Hacking Switch Cartridge - Reverse Engineering

Status
Not open for further replies.
TheZander

TheZander

1337
Member
Level 13
Joined
Feb 1, 2008
Messages
2,136
Trophies
2
Location
Level 7
XP
3,860
Country
United States
Just saw this, man I was going to try this too. Ha, guess you beat me to it!

However if it will help the cause for my input I'll be more than happy. I might need a couple games as well, like Mario Odyssey when that comes out. Or Bomberman for now I guess, although it didn't look that great. For dumping that is, I mean the best games to dump will most likely be top tier titles. I'll take Splatoon 2 though, I never played dumped the original but willing to give it a shot.
 
  • Like
Reactions: Risingdawn and Subtle Demise
K

KoFFiE

New Member
Newbie
Level 2
Joined
Oct 16, 2009
Messages
1
Trophies
0
XP
162
Country
Belgium
smf said:
The data will be statically encrypted inside the chip and dynamically encrypted when transferred. In terms of the production cost at the volumes they will do, it is essentially free.

The cost of not adding adequate security is that Nintendo make no sales after week 1 due to flash carts and counterfeits.
Click to expand...

Given that both the 1-2 Switch and Zelda already use different chips based on the pictures, so I doubt there's logic running on them beyond the flash firmware. Now I'm not working in embedded anymore and I haven't seen specs of flash chips in over 10 years, but there were no chips with embedded security-features in them back-then, and since these seem to be run-of-the-mill flash chip with semi-customized branding, I highly doubt there's any active security on the cartridges. There also doesn't seem to be any extra silicon on the cartridge PCB, so It's probably all passive crypto-based, probably signatures on the data+serial numbers.

If hardware/'active' protection would have been implemented on cartridges, a separate chip would have been the most logical way to go anyway, otherwise they would have to produce multiple silicons for smaller and larger games, or go for a single, larger flash chip that would be able to accommodate all future possible games, and this would be very very expensive. Even just a custom packaging with flash+security chip would probably have added to the price. With an additional chip they could use one cheapo small off-the-shelf SoC (arm7 based or so with crypto acceleration), and proxy their flash data through that. That would have been the cheapest option, but still would still have ended up eating their margin on every game sold physically.

For the situation I suppose we're in, you'd have to fake the hardware ID's of the flash chips to be able to copy them, but if I was Nintendo, I would actively blacklist serial numbers of pirated chips through regular system updates, which would effectively make piracy a clusterfuck without actual exploits to circumvent the security completely or re-sign images. This also doesn't address code signing issues for running custom code, which can be a very though nut to crack if Nintendo did their job properly.
 
Last edited by KoFFiE,
  • Like
Reactions: peteruk
HeraCraoz

HeraCraoz

New Member
Newbie
Level 1
Joined
Mar 23, 2017
Messages
1
Trophies
0
Age
21
XP
51
Country
United States
couldn't you do some sort of hard-rip of the stuff stored on the chip? then create a chip that can store like 5 of them and have it be able to "Switch" between them? (lol, sry for the pun)
 
Duo8

Duo8

Well-Known Member
Member
Level 12
Joined
Jul 16, 2013
Messages
3,613
Trophies
2
XP
3,024
Country
Vietnam
KoFFiE said:
Given that both the 1-2 Switch and Zelda already use different chips based on the pictures, so I doubt there's logic running on them beyond the flash firmware. Now I'm not working in embedded anymore and I haven't seen specs of flash chips in over 10 years, but there were no chips with embedded security-features in them back-then, and since these seem to be run-of-the-mill flash chip with semi-customized branding, I highly doubt there's any active security on the cartridges. There also doesn't seem to be any extra silicon on the cartridge PCB, so It's probably all passive crypto-based, probably signatures on the data+serial numbers.

If hardware/'active' protection would have been implemented on cartridges, a separate chip would have been the most logical way to go anyway, otherwise they would have to produce multiple silicons for smaller and larger games, or go for a single, larger flash chip that would be able to accommodate all future possible games, and this would be very very expensive. Even just a custom packaging with flash+security chip would probably have added to the price. With an additional chip they could use one cheapo small off-the-shelf SoC (arm7 based or so with crypto acceleration), and proxy their flash data through that. That would have been the cheapest option, but still would still have ended up eating their margin on every game sold physically.

For the situation I suppose we're in, you'd have to fake the hardware ID's of the flash chips to be able to copy them, but if I was Nintendo, I would actively blacklist serial numbers of pirated chips through regular system updates, which would effectively make piracy a clusterfuck without actual exploits to circumvent the security completely or re-sign images. This also doesn't address code signing issues for running custom code, which can be a very though nut to crack if Nintendo did their job properly.
Click to expand...
There has to be. Even the 3ds had that.
There's no reason to "rebrand" anything, the flash chips are custom made.
 
Duo8

Duo8

Well-Known Member
Member
Level 12
Joined
Jul 16, 2013
Messages
3,613
Trophies
2
XP
3,024
Country
Vietnam
TheCyberQuake said:
The 3ds games were much smaller in size. Nintendo may have just "rebranded" due to costs of the larger storage chips.
Edit: in terms of storage, not physical size
Click to expand...
Flash got cheaper since 2011, so using larger chips shouldn't cost much more than then.
 
T

Tesseract4d

New Member
Newbie
Level 1
Joined
Mar 23, 2017
Messages
1
Trophies
0
Age
36
XP
51
Country
http://www.satpimps.co.uk/showthread.php?63462-How-to-Jtag-the-Intel-TE28F160-chipped-7000E

Hey boy, that chip looks a lot like the intel flash chip used in the Motorola surfboard modems. That chip can be read and flashed using jtag for the purpose of flashing CFW on a modem such as haxorware. There's tons of tools and programs out there to do this.
If it's an EEPROM chip, most likely 32 or 64 gb capacity, if this is the case the cost for those chips is currently not worth the hassle.


smiba said:
- Getting a cartridge (Done)
- Opening the cartridge and making pictures (Done, check 'm! http://imgur.com/a/FndZC)
- Getting connected pins of the cartridge (Done, see this post)
- Getting to know the purpose of the pins <-- We're right right now
- Being able to dump a rom
- Developing a PoC PCB to upload roms to and run them

-----

Right now I'm looking for:

- More Switch cartridges of different games, preferably Zelda because I think the PCB is quite different. (Zelda confirmed to be just a chip)
- Donations. Producing PCB's, Buying tools and time ain't cheap D:

Let me know if you want to contribute!

-----

As promised, the pinout and high quality pictures of the PCB

For me it looks like a normal NAND chip, however it seems to have a rather odd pinout, that does not match regular TSOP48 NAND chips. It most likely is a 8-bit channel NAND chip though, which should be readable

(Oh, and the capacitors are 0.2 and 0.1uF. Top to bottom: 0.2uF, 0.1uF, 0.2uF, 0.1uF)

5PFpEgV.jpg


-----

Pinouts!

(Blank pins are not connected to anything)



To me it looks like Pink is VCC and Dark Blue is GND, to figure out all the pinouts I need to way to run a card inside the switch while also being able to probe it. I'm thinking about the cheapest and best way to do it

-----

Soon: Meaning of the pins (Required before we can dump a rom)
Click to expand...
 
Joom

Joom

 ❤❤❤
Member
Level 16
Joined
Jan 8, 2016
Messages
6,067
Trophies
1
Location
US
Website
mogbox.net
XP
6,077
Country
United States
linuxares said:
Wait for the MEGA link, get it from there, try to check the dump data and see if it's somehow legit. Best would be another dump to compare with.
Click to expand...
Why would I pay for a premium MEGA account in the first place? That file is too large to download from MEGA for free thanks to retarded bandwidth caps they've put in place. Also, of course it's fake. Anyone that paid this ass did deserve to have their money taken, like @Favna said. Why the hell would the Switch version be larger than the Wii U version when they're the exact same game with some minor UI differences? If I saw this without any prior notice I'd immediately assume it was fake thanks to deductive skills.
 
Last edited by Joom,
Axido

Axido

Maker of TRASLApp
Member
Level 14
Joined
Feb 12, 2014
Messages
1,304
Trophies
2
Age
32
XP
4,300
Country
Germany
Joom said:
Why would I pay for a premium MEGA account in the first place? That file is too large to download from MEGA for free thanks to retarded bandwidth caps they've put in place. Also, of course it's fake. Anyone that paid this ass did deserve to have their money taken, like @Favna said. Why the hell would the Switch version be larger than the Wii U version when they're the exact same game with some minor UI differences? If I saw this without any prior notice I'd immediately assume it was fake thanks to deductive skills.
Click to expand...

You don't make a premium account. You just use Mega Downloader 1.7.
 
  • Like
Reactions: firke_the_one
Status
Not open for further replies.

Site & Scene News

Go to forum More news

Popular threads in this forum

Homebrew Tutorial  Building Pagascape from source to running Self Hosted mode on Windows and MSYS

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

mig switch not working/updating??

Hacking Homebrew Tutorial  Portable PegaScape (Win32)

Fusee.bin with the new Pre-release of Atmoshere 1.7.0

DBI language error

Rumor  April Nintendo Direct Leak + New Ubisoft IP?

April Nintendo Direct Leak

General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: Maybe but is it worth it?