The Nintendo Switch, Malicious Apps, and You
How to Stay Safe Around Assholes on the Internet
For those who are new to this site, or new to the Nintendo Switch scene in general, there was a pretty nasty event that happened in mid to late July. A user posted a payload, with some of their friends claiming to be a working SX OS crack, when in reality, it caused almost irreparable damage to the user’s Switch. I say almost because there was a single fix, but after reading the subsequent threads, it seems like most users did not take even the single and most useful precaution beforehand. This post is to educate the users of this site on how to keep yourself safe, what these applications are, and how they work.
You may be thinking to yourself “Pssh, that was a one-off event, it’s not going to happen again,” but you’d be wrong. An unfortunate side effect of the anonymity of the internet is people being assholes just because they can. I am making this post because I genuinely feel for those with issues with their Switches and I want to prevent as many “My Switch won’t boot up” posts as I can. That being said, staying safe is easy and there’s a wide variety of tools as well as practices you can engage in to keep you, your system, and your
How to keep safe
Your Nand Backup
- The single most important thing you can do to keep your Switch safe in this era of assholery, is to make your nand backup, as well as a backup of boot0/boot1. Why is this nand backup so important? Because having it can fix damn near any problem.
There are a few tools available for you to use in order to make backups of your nand and boot0/boot1. Hekate is a real nice one to make a clean nand backup before any CFW is used. The backup function in the ReiNX Toolbox is good to use if you’ve been messing around with CFW and just want a quick but dirty one.
The second most important thing you can do, is follow the 3-2-1 rule of backing up:
- Make THREE copies
- On TWO different mediums
- Have ONE copy off site
But a nand backup alone won’t help you. You also need to be smart and follow safe practices.
If you need help making a nand backup, check the spoilers below. I am going to assume you already know how to push payloads, as well as boot into CFW.
Using ReiNX Toolkit
- Compile/download the latest ReiNX Toolkit Found Here.
- Copy the ReiNXToolkit.nro file to the /switch folder
- Open album and select ReiNX Toolkit
- Scroll down to backup and choose BOTH “Backup Boot0/1” and “Backup NAND”
If you are confused, please see the pictures below.
Using Hekate
- Compile/download the latest Hekate Found Here.
- Once you’ve pushed the hekate payload, go to Tools>Backup
- You must run BOTH “Backup EMMC Boot0/1” as well as “Backup Raw GPP”.
If you are confused, please see the pictures below.
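A backup is only worth anything if it is complete and the copies you spread around under the 3-2-1 rule are still byte-for-byte identical when you need them. The script below is an added example, not code from this post, from Hekate or from the ReiNX Toolkit: it checks that a backup folder contains BOOT0, BOOT1 and a raw NAND dump, writes a SHA-256 manifest you can ship with every copy, and re-verifies a copy against that manifest. The file names, the 4 MiB size assumed for BOOT0/BOOT1 and the `make_sample_backup` helper (which writes constructed dummy data for a dry run) are my assumptions; adjust `EXPECTED_SIZES` to whatever your tool actually produced.

```python
"""Sanity-check a Switch NAND backup set and keep its 3-2-1 copies honest.

Added example (not part of the post, Hekate or the ReiNX Toolkit).
Assumptions: the folder holds BOOT0, BOOT1 and rawnand.bin (or split
parts rawnand.bin.00, .01, ...); BOOT0/BOOT1 are 4 MiB each.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed sizes of the eMMC boot partitions in bytes (adjust for your dump).
EXPECTED_SIZES = {"BOOT0": 4 * 1024 * 1024, "BOOT1": 4 * 1024 * 1024}


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a ~30 GB rawnand.bin never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backup_set(backup_dir, expected_sizes=None):
    """Return {filename: problem}; an empty dict means the set looks complete."""
    expected_sizes = EXPECTED_SIZES if expected_sizes is None else expected_sizes
    backup_dir = Path(backup_dir)
    problems = {}
    for name, size in expected_sizes.items():
        path = backup_dir / name
        if not path.is_file():
            problems[name] = "missing"
        elif path.stat().st_size != size:
            problems[name] = f"size {path.stat().st_size}, expected {size}"
    raw_parts = sorted(backup_dir.glob("rawnand.bin*"))
    if not raw_parts:
        problems["rawnand.bin"] = "missing"
    elif any(part.stat().st_size == 0 for part in raw_parts):
        problems["rawnand.bin"] = "one or more parts are empty"
    return problems


def write_manifest(backup_dir, manifest_name="SHA256SUMS"):
    """Record a SHA-256 for every backup file; copy the manifest with each copy."""
    backup_dir = Path(backup_dir)
    lines = [f"{sha256_file(p)}  {p.name}"
             for p in sorted(backup_dir.iterdir())
             if p.is_file() and p.name != manifest_name]
    (backup_dir / manifest_name).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_manifest(copy_dir, manifest_name="SHA256SUMS"):
    """Return the names of files in one copy that are missing or no longer match."""
    copy_dir = Path(copy_dir)
    bad = []
    for line in (copy_dir / manifest_name).read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        path = copy_dir / name
        if not path.is_file() or sha256_file(path) != expected:
            bad.append(name)
    return bad


def make_sample_backup(backup_dir, boot_size=4096):
    """Constructed dummy files for a dry run; real backups come from Hekate/ReiNX."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    (backup_dir / "BOOT0").write_bytes(b"\x00" * boot_size)
    (backup_dir / "BOOT1").write_bytes(b"\x01" * boot_size)
    (backup_dir / "rawnand.bin.00").write_bytes(b"\xab" * 1024)
    (backup_dir / "rawnand.bin.01").write_bytes(b"\xcd" * 1024)
    return {"BOOT0": boot_size, "BOOT1": boot_size}


if __name__ == "__main__":
    # Dry run on constructed data; point the functions at your real folder instead.
    with tempfile.TemporaryDirectory() as folder:
        sizes = make_sample_backup(folder)
        print("problems:", check_backup_set(folder, sizes) or "none")
        print("files hashed:", write_manifest(folder))
        Path(folder, "BOOT1").write_bytes(b"\x01" * 4095)  # simulate a damaged copy
        print("mismatched:", verify_manifest(folder))
```

Run `write_manifest` once right after making the backup, then `verify_manifest` on each of the three copies before you ever rely on one of them; a SHA-256 mismatch on the off-site copy is exactly the kind of silent bit-rot the 3-2-1 rule is meant to survive.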
Safe Practices
- The main reason you should be critical of EVERYTHING you run on the Switch is because homebrew applications and payloads run with UNRESTRICTED ACCESS. This is NOT the same as running “As an Administrator” on Windows machines or executing a sudo command on Linux/macOS. It is kernel level access, which is so much more powerful, and so much more dangerous.
The next three sentences are going to be caps lock, bolded, italicized, whatever so you know they are SUPER DUPER IMPORTANT.
- ONLY RUN THINGS FROM TRUSTED SOURCES
- LOOK AT THE SOURCE (AND IDEALLY COMPILE IT YOURSELF)
- DON’T USE SKETCHY WEBSITES OR TOOLS
Running applications from trusted developers is your number one priority. If a new user posts a compiled binary and claims things that trusted devs haven’t claimed yet, common sense dictates that should be a hell of a giveaway that something is not right. If a user posts source rather than a binary, then it may be a throwaway account of a known dev, but you should still be skeptical of all claims.
For the next part, please keep in mind that there are some developers who like to keep their stuff closed source. Their reputation in this case is a lot more important because they don’t want to reveal the source. Be cautious, because all it takes is one bad day, and they can easily turn their useful and safe tools into malicious programs before anyone notices. It is probably trickier for inexperienced users, but you should try to understand how the code works and how to compile it yourself. Getting to the point of compiling builds is semi-difficult on Windows machines and much easier on macOS/Linux, but doing so is beyond the scope of this post.
There are a couple of reasons for being able to compile on your own. The first is that you have no promise that what’s posted on the Releases tab of a project is what’s actually written in its source. The second is that no one can post a hash of a file and say “Make sure your hash matches this one to be safe.” Binaries of the same code will have different hashes when built on different machines. There’s no way for a user to guarantee that the binary they are giving you is exactly what the code outputs, which leads back to the previous point. Make sure you trust them before running their stuff.
The third and final point seems just as obvious as the first to me, but I’m sure there are some people who use it for the simplicity. It was brought to my attention a while ago that someone had a bot on Discord that will output your Switch’s console-unique cert if you give them your PRODINFO partition. This is quite handy if you don’t want to install Python and run a script to do it, but keep in mind whoever owns that bot more than likely has a hundred private certs in his collection. You cannot convince me that they aren’t storing them.
This also includes websites that act as payload injectors. While they are more convenient, and some can be saved to be run locally since they use JavaScript, if you are using something that sends a payload from online, you have no guarantee that it’s sending the payload that you think it is.
What Applications Are Out There?
This section covers: a brief history, ticketDB corrupters, certificate stealers, software brickers, and hardware breakers.
- Knowing what you know now, WANNA PLAY :)
As far as I know, the first malicious application was written by the ever-so-popular Team Xecuter. However they wish to spin their “hacker challenge”, their product up until version 1.3 contained malicious code that would lock the eMMC should certain requirements be met. Since their code is closed source, it is not public knowledge what those requirements are, or even whether it was possible to trigger them by mistake, rendering licensed users’ Switches useless.
Should this code rear its ugly head again, according to @hexkyz on Twitter: “Regular users won't be able to restore the NAND normally. You need to mess with raw MMC commands to either unlock or force erase the eMMC.”
With that out of the way, let’s talk about the possibly dangerous apps out there. I know some of these exist because I’ve seen them in the wild, while others are entirely theoretical, as far as I know. I’m going to list them in order of least-dangerous to most dangerous.
- First, it is possible to corrupt the ticket database (ticketDB for short) of the Switch. This is more inconvenient than actually malicious and sometimes happens by accident when using legitimate applications. As of the time of writing this, I’ve not seen any apps that do this intentionally, but if you install a corrupted or dev-encrypted NSP file, it may damage your ticketDB. This can easily be fixed by restoring a nand backup, or by reinitializing your Switch.
- Secondly, there are Certificate Stealers. These types of programs aren’t going to cause damage to the Switch itself, but they have far reaching consequences. To understand why these are so important you must understand what your certificate, commonly shortened to “Cert”, is. Simply put, it is console-unique data that Nintendo uses primarily to negotiate online functions like gaming and the eShop. Knowing this, if a malicious user has a copy of your cert, anything they do online will look like it’s coming from your Switch, getting you banned while they reap the benefits. There is no public way to unban your consoles.
- The next set of malicious apps come in two forms: as a payload you inject, or as a homebrew app you run. They are software bricks. Basically, they damage some part of the system’s flash memory. The main concern is if PRODINFO gets corrupted. That partition is console-unique, so you have to restore from a nand backup if you’d like to fix it. Other parts of the system’s flash memory can be fixed without a backup (but it is highly recommended to still have one).
- The most damaging applications cause hardware damage to the Switch. If you hang around in scene Discords, you may often hear users joke about “FuseBurner.bin” or “ScreenOvervolter.bin.” Once again, at the time of this writing, these things are purely theoretical, but let’s get into the nitty gritty of why these two things in particular are so destructive, starting with FuseBurner.
The Switch has microscopic anti-downgrade fuses built into its CPU, and once a fuse is blown, it is impossible to undo. When the console is booting up, it compares the number of blown fuses against the current firmware version. If too few fuses are blown, it blows them to compensate, but if too many are blown, the Switch immediately panics and shuts down. FuseBurner, as you can guess by the name, burns ALL of the fuses.
For all intents and purposes though, this is a minor issue because all modern CFW ignore the fuse count/burning step of the bootloader. However, it DOES prevent your Switch from ever booting again without the use of RCM exploits.
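To make the asymmetry concrete, here is a toy model of the boot-time fuse check exactly as the two paragraphs above describe it. This is an added example and not code from the post, from Nintendo’s bootloader or from any CFW; the firmware-to-fuse-count table and the total fuse count are made-up placeholders, not the real values. It shows why the check is one-way (the burnt count only ever rises), why a stock downgrade panics once more fuses are burnt than the firmware expects, and why a CFW path that skips the comparison still boots the same console.

```python
"""Toy model of the Switch anti-downgrade fuse check (added example).

Placeholder values: EXPECTED_FUSES and TOTAL_FUSES are made up for the
model and are not Nintendo's real numbers.
"""

# Constructed table: firmware version -> fuses the stock bootloader expects burnt.
EXPECTED_FUSES = {"1.0": 1, "2.0": 2, "3.0": 3, "4.0": 4}
TOTAL_FUSES = 32  # assumption for the model


class FuseBank:
    """Hardware fuses are one-way: the burnt count can rise but never fall."""

    def __init__(self, burnt=0):
        self._burnt = burnt

    def burnt(self):
        return self._burnt

    def burn_up_to(self, count):
        # max() enforces irreversibility; min() caps at the physical fuse count.
        self._burnt = max(self._burnt, min(count, TOTAL_FUSES))


def stock_boot(bank, firmware, expected=EXPECTED_FUSES):
    """Stock bootloader: too few fuses -> burn the difference and boot;
    too many -> panic and shut down, so an older firmware can never boot."""
    want = expected[firmware]
    if bank.burnt() > want:
        return "panic"
    if bank.burnt() < want:
        bank.burn_up_to(want)
    return "boot"


def cfw_boot(bank, firmware):
    """A CFW launched over RCM skips the comparison entirely, so it boots
    regardless of the fuse count; the hardware state itself is untouched."""
    return "boot"


def walkthrough():
    """Return a list of (step, outcome, fuses burnt afterwards) tuples."""
    bank = FuseBank()
    log = []
    log.append(("stock boot on 3.0", stock_boot(bank, "3.0"), bank.burnt()))
    log.append(("stock downgrade to 2.0", stock_boot(bank, "2.0"), bank.burnt()))
    log.append(("cfw boot on 2.0", cfw_boot(bank, "2.0"), bank.burnt()))
    bank.burn_up_to(TOTAL_FUSES)  # the "all fuses burnt" state the post describes
    log.append(("stock boot on 4.0, all burnt", stock_boot(bank, "4.0"), bank.burnt()))
    log.append(("cfw boot on 4.0, all burnt", cfw_boot(bank, "4.0"), bank.burnt()))
    return log


if __name__ == "__main__":
    for step, outcome, burnt in walkthrough():
        print(f"{step:32s} -> {outcome:5s} ({burnt} fuses burnt)")
```

The last two rows of the walkthrough are the whole point of the post’s remark: with every fuse burnt, the stock path can never boot again, while the RCM/CFW path is unaffected.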
Now for ScreenOverVolter. This works, in theory, because voltages on the Switch are controlled by software. So Horizon OS controls what part of the Switch gets what voltage. It is possible to tell it to give more voltage to one part than it requires, thus causing damage. The joke is that it’ll break the screen, but it is easily capable of breaking the battery, mother/daughterboards, game card slot readers, etc. There is no known fix other than replacing the part that was damaged, and I hope you have the tools as well as the know how in order to do so.
Examples
I firmly believe that part of spreading awareness of how these programs work involves making their source code known. However, doing so does open the door to making this sort of stuff more readily available. What I will be doing is posting the source code of two malicious apps, followed by the source code of the legitimate tools they were derived from, and then explaining how the differences between the two work.
ONCE AGAIN FOR EMPHASIS: RUNNING THESE PROGRAMS WILL IN FACT DAMAGE YOUR SWITCH
PozzNX, also known as the “SX OS Crack”
switchFuckerUpper.nro
I was asked by a GBAtemp mod not to post the actual sources and explanations of how they work until after their homebrew bounty program is finished.
Thank you for reading my post. I hope you found it to be very informational, and I hope you do stay safe.
~Crusatyr