Hacking Suggestion [IMPORTANT] Possible Nintendo server changes to block web applets from working

  • Thread starter Deleted-442439

BL4Z3D247
For moral support - so am I. :)

People presumably are now sniffing the network traffic of their consoles to see how Nintendo could connect to them (and ALL of them) without going through the usual update servers - could be a domain that lay dormant and never popped up in logs of the Switch talking to Nintendo before, could be a baked-in return channel that directly communicates with an IP and circumvents DNS resolving, ...

Once they've found it, we can block it. Presumably once they've found it, they also will analyze the part of their software where the "command and control" pipe comes in, to hopefully have a better chance of preventing them from doing this in the future.

"We" can reverse what they have done - but not without considerable effort on the part of everyone who wants to do so. Making syspartition backups and writing to them via Linux on the Switch, primarily. And in the end, they won't be able to prevent the hardware-assisted exploits.

So depending on how long folks take to find out what exactly N is doing, this might be an entirely useless storm in a water glass, that does nothing for N apart from pissing off the most technically savvy users.

If this turns out to take longer than expected, everyone on 3.0.0 should look for the ESP8266 method of launching HBL from a local "mini server" that costs about 7 USD.

Less convenient, but not really slower, or more complicated.

Of course, using the locally hosted exploit while still blocking the Switch's internet access entirely is only possible if the bit hasn't already been switched (the access restriction for the browser enabled). At least until the method to flip the bit back is released. (Which shouldn't take long, but let devs reside on the side of caution there.)
Well you've definitely helped me in the moral support area, thanks. :)

It's not even the fact that I can't do anything now, it hurts more that tonight I finally had nothing going on and decided, "Tonight's the night", only to find out (dun dun duuun), it's not.
 

TerminatR
You should be able to check them all trying to use the webauthapplet on a captive site...

Yeah, I realized that after. Where could I obtain a chunk of code to test offline? It makes no sense to test online because it's extremely risky to do so.
 

lordelan
My 3.0.0 Switch that I haven't touched for 3 or 4 days has no issues.
Did a coldboot and tried the hbmenu DNS with success.
Still on 3.0.0 and everything's working fine. I can get into the hbmenu.

I have "auto connect" inside my internet connection settings off (and always had), if that helps someone.
If you turn that off, the OS asks you in a popup whenever "something" is trying to connect to the internet, and you have to accept that.
 

Resaec
Yeah, I realized that after. Where could I obtain a chunk of code to test offline? It makes no sense to test online because it's extremely risky to do so.
Just get yourself the homebrew launcher, pull your router's internet connection and you are fine.
 

Amino
I am on 3.0.0, set the DNS and use HBL every day...
I don't understand what's going on... Stop using HBL????
 

sansnumen
Anyone that has the browser update nag can use the recently released NXLoader from an Android phone. You just need a USB OTG cable for your phone, a USB-A to USB-C cable with a 56k ohm resistor, and a piece of old cable to short pin 10. Run the Fusee Gelee exploit chain and send over the payload from your phone.

Have Sony and Microsoft ever done anything like this?

Kind of. On the Xbox 360 you needed to pay for Xbox Live to access the web browser and Netflix, for example. On the PS4 you need to be signed in to a PSN account to activate the web browser. Not sure how it works on the Xbox One.
 

TerminatR
Just get yourself the homebrew launcher, pull your router's internet connection and you are fine.

Not sure what you mean... because it can't connect to the active portal to test if there's no internet connection. It can't get to the IP; I would need to host the portal locally, no?
 

Red1Reaper
You know where all those hacks (and all software entry points currently being worked on) open a browser window?
Nintendo doesn't allow you to get access to the browser anymore if you are not on the most current firmware. Instead you get a popup that tells you to update.
-

For all intents and purposes Nintendo's behavior should be illegal, if they are pulling it off in Europe as well. US customers, as always, are out of luck, because their rights can be sold away on a virtual piece of napkin that no one has to read.

First: here are the different "license agreements" for both regions:

[image: r2KsZuv.png, the two license agreement texts side by side]

The European one does not even have to be read; you can skip it in the setup process without acknowledging that you have read it. Nintendo simply asks you to, but you don't have to, so you are not entering into an interpersonal contract with them at that point.

Also, the European text doesn't remove their responsibility to inform you of the update or to ask for your consent. Nintendo should also have a hard time arguing how what they are doing is covered by any of the reasons they list for being allowed to update software automatically -

and as they are putting up another usage restriction, and are not "removing content" (they are flipping a bit, adding a 1), no potential action of theirs is covered in the last paragraph. Also, "may render the Software unplayable" is stated passively and should not cover them "hacking into your console" and adding a usage restriction.

So by any of the quasi-legal texts they include with the platform in Europe, they shouldn't be allowed to do what they are currently doing.

US users, on the other hand, are effed, because they don't have consumer protection laws that wouldn't allow any EULA to sign away their rights. EULAs to them are literally laws, in that they can't negotiate them, and that to them they are legally binding even if they don't really read them, and even if what's inside conflicts with their state law.

Other interpretations are welcome.

Would be interesting to know if some of the known bit switches happened for European customers as well.
European customer here: yes, it happened to me, in Europe, with a Europe-bought console and a European IP (no VPN).
 

softwareengineer
In theory, but as I said we don't know what is triggering it, and there are no whitelist DNS servers live right now, so offline is the only option.
That's not entirely true, unless you don't count personal servers run locally (my server is always live for me! :)), which should be counted, considering a whitelisting server is inherently a more personal thing anyway (different people would want to whitelist different domains). So a stringent whitelist, or just blocking everything, is basically the same as being offline, a controlled sort of offline, unless what this user pointed out is actually happening ->

You are right... It might use an IP instead of a hostname and circumvent the DNS completely, too.
Offline is the best choice; second is an offline network for the Switch only, hosting HBL.
Yes, we have to check if that's actually what's happening, or else it could be one of the domains we're actually whitelisting that's sneaking this silent change in there on us. If it's directly using IPs rather than hostnames, then custom DNS servers aren't enough anymore; we also have to control it more at the router level... So we're then not only not allowing lookups to unknown locations (or ones not known to be safe) by hostname, but not allowing connections to unknown locations by hostname or IP either.

I don't know about programming and stuff like that... but what if someone emulates a DNS with a fake 5.0.2 firmware authentication to confuse Nintendo's servers? That way we could get our Switch's NeedUpdateVulnerability value set to 0 again... I don't know if something like that is possible...
I don't think you have to do that in order to fix it; someone just has to reverse engineer NeedsUpdateVulnerability (since we know exactly where we need to look) and see what it uses to determine when to follow the code path that ends up returning a value of 1. It's simple to fix: either change the thing it uses to decide to return 1 back to normal, so it returns 0 naturally itself again, and keep a way to easily reset that at any time. Or, I like option two, just patch NeedsUpdateVulnerability to always return 0 for false. So anything that asks "Does it need an update for a vulnerability-related issue?" gets the answer: No, not at all, no need, that would be false, always.

Not sure what you mean... because it can't connect to the active portal to test if there's no internet connection. It can't get to the IP; I would need to host the portal locally, no?
Yeah, I think he means to be 100% safe, connect it to a local network without any internet access whatsoever. So that means pulling the wire in his example, so that you locally trigger the exploit on your own local network which has no internet connected to it, so nothing can access the internet (to prevent your Switch from accidentally getting the message to flip that bit from somewhere; until we know where that's coming from, we're on the lookout for anywhere it could be). If it comes from the regular servers that we whitelist in order to go online while just blocking updates, then that's an issue and we'll just need to patch this b.s. and move on! We got homebrew to brew!! :D

I propose a direct code patch:
Code:
sub_NeedUpdateVulnerability:
   mov x0, #0
   ret
; End of function sub_NeedUpdateVulnerability

Or if not a fan of shortening the entire function down to something like that, just change the relevant part of it:
Code:
sub_NeedUpdateVulnerability:
; …
   adrp x1, VulnerabilityNeedsUpdateFlag               ; page address of the flag
   ldr  x1, [x1, :lo12:VulnerabilityNeedsUpdateFlag]   ; load the flag (a memory load is ldr, not mov)
   cmp  x1, #1
   b.ne NoVulnerabilityNoUpdateNeeded                  ; flag != 1: no update needed
   mov  x0, #1                                         ; flag == 1: return 1 (update "needed")
   ret

NoVulnerabilityNoUpdateNeeded:
   mov  x0, #0                                         ; return 0
   ret
; End of function sub_NeedUpdateVulnerability
It might use more than just a flag to determine whether to return 1 or 0, but there's a branch somewhere that makes all the difference of where it will go; find it, and if it's like the above example you could do something like ->

(branch when not equal)
b.ne NoVulnerabilityNoUpdateNeeded
->
The inverse (branch when equal) (change to):
Code:
b.eq NoVulnerabilityNoUpdateNeeded
Or better, an unconditional branch (branch always) (change to):
Code:
b NoVulnerabilityNoUpdateNeeded

Whatever the branch instruction you need to patch is, you invert it for the opposite effect (e.g. if vulnerable, return not vulnerable; if not vulnerable, return vulnerable), or make it an unconditional branch, or NOP (no operation) it, in order to have it always take the path you want it to take, in this case always returning a 0 instead of ever returning a 1.

But maybe with the Switch, instead of directly patching the code, a hypervisor layer could just take over the execution and return the 0? Because even with our full access, can we just patch the code just like that? Or do we have to use our abilities in something like a hypervisor layer to act equivalently to a direct code patch?

Yeah, see, I'm learning too; I'm used to patching other systems and trying to learn the proper way of doing such things for the Switch, and as you can see my arm64 could use some work! But it's an exciting platform nonetheless :)
 
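The branch-inversion and return-stub patches described in the post above, carried through as working byte-level edits. This is an added example, not code from the thread or from any Switch homebrew project: it encodes and decodes real A64 instructions (B.cond, B, MOVZ, RET, NOP), but the function bytes it operates on are a constructed stand-in for the posted listing, and the offsets, the flag address and the NeedsUpdateVulnerability layout are hypothetical. Nothing here knows where the real routine lives.

```python
"""Toy AArch64 patcher for the branch/stub edits discussed above.

Added example, not from the thread. SAMPLE_FUNC is a constructed
little-endian stand-in for the posted listing; its offsets are hypothetical.
"""
import struct

# Fixed A64 encodings (32-bit words, stored little-endian in the binary).
NOP = 0xD503201F        # nop
MOVZ_X0_0 = 0xD2800000  # mov x0, #0
RET = 0xD65F03C0        # ret
B_COND_MASK, B_COND_VAL = 0xFF000010, 0x54000000  # B.cond: 01010100 imm19 0 cond
B_MASK, B_VAL = 0xFC000000, 0x14000000            # B:      000101 imm26

COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]


def _sext(value, bits):
    """Sign-extend a `bits`-wide immediate field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_bcond(insn):
    """Return (condition, byte offset) of a B.cond; raise if it is not one."""
    if insn & B_COND_MASK != B_COND_VAL:
        raise ValueError("not a B.cond: %08x" % insn)
    return COND[insn & 0xF], _sext((insn >> 5) & 0x7FFFF, 19) * 4


def decode_b(insn):
    """Return the byte offset of an unconditional B; raise if it is not one."""
    if insn & B_MASK != B_VAL:
        raise ValueError("not a B: %08x" % insn)
    return _sext(insn & 0x3FFFFFF, 26) * 4


def invert_bcond(insn):
    """b.ne -> b.eq etc.: A64 condition pairs differ only in bit 0 (AL/NV excluded)."""
    cond, _ = decode_bcond(insn)
    if cond in ("al", "nv"):
        raise ValueError("AL/NV has no inverse")
    return insn ^ 1


def make_unconditional(insn):
    """Re-encode a B.cond as B to the same target (a signed imm19 fits in imm26)."""
    _, offset = decode_bcond(insn)
    return B_VAL | ((offset // 4) & 0x3FFFFFF)


def word_at(blob, offset):
    return struct.unpack_from("<I", blob, offset)[0]


def patch_words(blob, offset, words):
    """Overwrite consecutive 32-bit words at byte `offset`; refuse misaligned/out-of-range edits."""
    if offset % 4 or offset + 4 * len(words) > len(blob):
        raise ValueError("patch out of range or misaligned")
    packed = struct.pack("<%dI" % len(words), *words)
    return blob[:offset] + packed + blob[offset + len(packed):]


def stub_return_zero(blob, func_offset):
    """First patch from the post: replace the function head with `mov x0, #0; ret`."""
    return patch_words(blob, func_offset, [MOVZ_X0_0, RET])


def force_branch(blob, branch_offset):
    """Second patch from the post: turn the conditional branch into `b target`."""
    return patch_words(blob, branch_offset, [make_unconditional(word_at(blob, branch_offset))])


# Constructed stand-in for the posted listing (hypothetical offsets):
#   +0  ldr  x1, [x2]      +4  cmp x1, #1      +8  b.ne +12 (-> +20)
#   +12 mov  x0, #1        +16 ret             +20 mov x0, #0      +24 ret
SAMPLE_FUNC = struct.pack("<7I", 0xF9400041, 0xF100043F, 0x54000061,
                          0xD2800020, RET, MOVZ_X0_0, RET)

if __name__ == "__main__":
    print(decode_bcond(word_at(SAMPLE_FUNC, 8)))          # ('ne', 12)
    patched = force_branch(SAMPLE_FUNC, 8)
    print("%08x -> %d" % (word_at(patched, 8), decode_b(word_at(patched, 8))))
```

The offset arithmetic is the part worth getting right: both B and B.cond store a word offset relative to the branch itself, so re-encoding one as the other keeps the target without recomputing anything, while a NOP at the same spot silently falls through into the next instruction, which in this listing is the `return 1` path rather than the wanted one.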

notimp
Kind of. On the Xbox 360 you needed to pay for Xbox Live to access the web browser and Netflix, for example. On the PS4 you need to be signed in to a PSN account to activate the web browser. Not sure how it works on the Xbox One.
None of this sounds connected or true. :) First, N isn't forcing you to sign into a service, they are forcing a firmware update; second, MS or Sony would not be able to restrict you from using the browser if they also support captive portals (we need the browser for a few seconds); third, no one is worried about having to pay for things, in general or in this situation; fourth, how did Netflix play into this again?

We are talking here about Nintendo literally putting in a usage restriction on the web browser, after the fact, using an undefeatable, silent update that was designed not to go through normal update channels, so people would not catch it applying. Not asking for consent, not informing the user that this was going on. It's literally quite similar to Nintendo hacking into your PC, deactivating the web browser - and arguing that they would be allowed to do that because, even though you bought it, they would own your stuff.

None of the legal disclaimers or contracts they have with their customers in Europe allow for this behavior, and if Microsoft had pulled it, this would be front page New York Times material ("Microsoft deactivates all browsers until users accept every update"). Almost cringingly, in today's world new updates are bundled with new EULAs you are made to agree to - so if, for example, you really liked the DNSBrew "browser feature", Nintendo made sure to brick it, and then to tell you that you may not use their device again if you don't agree to all conditions the newest update comes with, where they could prevent you from using it - even if you are then again allowed to use the browser.

This is anti-competitive overreach to try to force user behavior.

They literally went into your network, into your device, and flipped a switch that enabled them to prevent you from using the browser if you decided not to update to the most current software version. Without informing you, without asking for consent, without doing this over the update mechanism. They hacked your device.

Let us try to come up with any similar behavior a multi-billion-dollar company pulled, and I'll show you a lawsuit that followed. In Europe especially, their actions were flat out illegal. I think they are a little too power drunk on their closed system not to know that they can't just load in malicious code to restrict you from using your browser after the fact. And with no ability for you to prevent or decline it. Or being informed that they are doing that. You literally "just find out it happened".

I mean, where are we? Dear corporation, get out of my network and get out of my devices. I've made it clear I don't want you in there, and now you are forcing your way in, despite the technical means I've set up to restrict your access? I've set up no account with you, I've never agreed in a legally binding way to you hacking into my hardware, so what the frack do you think you are doing?

Even apart from deactivating entire use cases (a browser, for god's sake) just to make sure I'd always update to the latest software and terms of use you provide? I mean, if anyone but the expensive cardboard company had pulled this, this would be front page news.

And I still think that this should be.

But of course they made sure not to talk about it or put it into their update "features and changes" log, so it flies under the radar of journalists that only ever read press statements. Hey, no public visibility, no accountability, right Nintendo?
 
Deleted User (OP)
Well shit, glad I unlinked my router from the Switch and put it in airplane mode a good few solid months ago now!
 
Deleted User (OP)
On further reflection, this is bad. Really fucking bad. This gives "Sony Rootkit" vibes of bad.
 

Resaec
Someone with too much free time should set up a fakenet VM and use it as the router for the Switch in an offline network.
Also the captive portal and such, to remove as many variables as possible.

Then log all actions on the fakenet router.
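What one would do with those router logs, and with the concern raised earlier in the thread that the trigger might go straight to an IP and bypass DNS: correlate the resolver's answers with the outbound connections and flag anything that was never looked up. This is an added example, not code from the thread or from any fakenet tooling. Both logs below are constructed in a simple hypothetical format; the hostnames use reserved `.test`/`.example` names and the addresses are RFC 5737 documentation ranges, so nothing here points at real Nintendo infrastructure, and the allowlist is a placeholder for whatever an operator actually permits.

```python
"""Correlate resolver answers with outbound connections from a console.

Added example, not from the thread. DNS_LOG, CONN_LOG and ALLOWLIST are
constructed stand-ins in a hypothetical "<time> <kind> ... -> ..." format.
"""
from collections import defaultdict

# Constructed resolver log: "<time> dns <name> -> <ip>"
DNS_LOG = """\
20:11:01 dns hbl.local.test -> 192.168.1.10
20:11:02 dns conntest.console.example -> 192.0.2.10
20:11:05 dns telemetry.console.example -> 198.51.100.20
"""

# Constructed gateway log: "<time> conn <src>:<port> -> <dst>:<port>"
CONN_LOG = """\
20:11:01 conn 192.168.1.23:50110 -> 192.168.1.10:80
20:11:03 conn 192.168.1.23:50112 -> 192.0.2.10:443
20:11:06 conn 192.168.1.23:50113 -> 198.51.100.20:443
20:11:09 conn 192.168.1.23:50114 -> 203.0.113.7:443
"""

# Hypothetical: the local HBL host plus the one endpoint the captive-portal trick needs.
ALLOWLIST = {"hbl.local.test", "conntest.console.example"}


def parse_dns(log):
    """Map each answered IP to the set of names that resolved to it."""
    names_for_ip = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "dns" and parts[3] == "->":
            names_for_ip[parts[4]].add(parts[2])
    return names_for_ip


def parse_conns(log):
    """Yield (time, dst_ip, dst_port) for each outbound connection line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "conn" and parts[3] == "->":
            ip, port = parts[4].rsplit(":", 1)
            yield parts[0], ip, int(port)


def classify(dns_log, conn_log, allowlist):
    """Bucket every connection by how a DNS-based whitelist would have seen it.

    allowlisted:              destination resolved from an allowed name
    resolved_not_allowlisted: resolved, but from a name outside the allowlist
    no_dns:                   no answer ever returned this IP (hardcoded endpoint?)
    """
    names_for_ip = parse_dns(dns_log)
    report = {"allowlisted": [], "resolved_not_allowlisted": [], "no_dns": []}
    for when, ip, port in parse_conns(conn_log):
        names = names_for_ip.get(ip, set())
        if not names:
            report["no_dns"].append((when, ip, port))
        elif names & allowlist:
            report["allowlisted"].append((when, ip, port, sorted(names)))
        else:
            report["resolved_not_allowlisted"].append((when, ip, port, sorted(names)))
    return report


def block_candidates(report):
    """IPs a DNS whitelist cannot stop: they were reached without any lookup."""
    return sorted({ip for _, ip, _ in report["no_dns"]})


if __name__ == "__main__":
    result = classify(DNS_LOG, CONN_LOG, ALLOWLIST)
    for bucket, rows in result.items():
        print(bucket, rows)
    print("block at router:", block_candidates(result))
```

The `no_dns` bucket is the one that matters for the question the thread is asking: a destination that shows up there was reached by address, so a whitelist DNS server never had a say, and only a default-deny rule at the gateway would have stopped it. The `resolved_not_allowlisted` bucket covers the other worry, a host that did resolve but through a name nobody meant to allow.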
 

Jungle_Jon
There is a set of instructions posted by "Flacid_Monkey" on the Switch Haxing Reddit that claims to clear this:

5.0.0 verified.

If you currently get an update prompt, delete all wifi connections, put in airplane mode:

  1. Shut down your Switch
  2. Start in recovery mode EDIT: (hold both Up and Down volume Key and press power button, continue holding volume keys until system boots, video at bottom if needed).
  3. Select update
  4. Interrupt the process (press X to cancel is on the screen; I didn't have wifi on so it failed anyway and A got me back)
  5. Power off and on
  6. Profit, enjoy no prompts

https://old.reddit.com/r/SwitchHaxi...f_you_are_on_an_older_fw_and_want_an/dy974gj/

If someone tests this please state your switch's FW version, and if it worked for you.

EDIT: How to enter recovery mode
 

notimp
If they have the ability to reset the "needs firmware" bit - and maybe a sacrificial Switch ( ;) ) - they can go fishing in the real seas. :) See the full two-sided conversation. :)

If N bites, reset the bit. :) At which point N can start banning those Switches from online, and really start to p*ss people off.. :)

--------------------- MERGED ---------------------------

There is a set of instructions posted by "Flacid_Monkey" on the Switch Haxing Reddit that claims to clear this:



https://old.reddit.com/r/SwitchHaxi...f_you_are_on_an_older_fw_and_want_an/dy974gj/

If someone tests this, please state what FW version you are on, and if it worked for you.
Huge if true.

Beat by their own tech.

In two days.

edit: More people confirming this are needed.

On the other hand, Nintendo has to set the flag back to 0 at one point, actually starting a firmware update and then canceling it in recovery, might do it.. ;)

If you try it out - be aware that you are in largely uncharted waters. :)

Where are the "can I update yet?" folks when you need them to test this... ;)
 

Taffy
I have "auto connect" inside my internet connection settings off (and always had) if that helps someone.

I have my autoconnect off too, for...reasons.

I'm on a 4.1.0 Switch with no issues about any of this. I was a little worried at first, but it's been a day or so since the incident popped up and I've had no trouble either.
 
