Using "Match Version with Local Users" to install CFW on unhackable console?

Elliander

Well-Known Member
OP
Member
Joined
Sep 16, 2011
Messages
634
Trophies
1
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,449
Country
United States
I have two Switches, both hackable. One (with black Joy-Cons) is running SXOS 2.3 Beta with emuNAND and OFW both at 6.0.1. The other is running OFW 6.2.0 and has never touched mods or homebrew. I attempted to use "Match Version with Local Users" when, without warning, the higher-firmware Switch started uploading a system update to the emuNAND, which is offline and in Stealth Mode.


I cancelled before it had a chance to complete, and everything was fine. This of course reinforced the need for firmware spoofing since it's a serious problem that an update can be installed like this.

However, I got to thinking, and it also seems like a major vulnerability in the Switch itself. Since it's all done offline, if you can present one Switch to another as having a higher firmware version it will attempt to download and install it. It will just trust that the FW with the higher number is official! This might allow us to use one hackable Switch to inject a CFW onto an "unhackable" Switch without an RCM exploit.

Of course, if that is possible, I imagine it could also be used maliciously to trick random people into installing CFW onto their systems. Imagine the headache Nintendo would have to deal with if, say, someone at some convention center pushed CFW onto everyone. I mean, thankfully, it doesn't just download in the background - the user has to initiate it - but they have no way of knowing that it's not legit and the average user seems to just update without a second thought, so I can see potential problems here as well. Especially if the ban risk is high.

Regardless, it might still be a useful means of code injection if nothing else. Install some payload on a Switch that otherwise can't get the payload with the update, to then allow it to do something else, like run emuNAND.

What do you guys think? Is it feasible?
 

GizmoTheGreen

No, because:
1. CFW is run in RAM; the actual FW on your device is still stock.
2. It's all signed. If you tried to spoof a CFW to send as an update, it would fail to install or make a brick.
 

Elliander

Well-Known Member
OP
Member
Joined
Sep 16, 2011
Messages
634
Trophies
1
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,449
Country
United States
> No, because 1. CFW is run in RAM; the actual FW on your device is still stock.

ahh, so it's not like CFW on other systems, which is a modified original firmware?

> 2. It's all signed. If you tried to spoof a CFW to send as an update, it would fail to install or make a brick.

Weren't all the keys dumped though? It seems like if someone is able to make a CFW loaded in RAM, someone should be able to at least inject a payload into a firmware file to then launch a CFW in emuNAND.
 

Snomannen_kalle

Well-Known Member
Member
Joined
Sep 2, 2018
Messages
350
Trophies
0
Age
29
XP
2,375
Country
Norway
> Ahh, so it's not like CFW on other systems, which is a modified original firmware?
>
> Weren't all the keys dumped though? It seems like if someone is able to make a CFW loaded in RAM, someone should be able to at least inject a payload into a firmware file to then launch a CFW in emuNAND.

CFW on the Switch is just a set of patches that run on top of the actual firmware, and it can't run independently on its own. The keys that are dumped from the console are not the ones used to sign firmware updates or games; those are private keys that only Nintendo has access to (otherwise we wouldn't need the bootrom exploit to run CFW, homebrew, or play backups).
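The two points made in this thread (the OP's idea that a peer advertising a higher version number triggers the local update flow, and the replies that the update is signed with a private key the console never holds, while dumped console keys only decrypt) can be shown in a small model. The following is an added example written for this page; it is not code from the thread, not Nintendo's real update format, and not its real signing scheme. It assumes a vendor RSA key pair (textbook RSA over SHA-256, no padding, Mersenne primes so no key generation is needed), a symmetric key that a console dump would reveal (modelled as a SHA-256 counter-mode keystream), and a receiver whose install decision is: newer version number starts the flow, signature decides whether anything is written.

```python
"""
Added illustration for the thread: a dumped decryption key lets an attacker
read and patch an update package and advertise a higher version number, but
a receiver that pins the vendor's public key refuses the patched package
instead of installing it. Toy crypto; not Nintendo's format or algorithm.
"""
import hashlib

# --- Vendor key pair (assumption: private exponent is vendor-only) -------
# Mersenne primes keep the block free of random key generation; real keys
# use random primes and a padding scheme (PKCS#1 v1.5 / PSS).
_P = 2**521 - 1
_Q = 2**127 - 1
PUB_N = _P * _Q                      # shipped in every console
PUB_E = 65537
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))   # never leaves the vendor

# --- Attacker's own key pair (assumption: freely generated, not trusted) --
_AP = 2**607 - 1
_AQ = 2**89 - 1
ATT_N = _AP * _AQ
_ATT_D = pow(PUB_E, -1, (_AP - 1) * (_AQ - 1))

# Symmetric key protecting the update body at rest: the kind of key a
# console dump reveals. Constructed demo value.
DUMPED_SYM_KEY = b"constructed-demo-symmetric-key"


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || byte-offset) keystream XORed in.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _digest_int(version: int, body: bytes) -> int:
    """Integer SHA-256 over (version || encrypted body); < 2**256 < PUB_N."""
    return int.from_bytes(
        hashlib.sha256(version.to_bytes(4, "big") + body).digest(), "big")


def vendor_sign(plain_firmware: bytes, version: int) -> dict:
    """What only the vendor can do: encrypt the body and sign it."""
    body = _keystream_xor(DUMPED_SYM_KEY, plain_firmware)
    return {"version": version, "body": body,
            "sig": pow(_digest_int(version, body), _PRIV_D, PUB_N)}


def verify_package(pkg: dict) -> bool:
    """Receiver-side check against the pinned vendor public key."""
    return pow(pkg["sig"], PUB_E, PUB_N) == _digest_int(pkg["version"], pkg["body"])


def decrypt_body(pkg: dict) -> bytes:
    """Anyone holding the dumped symmetric key can read the firmware."""
    return _keystream_xor(DUMPED_SYM_KEY, pkg["body"])


def attacker_patch(pkg: dict, patch: bytes, claimed_version: int) -> dict:
    """Decrypt, append a payload, re-encrypt, bump the advertised version.
    The old signature is reused because the attacker cannot make a new one."""
    body = _keystream_xor(DUMPED_SYM_KEY, decrypt_body(pkg) + patch)
    return {"version": claimed_version, "body": body, "sig": pkg["sig"]}


def attacker_self_sign(pkg: dict, patch: bytes, claimed_version: int) -> dict:
    """Same patch, but signed with the attacker's own key pair."""
    evil = attacker_patch(pkg, patch, claimed_version)
    evil["sig"] = pow(_digest_int(evil["version"], evil["body"]), _ATT_D, ATT_N)
    return evil


def local_update_decision(my_version: int, offered: dict) -> str:
    """Model of the receiving console in a 'match version with local users'
    exchange: a higher number starts the flow, the signature gates the write."""
    if offered["version"] <= my_version:
        return "ignored: not newer"
    if not verify_package(offered):
        return "rejected: bad signature"
    return "installed"


if __name__ == "__main__":
    official = vendor_sign(b"stock firmware 6.2.0", 620)
    evil = attacker_patch(official, b" + cfw payload", 999)
    print(local_update_decision(601, official))   # installed
    print(decrypt_body(evil))                      # patched body reads fine
    print(local_update_decision(601, evil))        # rejected: bad signature
    print(local_update_decision(601, attacker_self_sign(official, b"x", 999)))
```

The design point is the asymmetry: the symmetric key is enough to decrypt, modify and re-encrypt the body, and nothing stops a peer from claiming version 999, but the receiver's accept path is `pow(sig, e, n) == hash`, which needs `d`. Signing with a different key pair fails for the same reason, since `n` is pinned. A receiver written this way refuses before writing, which is why the thread's "it would fail to install or make a brick" resolves to "fail to install" when the check runs before any flash write.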
 

Elliander

Well-Known Member
OP
Member
Joined
Sep 16, 2011
Messages
634
Trophies
1
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,449
Country
United States
I see. So if you tried to inject a payload into an NSP file for an official update, it would then fail the checks because we don't have the firmware keys? Which would, in turn, brick the emuNAND it is installed to? On the other hand, if those keys were ever determined would it be possible?

Now, do we need those keys for spoofing to work on CFW? Because the obvious problem with this feature is that it is a route of officially updating with Stealth mode turned on. If we could present the CFW as a higher firmware version than it actually is, it would allow us to update games from another Switch without updating the firmware and would also allow us to play on both together locally.

Of course, if I knew that the Switch can update from another Switch I would have used this to update to 6.0.1 and then stayed offline just to be able to play together. We wouldn't have been able to download game updates, or link Nintendo accounts to the console for the games that require that even offline, but it would have been something.
 

GizmoTheGreen

Well-Known Member
Member
Joined
Oct 8, 2009
Messages
813
Trophies
1
XP
905
Country
> Ahh, so it's not like CFW on other systems, which is a modified original firmware?
>
> Weren't all the keys dumped though? It seems like if someone is able to make a CFW loaded in RAM, someone should be able to at least inject a payload into a firmware file to then launch a CFW in emuNAND.

3DS CFW is the same. Patches running on top of the original FW. We just have a way to cold-boot it.

Technically I guess you could hard-patch the installed FW, but the Switch would be unable to boot normally, only via RCM + hekate or something.
As well as signing still being a problem. The keys we have are only for decryption, not encryption.

If the keys are ever figured out then yes we could just flash a cfw straight to nand/emmc once via RCM and be done with it. Wouldn't even need the update thing you imagined.
 

smf

Well-Known Member
Member
Joined
Feb 23, 2009
Messages
6,642
Trophies
2
XP
5,861
Country
United Kingdom
> Technically I guess you could hard-patch the installed FW, but the Switch would be unable to boot normally, only via RCM + hekate or something.

Which is how most people run it currently anyway. That still wouldn't meet the non nintendo@gbatemp definition of CFW though.

> If the keys are ever figured out then yes, we could just flash a CFW straight to NAND/eMMC once via RCM and be done with it.

Or if the signature check is somehow bypassed entirely, I don't expect either to happen.
 

Elliander

Well-Known Member
OP
Member
Joined
Sep 16, 2011
Messages
634
Trophies
1
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,449
Country
United States
> Technically I guess you could hard-patch the installed FW, but the Switch would be unable to boot normally, only via RCM + hekate or something.

That... represents a potential problem. I mean, think about it: that means someone could use their Switch to brick another Switch, right? A malicious user injects CFW into their own Switch so it cannot boot without RCM and then connects via local play. Another user downloads their modified firmware, which then bricks them, and if their Switch isn't old enough to use RCM it will not be bootable. It might be fixable with a restore, but even if it is, Nintendo would be able to detect that the user had CFW and would probably ban them. That sounds very dangerous and not at all useful.

> If the keys are ever figured out then yes, we could just flash a CFW straight to NAND/eMMC once via RCM and be done with it. Wouldn't even need the update thing you imagined.

Well, I was thinking about this for consoles where the RCM doesn't currently work (or rather, it does work, but not as user friendly since the jig doesn't work) so it was imagined as a way to get CFW straight to the NAND of a currently "unhackable" Switch.

> Or if the signature check is somehow bypassed entirely, I don't expect either to happen.

yeah, I don't think so either. Well, a shot in the dark can't always hit.
 

RitchieRitchie

Well-Known Member
Member
Joined
Nov 15, 2013
Messages
787
Trophies
0
Age
50
XP
772
Country
Sorry to butt in, but I have a related question. I have 2 Switches, both on SXOS, one on 5.1, the other 6.1. Would I be able to play a multiplayer game (for example ARK) locally? Appreciate any advice!
 

Elliander

Well-Known Member
OP
Member
Joined
Sep 16, 2011
Messages
634
Trophies
1
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,449
Country
United States
> Sorry to butt in, but I have a related question. I have 2 Switches, both on SXOS, one on 5.1, the other 6.1. Would I be able to play a multiplayer game (for example ARK) locally? Appreciate any advice!

That's... kinda off topic, but no, you can't. However, you can use one to update the other, making this a valid way of getting to 6.1 firmware without needing to use homebrew. If you update the 5.1 to 6.1 then they can play together. As for whether the fuses would burn if you use an official updater but only update the emuNAND, I don't know.
 

RitchieRitchie

Well-Known Member
Member
Joined
Nov 15, 2013
Messages
787
Trophies
0
Age
50
XP
772
Country
> That's... kinda off topic, but no, you can't. However, you can use one to update the other, making this a valid way of getting to 6.1 firmware without needing to use homebrew. If you update the 5.1 to 6.1 then they can play together. As for whether the fuses would burn if you use an official updater but only update the emuNAND, I don't know.

Thanks for replying and apologies for going off topic! Oh, one other thing: if I were to update the 5.1 via the 6.1, would it include the exFAT update?
 

Elliander

Well-Known Member
OP
Member
Joined
Sep 16, 2011
Messages
634
Trophies
1
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,449
Country
United States
I don't believe so, but I am not sure. exFAT is considered separate from a system update, even though when installing it online a system update gets installed with it. Same thing for updating the Joy-Cons. Since the goal of "Match version with local users" is simply to be able to play with others, and since game updates can technically be installed to the sysNAND, I don't believe it would include the exFAT drivers.

That being said, if you have a microSD card in the Switch at the time you attempt this, it MIGHT, since that is a preferred place for it to go. If this works for you, please respond, because (back on topic) being able to send drivers separately from firmware might be an easier route to inject code this way.

Are the drivers signed the way firmware is?
 

smf

Well-Known Member
Member
Joined
Feb 23, 2009
Messages
6,642
Trophies
2
XP
5,861
Country
United Kingdom
> Thanks for replying and apologies for going off topic! Oh, one other thing: if I were to update the 5.1 via the 6.1, would it include the exFAT update?

You're best upgrading using ChoiDujourNX and selecting the exFAT update. By default it will enable AutoRCM to prevent you burning fuses, but you'll always need a dongle to boot; you can disable that if you don't care.
 