Hacking Suggestion: I may have an idea to hack patched Switches

Dathuss

Hi! :D

I'm new to the Switch hacking scene; I come from the 3DS one, and my idea may seem stupid, but I'm thinking of a way to hack patched Switches. First, sorry for my bad English. Do you know the exploit steelhax from the 3DS scene? It is a way to run the 3DS Homebrew Launcher by injecting a hacked save file for the game Steel Diver: Sub Wars onto the SD card, which will run unsigned code. As the save file needs to be encrypted, you need to send a false friend request to obtain the encryption. They've probably patched this issue for the Switch, but maybe we can inject a hacked save file (if making a hacked save file to run unsigned code is possible) into a clean NAND from an RCM-compatible Switch, then transfer the user with the hacked file to a patched Switch. Do you think it can work?
 

Itsuki235

Do you know the exploit steelhax from the 3DS scene? It is a way to run the 3DS Homebrew Launcher by injecting a hacked save file for the game Steel Diver: Sub Wars onto the SD card, which will run unsigned code.
[...]
Do you think it can work?
Save data is now 100% always kept on the native Switch internal memory, and they provide exactly -zero- ways accessible to the user natively to ever export/import it. Only their official cloud servers can interact with the save data on the NAND.

Theoretically, if one of their servers' auth (TLS) certificates were to leak (even an old one), a MITM could be performed that could be leveraged to reverse engineer their transfer protocol for game saves, but then you would still need a key that only they possess for the Switch to load that save data, and it would only work for that specific Switch. It could also (and probably does) require an online-account-specific key that may not be derivable without previously having hacked the Switch, so...

So, Nintendo learned this lesson concerning save data the hard way, but they did learn it and are now draconian about it.

This lack of freedom concerning YOUR save data, which Nintendo thinks THEY own (because actually they do own it in Japan, but not in the USA/Europe), is one of the top reasons to hack your Switch. It returns ownership of your save data to you, because otherwise there is no way to get the console to give it to you.
 

Dathuss

Save data is now 100% always kept on the native Switch internal memory, and they provide exactly -zero- ways accessible to the user natively to ever export/import it. Only their official cloud servers can interact with the save data on the NAND.

Theoretically, if one of their servers' auth (TLS) certificates were to leak (even an old one), a MITM could be performed that could be leveraged to reverse engineer their transfer protocol for game saves, but then you would still need a key that only they possess for the Switch to load that save data, and it would only work for that specific Switch. It could also (and probably does) require an online-account-specific key that may not be derivable without previously having hacked the Switch, so...

So, Nintendo learned this lesson concerning save data the hard way, but they did learn it and are now draconian about it.

This lack of freedom concerning YOUR save data, which Nintendo thinks THEY own (because actually they do own it in Japan, but not in the USA/Europe), is one of the top reasons to hack your Switch. It returns ownership of your save data to you, because otherwise there is no way to get the console to give it to you.

But there is the User data transfer in the console's settings, which can transfer users with their data :unsure:. I mean an RCM-compatible Switch with a CLEAN NAND, by following for example this tutorial: https://gbatemp.net/threads/edit-of...up-restoring-via-fusee-gelee-payloads.541081/ , could make a custom save, then transfer it with the previously mentioned setting. And I know SXOS is selling modchips, but these cost money and need soldering.
 

Itsuki235

But there is the User data transfer in the console's settings, which can transfer users with their data :unsure:. I mean an RCM-compatible Switch with a CLEAN NAND, by following for example this tutorial: https://gbatemp.net/threads/edit-of...up-restoring-via-fusee-gelee-payloads.541081/ , could make a custom save, then transfer it with the previously mentioned setting. And I know SXOS is selling modchips, but these cost money and need soldering.
Nintendo has been getting more serious with their system security. It makes sense to move the checking of signed/unsigned save data from the applications to the base OS (Horizon), so any and all modifications should be detectable.

Remember that using a modified or restored save file = ban, especially for online games.

Just because a specific user has not been banned does not mean much. It makes sense to keep some users who hacked their consoles unbanned in order to maintain telemetry on what hacked consoles look like. For example, according to Team Atlas (maintainers of Kosmos), just using CFW itself is not a ban reason; however, it would be foolish to think that Nintendo cannot detect it / are not closely monitoring them.

And if you notice, it is a chicken-and-egg problem. If you already have a hacked Switch, modifying/transferring your save data is not a problem; just use Checkpoint. But without CFW, there is no way to leverage save data to create an entry point on a console for CFW in the first place. That is the point of Nintendo's current draconian policies regarding user save data.

So here is the crux of the issue: if it became common knowledge that such-and-such transferred save data could be leveraged to create an entry point, what do you think will happen to that feature in the future? What do you think would happen to the people that followed that guide and edited their save data? What would happen to the accounts of people that transferred that modified save data? Note: transferring requires an online account.
 

Dathuss

Nintendo has been getting more serious with their system security. It makes sense to move the checking of signed/unsigned save data from the applications to the base OS (Horizon), so any and all modifications should be detectable.

Remember that using a modified or restored save file = ban, especially for online games.

Just because a specific user has not been banned does not mean much. It makes sense to keep some users who hacked their consoles unbanned in order to maintain telemetry on what hacked consoles look like. For example, according to Team Atlas (maintainers of Kosmos), just using CFW itself is not a ban reason; however, it would be foolish to think that Nintendo cannot detect it / are not closely monitoring them.

And if you notice, it is a chicken-and-egg problem. If you already have a hacked Switch, modifying/transferring your save data is not a problem; just use Checkpoint. But without CFW, there is no way to leverage save data to create an entry point on a console for CFW in the first place. That is the point of Nintendo's current draconian policies regarding user save data.

So here is the crux of the issue: if it became common knowledge that such-and-such transferred save data could be leveraged to create an entry point, what do you think will happen to that feature in the future? What do you think would happen to the people that followed that guide and edited their save data? What would happen to the accounts of people that transferred that modified save data? Note: transferring requires an online account.

But a game could make save modifications offline, and you won't be banned for this; according to the creator of the thread I sent you, and with a bit of logic, you can't be banned. Also, I'm still talking about a CLEAN NAND from an RCM-compatible console, which transfers data using an OFFICIAL SETTING on Horizon OS to a patched console, so the source console could STILL connect to the Internet.

At first, I just wanted to know if you could run unsigned code from a save file. I'll take the risk to test; I don't care.
 

BaamAlex

It is a way to run the 3DS Homebrew Launcher by injecting a hacked save file for the game Steel Diver: Sub Wars onto the SD card
Here is the moment where I have to stop you. How would you do that? It is not possible to inject your own save files or dump them.

but maybe we can inject a hacked save file (if making a hacked save file to run unsigned code is possible) into a clean NAND from an RCM-compatible Switch
Unpatched units can already perform fusée gelée, which would make your method superfluous with the aforementioned.

then transfer the user with the hacked file to a patched Switch. Do you think it can work?
And as stated before, the result would be 2 banned Switches.
 

Itsuki235

But a game could make save modifications offline, and you won't be banned for this; according to the creator of the thread I sent you, and with a bit of logic, you can't be banned. Also, I'm still talking about a CLEAN NAND from an RCM-compatible console, which transfers data using an OFFICIAL SETTING on Horizon OS to a patched console, so the source console could STILL connect to the Internet.

At first, I just wanted to know if you could run unsigned code from a save file. I'll take the risk to test; I don't care.
Think about what that means for a second.

1. RCM Switch
2. Modify save data for a particular title on that Switch
3. Link online account
4. Get Mariko Switch
5. Link online account to second Switch
6. Pay for online service
7. Upload modified save data online
8. Download it again for a particular title on the Mariko Switch

If they figured out that the modified save data from #2 (which was also given to them to closely inspect in #7) was being leveraged to create an entry point, they would instantly block transfers of save data for that title, ban both consoles, and ban the associated online account.

That would effectively close the entry point for everyone if someone ever leaked it / used it.

While theoretically possible, that is beyond fragile without a way to impersonate the entire online service itself. No one can do that without multiple certs that are obviously secret and that are only stored on official servers. It would be months of work for a one-time hack that would instantly be blocked. It would be a pointless endeavor.
 

Dathuss

Think about what that means for a second.

5. Link online account to second Switch
6. Pay for online service
7. Upload modified save data online
8. Download it again for a particular title on the Mariko Switch

Let me modify this:

1. Follow this tutorial: https://gbatemp.net/threads/edit-of...up-restoring-via-fusee-gelee-payloads.541081/ to inject a "hacked" save file into a newly created user on your RCM-compatible console, assuming you can run unsigned code from a save file.

2. Transfer this user with Local User Transfer.

3. Go into airplane mode (or use 90DNS).

4. Run the game made for the "hacked" save file with the "letterbomb" user.

5. Profit!

I know you need a Nintendo account to transfer the save file, but just create a new one! You don't need to pay for the online service, as you don't need the cloud. You'll never use this account again.
 

Itsuki235

I am not sure how you can understand that a Nintendo account is still required but can't seem to grasp the concept that linking one will connect the console to Nintendo. That obviously means they can block the transfer from occurring, since the console needs to be connected to them during the transfer.

https://en-americas-support.nintend...id/27394/~/how-to-transfer-user-and-save-data

However, you are correct about not needing to pay for online to transfer consoles.
 

Dathuss

I am not sure how you can understand that a Nintendo account is still required but can't seem to grasp the concept that linking one will connect the console to Nintendo. That obviously means they can block the transfer from occurring, since the console needs to be connected to them during the transfer.

https://en-americas-support.nintend...id/27394/~/how-to-transfer-user-and-save-data

However, you are correct about not needing to pay for online to transfer consoles.

You do need a Nintendo account to transfer a user; I've already tested. I don't grasp how they would detect the save as something that would run something else, as it transfers by Bluetooth (I also tested). You just need to connect to the Internet so the server can check if both consoles are on the latest firmware.
 

Itsuki235

I don't know if you can't read or are just dense but I will not be responding further.

From the link above:
  • Both systems must be updated to system menu version 4.0.0 or higher, connected to the Internet, and within proximity of each other for local communication.
  • A Nintendo Account must be linked to the user account you wish to transfer from the source system.

Emphasis added.
 

Dathuss

I don't know if you can't read or are just dense but I will not be responding further.

From the link above:
  • "Both systems must be updated to system menu version 4.0.0 or higher, connected to the internet, and within proximity of each other for LOCAL communication."
  • A Nintendo Account must be linked to the user account you wish to transfer from the source system.

Emphasis added.

I am not sure how you can understand that a Nintendo account is still required

And I was also right about the mandatory Nintendo account linked to the user; you proved it yourself. So now PLEASE, tell me if you can use modified save data to run unsigned code.
 
Last edited by Dathuss,

masagrator

Still:
- Games run in a sandbox on the Switch; you would need to somehow break the sandbox and get access to everything else
- Find a game that allows this
 

Dathuss

Still:
- Games run in a sandbox on the Switch; you would need to somehow break the sandbox and get access to everything else
- Find a game that allows this

That's the kind of answer I wanted to hear!

- Do you know which program handles this "sandbox" mode? I'll try reverse engineering it.

- Yes, that will be the hardest part, but I'll first check how this "sandbox" mode works.
 

masagrator

That's the kind of answer I wanted to hear!

- Do you know which program handles this "sandbox" mode? I'll try reverse engineering it.

- Yes, that will be the hardest part, but I'll first check how this "sandbox" mode works.
Nope, I don't know. If I knew that, I would make a patch that changes flags and syscalls to get all permissions in games. :P
 

Dathuss

Nope, I don't know. If I knew that, I would make a patch that changes flags and syscalls to get all permissions in games. :P

Okay, I understand. Well, here lies Dathuss' super hacking quest.
Duration: less than one day (well, that's quite short).

Unless someone has a suggestion, of course ;)
 

Der_Blockbuster

Hi! :D

I'm new to the Switch hacking scene; I come from the 3DS one, and my idea may seem stupid, but I'm thinking of a way to hack patched Switches. First, sorry for my bad English. Do you know the exploit steelhax from the 3DS scene? It is a way to run the 3DS Homebrew Launcher by injecting a hacked save file for the game Steel Diver: Sub Wars onto the SD card, which will run unsigned code. As the save file needs to be encrypted, you need to send a false friend request to obtain the encryption. They've probably patched this issue for the Switch, but maybe we can inject a hacked save file (if making a hacked save file to run unsigned code is possible) into a clean NAND from an RCM-compatible Switch, then transfer the user with the hacked file to a patched Switch. Do you think it can work?
First off, you should probably visit https://switchbrew.org/wiki/Main_Page
and find documentation on how the Switch works.
Test your hypothesis: code a small "game" that accesses something in the save files.
Try to make changes to it and so on.
I don't know if the hypervisor is deactivated when running CFW, but I think there should be a reimplementation running from AMS.
I think this should work in Atmosphère.

Good luck!
 
