[Concept] Using LayeredFS to bypass anti-piracy measures

RHOPKINS13 (OP)
So tired of seeing multiple threads for the same thing here, but I've thought of something that I don't think anyone else has posted yet.

SciresM made an AMAZING Reddit post about how Nintendo implemented anti-piracy on the Switch. If you haven't read it yet, I really encourage you to do so:
https://www.reddit.com/r/SwitchHacks/comments/8rxg26/psa_strong_antipiracy_measures_implemented_by/

It seems that Nintendo has learned from its past mistakes with the 3DS and Wii U.

We currently have two ways of loading "backups" on Switch: SX OS and LayeredFS. I don't know the inner workings of SX OS, or whether this would even be plausible with SX OS, so I'm going to focus on the LayeredFS one.

LayeredFS works by "overriding" one Title ID to launch backup game files instead. It can override both eShop and cartridge titles. Currently, most people use LayeredFS by changing the title id in their backup's exefs to match their "target" title, and then throwing it in the right folder for Atmosphere to load when that title is opened.

What if we use a physical, legit cartridge to load a cartridge backup, and instead of just injecting the title ID into the backup, we ALSO inject the legit game's certificate? So when the Nintendo Switch goes online, Nintendo sees a matching Title ID and Certificate, and there's no reason for a ban.

Now, this method isn't exactly fool-proof. If you tried to actually play your backup online, Nintendo could probably detect this (Why is this person's Switch trying to connect to Splatoon servers while they're playing MarioKart 8 Deluxe?) Or maybe they won't/haven't taken their anti-piracy measures that far? But I'd imagine it's safer than playing with no certificate or a pirated one, and it would probably stop Nintendo from banning based on logs on the Switch if the Switch is logging certificate data.

This post is just for speculation and discussion, and hopefully somebody will try this and let us know their results.

Oh yeah, and I'm not responsible if you get your Switch banned or bricked. </legal disclaimer>
 

d4nielr
So you're saying use the header of a legit game we own on a backup? I mean, it could work with SX OS, because all that does is emulate a game cart.
 

LordVe
If I remember right, Nintendo will ban you if the Cert doesn't match the game. So, you go online with MK8 after loading it your way. Nintendo sees the Game you loaded with, then that MK8 is trying to access the online server from the same switch without providing a valid MK8 Title Id and Cert. Now you are banned...
 

Maximilious
The headers are signed to the game they belong to. The days of re-writing headers/certificates like in the 3DS days to specific games is over.
 

RHOPKINS13 (OP)
This could work, in theory. But the thing is: how the fuck do we inject the game certificate owo

You could backup your legit cartridge using the WAIN Cart Dumper, then extract the certificate and import it into your "backup" for the other game you're trying to play using XCI-Explorer.

--------------------- MERGED ---------------------------

The headers are signed to the game they belong to. The days of re-writing headers/certificates like in the 3DS days to specific games is over.

Signed to what? The entire cartridge? If so, I wouldn't expect game mods to work with LayeredFS. If it's just signed to the Title ID, and we're replacing both, I don't see the issue?
 
Deletedmember438770 (Guest)
You could backup your legit cartridge using the WAIN Cart Dumper, then extract the certificate and import it into your "backup" for the other game you're trying to play using XCI-Explorer.

--------------------- MERGED ---------------------------



Signed to what? The entire cartridge? If so, I wouldn't expect game mods to work with LayeredFS. If it's just signed to the Title ID, and we're replacing both, I don't see the issue?
Certs aren't signed to a specific cartridge?
 

Sgt. Lulz
For digital titles: No. Just no.
For cartridge titles: Cartridge Certificates are unique to the cartridge and tied to the TitleID and Version, as well as more information that's unknown as of yet.
Additionally, Application Authorization Tokens are, as their name implies, tied to the Application that's authorized to use them. It wouldn't end very well for you if you tried to use an AAT generated for Mario Kart 8 Deluxe in Splatoon 2.

If that's not spicy enough, to make matters even spicier, all this data is also sent to Nintendo's servers alongside your Nintendo Account ID and your Device ID, so they'll know exactly who's trying funny business.
 

Draxzelex
SciresM said he is unsure if it's safe or not to inject a header from a cartridge of the same game, so I would not recommend this.
If you're looking for hard evidence (network logs, capture files, decompiled modules, SDK reference materials, etc) I don't have them, no. My source of the info may though, you should ask them:

 

RHOPKINS13 (OP)
For digital titles: No. Just no.
For cartridge titles: Cartridge Certificates are unique to the cartridge and tied to the TitleID and Version, as well as more information that's unknown as of yet.
Additionally, Application Authorization Tokens are, as their name implies, tied to the Application that's authorized to use them. It wouldn't end very well for you if you tried to use an AAT generated for Mario Kart 8 Deluxe in Splatoon 2.

If that's not spicy enough, to make matters even spicier, all this data is also sent to Nintendo's servers alongside your Nintendo Account ID and your Device ID, so they'll know exactly who's trying funny business.

Right, this would only apply to cartridge titles.

So I agree it would probably still be a bad idea to play online with these backups, but if you're offline I would think it would prevent the Switch from logging something you could be banned for when you go back online?
 

RHOPKINS13 (OP)
I mean, that sounds great and all. But what if, for example, boginstaller comes out? I won't want to keep using layeredFS, cause it's a hassle to get a game working.

Currently all BogInstaller does is install Splatoon 2 Testfire from Nintendo's CDN, and I don't really see much evidence that it's going to ever do much more than that. Trying to download a game you don't own from Nintendo's CDN sounds like a surefire way of getting banned.

There's no reason to believe that a homebrew can't be developed that would make LayeredFS easy. On the PC, we could have software that would take your "donor cartridge" certificate, title id, header, etc. and extract every XCI in a folder and inject them automatically. Then perhaps you could copy all of that data into a dedicated folder on your Switch microSD, let's say /dumps/, and a homebrew application could automatically move them to the correct folder under /atmosphere/ for your donor cartridge.

So you'd have something somewhat similar to SX OS's GUI, just as a separate homebrew you'd run instead. Or maybe LayeredFS mods could be made to work on Horizon and replicate the SX OS GUI completely. But as far as the Switch knows, you're running a legit cartridge with a legit title id and matching cert.

LayeredFS doesn't need to be so much of a hassle. We just need better tools developed for it.
 

BlastedGuy9905
Currently all BogInstaller does is install Splatoon 2 Testfire from Nintendo's CDN, and I don't really see much evidence that it's going to ever do much more than that. Trying to download a game you don't own from Nintendo's CDN sounds like a surefire way of getting banned.

There's no reason to believe that a homebrew can't be developed that would make LayeredFS easy. On the PC, we could have software that would take your "donor cartridge" certificate, title id, header, etc. and extract every XCI in a folder and inject them automatically. Then perhaps you could copy all of that data into a dedicated folder on your Switch microSD, let's say /dumps/, and a homebrew application could automatically move them to the correct folder under /atmosphere/ for your donor cartridge.

So you'd have something somewhat similar to SX OS's GUI, just as a separate homebrew you'd run instead. Or maybe LayeredFS mods could be made to work on Horizon and replicate the SX OS GUI completely. But as far as the Switch knows, you're running a legit cartridge with a legit title id and matching cert.

LayeredFS doesn't need to be so much of a hassle. We just need better tools developed for it.
Ohh boy.. You have no idea how much I've struggled with keys.ini. And asking for support yielded no results, as I've been trying to reach PRAGMA for the last 5 fucking days. Asking him to reply also yielded no results. I am fucking mad at every single little part of the procedure to decrypt XCIs.

EDIT: Every single XCI I've decrypted (except LEGO Worlds, which worked with Stern Pinball Arcade) didn't work, as the files I got from the decryption in total were smaller than the XCI itself. I've tried Skyrim, Cave Story+ and even Batman: The Telltale Series. NONE of them worked.
 

KazoWAR
From what I got from SciresM's post, certs from a game cart say what game they are from. You can't edit that without making it invalid, and then it's not going to work anyway. You can only replace a cert from a Mario Kart with one from another Mario Kart, and at that point it's completely pointless.
 

RHOPKINS13 (OP)
Ohh boy.. You have no idea how much I've struggled with keys.ini. And asking for support yielded no results, as I've been trying to reach PRAGMA for the last 5 fucking days. Asking him to reply also yielded no results. I am fucking mad at every single little part of the procedure to decrypt XCIs.

I'm not disagreeing with you, using LayeredFS to launch backups is currently a giant PITA. But with the proper tools it doesn't have to be. I could imagine an all-in-one homebrew that would grab the needed keys, automatically extract a selected XCI to the right folder under /atmosphere/, grab the header and certificate from the currently inserted cartridge, and inject it into the backup, preparing it for launch.

--------------------- MERGED ---------------------------

From what I got from SciresM's post, certs from a game cart say what game they are from. You can't edit that without making it invalid, and then it's not going to work anyway. You can only replace a cert from a Mario Kart with one from another Mario Kart, and at that point it's completely pointless.
You are missing my point, we wouldn't just be replacing the cert. We would also replace the header that includes the title id of the game, so that as far as the Switch can tell, the cert and game match.
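The binding argument made by Sgt. Lulz and KazoWAR, and the "replace the header too" counter-point in the reply above, as an added example that is not part of the thread and is not Nintendo's real format or protocol: a toy model in Python in which a cartridge certificate is bound to (title ID, version, card ID), an Application Authorization Token is bound to (application, device), and the verifying side checks both against what the console reports and which game service it is talking to. A real gamecard certificate carries an RSA signature; the HMAC key held by the verifier here is a stand-in for that, and the field names, the order of checks and the sample title IDs are assumptions made for the example.

```python
"""Toy model of the cartridge-certificate / AAT binding discussed in the thread.

Added illustration, NOT Nintendo's real certificate format or protocol. A real
gamecard certificate carries an RSA signature over its fields; here the
verifying side holds an HMAC key as a stand-in for signature verification.
Field names, the check policy and the sample title IDs are assumptions.
"""
import hashlib
import hmac
import json

# Constructed placeholder title IDs for the thread's two examples
# (Mario Kart 8 Deluxe and Splatoon 2); these are NOT the real IDs.
MK8_TITLE = "0100000000001000"
SPL2_TITLE = "0100000000002000"

# Assumption: stand-in for the issuer's signing key, held by the verifier.
VERIFIER_KEY = b"stand-in for the issuer signing key"


def _sign(fields: dict) -> str:
    """Stand-in for the RSA signature over a certificate/token body."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(VERIFIER_KEY, body, hashlib.sha256).hexdigest()


def issue_cart_cert(title_id: str, version: int, card_id: str) -> dict:
    """Certificate bound to one title, one version and one physical card."""
    fields = {"title_id": title_id, "version": version, "card_id": card_id}
    return {"fields": fields, "sig": _sign(fields)}


def issue_aat(title_id: str, device_id: str) -> dict:
    """Application Authorization Token bound to one application and device."""
    fields = {"app_id": title_id, "device_id": device_id}
    return {"fields": fields, "sig": _sign(fields)}


def server_check(launch_title_id: str, cert: dict, aat: dict,
                 service_title_id: str, device_id: str) -> str:
    """Model of the server-side checks; returns "ok" or the rejection reason.

    launch_title_id  : title ID the console reports it launched (the value in
                       the header/NPDM that LayeredFS users edit)
    service_title_id : the game service the client is actually talking to
    device_id        : device ID sent alongside the account, per the thread
    """
    if not hmac.compare_digest(_sign(cert["fields"]), cert["sig"]):
        return "cert signature invalid"          # certificate fields were edited
    if not hmac.compare_digest(_sign(aat["fields"]), aat["sig"]):
        return "aat signature invalid"
    if cert["fields"]["title_id"] != launch_title_id:
        return "cert/title mismatch"             # cert belongs to another game
    if aat["fields"]["device_id"] != device_id:
        return "aat bound to another device"
    if aat["fields"]["app_id"] != service_title_id:
        return "aat not valid for this service"  # MK8 token at Splatoon 2's service
    if cert["fields"]["title_id"] != service_title_id:
        return "launched title differs from service"
    return "ok"


def scenario_genuine() -> str:
    """Legit MK8 cartridge playing MK8 online."""
    cert = issue_cart_cert(MK8_TITLE, 1, "card-A")
    aat = issue_aat(MK8_TITLE, "dev-1")
    return server_check(MK8_TITLE, cert, aat, MK8_TITLE, "dev-1")


def scenario_donor_cert_online() -> str:
    """The thread's idea: Splatoon 2 backup carrying MK8's header AND MK8's
    genuine cert. Header and cert agree, but the game code still talks to
    Splatoon 2's service with a token issued for the reported title."""
    cert = issue_cart_cert(MK8_TITLE, 1, "card-A")
    aat = issue_aat(MK8_TITLE, "dev-1")
    return server_check(MK8_TITLE, cert, aat, SPL2_TITLE, "dev-1")


def scenario_edited_cert() -> str:
    """Rewriting the title ID inside a genuine cert, keeping its signature."""
    cert = issue_cart_cert(MK8_TITLE, 1, "card-A")
    cert["fields"]["title_id"] = SPL2_TITLE   # 3DS-style header edit
    aat = issue_aat(SPL2_TITLE, "dev-1")
    return server_check(SPL2_TITLE, cert, aat, SPL2_TITLE, "dev-1")


def scenario_foreign_device() -> str:
    """Genuine MK8 pair, but the AAT was issued to a different console."""
    cert = issue_cart_cert(MK8_TITLE, 1, "card-A")
    aat = issue_aat(MK8_TITLE, "dev-2")
    return server_check(MK8_TITLE, cert, aat, MK8_TITLE, "dev-1")
```

Running the scenarios shows why swapping the header and the certificate together is not enough in this model: the donor pair is self-consistent offline, but once the backup's own code contacts the other game's service the token issued for the reported title is rejected, and editing the title ID inside the certificate instead breaks its signature. Whether the real servers apply exactly these checks is not something the thread establishes; the model only makes the argument concrete.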
 

BlastedGuy9905
I'm not disagreeing with you, using LayeredFS to launch backups is currently a giant PITA. But with the proper tools it doesn't have to be. I could imagine an all-in-one homebrew that would grab the needed keys, automatically extract a selected XCI to the right folder under /atmosphere/, grab the header and certificate from the currently inserted cartridge, and inject it into the backup, preparing it for launch.
I need that right now. Make a homebrew for the Switch, that you run on the Switch, that takes an xci file on the root of your SD card and decrypts it with keys that it grabs THEN AND THERE. It would be a blessing.
 
