1. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France
    Hi! :D

    I'm new to the Switch hacking scene, I come from the 3DS one, and my idea may seem stupid, but I'm thinking of a way to hack patched Switches. First, sorry for my bad English. Do you know the steelhax exploit from the 3DS scene? It is a way to run the 3DS Homebrew Launcher by injecting a hacked save file for the game Steel Diver: Sub Wars onto the SD card, which will run unsigned code. As the save file needs to be encrypted, you need to send a false friend request to obtain the encryption. They've probably patched this issue for the Switch, but maybe we can inject a hacked save file (if making a hacked save file to run unsigned code is possible) into a clean NAND on an RCM-compatible Switch, then transfer the user with the hacked file to a patched Switch. Do you think it can work?
     
  2. Goku1992A

    Goku1992A GBAtemp Maniac
    Member

    Joined:
    Nov 20, 2019
    Messages:
    1,052
    Country:
    United States
    SXOS is currently selling modchips.
     
  3. tatumanu

    tatumanu GBAtemp Advanced Fan
    Member

    Joined:
    Nov 1, 2004
    Messages:
    599
    Country:
    Portugal
    Even if that were possible, the result would be 2 banned Switches.
     
  4. Itsuki235

    Itsuki235 GBAtemp Regular
    Member

    Joined:
    Jun 13, 2019
    Messages:
    231
    Country:
    United States
    Save data is now 100% always kept in the Switch's internal memory, and they provide exactly -zero- ways that are accessible to the user natively to ever export/import it. Only their official cloud servers can interact with the save data on the NAND.

    Theoretically, if one of their servers' auth (TLS) certificates were to leak (even an old one), a MITM could be performed that could be leveraged to reverse engineer their transfer protocol for game saves, but then you would still need a key that only they possess for the Switch to load that save data, and it would only work for that specific Switch. It could also/probably does require an online-account-specific key that may not be derivable without previously having hacked the Switch, so...

    So, Nintendo learned this lesson concerning save data the hard way, but they did learn it and are now draconian about it.

    This lack of freedom concerning YOUR save data that Nintendo thinks THEY own (because actually they do own it in Japan, but not in the USA/Europe), is one of the top reasons to hack your switch. It returns ownership of your save data back to you, because otherwise there is no way to get the console to give it to you.
     
  5. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France
    But there is the User data transfer in the console's settings, which can transfer users with their data :unsure:. I mean an RCM-compatible Switch with a CLEAN NAND, following for example this tutorial: https://gbatemp.net/threads/edit-of...up-restoring-via-fusee-gelee-payloads.541081/ , could make a custom save, then transfer it via the previously mentioned setting. And I know SXOS is selling modchips, but those cost money and need soldering.
     
  6. Itsuki235

    Itsuki235 GBAtemp Regular
    Member

    Joined:
    Jun 13, 2019
    Messages:
    231
    Country:
    United States
    Nintendo has been getting more serious about their system security. It makes sense to move the checking of signed/unsigned save data from the applications to the base OS (Horizon), so any and all modifications should be detectable.

    Remember that using a modified or restored save file = ban, especially for online games.

    Just because a specific user has not been banned does not mean much. It makes sense to keep some users who hacked their consoles unbanned in order to maintain telemetry on what hacked consoles look like. For example, according to Team Atlas (maintainers of Kosmos), just using CFW itself is not a ban reason; however, it would be foolish to think that Nintendo cannot detect it/are closely monitoring them.

    And if you notice, it is a chicken-and-egg problem. If you already have a hacked Switch, modifying/transferring your save data is not a problem; just use Checkpoint. But without CFW, there is no way to leverage save data to create an entry point for CFW on a console in the first place. That is the point of Nintendo's current draconian policies regarding user save data.

    So here is the crux of the issue: if it became common knowledge that such-and-such transferred save data could be leveraged to create an entry point, what do you think will happen to that feature in future? What do you think would happen to the people that followed that guide and edited their save data? What would happen to the accounts of people that transferred that modified save data? Note: transferring requires an online account.
     
  7. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France
    But a game could make save modifications offline, and you won't be banned for this, and according to the creator of the thread I sent you, and with a bit of logic, you can't be banned. Also, I'm still talking about a CLEAN NAND from an RCM-compatible console, which transfers data using an OFFICIAL SETTING in Horizon OS to a patched console, so the source console could STILL connect to the Internet.

    At first, I just wanted to know if you could run unsigned code from a save file. I'll take the risk to test; I don't care.
     
  8. BaamAlex

    BaamAlex DINKELBERG!
    Member

    Joined:
    Jul 23, 2018
    Messages:
    2,772
    Country:
    Germany
    Here is the moment where I have to stop you. How would you do that? It is not possible to inject your own save files or dump them.

    Unpatched units can already perform fusée gelée, which makes your method superfluous given the aforementioned.

    And as stated before, the result would be 2 banned switches.
     
  9. Itsuki235

    Itsuki235 GBAtemp Regular
    Member

    Joined:
    Jun 13, 2019
    Messages:
    231
    Country:
    United States
    Think about what that means for a second.

    1. RCM Switch
    2. Modify save data for a particular title on that Switch
    3. Link online account
    4. Get Mariko Switch
    5. Link online account to second Switch
    6. Pay for online service
    7. Upload modified save data online
    8. Download it again for a particular title on the Mariko Switch

    If they figured out that the modified save data from #2 (which was also given to them to closely inspect in #7) was being leveraged to create an entry point, they would instantly block transfers of save data for that title, ban both consoles, and the associated online account.

    That would effectively close the entry point for everyone if someone ever leaked it/used it.

    While theoretically possible, that is beyond fragile without a way to impersonate the entire online service itself. No one can do that without multiple certs that are obviously secret and that are only stored on official servers. It would be months of work for a one-time hack that would instantly be blocked. It would be a pointless endeavor.
     
  10. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France
    Let me modify this :

    1. Follow this tutorial: https://gbatemp.net/threads/edit-of...up-restoring-via-fusee-gelee-payloads.541081/ to inject a "hacked" save file into a newly created user on your RCM-compatible console, assuming you can run unsigned code from a save file.

    2. Transfer this user with Local User Transfer.

    3. Go into airplane mode (or use 90dns)

    4. Run the game made for the "hacked" save file with the "letterbomb" user.

    5. Profit !

    I know you need a Nintendo account to transfer the save file, but just create a new one! You don't need to pay for the online service, as you don't need the cloud. You'll never use this account again.
     
  11. Itsuki235

    Itsuki235 GBAtemp Regular
    Member

    Joined:
    Jun 13, 2019
    Messages:
    231
    Country:
    United States
    I am not sure how you can understand that a Nintendo account is still required but can't seem to grasp the concept that linking one will connect the console to Nintendo. That obviously means they can block the transfer from occurring, since the console needs to be connected to them during the transfer.

    https://en-americas-support.nintend...id/27394/~/how-to-transfer-user-and-save-data

    However, you are correct about not needing to pay for online to transfer between consoles.
     
  12. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France
    You do need a Nintendo account to transfer a user, I've already tested. I don't grasp how they would detect the save as something that would run something else, as it transfers by Bluetooth (I also tested). You just need to connect to the internet so the server can check if both consoles are on the latest firmware.
     
  13. Itsuki235

    Itsuki235 GBAtemp Regular
    Member

    Joined:
    Jun 13, 2019
    Messages:
    231
    Country:
    United States
    I don't know if you can't read or are just dense, but I will not be responding further.

    From the link above:
    Emphasis added.
     
  14. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France

    • "Both systems must be updated to system menu version 4.0.0 or higher, connected to the internet, and within proximity of each other for LOCAL communication."
    • A Nintendo Account must be linked to the user account you wish to transfer from the source system.

    And I was also right about the mandatory Nintendo account linked to the user; you proved it yourself. So now PLEASE, tell me if you can use modified save data to run unsigned code.
     
    Last edited by Dathuss, May 8, 2020
  15. masagrator

    masagrator The developper
    Member

    Joined:
    Oct 14, 2018
    Messages:
    3,296
    Country:
    Poland
    Still:
    - Games run in a sandbox on the Switch; you would need to somehow break the sandbox and get access to everything else
    - Find a game that allows this
     
  16. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France
    That's the kind of answer I wanted to hear!

    - Do you know which program handles this "sandbox" mode? I'll try to reverse engineer it.

    - Yes, that will be the hardest part, but I'll first check how this "sandbox" mode works.
     
  17. masagrator

    masagrator The developper
    Member

    Joined:
    Oct 14, 2018
    Messages:
    3,296
    Country:
    Poland
    Nope, I don't know. If I knew that, I would make a patch that changes flags and syscalls to get all permissions in games. :P
     
  18. Dathuss

    OP Dathuss Member
    Newcomer

    Joined:
    Mar 29, 2018
    Messages:
    46
    Country:
    France
    Okay, I understand. Well, here lies Dathuss' super hacking quest.
    Duration: less than one day (well, that's quite short).

    Except if someone has a suggestion, of course ;)
     
  19. Der_Blockbuster

    Der_Blockbuster GBAtemp Advanced Fan
    Member

    Joined:
    Mar 2, 2016
    Messages:
    779
    Country:
    Germany
    First off, you should probably visit https://switchbrew.org/wiki/Main_Page
    and find documentation on how the Switch works.
    Test your hypothesis: code a small "game" that accesses something in the save files.
    Try to make changes to it and so on.
    I don't know if the hypervisor is deactivated when running CFW, but I think there should be a reimplementation running from AMS.
    I think this should work in Atmosphère.

    Good luck!
     
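    As an added illustration (not code from this thread, from any real game, or from Nintendo's system software), the toy save loader below models the two things argued over above: the steelhax-style bug that masagrator's "find a game that allows this" refers to, where a game trusts a length field in its own save file and copies it into a fixed buffer, and the OS-level integrity check Itsuki235 expects Horizon to perform before a save is handed to the game. Everything here is an assumption constructed for the example: the save layout, the keyed FNV-1a checksum standing in for whatever MAC or signature the real system uses, and the per-console keys KEY_A/KEY_B. The hardened loader rejects an oversized length, a tampered byte, or a save tagged under another console's key before the game's parser touches a byte, which is the property Itsuki235 is arguing the real system enforces.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy save layout (constructed for this example; not any real game's format):
 *   u32 magic       "SAVE"
 *   u32 name_len    length field the game trusts (attacker-controlled)
 *   u8  name[name_len]
 *   u32 tag         integrity tag over everything before it, keyed per console
 */
#define SAVE_MAGIC 0x45564153u
#define NAME_MAX   32
#define HDR_LEN    8
#define TAG_LEN    4

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Keyed FNV-1a checksum standing in for the real MAC/signature
 * (assumption: the actual scheme is not documented in this thread). */
static uint32_t toy_tag(const uint8_t *p, size_t n, uint32_t key) {
    uint32_t h = 0x811c9dc5u ^ key;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Steelhax-style bug: the game trusts name_len from the file and copies into
 * a fixed stack buffer, so a save with name_len > NAME_MAX smashes the stack.
 * Returns 0 on success, -1 on bad header. Only called here with honest input. */
int load_save_vulnerable(const uint8_t *buf, size_t len, char *out) {
    char name[NAME_MAX];
    if (len < HDR_LEN || rd32(buf) != SAVE_MAGIC) return -1;
    uint32_t name_len = rd32(buf + 4);
    memcpy(name, buf + HDR_LEN, name_len);   /* unchecked length */
    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return 0;
}

/* Hardened loader: bound every length, require an exact file size, and verify
 * the keyed tag before trusting a single payload byte.
 * Returns 0 ok, -1 bad header, -2 bad length, -3 tag mismatch. */
int load_save_hardened(const uint8_t *buf, size_t len, uint32_t key, char *out) {
    if (len < HDR_LEN + TAG_LEN || rd32(buf) != SAVE_MAGIC) return -1;
    uint32_t name_len = rd32(buf + 4);
    if (name_len > NAME_MAX) return -2;
    if (len != HDR_LEN + name_len + TAG_LEN) return -2;
    if (rd32(buf + HDR_LEN + name_len) != toy_tag(buf, HDR_LEN + name_len, key))
        return -3;
    memcpy(out, buf + HDR_LEN, name_len);
    out[name_len] = '\0';
    return 0;
}

/* Build a save; len_field lets the caller lie in the length field. */
size_t build_save(uint8_t *o, const char *name, uint32_t len_field, uint32_t key) {
    size_t n = strlen(name);
    wr32(o, SAVE_MAGIC);
    wr32(o + 4, len_field);
    memcpy(o + HDR_LEN, name, n);
    wr32(o + HDR_LEN + n, toy_tag(o, HDR_LEN + n, key));
    return HDR_LEN + n + TAG_LEN;
}

#define KEY_A 0x1234abcdu   /* assumed per-console key of the source console */
#define KEY_B 0xdeadbeefu   /* assumed key of a different (target) console */

int demo_valid(void) {           /* honest save on the console that made it */
    uint8_t b[64]; char n[NAME_MAX + 1];
    size_t l = build_save(b, "Link", 4, KEY_A);
    return load_save_hardened(b, l, KEY_A, n) == 0 && strcmp(n, "Link") == 0;
}
int demo_forged_length(void) {   /* crafted save: length field says 4096 */
    uint8_t b[64]; char n[NAME_MAX + 1];
    size_t l = build_save(b, "Link", 4096, KEY_A);
    return load_save_hardened(b, l, KEY_A, n);   /* -2 */
}
int demo_wrong_console(void) {   /* same save checked under another console's key */
    uint8_t b[64]; char n[NAME_MAX + 1];
    size_t l = build_save(b, "Link", 4, KEY_A);
    return load_save_hardened(b, l, KEY_B, n);   /* -3 */
}
int demo_tampered(void) {        /* one payload byte edited after tagging */
    uint8_t b[64]; char n[NAME_MAX + 1];
    size_t l = build_save(b, "Link", 4, KEY_A);
    b[HDR_LEN] ^= 0x01;
    return load_save_hardened(b, l, KEY_A, n);   /* -3 */
}

int main(void) {
    uint8_t b[64]; char n[NAME_MAX + 1];
    size_t l = build_save(b, "Link", 4, KEY_A);
    printf("vulnerable loader, honest save: %d (%s)\n", load_save_vulnerable(b, l, n), n);
    printf("valid=%d forged_len=%d wrong_console=%d tampered=%d\n",
           demo_valid(), demo_forged_length(), demo_wrong_console(), demo_tampered());
    return 0;
}
```

    The ordering in load_save_hardened is the part worth copying: the length is bounded before it is used as an offset, the file size is compared exactly so no trailing bytes can be smuggled in, and the tag is checked before any parsing, so the only way a crafted save reaches the game's parser is through a forged tag. Note that the tag in load_save_vulnerable is never even read; a per-console key only helps if the component doing the check runs outside the game, which is the move to Horizon that Itsuki235 describes.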
  20. link42586

    link42586 GBAtemp Fan
    Member

    Joined:
    May 9, 2018
    Messages:
    321
    Country:
    United States