Incognito_RCM - wipe personal information to reduce risk of ban

Incognito_RCM

since Incognito by blawar doesn't work on vanilla atmosphere, I made a payload to use with hekate (or any other payload injector) with the same functionality.
Incognito_RCM wipes personal information from your Nintendo Switch by removing it from prodinfo.

Functionality:​
  • wipe personal information on sysnand/emunand
  • backup prodinfo from sysnand/emunand
  • restore prodinfo to sysnand/emunand
Since NAND memory is encrypted, this is based on shchmue's Lockpick_RCM to first get the neccessary encryption keys.
You can apply Incognito_RCM directly after installing atmosphere or any time after and it has the advantage that you don't need to set 90DNS after an internet connection and possibly communication with nintendo servers is already established. (You can apply 90DNS anyway)

This has only been tested by me on firmware 8.1.0, so please test it and report back.
Since it has only been tested by me, keep a hekate nand backup ready to be safe.

source: https://github.com/jimzrt/Incognito_RCM
releases: https://github.com/jimzrt/Incognito_RCM/releases

Disclaimer:
This is early stage and there is no guarantee that everything works as expected! Please have a hekate NAND backup ready!

Screenshots:
main.png
incognito.png

backup.png
restore.png

Changelog:
v0.6.1
  • bugfix: write to emummc instead of sdmmc
v0.6.0
  • incorporate hekate & lockpick_rcm changes
  • reboot to payload
v0.5.1
  • firmware 9.1.0 support
v0.4.0
  • adopt lockpick_rcm and hekate changes (includes fixing of possible bugs and better resource management)
  • reduced payload size
  • use tui progressbar
v0.3.0
  • more error handling
  • backup validation when reading and writing
  • retry up to 5 times when reading and writing before aborting
v0.2.0
  • more validation
  • code cleanup and refactoring
v0.1.0
  • much faster read and write speed (not sector by sector anymore)
  • much more validation and verification (still not perfect)
  • more error handling (still not perfect)
  • backups aren't overwritten, old backups are renamed
  • check for backup before applying incognito
  • auto-restore backup if something goes wrong
v0.0.2
  • Removed external libraries and better handling of reading big chunks of memory.
as always, have a NAND backup ready!
 
Last edited by jimzrt,

hippy dave

BBMB
Member
Joined
Apr 30, 2012
Messages
7,228
Trophies
1
XP
8,750
Country
United Kingdom
Sounds promising, nice work. Does it support the various kinds of emunand, does it read config from emummc/emummc.ini?

e: for anyone using this, ALWAYS copy your backup off your SD card onto your computer, and preferably keep multiple copies on flash drives, cloud drives etc. Don't lose it.
 
Last edited by hippy dave,

Wuigi

Well-Known Member
Member
Joined
Sep 14, 2012
Messages
726
Trophies
0
XP
1,595
Country
United States
Really nice, I already wanted to use the normal incognito, but ReiNX wasn't updated for 9.0 at that time.
 

mrdude

Well-Known Member
Member
Joined
Dec 11, 2015
Messages
1,229
Trophies
1
Age
53
XP
3,460
Country
Sounds promising, nice work. Does it support the various kinds of emunand, does it read config from emummc/emummc.ini?

e: for anyone using this, ALWAYS copy your backup off your SD card onto your computer, and preferably keep multiple copies on flash drives, cloud drives etc. Don't lose it.

RCM stuff such as this and lockpic only read & write to sysnand. If you want a solution to write to the micro sd card (hidden or file based) emunand - you can make a PC app to do that, then it won't care what CFW you have installed. PC app just needs to mount the hidden partition or emunand files and then write at various offsets. It would'n be hard to code this, why not try yourself? You could do it in visual studio (C#) or C++.
 

shchmue

Developer
Developer
Joined
Dec 23, 2013
Messages
785
Trophies
0
XP
2,196
Country
United States
i can't comment on the usefulness/foolhardiness of wiping these areas of prodinfo but more importantly...

  • this doesn't validate any step of the backup before proceeding, none of the fatfs calls at all, you don't even check how many bytes were actually written, you only subtract the amount that should be written from the total
  • why did you bundle a sha256 library? not only is calling the SE enormously faster, there are multiple example se_calc_sha256 calls in lockpick_rcm and hekate to reference. performance won't really matter for numbers this small but it is super unnecessary bloat when what you need is already in the codebase. and fwiw the calls are way simpler than the bconte library you used
  • combining these two issues, you should probably reread and hash the data on nand vs backup file before proceeding, too
i do appreciate the utility of this solution getting around the cfw protection problem, but consider that protection is there for good reason. even if you take every precaution, none of this is literally foolproof
 

jimzrt

Active Member
OP
Newcomer
Joined
Oct 3, 2019
Messages
25
Trophies
0
XP
317
Country
Germany
i can't comment on the usefulness/foolhardiness of wiping these areas of prodinfo but more importantly...

  • this doesn't validate any step of the backup before proceeding, none of the fatfs calls at all, you don't even check how many bytes were actually written, you only subtract the amount that should be written from the total
  • why did you bundle a sha256 library? not only is calling the SE enormously faster, there are multiple example se_calc_sha256 calls in lockpick_rcm and hekate to reference. performance won't really matter for numbers this small but it is super unnecessary bloat when what you need is already in the codebase. and fwiw the calls are way simpler than the bconte library you used
  • combining these two issues, you should probably reread and hash the data on nand vs backup file before proceeding, too
i do appreciate the utility of this solution getting around the cfw protection problem, but consider that protection is there for good reason. even if you take every precaution, none of this is literally foolproof

yes, there is no validation (yet), it's a first release and I just wanted to share a first working solution. So work in progress. I will add a disclaimer that this is not guaranteed to work.
I tried se_calc_sah256 calls first, but the application kept freezing. I suspected that this was because I needed to allocate a few megabytes to hash and the library that is bundled allows to incrementally build that hash.
It is on my todo to investigate the possibility to use SE.

Of course protection is there for a good reason and I support atmospheres decision to make prodinfo protected - no one should use this application without a nand backup from hekate!

thanks for the feedback.

RCM stuff such as this and lockpic only read & write to sysnand. If you want a solution to write to the micro sd card (hidden or file based) emunand - you can make a PC app to do that, then it won't care what CFW you have installed. PC app just needs to mount the hidden partition or emunand files and then write at various offsets. It would'n be hard to code this, why not try yourself? You could do it in visual studio (C#) or C++.

This is not true, Lockpick has the ability to read and write to emunand as well, and consequently does this application
 
Last edited by jimzrt,

mrdude

Well-Known Member
Member
Joined
Dec 11, 2015
Messages
1,229
Trophies
1
Age
53
XP
3,460
Country
This is not true, Lockpick has the ability to read and write to emunand as well, and consequently does this application

Yep up until firmware 6.20 or something like that - after that firmware you need to use lockpic-rcm or it dumps the keys incorrectly - or not all of them. Also it just reads them, it writes to micro sd card not nand or emunand.

--------------------- MERGED ---------------------------

I like it, atleast people now doesn't have to deal with Blawar's malware.

Actually I'm not one for sticking up for people that use DRM - however, did you look at the github code that Blawar published for incogneto - it doesn't contain any malware, and it does work fairly well. Checks have been added to Atmosphere and SXOS probably as an Anti Brick measure - which is good for noobs. However don't blame Blawar now that his code doesn't work on these CFW as it's nothing to do with him.
 
Last edited by mrdude,

KitsumiTheFox

Well-Known Member
Newcomer
Joined
Jan 9, 2016
Messages
85
Trophies
0
Age
21
Location
Utah
XP
559
Country
United States
yes, there is no validation (yet), it's a first release and I just wanted to share a first working solution. So work in progress. I will add a disclaimer that this is not guaranteed to work.
I tried se_calc_sah256 calls first, but the application kept freezing. I suspected that this was because I needed to allocate a few megabytes to hash and the library that is bundled allows to incrementally build that hash.
It is on my todo to investigate the possibility to use SE.

Of course protection is there for a good reason and I support atmospheres decision to make prodinfo protected - no one should use this application without a nand backup from hekate!

thanks for the feedback.



This is not true, Lockpick has the ability to read and write to emunand as well, and consequently does this application
When you fully release it, this could be a super nifty tool to just keep around.
 
  • Like
Reactions: drrastovac

shchmue

Developer
Developer
Joined
Dec 23, 2013
Messages
785
Trophies
0
XP
2,196
Country
United States
yes, there is no validation (yet), it's a first release and I just wanted to share a first working solution. So work in progress. I will add a disclaimer that this is not guaranteed to work.
I tried se_calc_sah256 calls first, but the application kept freezing. I suspected that this was because I needed to allocate a few megabytes to hash and the library that is bundled allows to incrementally build that hash.
It is on my todo to investigate the possibility to use SE.

Of course protection is there for a good reason and I support atmospheres decision to make prodinfo protected - no one should use this application without a nand backup from hekate!

thanks for the feedback.
i'm surprised you wanted to get a proof of concept out without full precautions in place, that's irresponsible

yeah you can't at the moment do a streaming hash, we only just figured that out, but there's no RAM limitation that could keep you from just allocating a 4MiB buffer and reading the whole prodinfo in at once then hashing it in one go. and if you bench it you'll be shocked, even an asm implementation tailored to armv4t from openssl will take 10-100x + longer than se
This is not true, Lockpick has the ability to read and write to emunand as well, and consequently does this application
lockpick_rcm actually declines all writes to any sys/emunand, it only allows writes to SD filesystem

one more comment, i noticed you wrote a separate read function in diskio. this is against its design principle. it has an arg for what drive you're loading, but that doesn't even matter since you're not mounting a filesystem at all; ultimately reading and decrypting/writing and encrypting prodinfo would make more sense as functions outside fatfs - fatfs is for filesystems.
 

jimzrt

Active Member
OP
Newcomer
Joined
Oct 3, 2019
Messages
25
Trophies
0
XP
317
Country
Germany
i'm surprised you wanted to get a proof of concept out without full precautions in place, that's irresponsible

yeah you can't at the moment do a streaming hash, we only just figured that out, but there's no RAM limitation that could keep you from just allocating a 4MiB buffer and reading the whole prodinfo in at once then hashing it in one go. and if you bench it you'll be shocked, even an asm implementation tailored to armv4t from openssl will take 10-100x + longer than se

lockpick_rcm actually declines all writes to any sys/emunand, it only allows writes to SD filesystem

one more comment, i noticed you wrote a separate read function in diskio. this is against its design principle. it has an arg for what drive you're loading, but that doesn't even matter since you're not mounting a filesystem at all; ultimately reading and decrypting/writing and encrypting prodinfo would make more sense as functions outside fatfs - fatfs is for filesystems.

well, I don't see it as irresponsible with notice to it being early stage and there being nand backups to revert everything I could to wrong in this application.
some like to release when it is as fool proof as possible and some like to release very early. It is open source and every one can improve on it. I put it out there also to gauge general interest and to keep me motivated to improve upon it.

If there is no limitation in allocation multiple mb then apparently I had another issue and I will probably do just that what you said in your comment.

yeah, the function in diskio is not the best place, but the other function had no argument for which partition to use. I could have added another parameter or change the variable of system_part (and/or its name to be more clear).
I'm going to organize those things in the near future and probably strip out most things I don't need. I know that this is more or less a hack to get what I wanted to accomplish.
 
  • Like
Reactions: gamesquest1

Hayato213

( -_・) ︻デ═一' * (/❛o❛)/
Member
Joined
Dec 26, 2015
Messages
10,736
Trophies
1
Location
Vector Industry
XP
5,686
Country
United States
Yep up until firmware 6.20 or something like that - after that firmware you need to use lockpic-rcm or it dumps the keys incorrectly - or not all of them. Also it just reads them, it writes to micro sd card not nand or emunand.

--------------------- MERGED ---------------------------



Actually I'm not one for sticking up for people that use DRM - however, did you look at the github code that Blawar published for incogneto - it doesn't contain any malware, and it does work fairly well. Checks have been added to Atmosphere and SXOS probably as an Anti Brick measure - which is good for noobs. However don't blame Blawar now that his code doesn't work on these CFW as it's nothing to do with him.

Incognito Cal0 block in Atmosphere isn't Blawar fault, but my point is that in general the scene doesn't really like him for the whole tinfoil blunder, first with the 1.56 build for picking a fight with ctcaer and kosmos developer for not including ACID patches, and now he is forcing people to use a custom fork of Atmosphere just to use recent build of tinfoil. Not that I hate him but dude make HBG users life difficult with all these tinfoil update, and making people jump through just to get it working. I use Incognito and his build of Tinfoil, but it is just a headache jumping through hoops to get Tinfoil to work on Atmosphere/Kosmos bundle pack.
 

mrdude

Well-Known Member
Member
Joined
Dec 11, 2015
Messages
1,229
Trophies
1
Age
53
XP
3,460
Country
Incognito Cal0 block in Atmosphere isn't Blawar fault, but my point is that in general the scene doesn't really like him for the whole tinfoil blunder, first with the 1.56 build for picking a fight with ctcaer and kosmos developer for not including ACID patches, and now he is forcing people to use a custom fork of Atmosphere just to use recent build of tinfoil. Not that I hate him but dude make HBG users life difficult with all these tinfoil update, and making people jump through just to get it working. I use Incognito and his build of Tinfoil, but it is just a headache jumping through hoops to get Tinfoil to work on Atmosphere/Kosmos bundle pack.

Try tinfoil mod - that works on Atmosphere (untouched) and can be version spoofed, also DRM is removed.
 
  • Like
Reactions: iriez

shchmue

Developer
Developer
Joined
Dec 23, 2013
Messages
785
Trophies
0
XP
2,196
Country
United States
well, I don't see it as irresponsible with notice to it being early stage and there being nand backups to revert everything I could to wrong in this application.
some like to release when it is as fool proof as possible and some like to release very early. It is open source and every one can improve on it. I put it out there also to gauge general interest and to keep me motivated to improve upon it.

If there is no limitation in allocation multiple mb then apparently I had another issue and I will probably do just that what you said in your comment.

yeah, the function in diskio is not the best place, but the other function had no argument for which partition to use. I could have added another parameter or change the variable of system_part (and/or its name to be more clear).
I'm going to organize those things in the near future and probably strip out most things I don't need. I know that this is more or less a hack to get what I wanted to accomplish.
it does have such an arg: pdrv, but that's for things you mount using fatfs. since prodinfo isn't a filesystem, you don't need fatfs, just move the xts call to your module and be done with it :P
 

jimzrt

Active Member
OP
Newcomer
Joined
Oct 3, 2019
Messages
25
Trophies
0
XP
317
Country
Germany
it does have such an arg: pdrv, but that's for things you mount using fatfs. since prodinfo isn't a filesystem, you don't need fatfs, just move the xts call to your module and be done with it :P

I thought pdrv is physical drive number? anyway, all this tweak magic that happens for xts depending on sector index happens there, so I just did it there as well - temporarily.
I'm actually improving it right now (since there seems to be interest), but not everything is working as expected. Can I annoy you with one or two questions via pm regarding the code if I don't get it to work?
 
General chit-chat
Help Users
  • No one is chatting at the moment.
    Ophelia_Later @ Ophelia_Later: good night