Question Possible to extract/upload save data from NAND backup or from Hekate?

Discussion in 'Switch - Emulation, Homebrew & Software Projects' started by blaze5, Sep 13, 2018.

  1. blaze5
    OP

    blaze5 Member

    Newcomer
    3
    Nov 27, 2016
    United States
    I'm wondering if there's a way to extract save data from my legit Switch which can't be detected or result in a ban. One way I can imagine that would probably work and leave zero traces would be start with a NAND backup, use CFW and a save manager, and restore the NAND backup afterwards, but that takes a lot of time just to extract save data. Preferably I'd like to be able to move save data both ways between Switch consoles and restoring the NAND backup would only allow me to pull the save data and not write it back to the Switch. I can't see much risk at all just reading save data from a system, but updating or adding new save data could have more of a risk.

    Here are some questions I have:
    1. Does just performing a NAND backup/restore with Hekate (without booting into any CFW) leave any trace that can be detected by Nintendo?
    2. Is it possible to identify where the save data is stored in NAND and only dump certain portions without booting into CFW?
    3. With a full NAND dump, is there any software/homebrew which can analyze and extract or write save data at this time? (without emunand yet basically)
    4. Could a save game manager be written for hekate which wouldn't be detected and would be practical?
     
  2. Draxzelex

    Draxzelex GBAtemp Guru

    Member
    17
    Aug 6, 2017
    United States
    New York City
    1. Potentially yes much like with any and all other hacks
    2. Theoretically yes (however I doubt any dev is interested in such a thing)
    3. Not at the current time, no (nor in the foreseeable future)
    4. There is no such thing as an undetectable save manager outside of Nintendo's own online cloud saving service
     
    Last edited by Draxzelex, Sep 13, 2018
  3. blaze5
    OP

    blaze5 Member

    Newcomer
    3
    Nov 27, 2016
    United States
    The reason I asked about Hekate leaving traces is Lakka or other Linux versions are run completely separate from the NAND and rest of the system. It's like dual booting a different OS if you aren't actually touching or changing anything in Horizon. If Hekate is being run strictly in memory and only backs up and restores the exact NAND data byte for byte it should be pretty safe (you could image the micro SD card and restore it after the NAND backup if you're really worried about it). I understand and am willing to accept some risk, but the hypothetical it could happen doesn't say much. Yes Nintendo certainly stepped up their security game this time around but they also aren't omniscient and I've seen a lot of paranoia without reasons to back it up in the Switch scene. The important thing to keep in mind is what information actually gets sent to Nintendo and what they can track.

    As far as analyzing the NAND goes, a tool already exists courtesy of rajkosto called HacDiskMount which can at least serve as a starting point. If the save data can be viewed using a NAND tool, it wouldn't be a big stretch to edit the NAND and then make a save edit tool built-in to hekate, especially if it doesn't leave the traces on a stock system that CFW would. Of course if you actually modify or write new save data there's a greater chance of it being detected, but if you aren't hacking save data for online games it should be pretty safe. Even once Nintendo's online cloud saves roll out, you aren't connected to the Internet 24/7, especially with a portable console. And who knows, maybe at some point they'll finally release local backups (though given how they've gotten burnt by ACE through save exploits in the past I'm not holding my breath on that one). I don't care as much about writing save data back to my stock Switch, but I would like to at least copy my current save data for single player games over to my other Switch and there should be little ban risk in doing so.
     
  4. JJTapia19

    JJTapia19 I fight for my friends.

    Member
    9
    May 31, 2015
    Puerto Rico
    This will probably be unbelievable but I swear earlier today I had the exact same idea! I was thinking about how I'm not sure about buying the upcoming Pokemon game. I wanted to try it out (pirated) with cfw and if I really liked it buying it and transferring the save file BUT then is when I remembered that running checkpoint or any other homebrew on my clean nand would be risky so I remembered HacDiskMount. I got home and tried it out but everything on the user partition of the Rawnand.bin is encrypted (the files use different extensions and structures, I couldn't recognize which files were the saves) so I can't easily move the saves from checkpoint to the user partition. I don't think there's a way currently but hopefully a tool to help us is created soon. It would be the only way to manage saves on a clean nand without risking leaving traces on the telemetry of horizon.
     
    blaze5 likes this.
  5. blaze5
    OP

    blaze5 Member

    Newcomer
    3
    Nov 27, 2016
    United States
    @JJTapia19 Sorry I've been pretty busy. With HacDiskMount, if you dump your keys with biskeydump (should be AES encryption) you should be able to analyze the encrypted user partition. I'm not sure which keys are applicable to which system components but you can probably post a question to the biskeydump thread (https://gbatemp.net/threads/biskeyd...c-decryption-real-time-mounting-tools.502434/) or PM rajkosto if you can't find anything there or elsewhere. I just don't have the time for it right now and it's not that high of a priority for me at the moment unfortunately. I'd like to identify where/how the save data is stored and how to read the NAND to only have to do a partial NAND dump to save time. The easiest way currently to get your saves off your stock Switch would probably be using CFW and checkpoint to dump the saves and revert to a clean NAND dump after, but it looks like you're more interested in the reverse. Trying to write save data back to the stock Switch through hekate to leave as little trace as possible would be harder, but analyzing the unencrypted NAND dump and comparing to known save data you can extract using checkpoint (temporarily using CFW and reverting back) would probably be the best starting point. Then you could go through the hekate source (the backup and restore NAND portions) and identify the correct partitions and offsets and try to write some module. There might be some additional steps needed for padding though or other sizes/checksums/header stuff which may need to be updated. I think 3 NAND dumps would be the best to look at for reverse engineering if it's not already out there. The first NAND dump as a control, the second NAND dump exactly the same but update the save file for a single game, and the third backup with a brand new save from a different game.

    I don't know what kind of programming background you have, but if you're able to identify the save data from the user partition of your NAND dump, I'd certainly be interested in hearing how you did it and could help with a hekate modification for a partial NAND dump or writing new save data to NAND.
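
The three-dump comparison proposed in the post above, as an added example that is not part of the original thread or of any tool named in it: it diffs two changed images against a control block by block and separates regions touched in both (likely shared metadata) from regions touched in only one. It assumes the images are already decrypted and the same size; the function names, the default block size and the sample images are constructed for illustration.

```python
import io

def changed_blocks(base, other, block):
    """Indices of fixed-size blocks that differ between two image streams."""
    changed, index = set(), 0
    while True:
        a, b = base.read(block), other.read(block)
        if not a and not b:
            return changed
        if a != b:
            changed.add(index)
        index += 1

def merge(blocks, block):
    """Collapse block indices into sorted (offset, length) extents."""
    extents = []
    for i in sorted(blocks):
        if extents and extents[-1][0] + extents[-1][1] == i * block:
            extents[-1] = (extents[-1][0], extents[-1][1] + block)
        else:
            extents.append((i * block, block))
    return extents

def classify(control, updated, new_save, block=0x4000):
    """Split changes into regions touched by both dumps and by only one."""
    diffs = []
    for image in (updated, new_save):
        control.seek(0)  # the control stream is read once per comparison
        diffs.append(changed_blocks(control, image, block))
    d2, d3 = diffs
    return {
        "shared": merge(d2 & d3, block),        # changed in both: likely metadata
        "only_updated": merge(d2 - d3, block),  # changed only by the edited save
        "only_new": merge(d3 - d2, block),      # changed only by the new save
    }

def sample_images(block=16):
    """Constructed 256-byte stand-ins for the three decrypted dumps."""
    control = bytes(block * 16)
    updated, new_save = bytearray(control), bytearray(control)
    updated[0] = new_save[0] = 1                      # block 0 changes in both
    updated[2 * block:4 * block] = b"A" * (2 * block)
    new_save[8 * block:11 * block] = b"B" * (3 * block)
    return io.BytesIO(control), io.BytesIO(updated), io.BytesIO(new_save)

if __name__ == "__main__":
    print(classify(*sample_images(), block=16))
```

For real dumps, pass three files opened in binary mode; a filesystem may relocate data on write, so the per-dump extents can include more than the save payload itself.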
     
  6. RareCandyMan

    RareCandyMan Member

    Newcomer
    1
    Feb 17, 2013
    United States
    Hey, I see this topic is about a month old, but I wanted to check in and see how things were going for you with this? I have interest in keeping my Smash and Pokemon save files that I started while running CFW after reverting back to stock so I can do some things like get the Petey Piranha in Smash and the Mystery Box in Pokemon.

    Do you think it would be worth it? Or should I just wipe back to stock firmware, cash in on my rewards, then go right back to CFW rather than mess with injecting saves using HacDiskMount?
     