Hacking Question regarding play history

fatleon5

I’ve been preparing myself for Atmosphere, bought a few jigs and been reading up on the latest developments etc. I have not yet run any homebrew or even entered RCM mode, so my Switch is completely clean.

I’m just thinking, if we run a homebrew app with the Switch offline, will we need to somehow clear the play history of it before we go back online? If Nintendo can see suspicious activity in our play logs they could maybe issue a ban? Or am I being too paranoid?

If we do need to clear our play history before going back online, how do we even do that? Is it possible to do it now or will we need some sort of homebrew to allow us to do that?

Thank you for any input you can offer.

Deleted-442439

We don't yet know what Nintendo checks for bans; the only confirmed reason so far is using the CDN.

If you don't want to be banned, wait for others to use stuff and get banned so we learn more, and stay offline until we get a list of safe/unsafe stuff.

FAST6191

As was mentioned, things are still up in the air. We can speculate based on what else has been seen in the world and the obvious approaches that we would take.

Yes, play logs would be something I would look at. It is obvious and easy.
Clearing them/restoring them to a pre-hack state would be a thing to do. An application might be able to do that. Pending that, then as long as you don't mess the eFuses up and can work around the rest, you might be able to restore a NAND image.

There are other methods, if Nintendo has the means of communicating within the Switch between sessions (by whatever means -- SD card, simple memory (if you only do a soft reset then it is pointless), some other fragment of memory somewhere; the "ban this guy" thing need only be one bit after all). None of this is particularly exotic either.

So again, we don't know. It is all up in the air. If you play with early hacks you risk this sort of thing. Early signs are that Nintendo might just be starting to approach the levels of competency seen elsewhere some 15 years ago, as opposed to the "no big deal" approach they favoured before, but that is still more than they had before and enough to make things harder to work with.

For yourself, try running a thought exercise on how you would trap hackers if you were Nintendo.
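As an added example of what "looking at the play logs" could mean on the service side (example code written for this page; it is not Nintendo's code, nor any CFW's): a checker over a constructed, hypothetical play-log format that flags title IDs outside a known catalogue, sessions that overlap in time (which one console cannot produce), and gaps in a per-record counter. The record format, the catalogue, the title IDs and the log lines are all assumptions made for the example. The last function shows why naively deleting the homebrew records is not enough once the log carries a counter: the deletion itself leaves a gap.

```python
"""Server-side play-log checks (added illustration; not Nintendo's code).

Assumes a hypothetical play-log format of one record per play session:
    seq,title_id,start,end
where seq is a counter the console increments for every record, title_id
is a 16-hex-digit program ID and start/end are Unix timestamps. The
catalogue of known titles, the homebrew-looking title ID and the log
lines below are all constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed catalogue: title IDs the service knows to be signed retail titles.
KNOWN_TITLES: Set[str] = {
    "0100000000010000",
    "01007EF00011E000",
    "0100F8F0000A2000",
}

# Constructed sample upload from one console. Record 19 carries a title ID
# that is in no catalogue (a homebrew app), record 20 is missing, and
# record 22 starts before record 21 ends, which a single console cannot do.
SAMPLE_LOG = """\
17,0100000000010000,1527811200,1527814800
18,01007EF00011E000,1527815000,1527818600
19,05000000000000FF,1527819000,1527820000
21,0100F8F0000A2000,1527822000,1527825000
22,01007EF00011E000,1527824000,1527826000
"""

LINE_RE = re.compile(r"^(\d+),([0-9A-Fa-f]{16}),(\d+),(\d+)$")


@dataclass
class Session:
    seq: int
    title_id: str
    start: int
    end: int


def parse_log(text: str) -> List[Session]:
    """Parse the constructed CSV-style log; reject malformed lines outright."""
    sessions = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed play-log line {lineno}: {raw!r}")
        seq, tid, start, end = m.groups()
        sessions.append(Session(int(seq), tid.upper(), int(start), int(end)))
    return sessions


def find_anomalies(sessions: List[Session],
                   known_titles: Set[str] = KNOWN_TITLES,
                   last_seen_seq: int = 16) -> List[Tuple[int, str]]:
    """Return (seq, reason) flags for records the service would question.

    last_seen_seq is the highest counter value this console uploaded last
    time; the next upload is expected to continue from there without gaps.
    """
    flags = []
    prev_seq = last_seen_seq
    prev_end = 0
    for s in sorted(sessions, key=lambda x: x.seq):
        if s.seq != prev_seq + 1:
            flags.append((s.seq, f"sequence gap: expected {prev_seq + 1}"))
        if s.title_id not in known_titles:
            flags.append((s.seq, "unknown title ID"))
        if s.end <= s.start:
            flags.append((s.seq, "non-positive duration"))
        elif s.start < prev_end:
            flags.append((s.seq, "overlaps previous session"))
        prev_seq = s.seq
        prev_end = max(prev_end, s.end)
    return flags


def drop_title(text: str, title_id: str) -> str:
    """Naive client-side 'scrub': delete every record for one title ID.
    The counter values of the remaining records are left untouched."""
    keep = []
    for ln in text.splitlines():
        fields = ln.strip().split(",")
        if len(fields) == 4 and fields[1].upper() == title_id.upper():
            continue
        keep.append(ln)
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    for seq, why in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"record {seq}: {why}")
    print("--- after scrubbing the homebrew title ---")
    scrubbed = drop_title(SAMPLE_LOG, "05000000000000FF")
    for seq, why in find_anomalies(parse_log(scrubbed)):
        print(f"record {seq}: {why}")
```

Run the file to print the flags before and after the scrub. The counter is the caveat to the clearing idea: whether wiping entries is safe depends on whether the log is merely a list or also carries state (a counter, a hash chain, a server-side high-water mark) that the wipe would have to be consistent with. Restoring a pre-hack NAND image has the same problem if the service has already seen a higher counter from that console.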
 

fatleon5

Thank you for the replies.

Yeah I’m not going to touch any of the early hacks even though some are very tempting. If my Switch ever gets banned and then Animal Crossing comes out for it in the future my wife would kill me!

I’ll keep an eye on the developments and go from there. If I had the money I would get another to use for emulation and things, but that’s not a reality for me anytime soon.

Deletedmember448668

If you are super interested in testing things out early, you can get a 2nd Switch on ebay for $180 USD or £135 quid if you're in the UK. It's literally just the panel (tablet) but you can use your existing joycons and/or Switch Pro controller on it and just do all your hacking stuff on that, just make a new account ;). Best of luck!

XargonWan

Maybe it would be a good idea if the CFW cleaned the logs every time an app is started/closed, even a game backup.
OR: every time the CFW starts it backs up the logs, and restores them every time an app is started/closed.

Clydefrosch

To be entirely fair, if all you want is the homebrew-ish stuff, you might get off much cheaper and easier with some tablet + Bluetooth controller.

FAST6191

> Maybe it would be a good idea if the CFW cleaned the logs every time an app is started/closed, even a game backup.
> OR: every time the CFW starts it backs up the logs, and restores them every time an app is started/closed.

That would be a start, assuming it does not just fail to write the logs in the first place. I doubt it will be the only thing Nintendo do though -- if you are using a custom firmware, which is to say one of Nintendo's with the "no user code" and such checks patched out, then Nintendo can also hide other checks in there (a simple one being that the firmware tries to launch something that is not signed; if it runs then clearly signing has been broken and the user is using a hacked system), write the result of said check back to the SD card (or some other hidden area) and send that off whenever they like.
Hackers could well patch out every check Nintendo puts in there (and there could be hundreds, fairly well hidden at that), but the past I am willing to look at here (what happened on the PSP has little bearing on what happened on the Wii U, say) says that people will miss one or two checks somewhere and that is all they need -- normally when it comes to hackers, to prevent yourself being hacked you have to be right every time and they just need once; the situation is reversed in this case.

If all this sounds fairly basic for Nintendo to do then it is, and it is why Nintendo have been laughed at for their online efforts these last 15 years or so, definitely for the Wii/DSi on up.

There are some hacks that seem to start right at boot. If that is then intercepted, and there are no internal power-on timers or anything, and people run a fully homebrew-coded firmware (not that such a thing will likely be able to play online at first) and don't link IDs, then that might be safe.
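The unsigned-launch trap described above, as an added example (written for this page; it is not Nintendo's firmware and not Atmosphere's code): a toy loader with a signature check, a blanket "sigpatch" that removes the check, and a canary that tries to launch a deliberately mis-signed module at boot and sets a sticky one-bit flag if the launch goes through. HMAC-SHA256 under a made-up key stands in for the vendor's real signature scheme; the key, the module bodies and all class and function names are assumptions. A third loader shows the difference between patching the check out wholesale and allowlisting specific modules: the narrower patch still refuses the canary.

```python
"""Signature-check canary (added illustration; not Nintendo's firmware).

Models the trap described in the thread: at boot the loader deliberately
tries to start a module whose signature is wrong. A stock loader refuses it
and nothing happens; a loader whose signature check was patched out runs
it, and the loader records that in a sticky one-bit flag which a later
upload can carry. Signing is stood in for by HMAC-SHA256 under a
hypothetical vendor key; the key and the module bodies are constructed.
"""
import hashlib
import hmac
from typing import List, Set

VENDOR_KEY = b"hypothetical-vendor-signing-key"  # constructed stand-in


def sign(body: bytes) -> bytes:
    """Vendor-side signing stand-in (HMAC, not a real signature scheme)."""
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()


class Loader:
    """Stock loader: only launches modules carrying a valid signature."""

    def __init__(self) -> None:
        self.tamper_bit = 0           # persisted; one bit is all the server needs
        self.launched: List[str] = []

    def verify(self, body: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(body), sig)

    def launch(self, name: str, body: bytes, sig: bytes) -> bool:
        if not self.verify(body, sig):
            return False
        self.launched.append(name)
        return True

    def canary(self) -> int:
        """Try to launch a module with a deliberately invalid signature.
        Under a working signature check this must fail; if it succeeds the
        check has been removed, so set the tamper bit. Returns the bit."""
        if self.launch("canary", b"canary module", bytes(32)):
            self.tamper_bit = 1
        return self.tamper_bit


class SigPatchedLoader(Loader):
    """Blanket patch: the signature check always passes."""

    def verify(self, body: bytes, sig: bytes) -> bool:
        return True


class AllowlistLoader(Loader):
    """Narrower patch: only modules the user explicitly allowlisted bypass
    the check. Everything else, the canary included, is still verified."""

    def __init__(self, allow: Set[str]) -> None:
        super().__init__()
        self.allow = set(allow)

    def launch(self, name: str, body: bytes, sig: bytes) -> bool:
        if name in self.allow:
            self.launched.append(name)
            return True
        return super().launch(name, body, sig)


def boot(loader: Loader) -> int:
    """Simulated boot: start a properly signed system module, then run the
    canary. Returns the tamper bit the server would later see."""
    sysmod = b"legitimately signed system module"
    if not loader.launch("sysmod", sysmod, sign(sysmod)):
        raise RuntimeError("signed system module failed to launch")
    return loader.canary()


if __name__ == "__main__":
    print("stock loader tamper bit:    ", boot(Loader()))
    print("sigpatched loader tamper bit:", boot(SigPatchedLoader()))
    print("allowlist loader tamper bit: ", boot(AllowlistLoader({"hbmenu"})))
```

The allowlist loader is the shape of patch that survives this particular trap: it keeps the check intact for everything it does not know about, so the canary behaves exactly as on a stock system. It does nothing against a trap that uses a different signal, which is the point made above about needing to find every check rather than patching one mechanism.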
 

XargonWan

Another idea... About accounts we have no control because they are on Nintendo's server, but on the Switch we may... We may unban the Switch by spoofing something?
Dunno, serials, MACs... I don't know, we have to find out what Nintendo is checking and try...
We can start by spoofing the banned Switch and see what happens...

Like an IP ban: if you change IP you are unbanned, same logic.

FAST6191

MAC addresses are the technique for the poorest of implementations; while they might be part of the package here (especially if it is hardware-set) I doubt they are anything close to the whole story.
Serial as in the one on the back of the device? Probably not.
I imagine they are issuing something like a unique certificate for every device, possibly noting some hardware characteristics in it and carrying on from there.

Spoof enough of it with info from another working device and you should be able to get back on, probably just in time to be banned again, as you probably don't know what causes the bans and what checks are done. To that end, at this point I would be focusing more on finding the checks and making sure your responses to them are valid.
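The per-device certificate idea above, as an added example (written for this page; Nintendo's actual device authentication is not known to the thread and is not reproduced here): a hypothetical vendor signs a certificate binding a device ID to a MAC address and a SoC ID, and the server checks the signature, a revocation list, and whether the hardware the console reports live matches what the certificate binds. All keys, device IDs, MAC addresses, SoC IDs and the revocation list are constructed, and HMAC-SHA256 stands in for the real signature scheme.

```python
"""Device-certificate check of the kind speculated on in the thread (added
illustration; not Nintendo's protocol).

A hypothetical vendor issues each console a certificate binding a device
ID to hardware characteristics (here a MAC address and a SoC ID). The
server verifies the certificate, checks a revocation list, and compares the
bound characteristics to what the console reports live. The vendor key, the
device records and the revocation list are constructed; HMAC-SHA256 stands
in for the vendor's real signature scheme.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

VENDOR_KEY = b"hypothetical-vendor-ca-key"  # constructed stand-in
REVOKED = {"DEV-0001"}                      # constructed: one banned console
BOUND_FIELDS = ("mac", "soc_id")            # hardware fields the cert binds


def issue_cert(device_id: str, mac: str, soc_id: str) -> Dict[str, str]:
    """Vendor side at manufacture: sign the device ID plus bound hardware fields."""
    body = json.dumps({"device_id": device_id, "mac": mac, "soc_id": soc_id},
                      sort_keys=True)
    sig = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def authenticate(cert: Dict[str, str], reported: Dict[str, str]) -> Tuple[bool, str]:
    """Server side at connect: returns (accepted, reason)."""
    expected = hmac.new(VENDOR_KEY, cert["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False, "bad certificate signature"
    bound = json.loads(cert["body"])
    if bound["device_id"] in REVOKED:
        return False, "device revoked"
    for field in BOUND_FIELDS:
        if reported.get(field) != bound[field]:
            return False, f"{field} does not match certificate"
    return True, "ok"


# Constructed consoles: DEV-0001 is banned, DEV-0002 is clean. The MACs use
# the locally administered range so they do not belong to any real vendor.
BANNED = {"device_id": "DEV-0001", "mac": "02:00:00:00:00:01", "soc_id": "SOC-0001"}
CLEAN = {"device_id": "DEV-0002", "mac": "02:00:00:00:00:02", "soc_id": "SOC-0002"}
BANNED_CERT = issue_cert(**BANNED)
CLEAN_CERT = issue_cert(**CLEAN)


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Four attempts a banned console might make, with the server's verdict."""
    forged_body = json.dumps({"device_id": "DEV-9999", "mac": BANNED["mac"],
                              "soc_id": BANNED["soc_id"]}, sort_keys=True)
    return {
        # 1. own certificate, own hardware: caught by the revocation list
        "own cert": authenticate(BANNED_CERT, BANNED),
        # 2. copy of a clean console's cert, but MAC/SoC still report the banned hardware
        "borrowed cert, real hardware": authenticate(CLEAN_CERT, BANNED),
        # 3. fresh certificate for a made-up device ID: without the vendor key the signature fails
        "forged cert": authenticate({"body": forged_body, "sig": "00" * 32}, BANNED),
        # 4. clean console's cert AND every bound field spoofed: indistinguishable at this layer
        "borrowed cert, spoofed hardware": authenticate(CLEAN_CERT, CLEAN),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:32s} -> {'accept' if ok else 'reject'}: {reason}")
```

The four scenarios line up with the post: reusing the banned console's own certificate is caught by revocation, borrowing a clean console's certificate is caught as soon as any bound field is still reported honestly, and forging a certificate fails without the vendor key. Only a complete spoof of the certificate and every bound field passes at this layer, which is the case where the post expects a repeat ban from whatever other checks the service runs on top.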
 

smf

The CPU might even have an internal RCM count, or some way of keeping track of how long since you entered RCM mode.

As there is no legitimate reason why a user would enter RCM, that might be a trigger.

XargonWan

Yes but all the data should be sent online by the software, so we just have to intercept that and change it.

FAST6191

You could run a packet scanner that aims to intercept and rewrite the data before it gets encrypted and sent, possibly at some random time during the system runtime. That is hard though, so the better route is to find the things it searches for.

I don't know the size of Switch updates/firmwares but call it 200 megs. Could probably work it out from stuff on http://switchbrew.org/index.php?title=Flash_Filesystem but meh.

Each instruction is, what, 32 bits (not that 64 will make much of a difference if it is). You can do a check in not a lot, maybe 10, but we will go for 50 and double that to 100 to allow for some obfuscation.

100*32 bits is just over 3KB. Does not have to be in one big lump either, and does not have to be all in one thing either (can be started, half finished, noted and finished in something running minutes later).

http://switchbrew.org/index.php?title=Category:Services notes some 48 services at the time of writing, all with multiple functions within them, though realistically a few will be less useful for this. Plus the kernel in general, plus any programs they care to give some elevated privileges.

You then get to search for that among however many megs of kernel code there is.

Oh, and for the record, on the DS we saw hundreds of checks at points (some of them even slowing the game down notably, such that the flash cart versions ran better), timing checks, checks on integrity, obfuscation, things loaded in way late in the game (see C.O.P. The Recruit). The 3DS saw a few more fun things again. If they can do it there then they can certainly do it here. This is on top of the obvious trips as well -- if Nintendo makes the kernel launch something with an invalid signature then under normal conditions it would fail; should it run then your checks are not in place any more and you have a hacked system.
You have to get all of them too; Nintendo just needs one to slip through.

All this is doable, it certainly has been done in the past and you don't have to go completely manual, and I expect it to happen to various extents as the years roll on, but I am not expecting the absolute cakewalk that was the Nintendo of the past decade or so here.

XargonWan

Maybe this is the dumbest idea ever but... what if we route all the packets to a piece of software that makes the Switch believe it is the actual Nintendo server, but instead we log all the information that the Switch sends?
In this case we could understand a pattern and that may simplify the search.

FAST6191

I imagine Nintendo encrypts at least some of their traffic at some level and we don't have those keys. We could hack the kernel to make it use other keys (I doubt they will allow something as basic as the thing that allowed the Save Nintendo WiFi stuff from the DS to work https://gbatemp.net/threads/save-ni...e-online-servers-for-ds-and-wii-games.362717/ ) but then we are back at the potentially hundreds of hidden checks problem. Oh, and just because you can break the SSL signing, you might still have the internal signing and encryption that the Switch could do to the data it sends.
Similarly, as it is Nintendo's server we don't know the full extent of its abilities and thus we would have to recreate that, possibly blindly. If it was a simple web server or something well known then sure; this is a custom system from a multi-million-dollar company that seemingly now cares about security, though.

Going further, they could bury it in the middle of something else, or only send it after some number of megabytes of traffic have gone by -- you don't need to send the "ban this system" data as the first or second thing you do or in the initial handshake after all. Again, they only need to get one packet through where you have to get every one of them.

Packet scanning and modification has its uses in hacking. If third-party servers are to be a thing here I imagine it will be done extensively, but mass intercept and rewrite like you are describing is not really a viable one here, even for an exploration-type hack using a sacrificial Switch or three.

smf

> Yes but all the data should be sent online by the software, so we just have to intercept that and change it.

That is possible. It depends on how well Nintendo hide it and how much the good hackers want to protect you online.

If you look back at old scene releases, when they used to be copy protected, there were games that failed in subtle ways which meant that all of the cracks were unplayable. If that happens just once then you could get banned.