Discussion The Nintendo Switch, Malicious Apps, and You

Discussion in 'Switch - Emulation, Homebrew & Software Projects' started by Crusatyr, Sep 21, 2018.

  1. Crusatyr

    Crusatyr GBAtemp Regular

    Jul 31, 2016
    United States

    The Nintendo Switch, Malicious Apps, and You
    How to Stay Safe Around Assholes on the Internet

    For those who are new to this site, or new to the Nintendo Switch scene in general, there was a pretty nasty event that happened in mid to late July. A user, along with some of their friends, posted a payload claiming to be a working SX OS crack, when in reality it caused almost irreparable damage to users' Switches. I say almost because there was a single fix, but after reading the subsequent threads, it seems like most users did not take even the single and most useful precaution beforehand. This post is to educate the users of this site on how to keep yourself safe, what these applications are, and how they work.

    You may be thinking to yourself "Pssh, that was a one-off event, it's not going to happen again," but you'd be wrong. An unfortunate side effect of the anonymity of the internet is people being assholes just because they can. I am making this post because I genuinely feel for those with issues with their Switches and I want to prevent as many "My Switch won't boot up" posts as I can. That being said, staying safe is easy and there's a wide variety of tools as well as practices you can engage in to keep you, your system, and your parents' wallet happy.

    How to keep safe

    • The single most important thing you can do to keep your Switch safe in this era of assholery is to make your NAND backup, as well as a backup of boot0/boot1. Why is this NAND backup so important? Because having it can fix damn near any problem.

      There are a few tools available for you to use in order to make backups of your NAND and boot0/boot1. Hekate is a really nice one to make a clean NAND backup before any CFW is used. The backup function in the ReiNX Toolbox is good to use if you've been messing around with CFW and just want a quick-and-dirty one.

      The second most important thing you can do, is follow the 3-2-1 rule of backing up:
      • Make THREE copies
      • On TWO different mediums
      • Have ONE copy off site
      A NAND backup with little to no installed content compresses very well; mine, for example, is around 300MB. There's nothing wrong with having one stored on your Google Drive/iCloud/Dropbox/whatever.

      But a NAND backup alone won't help you. You also need to be smart and follow safe practices.

      If you need help making a NAND backup, check the spoilers below. I am going to assume you already know how to push payloads, as well as boot into CFW.

      How to Back Up your NAND and Boot0/Boot1
    • The main reason you should be critical of EVERYTHING you run on the Switch is that homebrew applications and payloads run with UNRESTRICTED ACCESS. This is NOT the same as running "As an Administrator" on Windows machines or executing a sudo command on Linux/macOS builds. It is kernel-level access, which is so much more powerful, and so much more dangerous.

      The next three sentences are going to be caps lock, bolded, italicized, whatever so you know they are SUPER DUPER IMPORTANT.


      Running applications from trusted developers is your number one priority. If a new user posts a compiled binary and claims things that trusted devs haven’t claimed yet, common sense dictates that should be a hell of a giveaway that something is not right. If a user posts source rather than a binary, then it may be a throwaway account of a known dev, but you should still be skeptical of all claims.

      For the next part, please keep in mind that there are some developers who like to keep their stuff closed source. Their reputation in this case is a lot more important because they don't want to reveal the source. Be cautious, because all it takes is one bad day, and they can easily turn their useful and safe tools into malicious programs before anyone notices. It is probably trickier for inexperienced users, but you should try to understand how the code works and how to compile it yourself. Getting to the point of compiling builds is semi-difficult on Windows machines and much easier on macOS/Linux, but doing so is beyond the scope of this post.

      There are a couple of reasons for being able to compile on your own. The first is you have no promise that what's posted on the Releases tabs of projects is what's actually written. The second is that no one can post a hash of a file and say "Make sure your hash matches this one to be safe." Binaries of the same code will have different hashes when built on different machines. There's no way for a user to be able to guarantee that the binary they are giving you is exactly what the code outputs, which leads back to the previous point. Make sure you trust them before running their stuff.

      The third and final point seems just as obvious as the first to me, but I'm sure there are some people who use it for the simplicity. It was brought to my attention a while ago that someone had a bot on Discord that will output your Switch's console-unique cert if you give them your PRODINFO partition. This is quite handy if you don't want to install Python and run a script to do it, but keep in mind whoever owns that bot more than likely has a hundred private certs in his collection. You cannot convince me that they aren't storing them.

      This also includes websites that act as payload injectors. While they are more convenient, and some can be saved to be run locally since they use JavaScript, if you are using something that sends a payload from online, you have no guarantee that it's sending the payload that you think it is.

    What Applications Are Out There?

    • Knowing what you know now, WANNA PLAY :)
      As far as I know, the first malicious application was written by the ever-so-popular Team Xecuter. However they wish to spin their "hacker challenge", their product up until version 1.3 contained malicious code that would lock the eMMC should certain requirements be met. Since their code is closed source, it is not public knowledge how to determine what those requirements are, nor whether it was possible to trigger them by mistake, rendering licensed users' Switches useless.

      Should this code rear its ugly head again, according to @hexkyz on Twitter: "Regular users won't be able to restore the NAND normally. You need to mess with raw MMC commands to either unlock or force erase the eMMC."

      With that out of the way, let's talk about the possibly dangerous apps out there. I know some of these exist because I've seen them in the wild, while others are entirely theoretical, as far as I know. I'm going to list them in order from least dangerous to most dangerous.
    • First, it is possible to corrupt the ticket database (ticketDB for short) of the Switch. This is more inconvenient than actually malicious and sometimes happens by accident when using legitimate applications. As of the time of writing this, I've not seen any apps that do this intentionally, but if you install a corrupted or dev-encrypted NSP file, it may damage your ticketDB. This can easily be fixed by restoring a NAND backup, or by reinitializing your Switch.
    • Secondly, there are Certificate Stealers. These types of programs aren't going to cause damage to the Switch itself, but they have far-reaching consequences. To understand why these are so important you must understand what your certificate, commonly shortened to "cert", is. Simply put, it is console-unique data that Nintendo uses primarily to negotiate online functions like gaming and the eShop. Knowing this, if a malicious user has a copy of your cert, anything they do online will look like it's coming from your Switch, getting you banned while they reap the benefits. There is no public way to unban your console.
    • The next set of malicious apps come in two forms: as a payload you inject, or as a homebrew app you can run. They are software bricks. Basically, they damage some part of the system's flash memory. The main concern is if PRODINFO gets corrupted. That partition is console-unique, so you have to restore from a NAND backup if you'd like to fix it. Other parts of the system's flash memory can be fixed without a backup (but it is highly recommended to still have one).
    • The most damaging applications cause hardware damage to the Switch. If you hang around in scene Discords, you may often hear users joke about "FuseBurner.bin" or "ScreenOvervolter.bin." Once again, at the time of this writing, these things are purely theoretical, but let's get into the nitty gritty of why these two things in particular are so destructive, starting with FuseBurner.

      The Switch has microscopic anti-downgrade fuses built into its CPU, and once a fuse is blown, it is impossible to undo. When the console is booting up, it compares the number of fuses to the current firmware of the Switch. If too few fuses are blown, it blows them to compensate, but if too many are blown, the Switch immediately panics and shuts down. FuseBurner, as you can guess by the name, burns ALL of the fuses.

      For all intents and purposes though, this is a minor issue because all modern CFW ignore the fuse count/burning step of the bootloader. However, it DOES prevent your Switch from ever booting again without the use of RCM exploits.

      Now for ScreenOvervolter. This works, in theory, because voltages on the Switch are controlled by software. So Horizon OS controls what part of the Switch gets what voltage. It is possible to tell it to give more voltage to one part than it requires, thus causing damage. The joke is that it'll break the screen, but it is easily capable of breaking the battery, mother/daughterboards, game card slot readers, etc. There is no known fix other than replacing the part that was damaged, and I hope you have the tools as well as the know-how in order to do so.

    I firmly believe that part of spreading awareness in identifying how these programs work involves making their source code known. However, doing so does open the doors to making this sort of stuff more readily available. What I will be doing is posting the source code of two malicious apps, followed by the source code of the legitimate tools they were derived from, and then explaining how the differences between the two work.



    Thank you for reading my post. I hope you found it to be very informational, and I hope you do stay safe.

    Last edited by Crusatyr, Sep 22, 2018
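A worked version of the backup advice in the post above (make the dump, then keep three copies per the 3-2-1 rule), added here as an example and not a tool from the original post or from hekate/ReiNX. It records the size and SHA-256 of each image in a manifest right after dumping, then checks every copy against that manifest, so a truncated upload or a flipped byte in the off-site copy is caught before the day you actually need the restore. The file names are assumed, and the images in the demo are tiny constructed stand-ins for the real dumps.

```python
"""Build a SHA-256 manifest for a NAND/boot0/boot1 backup and verify every copy
against it. Added example for this thread, not code from the original post;
file names are assumed and the demo images are constructed stand-ins."""
import hashlib
import json
import os
import shutil
import tempfile

# Assumed file names; real dumps may be split or named differently by your tool.
BACKUP_FILES = ("rawnand.bin", "boot0.bin", "boot1.bin")
MANIFEST_NAME = "manifest.json"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a multi-GB NAND image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(backup_dir):
    """Record size and SHA-256 of each image right after dumping, before copying it anywhere."""
    manifest = {}
    for name in BACKUP_FILES:
        path = os.path.join(backup_dir, name)
        manifest[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_copy(copy_dir, manifest):
    """Check one copy of the backup. Returns {file: 'ok' | 'missing' | 'size' | 'hash'}."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(copy_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != expected["size"]:
            results[name] = "size"      # truncated or partial copy (cheap check first)
        elif sha256_file(path) != expected["sha256"]:
            results[name] = "hash"      # bit rot or a silently corrupted transfer
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: one clean dump, three copies (3-2-1), two of them damaged."""
    with tempfile.TemporaryDirectory() as root:
        dump = os.path.join(root, "dump")
        os.makedirs(dump)
        # Constructed stand-in images; real ones are gigabytes, these are a few KB.
        fake = {"rawnand.bin": bytes(range(256)) * 16,
                "boot0.bin": b"\x00" * 512,
                "boot1.bin": b"\xff" * 512}
        for name, data in fake.items():
            with open(os.path.join(dump, name), "wb") as f:
                f.write(data)
        manifest = write_manifest(dump)

        copies = {}
        for label in ("external-hdd", "laptop", "cloud"):   # two media, one off site
            copies[label] = shutil.copytree(dump, os.path.join(root, label))

        # Simulate a single flipped byte in the off-site copy of the NAND image.
        with open(os.path.join(copies["cloud"], "rawnand.bin"), "r+b") as f:
            f.seek(10)
            f.write(b"\xff")
        # Simulate a truncated boot1 on the laptop copy (interrupted transfer).
        with open(os.path.join(copies["laptop"], "boot1.bin"), "r+b") as f:
            f.truncate(100)

        return {label: verify_copy(path, manifest) for label, path in copies.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run `write_manifest` once on the fresh dump and `verify_copy` on each copy every time you make one; if the cloud copy ever comes back with anything other than `ok` for every file, re-upload from a copy that still verifies rather than trusting it on restore day.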
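A toy model of the fuse logic the post describes, added here as an example and not code from the post or from any Switch firmware or CFW. Only the rules come from the text: burning is one-way, too few blown fuses get burned up to the expected count, too many cause a panic, and modern CFW skips the step. The 32-fuse width, the expected count per firmware version and all the names are assumed for illustration. It shows why a downgrade refuses to boot, what a FuseBurner payload would leave behind, and why a CFW pushed over RCM still boots afterwards.

```python
"""Toy model of the anti-downgrade fuse check. Added example, not Switch code:
FUSE_COUNT, the per-firmware expected counts and the function names are assumed."""

FUSE_COUNT = 32          # assumed width of the fuse array in this model


class FusePanic(Exception):
    """Raised when more fuses are blown than the firmware expects (stock boot halts)."""


def blown_count(fuses):
    """Number of blown fuses in the fuse word (bit set == blown)."""
    return bin(fuses).count("1")


def burn_fuses(fuses, target):
    """Blow fuses until `target` are blown. One-way: bits are only ever set, never cleared."""
    if target > FUSE_COUNT:
        raise ValueError("not that many fuses")
    while blown_count(fuses) < target:
        fuses |= fuses + 1          # sets the lowest clear bit, keeps every existing one
    return fuses


def stock_bootloader_check(fuses, expected):
    """Model of the stock boot path: compare blown fuses to what this firmware expects."""
    blown = blown_count(fuses)
    if blown > expected:
        raise FusePanic(f"{blown} fuses blown, firmware expects {expected}: refusing to boot")
    if blown < expected:
        fuses = burn_fuses(fuses, expected)     # firmware update burns fuses to match
    return fuses


def cfw_boot_check(fuses, expected):
    """Model of a modern CFW boot path: the fuse step is simply skipped."""
    return fuses


def fuseburner(fuses):
    """The joke payload: blow every fuse at once. Irreversible by construction."""
    return fuses | ((1 << FUSE_COUNT) - 1)


def demo():
    """Walk a console through an update, a downgrade attempt, and a FuseBurner hit."""
    log = {}
    fuses = 0
    fuses = stock_bootloader_check(fuses, expected=3)   # first firmware: burns 3
    fuses = stock_bootloader_check(fuses, expected=5)   # update: burns 2 more
    log["after_update"] = blown_count(fuses)

    try:                                                # try booting an older firmware
        stock_bootloader_check(fuses, expected=4)
        log["downgrade_boots"] = True
    except FusePanic:
        log["downgrade_boots"] = False

    burned = fuseburner(fuses)
    log["after_fuseburner"] = blown_count(burned)
    try:                                                # stock boot with every fuse blown
        stock_bootloader_check(burned, expected=5)
        log["stock_boots_after_fuseburner"] = True
    except FusePanic:
        log["stock_boots_after_fuseburner"] = False
    # CFW skips the step entirely, so the console still boots that way (and only that way)
    log["cfw_boots_after_fuseburner"] = cfw_boot_check(burned, expected=5) == burned
    return log


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one-way `burn_fuses` is the whole point: nothing in the model (or the hardware the post describes) ever clears a bit, so the only recovery from the all-blown state is a boot path that never looks at the count.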
  2. Draxzelex

    Draxzelex GBAtemp Guru

    Aug 6, 2017
    United States
    New York City
    I always knew lizards were secretly evil. One minute they're eating worms, the next they're making PozzNX and other brick code.
  3. Jacklack3

    Jacklack3 ( ゚ヮ゚) buddie was here

    Oct 6, 2015
    In your basement Dick Size: 5 meters.
    Doom is on everything, Quake is on everything, and now I'm worried anti-virus like AVG or Avast are gonna be on everything too. :unsure:
    Itzumi and Drakia like this.
  4. Darth Meteos

    Darth Meteos Entertainer

    GBAtemp Patron
    Jan 6, 2015
    Down Under
    Hey, this is good work, buddy! Can we get a pin in here, mods?
    Hexalform, Itzumi, Drakia and 2 others like this.
  5. Darth Meteos
    This message by Darth Meteos has been removed from public view by Cyan, Sep 29, 2018, Reason: not a picture board, disturbing.
    Sep 22, 2018
  6. FahQ

    FahQ Advanced Member

    Mar 31, 2018
    United States
    Thanks for this. It's nice to see smart people exist here. :D
  7. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    Oct 27, 2002
    Engine room, learning
    Maybe you could add this one to your list :

    Even if it's not a real threat, it was an attempt to explain that providing sources and compiling them yourself doesn't always mean it's safe.
    That's too bad a lot of users didn't understand his reasons and he only got bad comments.

    Users should be careful and not trust random repositories, or binary files, without a proper safety measure (NAND backup, hardware flasher, etc.).
    Unfortunately, a binary can even affect hardware and fry the Switch completely, without any possible NAND restoration. Always be careful and search for information and other users' reports first.

    I added a category on Wikitemp with bricker too. There's no link (yet), it's only informative like this thread.
    sergux likes this.
  8. Crusatyr

    Crusatyr GBAtemp Regular

    Jul 31, 2016
    United States
    Thanks for bringing my attention to that Cyan. I'll definitely look into it.
  9. Jonna

    Jonna Some sort of musician.

    May 15, 2015
    Oh my god, this formatting is just

    I wish every post on this forum followed this formatting
  10. TheMCNerd2017

    TheMCNerd2017 GBAtemp Regular

    Jun 21, 2017
    United States
    Sorry if this is a dumb question, but how would posting the explanation of the two malware payloads listed in the main post affect someone's homebrew bounty program?
  11. Captain_N

    Captain_N GBAtemp Maniac

    Mar 29, 2010
    United States
    Reminds me of the malicious NDS phat firmware bricker homebrew. Norton Antivirus actually detected this .nds file as a virus and the virus description was right on. I don't know why Symantec, the makers of Norton Antivirus, would even worry about a Nintendo DS file lol.
  12. iyenal

    iyenal Advanced Member

    Feb 11, 2016
    United States
    Great summary, well written! And I like how you speak of "assholery" like an inevitable and general fact.
  13. Elliander

    Elliander GBAtemp Advanced Fan

    Sep 16, 2011
    United States
    Very good information. I have to wonder though, who would do something like this? Yeah, I know, malicious people exist who just want to see the world burn, but generally I tend to believe that most malice on the net comes from those who stand to gain from it.

    I'm reminded of the days of Napster, when recording labels would release their own MP3 files with random sound defects to make it more difficult to find a good track and discourage piracy. Eventually they started to release malicious code on purpose.

    Given the timing of the reports with Pokemon: Let's Go and then Super Smash Bros, with game dumps released prior to official sale, some of which had malicious code, I have to wonder if Nintendo had any involvement. It would be smart of them to do this, as scaring people away from piracy would at least curb the problem a bit, but not smart to ever admit it. I wonder if there would ever be a way to know for sure though, like tracking the IP addresses of the users who release malicious code, for example.

    I'm inclined to believe that fuse burners wouldn't be released the same way because all that would do is prevent playing inside Nintendo's ecosystem, but then again Nintendo bans people from even buying games legitimately, so clearly Nintendo doesn't care about that. I am surprised Nintendo isn't including malicious code in their official carts to scan the microSD card for evidence of homebrew and brick the console if any is found.
    Last edited by Elliander, Dec 4, 2018
  14. iyenal

    iyenal Advanced Member

    Feb 11, 2016
    United States
    Interesting. But actually no one can prove that Nintendo is behind this, which I really don't think that it is the case... because that would be really evil. But nothing is making this scenario impossible.
  15. Crusatyr

    Crusatyr GBAtemp Regular

    Jul 31, 2016
    United States
    Nah, I can promise you Nintendo had nothing to do with it. I wrote a proof of concept homebrew app for destroying prodinfo back in July. It was about 8 lines of code, and it worked. After seeing how easy it was to do, I grew concerned. That's why I wrote this guide and if you're ever on the same discord servers as me, you'll see why I am adamant about taking safety precautions and discouraging of the use of closed source apps.
  16. Elliander

    Elliander GBAtemp Advanced Fan

    Sep 16, 2011
    United States
    That's why I wondered about IP information. To give a parallel:

    Years ago I actively edited on Wikipedia, and found that a group kept editing the Settlers of Catan article to remove all references to PC clones of the game, right before Microsoft released their version. I suspected that Microsoft was involved, and sure enough, after checking the IP information, every person involved was at an IP address owned by Microsoft. They were hiring people to control the flow of information, basically, which was in violation of Wikipedia's terms. I reported this to their admins, who basically said they can't do anything about it because of some community voice BS argument, when in reality the real community voice was time and again silenced by corporations who can just hire people to be the voice.

    So IP information can be used to find a link to larger organizations, meaning it's not impossible to find out if something like that is happening. It wouldn't be the first time Nintendo was caught with its hands dirty.

    Honestly, I wouldn't necessarily blame Nintendo for doing it. It's evil, sure, but absolutely smart. Problem is, it's also illegal. The thing is, there are case precedents with both Sony and Sega that found that it's legal to write your own code to run on other consoles or to emulate those consoles entirely. That's how EA convinced Sega to give them preferential deals, actually. Nintendo can stop someone from accessing their servers, but they can't legally break a console. If they were caught doing something like that it would be very damaging to their reputation as well, so even if it's a smart thing to do it's also an idiotic thing to do.

    I hope so. In the mean time, if we can program a PC tool to scan an NSP or XCI file for malicious code and remove it that should help resolve the issue overall no matter who is doing it. Well, there would be an arms race of people trying to defeat it, so it wouldn't be perfect, but better than nothing.
    Last edited by Elliander, Dec 6, 2018 - Reason: Not sure why text was duplicated on submit
    iyenal and TheMCNerd2017 like this.
  17. Spadezilla

    Spadezilla Advanced Member

    Dec 19, 2013
    United States
    for this reason i do all my banking on a hacked Wii U
  18. sergux

    sergux Advanced Member

    Jul 14, 2018
    I have only two copies of my NAND; when a new FW from Ninty is released I'll do the compressed 300MB copy, I'm too lazy now. Anyway, I have those two copies of NAND/boot on separate HDDs. Fortunately I'm running without issues, just playing my legit games online and backups with SX OS on 6.2, both firmwares, on OFW and emuNAND.
    Last edited by sergux, Jan 15, 2019 at 3:51 PM