Homebrew Discussion The Nintendo Switch, Malicious Apps, and You

Crusatyr

Well-Known Member
OP
Member
Joined
Jul 31, 2016
Messages
197
Trophies
0
XP
863
Country
United States

The Nintendo Switch, Malicious Apps, and You
How to Stay Safe Around Assholes on the Internet

For those who are new to this site, or new to the Nintendo Switch scene in general, there was a pretty nasty event that happened in mid to late July. A user posted a payload that they and some of their friends claimed to be a working SX OS crack, when in reality it caused almost irreparable damage to the user’s Switch. I say almost because there was a single fix, but after reading the subsequent threads, it seems like most users did not take even the single most useful precaution beforehand. This post is to educate the users of this site on how to keep yourself safe, what these applications are, and how they work.

You may be thinking to yourself “Pssh, that was a one-off event, it’s not going to happen again,” but you’d be wrong. An unfortunate side effect of the anonymity of the internet is people being assholes just because they can. I am making this post because I genuinely feel for those with issues with their Switches and I want to prevent as many “My Switch won’t boot up” posts as I can. That being said, staying safe is easy and there’s a wide variety of tools as well as practices you can engage in to keep you, your system, and your parents’ wallet happy.

How to keep safe

Your NAND Backup

  1. The single most important thing you can do to keep your Switch safe in this era of assholery is to make your NAND backup, as well as a backup of boot0/boot1. Why is this NAND backup so important? Because having it can fix damn near any problem.

    There are a few tools available for you to use in order to make backups of your NAND and boot0/boot1. Hekate is a really nice one to make a clean NAND backup before any CFW is used. The backup function in the ReiNX Toolbox is good to use if you’ve been messing around with CFW and just want a quick but dirty one.

    The second most important thing you can do, is follow the 3-2-1 rule of backing up:
    • Make THREE copies
    • On TWO different mediums
    • Have ONE copy off site
    A NAND backup with little to no installed content compresses very well; mine, for example, is around 300MB. There’s nothing wrong with having one stored on your Google Drive/iCloud/Dropbox/whatever.

    But a NAND backup alone won’t help you. You also need to be smart and follow safe practices.

    If you need help making a NAND backup, check the spoilers below. I am going to assume you already know how to push payloads, as well as boot into CFW.

    Using ReiNX Toolkit:

      1. Compile/download the latest ReiNX Toolkit (found here).
      2. Copy the ReiNXToolkit.nro file to the /switch folder.
      3. Open the album and select ReiNX Toolkit.
      4. Scroll down to Backup and choose BOTH “Backup Boot0/1” and “Backup NAND”.

      If you are confused, please see the pictures below.

      STEP 1:
      REINX1.png

      STEP 2:
      ReiNX2.jpg

      STEP 3:
      ReiNX3.jpg

    Using Hekate:

      1. Compile/download the latest Hekate (found here).
      2. Once you’ve pushed the Hekate payload, go to Tools > Backup.
      3. You must run BOTH “Backup EMMC Boot0/1” as well as “Backup Raw GPP”.

      If you are confused, please see the pictures below.

      STEP 1:
      Hekate1.jpg

      STEP 2:
      Hekate2.jpg

      STEP 3:
      Hekate3.jpg

    Safe Practices

  2. The main reason you should be critical of EVERYTHING you run on the Switch is that homebrew applications and payloads run with UNRESTRICTED ACCESS. This is NOT the same as running “As an Administrator” on Windows machines or executing a sudo command on Linux/macOS builds. It is kernel-level access, which is so much more powerful, and so much more dangerous.

    The next three sentences are going to be caps lock, bolded, italicized, whatever so you know they are SUPER DUPER IMPORTANT.

    • ONLY RUN THINGS FROM TRUSTED SOURCES
    • LOOK AT THE SOURCE (AND IDEALLY COMPILE IT YOURSELF)
    • DON’T USE SKETCHY WEBSITES OR TOOLS

    Running applications from trusted developers is your number one priority. If a new user posts a compiled binary and claims things that trusted devs haven’t claimed yet, common sense dictates that should be a hell of a giveaway that something is not right. If a user posts source rather than a binary, then it may be a throwaway account of a known dev, but you should still be skeptical of all claims.

    For the next part, please keep in mind that there are some developers who like to keep their stuff closed source. Their reputation in this case is a lot more important because they don’t want to reveal the source. Be cautious, because all it takes is one bad day, and they can easily turn their useful and safe tools into malicious programs before anyone notices. It is probably trickier for inexperienced users, but you should try to understand how the code works and how to compile it yourself. Getting to the point of compiling builds is semi-difficult on Windows machines and much easier on macOS/Linux, but doing so is beyond the scope of this post.

    There are a couple of reasons for being able to compile on your own. The first is that you have no promise that what’s posted on the Releases tab of a project is what’s actually written. The second is that no one can post a hash of a file and say “Make sure your hash matches this one to be safe.” Binaries of the same code will have different hashes when built on different machines. There’s no way for a user to be able to guarantee that the binary they are giving you is exactly what the code outputs, which leads back to the previous point. Make sure you trust them before running their stuff.

    The third and final point seems just as obvious as the first to me, but I’m sure there are some people who use it for the simplicity. It was brought to my attention a while ago that someone had a bot on Discord that will output your Switch’s console-unique cert if you give them your PRODINFO partition. This is quite handy if you don’t want to install Python and run a script to do it, but keep in mind whoever owns that bot more than likely has a hundred private certs in his collection. You cannot convince me that they aren’t storing them.

    This also includes websites that act as payload injectors. While they are more convenient, and some can be saved to be run locally since they use JavaScript, if you are using something that sends a payload from online, you have no guarantee that it’s sending the payload that you think it is.

What Applications Are Out There?

A Brief History

  1. Knowing what you know now, WANNA PLAY :)
    As far as I know, the first malicious application was written by the ever-so-popular Team Xecuter. However they wish to spin their “hacker challenge”, their product up until version 1.3 contained malicious code that would lock the eMMC should certain requirements be met. Since their code is closed source, it is not public knowledge what those requirements are, or even whether it was possible to trigger them by mistake, rendering licensed users’ Switches useless.

    Should this code rear its ugly head again, according to @hexkyz on Twitter: “Regular users won't be able to restore the NAND normally. You need to mess with raw MMC commands to either unlock or force erase the eMMC.”

    With that out of the way, let’s talk about the possibly dangerous apps out there. I know some of these exist because I’ve seen them in the wild, while others are entirely theoretical, as far as I know. I’m going to list them in order of least dangerous to most dangerous.

TicketDB Corrupters

  2. First, it is possible to corrupt the ticket database (ticketDB for short) of the Switch. This is more inconvenient than actually malicious and sometimes happens by accident when using legitimate applications. As of the time of writing this, I’ve not seen any apps that do this intentionally, but if you install a corrupted or dev-encrypted NSP file, it may damage your ticketDB. This can easily be fixed by restoring a NAND backup, or by reinitializing your Switch.

Certificate Stealers

  3. Secondly, there are Certificate Stealers. These types of programs aren’t going to cause damage to the Switch itself, but they have far-reaching consequences. To understand why these are so important you must understand what your certificate, commonly shortened to “cert”, is. Simply put, it is console-unique data that Nintendo uses primarily to negotiate online functions like gaming and the eShop. Knowing this, if a malicious user has a copy of your cert, anything they do online will look like it’s coming from your Switch, getting you banned while they reap the benefits. There is no public way to unban your console.

Software Brickers

  4. The next set of malicious apps come in two forms: as a payload you inject, or as a homebrew app you can run. They are software bricks. Basically, they damage some part of the system’s flash memory. The main concern is if PRODINFO gets corrupted. That partition is console-unique, so you have to restore from a NAND backup if you’d like to fix it. Other parts of the system’s flash memory can be fixed without a backup (but it is highly recommended to still have one).

Hardware Breakers

  5. The most damaging applications cause hardware damage to the Switch. If you hang around in scene Discords, you may often hear users joke about “FuseBurner.bin” or “ScreenOvervolter.bin.” Once again, at the time of this writing, these things are purely theoretical, but let’s get into the nitty gritty of why these two things in particular are so destructive, starting with FuseBurner.

    The Switch has microscopic anti-downgrade fuses built into its CPU, and once a fuse is blown, it is impossible to undo. When the console is booting up, it compares the number of fuses to the current firmware of the Switch. If too few fuses are blown, it blows them to compensate, but if too many are blown, the Switch immediately panics and shuts down. FuseBurner, as you can guess by the name, burns ALL of the fuses.

    For all intents and purposes though, this is a minor issue because all modern CFW ignore the fuse count/burning step of the bootloader. However, it DOES prevent your Switch from ever booting again without the use of RCM exploits.

    Now for ScreenOverVolter. This works, in theory, because voltages on the Switch are controlled by software. So Horizon OS controls what part of the Switch gets what voltage. It is possible to tell it to give more voltage to one part than it requires, thus causing damage. The joke is that it’ll break the screen, but it is easily capable of breaking the battery, mother/daughterboards, game card slot readers, etc. There is no known fix other than replacing the part that was damaged, and I hope you have the tools as well as the know-how in order to do so.

Examples
I firmly believe that part of spreading awareness in identifying how these programs work involves making their source code known. However, doing so does open the door to making this sort of stuff more readily available. What I will be doing is posting the source code of two malicious apps, followed by the source code of the legitimate tools they were derived from, and then explaining how the differences between the two work.

ONCE AGAIN FOR EMPHASIS: RUNNING THESE PROGRAMS WILL IN FACT DAMAGE YOUR SWITCH

PozzNX, also known as the “SX OS Crack”:

  1. I was asked by a GBAtemp mod not to post the actual sources and explanations of how they work until after their homebrew bounty program is finished.

switchFuckerUpper.nro:

  2. I was asked by a GBAtemp mod not to post the actual sources and explanations of how they work until after their homebrew bounty program is finished.

Thank you for reading my post. I hope you found it to be very informational, and I hope you do stay safe.

~Crusatyr
 
Last edited by Crusatyr,
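The post above describes the NAND backup procedure and the 3-2-1 rule but leaves the reader to check their copies by hand. The script below is an added example (not code from the original post or from the Hekate/ReiNX projects) that hashes a backup folder once, writes a manifest, and later verifies every copy against it before counting that copy toward the 3-2-1 rule. It assumes Hekate's file naming (BOOT0, BOOT1, rawnand.bin, or rawnand.bin.00/.01/... when split for FAT32); the folder layout and the copy descriptions are constructed sample values.

```python
"""Manifest-based integrity check for Switch NAND backup copies.

Added example, not from the original post. It hashes BOOT0, BOOT1 and the raw
NAND dump (whole or split into Hekate-style numbered parts), records the
result in a manifest, and audits the copies against the 3-2-1 rule.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Hekate writes split dumps as rawnand.bin.00, rawnand.bin.01, ... on FAT32
# cards (assumed naming). Parts are hashed as one stream, in order, so a split
# copy and a joined copy of the same dump yield the same digest.
PART_RE = re.compile(r"^(?P<base>.+)\.(?P<idx>\d{2})$")
CHUNK = 1 << 20  # 1 MiB read size keeps memory flat for a ~30 GiB dump


def _logical_files(folder: Path) -> dict[str, list[Path]]:
    """Group on-disk files into logical backup files, with parts in order."""
    groups: dict[str, list[Path]] = {}
    for p in sorted(folder.iterdir()):
        if not p.is_file() or p.suffix == ".json":  # skip the manifest itself
            continue
        m = PART_RE.match(p.name)
        groups.setdefault(m.group("base") if m else p.name, []).append(p)
    return groups


def _hash_parts(parts: list[Path]) -> tuple[int, str]:
    """SHA-256 over the concatenation of parts; returns (total_size, hexdigest)."""
    h, size = hashlib.sha256(), 0
    for part in parts:
        with part.open("rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                h.update(chunk)
                size += len(chunk)
    return size, h.hexdigest()


def build_manifest(folder) -> dict[str, dict]:
    """Hash every logical file in a backup folder."""
    manifest = {}
    for name, parts in _logical_files(Path(folder)).items():
        size, digest = _hash_parts(parts)
        manifest[name] = {"size": size, "sha256": digest}
    return manifest


def verify_copy(folder, manifest: dict[str, dict]) -> list[str]:
    """Compare a copy against the manifest; an empty list means it is intact."""
    actual = build_manifest(folder)
    problems = []
    for name, want in manifest.items():
        got = actual.get(name)
        if got is None:
            problems.append(f"{name}: missing")
        elif got["size"] != want["size"]:
            problems.append(f"{name}: size {got['size']} != {want['size']}")
        elif got["sha256"] != want["sha256"]:
            problems.append(f"{name}: sha256 mismatch")
    return problems


def audit_321(manifest: dict[str, dict], copies: list[dict]) -> dict:
    """Apply the 3-2-1 rule, counting only copies that verify cleanly.

    Each copy is {"path": ..., "medium": "sd"/"hdd"/"cloud"/..., "offsite": bool}.
    """
    good = [c for c in copies if not verify_copy(c["path"], manifest)]
    media = {c["medium"] for c in good}
    offsite = sum(1 for c in good if c["offsite"])
    return {
        "intact_copies": len(good),
        "media": len(media),
        "offsite": offsite,
        "rule_met": len(good) >= 3 and len(media) >= 2 and offsite >= 1,
    }


def _populate(folder: Path, files: dict[str, bytes]) -> Path:
    folder.mkdir()
    for name, data in files.items():
        (folder / name).write_bytes(data)
    return folder


def demo() -> dict:
    """Constructed sample: tiny stand-in files, one split dump, one corrupted copy."""
    root = Path(tempfile.mkdtemp())
    boot0, boot1 = b"\x00" * 4096, b"\x11" * 4096
    nand = bytes(range(256)) * 64  # 16 KiB stand-in for a raw NAND dump
    sd = _populate(root / "sd", {"BOOT0": boot0, "BOOT1": boot1,
                                 "rawnand.bin.00": nand[:8192],   # split copy
                                 "rawnand.bin.01": nand[8192:]})
    hdd = _populate(root / "hdd", {"BOOT0": boot0, "BOOT1": boot1,
                                   "rawnand.bin": nand})          # joined copy
    cloud = _populate(root / "cloud", {"BOOT0": boot0, "BOOT1": boot1,
                                       "rawnand.bin": nand[:-1] + b"\x00"})  # last byte damaged
    manifest = build_manifest(sd)
    (sd / "manifest.json").write_text(json.dumps(manifest, indent=2))
    copies = [
        {"path": sd, "medium": "sd", "offsite": False},
        {"path": hdd, "medium": "hdd", "offsite": False},
        {"path": cloud, "medium": "cloud", "offsite": True},
    ]
    return {
        "hdd_problems": verify_copy(hdd, manifest),
        "cloud_problems": verify_copy(cloud, manifest),
        "audit": audit_321(manifest, copies),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

In the sample the joined HDD copy verifies even though the SD original is split, while the cloud copy has one damaged byte, so it is rejected and the audit reports the rule as not met: three files on disk are not three backups until each one is checked against the hash taken on the day the dump was made.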

Cyan

GBATemp's lurking knight
Former Staff
Joined
Oct 27, 2002
Messages
23,657
Trophies
2
Age
44
Location
Engine room, learning
XP
15,217
Country
France
Maybe you could add this one to your list:
https://gbatemp.net/threads/never-e...general-heres-example-of-classic-case.519132/

Even if it's not a real threat, it was an attempt to explain that providing sources and compiling them yourself doesn't always mean it's safe.
That's too bad a lot of users didn't understand his reasons and he only got bad comments.

Users should be careful and not trust random repositories or binary files without a proper safety measure (NAND backup, hardware flasher, etc.).
Unfortunately, a binary can even affect hardware and fry the Switch completely, without any possible NAND restoration. Always be careful and search for information and other users' reports first.


I added a category on Wikitemp with bricker too. There's no link (yet), it's only informative like this thread.
 

TheMCNerd2017

Well-Known Member
Member
Joined
Jun 21, 2017
Messages
200
Trophies
0
XP
504
Country
United States
Sorry if this is a dumb question, but how would posting the explanation of the two malware payloads listed in the main post affect someone's homebrew bounty program?
 

Captain_N

Well-Known Member
Member
Joined
Mar 29, 2010
Messages
1,893
Trophies
1
XP
1,713
Country
United States
Reminds me of the malicious NDS phat firmware bricker homebrew. Norton Antivirus actually detected this .nds file as a virus and the virus description was right on. I don't know why Symantec, the makers of Norton Antivirus, would even worry about a Nintendo DS file lol.
 

iyenal

Well-Known Member
Member
Joined
Feb 11, 2016
Messages
194
Trophies
0
XP
1,110
Country
United States
Great summary, well written! And I like how you speak of "assholery" like an inevitable and general fact.
 

Elliander

Well-Known Member
Member
Joined
Sep 16, 2011
Messages
634
Trophies
0
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,400
Country
United States
Very good information. I have to wonder though, who would do something like this? Yeah, I know, malicious people exist who just want to see the world burn, but generally I tend to believe that most malice on the net comes from those who stand to gain from it.

I'm reminded of the days of Napster, when recording labels would release their own MP3 files with random sound defects to make it more difficult to find a good track and discourage piracy. Eventually they started to release malicious code on purpose.

Given the timing of the reports with Pokemon: Let's Go and then Super Smash Bros, with game dumps released prior to official sale some of which having malicious code, I have to wonder if Nintendo had any involvement. It would be smart of them to do this, as scaring people away from piracy would at least curb the problem a bit. It would be smart of them to do this, but not smart to ever admit it. I wonder if there would ever be a way to know for sure though, like tracking the IP address of the users who release malicious code, for example.

I'm inclined to believe that fuse burners wouldn't be released the same way because all that would do is prevent playing inside Nintendo's ecosystem, but then again Nintendo bans people from even buying games legitimately, so clearly Nintendo doesn't care about that. I am surprised Nintendo isn't including malicious code in their official carts to scan the microSD card for evidence of homebrew and brick the console if any is found.
 
Last edited by Elliander,

iyenal

Well-Known Member
Member
Joined
Feb 11, 2016
Messages
194
Trophies
0
XP
1,110
Country
United States
Given the timing of the reports with Pokemon: Let's Go and then Super Smash Bros, with game dumps released prior to official sale some of which having malicious code, I have to wonder if Nintendo had any involvement. It would be smart of them to do this, as scaring people away from piracy would at least curb the problem a bit. It would be smart of them to do this, but not smart to ever admit it. I wonder if there would ever be a way to know for sure though, like tracking the IP address of the users who release malicious code, for example.

I'm inclined to believe that fuse burners wouldn't be released the same way because all that would do is prevent playing inside Nintendo's ecosystem, but then again Nintendo bans people from even buying games legitimately, so clearly Nintendo doesn't care about that. I am surprised Nintendo isn't including malicious code in their official carts to scan the microSD card for evidence of homebrew and brick the console if any is found.

Interesting. But actually no one can prove that Nintendo is behind this, which I really don't think that it is the case... because that would be really evil. But nothing is making this scenario impossible.
 

Crusatyr

Well-Known Member
OP
Member
Joined
Jul 31, 2016
Messages
197
Trophies
0
XP
863
Country
United States
I'm reminded of the days of Napster, when recording labels would release their own MP3 files with random sound defects to make it more difficult to find a good track and discourage piracy. Eventually they started to release malicious code on purpose.

Given the timing of the reports with Pokemon: Let's Go and then Super Smash Bros, with game dumps released prior to official sale some of which having malicious code, I have to wonder if Nintendo had any involvement.

Nah, I can promise you Nintendo had nothing to do with it. I wrote a proof of concept homebrew app for destroying prodinfo back in July. It was about 8 lines of code, and it worked. After seeing how easy it was to do, I grew concerned. That's why I wrote this guide and if you're ever on the same discord servers as me, you'll see why I am adamant about taking safety precautions and discouraging of the use of closed source apps.
 

Elliander

Well-Known Member
Member
Joined
Sep 16, 2011
Messages
634
Trophies
0
Location
Illinois
Website
elliander.etherealspheres.com
XP
1,400
Country
United States
That's why I wondered about IP information. To give a parallel:

Years ago I actively edited on Wikipedia, and found that a group kept editing the Settlers of Catan article to remove all references to PC clones of the game, right before Microsoft released their version. I suspected that Microsoft was involved, and sure enough, after checking the IP information, every person involved was at an IP address owned by Microsoft. They were hiring people to control the flow of information, basically, which was in violation of Wikipedia's terms. I reported this to their admins, who basically said they can't do anything about it because of some community voice BS argument, when in reality the real community voice was time and again silenced by corporations who can just hire people to be the voice.

So IP information can be used to find a link to larger organizations, meaning it's not impossible to find out if something like that is happening. It wouldn't be the first time Nintendo was caught with its hands dirty.

Honestly, I wouldn't necessarily blame Nintendo for doing it. It's evil, sure, but absolutely smart. Problem is, it's also illegal. The thing is, there are case precedents with both Sony and Sega that found that it's legal to write your own code to run on other consoles or to emulate those consoles entirely. That's how EA convinced Sega to give them preferential deals, actually. Nintendo can stop someone from accessing their servers, but they can't legally break a console. If they were caught doing something like that it would be very damaging to their reputation as well, so even if it's a smart thing to do it's also an idiotic thing to do.

Nah, I can promise you Nintendo had nothing to do with it. I wrote a proof of concept homebrew app for destroying prodinfo back in July. It was about 8 lines of code, and it worked. After seeing how easy it was to do, I grew concerned. That's why I wrote this guide and if you're ever on the same discord servers as me, you'll see why I am adamant about taking safety precautions and discouraging of the use of closed source apps.

I hope so. In the meantime, if we can program a PC tool to scan an NSP or XCI file for malicious code and remove it, that should help resolve the issue overall no matter who is doing it. Well, there would be an arms race of people trying to defeat it, so it wouldn't be perfect, but better than nothing.
 
Last edited by Elliander, , Reason: Not sure why text was duplicated on submit

sergux

Well-Known Member
Member
Joined
Jul 14, 2018
Messages
115
Trophies
0
Age
100
XP
956
Country
Afghanistan
I have only two copies of my NAND; when a new FW from Ninty is released I'll do the compressed 300MB copy, I'm too lazy now. Anyway, I have those two copies of NAND/boot on separate HDDs. Fortunately I'm running without issues, just playing my legit games online and backups with SX OS on 6.2, both firmwares, on OFW and emuNAND.
 
Last edited by sergux,

Alchemy_Gaming

Active Member
Newcomer
Joined
Mar 11, 2019
Messages
32
Trophies
0
Age
32
XP
208
Country
United States
Awesome post! It'd be cool to see a mention of the more recent 'attack' with Pokemon Let's Go. It's not just payloads and .nros anymore :( They came disguised as game dumps. Obviously they should have backed up their NAND ANYWAY but they shouldn't have to deal with that crap. Happy to see people spreading the word. Sharing this, thank you!
 

Relink

Member
Newcomer
Joined
Dec 10, 2019
Messages
5
Trophies
0
Age
32
XP
24
Country
Switzerland
Good post, thank you!
It does scare one off when it comes to backups, homebrew and especially to pirating a game, so it would have been a good move on Nintendo's end if they had anything to do with it (which they don't, I think lol). Even with a proper NAND backup you could still be screwed, and most users that get a modded device google a game they need a backup of because they don't know how to make their own yet and find more than enough, never knowing if they'll get infected by something bad.
The chance to see a fuse burner is a lot smaller than something with less impact, but still enough bad stuff can happen.

Even someone that knows this danger exists (myself for example) would have no idea how to verify a *.NSZ (getting more common, and I can't even unpack that), *.NSP or *.XCI.
I'd love to learn how to, but I just don't, and I've got nobody to teach me (hactool doesn't work with NSZ, not that hactool ever worked for me). Same thing with homebrew programs.
The more people know the problems exist and how to remove them without needing a virus scanner on even your game systems, the better, I think.

Not everyone is pirating something after all, even if they did download it somewhere but they do get punished just the same way if they catch something bad because of it :(
 
Last edited by Relink,

Crusatyr

Well-Known Member
OP
Member
Joined
Jul 31, 2016
Messages
197
Trophies
0
XP
863
Country
United States
have no idea how to verify a *.NSZ (getting more common and can't even unpack that) *.NSP or *.XCI
I'm not too familiar with the process myself, but you can verify NSP and XCI files by verifying the ACID signature. As far as doing that with NSZ files, worst case would be having to convert it back to an NSP before verifying. Good news though, most title installers do signature verification by default and will throw an error if the signature check fails. @blawar is far more knowledgeable than me about how sig checking works if he'd like to chime in.
 