Here's my (moderately detailed) analysis on why freeShop is still possible on Switch, and what I believe Nintendo should have done differently to prevent certain things.
First, lets recall how freeshop works on 3DS (heavily simplified):
Get the titlekey from a database
Generate the ticket for that title
Install the ticket
Get title contents from CDN
Install title contents
The title is now playable.
And this is how the Switch fails to prevent it (also heavily simplified):
Get the titlekey from a database:
That can't be stopped.
Generate the ticket for that title:
They would have solved that by generating RSA-wrapped personalized tickets server-side, but this is easily defeated by disabling signature checks and generating an unsigned common ticket.
Install the ticket:
With patched sysmodules, there's nothing stopping an attacker sending the ipc commands necessary for installing a common ticket.
Get title contents from CDN:
Nintendo really fucked this one up hard.
All requests to atum (within your certs environment) are accepted.
This is extremely poor design as both system modules/applets and eShop content share the Atum server.
What they should have done is segregate system and eShop content to different servers.
System content should require just your console-unique cert, similar to the current system put in place.
In the case of eShop content, it should require your ShopN bearer auth token, and check that your account has the rights to the requested title prior to returning any of its content (NCAs and patch CETKs).
Yes, Atum doesn't check whether you own a certain title before returning its content.
The dumbest part is, it was always possible, as Shogun, the eShop backend, already has a feature to list all of your owned titles that aren't currently installed on your device.
Sending an authed GET request to https://bugyo.hac.lp1.eshop.nintend...ned_titles?shop_id=4&lang=en&device_type_id=6 returns a JSON with all of the uninstalled titles you own.
And yet another colossal fuckup is sending an authed POST request to the "redownload" endpoint https://bugyo.hac.lp1.eshop.nintend...d_titles/download?device_type_id=6&title_ids= (title ID, uppercase) with the data "lang=en" will invoke nsBeginInstallApplication; downloading and installing the title, regardless of whether or not the requested title ID is present in your owned titles.
Yes, "owned_titles/download", unlike what the name would imply, doesn't actually check whether you're trying to download an owned title, and just downloads every title ID sent to the endpoint regardless.
Install title contents:
Same issue as ticket installation.
Assuming sigpatches are enabled and the ticket is installed, the Switch can load the titlekey from the ticket into the relevant keyslot, and the title is now playable.
First, lets recall how freeshop works on 3DS (heavily simplified):
Get the titlekey from a database
Generate the ticket for that title
Install the ticket
Get title contents from CDN
Install title contents
The title is now playable.
And this is how the Switch fails to prevent it (also heavily simplified):
Get the titlekey from a database:
That can't be stopped.
Generate the ticket for that title:
They would have solved that by generating RSA-wrapped personalized tickets server-side, but this is easily defeated by disabling signature checks and generating an unsigned common ticket.
Install the ticket:
With patched sysmodules, there's nothing stopping an attacker sending the ipc commands necessary for installing a common ticket.
Get title contents from CDN:
Nintendo really fucked this one up hard.
All requests to atum (within your certs environment) are accepted.
This is extremely poor design as both system modules/applets and eShop content share the Atum server.
What they should have done is segregate system and eShop content to different servers.
System content should require just your console-unique cert, similar to the current system put in place.
In the case of eShop content, it should require your ShopN bearer auth token, and check that your account has the rights to the requested title prior to returning any of its content (NCAs and patch CETKs).
Yes, Atum doesn't check whether you own a certain title before returning its content.
The dumbest part is, it was always possible, as Shogun, the eShop backend, already has a feature to list all of your owned titles that aren't currently installed on your device.
Sending an authed GET request to https://bugyo.hac.lp1.eshop.nintend...ned_titles?shop_id=4&lang=en&device_type_id=6 returns a JSON with all of the uninstalled titles you own.
And yet another colossal fuckup is sending an authed POST request to the "redownload" endpoint https://bugyo.hac.lp1.eshop.nintend...d_titles/download?device_type_id=6&title_ids= (title ID, uppercase) with the data "lang=en" will invoke nsBeginInstallApplication; downloading and installing the title, regardless of whether or not the requested title ID is present in your owned titles.
Yes, "owned_titles/download", unlike what the name would imply, doesn't actually check whether you're trying to download an owned title, and just downloads every title ID sent to the endpoint regardless.
Install title contents:
Same issue as ticket installation.
Assuming sigpatches are enabled and the ticket is installed, the Switch can load the titlekey from the ticket into the relevant keyslot, and the title is now playable.
