Hacking Switch Cartridge - Reverse Engineering


Zan'

I'd go with .ns - if there's no third letter, why add one?
Probably because .ns is a "namespace" file and is already taken?

Not that it matters since people just use whatever anyway.
I mean .3ds used to be 3d object files.
 

gundamu

I have read this reverse engineering thing before, what does it do?
more like what actually is reverse engineering?

reverse engineering is breaking something apart to learn about its core concepts/principles and how it works.

in this case game cartridge is broken apart, then its circuit board is carefully observed to find the purpose of each component on it.

all this research helps you make r4 type cartridge for switch in return
 

leonmagnus99

reverse engineering is breaking something apart to learn about its core concepts/principles and how it works.

in this case game cartridge is broken apart, then its circuit board is carefully observed to find the purpose of each component on it.

all this research helps you make r4 type cartridge for switch in return

wow interesting, cool thanks for the info!
 

Benoit934

In this case and in many cases what we reverse is protected by patents, so we can't release cloned stuff, but we can share schematics and code that isn't owned by Nintendo. That's why we are not publishing CFW but only patching stuff (there is no Nintendo code inside); boards sold for the cold boot exploit work the same way, they just inject little chunks of code in memory.

So if someone finds a way to create a fake cartridge, he has to be smart to avoid patent issues, and the best way is to let a team work without having a Switch (just by sharing enough knowledge to let them work) so they will find solutions without cloning stuff.
 

Platinum Lucario

The first ever genuine raw dump of a Nintendo Switch Game Card will have the .ns file extension. Also, don't be surprised to find that the ROM is encrypted. I also wouldn't be surprised if the ROM is encrypted with a Game Card-unique key, which has a different key for every Game Card manufactured. And if that ends up happening, that raw dump won't ever be playable, even if an emulator gets made, because the person who dumped it didn't extract the unique encryption key for the ROM.

So if anyone is trying to dump the contents of a Nintendo Switch Game Card, please make sure you extract everything, from every chip found on the Game Card, not just the flash memory that contains the encrypted game.
 

Duo8

The first ever genuine raw dump of a Nintendo Switch Game Card will have the .ns file extension. Also, don't be surprised to find that the ROM is encrypted. I also wouldn't be surprised if the ROM is encrypted with a Game Card-unique key, which has a different key for every Game Card manufactured. And if that ends up happening, that raw dump won't ever be playable, even if an emulator gets made, because the person who dumped it didn't extract the unique encryption key for the ROM.

So if anyone is trying to dump the contents of a Nintendo Switch Game Card, please make sure you extract everything, from every chip found on the Game Card, not just the flash memory that contains the encrypted game.
There is literally one chip.
 

lefthandsword

The first ever genuine raw dump of a Nintendo Switch Game Card will have the .ns file extension. Also, don't be surprised to find that the ROM is encrypted. I also wouldn't be surprised if the ROM is encrypted with a Game Card-unique key, which has a different key for every Game Card manufactured. And if that ends up happening, that raw dump won't ever be playable, even if an emulator gets made, because the person who dumped it didn't extract the unique encryption key for the ROM.

So if anyone is trying to dump the contents of a Nintendo Switch Game Card, please make sure you extract everything, from every chip found on the Game Card, not just the flash memory that contains the encrypted game.
Actually this is the case since the Wii, it depends how well Nintendo protects the root encryption key
 
Deleted-19228

The first ever genuine raw dump of a Nintendo Switch Game Card will have the .ns file extension. Also, don't be surprised to find that the ROM is encrypted. I also wouldn't be surprised if the ROM is encrypted with a Game Card-unique key, which has a different key for every Game Card manufactured. And if that ends up happening, that raw dump won't ever be playable, even if an emulator gets made, because the person who dumped it didn't extract the unique encryption key for the ROM.

So if anyone is trying to dump the contents of a Nintendo Switch Game Card, please make sure you extract everything, from every chip found on the Game Card, not just the flash memory that contains the encrypted game.

should be .hac
 

dubbz82

The first ever genuine raw dump of a Nintendo Switch Game Card will have the .ns file extension. Also, don't be surprised to find that the ROM is encrypted. I also wouldn't be surprised if the ROM is encrypted with a Game Card-unique key, which has a different key for every Game Card manufactured. And if that ends up happening, that raw dump won't ever be playable, even if an emulator gets made, because the person who dumped it didn't extract the unique encryption key for the ROM.

So if anyone is trying to dump the contents of a Nintendo Switch Game Card, please make sure you extract everything, from every chip found on the Game Card, not just the flash memory that contains the encrypted game.


You must have one hell of a crystal ball to be able to predict the future like that.
 

Platinum Lucario

I'm sure that since the game cards only have one flash memory chip, the ROM data itself is more than likely to be encrypted with either a common key (like the Wii), or using multiple keys and scrambling it with the key in the Nintendo Switch system (like the Nintendo 3DS). But if I had to take a guess, it would probably end up using a very similar encryption and key scrambling method, like the 3DS uses.

If anyone manages to dump a ROM of a game, I honestly don't mind what file extension it gets named or anything. When the ROM gets dumped, that will be our first step towards finding out if the ROM is encrypted and which areas of the ROM are not encrypted.
 

andxor

Hey, I've put some more details of the Gamecart interface and Logic Analyzer screengrabs at the ReSwitched Wiki:
https://reswitched.tech/hardware/gamecard

So far we've found the Pinout and the meaning of the pins, along with some command - response dumps.

The Switch and gamecard definitely at some point start to talk encrypted data (i.e., randomness).
Have you guys found out anything else?
 

SuperGenericJoe

I'm currently a student so money is my biggest issue. Getting a PCB developed does not cost a lot of money these days. Shipping (still) does though.
Unless we want this to go on snail speed I'd need to pay extra for DHL shipping. I've been waiting for about 2 months on one of my PCB designs and it still hasn't arrived today because that's the service you get when you pay $15 for 10 10cmx10cm PCBs

With the Chinese who knows. My main goal is making the first steps into the development of a flash cart. Maybe I won't be the first but that's no reason for tears, we're all trying to achieve the same goal!

As for the cracking of any kind of protection there are way more skilled people out there. Will I do it? Maybe.
At this point my main goal is purely to get a ROM export running on a non original cartridge.



This is what I'm developing right now, although I was wondering if there was an easier way (without destroying my cartridge slot. Remember $300 is a lot for a student). But I think this is the most solid and flexible way



Thanks!
Man, honestly if money is the BIGGEST hurdle for you, let me help you out. I'm definitely not a super rich mf, but I remember eating Taco Bell packets for supper a few years back in college. Set up some kind of donation site, maybe. Is there already something like this? I'm sure I wouldn't be the only one to throw cash at the cause, even if nothing comes of it. I hate the fact that this green $hit gets in the way of so much talent, it's really depressing.
 

modrobert

Hey, I've put some more details of the Gamecart interface and Logic Analyzer screengrabs at the ReSwitched Wiki:
https://reswitched.tech/hardware/gamecard

So far we've found the Pinout and the meaning of the pins, along with some command - response dumps.

The Switch and gamecard definitely at some point start to talk encrypted data (i.e., randomness).
Have you guys found out anything else?

I think you got pin 12 and 13 (DAT6 and DAT7) mixed up on the pinout order here:
https://reswitched.tech/_media/gamecard-pinout.png?w=200&tok=0f97e7

This also affects your commands and LA screenshots on the page regarding bus bits, the first command should be '9b' instead of '5b', and so on.

You can reach me via PM or on EFnet if you are interested in comparing LA dumps.
 

Bug_Checker_

Hey, I've put some more details of the Gamecart interface and Logic Analyzer screengrabs at the ReSwitched Wiki:
https://reswitched.tech/hardware/gamecard

So far we've found the Pinout and the meaning of the pins, along with some command - response dumps.

The Switch and gamecard definitely at some point start to talk encrypted data (i.e., randomness).
Have you guys found out anything else?

I think you got pin 12 and 13 (DAT6 and DAT7) mixed up on the pinout order here:
https://reswitched.tech/_media/gamecard-pinout.png?w=200&tok=0f97e7

This also affects your commands and LA screenshots on the page regarding bus bits, the first command should be '9b' instead of '5b', and so on.

You can reach me via PM or on EFnet if you are interested in comparing LA dumps.

I would agree that it strongly appears (and absent any other relevant information) that ALL the top pins are even numbered bits (D0, D2, D4, D6) and ALL the bottom pins are odd numbered bits (D1, D3, D5, D7)
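
Added example (not part of any post in this thread): modrobert's point that exchanging DAT6 and DAT7 in the pinout turns a decoded '5b' into '9b' can be checked by re-decoding the same capture with both channel-to-bit maps. The probe channel names, the helper functions and every sample byte other than 5b are constructed for illustration.

```python
"""Re-decode an 8-bit parallel bus capture after a pinout correction."""

def swap_bits(value, a, b):
    """Exchange bit positions a and b of one bus byte."""
    if ((value >> a) ^ (value >> b)) & 1:   # nothing to do when both bits match
        value ^= (1 << a) | (1 << b)
    return value & 0xFF

def assemble(samples, channel_to_bit):
    """Rebuild bytes from per-channel logic levels, one dict per clock edge."""
    if sorted(channel_to_bit.values()) != list(range(8)):
        raise ValueError("map must assign each of bits 0..7 exactly once")
    out = bytearray()
    for sample in samples:
        byte = 0
        for channel, bit in channel_to_bit.items():
            byte |= (sample[channel] & 1) << bit
        out.append(byte)
    return bytes(out)

def levels(byte, channel_to_bit):
    """Inverse of assemble for one byte: the level seen on each probe channel."""
    return {ch: (byte >> bit) & 1 for ch, bit in channel_to_bit.items()}

# Hypothetical probe names. AS_PUBLISHED is the map with DAT6/DAT7 mixed up,
# CORRECTED exchanges them as suggested in the thread.
AS_PUBLISHED = {f"ch{i}": i for i in range(8)}
CORRECTED = dict(AS_PUBLISHED, ch6=7, ch7=6)

# Constructed capture: wire levels that decode to 5b, a5, 3c, ff under the
# published map. Only 5b comes from the thread; the rest are made up.
CAPTURE = [levels(b, AS_PUBLISHED) for b in (0x5B, 0xA5, 0x3C, 0xFF)]

def unaffected(data):
    """Bytes whose bit 6 equals bit 7 decode the same under both maps."""
    return [b for b in data if swap_bits(b, 6, 7) == b]

if __name__ == "__main__":
    old = assemble(CAPTURE, AS_PUBLISHED)
    new = assemble(CAPTURE, CORRECTED)
    print("published map:", old.hex(" "))
    print("corrected map:", new.hex(" "))
    print("same under both:", bytes(unaffected(old)).hex(" "))
```

Bytes whose bit 6 and bit 7 are equal decode identically under either map, so a swapped pair of data lines only shows up on some of the command and response bytes in a capture.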
 