Hacking Switch Cartridge - Reverse Engineering

[DoJo_Master]

Please scroll up and read the torrent description.

Haha oh wow!, completely skimmed over that

 

[TheZander]

Just saw this, man I was going to try this too. Ha, guess you beat me to it!

However if it will help the cause for my input I'll be more than happy. I might need a couple games as well, like Mario Odyssey when that comes out. Or Bomberman for now I guess, although it didn't look that great. For dumping that is, I mean the best games to dump will most likely be top tier titles. I'll take Splatoon 2 though, I never played dumped the original but willing to give it a shot.

 

[Manurocker95]

Oh, pretty nice! I'll be waiting for noob friendly tools for dumping my games :3

 

[KoFFiE]

The data will be statically encrypted inside the chip and dynamically encrypted when transferred. In terms of the production cost at the volumes they will do, it is essentially free.

The cost of not adding adequate security is that Nintendo make no sales after week 1 due to flash carts and counterfeits.

Given that both the 1-2 Switch and Zelda already use different chips based on the pictures, so I doubt there's logic running on them beyond the flash firmware. Now I'm not working in embedded anymore and I haven't seen specs of flash chips in over 10 years, but there were no chips with embedded security-features in them back-then, and since these seem to be run-of-the-mill flash chip with semi-customized branding, I highly doubt there's any active security on the cartridges. There also doesn't seem to be any extra silicon on the cartridge PCB, so It's probably all passive crypto-based, probably signatures on the data+serial numbers.

If hardware/'active' protection would have been implemented on cartridges, a separate chip would have been the most logical way to go anyway, otherwise they would have to produce multiple silicons for smaller and larger games, or go for a single, larger flash chip that would be able to accommodate all future possible games, and this would be very very expensive. Even just a custom packaging with flash+security chip would probably have added to the price. With an additional chip they could use one cheapo small off-the-shelf SoC (arm7 based or so with crypto acceleration), and proxy their flash data through that. That would have been the cheapest option, but still would still have ended up eating their margin on every game sold physically.

For the situation I suppose we're in, you'd have to fake the hardware ID's of the flash chips to be able to copy them, but if I was Nintendo, I would actively blacklist serial numbers of pirated chips through regular system updates, which would effectively make piracy a clusterfuck without actual exploits to circumvent the security completely or re-sign images. This also doesn't address code signing issues for running custom code, which can be a very though nut to crack if Nintendo did their job properly.

 

[KiiWii]

For *.NXG files just right click and run as Switch-ministrator in Windows XP compatibility mode.

/S

 

[HeraCraoz]

couldn't you do some sort of hard-rip of the stuff stored on the chip? then create a chip that can store like 5 of them and have it be able to "Switch" between them? (lol, sry for the pun)

 

[Duo8]

Given that both the 1-2 Switch and Zelda already use different chips based on the pictures, so I doubt there's logic running on them beyond the flash firmware. Now I'm not working in embedded anymore and I haven't seen specs of flash chips in over 10 years, but there were no chips with embedded security-features in them back-then, and since these seem to be run-of-the-mill flash chip with semi-customized branding, I highly doubt there's any active security on the cartridges. There also doesn't seem to be any extra silicon on the cartridge PCB, so It's probably all passive crypto-based, probably signatures on the data+serial numbers.

If hardware/'active' protection would have been implemented on cartridges, a separate chip would have been the most logical way to go anyway, otherwise they would have to produce multiple silicons for smaller and larger games, or go for a single, larger flash chip that would be able to accommodate all future possible games, and this would be very very expensive. Even just a custom packaging with flash+security chip would probably have added to the price. With an additional chip they could use one cheapo small off-the-shelf SoC (arm7 based or so with crypto acceleration), and proxy their flash data through that. That would have been the cheapest option, but still would still have ended up eating their margin on every game sold physically.

For the situation I suppose we're in, you'd have to fake the hardware ID's of the flash chips to be able to copy them, but if I was Nintendo, I would actively blacklist serial numbers of pirated chips through regular system updates, which would effectively make piracy a clusterfuck without actual exploits to circumvent the security completely or re-sign images. This also doesn't address code signing issues for running custom code, which can be a very though nut to crack if Nintendo did their job properly.

There has to be. Even the 3ds had that.
There's no reason to "rebrand" anything, the flash chips are custom made.

 

[TheCyberQuake]

There has to be. Even the 3ds had that.
There's no reason to "rebrand" anything, the flash chips are custom made.

The 3ds games were much smaller in size. Nintendo may have just "rebranded" due to costs of the larger storage chips.
Edit: in terms of storage, not physical size

 

[Duo8]

The 3ds games were much smaller in size. Nintendo may have just "rebranded" due to costs of the larger storage chips.
Edit: in terms of storage, not physical size

Flash got cheaper since 2011, so using larger chips shouldn't cost much more than then.

 

[TheCyberQuake]

Flash got cheaper since 2011, so using larger chips shouldn't cost much more than then.

They have actually been going up in price the last 6+ months, and a price hike is about to happen as well.

 

[Tesseract4d]

http://www.satpimps.co.uk/showthread.php?63462-How-to-Jtag-the-Intel-TE28F160-chipped-7000E

Hey boy, that chip looks a lot like the intel flash chip used in the Motorola surfboard modems. That chip can be read and flashed using jtag for the purpose of flashing CFW on a modem such as haxorware. There's tons of tools and programs out there to do this.
If it's an EEPROM chip, most likely 32 or 64 gb capacity, if this is the case the cost for those chips is currently not worth the hassle.

- Getting a cartridge (Done)
- Opening the cartridge and making pictures (Done, check 'm! http://imgur.com/a/FndZC)
- Getting connected pins of the cartridge (Done, see this post)
- Getting to know the purpose of the pins <-- We're right right now
- Being able to dump a rom
- Developing a PoC PCB to upload roms to and run them

-----

Right now I'm looking for:

- More Switch cartridges of different games, preferably Zelda because I think the PCB is quite different. (Zelda confirmed to be just a chip)
- Donations. Producing PCB's, Buying tools and time ain't cheap D:

Let me know if you want to contribute!

-----

As promised, the pinout and high quality pictures of the PCB

For me it looks like a normal NAND chip, however it seems to have a rather odd pinout, that does not match regular TSOP48 NAND chips. It most likely is a 8-bit channel NAND chip though, which should be readable

(Oh, and the capacitors are 0.2 and 0.1uF. Top to bottom: 0.2uF, 0.1uF, 0.2uF, 0.1uF)

-----

Pinouts!

(Blank pins are not connected to anything)



To me it looks like Pink is VCC and Dark Blue is GND, to figure out all the pinouts I need to way to run a card inside the switch while also being able to probe it. I'm thinking about the cheapest and best way to do it

-----

Soon: Meaning of the pins (Required before we can dump a rom)

 

[Noctosphere]

i wonder what will be the extension f switch rom.
we saw
.gb
.gbc
.gba
.nds
.3ds
i wonder what switch will be

 

[TheCyberQuake]

i wonder what will be the extension f switch rom.
we saw
.gb
.gbc
.gba
.nds
.3ds
i wonder what switch will be

According to the fake dump it's going to be .nxg

 

[Noctosphere]

According to the fake dump it's going to be .nxg

 

[Duo8]

I propose .nsi

 

[GorrillaRIBS]

I'd go with .ns - if there's no third letter, why add one?

 

[Joom]

Wait for the MEGA link, get it from there, try to check the dump data and see if it's somehow legit. Best would be another dump to compare with.

Why would I pay for a premium MEGA account in the first place? That file is too large to download from MEGA for free thanks to retarded bandwidth caps they've put in place. Also, of course it's fake. Anyone that paid this ass did deserve to have their money taken, like @Favna said. Why the hell would the Switch version be larger than the Wii U version when they're the exact same game with some minor UI differences? If I saw this without any prior notice I'd immediately assume it was fake thanks to deductive skills.

 

[Axido]

Why would I pay for a premium MEGA account in the first place? That file is too large to download from MEGA for free thanks to retarded bandwidth caps they've put in place. Also, of course it's fake. Anyone that paid this ass did deserve to have their money taken, like @Favna said. Why the hell would the Switch version be larger than the Wii U version when they're the exact same game with some minor UI differences? If I saw this without any prior notice I'd immediately assume it was fake thanks to deductive skills.

You don't make a premium account. You just use Mega Downloader 1.7.

 

[Joom]

You don't make a premium account. You just use Mega Downloader 1.7.

I don't use Windows.

 

[Beetwaaf]

I don't use Windows.

https://github.com/megous/megatools
Same thing but works via command line and supports Mac OS & Linux.