Why FreeShop is still possible on the Switch, and what should have been done to prevent it.

jakkal

<QUOTE>Get title contents from CDN:
Nintendo really fucked this one up hard.</QUOTE>

You forget one thing.
Nintendo LOGS everything, also the entries without a valid key/certificate. This way they leave themselves an opening to ban people afterwards.
How do you think people have been downloading using CDNSP all this time? Even with a banned console cert you can download games from Nintendo's servers.

Ian095

That could lead to some legal headaches for them; I doubt they would bring IP addresses into it. Imagine if you were on a public network and got a ban all of a sudden because someone else on the network was acting nefariously.

Thing is, didn't they already do that to someone using their PC to communicate with the CDN? Not a pro when it comes to this, but I'm sure their Terms & Conditions probably cover their ass in that scenario, because anyone who was banned most likely would either never sue or be guilty enough not to take action.

Nintendo does seem to have ways to know if a cartridge is legitimately inside the console (from what I've heard on here), so I'm sure they wouldn't go banning people on public networks.

Plus, if someone bought a game and it was blocked from online play, I'm sure they'd be entitled to their money back anyways. I would find it humorous if someone got banned off of a local IP, but this place is full of people using illegitimate code on their devices, so they don't really have an argument here.

comput3rus3r

Their strategy is to allow it but be able to detect who's doing it so they can just ban you, instead of trying to block it and then having somebody make a workaround and them not being able to detect them. So unless somebody comes up with a way of not being detected, freeshop is not possible.

SimonMKWii (OP)

<QUOTE>Their strategy is to allow it but be able to detect who's doing it so they can just ban you, instead of trying to block it and then having somebody make a workaround and them not being able to detect them. So unless somebody comes up with a way of not being detected, freeshop is not possible.</QUOTE>
Even when they ban you, you can still access the CDN.
Deleted User (Guest)

I mean, the IPCs in boginstaller + SX patches = basically freeshop, lol. Dunno if it works, though.
Has anyone, even privately, reverse engineered those patches? If I had a Switch I would try, just by dumping the sysmodules out of RAM with and without SX and comparing them... They would be incredibly useful for CFW because you could just make an NSP of the homebrew menu and it wouldn't have to be opened through the album.

Lacius

<QUOTE>Has anyone, even privately, reverse engineered those patches? If I had a Switch I would try, just by dumping the sysmodules out of RAM with and without SX and comparing them... They would be incredibly useful for CFW because you could just make an NSP of the homebrew menu and it wouldn't have to be opened through the album.</QUOTE>
I don't have any evidence to back this up, but as basic a feature as this is, my guess is signature patches have privately existed long before the release of SX OS.

lukhart

Still, a month ago people said freeshop would be impossible on the Switch... and here we are, just a year after its launch, being able to download anything from the eShop and play it on SX using a banned cert, something that only started happening on the 3DS in its later years.

People now say that playing it online will be impossible without getting a ban. Maybe emuNAND with a clean NAND would fix this (online legit titles / offline pirated titles). And what about further development of anti-telemetry tools? We'll wait and see.

Never say it's impossible. Just a question of time and effort, really.

morrison22

<QUOTE>Still, a month ago people said freeshop would be impossible on the Switch... and here we are, just a year after its launch, being able to download anything from the eShop and play it on SX using a banned cert, something that only started happening on the 3DS in its later years.

People now say that playing it online will be impossible without getting a ban. Maybe emuNAND with a clean NAND would fix this (online legit titles / offline pirated titles). And what about further development of anti-telemetry tools? We'll wait and see.

Never say it's impossible. Just a question of time and effort, really.</QUOTE>

The question is how long "freeshop" will last on the Switch before it's patched.

lukhart

<QUOTE>The question is how long "freeshop" will last on the Switch before it's patched.</QUOTE>
I doubt it will be patched, or at least not so soon. When it comes to online, Nintendo is a dinosaur. Still no party chat or messaging on the system, even though individual games can do it. Maybe on the next system...

Draxzelex

Meh, any version of Freeshop for the Switch will cut your ability to play online games until someone makes a private server for online Switch games. It just allows people to pirate games without loading them as cartridges. Still stupid, but it's an improvement.

SapphireExile

You can't prevent piracy entirely. One way or another, someone will run a game they do not own. This goes for literally any digital media, and even some physical media. Enacting more and more DRM and security will eventually backfire on paying customers, similar to SecuROM and Denuvo preventing actual legal customers from running their own games.

Also, I highly doubt Nintendo is concerned about this. For one, it's another reason to buy a Switch, then another reason to buy the game. I can't count the number of games I've bought after pirating them, simply because I never would have played them otherwise, and enjoyed them.

What's the difference between installing a 3DS CIA and installing through Freeshop?
Time. That's it.
Just because there's an app that allows you to get it quicker doesn't mean methods aren't available right now, regardless of Nintendo's server security.

guily6669

Well, Nintendo's full online service is still upcoming, so yeah... I even wonder why they started the bans before actually having their full paid online service, but oh well...

As far as I know, when the new online system comes into place, most likely there will be a lot of changes, and they will probably give more apps like YouTube or other things, since people will be paying.

Reisyukaku

<QUOTE>Has anyone, even privately, reverse engineered those patches? If I had a Switch I would try, just by dumping the sysmodules out of RAM with and without SX and comparing them... They would be incredibly useful for CFW because you could just make an NSP of the homebrew menu and it wouldn't have to be opened through the album.</QUOTE>
Yes, I've looked into it a bit... TX uses custom KIPs (forked from atmo). The significance of the image I tweeted last was that I dumped the backup loader and loaded it in IDA, lol. That image was in the .data segment. I have to check if the NSP patch is a secmon patch.

Type_O_Dev

<QUOTE>Here's my (moderately detailed) analysis on why freeShop is still possible on the Switch, and what I believe Nintendo should have done differently to prevent certain things.

First, let's recall how freeShop works on the 3DS (heavily simplified):
Get the titlekey from a database
Generate the ticket for that title
Install the ticket
Get title contents from CDN
Install title contents
The title is now playable.

And this is how the Switch fails to prevent it (also heavily simplified):

Get the titlekey from a database:
That can't be stopped.

Generate the ticket for that title:
They would have solved that by generating RSA-wrapped personalized tickets server-side, but this is easily defeated by disabling signature checks and generating an unsigned common ticket.

Install the ticket:
With patched sysmodules, there's nothing stopping an attacker from sending the IPC commands necessary for installing a common ticket.

Get title contents from CDN:
Nintendo really fucked this one up hard.

All requests to Atum (within your cert's environment) are accepted.

This is extremely poor design, as both system modules/applets and eShop content share the Atum server.

What they should have done is segregate system and eShop content to different servers.

System content should require just your console-unique cert, similar to the current system put in place.

In the case of eShop content, it should require your ShopN bearer auth token, and check that your account has the rights to the requested title prior to returning any of its content (NCAs and patch CETKs).

Yes, Atum doesn't check whether you own a certain title before returning its content.

The dumbest part is, it was always possible, as Shogun, the eShop backend, already has a feature to list all of your owned titles that aren't currently installed on your device.

Sending an authed GET request to https://bugyo.hac.lp1.eshop.nintend...ned_titles?shop_id=4&lang=en&device_type_id=6 returns a JSON with all of the uninstalled titles you own.

And yet another colossal fuckup: sending an authed POST request to the "redownload" endpoint https://bugyo.hac.lp1.eshop.nintend...d_titles/download?device_type_id=6&title_ids= (title ID, uppercase) with the data "lang=en" will invoke nsBeginInstallApplication, downloading and installing the title, regardless of whether or not the requested title ID is present in your owned titles.

Yes, "owned_titles/download", unlike what the name would imply, doesn't actually check whether you're trying to download an owned title, and just downloads every title ID sent to the endpoint regardless.

Install title contents:
Same issue as ticket installation.

Assuming sigpatches are enabled and the ticket is installed, the Switch can load the titlekey from the ticket into the relevant keyslot, and the title is now playable.</QUOTE>
It seems the ShopN we are using is no longer working.
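The server-side check that the quoted analysis says Atum and the "owned_titles/download" endpoint never perform, modelled as an added example. This is not code from the thread and not Nintendo's backend: the Backend class, the cert serials, bearer tokens and title IDs are all constructed stand-ins, and treating "title ID starts with 01000000" as the system/eShop split is a modelling assumption standing in for the separate servers the post argues for. The vulnerable functions reproduce the behaviour the post describes (any issued cert, banned or not, gets any title; the redownload endpoint installs whatever IDs are posted); the fixed ones demand the console cert alone for system content and cert plus an entitled bearer token for eShop content.

```python
"""Toy model of the authorization split the quoted analysis argues for.

Added example, not code from the thread or from Nintendo. Every identifier
below is constructed: cert serials, tokens and title IDs are placeholders, and
is_system_title() is a modelling assumption, not a statement about the catalogue.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder title IDs (no claim about any real title).
SYSTEM_TITLE = "0100000000000FFF"   # stands in for a system module/applet
OWNED_GAME = "0100AAAA00000000"     # a title the sample account owns
OTHER_GAME = "0100BBBB00000000"     # a title it does not own


def is_system_title(title_id: str) -> bool:
    """Assumption for the toy: system content is recognisable by title ID.
    The post's point is that it should live on a separate server; either way
    the class of content must be known before choosing which credential to demand."""
    return title_id.startswith("01000000")


@dataclass
class Backend:
    consoles: dict    # console cert serial -> {"banned": bool}
    tokens: dict      # ShopN-style bearer token -> account id
    ownership: dict   # account id -> set of owned title ids
    content: dict     # title id -> bytes (stand-in for NCAs / patch CETKs)


def sample_backend() -> Backend:
    """Constructed data: one clean console, one banned console, one account."""
    return Backend(
        consoles={"CERT-1234": {"banned": False}, "CERT-9999": {"banned": True}},
        tokens={"tok-alice": "alice"},
        ownership={"alice": {OWNED_GAME}},
        content={SYSTEM_TITLE: b"sysmodule", OWNED_GAME: b"nca-owned",
                 OTHER_GAME: b"nca-other"},
    )


# --- Behaviour the analysis describes: one CDN, any issued cert, no ownership check ---
def cdn_get_vulnerable(b: Backend, cert_serial: str, title_id: str):
    """Returns (status, body). Only "did we issue this cert" is checked."""
    if cert_serial not in b.consoles:          # a banned cert still passes here
        return 401, None
    if title_id not in b.content:
        return 404, None
    return 200, b.content[title_id]


# --- Hardened: the credential demanded depends on the content class ---
def cdn_get_fixed(b: Backend, cert_serial: str, title_id: str,
                  bearer: Optional[str] = None):
    """System content: a valid, unbanned console cert alone. eShop content:
    additionally a bearer token whose account owns the title. Entitlement is
    decided before existence is revealed, so an unentitled caller gets 403 for
    owned-by-others and nonexistent titles alike and cannot enumerate the catalogue."""
    console = b.consoles.get(cert_serial)
    if console is None or console["banned"]:
        return 401, None
    if not is_system_title(title_id):
        account = b.tokens.get(bearer)
        if account is None:
            return 401, None
        if title_id not in b.ownership.get(account, set()):
            return 403, None
    if title_id not in b.content:
        return 404, None
    return 200, b.content[title_id]


# --- The "redownload" endpoint ---
def redownload_vulnerable(b: Backend, bearer: str, title_ids):
    """Authenticates the token, then installs whatever IDs were posted, owned or not."""
    if bearer not in b.tokens:
        return 401, []
    return 200, [t for t in title_ids if t in b.content]


def redownload_fixed(b: Backend, bearer: str, title_ids):
    """Rejects the whole request if any posted ID lies outside the account's
    owned set, rather than silently filtering, so the client never sees a
    partial install it did not ask for."""
    account = b.tokens.get(bearer)
    if account is None:
        return 401, []
    owned = b.ownership.get(account, set())
    requested = set(title_ids)
    if not requested <= owned:
        return 403, []
    return 200, sorted(requested)


if __name__ == "__main__":
    b = sample_backend()
    print("vulnerable CDN, banned cert, unowned title:",
          cdn_get_vulnerable(b, "CERT-9999", OTHER_GAME)[0])
    print("fixed CDN, clean cert + token, unowned title:",
          cdn_get_fixed(b, "CERT-1234", OTHER_GAME, "tok-alice")[0])
```

The ordering inside cdn_get_fixed is deliberate: the entitlement check runs before the existence check so the status code does not leak which titles exist to callers who are not entitled to them, and the banned-cert check is the first thing evaluated so a banned console is refused even system content, which is the opposite of what the thread reports for the real CDN.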
 
