Did you NOT know gaming? – Nintendo Switch Piracy & Hacking
I didn't want to do this. I legitimately wanted to give DYKG a chance to fix stuff. But it didn't happen and now we're left with nothing else. Time to write that original blog I said I was going to write a while ago.
Okay, so to those of you who didn't understand that previous paragraph, allow me to explain. 2 weeks ago, as of writing, Did You Know Gaming (the YouTube channel) put out a video about Nintendo Switch Piracy & Hacking. And... it's bad. Like, REALLY bad. It's rife with outdated and incorrect information and goes out of its way to characterize the entire Nintendo console homebrew scene as nothing more than a den of pirates.
In case you didn't know, I kinda give a fuck about the homebrew and hacking scene. I've met friends and the like there and I love seeing people make awesome stuff for Nintendo consoles, which in and of itself remain to this date just about the only consoles I wholeheartedly recommend.
So... when this video came out and I watched it, I kinda got irritated and considered writing a blogpost about it at the time. That post was never made, because a friend of mine had informed me that DYKG had reached out and asked involved hackers and scene members to point out exactly what was broken with the script. Whilst at the time I was busy and a number of people had pointed out flaws before I could get to it, I opted to not write the blogpost in question. Instead, I gave DYKG the benefit of the doubt. I would wait and see what they would do and give tips on what was incorrect in their script. Supposedly, they would be retracting their previous video and creating a new one based on the concerns we raised.
So... I waited. For reference, I first got confirmation that the script that we added comments to was sent off to DYKG for the first time on July 15th. As you can see, it is the 28th of July. To the best of my knowledge, DYKG has not responded to the modified script in any shape, way or form. Nary so much as a comment on their original video, a response to the email that was sent to them, anything on their Twitter feed. I have checked this.
With that out of the way, my patience has sort of run dry, as one might guess. So let's make that original blogpost. Let's do a minute-by-minute takedown of DYKG's original video.
For those of you who want to watch along, I have put an embed below, or you can watch the video yourself here.
Beat? Set? Go.
The setup will be as follows: I will go over the video on timestamps. I'll clearly state if there is a visual or a script concern/error (the video has issues on both of these ends).
The first couple of seconds are a promotion for the since-passed New Jersey GamerCon. As these do not relate to the video, I will skip over them.
- 0:21 Visual concern: The intro screen. It solely focuses on piracy; there is no mention of hacking whatsoever. Strange for a video that claims to focus on both.
- 0:43 Script error: 7.0.0 did not introduce a “scrambled batch of code”. It introduced a signed TSEC payload that prevented CFW that booted Horizon from working.
- 0:53 Script error: “elmirorac” is motezazer. elmirorac is their Twitter handle.
- General concern: No mention of the actual method that was devised to get past this. It's called sept and could definitely get a mention in the video.
- 0:57 Script error: I can't fault DYKG too much. Most tech media took this single example of “cross-pollution”, so to speak, and ran with it, whereas it so far has not proven to be the case on other hacked Switches, meaning it is for all intents and purposes an unverifiable claim.
- 1:12 Script concern: “A bug found in the Nvidia Tegra X1 allowed hackers access to the Switch's bootrom to install a range of programs on the Switch”. This is more... confusing than incorrect. The Tegra X1 bug (known as fusee-gelee) allows access to the Tegra's own Recovery Mode which due to an exploit permits unsigned code execution. Due to the specific methods involved for Switch Hacking, generally nothing is ever installed to the Switch itself (everything exists on the SD card).
- 1:40 Visual error: This is the Recovery Mode of Horizon. It is not the Recovery Mode of the Tegra X1. That mode does not have a GUI and is just a black screen. This issue pops up several times in the video. In combination with the script talking about the X1,
- 1:47 Script concern: While switch-linux is interesting, it more or less works separately from the actual homebrew involved and can exist completely separate from any CFW. (In addition, it would be recommendable to instead show footage from linux4tegra, as it is better performance-wise, especially for dolphin footage.)
- 2:04 Script concern/error: A mixed bag of both. Nintendo didn't really fix much of anything. They simply decreased the maximum allowed payload size (configurable only while the Switch is still in the factory) to 0. While a fixed chip does exist (called Mariko; it is all but guaranteed to be in the Switch Lite, the only reason we can't say so for certain being that nobody has gotten their hands on one yet), it is not yet in regular units at the time of writing.
- 2:16 Script concern: “Model 1” is a very weird way to describe these Switches. The most common designation is typically unpatched, but as this might not work narratively for the script, launch Switches is also an option.
- 2:28 Script concern: Kate Temkin is cited several times throughout the video. Whilst this is inevitably unavoidable to some extent, the video does not in any shape, way or form make clear that she is no longer involved with Switch hacking in any form, due to selling someone else's exploit to Google without that person's consent. As a result, most quotes and mentions of her work in this video tend to be outdated or inaccurate due to advancements and new knowledge on the Switch.
- Kate did not make fusee-gelee. Fusee-gelee is the name of the exploit mentioned earlier (which the video doesn't fully make clear; fail0verflow discovered the same exploit but called it ShoFEL2). She did not make the launcher either (that would be a program called
- On that note, whilst Kate did report the bug to Nvidia and Nintendo, an anonymous user on the board 4chan either found or leaked the bug about a month before its official disclosure date.
- Kate did not make
- 3:18 Script error: This developer should be called langer hans, not by their real name (it is generally impolite to use real names when users have handles that can be used instead and that aren't outright indicative of their real names). Their work should also be credited to the switchroot hacking group rather than to them individually, as it is the result of collaborative work.
- 3:25 Script concern: Freebird is indeed capable of overclocking, but the project is not open source, which makes mentioning it a security concern, particularly since an open source alternative exists (sys-clk). In addition, both tools permit overclocking (and underclocking) the CPU, not just the GPU.
- 3:33 Script concern: Amir Rajan has little involvement with the hacking scene, nor is he an indie developer. He merely ported the mentioned game over. In addition, the Ruby interpreter in question was vulnerable to an exploit (as well as being a thinly veiled sales pitch for a paid $40 Ruby programming library Rajan developed).
- 4:41 Script error: DevMenu is part of the SDK. It is not a part of the Switch itself. One doesn't “break into it”. One deliberately chooses to install it and it was leaked online (with all legal ramifications of sharing software that was granted under strict non-disclosure agreements). There is nothing 'innocent' about this.
- 4:52 Script concern: This puts the issue squarely in the hands of the hackers. The real fact of the matter is that the Switch merely uploaded whatever was set as the profile picture to Nintendo's servers, rather than issuing a request to set it remotely.
- 5:11 Script error: This is ass covering. Rei's general behavior outside of public locations (such as Twitter) seems to suggest that Rei is the type of person to actively encourage this kind of behavior. To suggest he's actually sorry is nothing short of a lie.
- 6:21 Script concern: This is a very simple boilerplate way of explaining the Warez scene in general (not particular to the Switch) and could easily be left out, given how it's both inaccurate for the specifics of the scene and doesn't really work in general.
- 6:36 Script concern: Due to its position in the video, this characterizes any and all developers who do reverse engineering or coding work in the scene as doing it purely for piracy. Numerous people in the scene do not do reverse engineering work for the sole purpose of piracy, but rather do it in order to allow general purpose homebrew to exist and work. Often reverse engineering has little to do with piracy itself and is more about permitting custom programs (homebrew) to access more of the Switch (such as the internal browser).
- 6:52 Script and Visual error: This is not how Switch piracy works and it somehow mischaracterizes game keys (which can often also be found in physical copies these days) as purely being reviewer keys. In addition, the suggestion is made that these keys can be reused. They cannot be.
- 7:02 Script and Visual error: Hooo boi. This one is so massively wrong. Where to start. Let's do it in sequence:
- Visual error: See what I wrote at 1:40.
- A “boot menu” isn't installed. Assuming this is referring to a bootloader, it isn't even downloaded to the Switch but rather to a peripheral device which then sends the bootloader to the Switch.
- The “boot menu” doesn't launch homebrew. It is purely a bootloader, similar to the purpose of grub on an actual PC. It lets you choose what to boot. The actual homebrew menu (a piece of software designed to launch homebrew) can be loaded in if the bootloader is set up to do so.
- Similarly wrong here is the supposed need for an external program to launch these games. Signature patches to two specific Nintendo Switch modules are needed for piracy, but they are not separate programs.
- 7:26 Script error: This version wasn't uploaded to 4chan but rather to a piracy guild.
- 7:29 Script error: DAuther isn't a piracy tool. Rather, it is used to generate a token that permits browsing the eShop (and even then only the metadata backend part is accessible, meaning no piracy can be done using it.)
- 7:41 Script error: A certificate is not a “code”.
- 8:48 Visual and Script error: The visual error is that you're showing off “SX Installer”, a rebranded illegal copy of “DZ” (a program which I've written about before in the context of its developer). The script error (and I cannot believe you're making me say something 'positive' about SX OS, even if that comes with a giant asterisk and several other subquotes) is that since version 1.3 it has stubbed out the call to the brick code, meaning it is rendered inaccessible to normal users and the program just loops instead.
- To bring this back around to TX and DYKG not being accurate though: SX OS's original brick code would trigger the moment it detected anything out of place, to the point that hardware temperature readings could accidentally trigger it.
- 9:01 Script error: Accusations aren't accusations anymore if they're proven. And they have been. See my old blog here for the bulk of it.
- 9:10 Script concern/error: This refers to Kate's old Fusee FAQ, which is widely considered outdated. Team Xecuter did not drop the “zero day” (referring to fusee-gelee). This was done by an anonymous 4chan user. This is entirely due to neglect on Kate's end, which is understandable considering she's no longer a part of the hacking scene.
- 10:40 Script error: Again, this isn't mere speculation, this is proof, and it is not a hardware flag. The Nintendo Switch has various reporting services built into it. These reporting services keep track of playtime, crash reports and the size of content on the MMC chip. If any of these are considered out of place, the user is banned. It should be noted that for non-piracy homebrew, it is sufficient to redirect only the crash reports, as playtime and size reports only end up being off when it comes to piracy (and faking these is a suspicious move, as a large number of similar reports will break). These services keep the logs offline until the Switch connects to a wifi network, upon which the Switch will attempt to upload the logs it hasn't uploaded yet.
- 11:45 Script concern: Team Xecuter are, beyond any reasonable doubt, horrid, horrid people. This statement is flat out false. Their product includes Nintendo code (notably lotus gamecard headers), encryption keys and large parts of GPL licensed software, without following the requirements of the GPL. Including the statement lends their claims an unwarranted validation, as if they were fact.
After this, a short outro fact plays, followed by the general DYKG outro.
I cannot blame DYKG too much for these errors. A large part of this comes from the fact that the tech industry's reporting on console hacking in general is... notoriously poor, and for the most part they seem to have taken only the reports made by the tech industry as their sources, rather than actually investigating the matter.
This was my view before I heard of the collaborative effort to try and give them a chance to fix it. With that currently standing at about two weeks in, with DYKG essentially having gone radio silent, that view, while not completely gone, is now cast in a much more cynical light, considering they seemed interested in attempting to fix their flaws but aren't following up on them in the slightest.
Quite a shame, I used to really like Did You Know Gaming.
To the many people who made the Switch scene possible, as well as special credit to the original people involved with the editable document for pointing out things I missed.
I do not consider this private information. The document that was used for edits was publicly available in ReSwitched's #off-topic channel.
Signed: This means something is valid or created by a specific entity. The cryptography parts involved around this are beyond the scope of this post.
The TSEC is a specific processor on the Switch's motherboard that handles security.
Horizon OS is the Switch's “official OS”.