Pirates battling pirates

Switch pirates don’t want you to pirate their piracy-enabling firmware

But anti-piracy hackers are hacking the piracy hack for themselves.


As expected, the unpatchable Nintendo Switch exploit published months ago has now led to the existence of piracy-enabling custom firmware for the system. In an ironic twist, though, the makers of that firmware have introduced anti-piracy code to prevent people from pirating their own work.

While there is a free version of Team Xecutor's custom SX OS available online, loading that firmware only allows Switch players to play homebrew software. To load pirated (or "backed up") versions of copyrighted Switch games, you have to buy a licensed copy of SX OS from an authorized reseller.

Trying to load the paid version of SX OS without a valid license leads the firmware to execute a "brick code" path, locking up the system's internal NAND memory behind a password. It's possible to recover your hardware from this "bricked" state, but regaining control can be an opaque process if you don't know what you're doing.

Vulnerability researcher Mike Heskin, who is helping Team ReSwitched in its efforts to develop the open source Switch homebrew firmware Atmosphere, discovered and publicized SX OS' piracy protections on his blog and Twitter earlier this week.

"If I worked on cracking the Switch itself, why shouldn't I try to do the same with their product?" Heskin wrote. "It's out there for anyone to grab and has multiple layers of obfuscation, seems like an interesting puzzle to me... I just like to crack DRMs."

In the process, Heskin says he found that the SX OS simply modified much of Team ReSwitched's own code in violation of that firmware's open source license. "Even the code for talking to their license server uses an open-source crypto library so, yes, there are multiple license violations here," he wrote. "However, none of us expected differently, to be honest."

The “cat-and-mouse” game

For its part, Team Xecutor denied any attempts to maliciously damage the consoles of users that try to pirate its product. Speaking to The Verge, a Team Xecutor representative said it was just engaging in "a harmless cat-and-mouse game between aspiring hackers and competing teams... We do not 'brick' any consoles, ever. We do implement inconveniences to safeguard anti-tampering of our SX OS boot file to remain at a competitive advantage. It would simply be bad business to intentionally harm a user’s console."

"Our product has been designed with the greatest possible stability and polish," the Xecutor representative added. "Whenever someone is running our SX OS they can be assured they are running a safe and well-tested product. We cannot guarantee equal functionality and performance when any changes are made and therefore do not support any unauthorized modifications."

Heskin confirmed on Twitter that he's already reversed Xecutor's "brick code" on his guinea pig system and that the piracy protection attempt "didn't hinder in the slightest my progress in cracking the SX OS. Ironically, it had the reverse effect since I was able to observe where and how the next stages are loaded into which in turn allows to improve emulation solutions to further crack the code."

More generally, though, Heskin called piracy "a despicable and toxic practice that goes directly against the morals and values of the homebrew community. It completely discredits our attempts to show companies that we are capable of building positive solutions by modifying their products."

While Nintendo is obviously pushing back against Switch piracy any way it can, it's interesting to see portions of the console hacking community itself trying to prevent piracy on the Switch. If that means helping to enable piracy of the piracy software itself, then, apparently, so be it.
