Image: Cathryn Virginia/Motherboard

Inside the Messy, Dark Side of Nintendo Switch Piracy

Doxing rivals, stealing each other’s files, and poking around Nintendo’s servers are all a normal part of the ballooning Nintendo Switch hacking and piracy scenes.

|
Nov 13 2018, 3:00pm

Image: Cathryn Virginia/Motherboard

The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here.

Listen to Motherboard’s new hacking podcast, CYBER, here.


The source of the leak had no chance of being traced. Someone, perhaps a professional games reviewer, had just helped dump a copy of Diablo III, a hotly anticipated Nintendo Switch game at least several days before its official launch date. The source had used a middleman who ultimately released the game for pirates to distribute among themselves.

This approach of disguising the original source of the leak by using a middleman was the right way to release games early, or ‘pre-street,’ one of the pirates chimed in, according to chat logs from a private group of a few dozen Nintendo Switch pirates obtained by Motherboard. Whoever the source was, they had released other games over the last few months, including games up to two weeks in advance of their general sale; a big win. In another instance, pirates managed to get their hands on Dark Souls: Remastered, another much-anticipated game ported to the Switch.

“They keep on coming,” a source from one of the private, tight-knit Switch chat rooms told Motherboard in an online chat.

Behind every free, pirated game, there’s a lot more going on.

“Welcome to the Switch scene. The drama is crazyyyyy,” the source added. Motherboard granted a number of sources anonymity to speak more candidly about private communities and illegal activity, and to avoid repercussions from other members; other sources requested anonymity because they did not have permission from their employers to speak to the press.

The Switch piracy community—much of which operates on the gamer-focused chat app Discord—is full of ingenuity, technical breakthroughs, and evolving cat-and-mouse games between the multi-billion dollar Nintendo and the passionate hackers who love the company but nonetheless illegally steal its games. Pirates deploy malware to steal each other’s files so they can download more games themselves. Groups deliberately plant code into others' Switches so they no longer work. And some people in the scene have been doxed, meaning they’ve had their personal information published online.

HOW PIRATES GET SWITCH GAMES

Pirating games for the Switch is not technically straightforward. Instead, there’s a complex supply chain constantly grinding away that helps people source and play unreleased games. There are reverse engineers who figure out how Nintendo’s own tools work, so hackers can then use them for their own advantage. There are coders who make programs to streamline the process of downloading or running games. Reviewers, developers, or YouTubers with access to games before general Switch users often leak unlock codes or other information to small groups, which then may trickle out to the wider community. These smaller groups may also have access to more boutique or niche leaks which rarely become public, such as demos from the servers of Nintendo Kiosks, which are consoles set up at special events. One source showed Motherboard alleged prototype Switch documents obtained from a developer meeting held last year.

To release a game, pirates may dump a copy from the physical cartridge; they can do this before the game releases in the United States by sourcing the cartridge from an Australian store, which releases earlier because of the time difference. But this only gets a game out one or two days before official release. For the more sought-after and early dumps, pirates often manage to grab a copy from Nintendo’s eShop, the company’s digital download game store that is built into the Switch. Here, pirates will likely use a piece of hacker-made software on their computers to talk to Nintendo’s servers, one pirate who uploads large archives of games explained to Motherboard in an online chat. The files can sometimes be downloaded early by anyone (by design), and are encrypted and need a so-called “titlekey” to unlock them and make the game playable. But reviewers or pirates with connections often obtain titlekeys and then share them. Crucially, titlekeys are not unique, and once grabbed, can be re-used by anyone to unlock a game.

JJB, who was until recently the administrator of the largest Switch piracy-focused Discord chat room called WarezNX, said pirates have had success in gaining access to parts of Nintendo’s infrastructure that is usually closed-off from ordinary Switch users.

These include servers used internally by Nintendo, such as one which hosts different versions of the Switch operating system. The trick to connecting to these usually off-limits servers was using files contained within the Switch Development Kit, which is typically only available to game creators, JJB said.

nintendo-switch-document
Caption: A screenshot of an alleged developer-focused Nintendo Switch document provided to Motherboard. Image: Motherboard

Playing pirated games requires more work than just downloading them. Pirates need to put their Switch into recovery mode—which involves physically connecting two pins inside the Switch with a paperclip or other tool. From there, pirates can download a bootmenu, which lets them select and launch software not specifically authorized by Nintendo. They also need to grab another piece of software that lets them install the pirated games themselves.

The largest Switch piracy Discord servers have thousands of members. Some of them are highly organized and user-friendly; on some servers, there is a bot that, when asked, will automatically send users a direct message with Google Drive links to a slew of Nintendo games, updates, and DLC to download for free.

Nintendo did not respond to a request for comment.

But the company has been working to make it harder to play pirated games. At its launch, the Switch contained a fundamental flaw in one of its chips—the Nvidia Tegra X1—which allowed hackers to gain more control over the console. Since July, Nintendo has rolled out fixed versions of its console. And in October, Nintendo tweaked how devices communicate with its servers, cutting off an established route of piracy. Developers of tools designed for ripping data from the company’s servers are now keeping them private because they are afraid that wider distribution will mean Nintendo will patch any techniques they are using.

“It’s insane they only got around to patching it now, when the exact same vulnerability was exploited for piracy on 3DS and Wii U for years,” one pirate who uploads large archives of games said.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

JJB told Motherboard his community of hackers reverse engineer “internal Nintendo content to help improve the scene.”

“We mostly stay in the dark due to the legality of what we do,” he added. “By providing such leaks from the shadows [...] we try to improve the rate of development.”

Nintendo is notorious for aggressively protecting its intellectual property, including taking down fan-made recreations of games or tackling piracy head-on.

“Video game piracy is illegal,” a post on Nintendo’s official website reads. “Nintendo opposes those who benefit and trade off the creative work of game developers, artists, animators, musicians, motion capture artists and others.”

The company is still lagging behind the pirates in some ways. The pirate who uploads archives of games says Nintendo only takes down files with a specific set of keywords, such as “Donkey Kong,” “Mario,” or “Zelda.” The pirate said they tweaked these just slightly—such as “Nintendo” to “Ninbendo”—and has faced no problems. The biggest issue, at least for this pirate, has been Google. He shares games using Google Drive, and the company takes swift action against users consuming a high amount of bandwidth.

Nintendo’s stance doesn’t ultimately stop piracy. It just shifts the dynamic of how the groups behind piracy tools operate.

But not all pirates are on the same side.

THE HONORLESS PIRATES

Simon develops a piece of software called DAuther which is used to generate an authentication token to then connect a computer to Nintendo’s servers. This can be used to receive game update notifications from Nintendo, Simon told Motherboard. But it can also be used for piracy.

Each Switch comes with its own, baked-in certificate for accessing Nintendo’s servers—this is how Nintendo knows which Switch it is talking to. If the company does catch someone downloading games they don’t own, then Nintendo can ban that certificate, and by extension, the pirate’s Switch, meaning the pirate can no longer officially download games or play online. So certificates are a hot commodity in the piracy community.

Recently, someone distributed a copy of DAuther on 4chan, according to Simon and several posts on 4chan and Reddit. This copy, it turned out, was malicious: it was designed to steal the user’s certificate and upload it to the hacker’s own server. Simon believes that the certificate-grabbing malware was going to be used for piracy en masse.

“Whoever did this required lots and lots of certificates as they knew they’ll get caught out, pinpointed by Nintendo and banned quickly,” Simon told Motherboard. Simon fired back against the people who made the malicious copy of DAuther, and coded a tool that uploads “random shit” to the hacker’s server, potentially to overload it, according to Simon’s GitHub. One user on Reddit went further, and published the apparent personal details of the person running the server, which a moderator swiftly removed (an email sent to the uncovered email address by Motherboard was not returned.)

“The Switch scene is a bit of a dumpster fire at the moment, stuff like this is pretty common,” Simon told Motherboard.

mario-pirate
Image: Nintendo

And then there are rivalries and conflicts around more formal piracy gangs. Team Xecuter, an established piracy group that has also developed tools for the Xbox and Nintendo DS, released a version of their Switch tool that allows people to play pirated games and have more control over their console earlier this year. According to Mike Heskin, a security and Switch-focused researcher, Xecuter’s Switch tool included code that would disable, or ‘brick,’ the Switch of anyone who tried to copy the software without paying (Xecuter sells its software for profit). Heskin also accused Xecuter of stealing code from Atmosphere, a free Switch tool that he has worked on.

In an email, a representative of Team Xecuter denied the group deployed any bricking code, and said that the program locks Switch consoles with a password or until the software is updated (Heskin was able to circumvent this lock when he discovered the technique in June.) They also framed the lock as more of a challenge for hackers that may come across Xecuter’s own anti-piracy measures—a “harmless cat-and-mouse game” between hackers and competing piracy teams.

“Most of this was created by frustrated hackers that wanted to achieve what we did but did not like the fact that we make people pay for our product, as most hack software/products are free,” the representative added. As for stealing the Atmosphere code, Xecuter did not deny that claim out right, but said “we take inspiration from the work and documentation that is out there,” and “we are far from a ‘cut ‘n’ paste’ job.”

JJB, the former Discord admin, said there have been other cases of piracy tool code disabling Switches, but this was done by individuals to encourage others to “not run random shit of [off] the internet.”

Sometimes the scuffles between these piracy crews and researchers do trickle down to the ordinary consumer.

“Shit like this is why I’m gonna wait for the scene to die down a bit in hype, too much of a chance in my console getting maliciously hacked or bricked by assholes,” one Reddit user wrote in response to a thread on Simon’s tool.

The source with access to the chat logs of a private Switch group said “people are leaving and joining the scene left and right in response to bickering and feuds.”

”JUST REMARKABLY TOXIC, HONESTLY”

These sorts of tit-for-tat skirmishes are, as Xecuter said, rather harmless. At worst, someone’s Switch is going to become inoperable or they’ll be banned from Nintendo’s servers. But some sections of the community resort to aggressive, targeted harassment against other community members.

One Switch hacker Motherboard spoke to faced a wave of abuse in their Twitter direct messages after being doxed. They said they were also stalked, and other community members amplified the doxing, leading to more harassment. In this instance, the doxing appears to be motivated in part by transphobia towards the individual, judging by incendiary comments included with several of the doxing posts.

This hacker described the Switch hacking and piracy communities as “just remarkably toxic, honestly.”

“For a long time I thought the problem was the end users, i.e. people who wanted exploits for the purpose of piracy, and didn’t care past that. Thing is, a lot of the hackers, reverse engineers, [and] exploit devs are awful too,” they added. Multiple other sources also pointed to cases of doxing.

zelda-breath-of-the-wild
Image: Nintendo

Some of those include unmasking people who have signed non-disclosure agreements with Nintendo, according to JJB, the former administrator of the WarezNX Discord, who shut down the server in October.

“Could not let any evidence stay up,” JJB explained to Motherboard just before closing the server. JJB did not elaborate on what specifically motivated the doxing, but said it was related to “disagreements internally, some people use it as a way to get things they otherwise would not.”

Communities can not last like this, with doxing, and hacking, at least in their current form. In part because of this, WarezNX has retreated to a more private setting, away from the thousands of other Nintendo fans who flooded the Discord.

“This does happen from time to time, almost like a cycle,” JJB added. “Once communities like WarezNX become as large and public as it did anyway, there will be a limited lifespan.”

That iteration of the server is currently offline.