Fuck Team Xecuter
05 July 2018 on rants. 29 minutes
NOTICE: The following piece is even more editorialized than my normal posts are. If you think me a cunt or anything for what I’m about to rant about, then please fuck off. I don’t need your readership. Same goes for trying to do any cheap gotcha’s.
Something I semi-often talk about here is homebrew. For the slightly unaware, although I don’t have the desire to go super deeply into it, homebrew is the idea of running custom code on devices that are often locked down by their manufacturers. Of course, it should go with the addendum that this specifically refers to gaming consoles, as hacking phones have their own names (Unlocking bootloader for Android, jailbreaking for the iDevice) and PCs usually aren’t locked down in any significant manner that can’t be solved with a good old partition wipe and a Linux install.
The Switch scene at the moment consists of three major groups, formerly four plus Team SALT that… did something? Things are kinda muddy in the regard for SALT as at one point they were part of one of the major groups but then got booted for choosing the hill they would die on was the one for good old pedophilia. While I’m not entirely interested in digging up those molehills, safe to say is that the Switch scene from it’s inception has been riddled with drama, personal attacks and in general a divide that at it’s safest way of putting it is simply two groups getting at very odd ends with each other, fueled by the nice little backdrop that has been plaguing politics for the past few years.
The groups currently relevant are: ReSwitched, the team I personally support that are developing the Atmosphere Custom Firmware, discovered ShofEL2 (the hardware exploit that is so easy to do, it only requires either a slightly awkward to find screwdriver or some tinfoil) and in general are making the most progress when it comes to actually making stuff for the Switch. It also mainly consists of developers that moved wholesale from the 3DS scene, which is a nice bonus as near the end, the 3DS scene got up to some really awesome shit. Oh and it contains some people who I genuinley consider my friends. Full disclosure on that fact, and if you think that I’m just an esjeedoubleyou because of that, then quite honestly… leave. Just leave. I don’t need or want you.
The other groups are: Team failoverfl0w, a team that moved from hacking the PS4 to set it’s eyes on the Nintendo Switch and had discovered ShofEL2 on their own (its discovery was announced early and subjected to a disclosure period to give Nvidia time to fix it, before an anonymous 4chan user discovered it too and leaked it) and released Linux on the Nintendo Switch, but beyond that aren’t hugely relevant due to an unreliable communication as to what they’re up to, but they can be considered a decent enough group.
Continuing the line of groups before I dig into the meat was Switchbrew, a team consisting of the original 3DS scene devs (smealum, qlutoo, derrek) and so on. Switchbrew however is currently effectively dead in the water, in spite of the fact that they had the backing of the main toolchain used to develop homebrew for a lot of systems, devKitPro. This comes with the close followup of some Switchbrew devs, wether on accident or not, starting drama towards ReSwitched. Which I’m not getting into, but just so you have the full picture, realize that this is a thing that happened. Oh and this team in particular has no desire to do anything beyond userland development, which the rest of the scene has already firmly marched past.
And finally, we reach the final group, the giant elephant in the room that nobody really wants to be there, but has to endure anyway: Team Xecuter. Formerly a team from the XBOX scene with some slight notoriety for having a bit of an ego (for context here, although it’s a bit deep to get into, I refer to pbanj, the current owner of Nintendo Homebrew, who dislikes them for doing shoddy solder jobs and having the gall to call anyone elses soldering garbage. Search #meta in NH for ‘FUCKING SLIM BALLS’ for full context.), Team Xecuter was bought out at some point and is now under the managment of what is very likely the widely hated Gateway team.
They recently released a dongle for the Nintendo Switch that automatically runs the off-device f-g/ShofEL2 portion if inserted in the switch, effectively making coldbooted CFW without needing an external device and an USB-C cable attached to it a reasonable possibility.
This is all well and good, and admittedly, the dongle seems like a nice piece of work so I’ll give them that much. The real meat of my disgruntlement comes from the project they sold alongside the dongle, and if I’m not mistaken comes with the dongle. Dubbed SX OS (what SX stands for is anybody’s guess, but my guess is Switch Xecuter), SX OS is considered the first ‘proper’ CFW that is in a releasable state (Atmosphere is in early alpha) that can to boot play ‘backups’. Which to those that have spend any form of time in a hacking scene is codeword for ‘piracy’.
Piracy is a bit of an iffy thing in the homebrew scene. Many developers hate it, I personally dislike piracy because I think it’s worthwile supporting game developers so they can make more awesome games, but I’m not as moralistic as Switchbrew in that I refuse to look into even the slightest advance that might enable piracy.
SX OS meanwhile is sold for a good 20 bucks. Without even getting into the hypocricy of SX OS being a CFW that enables piracy that is sold for a price, it is also illegal. Yep, you heard that right. No gray water muddying, no dodgy stuff involving breaching the DMCA, just flat out illegal.
ReSwitched developer Mike Heskin (hexkyz) discovered (and posted on his twitter) the following tweet:
Just gonna leave this here...https://t.co/rv1e1czlTJ pic.twitter.com/BipbBqHKAz
— Mike Heskin (@hexkyz) June 28, 2018
For those of you (like me) who don’t fully get what he posted here, permit me to clarify: What you are looking at is one of the files from SX OS opened in a hex editor. A hex editor is a program that allows you to view the contents of a file as hex data, and usually edit the files. While I’m not going into the full details of how this works, the real meat of what is shown in this tweet is on the right. Specifically its meant to read “Do you mean to tell me that you’re thinking seriously of building that way, when and if you are an architect?”, except it’s partially obfuscated. The reason this is relevant? It’s the same line as an easter egg found in the source code for nx-hbloader, therefore proving that nx-hbloaders source code was used in the development of SX OS.
nx-hbloader is licensed under the ISC license, a variant that, while functionally identical to the MIT license, strips out some of the unneeded bits. The basic demand of the ISC license however is the same: if you desire to use parts of nx-hbloaders source code in your own project, you have to state that you used nx-hbloader by including a copy of the ISC license (as well as that you can’t impose any warranty or hold the devs liable, which is bog standard for OSS licenses.)
Team Xecuter did not do that. Not in their current release, not in any of their updates. In this case, it’s such an easily fixable problem too! All they have to do is download the license file (which if they cloned the code, they already have), add it to the zip file on their main page (or simply add it to the download page) and they would follow the requirements for the ISC license
All of this however fades in the next bit I’ll talk about. The ISC/MIT license is a cheap license, and many large companies (including Apple) make use of programs written in it.
AMENDMEND: It has been brought to my attention that nx-hbloader isn’t under the ISC/MIT license. My mistake. It’s not licensed, which means “All rights reserved”, aka “can’t use it in any way unless we give you permission to”. This just makes it a flat out copyright violaton and nx-hbloader can’t be reused in any project, added notice or not. The confusion sterned from nx-hbmenu, which is licensed under the ISC/MIT License. This does not change the fact that nx-hbloader is open source software, it just doesn’t count as free software. There is no real solution for Team Xecuter here, they’re boned for using nx-hbloader in their program.
A much stronger license used by proponents of Free software (not the same as Open source software for reasons too long to get into) is the GNU General Public License. It’s a license that is more complexly written than the previous licenses, expands on many requirements and demands, and in general is more the kind of thing that is only read by people with a legal degree and too much time on their hands.
For you and me though, what you should know about the GPL are the following things:
- You can freely use any GPL code in your own projects, and you are allowed to sell them and privately use it.
- This however comes under a few conditions. Namely that you need to disclose the source code (and the entire source code, a user should be able to compile their own copy of your release if they so wish to, list your changes (a diff file or a git log can actually suffice here), make sure that the original license is included in the project and make sure the project is licensed under a similar license that ensures that all the previous demands are met. As well as the general boilerplate no liability and warranty clauses mentioned earlier.
The GPL is probably the most popular FOSS license out there, although it is not the only one. Why it is relevant in this case is that another tweet by Heskin shows the following:
Sneak peak of TX's enterprise-ready filesystem layer totally developed from scratch!
— Mike Heskin (@hexkyz) June 28, 2018
But why does it look so familiar?
"embeddedfs:/titles/%016lx/exefs/main.npdm" 🤔 pic.twitter.com/sHMUi7jT0C
Once again, we are treated to the hex editor view from the previous tweet. In this case however, the portion shown here proves the code itself is from Atmosphere. Yes, the same Atmosphere mentioned much earlier in my article, the CFW that is developed by the ReSwitched team.
And guess what license Atmosphere is under? That’s right! It’s the GPL! (specifically the second version of it, reasoning here is unclear, but it might be due to so called “Tivoization” that the GPLv3 added to prevent running GPLv3 code on hardware that locks down the software it can run, which the Switch does with its efuses).
And just to get the obvious one out of the way here: Team Xecuter followed none of the clauses they had to follow to be able to use GPL licensed code in SX OS.
SX OS is closed source, is sold at a premium fee, does not list it’s changes from the original project and so on and so forth.
Carrying on from there, let me explain why it is bad that this happens. Ignoring the blatant copyright violation in plain sight (and yes people have been sued over the GPL, even big corporations like Microsoft), it is also highly disrespectful towards developers. I feel the best way to tackle this would be to highlight some form of arguments I received when expressing my views on this matter (note: none of these are strawmans, I can link you to the thread where I’ve seen pretty much all these arguments expressed in some form).
“If they didn’t want it stolen, they shouldn’t have given out the source code.”
The advantages of free software usually are that your project is considered “safe” by a lot of people, as anyone can check the code and make sure you didn’t tamper with it, and if they still don’t trust your release, they can build their own copy.
This comes with the addition that your project can never really “die”. Anyone with an interest in the program that wants to add something to it actually can. Free software licenses ensure on this end that the modified code is also contributed back to the community if you go public with your source code.
Secondly, what is basically argued here is that if you are robbed while your purse is in your open handbag (example scenario), the cops should not need to investigate the case because you practically lured the thieves to your purse. You’re engaging in victim blaming pretty much.
“I don’t give a fuck, Team Xecuter did it first!”
This mentality kills homebrew scenes. I’m not exaggerating that, it really does. The mentality that is being pushed here drives away developers, both new and existing. The best way to explain this would be through a little example that I posted earlier on GBATemp (where most of these arguments originate from, as well as where Team Xecuters defenders congegrate as they’re downvoted into oblivion on Reddit):
Here’s the thing: free (as in GPL free) source code isn’t the buffet you can eat from without giving anything back. You need to share your changes. That is how those licenses work. TX isn’t obeying them. Therefore, TX breaks copyright. Not obeying those licenses is therefore not only illegal in pretty much any modern country, it’s also highly disrespectful to anyone who wants to work on Free software.
Allow me a hypothetical scenario for you: let’s say you are a newbie dev, you are interested in making homebrew. Your first homebrew is gonna be GPL, you know there is tons of benefits and inherent trust and you can trust the scene not to use your work without properly following the license because open source and GPL are the norm.
Then you release your first alpha of the homebrew. People applaud you for your work, you get recognition and people are happy in general with what you did. You then eagerly decide to continue on it so you can make a stable release.
Suddenly, someone else, more experienced, comes along and sees your open source code and thinks “I’m gonna take that and improve on it”. And he does.
But then he releases his final version of your original work earlier than you, without the source code. That means he is in violation of the GPL license.
Now this becomes public knowledge and people start calling him out on his bullshit. However, for some reason, there is a large group of people saying “he did the final version first, I don’t care as long as I have it”.
Can you imagine how that must feel? Someone who is new to this kind of stuff would quit the scene, or maybe even open source programming as a whole.
Obviously in this case we are dealing with two groups of devs with both a decent amount of experience under their belt. But the base concept and message should hopefully be obvious, namely “saying you are okay with thievery is disrespectful to developers”.
Imagine a dev new to the scene reading this thread. I wouldn’t want to join the Switch scene if people don’t care for the time and effort I put into making things for other people and are willing to toss me out for the drop of a hat. Because that is the message you are sending. Your mentality drives away potential developers and possibly even existing ones. Driving away developers kills a scene. Look at the jailbreak community, they have barely any devs left and the community mainly consists of children at this point.
Moving on as this argument is so much bullshit and my response here really exemplifies it.
“They only want it FOSS because they want to steal TX’s backup loader”
“If SX OS consists mainly off other peoples work, then why doesn’t Atmosphere have all of it’s features yet?”
These two arguments are often made together, with the little side note that SX OS is proven by Heskin (yes I know I bring him up a lot, but mind you that people like SciresM, nwert, fincs and ihaveamac affirm the claims he makes, who are people who one by one hold pretty massive relevance to the scene) to primarily contain a modified version of Atmosphere’s loader code and an older build of nx-hbloader. Proof is listed below.
After stripping down all the obfuscation we can now say for sure that the SX OS is made of:
— Mike Heskin (@hexkyz) June 28, 2018
- Custom bootloader to display their main menu;
- Set of kernel + INI1/KIP1 patches to disable signature checking;
- Modified KIP1 Loader.
The "Loader" is the meat of the "OS", but it's nothing more than:
— Mike Heskin (@hexkyz) June 28, 2018
- An old build of nx-hbmenu;
- Atmosphère's loader code.
Backup loading is mostly achieved by parsing and decrypting XCI files and feeding them directly to the FS sysmodule (which has signature checks disabled).
(AMENDED NOTICE: Heskin confuses nx-hbmenu with nx-hbloader here, see my earlier argument.)
Firstly, let’s ignore point one, as this argument should not matter when it comes to copyright violations. Nintendo shutting down projects that have been in development for 9 years is cuntish sure and the desire to stifle a fans project so they can sell Samus Returns (their own remake) is annoying as hell, but legally speaking they are perfectly within their right. This isn’t a case for morality on the legal end of things. (note: me making the moral argument on the “violating the GPL” part does not by any means invalidate this claim, it just goes to show that Team Xecuter is both morally and legally in the wrong).
The second point specifically can be disproven by the fact that Team Xecuter only included two portions of custom work (or rather one, as the other is rather insignificant for what most people care for): The bootloader and the kernel patches. Now while you could argue that “they did that original bit of work”, the bigger joke here is that Team Xecuter actually shot themselves in the foot here by using GPL code. You see, the way the GPL works is that if you use GPLed source code in another project, you actually have to put that code under the GPL as well. Even if it is as a library or just talks with it in some form that isn’t directly talking to the binary program.
(To adress obvious concerns here and stifle a large amount of eager people that want to make a couple of closed source/not GPL projects open source/GPL: there is a variant of the GPL that lets you use a GPLed library without having to make your code GPL as well. It’s called the LGPL and stands for Lesser GNU Public License. None of the aforementioned programs use the LGPL though. Just thought I’d clear that up.)
Oh and in case you try and argue that second argument with me, mind you that they didn’t just break the licenses for nx-hbloader and Atmosphere. They also broke the license for an unnamed crypto library which talks to their license servers. Once again, proof below.
Even the code for talking to their license server uses an open-source crypto library so, yes, there are multiple license violations here. However, none of us expected differently, to be honest.
— Mike Heskin (@hexkyz) June 28, 2018
And as to why this is relevant, their license code is called in all portions of their software, if I read Heskins next tweet properly.
As for the brick code, I was wrong. Not only it is more destructive than I originally thought (it tries to corrupt boot partitions too), but it's also deployed on *multiple* stages across the boot chain. It is also way more likely to be triggered on accident than expected.
— Mike Heskin (@hexkyz) June 28, 2018
Ah yeah… the brick code. Welp, this is the best segue I could manage, so let’s go to it.
Yes. SX OS contains bricking code. If you choose to load SX OS using another program, such as Hekate, a function will be triggered that locks your eMMC chip with the password “WANNA PLAY? :)” (or in the first incident in which this was reported by Heskin, with random data from the stack, but in this case the function was intentionally triggered).
First let’s get the obvious out of the way: if you include at any point in your program a function that when execute will damage someone’s device in a way that a regular user can’t easily recover from, you are already a cunt. This is just flat out malware, and using malware to combat piracy (irony that the piracy CFW uses one of the worst anti-piracy measures possible to prevent it from being pirated) should be considered grounds for being thrown into one of those old Victorian torture chambers, preferably with an executioner who really likes his job. But I’ll digress here, as there is a much bigger fish worth frying:
Namely that this is the same method of bricking (and the main argument for them being) used by the Gateway team. Now for those of you either new to Nintendo console hacking or just want a refresher on things: Gateway was a team that made a flashcard for the Nintendo 3DS back when the scene was an all-time low. The flashcard primarily permitted users to load .3ds files, which was the extension used for scene dumps of 3DS cards. They faded into obscurity as more normal (read: not paid CFW sold by greedy fucks) CFW took their place, yet still maintained a position as being cheap beginner bait and allowing users to pirate during a time where userland homebrew was the best that was available.
That said, Gateways entire existence always had the one notorious part attached to it: They would cause a brick on any 3DS system running their software if the Gateway card that was used would have been determined to be a fraudelent card. Gateways manufacturers being primarily China based and their dev team being rather unknown as to who (and where) they are, this meant that they could escape the more legal ramifications of intentionally bricking a 300$ console because some cheap fuck chose to rip them off wholesale and a stupid user baiting into the clones.
Now we fast forward to about a year ago. At this time, in the 3DS scene, Gateway is pretty much irrelevant, and the second best solution for CFW that has come out of the scene is arm9loaderhax. Gateway is mostly laughed at and smeared for being cheap beginner bait, with their eventual announcement that they were working on ‘something’ being met with mockery and the Gatewait meme (look it up, you’ll find some interesting stuff).
Cue them releasing “arm9loaderhax Gateway Fast Boot”, a wholesale ripoff of arm9loaderhax, with all the safety checks added by the main guide for arm9loaderhax ripped out, the new3DS unbricking part removed (meaning it can’t be installed on the new3DS without guaranteed bricking it) and in general more of a hazard than a boon to any devices. As well as locking users to the Gateway CFW, presumably in an ill-fated attempt to gather customer loyalty by forcing it upon them. Most of this was discovered by d0k3, who chose to post about it on a GBATemp blog. Well worth the read. The subsequent negative coverage gathered from pretty much anyone considered relevant and the scene at large caused Gateway to not just be mocked, but despised for taking free code and using it as their own while presumably also dropping any and all code deemed ‘too difficult for the enduser’ (which is a presumed reason as to why the new3DS bricking code was ripped out or the various safety checks). Obviously that last portion about dropping code is speculation on my end, but it wouldn’t suprise me.
Oh and the aforementioned bricking code remained as well. Just in case you thought they weren’t quite the equivalent of Satan in the 3DS hacking community.
Now in case you are drowning a bit and lost track of why this matters: The current status is that team Gateway has a bad rep for fucking with consoles inappropriatley and they aren’t liked at all.
Cue Team Xecuter being bought out by some unknown party, and conveniently, they start work on the next Nintendo console. While suspicions of them being GW have been around for a bit, by far the most solid proof available lies in SX OS’s way of bricking people that try to RE it: by using a password to lock the eMMC chip, which is identical to the method that was used for Gateway to brick 3DS devices.
There’s some other accusations to make here as well towards Gateway for maybe grounded, maybe not grounded cases about doxxing some people, but I’ll not go into that as I haven’t seen much direct proof here (aside from Maxconsole being owned by someone with close dealings to Gateway who linked the aforementiond doxx on Maxconsole for quite some time until an internet mob forced him to take the links down, but I consider that circumstantial at best), nor will I directly accuse them in this blog of doing so.
In addition, the aforementioned owner of Maxconsole is further potential proof of Team Xecuter being Gateway under a not as smeared yet name. This person in particular practically acts as their PR representative on GBATemp, where again the defenders of Team Xecuter congegrate, posting new updates to SX OS on there (this person has some more stuff attached to him as well, but it’s unrelated to the Switch scene and mostly refers to the PlayStation scene, refer to my query to twitter user GregoryRasputin here for more, ergo why I don’t bring this up here beyond this quick mention).
Again, most of those last two are circumstantial, yet rather damning evidence if true, and at the very least should make anyone suspicious of who currently is inside Team Xecuter.
And finally, the final nail in the coffin, I will cite you the following argument, which lies at the base for anyone who still defends Team Xecuter:
“I don’t care, I got what I wanted! Suck it!”
Congratulations. You totally did. Never mind the fact that you knowingly now support a group that only cares about money, doesn’t give a flying shit about it’s users, has a very likely shady history, is actively harmful to the lifeblood of the scene with it’s visible practice to treating other developers. Congratulations that you are willing to stick your neck out for people like that. I hope you are proud of yourself as a human being. Also, while we’re on it, could you kindly never touch anything I work on ever again? I don’t want someone with your mentality in my life and quite frankly I don’t need someone like you either.
–
Notice: In the follow up days while I was thinking about this stuff before I put this into writing, Team Xecuter released an update to SX OS, which removed the bricking code, referring to it as a “challenge for aspiring hackers” (as well as calling anyone out on their bullshit ‘fake news’, in case we didn’t need some political addendum to this entire debacle). In my eyes that is trying to sugarcoat an awful practice, and the rough equivalent of saying “we broke into your house, shot your dog with a gun, but look, we only did that to see if your security was up to notch as you are a security expert in training, so you know, you can forgive us right?”. This comes with the added ‘features’ of layeredFS (whoopie, more stolen Atmosphere code), a battery fix (stolen from CTCaers Hekate fork) and eShop NSP file support (equivalent to CIA files on the 3DS, and this part is actually stolen from Nintendo’s own DevMenu, which if any of the previous portions didn’t lead to scorn, this actually could result in a legal battle from Nintendo as the DevMenu is under their strict developer Non-Disclosure Agreement) and the undocumented removal of the nx-hbloader easter egg, presumably hoping that this retroactively hides their use of nx-hbloader (it doesn’t).
Source here for all but that last point is this tweet by Heskin. I could link the same thing over and over, but that would lead to this paragraph becoming unreadable.
Oh and calling all their critics lazy fucks who only moan on social media. Yeah, that earns you sympathy.
Here’s a link to r/switchhacks reddit post on the matter.
In summary, I feel that this doesn’t invalidate my argument about the bricking code as well as the potential connections to Gateway and really just exemplifies of how this team doesn’t care about anyone but the money.
–
The aforementioned piece, more than any other article I’ve written represents my personal opinion and views, not of my employer, anyone involved with ReSwitched or any of the people I’ve quoted, talked about or mentioned in this article and so on and so forth.
I’m just someone who likes to code and cares about the homebrew scene because I like seeing awesome shit, and homebrew tends to invariably produce awesome shit. Simple as that.
Oh and this isn’t over. If anything new happens, I’ll try to post a follow up to this when stuff happens.
This has been noirscape, signing off.
–
Updates:
- Edited portion about ISC license. Turns out it’s just a flat out All rights reserved license. Credit here to astronautlevel for bringing this to my attention.
- Edited reference to fusee-gelee to ShofEL2, turns out that the exploit is called ShofEL2, not fusee-gelee. Credit here to Phoenix for noting my mistake.
–
List of useful references about the switch scene/stuff I couldn’t cover due to being out of scope/irrelevant:
- Heskins blogpost about TX. This goes into quite a few arguments from his own end as to why he does all this.
- Heskins twitter
- nwerts twitter. Quoted a lot less here simply due to not having as much tweets about Team Xecuter, he affirms many of the claims made agains Xecuter.
- SciresMs twitter. A good place to stay up-to-date with the progress of the Switch scene and more concretely, ReSwitched.
- Reswitcheds team twitter. Not as active as the other feeds, it’s following list contains a pretty good amount of people to follow if you like staying up-to-date with the Switch scene, plus it’s pinned tweet is an invite to the ReSwitched discord.
- Failoverfl0w. The other active, not fuckheaded, team, don’t know as much about them, but still worth a bump here.