From the earliest home computers to devices such as the NES, Genesis/MegaDrive, PlayStation and XBoX, all have experienced piracy problems to a greater or lesser extent.
It’s something that manufacturers and developers alike have been keen to stamp out. Interestingly, however, Nintendo itself has been contributing to 3DS piracy for some time now.
The problem began with the eShop, Nintendo’s digital distribution service for the 3DS, Wii U, and more recently, Switch. Among other things, the eShop allows users to download games, demos and other applications. However, when the 3DS was hacked, the store’s servers could be exploited to allow anyone to download games, whether they had previously bought them or not.
Enter ‘Freeshop‘, an open-source homebrew eShop alternative for the Nintendo 3DS which allows users to browse and install titles “they own” utilizing title keys/tickets. While this isn’t much a problem in its own right, Freeshop users (if they’re that way inclined) are able to exploit a weakness in the Nintendo authentication system.
After users have bought content, they’re able to use the eShop to re-download that content when required. This is made possible by the eShop keeping records of who bought what while placing the necessary credentials (a ticket/key) on the user’s machine. Freeshop, however, only looks for tickets on a user’s machine, which is a huge problem when tickets are freely available online for anyone to install.
The bottom line is that Freeshop (and other similar tools) allowed users to fool Nintendo’s system into believing that they had already purchased games, which then allowed them to download perfect copies directly from Nintendo’s own servers. In basic terms, Nintendo has been fueling piracy of its own games, and for some time now.
Yesterday, however, all that came to an end. On Twitter, ‘Matt’ (aka CheatFreak47) revealed that Nintendo had finally pulled the plug on the free-for-all.
Nintendo has enabled download authentication essentially every 3DS title on their CDN. Y'all know what this means… pic.twitter.com/Jhhf9PFrZl
— Matt (@Cheatfreak47) August 22, 2018
“For those seeking some elaboration, at around 1AM EST or so, Nintendo updated over 2800 3DS software titles on their CDN to require a valid ticket be received to download. Otherwise, the server will return a 403 (Forbidden) error when requesting downloads,” he added.
In a follow-up discussion on Reddit, CheatFreak47 put yet more meat on the bones.
“The system they had in place relied on the contents on the eShop server being encrypted with a key that they would send only to consoles that had purchased the software – however, once the 3DS was completely hacked, this system made widespread piracy easy, since people would simply share the keys,” he said.
“With this new download authentication system, once you have been issued a ticket, your console must send the eShop server an encrypted copy of it to have it validated before you are authenticated to download.”
Quite why it has taken Nintendo so long to plug this gaping hole isn’t clear. The gaming giant has been aware of the problem for years and in 2016 took direct action against Freeshop by targeting its Github repository with a DMCA takedown.
“The FreeShop application provided at infringes Nintendo’s copyrights, because the application circumvents Nintendo’s technological protection measures in violation of the Digital Millennium Copyright Act,” the original notice read.
The developer of Freeshop, known as TheCruel, wasn’t impressed with the takedown, noting that his software would only infringe if users chose to introduce their own tickets/keys.
“Fuck Nintendo,” he wrote.
“[Freeshop] only circumvents protections if people utilize title keys they did not purchase or obtain legally. If people illegally obtain the password/PINs of a person’s bank account, you can’t criticize the banking website for facilitating theft.”
Finally, while Nintendo has now fixed its own issues, that doesn’t mean that 3DS piracy has been brought to an end. The titles are readily available from many other sources, albeit with a slightly more difficult installation process.