
CTCaer / switch_romfs.py
Created July 19, 2017 17:23 — forked from SciresM/switch_romfs.py
Switch RomFS (IStorage) -> Files
from struct import unpack as up
import sys, os
# Module-level state, both unset at import time.
# NOTE(review): presumably filled in later by the parsing code, which is not shown here.
dirs = None
files = None
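def read_at(fp, off, len):
    """Return up to *len* bytes read from *fp* starting at absolute offset *off*.

    The file position is moved as a side effect. ``fp.read`` may return fewer
    bytes than requested when the range runs past end of file, so callers
    that parse untrusted images should check the returned length before
    unpacking fixed-size fields from it.
    """
    # ``len`` shadows the builtin inside this function; the parameter name is
    # kept so existing keyword callers keep working.
    fp.seek(off)
    return fp.read(len)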
def read_u8(fp, off):
CTCaer / hfs0.py
Created July 19, 2017 17:23 — forked from SciresM/hfs0.py
from struct import unpack as up
import sys, os, hashlib
# Module-level state, both unset at import time.
# NOTE(review): presumably filled in later by the parsing code, which is not shown here.
dirs = None
files = None
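def read_at(fp, off, len):
    """Return up to *len* bytes read from *fp* starting at absolute offset *off*.

    The file position is moved as a side effect. ``fp.read`` may return fewer
    bytes than requested when the range runs past end of file, so callers
    that hash or unpack the result should check its length first when the
    input image is untrusted.
    """
    # ``len`` shadows the builtin inside this function; the parameter name is
    # kept so existing keyword callers keep working.
    fp.seek(off)
    return fp.read(len)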
def read_u8(fp, off):
import binascii, sys, random, asn1
from fractions import gcd
def extended_gcd(aa, bb):
lastremainder, remainder = abs(aa), abs(bb)
x, lastx, y, lasty = 0, 1, 1, 0
while remainder:
lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
x, lastx = lastx - quotient*x, x
y, lasty = lasty - quotient*y, y
CTCaer / brcm_flash.c
Created September 22, 2017 02:08 — forked from shuffle2/brcm_flash.c
joycon command handling
unsigned __int8 *__fastcall process_cmd(struct_a1 *a1, int a2, int a3, unsigned __int8 *pkt, signed int pkt_len)
{
unsigned __int8 *pkt_; // r0@1 MAPDST
int v10; // r0@2
int v11; // r12@8
unsigned __int8 v12; // r0@13
signed int b0; // r0@15
int v14; // r0@38
unsigned __int8 v15; // r1@46
unsigned int v16; // r2@51
OTP PatchRAM. (SPI @0x0)
01[raw]: F000006208C05D89
FD[raw]: FFFFFFFF
40[raw]: 123456B9E698 // BD_ADDR
// Overwritten by DS# PatchRAM
0A: D03DC: D03E4 b'AA55F00F68E597D2' // Magic
// Overwritten by DS# PatchRAM
0A: D0200: D030C b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
// Overwritten by DS# PatchRAM
CTCaer / fuses.c
Created January 10, 2018 07:53 — forked from shuffle2/fuses.c
dump + decode tegra t210 ipatches
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
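/* Element count of a true array. The argument is parenthesized before it is
 * dereferenced so that an expression argument is treated as a whole. Passing
 * a pointer (for example an array parameter that has decayed) compiles but
 * yields a wrong count, so use this only on objects declared as arrays. */
#define ARRAYSIZE(x) (sizeof(x) / sizeof(*(x)))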
from struct import unpack as up, pack as pk
from binascii import unhexlify as uhx, hexlify as hx
from Crypto.Cipher import AES
from Crypto.Util import Counter
import sys
# Key placeholder, given as a hex string and intentionally left empty here.
# NOTE(review): presumably the AES key for the cipher imported above — confirm.
# Fill it in locally and keep the filled-in copy out of shared repositories.
pk11key = uhx('') # Insert key here.
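def string_to_ctr(ctr):
    """Build a 128-bit ``Crypto.Util.Counter`` whose initial value is *ctr*.

    *ctr* is a byte string; it is hex-encoded and parsed as a big-endian
    integer, and that integer seeds the counter.
    """
    # NOTE(review): presumably ctr is the 16-byte counter block read from the
    # encrypted image — confirm against the caller, which is not shown here.
    return Counter.new(128, initial_value=int(hx(ctr), 16))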
CTCaer / README.md
Created March 14, 2018 08:56 — forked from roblabla/HABILITIES.md
We believe in your habilities.

Muh Switch Keys

So you want to decrypt Switch content? Well, the good news is that all the tools required to do that are written up! The great news is, since this is crypto we're talking about, you'll have to find the keys. Yourself. Like it's Easter.

So here you can find a template of the $HOME/.switch/prod.keys file that hactool uses to decrypt content. It contains the SHA256 hash and the location of each key and seed, so you can find them yourselves.

Note that all the seeds (the keys that end with _source) are used along with the master_key_## to derive an actual key. If you have somehow obtained the key without the seed, you can rename xxx_source to xxx_## (where ## is the master key number) and put your key there.

How the heck do I obtain dem keys?

CTCaer / libusb.patch
Created April 23, 2018 17:37 — forked from nwert/libusb.patch
nxboot
diff --git a/libusb/os/linux_usbfs.h b/libusb/os/linux_usbfs.h
index 2449632..5ef03ba 100644
--- a/libusb/os/linux_usbfs.h
+++ b/libusb/os/linux_usbfs.h
@@ -82,7 +82,7 @@ struct usbfs_iso_packet_desc {
};
#define MAX_BULK_BUFFER_LENGTH 16384
-#define MAX_CTRL_BUFFER_LENGTH 4096
+#define MAX_CTRL_BUFFER_LENGTH 0xFFFF
Legend:
WRI: Sent packet
RCV: Received packet
MCU: Received x31 packet. The first 49 bytes are truncated.
WRI: subcmd x22 - Set MCU state (suspend/resume)
RCV: 21 eb800000006a6878bed87500 8022 00000000000000000000000000000000000000000000000000000000000000000000
WRI: subcmd x21 - Write MCU
RCV: 21 f4800000006c5878bec87500 a021 0100ff00030005060000000000000000000000000000000000000000000000000062
WRI: subcmd x03 - Change input report format