Skip to content

Instantly share code, notes, and snippets.

Nintendo Switch RSA-PKCS#1 Public Key Recovery

This is a short writeup of a fun (but ultimately pretty useless) attack I implemented on the Nintendo Switch a few months ago resulting in the recovery of some otherwise unobtainable RSA public keys. Since public keys aren't private keys, this is pretty useless, apart from letting us validate some signatures on PC. Even so, the attack is a pretty cool one, so I thought I'd write it up.

Every Switch gamecart has a unique certificate (called its "CERT"), storing an RSA signature followed by some kind of unknown but unique encrypted data. I was trying to reverse how these certificates work, and the obvious first step was to try to see how they were validated. However, when I tried looking through the FileSystem (FS) module, which should be responsible for validating these certificates, I found no references to the format at all. The "CERT" magic number was nowhere to be seen, and I couldn't find an RSA modulus that validated the signatures I had. This was in

curl -H "Content-Type:application/json" -X POST http://localhost:5984/$DB/_view_cleanup
curl -H "Content-Type:application/json" -X POST https://localhost:5984/$DB/_compact
curl -H "Content-Type:application/json" -X POST https://localhost:5984/$DB/_compact
function FindProxyForURL(url, host) {
return "SOCKS 192.168.1.4:1080";
}
@PitBeast
PitBeast / brctl_show.sh
Created May 13, 2020 07:21
brforward convertion
brctl_showmacs () {
cat /sys/class/net/$1/brforward > /tmp/brforward ;
printf "port no\tmac addr\t\tis local?\tageing timer\n" ;
hexdump -v -e '5/1 "%02x:" /1 "%02x" /1 " %x" /1 " %x" 1/4 " %i" 1/4 "\n"' /tmp/brforward | awk '{ islocal = $3 ? "yes" : "no" ; printf "%3i\t%s\t%s\t\t%8.2f\n",$2,$1,islocal,$4/100 } ' ;
}
@PitBeast
PitBeast / gist:f1dc322bfcc2f011077980e989d32f53
Created March 23, 2018 04:38
Remove old IOS simulators
xcrun simctl delete unavailable
@PitBeast
PitBeast / gitlab-runner
Last active March 16, 2017 06:31
OpenSuse 12.1 gitlab-runner init script
#!/bin/sh
# For RedHat and cousins:
# chkconfig: - 99 01
# description: GitLab Runner
# processname: /usr/local/bin/gitlab-ci-multi-runner
### BEGIN INIT INFO
# Provides: /usr/local/bin/gitlab-ci-multi-runner
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
function fastDateFactory() {
var DAYS_IN_YEAR = 365;
var DAYS_IN_LEAP_YEAR = 366;
var DAYS_IN_4_YEARS = DAYS_IN_LEAP_YEAR + DAYS_IN_YEAR * 3;
var DAYS_IN_OTHER_FIRST_4_YEARS = DAYS_IN_YEAR * 4;
var DAYS_IN_FIRST_100_YEARS = DAYS_IN_4_YEARS * 25;
var DAYS_IN_NEXT_100_YEARS = DAYS_IN_OTHER_FIRST_4_YEARS + DAYS_IN_4_YEARS * 24;
var DAYS_IN_400_YEARS = DAYS_IN_FIRST_100_YEARS + DAYS_IN_NEXT_100_YEARS * 3;
@PitBeast
PitBeast / portal.js
Last active August 29, 2015 14:08
Directives for show part of some template in other template
'use strict';
angular
.module('portal', [''])
.directive('portalIn', [function() {
return {
scope: {
key: '@',
portalContainer: '='
},
//тесты для текущего(твоего) варианта директивы
describe('statsHeight', function() {
var $compile,
$rootScope,
$timeout;
beforeEach(function () {
angular.mock.module('gby.common');
});