Skip to content

Instantly share code, notes, and snippets.

SciresM

Block or report user

Report or block SciresM

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View tz_800.idc
//
// This file should be used in the following way:
// - reload executable into IDA with using switch -c
// - use File, Load IDC file and load this file.
//
// NOTE: This file doesn't contain all information from the database.
//
#define UNLOADED_FILE 1
#include <idc.idc>
View tz_701.idc
//
// This file should be used in the following way:
// - reload executable into IDA with using switch -c
// - use File, Load IDC file and load this file.
//
// NOTE: This file doesn't contain all information from the database.
//
#define UNLOADED_FILE 1
#include <idc.idc>
View tz_700.idc
//
// This file should be used in the following way:
// - reload executable into IDA with using switch -c
// - use File, Load IDC file and load this file.
//
// NOTE: This file doesn't contain all information from the database.
//
#define UNLOADED_FILE 1
#include <idc.idc>
View kernel_writeup.md

The following is a write-up of how I initially achieved kernel code execution on the Nintendo Switch, very much inspired by hexkyz's write-ups. The work discussed was completed over the course of a single conversation between hthh and I during the evening of November 21st, 2017. A number of snippets are attached from that conversation as inline links, in the hopes that they'll be interesting to readers.

Background information


I would recommend one read hexkyz's recent write-up on how the switch was broken into via GPU DMA attacks. It's a great read!

In particular, he describes:

Additionally, the kernel itself would start allocating memory outside of the carveout region
@SciresM
SciresM / nx_bootloader_uncompress.c
Last active Jan 15, 2019
Quick and dirty NX bootloader uncompression code for 6.2.0+
View nx_bootloader_uncompress.c
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
typedef uint32_t u32;
typedef uint8_t u8;
View bea.py
from struct import unpack as up
import sys, os, hashlib
import zstandard as zstd
dirs, files = None, None
def read_at(fp, off, len):
fp.seek(off)
return fp.read(len)
@SciresM
SciresM / CMAC.py
Last active Apr 18, 2019
Script to decrypt/re-encrypt (resign) Splatoon 2 save files.
View CMAC.py
# -*- coding: utf-8 -*-
#
# Hash/CMAC.py - Implements the CMAC algorithm
#
# ===================================================================
# The contents of this file are dedicated to the public domain. To
# the extent that dedication to the public domain is not available,
# everyone is granted a worldwide, perpetual, royalty-free,
# non-exclusive license to exercise all rights associated with the
# contents of this file for any purpose whatsoever.
@SciresM
SciresM / nisasyst.py
Last active Feb 23, 2019
Script for decrypting Splatoon 2 resources.
View nisasyst.py
import sys, os, struct, zlib
from Crypto.Cipher import AES
def u32(x):
return (x & 0xFFFFFFFF)
KEY_MATERIAL = 'e413645fa69cafe34a76192843e48cbd691d1f9fba87e8a23d40e02ce13b0d534d10301576f31bc70b763a60cf07149cfca50e2a6b3955b98f26ca84a5844a8aeca7318f8d7dba406af4e45c4806fa4d7b736d51cceaaf0e96f657bb3a8af9b175d51b9bddc1ed475677260f33c41ddbc1ee30b46c4df1b24a25cf7cb6019794'
class sead_rand:
'''Implements Splatoon 2's mersenne random generator.'''
View test_pid_patch.c
#include <string.h>
#include <stdio.h>
#include <switch.h>
static Handle g_port;
static uint64_t g_procID;
#define MODULE_HBL 111
View 5.x kernel SMC log + arb read patch
0xbc100: ; save start
mov x19, x0
mov x0, #0xC0000000
adrp x1, #0x15000
ldr x1, [x1, #0x730]
ldr x1, [x1]
add x0, x1, x0
adrp x1, #0x15000
ldr x1, [x1, #0x668]
ldr x1, [x1]
You can’t perform that action at this time.