Skip to content

Instantly share code, notes, and snippets.

SciresM

Block or report user

Report or block SciresM

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@SciresM
SciresM / CMAC.py
Last active Aug 6, 2019
Script to decrypt/re-encrypt (resign) Splatoon 2 save files.
View CMAC.py
# -*- coding: utf-8 -*-
#
# Hash/CMAC.py - Implements the CMAC algorithm
#
# ===================================================================
# The contents of this file are dedicated to the public domain. To
# the extent that dedication to the public domain is not available,
# everyone is granted a worldwide, perpetual, royalty-free,
# non-exclusive license to exercise all rights associated with the
# contents of this file for any purpose whatsoever.
@SciresM
SciresM / switch_fs.py
Created Mar 9, 2017
Parser for switch filesystem data.
View switch_fs.py
from struct import unpack as up
import sys, os
dirs, files = None, None
def read_at(fp, off, len):
fp.seek(off)
return fp.read(len)
def read_u8(fp, off):
@SciresM
SciresM / ACNL.cs
Created May 7, 2017
Encryption/Decryption of Animal Crossing: New Leaf's Bell/Money values.
View ACNL.cs
private static uint DecryptACNLMoney(ulong money)
{
// Unpack 64-bit value into (u32, u16, u8, u8) values.
var enc = (uint)(money & 0xFFFFFFFF);
var adjust = (ushort)((money >> 32) & 0xFFFF);
var shift_val = (byte)((money >> 48) & 0xFF);
var chk = (byte)((money >> 56) & 0xFF);
// Validate 8-bit checksum
if ((((enc >> 0) + (enc >> 8) + (enc >> 16) + (enc >> 24) + 0xBA) & 0xFF) != chk) return 0;
View tz_810.idc
//
// This file should be used in the following way:
// - reload executable into IDA with using switch -c
// - use File, Load IDC file and load this file.
//
// NOTE: This file doesn't contain all information from the database.
//
#define UNLOADED_FILE 1
#include <idc.idc>
@SciresM
SciresM / nx_bootloader_uncompress.c
Last active Jun 17, 2019
Quick and dirty NX bootloader uncompression code for 6.2.0+
View nx_bootloader_uncompress.c
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
typedef uint32_t u32;
typedef uint8_t u8;
@SciresM
SciresM / Signatures.txt
Last active Jun 4, 2019
"Perfect" sighax signatures for every Boot9 modulus.
View Signatures.txt
Retail NAND FIRM:
Perfect Signature:
B6724531C448657A2A2EE306457E350A10D544B42859B0E5B0BED27534CCCC2A4D47EDEA60A7DD99939950A6357B1E35DFC7FAC773B7E12E7C1481234AF141B31CF08E9F62293AA6BAAE246C15095F8B78402A684D852C680549FA5B3F14D9E838A2FB9C09A15ABB40DCA25E40A3DDC1F58E79CEC901974363A946E99B4346E8A372B6CD55A707E1EAB9BEC0200B5BA0B661236A8708D704517F43C6C38EE9560111E1405E5E8ED356C49C4FF6823D1219AFAEEB3DF3C36B62BBA88FC15BA8648F9333FD9FC092B8146C3D908F73155D48BE89D72612E18E4AA8EB9B7FD2A5F7328C4ECBFB0083833CBD5C983A25CEB8B941CC68EB017CE87F5D793ACA09ACF7
Exponentiated Message:
0002B31331C710412333A587890F9CF0B6A86E71C8A78F96B76082903B3E54EA9AB935978BBF2493BB829E9A5A6060B0C7811881176BCF9FE8B1C5C5E0A95327DB8B52EC178A884AD9CF28DB8BBF2922C05FD034AC81BD231AEB0CBEF6F7DE6F3A30812B9F9A83BF33251891BFA18FA38A64C6FF5F77DBE11C3780C23EA9F6D00F9C01D6FC8A878591D36C4F64ACA6B8D11BBEB21476103C6E86FF2196D465BA4DB78F81F1D3BCCA186BDDD56739A12DD36122F3F5B3DD518DDAC4FA29395EA4CD9DFD80AF8A399990F4FDD3CD6B07EC2122437CCFC3B62B1D1493A7DBB442003
View public_keys.md

Nintendo Switch RSA-PKCS#1 Public Key Recovery

This is a short writeup of a fun (but ultimately pretty useless) attack I implemented on the Nintendo Switch a few months ago resulting in the recovery of some otherwise unobtainable RSA public keys. Since public keys aren't private keys, this is pretty useless, apart from letting us validate some signatures on PC. Even so, the attack is a pretty cool one, so I thought I'd write it up.

Every Switch gamecart has a unique certificate (called its "CERT"), storing an RSA signature followed by some kind of unknown but unique encrypted data. I was trying to reverse how these certificates work, and the obvious first step was to try to see how they were validated. However, when I tried looking through the FileSystem (FS) module, which should be responsible for validating these certificates, I found no references to the format at all. The "CERT" magic number was nowhere to be seen, and I couldn't find an RSA modulus that validated the signatures I had. This was in

View Sighax.md

This is being hosted here, until the reddit post I made gets approved.

I saw, in the recent reddit thread about sighax, a lot of information being posted that's factually incorrect. I'd like to go ahead and clarify how sighax works, and how it's different from arm9loaderhax, while also clearing up some misconceptions I'm seeing (I really dislike misinformation).

What is sighax?

Sighax is an exploit taking advantage of a flaw in the arm9 bootrom, causing the signatures (which those of you less technically oriented may think of as "proofs of authenticity" that normally only Nintendo can generate) for arbitrary firmwares to be read as valid. On a normal boot, if one modifies the header for the firmware partition stored in NAND, the signatur

View tz_800.idc
//
// This file should be used in the following way:
// - reload executable into IDA with using switch -c
// - use File, Load IDC file and load this file.
//
// NOTE: This file doesn't contain all information from the database.
//
#define UNLOADED_FILE 1
#include <idc.idc>
@SciresM
SciresM / nisasyst.py
Last active Feb 23, 2019
Script for decrypting Splatoon 2 resources.
View nisasyst.py
import sys, os, struct, zlib
from Crypto.Cipher import AES
def u32(x):
return (x & 0xFFFFFFFF)
KEY_MATERIAL = 'e413645fa69cafe34a76192843e48cbd691d1f9fba87e8a23d40e02ce13b0d534d10301576f31bc70b763a60cf07149cfca50e2a6b3955b98f26ca84a5844a8aeca7318f8d7dba406af4e45c4806fa4d7b736d51cceaaf0e96f657bb3a8af9b175d51b9bddc1ed475677260f33c41ddbc1ee30b46c4df1b24a25cf7cb6019794'
class sead_rand:
'''Implements Splatoon 2's mersenne random generator.'''
You can’t perform that action at this time.