SciresM

Block or report user

Report or block SciresM

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View swsh_crash.log
Atmosphere Fatal Report (v1.0):
Result: 0x1BF802 (2002-3580)
Title ID: 010000000000000c
Process Name: bcat
Firmware: 9.0.0 (Atmosphere 0.9.4-master-c62c4846)
General Purpose Registers:
Start Address: 0000003551e00000
Stack Trace:
ReturnAddress[00]: 0000003551f79edc
@SciresM
SciresM / Signatures.txt
Last active Oct 23, 2019
"Perfect" sighax signatures for every Boot9 modulus.
View Signatures.txt
Retail NAND FIRM:
Perfect Signature:
Exponentiated Message:
0002B31331C710412333A587890F9CF0B6A86E71C8A78F96B76082903B3E54EA9AB935978BBF2493BB829E9A5A6060B0C7811881176BCF9FE8B1C5C5E0A95327DB8B52EC178A884AD9CF28DB8BBF2922C05FD034AC81BD231AEB0CBEF6F7DE6F3A30812B9F9A83BF33251891BFA18FA38A64C6FF5F77DBE11C3780C23EA9F6D00F9C01D6FC8A878591D36C4F64ACA6B8D11BBEB21476103C6E86FF2196D465BA4DB78F81F1D3BCCA186BDDD56739A12DD36122F3F5B3DD518DDAC4FA29395EA4CD9DFD80AF8A399990F4FDD3CD6B07EC2122437CCFC3B62B1D1493A7DBB442003
View aes128.py
# Pure python AES128 implementation
# SciresM, 2017
from struct import unpack as up, pack as pk
def sxor(s1, s2):
'''Xors two strings.'''
assert(len(s1) == len(s2))
return ''.join([chr(ord(x) ^ ord(y)) for x,y in zip(s1, s2)])
class AESCBC:
View kernel_writeup.md

The following is a write-up of how I initially achieved kernel code execution on the Nintendo Switch, very much inspired by hexkyz's write-ups. The work discussed was completed over the course of a single conversation between hthh and me during the evening of November 21st, 2017. A number of snippets are attached from that conversation as inline links, in the hope that they'll be interesting to readers.

Background information


I would recommend one read hexkyz's recent write-up on how the switch was broken into via GPU DMA attacks. It's a great read!

In particular, he describes:

Additionally, the kernel itself would start allocating memory outside of the carveout region
@SciresM
SciresM / switch_romfs.py
Created Jul 19, 2017
Switch RomFS (IStorage) -> Files
View switch_romfs.py
from struct import unpack as up
import sys, os
dirs, files = None, None
def read_at(fp, off, len):
fp.seek(off)
return fp.read(len)
def read_u8(fp, off):
    # Read a single unsigned byte at the given offset.
    return up('<B', read_at(fp, off, 1))[0]
@SciresM
SciresM / creport_901.idc
Created Oct 3, 2019
Crash Report system module IDC for 9.0.1
View creport_901.idc
// This file should be used in the following way:
// - reload executable into IDA with using switch -c
// - use File, Load IDC file and load this file.
//
// NOTE: This file doesn't contain all information from the database.
//
#define UNLOADED_FILE 1
#include <idc.idc>
@SciresM
SciresM / Loader_1_0_0.idc
Created Apr 25, 2018
IDCs for the Nintendo Switch's "Loader" sysmodule.
View Loader_1_0_0.idc
#define UNLOADED_FILE 1
#include <idc.idc>
static main(void)
{
// set 'loading idc file' mode
set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
GenInfo(); // various settings
Segments(); // segmentation
@SciresM
SciresM / __patcher.py
Last active Sep 15, 2019
quick and dirty pokemon masters patcher
View __patcher.py
from struct import unpack as up, pack as pk
import arm64, os, sys
TEXT_START_OFFSET = 0x507300
TEXT_END_OFFSET = 0x32FEBF0
RWDATA_START = 0x3A9F000
ENCTABLE_START = 0x3F2C238
ENCTABLE_END = 0x3F957B8
View tz_900.idc
#define UNLOADED_FILE 1
#include <idc.idc>
static main(void)
{
// set 'loading idc file' mode
set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
GenInfo(); // various settings
Segments(); // segmentation
Enums(); // enumerations
@SciresM
SciresM / KernelLdr.idc
Created Sep 10, 2019
9.0.0 KernelLoader IDA database
View KernelLdr.idc
#define UNLOADED_FILE 1
#include <idc.idc>
static main(void)
{
// set 'loading idc file' mode
set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
GenInfo(); // various settings
Segments(); // segmentation
Enums(); // enumerations