Skip to content

Instantly share code, notes, and snippets.

SciresM

Block or report user

Report or block SciresM

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@SciresM
SciresM / nx_bootloader_uncompress.c
Last active Jun 17, 2019
Quick and dirty NX bootloader uncompression code for 6.2.0+
View nx_bootloader_uncompress.c
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
typedef uint32_t u32;
typedef uint8_t u8;
View bea.py
from struct import unpack as up
import sys, os, hashlib
import zstandard as zstd
dirs, files = None, None
def read_at(fp, off, len):
fp.seek(off)
return fp.read(len)
@SciresM
SciresM / CMAC.py
Last active Aug 6, 2019
Script to decrypt/re-encrypt (resign) Splatoon 2 save files.
View CMAC.py
# -*- coding: utf-8 -*-
#
# Hash/CMAC.py - Implements the CMAC algorithm
#
# ===================================================================
# The contents of this file are dedicated to the public domain. To
# the extent that dedication to the public domain is not available,
# everyone is granted a worldwide, perpetual, royalty-free,
# non-exclusive license to exercise all rights associated with the
# contents of this file for any purpose whatsoever.
@SciresM
SciresM / nisasyst.py
Last active Feb 23, 2019
Script for decrypting Splatoon 2 resources.
View nisasyst.py
import sys, os, struct, zlib
from Crypto.Cipher import AES
def u32(x):
return (x & 0xFFFFFFFF)
KEY_MATERIAL = 'e413645fa69cafe34a76192843e48cbd691d1f9fba87e8a23d40e02ce13b0d534d10301576f31bc70b763a60cf07149cfca50e2a6b3955b98f26ca84a5844a8aeca7318f8d7dba406af4e45c4806fa4d7b736d51cceaaf0e96f657bb3a8af9b175d51b9bddc1ed475677260f33c41ddbc1ee30b46c4df1b24a25cf7cb6019794'
class sead_rand:
'''Implements Splatoon 2's mersenne random generator.'''
View test_pid_patch.c
#include <string.h>
#include <stdio.h>
#include <switch.h>
static Handle g_port;
static uint64_t g_procID;
#define MODULE_HBL 111
View 5.x kernel SMC log + arb read patch
0xbc100: ; save start
mov x19, x0
mov x0, #0xC0000000
adrp x1, #0x15000
ldr x1, [x1, #0x730]
ldr x1, [x1]
add x0, x1, x0
adrp x1, #0x15000
ldr x1, [x1, #0x668]
ldr x1, [x1]
@SciresM
SciresM / quest_enc_set.py
Created May 30, 2018
Encounter Set printer for Pokemon Quest
View quest_enc_set.py
def print_set(p):
ind_lvl = 0
def printf(s, lvl = ind_lvl):
s = '%s%s' % (' ' * ind_lvl, s)
print s
try:
outf.write('%s\n' % s)
except:
pass
printf('Pack: %s' % p)
View boot2_5x.json
{
"name" : "boot2.ProdBoot",
"title_id" : "0x0100000000000008",
"title_id_range_min" : "0x0100000000000008",
"title_id_range_max" : "0x0100000000000008",
"main_thread_stack_size" : "0x4000",
"main_thread_priority" : 48,
"default_cpu_id" : 3,
"process_category" : 0,
"pool_partition" : 2,
View fusee_bct0_spec.txt
There'll be two stages in the core fusee payload, loading configuration from a shared ini file (https://en.wikipedia.org/wiki/INI_file).
- Stage 1 will be the actual exploit payload, and it will be fairly minimal:
- It will initialize DRAM, and initialize the display.
- It will load a filename and address for stage 2, loading stage 2 into DRAM and jumping to it.
- Stage 2 will be a "loader" -- it will be responsible for loading everything else into place prior to boot.
- Stage 2 will be able to load arbitrarily many files to arbitrary load addresses off of the SD card.
- Stage 2 will get a list of files to load from a "loadlist" key, with loadables delimited by "|" in the value.
- For each loadable, a _path and _addr key will be used to identify a filename and where to load it to.
@SciresM
SciresM / Loader_1_0_0.idc
Created Apr 25, 2018
IDCs for the Nintendo Switch's "Loader" sysmodule.
View Loader_1_0_0.idc
This file has been truncated, but you can view the full file.
#define UNLOADED_FILE 1
#include <idc.idc>
static main(void)
{
// set 'loading idc file' mode
set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
GenInfo(); // various settings
Segments(); // segmentation
You can’t perform that action at this time.