
import binascii, sys, random, asn1  # asn1 is the third-party 'asn1' package
from math import gcd  # fractions.gcd was removed in Python 3.9; math.gcd is the replacement


def extended_gcd(aa, bb):
    """Extended Euclid: returns (g, x, y) with aa*x + bb*y == g == gcd(aa, bb)."""
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    # Restore the signs the abs() calls above discarded.
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)
@hthh
hthh / a-diff.py
Last active March 10, 2024 23:47
Switch IPC changes
from data1 import data1
from data2 import data2
from data3 import data3
from data4 import data4
from data500 import data500
from data600 import data600
from data610 import data610
from data700 import data700
all_data = (data1, data2, data3, data4, data500, data600, data610, data700)

Nintendo Switch RSA-PKCS#1 Public Key Recovery

This is a short writeup of a fun (but ultimately not very useful) attack I implemented on the Nintendo Switch a few months ago, resulting in the recovery of some otherwise unobtainable RSA public keys. Since public keys aren't private keys, this is of limited use, apart from letting us validate some signatures on a PC. Even so, the attack is a pretty cool one, so I thought I'd write it up.

Every Switch gamecart has a unique certificate (called its "CERT"), storing an RSA signature followed by some kind of unknown but unique encrypted data. I was trying to reverse how these certificates work, and the obvious first step was to try to see how they were validated. However, when I tried looking through the FileSystem (FS) module, which should be responsible for validating these certificates, I found no references to the format at all. The "CERT" magic number was nowhere to be seen, and I couldn't find an RSA modulus that validated the signatures I had. This was in
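The recovery the writeup describes works because every PKCS#1 v1.5 signature s on a known message satisfies s^e - EM ≡ 0 (mod N), so with two or more signatures under the same unknown key, gcd(s_1^e - EM_1, s_2^e - EM_2, ...) gives back N (times a small cofactor that trial division strips). The following is an added, self-contained demonstration, not hthh's script: it generates a toy 512-bit key with e=17 (real keys use e=65537, where s^e is tens of millions of bits long and the gcd is a slow one-off job), signs three constructed messages with EMSA-PKCS1-v1_5/SHA-256, and recovers the modulus from nothing but the signatures and the messages.

```python
import hashlib
import math
import random

# Deterministic RNG so the example reproduces; the seed is arbitrary.
_rng = random.Random(1337)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; fine for a demo key, not for generating real ones."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        # Top two bits set so p*q is exactly 2*bits long; low bit set so it is odd.
        cand = _rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa_key(bits=512, e=17):
    """Toy RSA key. e=17 keeps s**e small enough that recovery runs in milliseconds."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message)), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(message, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa_pkcs1_v15(message, k)


def recover_modulus(signed, e, small_prime_bound=10000):
    """Recover N from (message, signature) pairs and the public exponent.
    Each s_i**e - EM_i equals k_i * N, so the gcd over the pairs is N * gcd(k_i);
    the leftover cofactor is small with overwhelming probability, so trial-divide it away."""
    k = len(signed[0][1])
    g = 0
    for message, sig in signed:
        s = int.from_bytes(sig, "big")
        m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
        g = math.gcd(g, abs(pow(s, e) - m))
    for p in range(2, small_prime_bound):
        while g % p == 0:
            g //= p
    return g


def demo(e=17):
    """Returns (modulus recovered exactly?, recovered modulus verifies every signature?)."""
    n, e, d = gen_rsa_key(512, e)
    msgs = [b"constructed CERT body #%d" % i for i in range(3)]  # constructed sample inputs
    signed = [(m, sign(m, n, d)) for m in msgs]
    recovered = recover_modulus(signed, e)
    return recovered == n, all(verify(m, s, recovered, e) for m, s in signed)


if __name__ == "__main__":
    print(demo())
```

Two signatures are enough in principle; a third makes the shared cofactor gcd(k_1, k_2, k_3) almost always 1 before trial division even starts. Note that you only get N: nothing here touches d, so the recovered key can verify signatures but not forge them, which is exactly the "useless but fun" caveat the writeup opens with.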

@roblabla
roblabla / HABILITIES.md
Last active March 14, 2024 03:24
We believe in your habilities.

Muh Switch Keys

So you want to decrypt Switch content? Well, the good news is that all the tools required to do that are written up! The great news is, since this is crypto we're talking about, you'll have to find the keys. Yourself. Like it's Easter.

So here you can find a template of the $HOME/.switch/prod.keys file that hactool uses to decrypt content. It lists the SHA256 hash and the location of every key and seed, so you can find them yourselves.

Note that all the seeds (the keys that end with _source) are used along with the master_key_## to derive an actual key. If you have somehow obtained the derived key without the seed, you can rename xxx_source to xxx_## (where ## is the master key number) and put your key there.

How the heck do I obtain dem keys?

@roblabla
roblabla / 00-KernelPatches.md
Last active April 3, 2019 05:58
Kernel Patches

This is a small repository that aims to document some fun kernel patches I have come up with while reverse engineering the kernel. They're meant to be useful for debugging various things.

You can easily apply those patches by getting the appropriate Kernel.bin, and applying them in a hex editor. The format is: offset origvalue => newvalue offset. They are made with radiff2. (If anyone knows of a better way to create binary patches, I'd love to hear it). Another way to test those patches is to use Hekate, which recently got kernel patching support (https://github.com/nwert/hekate/blob/master/ipl/pkg1.c#L71, thanks @CTCaer ^^)

I try to document what each patch does. If something is missing or wrong, feel free to leave a comment!

Have fun!
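Applying "offset origvalue => newvalue offset" lines by hand in a hex editor is error-prone, and the one check that matters is that the bytes at the offset really are the original value before you overwrite them (a Kernel.bin from a different firmware would otherwise be silently corrupted). The following is an added example, not part of the gist: a small applier for patch lines in that radiff2 shape, which refuses to touch a file that does not match and can revert a patch it applied. The patch text and the 64-byte blob are constructed for the example; the offsets and bytes are not real kernel patches (1f2003d5 is simply an AArch64 NOP, d503201f, in little-endian byte order).

```python
import re

# Constructed patch in the radiff2 "offset orig => new offset" form the gist describes.
SAMPLE_PATCH = """\
0x00000010 10111213 => 1f2003d5 0x00000010
0x00000020 2021 => 0000 0x00000020
"""

PATCH_LINE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s*=>\s*([0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)$")


def parse_patches(text):
    """Return a list of (offset, original_bytes, new_bytes) tuples."""
    patches = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATCH_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in 'offset orig => new offset' form")
        off, orig, new, off2 = m.groups()
        orig_b, new_b = bytes.fromhex(orig), bytes.fromhex(new)
        if len(orig_b) != len(new_b):
            raise ValueError(f"line {lineno}: an in-place patch must not change length")
        if off != off2:
            raise ValueError(f"line {lineno}: source and destination offsets differ")
        patches.append((int(off, 16), orig_b, new_b))
    return patches


def check_patches(data, patches, revert=False):
    """Offsets whose current bytes are not what the patch expects to find
    (the original bytes, or the patched bytes when reverting). Empty list = safe to apply."""
    bad = []
    for off, orig, new in patches:
        expect = new if revert else orig
        if data[off:off + len(expect)] != expect:
            bad.append(off)
    return bad


def apply_patches(data, patches, revert=False):
    """Apply (or revert) the patches, refusing to modify a file that does not match."""
    bad = check_patches(data, patches, revert)
    if bad:
        raise ValueError("bytes do not match at offsets " + ", ".join(hex(o) for o in bad))
    out = bytearray(data)
    for off, orig, new in patches:
        dst = orig if revert else new
        out[off:off + len(dst)] = dst
    return bytes(out)


if __name__ == "__main__":
    blob = bytes(range(64))  # constructed stand-in for Kernel.bin
    patched = apply_patches(blob, parse_patches(SAMPLE_PATCH))
    print(patched[0x10:0x14].hex(), patched[0x20:0x22].hex())
```

For a real Kernel.bin, read the file with `open(path, "rb").read()`, pass it through `apply_patches`, and write the result to a new file rather than over the original, so `revert=True` is never actually needed.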

@SocraticBliss
SocraticBliss / CertNXtractionPack.cmd
Last active May 30, 2024 04:01
CertNXtractionPack
@ECHO OFF
TITLE CertNXtractionPack by SocraticBliss and SimonMKWii (R)
ECHO: && ECHO PRE-REQUISITES:
ECHO -- Get your BIS Keys (via biskeydump)
ECHO -- Dump your SYSNAND (via hekate)
ECHO -- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory (via HacDiskMount)
ECHO -- keys.txt (ie. key = 32 digit hex value) file with the following keys...
ECHO --- master_key_00
ECHO --- rsa_private_kek_generation_source
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################
from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct
"""
# If you see very long/bad variable names and questionable design choice, probably because I wrote this in sleep deprivation
import sys


def findBytesInTarget(findingBytes, target):
    """Return every offset at which findingBytes occurs in target (overlapping matches included)."""
    foundList = []
    findingOffestInTarget = 0
    while True:
        offset = target.find(findingBytes, findingOffestInTarget)
        if offset == -1:  # 'is -1' compares identity, not value, and is not reliable
            return foundList
        foundList.append(offset)
        findingOffestInTarget = offset + 1

The following is a write-up of how I initially achieved kernel code execution on the Nintendo Switch, very much inspired by hexkyz's write-ups. The work discussed was completed over the course of a single conversation between hthh and me during the evening of November 21st, 2017. A number of snippets are attached from that conversation as inline links, in the hope that they'll be interesting to readers.

Background information

I would recommend reading hexkyz's recent write-up on how the Switch was broken into via GPU DMA attacks. It's a great read!

In particular, he describes:

Additionally, the kernel itself would start allocating memory outside of the carveout region
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <switch.h>
#include "web_wifi.h"
#define PRINT_RC(str, rc) printf("[!] %s: [0x%x] %04d-%04d\n", str, rc, R_MODULE(rc), R_DESCRIPTION(rc))
void userAppInit() {