Hacking the Switch through the Album?

Jackson Ferrell

OP
Is it possible for JPGs to have code in them to hack the Switch?
I know that code can be hidden in JPGs, but not sure if it's possible (or known to be plausible) with for example the Switch.
 


GarnetSunset

ChickHen relied on the TIFF format. So. Otherwise you can account for all of the changes the Switch has made to protect itself from overflows and find a stable overflow, which'd be like... groundbreaking.
 

StackMasher

That's not how it works, you would have to find a buffer overflow vulnerability in the image parsing code, and then overwrite the stack with a ROP chain (that's one way, there's lots of different ways you can exploit buggy code). Even if you hex edited executable code into an image file, there would be no way to run it because of memory permissions.
 

jt_1258

That's not how it works, you would have to find a buffer overflow vulnerability in the image parsing code, and then overwrite the stack with a ROP chain (that's one way, there's lots of different ways you can exploit buggy code). Even if you hex edited executable code into an image file, there would be no way to run it because of memory permissions.
Like I said, soundhax but with pictures, pichax, lul, cause that sounds like how soundhax works.
 

Deleted User

Here is the problem.

@sarkwalvein and I were messing around with the pictures.

We learned the following:
  • There is either a common key used to encrypt images so that only the Switch can view them, or there is something in the metadata that does something (I think it hashes the picture, which only lets the Switch confirm the image hasn't been tampered with).
  • We then decided that it has to be the latter, because regular image viewers can see it and you can upload your pictures to Twitter.
  • The files are always saved with the date of 12/31/1979 at 00:00. This poses a problem for SDXC users because that date specifically is illegal in the exFAT filesystem.

So, in order to inject your images, you have to find out what kind of hash it is, where it is located, and what part of the image it hashes.

Then you can mess around with "hacking" the switch by using the album.
 

DeoNaught

Here is the problem.

@sarkwalvein and I were messing around with the pictures.

We learned the following:
  • There is either a common key used to encrypt images so that only the Switch can view them, or there is something in the metadata that does something (I think it hashes the picture, which only lets the Switch confirm the image hasn't been tampered with).
  • We then decided that it has to be the latter, because regular image viewers can see it and you can upload your pictures to Twitter.
  • The files are always saved with the date of 12/31/1979 at 00:00. This poses a problem for SDXC users because that date specifically is illegal in the exFAT filesystem.

So, in order to inject your images, you have to find out what kind of hash it is, where it is located, and what part of the image it hashes.

Then you can mess around with "hacking" the switch by using the album.
If you download the image from Twitter, what is the difference between the Twitter image and the Switch image?
 

Deleted User

If you download the image from Twitter, what is the difference between the Twitter image and the Switch image?
Huh.
Haven't tried it.

once the Pokken Tournament is over, I'll take a look

--------------------- MERGED ---------------------------

If you download the image from Twitter, what is the difference between the Twitter image and the Switch image?
Well, considering it is compatible with regular image viewers, I am fairly sure that there is no difference.

The Switch just calculates the hash of the image and stores it in metadata. Then it recalculates the hash each time it loads the image, and if it is different, it fails to load. Even a one-byte difference changes everything.
 

Seelbreaker

Huh.
Haven't tried it.

once the Pokken Tournament is over, I'll take a look

--------------------- MERGED ---------------------------


Well, considering it is compatible with regular image viewers, I am fairly sure that there is no difference.

The Switch just calculates the hash of the image and stores it in metadata. Then it recalculates the hash each time it loads the image, and if it is different, it fails to load. Even a one-byte difference changes everything.

So, if the image on Twitter is magically the same picture, you could calculate the hashes, right?
 

Deleted User

So, if the image on Twitter is magically the same picture, you could calculate the hashes, right?
Let me explain our theory better:

  1. The screenshot is taken
  2. During the creation process, the image (excluding the metadata) is hashed.
    Hashing means that there is a set of numbers representing all of the data of the image. If one single byte changes in the image, the hash changes as well
  3. The hash is stored in metadata somewhere
  4. Because metadata isn't required to be read, image viewers (such as Microsoft Paint or GIMP) can view the image seamlessly. This is also true for Twitter.
  5. When saving the image after manipulating it, the metadata is overwritten (this is completely true regardless of what image software you are using, unless it advertises otherwise)
    This means editing an image from an image manipulator will not allow it to be viewed by the Switch
  6. Even if you were to copy the metadata to another image, it would not work because the hash is different.

So, in order to figure out how to inject images, you need to figure out:
  1. What kind of hash is being used
  2. Where it is stored in the image
This theory is the best one currently, because using a key to sign the images would render it impossible to upload to twitter unless they changed them in the upload process. But then how would we view them straight from the Switch?

If you have any questions, feel free to ask. I will be unavailable for the next few hours, but I am happy to respond either via PM, or via this thread.

EDIT: I just realized that the metadata (excluding the hash) could also be hashed at the same time. This seems like too much for Nintendo to do just for one image (because in order to check the hash against the data, you would have to create a temporary file that omits the hash from the original file and then check that file's hash).
 

GerbilSoft

It's probably more than just a plain old hash. Possibly an HMAC or RSA signed.

If it's an HMAC or RSA-signed, then chances are this won't be cracked until the required keys can be dumped from the Switch OS and/or Boot ROM.
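The theory above (a tag over the image data, stored in a metadata segment and re-checked on load) and GerbilSoft's point that a keyed HMAC behaves very differently from a plain hash, worked through as an added example that is not from the thread or from Nintendo. Everything here is constructed: the container is a simplified JPEG-style layout with a hypothetical APP15 tag segment, the `HYPO` marker and the device key are made up, and nothing is claimed about the Switch's real album format.

```python
import hashlib
import hmac

# Constructed JPEG-style container (not the Switch's real layout): SOI, one APP15 tag segment, then the rest of the file up to EOI.
SOI, EOI, APP15 = b"\xff\xd8", b"\xff\xd9", b"\xff\xef"
TAG_MAGIC = b"HYPO"  # hypothetical identifier marking our tag segment

def compute_tag(image, key=None):
    """Plain SHA-256 over the untagged image, or HMAC-SHA-256 when a key is supplied."""
    return hmac.new(key, image, hashlib.sha256).digest() if key else hashlib.sha256(image).digest()

def attach(image, tag):
    """Insert an APP15 segment holding the tag right after SOI (JPEG lengths count their own 2 bytes)."""
    payload = TAG_MAGIC + tag
    return SOI + APP15 + (len(payload) + 2).to_bytes(2, "big") + payload + image[len(SOI):]

def embed_tag(image, key=None):
    """Tag an image as the thread's theory describes: the tag covers everything except itself."""
    return attach(image, compute_tag(image, key))

def split_tag(tagged):
    """Return (tag, untagged image); raise if the tag segment is missing or malformed."""
    length = int.from_bytes(tagged[4:6], "big")
    payload = tagged[6:4 + length]
    if tagged[:4] != SOI + APP15 or len(payload) != length - 2 or not payload.startswith(TAG_MAGIC):
        raise ValueError("tag segment missing or malformed")
    return payload[len(TAG_MAGIC):], SOI + tagged[4 + length:]

def verify(tagged, key=None):
    """Recompute over the untagged image and compare in constant time, as a loader would."""
    try:
        tag, image = split_tag(tagged)
    except ValueError:
        return False
    return hmac.compare_digest(tag, compute_tag(image, key))

def demo():
    """Exercise both schemes against an untouched, an edited and a metadata-stripped image."""
    original = SOI + b"\x00\x11\x22\x33" * 4 + EOI  # constructed stand-in for a screenshot
    edited = SOI + b"\x00\x11\x22\x7f" * 4 + EOI    # one byte per block changed
    key = b"hypothetical-device-key"                # stands in for a key only the device holds
    plain_tagged, keyed_tagged = embed_tag(original), embed_tag(original, key)
    return {
        "plain_untouched": verify(plain_tagged),                                   # True
        "plain_edit_stale_tag": verify(attach(edited, split_tag(plain_tagged)[0])),  # False: the edit is caught
        "plain_edit_retagged": verify(embed_tag(edited)),                          # True: no secret, so anyone can re-tag
        "keyed_untouched": verify(keyed_tagged, key),                              # True
        "keyed_edit_unkeyed_retag": verify(embed_tag(edited), key),                # False: re-tagging needs the key
        "metadata_stripped": verify(original),                                     # False: tag segment gone
    }
```

The plain hash only catches corruption or an editor that rewrote the metadata; once the scheme is known, the tag can simply be recomputed, whereas the HMAC variant rejects any re-tag made without the key, which is why the keys matter in GerbilSoft's reading.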
 

Deleted User

It's probably more than just a plain old hash. Possibly an HMAC or RSA signed.

If it's an HMAC or RSA-signed, then chances are this won't be cracked until the required keys can be dumped from the Switch OS and/or Boot ROM.
Define those, I am not sure what those are (I know, I'm stupid).
 
