Hacking the Switch through the Album?

jt_1258

I already documented how the hash works; a post a few above yours references my tweet. It's just an sha256 hmac with a hard coded key lol -- eventually I'll probably make a tool, but I tested and a custom "resigned" JPEG worked fine last night.
could we see a picture of your switch with this resigned image in your album? just for the sake of absolute proof, sorry, just want to know if this truly is real...it's hard to believe that so much you folks have done in 4 months, I expected this all to take much longer to the point of at least a year or 2, just wow
 

SciresM

i assume then you have the hardcoded key?

also, i'm happy my theory about the album was actually true.

Yes, the key is extremely easy to extract if you have capsrv's code....they were smart enough not to store the key itself; instead the ipad/opad (Key ^ 0x363636...., Key ^ 0x5C5C...) are loaded via MOVK instructions.

Still, not hard if you know what you're doing.

On 2.0 the Hmac function is at 0x7B94 in .text; it takes in (pointer to output mac, pointer to jpeg data, size of jpeg data, pointer to output size_parsed variable).

could we see a picture of your switch with this resigned image in your album? just for the sake of absolute proof, sorry, just want to know if this truly is real...it's hard to believe that so much you folks have done in 4 months, I expected this all to take much longer to the point of at least a year or 2, just wow

I guess I can tweet a pic this evening when I'm doing switch stuff, heh -- didn't bother since it's only screenshots...
 
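As an added illustration of the point made in the post above (this is example code written for this thread, not code from the thread, from capsrv or from any Switch tool): a binary that keeps only the ipad/opad blocks instead of the key gains no secrecy, because HMAC-SHA256 is fully defined by those two blocks and XORing the ipad with 0x36 restores the key. The key, the "album" bytes and the function names are constructed placeholders.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size; ipad and opad are one block each

# Constructed placeholder key for the demo; NOT the real capsrv key.
KEY = b"placeholder-album-hmac-key"


def derive_pads(key: bytes) -> tuple[bytes, bytes]:
    """Standard HMAC key schedule (RFC 2104): hash keys longer than a block,
    zero-pad to the block size, then XOR with 0x36 (ipad) and 0x5C (opad)."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return ipad, opad


def hmac_from_pads(ipad: bytes, opad: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 computed from the precomputed pads alone, i.e. exactly
    what code that embeds Key^0x36.. and Key^0x5C.. (not the key) does."""
    inner = hashlib.sha256(ipad + data).digest()
    return hashlib.sha256(opad + inner).digest()


def key_from_ipad(ipad: bytes) -> bytes:
    """The pads leak the key: ipad XOR 0x36 is the zero-padded key.
    Trailing zero bytes of a key (if any) cannot be told from the padding."""
    return bytes(b ^ 0x36 for b in ipad).rstrip(b"\x00")


def verify_mac(ipad: bytes, opad: bytes, data: bytes, mac: bytes) -> bool:
    """Constant-time check of a stored MAC against the data it should cover."""
    return hmac.compare_digest(hmac_from_pads(ipad, opad, data), mac)


def demo(data: bytes) -> dict:
    """Show that pad-based HMAC equals the library HMAC over the key, and that
    the key is recoverable from the ipad block alone."""
    ipad, opad = derive_pads(KEY)
    from_pads = hmac_from_pads(ipad, opad, data)
    reference = hmac.new(KEY, data, hashlib.sha256).digest()
    return {
        "same_mac": hmac.compare_digest(from_pads, reference),
        "key_recovered": key_from_ipad(ipad) == KEY,
        "verifies": verify_mac(ipad, opad, data, from_pads),
        "tampered_rejected": not verify_mac(ipad, opad, data + b"\x00", from_pads),
    }


if __name__ == "__main__":
    # Constructed stand-in for JPEG bytes (SOI marker followed by filler).
    print(demo(b"\xff\xd8\xff\xe0" + b"jpeg-body-placeholder"))
```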

jt_1258

Yes, the key is extremely easy to extract if you have capsrv's code....they were smart enough not to store the key itself; instead the ipad/opad (Key ^ 0x363636...., Key ^ 0x5C5C...) are loaded via MOVK instructions.

Still, not hard if you know what you're doing.

On 2.0 the Hmac function is at 0x7B94 in .text; it takes in (pointer to output mac, pointer to jpeg data, size of jpeg data, pointer to output size_parsed variable).



I guess I can tweet a pic this evening when I'm doing switch stuff, heh -- didn't bother since it's only screenshots...
oh, I thought you had edited and put in a custom pic
 

SciresM

oh, I thought you had edited and put in a custom pic

When I tested the screenshot stuff last night I "resigned" a pic of the reswitched logo and put on my SD card, verified album loaded it with no problems...didn't bother posting to social media because like I said it's only screenshots editing...

I think you took "it's only screenshots" to mean "no custom pictures" -- not what I meant, those work fine, I just meant screenshot editing isn't a huge deal in terms of hax-noteworthiness :)
 

jt_1258

When I tested the screenshot stuff last night I "resigned" a pic of the reswitched logo and put on my SD card, verified album loaded it with no problems...didn't bother posting to social media because like I said it's only screenshots editing...

I think you took "it's only screenshots" to mean "no custom pictures" -- not what I meant, those work fine, I just meant screenshot editing isn't a huge deal in terms of hax-noteworthiness :)
>.< well, hit it on the nail, sorry about that, well, cool
if ninty ever does implement recording gameplay maybe something similar could be done to get it to play movies and stuff
seems pretty damn cool
also, are there ever any issues with adding an image into the album if it's not the same dimensions, like a 150x120 image in there instead of the normal dimensions you would see on a tv or the switch itself?
 

SciresM

>.< well, hit it on the nail, sorry about that, well, cool
if ninty ever does implement recording gameplay maybe something similar could be done to get it to play movies and stuff
seems pretty damn cool
also, are there ever any issues with adding an image into the album if it's not the same dimensions, like a 150x120 image in there instead of the normal dimensions you would see on a tv or the switch itself?

Don't know, haven't messed with that -- there's definitely "some" validation of size, images without right size thumbnail show as question marks with "corrupt data" message. I'm sure it'll get documented eventually, but the non-crypto parts of validation are low priority heh.
 

Deleted User

Yes, the key is extremely easy to extract if you have capsrv's code....they were smart enough not to store the key itself; instead the ipad/opad (Key ^ 0x363636...., Key ^ 0x5C5C...) are loaded via MOVK instructions.

Still, not hard if you know what you're doing.

On 2.0 the Hmac function is at 0x7B94 in .text; it takes in (pointer to output mac, pointer to jpeg data, size of jpeg data, pointer to output size_parsed variable).



I guess I can tweet a pic this evening when I'm doing switch stuff, heh -- didn't bother since it's only screenshots...
ah i see. my switch is on 3.0 because i used to have a different stance on switch hacking. (although not really sure this is considered switch hacking).

capsrv is in the kernel then, right?
 

SciresM

ah i see. my switch is on 3.0 because i used to have a different stance on switch hacking. (although not really sure this is considered switch hacking).

capsrv is in the kernel then, right?

Nope, capsrv is a sysmodule, not the kernel.

The sha256 stuff is implemented via native sha256 instructions in .text.
 
