Hacking Question Custom Screenshots on Switch?

Deleted User · Aug 24, 2017

https://twitter.com/SciresM/status/885694921696354305
I might be a bit late, but this guy on Twitter was able transfer saves from one console to another, get custom screenshots etc. (I heard some hackers say that once you get access to your Switch saves, the security is a joke.) But for now, how would I get custom screenshots on my Switch? I have edited a screenshot and it just tells me that it is corrupted or damaged or something. I just wanna test something. I use paint.net and it retains the image info, but it doesn't work on switch. (It works on PC and every device I try.)

Deleted User · Aug 24, 2017

I know that you cannot make an exploit out of this, I wasn't asking, I just wanna try out custom screenshots.

Deleted User · Aug 24, 2017

So I found this, and I don't know where to hex edit my image.
http://switchbrew.org/index.php?title=Capture_services

jakerman999 · Aug 24, 2017

TL;DR: It's not a simple hex edit

The Switch won't look at an image unless it has the same timestamp as one that's already in memory. This means you either need to use an editor that doesn't alter the timestamp, or change the timestamp back after editing. This is fairly trivial.

But meeting that requirement doesn't mean the Switch will display the image yet. It now makes a copy of the image, makes the timestamp 0, hashes that copy and compares the hash to another that was saved with the timestamp that the image matches. The hash that is being compared against was generated from the screenshot taken at the timestamp. So how do we get our image to have the same hash as the one in memory(the original)?

Option A) hash collision. The new image has extra data added or some parts altered slightly to make the hash the same as the stored one. This is hard, as the nature of a hash means we can't use a formula to figure out what we need to change/add, it's a guess and check which means brute force. This borders on impossible as to figure out the hash we need to know what number the Switch uses to make the hash. Solving this takes breaking the Switch's crypto once and then a bruteforce for every picture you want to import.

Option B) change the hash in memory. Run the new image through the Switch's hash function, and overwrite the old hash with the new one. I believe this is what @SciresM has done, although I can only speculate how. PegaSwitch might be able to do it, or it might be a product of smhax, or some other unannounced [noun].

Option C) patch the hash check to always return true, or the image display to not care about a wrong hash (signature patching iirc). This probably requires TrustZone or at least kernel level code execution. Not likely.

Option D) ???

Deleted User · Aug 24, 2017

So making the edited photo's properties the same as the Switch, as in the same date the screenshot was taken on the switch and making sure it is the same file size?

DarkIrata · Aug 24, 2017

Well, first of all. You can Edit posts and don't need to make multiple posts.
How its currently work only SciresM can say more to it.

Deleted User · Aug 24, 2017

DarkIrata said:
Well, first of all. You can Edit posts and don't need to make multiple posts.
How its currently work only SciresM can say more to it.

Yes I know, and it's unlikely @SciresM would tell us anyway until switch homebrew is possible.

jimmyleen · Aug 24, 2017

Firmware 3.0.0 will be the golden ticket for a while if not for ever.

Dann_ · Aug 27, 2017

jakerman999 said:
TL;DR: It's not a simple hex edit

The Switch won't look at an image unless it has the same timestamp as one that's already in memory. This means you either need to use an editor that doesn't alter the timestamp, or change the timestamp back after editing. This is fairly trivial.

But meeting that requirement doesn't mean the Switch will display the image yet. It now makes a copy of the image, makes the timestamp 0, hashes that copy and compares the hash to another that was saved with the timestamp that the image matches. The hash that is being compared against was generated from the screenshot taken at the timestamp. So how do we get our image to have the same hash as the one in memory(the original)?

Option A) hash collision. The new image has extra data added or some parts altered slightly to make the hash the same as the stored one. This is hard, as the nature of a hash means we can't use a formula to figure out what we need to change/add, it's a guess and check which means brute force. This borders on impossible as to figure out the hash we need to know what number the Switch uses to make the hash. Solving this takes breaking the Switch's crypto once and then a bruteforce for every picture you want to import.

Option B) change the hash in memory. Run the new image through the Switch's hash function, and overwrite the old hash with the new one. I believe this is what @SciresM has done, although I can only speculate how. PegaSwitch might be able to do it, or it might be a product of smhax, or some other unannounced [noun].

Option C) patch the hash check to always return true, or the image display to not care about a wrong hash (signature patching iirc). This probably requires TrustZone or at least kernel level code execution. Not likely.

Option D) ???

Hmm, doesn't it actually hash it on the fly instead of obtaining the hash from memory? Pretty sure it says so on switchbrew and hashing it is as easy as zeroing out the makernote and hashing it with a private key that has already been leaked by sciresm

Hacking Question Custom Screenshots on Switch?

Deleted User

Guest

Deleted User

Guest

Deleted User

Guest

Well-Known Member

Deleted User

Guest

Well-Known Member

Deleted User

Guest

Well-Known Member

Well-Known Member

Similar threads

Popular threads in this forum