Hacking the Switch through the Album?

Jackson Ferrell

Is it possible for JPGs to have code in them to hack the Switch?
I know that code can be hidden in JPGs, but not sure if it's possible (or known to be plausible) with for example the Switch.
 
ChickHen relied on the Tiff format. So. Otherwise you can account for all of the changes the switch has made to protect itself from overflows and find a stable overflow which'd be like... groundbreaking.
 
That's not how it works, you would have to find a buffer overflow vulnerability in the image parsing code, and then overwrite the stack with a ROP chain (that's one way, there's lots of different ways you can exploit buggy code). Even if you hex-edited executable code into an image file, there would be no way to run it because of memory permissions.
 
like I said, soundhax but with pictures, pichax, lul, cause that sounds like how soundhax works
 
Here is the problem.

@sarkwalvein and I were messing around with the pictures.

We learned the following:
  • There is either a common key used to encrypt images so that only the Switch can view them, or there is something in the metadata that does something (I think it hashes the picture, which only lets the Switch confirm the image hasn't been tampered with).
  • We then decided that it has to be the latter because regular image viewers can see it, and you can upload your pictures to Twitter.
  • The files are always saved with the date of 12/31/1979 at 00:00. This poses a problem for SDXC users because that date specifically is illegal in the exFAT filesystem

So, in order to inject your images, you have to find out what kind of hash it is, where it is located, and what part of the image it hashes.

Then you can mess around with "hacking" the switch by using the album.
 
If you download the image from Twitter, what is the difference between the Twitter image and the Switch image?
 
huh
haven't tried it.

once the Pokken Tournament is over, I'll take a look

Well, considering it is compatible with regular image viewers, I am fairly sure that there is no difference.

The Switch just calculates the hash of the image and stores it in metadata. Then, it recalculates the hash each time it loads the image, and if it is different, it fails to load. Even a one-byte difference changes everything.
 

So, if the image on Twitter is magically the same picture, you could calculate the hashes, right?
 
Let me explain our theory better:

  1. The screenshot is taken
  2. During the creation process, the image (excluding the metadata) is hashed.
    Hashing means that there is a set of numbers representing all of the data of the image. If one single byte changes in the image, the hash changes as well
  3. The hash is stored in metadata somewhere
  4. Because metadata isn't required to be read, image viewers (such as Microsoft Paint, or GIMP) can view the image seamlessly. This is also true for Twitter.
  5. When saving the image after manipulating it, the metadata is overwritten (this is completely true regardless of what image software you are using, unless it advertises otherwise)
    This means editing an image from an image manipulator will not allow it to be viewed by the Switch
  6. Even if you were to copy the metadata to another image, it would not work because the hash is different.

So, in order to figure out how to inject images, you need to figure out:
  1. What kind of hash is being used
  2. Where it is stored in the image
This theory is the best one currently, because using a key to sign the images would render it impossible to upload to Twitter unless they changed them in the upload process. But then how would we view them straight from the Switch?

If you have any questions, feel free to ask. I will be unavailable for the next few hours, but I am happy to respond either via PM, or via this thread.

EDIT: I just realized that the metadata (excluding the hash) could also be hashed at the same time. This seems like too much for Nintendo to do just for one image (because in order to check the hash against the data, you would have to create a temporary file that omits the hash from the original file and then check that file's hash).
 
It's probably more than just a plain old hash. Possibly an HMAC or RSA signed.

If it's an HMAC or RSA-signed, then chances are this won't be cracked until the required keys can be dumped from the Switch OS and/or Boot ROM.
 
Define those, I am not sure what those are (I know, I'm stupid).
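As an added illustration of the hash-in-metadata theory and of the HMAC point raised in reply (example code written for this thread, not anything from the posters or from Nintendo), the toy container below stores a 32-byte tag in its header and recomputes it on load. The container format, the pixel bytes and the device key are all constructed for the demo; the tag is computed over the whole file with the tag field zeroed, so no temporary file is needed. With a plain SHA-256 anyone who edits the pixels can simply recompute the tag, while an HMAC cannot be recomputed without the secret key, which is why a keyed tag or a signature is what actually stops tampering.

```python
import hashlib
import hmac
from typing import Optional

MAGIC = b"TOYIMG"            # constructed toy container, not the Switch album format
TAG_LEN = 32                 # SHA-256 / HMAC-SHA256 output size
HDR_LEN = len(MAGIC) + TAG_LEN


def _tag(zeroed: bytes, key: Optional[bytes]) -> bytes:
    """Tag over the whole container with the tag field zeroed (no temp file needed)."""
    if key is None:
        return hashlib.sha256(zeroed).digest()        # plain hash: anyone can recompute it
    return hmac.new(key, zeroed, "sha256").digest()   # keyed tag: needs the secret key


def seal(pixels: bytes, key: Optional[bytes] = None) -> bytes:
    """Write MAGIC | tag | pixels; the tag covers MAGIC, a zeroed tag field and the pixels."""
    tag = _tag(MAGIC + bytes(TAG_LEN) + pixels, key)
    return MAGIC + tag + pixels


def verify(container: bytes, key: Optional[bytes] = None) -> bool:
    """Recompute the tag on load, the way the thread's theory says the Switch does."""
    if len(container) < HDR_LEN or not container.startswith(MAGIC):
        return False
    stored = container[len(MAGIC):HDR_LEN]
    zeroed = MAGIC + bytes(TAG_LEN) + container[HDR_LEN:]
    return hmac.compare_digest(stored, _tag(zeroed, key))


def flip_byte(container: bytes, offset: int) -> bytes:
    """Simulate an edit: change one bit of one pixel byte (offset relative to pixel data)."""
    i = HDR_LEN + offset
    return container[:i] + bytes([container[i] ^ 0x01]) + container[i + 1:]


def reseal(container: bytes, key: Optional[bytes] = None) -> bytes:
    """Drop the old tag and seal the (possibly edited) pixels again."""
    return seal(container[HDR_LEN:], key)


def demo() -> dict:
    pixels = bytes(range(256)) * 4          # constructed stand-in for JPEG bytes
    key = b"hypothetical-device-secret"     # hypothetical per-device key, never on the SD card
    plain, keyed = seal(pixels), seal(pixels, key)
    return {
        "plain_ok": verify(plain),
        "plain_one_byte_edit": verify(flip_byte(plain, 100)),                    # one-byte change fails
        "plain_edit_resealed": verify(reseal(flip_byte(plain, 100))),            # passes: no secret involved
        "keyed_ok": verify(keyed, key),
        "keyed_edit_resealed_no_key": verify(reseal(flip_byte(keyed, 100)), key),  # fails without the key
    }
```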
 

Site & Scene News

Popular threads in this forum