Hacking the Switch through the Album?

Discussion in 'Switch - Hacking & Homebrew' started by Jackson Ferrell, Jun 9, 2017.

  1. Jackson Ferrell
    OP

    Jackson Ferrell Naked Banana

    Member
    238
    53
    Nov 28, 2015
    Australia
    Is it possible for JPGs to have code in them to hack the Switch?
    I know that code can be hidden in JPGs, but I'm not sure if it's possible (or known to be plausible) with, for example, the Switch.
     
  2. antiswirl

    antiswirl Member

    Newcomer
    33
    16
    Feb 11, 2008
    You mean like ChickHen for the PSP?
     
  3. xXxSwagnemitexXx

    xXxSwagnemitexXx The person who asks n00b questions

    Member
    353
    84
    Dec 7, 2016
    United States
    Somewhere
    Maybe! Try it
     
  4. Fyrus

    Fyrus Artilleur Carmin

    Member
    798
    127
    Jul 6, 2010
    France
    Marseille - France
  5. xXxSwagnemitexXx

    xXxSwagnemitexXx The person who asks n00b questions

    Member
    353
    84
    Dec 7, 2016
    United States
    Somewhere
    Fyrus likes this.
  6. Dr.Hacknik

    Dr.Hacknik Maniac | Dev | A Fellow (lewd) Megumin

    Member
    1,243
    1,066
    Mar 26, 2014
    United States
    my lewd corner
    If you can cause some sort of buffer overflow, much like you can do with the Wii U and .mp4s, then yes, unless the Album application has some way to fall back from a buffer overflow (such as an error dialog).
     
  7. GarnetSunset

    GarnetSunset Advanced Member

    Newcomer
    75
    112
    Apr 27, 2017
    United States
    ChickHen relied on the TIFF format. So. Otherwise you can account for all of the changes the Switch has made to protect itself from overflows and find a stable overflow, which'd be like... groundbreaking.
     
  8. jt_1258

    jt_1258 GBAtemps Midna

    Member
    1,800
    1,013
    Aug 21, 2016
    United States
    The Twilight Realm
    hmm, soundhax but with pictures
     
    HugaTheFox and supermario18 like this.
  9. xXxSwagnemitexXx

    xXxSwagnemitexXx The person who asks n00b questions

    Member
    353
    84
    Dec 7, 2016
    United States
    Somewhere
    lol
     
  10. DeoNaught

    DeoNaught ¯\_(ツ)_/¯

    Member
    1,588
    1,703
    Aug 22, 2016
    United States
    Constant Fear
    You can hide files in JPGs, I have seen it done before.
     
  11. xXxSwagnemitexXx

    xXxSwagnemitexXx The person who asks n00b questions

    Member
    353
    84
    Dec 7, 2016
    United States
    Somewhere
  12. StackMasher

    StackMasher GBAtemp Regular

    Member
    118
    57
    Nov 29, 2016
    That's not how it works. You would have to find a buffer overflow vulnerability in the image parsing code, and then overwrite the stack with a ROP chain (that's one way; there are lots of different ways you can exploit buggy code). Even if you hex edited executable code into an image file, there would be no way to run it because of memory permissions.
     
    Tomato Hentai and peteruk like this.
  13. jt_1258

    jt_1258 GBAtemps Midna

    Member
    1,800
    1,013
    Aug 21, 2016
    United States
    The Twilight Realm
    like I said, soundhax but with pictures, pichax, lul, cause that sounds like how soundhax works
     
    Xanibale likes this.
  14. blujay

    blujay GBATemp's Official Warthog

    Member
    GBAtemp Patron
    2,256
    2,132
    Nov 2, 2015
    United States
    Gilbert, Arizona
    Here is the problem.

    @sarkwalvein and I were messing around with the pictures.

    We learned the following:
    • There is either a common key used to encrypt images so that only the Switch can view them, or there is something in the metadata that does something (I think it hashes the picture, which only lets the Switch confirm the image hasn't been tampered with).
    • We then decided that it has to be the latter, because regular image viewers can see it, and you can upload your pictures to Twitter.
    • The files are always saved with the date of 12/31/1979 at 00:00. This poses a problem for SDXC users because that date specifically is illegal in the exFAT filesystem.

    So, in order to inject your images, you have to find out what kind of hash it is, where it is located, and what part of the image it hashes.

    Then you can mess around with "hacking" the switch by using the album.
     
    DarthDub likes this.
  15. DeoNaught

    DeoNaught ¯\_(ツ)_/¯

    Member
    1,588
    1,703
    Aug 22, 2016
    United States
    Constant Fear
    If you download the image from twitter, What is the difference from the twitter image, and the Switch image?
     
  16. blujay

    blujay GBATemp's Official Warthog

    Member
    GBAtemp Patron
    2,256
    2,132
    Nov 2, 2015
    United States
    Gilbert, Arizona
    huh
    haven't tried it.

    once the Pokken Tournament is over, I'll take a look
    Well, considering it is compatible with regular image viewers, I am fairly sure that there is no difference.

    The Switch just calculates the hash of the image and stores it in metadata. Then it recalculates the hash each time it loads the image, and if it is different, it fails to load. Even a one-byte difference changes everything.
     
    Quantumcat and DeoNaught like this.
  17. Seelbreaker

    Seelbreaker GBAtemp Regular

    Member
    103
    20
    Mar 22, 2010
    Gambia, The
    So, if the image on Twitter is magically the same picture, you could calculate the hashes, right?
     
  18. blujay

    blujay GBATemp's Official Warthog

    Member
    GBAtemp Patron
    2,256
    2,132
    Nov 2, 2015
    United States
    Gilbert, Arizona
    Let me explain our theory better:

    1. The screenshot is taken
    2. During the creation process, the image (excluding the metadata) is hashed.
      Hashing means that there is a set of numbers representing all of the data of the image. If one single byte changes in the image, the hash changes as well
    3. The hash is stored in metadata somewhere
    4. Because metadata isn't required to be read, image viewers (such as Microsoft Paint, or GIMP) can view the image seamlessly. This is also true for twitter
    5. When saving the image after manipulating it, the metadata is overwritten (this is completely true regardless of what image software you are using, unless it advertises otherwise)
      This means editing an image from an image manipulator will not allow it to be viewed by the Switch
    6. Even if you were to copy the metadata to another image, it would not work because the hash is different.

    So, in order to figure out how to inject images, you need to figure out:
    1. What kind of hash is being used
    2. Where it is stored in the image
    This theory is the best one currently, because using a key to sign the images would render it impossible to upload to twitter unless they changed them in the upload process. But then how would we view them straight from the Switch?

    If you have any questions, feel free to ask. I will be unavailable for the next few hours, but I am happy to respond either via PM, or via this thread.

    EDIT: I just realized that the metadata (excluding the hash) could also be hashed at the same time. This seems like too much for Nintendo to do just for one image (because in order to check the hash against the data, you would have to create a temporary file that omits the hash from the original file and then check that files hash)
     
    Last edited by blujay, Jun 15, 2017
    Seelbreaker, Quantumcat and yanagi like this.
  19. GerbilSoft

    GerbilSoft GBAtemp Addict

    Member
    2,108
    2,350
    Mar 8, 2012
    United States
    It's probably more than just a plain old hash. Possibly an HMAC or RSA signed.

    If it's an HMAC or RSA-signed, then chances are this won't be cracked until the required keys can be dumped from the Switch OS and/or Boot ROM.
     
    DarthDub likes this.
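    The difference between blujay's "hash stored in the metadata" theory and GerbilSoft's HMAC suggestion, as an added illustration that is not code from this thread and does not model the real Switch album format: a constructed toy container (4-byte tag length, tag, then pixel bytes) carries a tag over the pixel data only, exactly as the theory describes. With a plain SHA-256 tag, an edited image whose tag is simply recomputed still verifies, so such a check only catches accidental corruption; with an HMAC under a device-held secret (the `key` here is a constructed placeholder), the same recomputed tag is rejected, because the verifier needs the key to produce a matching tag.

```python
import hashlib
import hmac
import struct

# Constructed toy container, NOT the Switch album format:
# [4-byte big-endian tag length][tag bytes][pixel bytes]
def build(pixels: bytes, tag: bytes) -> bytes:
    return struct.pack(">I", len(tag)) + tag + pixels

def split(blob: bytes):
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n], blob[4 + n:]

# Tag over pixel data only (metadata excluded), as in the thread's theory.
def plain_tag(pixels: bytes) -> bytes:
    return hashlib.sha256(pixels).digest()

def hmac_tag(pixels: bytes, key: bytes) -> bytes:
    return hmac.new(key, pixels, hashlib.sha256).digest()

# Verify-on-load: recompute the tag and compare in constant time.
def verify_plain(blob: bytes) -> bool:
    tag, pixels = split(blob)
    return hmac.compare_digest(tag, plain_tag(pixels))

def verify_hmac(blob: bytes, key: bytes) -> bool:
    tag, pixels = split(blob)
    return hmac.compare_digest(tag, hmac_tag(pixels, key))

def demo() -> dict:
    key = b"constructed-device-secret"        # placeholder, not a real key
    pixels = b"\x00\xff" * 16                 # constructed "image" data
    edited = pixels[:-1] + b"\x7f"            # one-byte change
    plain_blob = build(pixels, plain_tag(pixels))
    old_tag, _ = split(plain_blob)
    return {
        # untouched image loads
        "plain_ok": verify_plain(plain_blob),
        # edited pixels with the old tag copied over: rejected (blujay's point 6)
        "plain_copied_tag_rejected": not verify_plain(build(edited, old_tag)),
        # edited pixels with a freshly computed plain hash: accepted, no key needed
        "plain_recomputed_accepted": verify_plain(build(edited, plain_tag(edited))),
        # same trick against an HMAC verifier fails without the key (GerbilSoft's point)
        "hmac_no_key_rejected": not verify_hmac(build(edited, plain_tag(edited)), key),
        # a tag made with the key is accepted
        "hmac_ok": verify_hmac(build(pixels, hmac_tag(pixels, key)), key),
    }

if __name__ == "__main__":
    print(demo())
```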
  20. blujay

    blujay GBATemp's Official Warthog

    Member
    GBAtemp Patron
    2,256
    2,132
    Nov 2, 2015
    United States
    Gilbert, Arizona
    Define those, I am not sure what those are (I know, I'm stupid).