Hacking the Switch through the Album?

Jackson Ferrell

OP
Is it possible for JPGs to have code in it to hack the Switch?
I know that code can be hidden in JPGs, but not sure if it's possible (or known to be plausible) with for example the Switch.
 


GarnetSunset

ChickHen relied on the TIFF format. So. Otherwise you can account for all of the changes the Switch has made to protect itself from overflows and find a stable overflow, which'd be like... groundbreaking.
 

StackMasher

That's not how it works. You would have to find a buffer overflow vulnerability in the image parsing code, and then overwrite the stack with a ROP chain (that's one way; there are lots of different ways you can exploit buggy code). Even if you hex-edited executable code into an image file, there would be no way to run it because of memory permissions.
 

jt_1258

(in reply to StackMasher)
Like I said, soundhax but with pictures, pichax, lul, 'cause that sounds like how soundhax works.
 

Deleted User

Here is the problem.

@sarkwalvein and I were messing around with the pictures.

We learned the following:
  • There is either a common key used to encrypt images so that only the Switch can view them, or there is something in the metadata that does something (I think it hashes the picture, which only lets the Switch confirm the image hasn't been tampered with).
  • We then decided that it has to be the latter, because regular image viewers can see it, and you can upload your pictures to Twitter.
  • The files are always saved with the date of 12/31/1979 at 00:00. This poses a problem for SDXC users because that date specifically is illegal in the exFAT filesystem.

So, in order to inject your images, you have to find out what kind of hash it is, where it is located, and what part of the image it hashes.

Then you can mess around with "hacking" the switch by using the album.
 
DeoNaught

(in reply to Deleted User)
If you download the image from Twitter, what is the difference between the Twitter image and the Switch image?
 
Deleted User

(in reply to DeoNaught)
Huh, haven't tried it.

Once the Pokken Tournament is over, I'll take a look.

--------------------- MERGED ---------------------------

Well, considering it is compatible with regular image viewers, I am fairly sure that there is no difference.

The Switch just calculates the hash of the image and stores it in metadata. Then it recalculates the hash each time it loads the image, and if it is different, it fails to load. Even a one-byte difference changes everything.
 

Seelbreaker

(in reply to Deleted User)
So, if the image on Twitter is magically the same picture, you could calculate the hashes, right?
 
Deleted User

(in reply to Seelbreaker)
Let me explain our theory better:

  1. The screenshot is taken.
  2. During the creation process, the image (excluding the metadata) is hashed.
    Hashing means that there is a set of numbers representing all of the data of the image. If one single byte changes in the image, the hash changes as well.
  3. The hash is stored in metadata somewhere.
  4. Because metadata isn't required to be read, image viewers (such as Microsoft Paint or GIMP) can view the image seamlessly. This is also true for Twitter.
  5. When saving the image after manipulating it, the metadata is overwritten (this is completely true regardless of what image software you are using, unless it advertises otherwise).
    This means editing an image in an image manipulator will not allow it to be viewed by the Switch.
  6. Even if you were to copy the metadata to another image, it would not work because the hash is different.

So, in order to figure out how to inject images, you need to figure out:
  1. What kind of hash is being used
  2. Where it is stored in the image
This theory is the best one currently, because using a key to sign the images would render it impossible to upload to Twitter unless they changed them in the upload process. But then how would we view them straight from the Switch?

If you have any questions, feel free to ask. I will be unavailable for the next few hours, but I am happy to respond either via PM, or via this thread.

EDIT: I just realized that the metadata (excluding the hash) could also be hashed at the same time. This seems like too much for Nintendo to do just for one image (because in order to check the hash against the data, you would have to create a temporary file that omits the hash from the original file and then check that file's hash).

GerbilSoft

It's probably more than just a plain old hash. Possibly an HMAC or RSA-signed.

If it's an HMAC or RSA-signed, then chances are this won't be cracked until the required keys can be dumped from the Switch OS and/or Boot ROM.
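An added example, written for this edit and not posted by anyone in the thread, that works through the two things Deleted User says you need to find (which hash, and where it is stored) plus the question of what bytes it covers, and that shows GerbilSoft's point in practice: if the tag is an HMAC or a signature rather than a bare digest, the same search comes up empty because nothing can be recomputed without the key. The segment walker also bounds-checks the 16-bit length field before using it, which is the check StackMasher's overflow-in-the-parser scenario depends on a decoder getting wrong. Everything here is constructed: the sample file is a JPEG-shaped byte string, not a real screenshot; the APP2 segment with a "vendor\0" prefix is a hypothetical place for the tag and says nothing about the Switch's actual album format; and the key "console-secret" is made up.

```python
import hashlib
import hmac
import struct

# Added example (not from the thread): walk a JPEG's header segments, then test
# the theory that a digest of the picture is stored in one of them by recomputing
# candidate digests over candidate regions and searching the segment payloads.
# All sample data is constructed; the "vendor" segment layout is an assumption.

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def make_segment(marker, payload):
    # A JPEG marker segment: 0xFF, marker, then a big-endian 16-bit length that
    # counts the length field itself plus the payload, but not the marker.
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def parse_segments(data):
    """Return ([(marker, payload), ...], offset_of_SOS) for the header segments.

    The length field comes straight from a file on the SD card, so it is
    bounds-checked before use; a decoder that trusts it and copies `length`
    bytes into a fixed buffer is the classic image-parser overflow.
    """
    if data[:2] != SOI:
        raise ValueError("missing SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:  # start of scan: entropy-coded image data follows
            return segments, pos
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment 0x{marker:02X} at {pos} claims {length} bytes past EOF")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker found")


def header_is_well_formed(data):
    try:
        parse_segments(data)
        return True
    except ValueError:
        return False


def identify_hash(data):
    """Find which segment stores a plain digest, of which algorithm, over what.

    Returns a dict or None. None for an otherwise intact file means no keyless
    digest fits: an HMAC or a signature looks the same on disk but cannot be
    reproduced without the key.
    """
    segments, body_start = parse_segments(data)
    image_data = data[body_start:]
    for idx, (marker, payload) in enumerate(segments):
        others = b"".join(make_segment(m, p) for i, (m, p) in enumerate(segments) if i != idx)
        regions = {
            "image data only": image_data,
            "whole file minus this segment": SOI + others + image_data,
        }
        for region_name, region in regions.items():
            for algo_name, algo in ALGORITHMS.items():
                digest = algo(region).digest()
                for encoding, needle in (("raw", digest), ("hex", digest.hex().encode())):
                    offset = payload.find(needle)
                    if offset != -1:
                        return {"algorithm": algo_name, "region": region_name,
                                "segment": marker, "offset": offset, "encoding": encoding}
    return None


def build_sample(key=None):
    """Constructed stand-in for a screenshot: an Exif placeholder, a hypothetical
    vendor APP2 segment carrying the tag, then fake scan data. With `key` the
    tag is an HMAC-SHA256 instead of a bare SHA-256 (the keyed case)."""
    image_data = b"\xff" + bytes([SOS]) + bytes(range(256)) * 4 + EOI
    if key is None:
        tag = hashlib.sha256(image_data).digest()
    else:
        tag = hmac.new(key, image_data, hashlib.sha256).digest()
    exif = make_segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"\x00" * 16)
    vendor = make_segment(0xE2, b"vendor\x00" + tag)  # hypothetical layout
    return SOI + exif + vendor + image_data


if __name__ == "__main__":
    print(identify_hash(build_sample()))                   # sha256 over image data, APP2, offset 7
    print(identify_hash(build_sample(b"console-secret")))  # None: keyed tag, nothing to recompute
    print(header_is_well_formed(SOI + b"\xff\xe1\xff\xff" + b"x" * 10))  # False: lying length field
```

On a real screenshot you would pass the file's bytes to identify_hash and widen ALGORITHMS or the region list if the first pass finds nothing, before concluding the tag is keyed; a tag of digest length that never matches any recomputation is what an HMAC or signature looks like from the outside.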
 

Deleted User

(in reply to GerbilSoft)
Define those, I am not sure what those are (I know, I'm stupid).
 
