Hacking the Switch through the Album?

GerbilSoft

> Define those, I am not sure what those are (I know, I'm stupid).

HMAC = Hash-based message authentication code. Basically, you use a standard hash function, but add in a secret key. Nintendo DSi uses SHA1-HMAC for banners, which is why DSi-compatible flash carts use banners from licensed games instead of their own games.

RSA signature = using RSA public key cryptography to create a signature that validates the contents of some file. Usually this is done by taking a hash of the contents and then encrypting the hash using the RSA private key. The signature can be verified by decrypting the hash with the public key and comparing that hash with the actual hash. RSA signatures are used by the DSi and 3DS for virtually everything.

As far as I know, there are no general-purpose cracks for RSA signatures other than brute-force. However, that's assuming the implementation is working. The 3DS Boot ROM signature hax was only possible because the Boot ROM's RSA verification function is broken. (The main FIRM RSA verification is correct, though.)
 
Deleted User
> HMAC = Hash-based message authentication code. Basically, you use a standard hash function, but add in a secret key. Nintendo DSi uses SHA1-HMAC for banners, which is why DSi-compatible flash carts use banners from licensed games instead of their own games.
>
> RSA signature = using RSA public key cryptography to create a signature that validates the contents of some file. Usually this is done by taking a hash of the contents and then encrypting the hash using the RSA private key. The signature can be verified by decrypting the hash with the public key and comparing that hash with the actual hash. RSA signatures are used by the DSi and 3DS for virtually everything.
>
> As far as I know, there are no general-purpose cracks for RSA signatures other than brute-force. However, that's assuming the implementation is working. The 3DS Boot ROM signature hax was only possible because the Boot ROM's RSA verification function is broken. (The main FIRM RSA verification is correct, though.)

Alrighty! Thanks for letting me know. I'm assuming these things are stored outside of the image?
 

GerbilSoft

> Alrighty! Thanks for letting me know. I'm assuming these things are stored outside of the image?

I haven't checked yet, but it may or may not be. The signature and/or HMAC could be in some EXIF tags, or simply appended to the file, or stored in some extra database file somewhere.

The secret keys are definitely not stored in the image, though.
 
Deleted User
> Not confirmed that it is a hash or anything.
> But after checking the header, the only part that changes consistently between files and could contain a hash is this.

Alright. Thanks for letting me know. I have to work on my 3ds homebrew for a few hours, but later I can check it out.
 

SciresM

> Seems like the Switch signs the JPGs with hashes much like the DSi did. I suppose in time that will be cracked. It was for the DSi. Sadly we found no flaws in the JPG stuff on DSi. :(

I already documented how the hash works, post a few above yours references my tweet, it's just an sha256 hmac with a hard coded key lol -- eventually I'll probably make a tool but I tested and a custom "resigned" JPEG worked fine last night.
 
Deleted User
> I already documented how the hash works, post a few above yours references my tweet, it's just an sha256 hmac with a hard coded key lol -- eventually I'll probably make a tool but I tested and a custom "resigned" JPEG worked fine last night.

I assume then you have the hardcoded key?

Also, I'm happy my theory about the album was actually true.
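
The HMAC-versus-RSA distinction GerbilSoft describes, and the consequence of the hard-coded HMAC key SciresM mentions, as an added example that is not part of any post in this thread. The key, the sample bytes and the append-the-tag layout are constructed for illustration (the thread does not say where the Switch stores its tag), and the RSA half is unpadded textbook RSA on a toy modulus.

```python
import hashlib
import hmac

# Constructed demo values; not real console keys or a real file layout.
DEVICE_HMAC_KEY = b"constructed-demo-key-not-a-real-one"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def hmac_sign(key: bytes, body: bytes) -> bytes:
    """Return body with an HMAC-SHA256 tag appended (assumed layout)."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

def hmac_verify(key: bytes, blob: bytes) -> bool:
    """Split off the trailing tag and check it in constant time."""
    if len(blob) < TAG_LEN:
        return False
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

# Toy textbook RSA (no padding, tiny modulus) purely to show the key split.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537   # two Mersenne primes
N = P * Q                                # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never on the device

def digest_int(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N

def rsa_sign(body: bytes, d: int = D) -> int:
    return pow(digest_int(body), d, N)

def rsa_verify(body: bytes, sig: int) -> bool:
    """Uses only the public values (N, E)."""
    return pow(sig, E, N) == digest_int(body)

def demo() -> dict:
    original = b"\xff\xd8constructed JPEG-like bytes\xff\xd9"
    modified = original.replace(b"constructed", b"customised!")
    signed = hmac_sign(DEVICE_HMAC_KEY, original)
    tampered = modified + signed[-TAG_LEN:]          # body changed, old tag kept
    resigned = hmac_sign(DEVICE_HMAC_KEY, modified)  # needs only the verifier's key
    sig = rsa_sign(original)
    return {
        "hmac_original": hmac_verify(DEVICE_HMAC_KEY, signed),
        "hmac_tampered": hmac_verify(DEVICE_HMAC_KEY, tampered),
        "hmac_resigned": hmac_verify(DEVICE_HMAC_KEY, resigned),
        "rsa_original": rsa_verify(original, sig),
        "rsa_modified_old_sig": rsa_verify(modified, sig),
    }

if __name__ == "__main__":
    print(demo())
```

A verifier that embeds the HMAC key can be turned into a signer by anyone who reads that key out, whereas a verifier that embeds only an RSA public key cannot.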
 
