//
// This file should be used in the following way:
// - reload executable into IDA with using switch -c
// - use File, Load IDC file and load this file.
//
// NOTE: This file doesn't contain all information from the database.
//
#define UNLOADED_FILE 1
#include <idc.idc>

The following is a write-up of how I initially achieved kernel code execution on the Nintendo Switch, very much inspired by hexkyz's write-ups. The work discussed was completed over the course of a single conversation between hthh and me during the evening of November 21st, 2017. A number of snippets from that conversation are attached as inline links, in the hope that they'll be interesting to readers.

Background information

I would recommend that one read hexkyz's recent write-up on how the Switch was broken into via GPU DMA attacks. It's a great read!

In particular, he describes:

Additionally, the kernel itself would start allocating memory outside of the carveout region
@SciresM
SciresM / nx_bootloader_uncompress.c
Last active December 27, 2019 10:43
Quick and dirty NX bootloader uncompression code for 6.2.0+
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
typedef uint32_t u32;
typedef uint8_t u8;
from struct import unpack as up
import sys, os, hashlib
import zstandard as zstd
dirs, files = None, None
def read_at(fp, off, len):
    fp.seek(off)
    return fp.read(len)
@SciresM
SciresM / CMAC.py
Last active September 9, 2022 04:55
Script to decrypt/re-encrypt (resign) Splatoon 2 save files.
# -*- coding: utf-8 -*-
#
# Hash/CMAC.py - Implements the CMAC algorithm
#
# ===================================================================
# The contents of this file are dedicated to the public domain. To
# the extent that dedication to the public domain is not available,
# everyone is granted a worldwide, perpetual, royalty-free,
# non-exclusive license to exercise all rights associated with the
# contents of this file for any purpose whatsoever.
@SciresM
SciresM / nisasyst.py
Last active February 23, 2019 02:29
Script for decrypting Splatoon 2 resources.
import sys, os, struct, zlib
from Crypto.Cipher import AES
def u32(x):
    return (x & 0xFFFFFFFF)
KEY_MATERIAL = 'e413645fa69cafe34a76192843e48cbd691d1f9fba87e8a23d40e02ce13b0d534d10301576f31bc70b763a60cf07149cfca50e2a6b3955b98f26ca84a5844a8aeca7318f8d7dba406af4e45c4806fa4d7b736d51cceaaf0e96f657bb3a8af9b175d51b9bddc1ed475677260f33c41ddbc1ee30b46c4df1b24a25cf7cb6019794'
class sead_rand:
    '''Implements Splatoon 2's mersenne random generator.'''
#include <string.h>
#include <stdio.h>
#include <switch.h>
static Handle g_port;
static uint64_t g_procID;
#define MODULE_HBL 111
0xbc100: ; save start
mov x19, x0
mov x0, #0xC0000000
adrp x1, #0x15000
ldr x1, [x1, #0x730]
ldr x1, [x1]
add x0, x1, x0
adrp x1, #0x15000
ldr x1, [x1, #0x668]
ldr x1, [x1]
@SciresM
SciresM / quest_enc_set.py
Created May 30, 2018 04:52
Encounter Set printer for Pokemon Quest
def print_set(p):
    ind_lvl = 0
    def printf(s, lvl = ind_lvl):
        s = '%s%s' % (' ' * ind_lvl, s)
        print s
        try:
            outf.write('%s\n' % s)
        except:
            pass
    printf('Pack: %s' % p)