Hacking Question Custom Screenshots on Switch?

Thread starter: Deleted User

Deleted User (Guest, OP):
https://twitter.com/SciresM/status/885694921696354305
I might be a bit late, but this guy on Twitter was able to transfer saves from one console to another, get custom screenshots etc. (I heard some hackers say that once you get access to your Switch saves, the security is a joke.) But for now, how would I get custom screenshots on my Switch? I have edited a screenshot and it just tells me that it is corrupted or damaged or something. I just wanna test something. I use paint.net and it retains the image info, but it doesn't work on the Switch. (It works on PC and every device I try.)
 
Deleted User (Guest, OP):
I know that you cannot make an exploit out of this, I wasn't asking, I just wanna try out custom screenshots.
 

jakerman999:
TL;DR: It's not a simple hex edit :(

The Switch won't look at an image unless it has the same timestamp as one that's already in memory. This means you either need to use an editor that doesn't alter the timestamp, or change the timestamp back after editing. This is fairly trivial.

But meeting that requirement doesn't mean the Switch will display the image yet. It now makes a copy of the image, makes the timestamp 0, hashes that copy and compares the hash to another that was saved with the timestamp that the image matches. The hash that is being compared against was generated from the screenshot taken at the timestamp. So how do we get our image to have the same hash as the one in memory (the original)?

Option A) hash collision. The new image has extra data added or some parts altered slightly to make the hash the same as the stored one. This is hard, as the nature of a hash means we can't use a formula to figure out what we need to change/add; it's guess-and-check, which means brute force. This borders on impossible, as to figure out the hash we need to know what number the Switch uses to make the hash. Solving this takes breaking the Switch's crypto once and then a brute force for every picture you want to import.

Option B) change the hash in memory. Run the new image through the Switch's hash function, and overwrite the old hash with the new one. I believe this is what @SciresM has done, although I can only speculate how. PegaSwitch might be able to do it, or it might be a product of smhax, or some other unannounced [noun].

Option C) patch the hash check to always return true, or the image display to not care about a wrong hash (signature patching iirc). This probably requires TrustZone or at least kernel-level code execution. Not likely.

Option D) ???
 
Deleted User (Guest, OP):
So making the edited photo's properties the same as the Switch, as in the same date the screenshot was taken on the Switch and making sure it is the same file size?
 

DarkIrata:
Well, first of all: you can edit posts and don't need to make multiple posts.
Only SciresM can say more about how it currently works.
 

Dann_:
(quoting jakerman999's post above)
Hmm, doesn't it actually hash it on the fly instead of obtaining the hash from memory? Pretty sure it says so on Switchbrew, and hashing it is as easy as zeroing out the MakerNote and hashing it with a private key that has already been leaked by SciresM.
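A model of the check that jakerman999 and Dann_ describe (a timestamp gate, then a keyed hash over a copy of the file with the MakerNote slot zeroed), written for this thread as an added example. It is not the Switch's real file format, key or code: the record layout, the field sizes, the stored-timestamp set and the device key are all constructed assumptions. It shows why an edited image whose timestamp is left intact still comes back as "corrupted".

```python
import hashlib
import hmac
import struct

# Constructed layout for this model (NOT the Switch's real screenshot format):
#   8 bytes  big-endian capture timestamp
#  32 bytes  "MakerNote" slot that carries an HMAC-SHA256 tag
#  rest      pixel data
TS_LEN, TAG_LEN = 8, 32
HDR_LEN = TS_LEN + TAG_LEN


def _tag(device_key: bytes, record: bytes) -> bytes:
    # Hash a copy with the MakerNote slot zeroed, so the tag covers the
    # timestamp and every pixel byte but never covers itself.
    zeroed = record[:TS_LEN] + b"\x00" * TAG_LEN + record[HDR_LEN:]
    return hmac.new(device_key, zeroed, hashlib.sha256).digest()


def capture(device_key: bytes, timestamp: int, pixels: bytes) -> bytes:
    # What the console would do when it takes a screenshot (model only).
    record = struct.pack(">Q", timestamp) + b"\x00" * TAG_LEN + pixels
    return record[:TS_LEN] + _tag(device_key, record) + pixels


def verify(device_key: bytes, known_timestamps: set, record: bytes) -> str:
    """Return 'ok' or the reason the image would be rejected."""
    if len(record) < HDR_LEN:
        return "truncated"
    ts = struct.unpack(">Q", record[:TS_LEN])[0]
    if ts not in known_timestamps:
        return "unknown timestamp"      # the first gate jakerman999 describes
    stored = record[TS_LEN:HDR_LEN]
    if not hmac.compare_digest(stored, _tag(device_key, record)):
        return "hash mismatch"          # the "corrupted" result the OP sees
    return "ok"


def demo():
    key = b"constructed-device-key-not-real"   # assumption: per-device secret
    pixels = bytes(range(256)) * 4            # stand-in for JPEG data
    original = capture(key, 1_500_000_000, pixels)
    known = {1_500_000_000}
    # Edit one pixel byte but keep the header: timestamp gate passes,
    # keyed hash does not, because the key is needed to recompute the tag.
    edited = original[:HDR_LEN] + b"\xff" + original[HDR_LEN + 1:]
    # Change the timestamp as well: rejected before any hashing happens.
    retimed = struct.pack(">Q", 1) + original[TS_LEN:]
    return (verify(key, known, original),
            verify(key, known, edited),
            verify(key, known, retimed))


if __name__ == "__main__":
    print(demo())   # ('ok', 'hash mismatch', 'unknown timestamp')
```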
 
