Mary Guillemard marysaka

This is a small repository that aims to document some fun kernel patches I have come up with while reverse engineering the kernel. They're meant to be useful for debugging various things.

You can easily apply those patches by getting the appropriate Kernel.bin, and applying them in a hex editor. The format is: offset origvalue => newvalue offset. They are made with radiff2. (If anyone knows of a better way to create binary patches, I'd love to hear it). Another way to test those patches is to use Hekate, which recently got kernel patching support (https://github.com/nwert/hekate/blob/master/ipl/pkg1.c#L71, thanks @CTCaer ^^)

I try to document what each patch does. If something is missing or wrong, feel free to leave a comment!

Have fun!

Muh Switch Keys

So you want to decrypt switch content ? Well, the good news is that all the tools required to do that are written up! The great news is, since this is crypto we're talking about, you'll have to find the keys. Yourself. Like it's easter.

So here you can find a template of the $HOME/.switch/prod.keys file that hactool uses to decrypt content. It contains all the SHA256 and location of the keys and seeds, so you can find them yourselves.

Note that all the seeds (the keys that end with _source) are used along with the master_key_## to derive an actual key. If you have somehow obtained the key without the seed, you can rename xxx_source to xxx_## (where ## is the master key number) and put your key there.

How the heck do I obtain dem keys ?

Cart Command

int CartCommand(char cmd, int data1, int data2)
{
  CARDCMD_0 = cmd;
  CARDCMD_1 = BYTE3(data1);
  CARDCMD_2 = (unsigned int)(data1 << 8) >> 24;
  CARDCMD_3 = (unsigned int)(data1 << 16) >> 24;
  CARDCMD_4 = data1;

	# This code is very hacky, please excuse the nonsensical variable/function naming
	# See https://twitter.com/David3141593/status/1442883432925773829 for context
	# Derived from this implementation of XXHASH64: https://github.com/Cyan4973/xxHash/blob/dev/xxhash.h

	from xxhash import xxh64

	XXH_PRIME64_1 = 0x9E3779B185EBCA87
	XXH_PRIME64_2 = 0xC2B2AE3D27D4EB4F
	XXH_PRIME64_3 = 0x165667B19E3779F9
	XXH_PRIME64_4 = 0x85EBCA77C2B2AE63

	#!/bin/bash
	print_trans() {
	printf "\x1b[38;2;091;206;250m\x1b[48;2;091;206;250m██████████████████\x1b[0m\n"
	printf "\x1b[38;2;254;169;184m\x1b[48;2;254;169;184m██████████████████\x1b[0m\n"
	printf "\x1b[38;2;255;255;255m\x1b[48;2;255;255;255m██████████████████\x1b[0m\n"
	printf "\x1b[38;2;254;169;184m\x1b[48;2;254;169;184m██████████████████\x1b[0m\n"
	printf "\x1b[38;2;091;206;250m\x1b[48;2;091;206;250m██████████████████\x1b[0m\n"
	}

	print_lesbian() {

	from idautils import *
	from idaapi import *
	from idc import *
	from ida_hexrays import *
	from ida_bytes import *
	from ida_funcs import *

	SVC_MAPPINGS = {
	0x01 : ("SetHeapSize", "Result %s(uintptr_t *out_address, size_t size);"),
	0x02 : ("SetMemoryPermission", "Result %s(uintptr_t address, size_t size, MemoryPermission perm);"),

	#define UNLOADED_FILE 1
	#include <idc.idc>

	static main(void)
	{
	// set 'loading idc file' mode
	set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC\|get_inf_attr(INF_GENFLAGS));
	GenInfo(); // various settings
	Segments(); // segmentation
	Enums(); // enumerations

	♫

	You're sitting at your desk,
	coding away with no rest.
	Many little things to fix.
	Did you know asie likes unix?

	Stuck inside a loop, no break in sight.
	Looks like I'll be staying up all night.
	Though I'm already tired, it feels like I'm wired.