The Ninja leak occurred on the 22nd December 2020 and is named after the contents containing information that prove the long-standing Nintendo “Ninja” myth.
Including stalking and intimidation of a Nintendo 3DS developer who is well respected in the scene known as Neimod.
Note that as Nintendo kept private information about this individual such as real name, address and parents information, it is not recommended to share this information, and none of that information will be in this article.
Files leaked:
NintendoSDK_fromSSD_IKEDA_20151124.zip - Old 2015 Switch SDK
Documents.7z (901.8 MB) - Anti-piracy Related documents
Secure.7z (570.2 MB) - Security related documents
Documents.7z
The Documents archive contains exactly what it says on the tin, internal documents related to security of the 3DS, Switch and WiiU Amiibos.
Root files
The files at the root after extracting the directory are:
In some of the presentation files a number of acronyms are mentioned, we will list what they mean here.
ASIC - Application-specific integrated circuit
HASP - Firmware Generation Tool
HSM - Hardware Security Module (Signing Device)
MITM - Man in the Middle Attacks
NCL - Nintendo Central Location in Japan
NTD - Nintendo Technology Development (North American Nintendo division)
NUP - Nintendo Update - used to talk about the 3DS firmware version
PSEG - ?
PCSG - ?
Security team management files (/セキュリティチーム運営)
This is where the Ninja part of the name comes from, Nintendo has documented proof of stalking and intimidating consumers who managed to find any exploits for the 3DS.
The root folder only contains one document called NXT1_revoke_toNishiurasan.pptx which is simply a diagram of the security mldel used on the 3DS.
The folder is split into two sections:
セキュリティ仕様書 - Security specifications
プロジェクト - project
Security specifications (/セキュリティ仕様書)
This folder contains a list of useful security specifications for various consoles and even android. This is to give the developers context as to what security systems are available.
The files in this folder are:
CTR - 3DS security specifications
DRM - 3DS Digital Rights Management specifications
DS - Nintendo DS specifications
DSP_support_200_100903-internal - Documentation for the Nintendo DS Anti-Piracy tool DSProtect
RFC 5756 - Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters.mht
Visio-マスタリング・OLSデータフロー_20100426.pdf - Mastering / OLS Data Flow_20100426
drm-module-image.pdf
drmArch140324_disclosedToIAAB.pdf
drmArch140324_disclosedToIAAB.pptx
drmArch140402_disclosedToIAAB.pdf
drmArch140402_disclosedToIAAB.pptx
新しいフォルダー - contains a diagram showing the security of the entire system
The file drmArch140402_disclosedToIAAB.pdf is well worth checking as it is a diagram showing the entire security from game creation to game installing. It is also completely in english!
This folder just contains a single document called 111027_Detection which is a spreadsheet of the Card ROM header values for each Card size, in Hex, Decimal and even binary!
NewSwitch
This folder contains the following files:
SecurityPORmeeting.pptx
SecurityPORmeeting_GameCart.pptx
SoC
on_the_rotor_head.jpg
セキュリティ設計検証 - Security design verification
極小署名 - Minimal signature
3DS Zorro signature tool (/Niji)
This folder contains the following files:
CTR_MW-Zorro
CTR_MW-Zorro_20150916alpha.zip
CTR_MW-Zorro_20160122.zip
CTR_MW-Zorro_alpha
OPSSR_project.pptx
NorthPort
This folder contains the following files:
AP-114750851-080316-2251-1880.pdf
プレゼンテーション1.pptx
プレゼンテーション1.thmx - same as above but in different Powerpoint format
This folder contains a folder called データ書込みソフト_セキュリティホール確認用_20140509 (Data writing software For checking security holes) which contains the following files:
CTR_TRIAL
CTR_TRIAL.zip - zipped version of CTR_TRIAL
HwCheck_Import
HwCheck_Import.zip - zipped version of HwCheck_Import
新井さん下村さん案件
This folder contains the following files:
FSL_Roadmap update_20140716.pdf
IMX6DQ6SDLSRM.pdf
IMX6DQRM.pdf
NDES-56759045-250814-1402-614.pdf
i MX7 Security Document 8-5-2014.pdf
必要なセキュリティ要件.pptx - Required security requirements
必要なセキュリティ要件.pptx.gpg - GPG version of above
新しいテキスト ドキュメント.txt
General purpose SoC (汎用SoC)
This folder contains the following files:
ContentsDistributionDesign.png
GameSecurity-j.pdf
Mobile App Integrity Protection Handbook.pdf
NTD_20140424.txt
img-X10175644.pdf
新しいフォルダー - contains pdf of Mobile App Integrity Protection Handbook in japanese by ARXAN
新規 Microsoft Visio 図面.vsd
汎用SoC.pptx
Nintendo 3DS (/CTR)
The files in the folder are:
32C3 - screenshots from the Breaking the 3DS 32C3 talk
win32diskimager-v0.9-binary.zip - Image Writer for Windows from SourceForge (LGPL license)
新しいフォルダー - Translated to new folder - duplicate of 32C3 folder contents
新しいフォルダー (2) - another new folder simply containing 32c3.txt
Most of the files in this folder are screenshots from the 32C3 talk by Smealum, derrek and plutoo.
Also contains the 32c3.txt document in japanese which contains the main hacks and notes on when they will be patched in the next 3DS update (NUP).
3DS /PCSG
The files in this folder are:
AP-20151218-Boot9Dumping-140316-1457-2496.pdf - Document describing a security flaw to dump Boot9 on the 3DS using an FPGA
AP-AES_SLOT.pdf - AES SLOT KEY exposure status
AP-NTRCARDHAX.pdf - document describing the memory overflow in process9 aka “NTRCARDHAX”
LatourCrypt修正3.pdf - LatourCrypt Fix 3 (Diagram of Switch hardware security)
Switch開発カードレビュー.pptx - Switch Development Card Review
The Development Card review Powerpoint presentation is very interesting it provides Attack scenarios for how hackers would get around the security of the NAND storage.
Development card and diagrams to show the security to prevent Man in the Middle attacks (MITM).
Global Anti-Piracy Team (/GlobalAPteam)
The files in this folder are:
GlobalAPteamKickoff.pptx - Presentation on the introduction to a global Anti-Piracy team
NTD - Nintendo Technology Development documents
security meeting with ntd 20170418.pdf - Mind map of meeting with japan and NA teams
security meeting with ntd 20170419.pdf - Another Mind map of meeting
The GlobalAPteamKickoff.pptx presentation is interesting (if you can get over the terrible spelling) as it covers the goals of the Anti-Piracy team which has members from all 3 Nintendo studios (NTD, NERD and NCL).
The mind maps are also worth a look as they highlight the problems a big company like Nintendo can have allocating time for security issues. They are not given as much time compared to brand new features and seems to be no full-time security experts at all.
NTD Exploit presentations (/GlobalAPteam/ntd)
In this folder we have some presentations that are both worth a read if you are interested in exploits:
NTD-security-slides-v2.pptx - Really interesting presentation of the vulnerabilities of ARM7 BPMP and others
Rand_Exploit_Raptor.pptx - Presentation from NVIDIA on the Random Number bug for Switch (December 2016)
Secure.7z
When the archive has been extracted it contains the following contents:
CTR-ROM-IDフォーマット.xls - 3DS ROM format based on the maker of the ROM (e.g Sandisk, KMC..)
GCIP_RTL - Switch Game Cartridge hardware simulator software
Lotus3Brom
NewFormat - 3DS CCI Format
ROM-ID_100421okisemi.xls - 3DS ROM forwat for OKI Semiconductor chips
Swtich
ウェハ取れ数計算_140728.xls - Wafer removal number calculation
カード関連仕様書 - Card-related specifications
**マリオカート8のROM容量の内訳と解像度比からサイズ縮小を検討.pdf - Mario Kart 8 ROM capacity
情報開発見積もり** - Information development estimate
鍵 - Card key files
Switch Game Cartridge IP (/GCIP_RTL)
This folder contains files for both the Game Cartridge chips known as MontBlanc and the Design Simulation Model (DSM) for the ARM Cortex M4.
Files in this folder are:
Cortex_M4_DSM_license_NTD - contains license file for the Cortex M4
Cortex_M4_DSM_license_NTD.zip - archive of the Cortex_M4_DSM_license_NTD folder
stmicroelectronics_montblanc_vp_2.4.1-GC_NCL
stmicroelectronics_montblanc_vp_2.4.1-GC_NCL.tar.gz - archive of the stmicroelectronics_montblanc_vp_2.4.1-GC_NCL folder
The Mont-Blanc GC Virtual Platform by STMicroelectronics was used by Nintendo for simulating Game Cartridges (GC).
Since these documents were created in 2014 it is very likely that this is for the Nintendo Switch.
Switch Game Card Lotus3 Boot ROM code (/Lotus3Brom/src)
This folder contains the source code for the Game cartridge BootROM firmware called “Lotus” version 3 written by MegaChips Corporation in 2015.
Files in this folder are:
crypt - contains PKCS1_Decode in pkcs1.c
driver - contains the main source code modules
main.c - main starting point for boot ROM
mpu.c - Main Microprocessor code
mpu.h - header for mpu.c
mpu_reg.h - register for MPU
Driver Source files
The driver sub folder contains the main code for each module that makes up the entire Game Cartridge BootROM.
These source files look like they have been generated from a hardware description language such as Verilog, and contain “register” files which are common in HDLs.
Name
Description
aes.c
Advanced Encryption Standard (AES) module
aes.h
Advanced Encryption Standard header
aes_reg.h
Advanced Encryption Standard register
bol.c
Boot Loader driver
bol.h
Header file for Boot Loader driver
bol_reg.h
Boot Loader Register
copy.c
memory copy code (Peripheral to Peripheral)
copy.h
ctl.c
Controller module
ctl.h
Header for Controller module
ctl_reg.h
Controller module register
dma.c
Direct memory access module
dma.h
Direct memory access header
dma_reg.h
Direct memory access register
emmc.c
embedded Multi-Media Controller module
emmc.h
embedded Multi-Media Controller header
fifo.c
First In first Out module
fifo.h
First In first Out module header
fifo_reg.h
First In first Out module register
lts3.h
Main lotus3 header
otp.c
otp.h
otp_reg.h
rnd.c
Random number module
rnd.h
Random number header
rnd_reg.h
Random number register
rom.h
ROM data header
rom_reg.h
ROM data register
rsa.c
Rivest-Shamir-Adleman (RSA) encryption module
rsa.h
RSA header
rsa_reg.h
RSA register
sha.c
Secure Hash Algorithm module
sha.h
Secure Hash Algorithm header
sha_reg.h
Secure Hash Algorithm register
startup_lts3.s
wgn.c
wgn.h
wgn_reg.h
3DS CCI format (/NewFormat)
This folder contains 3DS Cart images (.cci) which have an unknown purpose, probably just to show off the NCSD file format.
Files in this folder are:
Invalid-PROD0.cci
Invalid-PROD0.cci.bak - old version of Invalid-PROD0.cci
Invalid-PROD1.cci
Invalid.cci.bak
demo1-11_0-PROD0.master.cci
demo1-11_0-PROD1.master.cci
Switch private key certificates (/Swtich)
Files in this folder are:
AsicPrivKey - Private key for Game Card BootRom
CardHeader - Tool to build Game Cards
CardKensa - Test Card certificates
DevL3Cert - Level 3 Dev game card certificate
FwSigner - Tool for signing the Game card firmware
Package_20150902
aes_ccm - code for AES encryption in CCM mode
aes_ccm_old - old code for above
cardheader_gen - script for generating card header binary data
(/Swtich/Package_20150902)
This folder contains documentation from MegaChips about their simulation environment for Lotus game cards.
Files in this folder are:
LotusメモリエミュレーションFPGAボードPC用ライター仕様書 - Lotus Memory Embroidery FPGA Board PC Writer Specifications
MPTool_NCL_v3.0 - Mass Production Tool version 3 by MegaChips