useful for assisting with achieving the recreation of a signed NCCH header, requires dumped ARM9 ITCM (obtainable via gm9 in M:/itcm.mem), extheader.bin and ncch.bin in the current working directory

verify_ncch_extheader_signature.py

from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 as pd
from cryptography.hazmat.primitives.hashes import SHA256 as sha256
from cryptography.hazmat.primitives.asymmetric import rsa
import cryptography.hazmat.backends

with open("ncch.bin", "rb") as f:
    ncch_sig = f.read(0x100)
    ncch_header_data = f.read(0x100)

with open("extheader.bin", "rb") as f:
    f.seek(0x400)
    accessdesc_sig = f.read(0x100)
    accessdesc_data = f.read(0x300)
    ncch_pkey_raw = accessdesc_data[0:0x100]

with open("arm9_itcm.bin", "rb") as f:
    f.seek(0x4A00)
    accessdesc_pkey_raw = f.read(0x100)

def lebytes(bytes: bytes) -> int:
    return int.from_bytes(bytes, "little")

try:
    ncch_pkey = rsa.RSAPublicNumbers(0x10001, int.from_bytes(ncch_pkey_raw, byteorder="big")).public_key(cryptography.hazmat.backends.default_backend())
    ncch_pkey.verify(ncch_sig, ncch_header_data, pd(), sha256())
    print("NCCH signature: GOOD!")
except:
    print("NCCH signature: BAD!")

try:
    accessdesc_pkey = rsa.RSAPublicNumbers(0x10001, int.from_bytes(accessdesc_pkey_raw, byteorder="big")).public_key(cryptography.hazmat.backends.default_backend())
    accessdesc_pkey.verify(accessdesc_sig, accessdesc_data, pd(), sha256())
    print("ExHeader accessdesc signature: GOOD!")
except:
    print("ExHeader accessdesc signature: BAD!")