Hacking rxTools with Signatures patched out!

Status
Not open for further replies.

djricekcn

two setups
9.2 3DSXL with CUBIC NINJA or 4.5 with GATEWAY.

only tried it with the 4.5 3DS since I have no idea how to do it with 9.2 (and hopefully I'm doing it right with 4.5)
I repeated the cycle at least 5 times
 

johnboyjr

two setups
9.2 3DSXL with CUBIC NINJA or 4.5 with GATEWAY.

only tried it with the 4.5 3DS since I have no idea how to do it with 9.2 (and hopefully I'm doing it right with 4.5)
I repeated the cycle at least 5 times
All I get is a black screen too.
 

leerz

two setups
9.2 3DSXL with CUBIC NINJA or 4.5 with GATEWAY.

only tried it with the 4.5 3DS since I have no idea how to do it with 9.2 (and hopefully I'm doing it right with 4.5)
I repeated the cycle at least 5 times
can't do it in gw mode.
9.2, launch rx via web, make sure you are using rxtools.dat from the OP;
for your 4.5, launch rx, make sure you have keyx, update emunand to latest fw.

Also ensure you have the right keyx file and that its contents are correct; otherwise you will get a black screen.
 

djricekcn

on the 4.5, the emunand is on RX9.8 (when i boot into RX from browser, booting up GW will also give me 9.8 emunand), key files are in the root of the SD (3DS Side) since the 3ds ==> .cia days
 

djricekcn

maybe your ssb dump is faulty?

Not sure which one is the ssb dump, but I tried redownloading rx and the firmware it created multiple times.

If you're talking about Super Smash Brothers, I'm not even trying to boot that... just trying to boot up GBA.
 

Suiginou

Alrighty then, who wants to unpack rxTools and do what they want on their own?

Here are four tools you can use to unpack and repack rxTools.
https://mega.co.nz/#F!Dc8HlRIR!uBhpFbwUWEZ5tRajs-f1lg

rxTools Unpacker:
This tool will decrypt and unpack rxTools for you, and you should get two files: main.dat and filepack.dat.
This utility is drag 'n' drop.

rxTools Packer:
This does the opposite. It will pack and encrypt main.dat and filepack.dat into rxTools.dat.
This utility should be run in the same directory as main.dat and filepack.dat.

filepack Unpacker:
This will unpack filepack.dat, and it should give you four files: file000-003.bin
This utility is drag 'n' drop.

filepack Packer:
This will pack filepack.dat back together.
This utility should be run in the same directory as file000-003.bin

Here are their sources:
rxTools Unpacker: http://pastebin.com/ZWuWc6SV
rxTools Packer: http://pastebin.com/wqEKc7Gi
filepack Unpacker: http://pastebin.com/303DAJ1a
filepack Packer: http://pastebin.com/sfyaRv6X

Extra:

FIRM patches are stored in file002.bin from filepack.dat.

The format of file002.bin is fairly simple:
0x00-0x03: Number of patches.

Directly after are the patches:
0x00-0x03: Offset in FIRM
0x04-0x07: Size of data to write
0x08-0x...: Data to write

If you don't feel like parsing them, they're also here: http://pastebin.com/fazkjHRn

The rxTools splash screen is file003.bin from filepack.dat.
makebgr.bat from here: https://gbatemp.net/threads/release...-x-cfw-with-customizable-boot-options.388071/ does the trick.

Again, thanks to @Apache Thunder for testing.

Thanks for the release! I found an interesting bunch of strings regarding a possible MSET downgrader that probably doesn't work.

Hopefully these patches can be ported over to 9.2 (though I still need to locate the part where 9.6 NATIVE_FIRM is decrypted and loaded to adjust the IV for decrypting and validation; I'm assuming the payload is loaded into memory offset around 0x0800000) to keep kernel hax working.

https://github.com/yellows8/ropgadget_patternfinder should massively help with that.
 
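
The file002.bin layout quoted above (a u32 patch count, then for each patch a u32 FIRM offset, a u32 size and the data) is simple enough to parse and re-pack in a few lines. The following Python is an added example written for this page; it is not code from the original post, from AHP_person's tools or from rxTools. It assumes the u32 fields are little-endian (the post does not say; the 3DS ARM9 is little-endian) and runs on constructed sample bytes rather than a real dump. Beyond what the post describes, it adds the two checks a practitioner wants before touching a FIRM image: every declared size is validated against the file, and a patch whose offset plus size falls outside the FIRM is refused instead of being written.

```python
import struct
import sys

# Assumption (not stated in the post): the u32 fields are little-endian, as the
# 3DS ARM9 is a little-endian core. Flip "<" to ">" if a real dump disagrees.
U32 = struct.Struct("<I")
PATCH_HDR = struct.Struct("<II")  # offset in FIRM, size of data to write


def parse_file002(blob: bytes) -> list[tuple[int, bytes]]:
    """Parse file002.bin: u32 count, then count entries of
    (u32 FIRM offset, u32 size, size bytes of data). Every length is
    checked against the buffer so a truncated or corrupt file raises
    instead of silently yielding garbage patches."""
    if len(blob) < U32.size:
        raise ValueError("file002.bin: shorter than the 4-byte patch count")
    (count,) = U32.unpack_from(blob, 0)
    pos = U32.size
    patches = []
    for i in range(count):
        if pos + PATCH_HDR.size > len(blob):
            raise ValueError(f"patch {i}: truncated offset/size header")
        offset, size = PATCH_HDR.unpack_from(blob, pos)
        pos += PATCH_HDR.size
        if size > len(blob) - pos:
            raise ValueError(f"patch {i}: size {size:#x} runs past end of file")
        patches.append((offset, bytes(blob[pos:pos + size])))
        pos += size
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing byte(s) after the last patch")
    return patches


def build_file002(patches) -> bytes:
    """Inverse of parse_file002: serialize (offset, data) pairs back to file002.bin."""
    out = bytearray(U32.pack(len(patches)))
    for offset, data in patches:
        out += PATCH_HDR.pack(offset, len(data)) + data
    return bytes(out)


def apply_patches(firm: bytes, patches) -> bytes:
    """Write each patch into a copy of the FIRM image, refusing any patch that
    would land outside the image (a bad offset here means a bricked console)."""
    buf = bytearray(firm)
    for offset, data in patches:
        if offset + len(data) > len(buf):
            raise ValueError(
                f"patch at {offset:#x} ({len(data)} bytes) exceeds FIRM size {len(buf):#x}")
        buf[offset:offset + len(data)] = data
    return bytes(buf)


def describe(patches) -> list[str]:
    """Human-readable listing, one line per patch, for eyeballing a dump."""
    return [f"{i}: FIRM+{off:#010x} size={len(data):#x} data={data.hex()}"
            for i, (off, data) in enumerate(patches)]


# Constructed sample data (not a real rxTools dump): two patches writing
# ARM "nop" (e320f000) and "mov r0, #1" (e3a00001) into a 512-byte dummy FIRM.
SAMPLE_PATCHES = [
    (0x010, bytes.fromhex("00f020e3")),
    (0x100, bytes.fromhex("0100a0e3")),
]
SAMPLE_FILE002 = build_file002(SAMPLE_PATCHES)
SAMPLE_FIRM = bytes(range(256)) * 2


def demo() -> bytes:
    """Round-trip the sample through the parser and apply it to the dummy FIRM."""
    patches = parse_file002(SAMPLE_FILE002)
    assert patches == SAMPLE_PATCHES
    return apply_patches(SAMPLE_FIRM, patches)


if __name__ == "__main__":
    # Usage: python file002.py [path/to/file002.bin]; with no argument the sample is listed.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE002
    print("\n".join(describe(parse_file002(data))))
```

Run it against the file002.bin produced by the filepack unpacker to list the patches, or edit the `(offset, data)` list and call `build_file002` to produce a new file002.bin for the packer. The strict trailing-bytes check is deliberate: if a repacked file002.bin has the wrong count or a stray byte, it is better to find out here than after the patched FIRM is loaded.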

AHP_person (OP)
Thanks for the release! I found an interesting bunch of strings regarding a possible MSET downgrader that probably doesn't work.

Hopefully these patches can be ported over to 9.2 (though I still need to locate the part where 9.6 NATIVE_FIRM is decrypted and loaded to adjust the IV for decrypting and validation; I'm assuming the payload is loaded into memory offset around 0x0800000) to keep kernel hax working.
I wish you good luck.
 

pedrobarca

Have any of the exploit developers apologized to Nintendo for what they did? :P
Nintendo is not a member of this forum and not part of the scene. The purpose of this community is to work together and against each other. If Roxas decides not to work on rxTools anymore, who will update it when fw 10.0 gets released? Pissing Roxas off was an incredibly stupid idea, especially since he considered removing sig checks anyway.
 

thekarter104

Yep, almost everyone migrated to the rxTools with sig checks patched out anyway.

Let's see what happens when the next 3DS FW will be out, only time will tell.
And even that, I'll stay on RX-E 9.8 anyway.

Works fine in official rx-mode with retail smash carts.

I didn't know there was a v1.08 of Smash already. v1.07 works for me at least and doesn't say that there's a new update, unless there's a new update that came out literally an hour ago XD

EDIT: Yep
http://en-americas-support.nintendo...-to-update-super-smash-bros.-for-nintendo-3ds

Adjustments have also been made for a more pleasant gaming experience.

LOOOOOOOOOOOOOOOOOL
 

dandymanz

Nintendo is not a member of this forum and not part of the scene. The purpose of this community is to work together and against each other. If Roxas decides not to work on rxTools anymore, who will update it when fw 10.0 gets released? Pissing Roxas off was an incredibly stupid idea, especially since he considered removing sig checks anyway.

If I remember correctly, Roxas was working on implementing some sort of "whitelist" for his emuNAND support, which basically means he chooses a predefined list of CIAs that you can install and run on your emuNAND. I'm quite sure he wasn't planning to remove all signature checks in his next release. And if that's the case, it really doesn't matter, fw10.0 or not.
 

pedrobarca


zero2exe

If I remember correctly, Roxas was working on implementing some sort of "whitelist" for his emuNAND support, which basically means he chooses a predefined list of CIAs that you can install and run on your emuNAND. I'm quite sure he wasn't planning to remove all signature checks in his next release. And if that's the case, it really doesn't matter, fw10.0 or not.
Well, it DOES matter for people like me who right now only actually need the emuNAND because we have no Gateway. Sure, signature patching would have been nice, but just because it doesn't give a fully opened system to run whatever you want doesn't mean it doesn't matter if the CFW gets updated with the upcoming firmwares. I kind of like keeping access to web browser exploits while still being able to access the eShop for updates, you know?
 

dandymanz


Yes, in that post he specifically stated "About signature disabling, it's something i'll decide later." He did not announce any ETA for that, which I believe stems from this view he made earlier.
http://gbatemp.net/threads/wip-karl...ninjhax-loadcode.382113/page-121#post-5399810

Also, he has made a very clear stand on sig patches in these posts before, so i kind of doubt he would be releasing anything soon.
http://gbatemp.net/threads/release-...oolkit-fw-2-0-9-2.382782/page-16#post-5386169
http://gbatemp.net/threads/release-...oolkit-fw-2-0-9-2.382782/page-87#post-5440391
http://gbatemp.net/threads/release-...oolkit-fw-2-0-9-2.382782/page-88#post-5440451

In all, I can understand why he would be upset with rxTools being hacked open, but it is something that is bound to happen sooner or later. Even Gateway had its clones before.

Well, it DOES matter for people like me who right now only actually need the emuNAND because we have no Gateway. Sure, signature patching would have been nice, but just because it doesn't give a fully opened system to run whatever you want doesn't mean it doesn't matter if the CFW gets updated with the upcoming firmwares. I kind of like keeping access to web browser exploits while still being able to access the eShop for updates, you know?

There is an eShop spoofer. I'm currently using that on my N3DS 9.5 emuNAND to get updates from the eShop and in-game DLCs. You can use that too.
 

pedrobarca

Yes, in that post he specifically stated "About signature disabling, it's something i'll decide later." He did not announce any ETA for that, which I believe stems from this view he made earlier.
http://gbatemp.net/threads/wip-karl...ninjhax-loadcode.382113/page-121#post-5399810

Also, he has made a very clear stand on sig patches in these posts before, so i kind of doubt he would be releasing anything soon.
http://gbatemp.net/threads/release-...oolkit-fw-2-0-9-2.382782/page-16#post-5386169
http://gbatemp.net/threads/release-...oolkit-fw-2-0-9-2.382782/page-87#post-5440391
http://gbatemp.net/threads/release-...oolkit-fw-2-0-9-2.382782/page-88#post-5440451

In all, I can understand why he would be upset with rxTools being hacked open, but it is something that is bound to happen sooner or later. Even Gateway had its clones before.
I haven't said he will remove the sig checks, I've just said he is considering removing them. He also stated that he'll decide later. Imo AHP_person should have at least waited until he had decided.
 

alantgw

It's way too over.
Tools for unpacking and packing rxTools?
Roxas would have made it open source if he meant to let others freely edit it.
 