Hacking Discussion Info on SHA-256 hashes on FS patches

ShadowOne333

Working fine here. This is the script I'm using atm - I slightly simplified it.

Code:
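#! /bin/bash
# Run from the directory that holds this script, hactool, keys.dat and MakeIPS.py.
cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1

mkdir -p dumped dumps files

for f in ./firmware/*.nca; do
    # Skip the unexpanded pattern when ./firmware holds no .nca files.
    [ -e "$f" ] || continue

    ncasize="$(wc -c < "$f")"
    ncaname="$(basename "$f")"

    # Size filter: only NCAs between 3145728 and 3450000 bytes are processed.
    if [ "$ncasize" -lt 3145728 ] || [ "$ncasize" -gt 3450000 ]; then
        continue
    fi

    echo Found "$ncaname" with size "$ncasize"

    # Every candidate is extracted into the same ./dumped directory.
    ./hactool -t nca -k ./keys.dat --disablekeywarns --romfsdir=./dumped "$f" &> /dev/null
done

# Unpack package2 -> INI1 -> FS.kip1, then write a decompressed copy of the FS KIP.
{
    ./hactool -t pk21 -k ./keys.dat --disablekeywarns --outdir=./dumps ./dumped/nx/package2
    ./hactool -t ini1 -k ./keys.dat --disablekeywarns --outdir=./files ./dumps/INI1.bin
    ./hactool -t kip1 -k ./keys.dat --disablekeywarns --uncompressed=./files/FS-dec.kip1 ./files/FS.kip1
} &> /dev/null

#mv 3meg/* firmware/
#rm -r {3meg,dumps,dumped}

python3 MakeIPS.py
#rm -r files/

# -n 1 returns on a single key press instead of waiting for Enter.
read -n 1 -s -r -p "Press any key to finish ..."
echo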

This is the output from the terminal window:

Code:
Found 0fd89afc0d0f1ee7021084df503bcc19.nca with size 3327488
Found 295926145fbd59982228a9c90f28c064.nca with size 3420160
Found 2ce2f151943a80fc719bd4179d7f6270.nca with size 3286528
Found 5c24763e70d04b110b25cddb1ad79c4c.nca with size 3430912
Found e399b2e4b955c41a211176371478e728.nca with size 3268608

IPS Offset patch address: 0xE3014
Press any key to finish ...
With your script it gave me the correct IPS @mrdude referred to.
I think this one's good for release alongside the .bat, all that's needed is the .txt formatting for Hekate inside the MakePatch.py and that should be it.
 

DarkMatterCore

Code:
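#! /bin/bash
# Run from the directory that holds this script, hactool, keys.dat and MakeIPS.py.
cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1

for f in ./firmware/*.nca; do
    # Skip the unexpanded pattern when ./firmware holds no .nca files.
    [ -e "$f" ] || continue

    ncasize="$(wc -c < "$f")"
    ncaname="$(basename "$f")"
    ncadirname="${ncaname%.*}"

    # Size filter: only NCAs between 3145728 and 3450000 bytes are processed.
    if [ "$ncasize" -lt 3145728 ] || [ "$ncasize" -gt 3450000 ]; then
        continue
    fi

    # Extract each candidate into its own directory so results are not overwritten.
    ./hactool -t nca -k ./keys.dat --disablekeywarns --romfsdir="./$ncadirname" "$f" &> /dev/null

    # Discard candidates whose RomFS has no package2.
    if [ ! -f "./$ncadirname/nx/package2" ]; then
        rm -rf "./$ncadirname"
        continue
    fi

    echo Found package2 in NCA "$ncaname" with size "$ncasize"

    {
        ./hactool -t pk21 -k ./keys.dat --disablekeywarns --outdir="./$ncadirname/package2_ext" "./$ncadirname/nx/package2"
        ./hactool -t ini1 -k ./keys.dat --disablekeywarns --outdir="./$ncadirname/INI1_ext" "./$ncadirname/package2_ext/INI1.bin"
    } &> /dev/null

    # Start from an empty ./files directory for every NCA.
    rm -rf ./files
    mkdir ./files

    mv "./$ncadirname/INI1_ext/FS.kip1" ./files/FS.kip1

    ./hactool -t kip1 -k ./keys.dat --disablekeywarns --uncompressed=./files/FS-dec.kip1 ./files/FS.kip1 &> /dev/null

    # One MakeIPS.py run per NCA that contained package2.
    python3 MakeIPS.py

    rm -rf "./$ncadirname"
done

rm -rf ./files &> /dev/null

# -n 1 returns on a single key press instead of waiting for Enter.
read -n 1 -s -r -p "Press any key to finish ..."
echo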

This one should do it.
 

mrdude

It still needs to be modified to account for both firmware variants (FAT32 and exFAT). Only a single IPS is being generated at this moment, and the RomFS extraction steps overwrite the files from the first extracted firmware.

That should be simple enough - just mod the script so it runs on each file (instead of all files in a loop), make it count the amount of files - do the first file it finds - make it go through the script, then remove that file and then do the next one. It shouldn't be hard to do that.

EDIT: Just saw you posted just before me - lol.
 

DarkMatterCore

Modifying the Python script to make it generate a patches.ini file using the information from each IPS shouldn't be difficult, but it will have to parse the .text segment header from each FS KIP to properly determine the section index and section-relative offset. Hekate doesn't use file-relative offsets.
 

mrdude

Modifying the Python script to make it generate a patches.ini file using the information from each IPS shouldn't be difficult, but it will have to parse the .text segment header from each FS KIP to properly determine the section index and section-relative offset. Hekate doesn't use file-relative offsets.

Have a look at autoips python files I posted, these show how to make a patches.ini, I just removed that from the python files I posted in this thread - just to show how to make an ips file as that's all the OP asked for.

Also if you want to make 2 different ips files, there's no need to mod the python files - just mod the batch file or your bash script to do that.

I'm kind of in the middle of making a rechargeable bluetooth rs232 circuit just now or I'd have a look - but if I get time during the week I'll have a look. I might just bin the python files and write a proper windows program with GUI to do it all, and combine autoips into that. Just time and other stuff is stopping me from doing that just now.
 

mrdude

Changing windows batch file to this - fixes the issue and generates both ips files:

Code:
SET VAR="C:\python3.9\python"
cls
%VAR% move.py

for %%f in (3meg/*.nca) do (
hactool.exe -k keys.dat -t nca --romfsdir=dumped/ 3meg/%%f
hactool.exe -k keys.dat -t pk21 dumped/nx/package2 --outdir=dumps/
hactool.exe -k keys.dat -t ini1 dumps/INI1.bin --outdir=files/
hactool --intype=kip1 --uncompressed=files/FS-dec.kip1 files/FS.kip1
%VAR% MakeIPS.py
move 3meg\%%f firmware\
)

rmdir files /S /Q
rmdir 3meg /Q
rmdir dumps /S /Q
rmdir dumped /S /Q

Obviously mod your own scripts to make it better.

This will generate 2 ips files:
Code:
E399156E844EB0AA3CC5152979961C879F5E90696C1224A1BBE0FF1BCDBFD7DC.ips
50 41 54 43 48 0E 30 14 00 04 1F 20 03 D5 45 4F 46

0BA15BB304B505633B6DA6B2C6E991B6A06EBAFB3378DF02BF6B494075976F06.ips
50 41 54 43 48 0E 30 14 00 04 1F 20 03 D5 45 4F 46

I've also included a modded MakeIPS.py to show how to make patches.ini files - this will need slightly modded to show the correct bytes to patch (not byte address - just found bytes) - although that should be trivial to fix.

This bit here in red, instead of being a static value - python file needs modded to show that correctly....I don't have time to fix that, so someone else will need to try.
patchnfo = (".nosigchk=0:0x%X" % final2 + ":0x4:E0030036,1F2003D5")
 

Attachments

  • MakeIPS.zip
    1.1 KB · Views: 189
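
The two `.ips` files listed in the post above hold the same 17 bytes; decoded as an IPS patch they are a single record that writes 4 bytes at 0xE3014, the offset printed earlier in the thread. This is an added example, not code from the thread or from MakeIPS.py: `parse_ips`, `audit` and `CONSTRUCTED_IMAGE` are hypothetical names, and the image is a constructed zero-filled stand-in for FS-dec.kip1 seeded with the `E0030036` bytes from the `patchnfo` line.

```python
# Added example: decode an IPS patch and list what it would overwrite.
SAMPLE_IPS = bytes.fromhex("50 41 54 43 48 0E 30 14 00 04 1F 20 03 D5 45 4F 46")

# Constructed stand-in for FS-dec.kip1: zero-filled, with the original bytes
# from the thread's patchnfo line (E0030036) placed at the patched offset.
CONSTRUCTED_IMAGE = bytearray(0xE3100)
CONSTRUCTED_IMAGE[0xE3014:0xE3018] = bytes.fromhex("E0030036")


def parse_ips(blob):
    """Return [(offset, data), ...] for a classic IPS patch; raise on malformed input."""
    if blob[:5] != b"PATCH":
        raise ValueError("missing PATCH magic")
    pos, records = 5, []
    while True:
        if blob[pos:pos + 3] == b"EOF":          # end marker replaces an offset
            return records
        if len(blob) < pos + 5:
            raise ValueError("truncated patch: no EOF marker")
        offset = int.from_bytes(blob[pos:pos + 3], "big")    # 24-bit file offset
        size = int.from_bytes(blob[pos + 3:pos + 5], "big")  # 16-bit payload length
        pos += 5
        if size == 0:                            # RLE record: 16-bit count + fill byte
            if len(blob) < pos + 3:
                raise ValueError("truncated RLE record")
            count = int.from_bytes(blob[pos:pos + 2], "big")
            data, pos = blob[pos + 2:pos + 3] * count, pos + 3
        else:
            data = blob[pos:pos + size]
            if len(data) != size:
                raise ValueError("truncated record payload")
            pos += size
        records.append((offset, bytes(data)))


def audit(image, records):
    """List (offset, old_hex, new_hex) per record without modifying the image."""
    changes = []
    for offset, data in records:
        if offset + len(data) > len(image):
            raise ValueError("record at 0x%X writes past end of image" % offset)
        old = bytes(image[offset:offset + len(data)])
        changes.append((offset, old.hex().upper(), data.hex().upper()))
    return changes


if __name__ == "__main__":
    for offset, old, new in audit(CONSTRUCTED_IMAGE, parse_ips(SAMPLE_IPS)):
        print("0x%X: %s -> %s" % (offset, old, new))
```

`1F 20 03 D5` is the little-endian encoding of the AArch64 `NOP` instruction (0xD503201F), so the record replaces one 4-byte instruction with a no-op.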

DarkMatterCore

I updated the MakeIPS.py script to fix the issue mentioned by @mrdude in their last post. The Linux bash script was updated to generate a single patches.ini file from the *.txt files generated by the latest MakeIPS.py script. And last but not least, I rewrote the Windows batch script from scratch to closely resemble the way the Linux bash script works.

You need to provide your own hactool build, a firmware dump and a keys.dat file, as usual.

Everything is covered now (in regards to FS patches, at least).

Also if you want to make 2 different ips files, there's no need to mod the python files - just mod the batch file or your bash script to do that.
Yeah, I'm fully aware of that. The bash script from my previous post takes this into account, which is the reason why a big for loop is now being used.
 

Attachments

  • MakeIPS_FS.zip
    2.4 KB · Views: 210

mrdude

I updated the MakeIPS.py script to fix the issue mentioned by @mrdude in their last post. The Linux bash script was updated to generate a single patches.ini file from the *.txt files generated by the latest MakeIPS.py script. And last but not least, I rewrote the Windows batch script from scratch to closely resemble the way the Linux bash script works.

You need to provide your own hactool build, a firmware dump and a keys.dat file, as usual.

Everything is covered now (in regards to FS patches, at least).


Yeah, I'm fully aware of that. The bash script from my previous post takes this into account, which is the reason why a big for loop is now being used.
Lol, I just fixed that python script as well - I'll see how you did it to see what you did different. Thanks.
 

DarkMatterCore

Lol, I just fixed that python script as well - I'll see how you did it to see what you did different. Thanks.
Nothing too fancy. I just used struct.unpack() to read the original instruction as a big-endian 32-bit integer, so that when it's printed it resembles the original 4 byte-long sequence.
 

mrdude

Nothing too fancy. I just used struct.unpack() to read the original instruction as a big-endian 32-bit integer, so that when it's printed it resembles the original 4 byte-long sequence.

Here's what I did. It prints out 2 text files. Although I do prefer your scripts - it's much faster :-)
 

Attachments

  • fs Auto IPS.rar
    1.8 KB · Views: 177

DarkMatterCore

@Homlet would this be possible to integrate this script into your software? So it can be made directly on the Switch.
It's definitely possible. Any system title can be already extracted by the nxdumptool-rewrite codebase, as long as an updated prod.keys file is generated with Lockpick_RCM.

Anything beyond that would require porting PK21 and INI1 unpacking routines, as well as BLZ decompression (for the FS KIP).

iirc Hekate is capable of generating decrypted + unpacked dumps of the FS KIP.
 

Homlet

@Homlet would this be possible to integrate this script into your software? So it can be made directly on the Switch.
Maybe, but since most people need other patches anyways, there's little point to it no? We still don't know how to make ES patches right? I'm not following closely any of this
 

mrdude

Nothing too fancy. I just used struct.unpack() to read the original instruction as a big-endian 32-bit integer, so that when it's printed it resembles the original 4 byte-long sequence.
I just noticed in the modded MakeIPS.py file you posted, you forgot to close the files - just add this to line 44 and line 50 (f.close). That will just free up some resources. Maybe it's not an issue - but it's better to close a file when we are finished with it.

mrdude

@mrdude There's no need to call f.close() while using with statements - Python automatically handles it. Java acts in a similar way, too.
Thanks, I didn't know that. Also I just tested firmware 10.2.0, we need to increase file size to this:
Code:
if !ncasize! LEQ 3550000 (

Or it will only find 1 file to patch instead of both.
 
