Info on SHA-256 hashes on FS patches

DarkMatterCore
Developer
@DarkMatterCore knows how to make the ES Patches maybe he will make a script or maybe @mrdude will
I can't compare ES byte sequences on my own, so I can't really make any automated patches. I don't have a Switch anymore.

I can, however, provide insight and assist with the process. I'm familiar with all these formats thanks to working on nxdumptool.
 

LyuboA
Member
DarkMatterCore said:
I can't compare ES byte sequences on my own, so I can't really make any automated patches. I don't have a Switch anymore.

I can, however, provide insight and assist with the process. I'm familiar with all these formats thanks to working on nxdumptool.

That's great, if @mrdude is up for another script for complete patches.
 

mrdude
Developer
LyuboA said:
That's great, if @mrdude is up for another script for complete patches.

I think crckd is looking into it; he says in a previous post that he is. If he needs help, then he can post in here and we can help him. In the meantime, I have bigger fish to fry :-). I do agree with you that it would be good if we also had the ability to make ES patches, but I've not really got much time to look into it just now, and it takes a long time to do all the 'investigating' before scripts can even be started.
 

LyuboA
Member
DarkMatterCore said:
I can't compare ES byte sequences on my own, so I can't really make any automated patches. I don't have a Switch anymore.

I can, however, provide insight and assist with the process. I'm familiar with all these formats thanks to working on nxdumptool.

Since you don't have a Switch anymore, what does this mean for nxdumptool?

mrdude said:
I think crckd is looking into it; he says in a previous post that he is. If he needs help, then he can post in here and we can help him. In the meantime, I have bigger fish to fry :-). I do agree with you that it would be good if we also had the ability to make ES patches, but I've not really got much time to look into it just now, and it takes a long time to do all the 'investigating' before scripts can even be started.

Whenever you have time. You've already done more than most. Thank you, and thanks to @DarkMatterCore and @crckd, you guys are great for this community.
 

peteruk
Member
(I fear I could get shot down here, but am willing to take one for the team)

Are we likely to see a GUI tool version of this when everything is figured out and finished? PC / Linux / Mac?

Figured I'd ask, thanks in advance.
 

mrdude
Developer
peteruk said:
(I fear I could get shot down here, but am willing to take one for the team)

Are we likely to see a GUI tool version of this when everything is figured out and finished? PC / Linux / Mac?

Figured I'd ask, thanks in advance.

Yes, that can easily be done. No point in doing it though until we figure out the ES patches. The program can be used to make loader/fs/es patches. Also, there would be no need for Python to be installed, as we can make Python files into stand-alone executables. See attached: MakeIPS.py has been converted into an exe.
 

Attachments

  • AutoIPS-FS.zip
    4.7 MB · Views: 269

ShadowOne333
Editorial Team
mrdude said:
Yes, that can easily be done. No point in doing it though until we figure out the ES patches. The program can be used to make loader/fs/es patches. Also, there would be no need for Python to be installed, as we can make Python files into stand-alone executables. See attached: MakeIPS.py has been converted into an exe.

And we might have an insight into the ES patches, thanks to an anonymous source.
The source gave quite a lot of neat info, which might be what's required to finalize the set of signature patches to make an open source solution that everyone can run and create the patches from.

Here's the intel provided:

Anonymous said:
These are the patterns found between different versions of the ES NSO:
Code:
03E4EB5556B98B327D1353E8AA2C7ADF2C544470 [10.0.0]:
    2DC1C: 20010034 -> 09000014 [1F 90 01 31 28 92 80 52] [pattern found in more than one segment]
    2E9D8: E0030036 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2DC70: 61000054 -> 1F2003D5 [F3 03 1F AA 02 00 00 14] [pattern found in more than one segment] [not found in 11.0.0+]

5AA09E1AF740A91D0F73ADFAE81A63E8AC0610D2 [10.1.0]:
    2DC30: 20010034 -> 09000014 [1F 90 01 31 28 92 80 52] [pattern found in more than one segment]
    2E9F8: E0030036 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2DC84: 61000054 -> 1F2003D5 [F3 03 1F AA 02 00 00 14] [pattern found in more than one segment] [not found in 11.0.0+]

3B8BF56DBEC7225D2EE666B009C42C0DC4552010 [11.0.0]:
    2D094: 80020034 -> 14000014 [1F 90 01 31 28 92 80 52] [pattern found in more than one segment]
    2DBBC: 36D28152 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2D0F4: C80000B4 -> 06000014 [E0 23 00 91 45 EE FF 97] [11.0.0+ only pattern]
The hex string at the start of each section represents the build ID for that version of the ES NSO (which is also the filename used for the IPS patches).

Each indented line starts with the patch offset (taken from the corresponding IPS patch), followed by the original and modified AArch64 instructions, as well as the 8 bytes after that. In other words, this is roughly the format being used to document these findings:
Code:
{build_ID} [{version}]:
    {patch_offset}: {original_sequence} -> {patch_sequence} [{byte_sequence_after_patch}]
    ...
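The notes above are enough to build the signature scanner the thread is after: take each original instruction plus the 8 bytes that follow it as a 12-byte signature, find it in the decompressed ES main NSO, and write the patched word at that offset into an IPS file. The block below is an added example, not code from the thread, from MakeIPS.py or from nxdumptool/hactool. It copies the 11.0.0 notes verbatim, uses a constructed in-memory buffer in place of a real decompressed NSO (in practice you would read hactool's --uncompressed output), keeps the words as the little-endian byte strings the notes give rather than byte-swapping them, and fails instead of guessing when a signature is found more than once and the documented offset does not settle it, which is the "pattern found in more than one segment" case the notes flag. The IPS32 variant (4-byte offsets, "IPS32"/"EEOF") is included on my understanding that Atmosphere accepts it for files whose offsets exceed 24 bits.

```python
# Added example, not code from the thread or from any tool it mentions.
# Turns the 11.0.0 notes quoted above into a signature scan over a decompressed
# ES main NSO and an IPS file.  The NSO buffer is constructed in-line; on a
# real dump, read hactool's --uncompressed output ('main_dec') instead.
import re
import struct

NOTES_11_0_0 = """
3B8BF56DBEC7225D2EE666B009C42C0DC4552010 [11.0.0]:
    2D094: 80020034 -> 14000014 [1F 90 01 31 28 92 80 52]
    2DBBC: 36D28152 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2D0F4: C80000B4 -> 06000014 [E0 23 00 91 45 EE FF 97]
"""
NOTE_RE = re.compile(r"^\s*([0-9A-Fa-f]+):\s*([0-9A-Fa-f]{8})\s*->\s*([0-9A-Fa-f]{8})\s*\[([0-9A-Fa-f ]+)\]")

def parse_notes(text):
    """(documented_offset, original_word, patched_word, bytes_after) per note line.
    The 8-hex-digit words are the file's little-endian bytes of one AArch64
    instruction, so they stay byte strings and are never byte-swapped."""
    notes = []
    for m in filter(None, map(NOTE_RE.match, text.splitlines())):
        notes.append((int(m.group(1), 16), bytes.fromhex(m.group(2)),
                      bytes.fromhex(m.group(3)), bytes.fromhex(m.group(4).replace(" ", ""))))
    return notes

def classify(word_hex):
    """Coarse AArch64 decode of one word: originals are conditional branches or a MOVZ,
    every patch is an unconditional B or a NOP."""
    insn = int.from_bytes(bytes.fromhex(word_hex), "little")
    for mask, value, name in ((0xFFFFFFFF, 0xD503201F, "NOP"), (0xFC000000, 0x14000000, "B"),
                              (0xFF000010, 0x54000000, "B.cond"), (0x7E000000, 0x34000000, "CBZ/CBNZ"),
                              (0x7E000000, 0x36000000, "TBZ/TBNZ"), (0x7F800000, 0x52800000, "MOVZ")):
        if insn & mask == value:
            return name
    return "other"

def find_signature(nso, original, after):
    """All offsets of original + the 8 bytes after it ('more than one segment' = several hits)."""
    sig, hits, start = original + after, [], 0
    while (i := nso.find(sig, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits

def build_patch_list(nso, notes):
    """(offset, patched_word) per note.  Several hits are accepted only when the
    documented offset is among them; otherwise fail rather than guess."""
    records = []
    for documented, original, patched, after in notes:
        hits = find_signature(nso, original, after)
        if len(hits) == 1:
            records.append((hits[0], patched))
        elif documented in hits:
            records.append((documented, patched))
        else:
            raise ValueError(f"{original.hex()}: {len(hits)} hits at {[hex(h) for h in hits]}")
    return records

def write_ips(records, ips32=False):
    """Classic IPS ('PATCH', 3-byte offset, 2-byte size, data, 'EOF'); IPS32
    ('IPS32', 4-byte offset, 'EEOF') once offsets reach 16 MiB."""
    out = bytearray(b"IPS32" if ips32 else b"PATCH")
    for off, data in sorted(records):
        if not 0 < len(data) < 0x10000 or (not ips32 and off >= 1 << 24):
            raise ValueError("record does not fit the chosen IPS variant")
        out += off.to_bytes(4 if ips32 else 3, "big") + struct.pack(">H", len(data)) + data
    return bytes(out + (b"EEOF" if ips32 else b"EOF"))

def apply_ips(data, ips):
    """Apply a classic or IPS32 patch; RLE records (size 0) are rejected, write_ips never emits them."""
    if ips[:5] not in (b"PATCH", b"IPS32"):
        raise ValueError("not an IPS file")
    olen, end = (3, b"EOF") if ips[:5] == b"PATCH" else (4, b"EEOF")
    buf, pos = bytearray(data), 5
    while ips[pos:] != end:
        if pos + olen + 2 > len(ips):
            raise ValueError("truncated IPS file")
        off = int.from_bytes(ips[pos:pos + olen], "big")
        size = int.from_bytes(ips[pos + olen:pos + olen + 2], "big")
        if size == 0:
            raise ValueError("RLE record not supported here")
        pos += olen + 2
        buf[off:off + size] = ips[pos:pos + size]
        pos += size
    return bytes(buf)

def constructed_nso():
    """Fake decompressed NSO: incrementing filler (can never contain a signature), the 11.0.0
    signatures planted at their documented offsets, and the first one planted again at 0x1000."""
    notes = parse_notes(NOTES_11_0_0)
    buf = bytearray(bytes(range(256)) * 0x300)
    for documented, original, _patched, after in notes:
        buf[documented:documented + 12] = original + after
    buf[0x1000:0x100C] = notes[0][1] + notes[0][3]
    return bytes(buf)

if __name__ == "__main__":
    records = build_patch_list(constructed_nso(), parse_notes(NOTES_11_0_0))
    for off, word in records:
        print(f"{off:X}: {word.hex().upper()} ({classify(word.hex())})")
    print(len(write_ips(records)), "bytes -> 3B8BF56DBEC7225D2EE666B009C42C0DC4552010.ips")
```

On a real dump you would replace constructed_nso() with the bytes of main_dec and name the output file after the build ID printed by hactool for that NSO. Note that the signature here is the 12 bytes starting at the patched word; a scanner meant to survive a new firmware would want a longer or differently anchored signature for the first pattern, since it already occurs twice in 10.x and 11.0.0 according to the notes.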
 

mrdude
Developer
ShadowOne333 said:
And we might have an insight into the ES patches, thanks to an anonymous source.
The source gave quite a lot of neat info, which might be what's required to finalize the set of signature patches to make an open source solution that everyone can run and create the patches from.

Here's the intel provided:

It would be handy to know what files are being patched, and how they are extracted from firmware files - can your source also supply that info?
 

DarkMatterCore
Developer
mrdude said:
It would be handy to know what files are being patched, and how they are extracted from firmware files - can your source also supply that info?

I'm sure they're just unpacking the Program NCA from the ES sysmodule and decompressing its main NSO.
 

DarkMatterCore
Developer
DarkMatterCore said:
They skip the eTicket RSA signature verification. FS + Loader patches skip NCA RSA signature verification.

The filename for ES patches comes from the module/build ID found at 0x40 in the ES main NSO. It's a 0x20 byte-long field, but only 0x14 bytes are used - iirc it's a SHA-1 hash calculated over a section from the NSO while it's being built, and not a full file hash unlike FS patches.

Keep in mind NSOs usually use LZ4 compression - you need to use a NSO decompressor before creating/applying IPS patches:

Code:
hactool -t nso --disablekeywarns --uncompressed=main_dec main

By the way, looking for a specific, extracted file/path won't help you in this case because all ExeFS sections hold at least the main NSO and the main.npdm. You'll really need to check the NCA header or the main.npdm file.

If you go down the NCA header route, you can follow my previous instructions. The byte at 0x205 must match 0x00 (Program NCA) and the unsigned 64-bit integer at 0x210 must match 0x0100000000000033 (ES sysmodule).

If you go down the main.npdm route, the NULL-terminated string at 0x20 must match "es".
@mrdude This info should be handy. I shared it some pages ago.

The same command we've been using to unpack NCAs should do the trick - just replace "--romfsdir" with "--exefsdir".
 
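The three checks DarkMatterCore lists (NCA header bytes at 0x205/0x210, the title name at 0x20 of main.npdm, and the module/build ID at 0x40 of the NSO that names the IPS file) are each a fixed-offset read, so they are easy to do without pattern matching on extracted filenames. The block below is an added example, not code from the thread, hactool or nxdumptool. It assumes the NCA header has already been decrypted (the on-disk header is AES-XTS encrypted, so use hactool's output rather than raw bytes from the firmware folder), and all sample buffers are constructed in-line rather than taken from real firmware. It also uses the NSO flags word at 0xC to tell whether the segments are still LZ4-compressed, the case where the hactool --uncompressed step is required before patching.

```python
# Added example, not code from the thread, hactool or nxdumptool.  Implements
# the three checks described above for finding the ES sysmodule's files:
# decrypted NCA header (content type at 0x205, title ID at 0x210), main.npdm
# (title name at 0x20) and the NSO module/build ID at 0x40 that names the
# IPS file.  All buffers are constructed in-line; a real NCA header must be
# decrypted first (AES-XTS on disk), e.g. by hactool.
import struct

ES_TITLE_ID = 0x0100000000000033
NCA_CONTENT_PROGRAM = 0x00   # 1 = Meta (the .cnmt.nca), 2 = Control, 3 = Manual, 4 = Data, 5 = PublicData

def nca_header_info(header):
    """(content_type, title_id) from a decrypted NCA header, or None if the magic is wrong."""
    if len(header) < 0x400 or header[0x200:0x204] not in (b"NCA2", b"NCA3"):
        return None
    return header[0x205], struct.unpack_from("<Q", header, 0x210)[0]

def nca_is_es_program(header):
    """True only for the ES Program NCA: the ES Meta NCA shares the title ID but has no ExeFS."""
    info = nca_header_info(header)
    return info is not None and info == (NCA_CONTENT_PROGRAM, ES_TITLE_ID)

def npdm_title_name(npdm):
    """NUL-terminated title name at 0x20 of a META (main.npdm) header; 'es' for the ES sysmodule."""
    if npdm[:4] != b"META":
        raise ValueError("not an NPDM")
    return npdm[0x20:0x30].split(b"\x00", 1)[0].decode("ascii")

def nso_info(nso):
    """(build_id_hex, compressed) from an NSO0 header: module ID at 0x40 (0x20 bytes, first
    0x14 used for the patch name), flags at 0xC (bits 0-2 = .text/.rodata/.data LZ4-compressed)."""
    if nso[:4] != b"NSO0":
        raise ValueError("not an NSO")
    flags = struct.unpack_from("<I", nso, 0xC)[0]
    return nso[0x40:0x54].hex().upper(), bool(flags & 0x7)

def ips_filename(nso):
    """Patch file name for this build, e.g. 3B8BF56DBEC7225D2EE666B009C42C0DC4552010.ips."""
    return nso_info(nso)[0] + ".ips"

def pick_es_nca(headers):
    """Given {filename: decrypted_header}, return the ES Program NCA's name, or None."""
    hits = [name for name, hdr in headers.items() if nca_is_es_program(hdr)]
    if len(hits) > 1:
        raise ValueError(f"more than one ES Program NCA: {hits}")
    return hits[0] if hits else None

# Constructed samples (not real firmware data).
def constructed_nca_header(content_type, title_id):
    h = bytearray(0xC00)
    h[0x200:0x204] = b"NCA3"
    h[0x205] = content_type
    struct.pack_into("<Q", h, 0x210, title_id)
    return bytes(h)

def constructed_npdm(name):
    n = bytearray(0x80)
    n[:4] = b"META"
    n[0x20:0x20 + len(name)] = name.encode()
    return bytes(n)

def constructed_nso(build_id_hex, compressed=True):
    b = bytearray(0x100)
    b[:4] = b"NSO0"
    struct.pack_into("<I", b, 0xC, 0x7 if compressed else 0)
    b[0x40:0x54] = bytes.fromhex(build_id_hex)
    return bytes(b)

if __name__ == "__main__":
    fw = {"a.nca": constructed_nca_header(0, ES_TITLE_ID),
          "b.cnmt.nca": constructed_nca_header(1, ES_TITLE_ID),
          "c.nca": constructed_nca_header(0, 0x0100000000000000)}
    print("ES Program NCA:", pick_es_nca(fw))
    print("npdm title:", npdm_title_name(constructed_npdm("es")))
    print("patch file:", ips_filename(constructed_nso("3B8BF56DBEC7225D2EE666B009C42C0DC4552010")))
```

The content-type check is what makes the .cnmt.nca exclusion in the scripts later in the thread unnecessary: the Meta NCA carries the same title ID but content type 1, so it never matches.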

mrdude
Developer
DarkMatterCore said:
@mrdude This info should be handy. I shared it some pages ago.

The same command we've been using to unpack NCAs should do the trick - just replace "--romfsdir" with "--exefsdir".

I tried unpacking ALL the files; I got thousands of files/folders, but none of them were called 'main', so that's where I failed with the info you supplied.

So I tried a little batch file like this, and found the files in about 1 second :-)
Code:
for %%f in (firmware/*.*) do (
    rem %%f already carries the firmware/ prefix, so use %%~nxf for the bare file name
    hactool.exe -k keys.dat -t nca --exefsdir=dumped/ firmware/%%~nxf
    if exist dumped/main.npdm (
        EXIT /B
    )
)

I take it nearly every file has these main + main.npdm files; should these be dumped into separate folders and then scanned?
So the batch needs to look like this to dump:
Code:
for %%f in (firmware/*.*) do (
    mkdir dumped/%%~nxf
    hactool.exe -k keys.dat -t nca --exefsdir=dumped/%%~nxf/ firmware/%%~nxf
    rem rmdir without /S only succeeds when nothing was extracted, so empty folders disappear
    rmdir dumped/%%~nxf /Q
)
 

crckd
OP
OK, I will try to write a Python script to do that, as I don't know how to do it on the DOS command line.

I looped over all files inside the folder until I got the NCA with title ID 0100000000000033.
What remains is finding the addresses.

Code:
import os
import sys
import subprocess

if len(sys.argv) == 1:
    print("no argv")
    sys.exit(1)

ES_NCA = ""
FIRMWARE_DIR = sys.argv[1]

print("Checking files in " + FIRMWARE_DIR + " folder.")
for filename in os.listdir(FIRMWARE_DIR):
    # Skip the ES title's .cnmt.nca (Meta NCA): same title ID, but no ExeFS inside.
    if not filename.endswith(".nca") or filename.endswith(".cnmt.nca"):
        continue
    nca_path = os.path.join(FIRMWARE_DIR, filename)

    # hactool prints the decrypted header fields; the ES sysmodule is title ID 0100000000000033
    outlines = subprocess.check_output(['hactool', '--disablekeywarns', nca_path])
    for line in outlines.splitlines():
        line = line.decode('ascii', 'replace').replace(" ", "")
        if line.startswith("TitleID:0100000000000033"):
            print("Found! Filename : " + filename)
            ES_NCA = filename
            break

    if ES_NCA:
        print("Using hactool to extract exefsdir")
        # "-t" and "nca" must be separate arguments: a single "-t nca" string is passed
        # to hactool as the type " nca", which it does not recognize.
        subprocess.run(["hactool", "-t", "nca", "--exefsdir=.", "--disablekeywarns", nca_path],
                       stdout=subprocess.DEVNULL)
        if os.path.exists("main"):
            print("Using hactool to uncompress main")
            # Decompress the LZ4 NSO to main_dec and read the build ID from hactool's output
            outlines = subprocess.check_output(['hactool', '--keyset=prod.keys', '--intype=nso',
                                                '--disablekeywarns', '--uncompressed=main_dec', 'main'])
            for line in outlines.splitlines():
                line = line.decode('ascii', 'replace').replace(" ", "")
                if line.startswith("BuildId:"):
                    print("Found Build ID : " + line.replace("BuildId:", "")[0:40])
        break
 

Attachments

  • es.zip
    695 bytes · Views: 220