Hacking Discussion Info on SHA-256 hashes on FS patches

[mrdude]

I looped on all files inside the folder until i get the nca with title id 0100000000000033.
remaining would be finding the addresses.

import os
import sys
import subprocess

if len(sys.argv) == 1:
   print("no argv")
   sys.exit(1)

ES_NCA = ""
FIRMWARE_DIR = sys.argv[1]

print("Checking files in " + FIRMWARE_DIR + " folder.")
for filename in os.listdir(FIRMWARE_DIR):
   if filename.endswith(".nca"):
 
       outlines = subprocess.check_output(['hactool', '--disablekeywarns', FIRMWARE_DIR + '/' + filename])

       for line in outlines.splitlines():
           line = line.decode('ascii').replace(" ","")
           if line.startswith("TitleID:0100000000000033") and not filename.endswith(".cnmt.nca"):
               print("Found! Filename : " + filename)
               ES_NCA = filename
               break
       if ES_NCA:
           print("Using hactool to extract exefsdir")
           subprocess.run(["hactool","-t nca","--exefsdir=.","--disablekeywarns", FIRMWARE_DIR + '/' + filename], stdout=subprocess.DEVNULL)
           if os.path.exists("main"):
               outlines = subprocess.check_output(['hactool','--keyset=prod.keys','--intype=nso','--disablekeywarns','--uncompressed=main_dec','main'])
               print("Using hactool to uncompress main")
               for line in outlines.splitlines():
           
                   line = line.decode('ascii').replace(" ","")
                   if line.startswith("BuildId:"):
                       print("Found Build ID : " + line.replace("BuildId:","")[0:40])
           break

I can't get this script to work, for some reason it's not finding my keys "keys.dat" file, I edited your script and replaced prod.keys with keys.dat, but it was still saying: Invalid NCA header! Are keys correct?

 

[crckd]

I can't get this script to work, for some reason it's not finding my keys "keys.dat" file, I edited your script and replaced prod.keys with keys.dat, but it was still saying: Invalid NCA header! Are keys correct?

I had the same issue.
just change "-k keys.txt" to "--keyset=keys.txt". there should be no spaces on the argument.

 

[mrdude]

I had the same issue.
just change "-k keys.txt" to "--keyset=keys.txt". there should be no spaces on the argument.

I'm still getting an error - I have hactool and the keys in the same folder as I am using the py script in, and it's not finding the keys, which is weird as it obviously finds and runs hactool. It's a mystery.

 

[crckd]

I'm still getting an error - I have hactool and the keys in the same folder as I am using the py script in, and it's not finding the keys, which is weird as it obviously finds and runs hactool. It's a mystery.

At which part do you get the nca header error?

 

[mrdude]

At which part do you get the nca header error?

This is what I m doing - see pictures for folder content, command line, and output + modded py script.

Ignore the double quotes round the keyset line - it's the same error using single quotes.

 

[crckd]

This is what I m doing - see pictures for folder content, command line, and output + modded py script.

try to replace line 25 with this and use single quotes

Spoiler: no space

subprocess.run(['hactool','--intype=nca','--exefsdir=.','--disablekeywarns', FIRMWARE_DIR + '/' + filename], stdout=subprocess.DEVNULL)

 

[mrdude]

try to replace line 25 with this

Spoiler: no space

subprocess.run(['hactool','--intype=nca','--exefsdir=.','--disablekeywarns', FIRMWARE_DIR + '/' + filename], stdout=subprocess.DEVNULL)

Same error. (reason it's only showing 1 error - is because I just have the one file you posted above in the firmware folder, to speed things up).

 

[crckd]

Same error.

how about at line 16? did you add
your keys there?

i have my prod.keys at %USERPROFILE%\.switch so i don't need to add it as an argument on hactool.
i forgot to add it also on some lines of the script

 

[mrdude]

how about at line 16? did you add
your keys there?

i have my prod.keys at %USERPROFILE%\.switch so i don't need to add it as an argument on hactool.
i forgot to add it also on some lines of the script

Yep I tried that before, I think it was line 25 which was causing the issues - and the keyfile being missing from the original script. Here the modded script which is now working. (use keys.dat).

 

[mrdude]

Slightly modded the script to add another argument as people are using different named keyfiles.

Usage: python es.py firmware prod.keys

Firmware: is the name of the folder the firmware files are in.
prod.keys can be changed to whatever key file you are using - example: python es.py 11.0.0 keys.txt

Batch file code to dump + cleanup

rem SET VAR="C:\python3.9\python"
cls
mkdir dumped
%VAR% es.py firmware keys.dat
del main.* /Q
move main_dec dumped
)

@crckd
Your script doesn't seem find the files on firmware Firmware 10.1.0 or Firmware 10.0.4, firmware newer is ok though (10.2.0 & 11.x.x) Maybe this will affect newer firmware's in future. Do you know what's different in these older firmware's and why the script isn't finding the anything in those?

EDIT: OK, found it - change line to this: (this then finds the build id in nca files as well)

if line.startswith("TitleID:0100000000000033") and not filename.endswith("*.nca"):

Although this is what happens on 10.0.4:

Checking files in firmware folder.
Found! Filename : b5757088d76f42f7222f141d3082d02d.nca
Using hactool to extract exefsdir

There's no extraction of files.......even though it has the correct title id:

So removing that file, and running the script again - it finds this also has the same id

e006abf2423022702fa4839be9825ebc.nca

and this is the output: (which seems correct)
Found! Filename : e006abf2423022702fa4839be9825ebc.nca
Using hactool to extract exefsdir
Using hactool to uncompress main
Found Build ID : 03E4EB5556B98B327D1353E8AA2C7ADF2C544470

Running this:

hactool --keyset=keys.dat --intype=nca --exefsdir=dumped --disablekeywarns firmware/e006abf2423022702fa4839be9825ebc.nca

Dumps main + main.npdm - so maybe we need to put a check as well to check for:
"ContentType: Program" because the other file's content type is "meta" (no space before program - but forum is turning it into a smiley)

 

[mrdude]

Ok here's the updated python file with the for loop modded, this finds the correct files now in all firmware I checked down to 10.0.0.4

 

[ShadowOne333]

Oh wow! This is coming along amazingly!
With these documentation and scripts, now the creation of the sigpatches is no longer hidden and everyone can attempt it.
This is just lovely!

 

[crckd]

I'm looking at the 3rd patch of 11.0.0. It would be much simpler if we can patch previous versions like the 11.0.0

 

[mrdude]

I'm looking at the 3rd patch of 11.0.0. It would be much simpler if we can patch previous versions like the 11.0.0

We should be able to find the hex patterns if we use some wildcards, it shouldn't be a problem to do that - I just checked the first patch on each firmware, can can't see an issue doing it that way.

 

[crckd]

We should be able to find the hex patterns if we use some wildcards, it shouldn't be a problem to do that - I just checked the first patch on each firmware, can can't see an issue doing it that way.

patch 3 pattern for 11.0.0 below can be used also.
but 11.0.0 we cannot be sure if it will change on new updates.

on patch 1, we can use "patch = int((0x14 << 24) | ((inst >> 5) & 0x7FFFF))" to convert that cbz to b (credit to anon user)

 

[mrdude]

Not sure if this is any help but for patch 3 search for this text in ida: "escertificate"

See pic 1, scroll to the top of the function where you see the branch:

Click on that so you can go to the branch address, You will then be in the function that needs patched.

Now I know that's not ideal - and it may need done manually - but it's better than nothing :-)

Patch 3 in older firmware was doing a NOP, now it's doing a branch to address:

It could be possible that we can just (change the patch) nop the call to branch to address as shown in the 2nd picture - I didn't try this, but it might work and make patch 3 easier to automatically do.

 

[crckd]

I was thinking the same thing. cbz-to-b on patch 3. It would change the existing es patches of versions below 11 but it would be much easier and more consistent.

off-topic:
Which OS/python/IDA version do you use? i'll try to install IDA to see the disassemble code easier. last debugger i used was ollydbg and it was 8 years ago.

 

[mrdude]

I was thinking the same thing. cbz-to-b on patch 3. It would change the existing es patches of versions below 11 but it would be much easier and more consistent.

off-topic:
Which OS/python/IDA version do you use? i'll try to install IDA to see the disassemble code easier. last debugger i used was ollydbg and it was 8 years ago.

Check your pm's, I'm using python 3.9.1/Windows 10 (64bit), IDA 7.5 (64 bit).

 

[mrdude]

@crckd, as you probably have never used IDA, it's a bit of a learning curve - but here's how to work out the patch for patch 3.

The pictures should explain better than me drivelling on.
View from IDA of unpatched file..

Arm2hex website, how to get the branch address patch:

Now using that info for: Alternative Branch Patches
Firmware 9.1.0 - patch 3 (tested - works fine)
Alternative Patch would look like this: offset: 2d3a0 - patch: 04000014

Firmware 10.0.4 - patch 3 (tested - works fine)
Alternative Patch would look like this: offset: 2dc50 - patch: 09000014

Firmware 10.1.0/10.2.0 - patch 3 (tested - works fine)
Alternative Patch would look like this: offset: 2dc64 - patch: 09000014

Firmware 11.x.x - patch 3 (tested - works fine)
offset: 2d0f4 - patch: 06000014

 

[LyuboA]

@mrdude i tested the patches for 10.2.0 they work
now that you know how to make them what does this mean for script
or a guide so everyone can make them