Front-page Hacking  Updated

SX OS 2.6 Beta released: full support for Nintendo Switch firmware 7.x

From Team Xecuter:

This new 2.6 BETA of SX OS adds full support for Nintendo Switch firmware 7.x, including ALL functionality you expect when using our product. We've been pioneering our own unique and proprietary solution for defeating any future firmware protection and we're quite happy with the results so far.

This release is marked as BETA because we changed things drastically under the hood to streamline future firmware updates and some things may inadvertently behave differently.

That does not mean it hasn't been vetted at all, so give it a shot today!

Of course, we haven't been sitting idly behind the scenes either. A lot of our development resources and attention has been dedicated to bringing SX OS to those "unhackable" switches. We are working hard to bring the SX OS experience to all of you who are stuck with an "unhackable" switch. Stay tuned for more news!
Click to expand...

Download here: -REMOVED-
 
Last edited by linuxares,
  • Like
Reactions: Ra1d, m_babble, _abysswalker_ and 23 others
Click to expand...
comput3rus3r

comput3rus3r

Well-Known Member
Member
Level 15
Joined
Aug 20, 2016
Messages
3,580
Trophies
1
Age
123
XP
4,920
Country
United States
_hexkyz_ said:
What happens is that a key is set in keyslot 7 at the end of payload_98000000 and then patcher_BFC70000 does:
- Initialize tmp_buf as 16 0xAA bytes;
- Call se_aes_ecb_decrypt_block(0x07, tmp_buf, 0x10, seed_buf, 0x10);
- Call decrypt_data_into_keyslot(0x0C, 0x07, seed_buf, 0x10).

The se_aes_ecb_decrypt_block is useless and was likely there just for testing (it's still there on v2.6.1 and you can find it by looking for 0xAAAAAAAA in the disassembled code).
This was already being used in v2.6, but they also had a piece of code that would load the actual plaintext key from memory. On v2.6.1 the key and this leftover code was removed.

The user @Falo has shared an accurate screenshot comparison of v2.6 vs. v2.6.1 here: https://gbatemp.net/threads/sx-os-2...license-activation.533956/page-3#post-8559251
Click to expand...
again this should be pinned and thread closed.
 
  • Like
Reactions: gizmomelb and thaikhoa
kingaz

kingaz

Well-Known Member
Member
Level 6
Joined
Oct 27, 2013
Messages
298
Trophies
0
Age
36
XP
877
Country
United States
smf said:
Depends on what pretend lawyer they are listening to really. Its still a DMCA violation, but then admitting that would remove links to a few favoured projects.
Click to expand...

Nearly everything on this site is in violation of the DMCA. But not all violations are created equal.
 
natkoden

natkoden

Well-Known Member
Member
Level 6
Joined
Jul 25, 2006
Messages
1,182
Trophies
1
XP
916
Country
Argentina
  • Like
Reactions: ZachyCatGames, Deleted User and g4jek8j54
bi388

bi388

Well-Known Member
Member
Level 7
Joined
May 29, 2015
Messages
1,086
Trophies
0
Age
26
XP
1,256
Country
United States
Game_Over_Tom said:
Gateway was not a TX product, lol
The Switch is the first Nintendo product Team Xecuter has gotten involved with.
Click to expand...
While theres no confirmation one way or the other, it is pretty widely suspected that thats untrue and the current Xecuter is the Gateway team. its on legal record that the TX branding was sold, so it certainly isnt the same team that did xbox modding.
 
  • Like
Reactions: Deleted User
G

ghjfdtg

Well-Known Member
Member
Level 12
Joined
Jul 13, 2014
Messages
1,360
Trophies
1
XP
3,274
Country
josete2k said:
So, are saying that you can't prove it?

I can't prove it, many people can't prove it, but we believe it.

But SXOS has to prove they don't use keys...

Aham...
Click to expand...
There isn't even anything to prove about SX OS. It needs the key to boot 7.X.X and if they go through the lengths of acquiring it shows they have not fully pwned TSEC. So this is their only option besides using sept (which is out of the question for them).
 
T

thaikhoa

Well-Known Member
Member
Level 11
Joined
Sep 16, 2008
Messages
2,236
Trophies
1
XP
2,590
Country
Australia
TX didn't do anything to prove themselves for whether being guilty, even a single line the changelogs in details, the scene did the rest for free. So now, discussion is still on going whether TX is Gateway.
 
Last edited by thaikhoa,
  • Like
Reactions: gizmomelb
xiaNaix

xiaNaix

Well-Known Member
Member
Level 6
Joined
Nov 14, 2002
Messages
570
Trophies
0
Website
xiaNaix.net
XP
950
Country
United States
bi388 said:
While theres no confirmation one way or the other, it is pretty widely suspected that thats untrue and the current Xecuter is the Gateway team. its on legal record that the TX branding was sold, so it certainly isnt the same team that did xbox modding.
Click to expand...

Members of the team have come and gone since the 360 scene for sure. We're talking about decades here after all. I can assure you that, while consoles and hacking methods have changed significantly over the years, some of the people responsible for SX OS definitely go back to the 360 days.

I think the conspiracy theory regarding Gateway started because they may have used the same factory in China for manufacturing. TX is not a "Chinese company" though and never has been.
 
  • Like
Reactions: toto621 and Deleted User
O

oblid

Well-Known Member
Newcomer
Level 3
Joined
Oct 1, 2018
Messages
49
Trophies
0
Age
41
XP
349
Country
Uruguay
xiaNaix said:
Remove what? They just explained that SX OS works basically the same way Sept/Atmosphere does with seed keys.
Click to expand...

linuxares said:
Aye, the block stands that is. Can't they just remove it and I get an OK from and Admin. Then we can allow it.
Click to expand...

Nevermind @linuxares continue with the censhorip. I'm tired of this... Good day.
 
  • Like
Reactions: gizmomelb, toto621 and xiaNaix
D

Deleted User

Guest
bi388 said:
While theres no confirmation one way or the other, it is pretty widely suspected that thats untrue and the current Xecuter is the Gateway team. its on legal record that the TX branding was sold, so it certainly isnt the same team that did xbox modding.
Click to expand...

Yeah, attacks on TX are mostly speculation based, so that's nothing new for anyone involved.
Just the way it goes I guess.

Oh and by the way, the key was not in "plain text" as cleverly phrased as it has been reported ... Go ahead and use a hex editor and view the boot.dat you won't see the key in plain text. You need Mike's scripts to decompress and view the content first. (I know... I know.... but it's worth mentioning) There are plenty of keys included in various works that have been posted here, so I am happy to see people pointing out the hypocrisy and biased practices in play. I'm not going to debate the politics of that, but I figured I would at least drop my opinion while visiting this place.

Looks like the TX Hate train went faster and faster until it finally derailed itself.
 
  • Like
Reactions: MachRc, gizmomelb, JJTapia19 and 5 others
josete2k

josete2k

Well-Known Member
Member
Level 9
Joined
Apr 24, 2009
Messages
674
Trophies
1
Age
43
Location
Spain
XP
1,586
Country
Spain
ghjfdtg said:
Except it does not. sept still uses Nintendos TSEC firmware. The key is stored nowhere in no form inside sept while it is stored obfuscated inside SX OS.
Click to expand...

Are you really sure of that?

_hexkyz_ said:
What happens is that a key is set in keyslot 7 at the end of payload_98000000 and then patcher_BFC70000 does:
- Initialize tmp_buf as 16 0xAA bytes;
- Call se_aes_ecb_decrypt_block(0x07, tmp_buf, 0x10, seed_buf, 0x10);
- Call decrypt_data_into_keyslot(0x0C, 0x07, seed_buf, 0x10).

The se_aes_ecb_decrypt_block is useless and was likely there just for testing (it's still there on v2.6.1 and you can find it by looking for 0xAAAAAAAA in the disassembled code).
This was already being used in v2.6, but they also had a piece of code that would load the actual plaintext key from memory. On v2.6.1 the key and this leftover code was removed.

The user @Falo has shared an accurate screenshot comparison of v2.6 vs. v2.6.1 here: https://gbatemp.net/threads/sx-os-2...license-activation.533956/page-3#post-8559251
Click to expand...
 
V

V-Temp

Well-Known Member
Member
Level 8
Joined
Jul 20, 2017
Messages
1,227
Trophies
0
Age
34
XP
1,342
Country
United States
Far as I am aware, generally speaking, there's actually a fairly good check on whether or not code being shared here uses (a.) copyrighted Nintendo code or (b.) contains any keys. Several of the repacker codes even specifically state they are their own product with no code from Nintendo. Some our helpers do not and cannot share dumps of Boot0/1 which are generic and of no harmful use, and purely exist to help in recovery processes.

Atmos and it's periphery all operate under either byok rules or use key-extraction/derivation on the system itself with no distribution of any copyrighted content or otherwise.

The thing is, and this has been publicly since December, SX fails the first hurdle immediately because the of MIPS VM containing the cart header blocks and a LOTUS certificate. They have been held to a lower standard than smaller devs on here who have gone out of their way to make their own code and have been, by the community, audited on its legality.

So the fact that we're now seeing the reverse cry of persecution is rather ironic.

Edit: Even the emulator teams ban use of Nintendo's tools/details for obvious reasons and built entirely from scratch and reverse engineering. So at current, MIPS VM as provided by TX is skirting all rules that everyone else has been observing for months.
 
Last edited by V-Temp,
  • Like
Reactions: g4jek8j54, ghjfdtg, SonicvMario and 5 others
D

Deleted User

Guest
Game_Over_Tom said:
Yeah, attacks on TX are mostly speculation based, so that's nothing new for anyone involved.
Just the way it goes I guess.

Oh and by the way, the key was not in "plain text" as cleverly phrased as it has been reported ... Go ahead and use a hex editor and view the boot.dat you won't see the key in plain text. You need Mike's scripts to decompress and view the content first. (I know... I know.... but it's worth mentioning) There are plenty of keys included in various works that have been posted here, so I am happy to see people pointing out the hypocrisy and biased practices in play. I'm not going to debate the politics of that, but I figured I would at least drop my opinion while visiting this place.

Looks like the TX Hate train went faster and faster until it finally derailed itself.
Click to expand...
love how you tried to defend your company, but just ended up admitting you guys really fucked up this round of updates :rofl2:
 
guily6669

guily6669

GbaTemp is my Drug
Member
Level 10
Joined
Jun 3, 2013
Messages
2,326
Trophies
1
Age
34
Location
Doomed Island
XP
2,091
Country
United States
So I can now update mSD file type emunand to latest version while still being on 3.02 sysnand? Any problem loading it?

Though I basically never used the Switch and no games that I want are coming out :wink:
 

Site & Scene News

Go to forum More news

Popular threads in this forum

The MIG Switch Thread

Kingdom Come Deliverance Nswitch MOD

Homebrew Tutorial  Building Pagascape from source to running Self Hosted mode on Windows and MSYS

mig switch not working/updating??

Hacking Homebrew Tutorial  Portable PegaScape (Win32)

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

Fusee.bin with the new Pre-release of Atmoshere 1.7.0

DBI language error

General chit-chat
Help Users
  • No one is chatting at the moment.
    ButterScott101 @ ButterScott101: +1