Hacking Hack SXOS

mrdude

Developer
Joined
Dec 11, 2015
Messages
3,076
Trophies
1
Age
56
XP
8,192
Where is the channel in GIMP?

We need to change RGB to BGR, so do it like this:

Open a 1280x768 image

In GIMP's menus:
Image/transform
Rotate 90 clockwise
Flip Horizontal

Image/view
Rotate 90 anti-clockwise
Flip Horizontal

(carry out any mods to the image here such as adding text or whatever)

Colours/components/channel mixer/
Set the channels to this:
Red channel - Blue 1 (rest 0)
Green channel - Green 1 (rest 0)
Blue channel - Red 1 (rest 0)

Add Alpha channel:
layer/transparency/add alpha channel

Export as Windows BMP (32 bit ARGB)
Compatibility options - unchecked
Advanced options - 32bit A8 R8 G8 B8

Next, hex edit the saved image and remove the first 89 bytes; save it as fb_F0000000.bin.
Put it in the same folder as the Python script and a clean unmodded boot.dat.
Run the script.
Upload the modded boot.dat to the Switch, reboot, and the new screen should look good.
 
Last edited by mrdude,
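The pixel-format side of that recipe, written out as an added Python example (this is not the script from the post, nor anything from the SX OS tooling): it shows why swapping R and B in the channel mixer makes the exported file's pixel bytes come out R,G,B,A (a 32-bit BMP stores each pixel as B,G,R,A in file order), that BMP rows are written bottom row first, and that the "remove the first N bytes" step should take N from the header's pixel-data offset field rather than a fixed number, because the header size depends on which BMP header variant the exporter wrote. That the framebuffer wants RGBA8888 bytes is an assumption here; the 2x2 input image is constructed.

```python
"""Pixel-format side of the GIMP splash recipe: channel swap, BMP row order,
and reading the pixel-data offset from the header instead of hard-coding it."""
import struct


def swapped_bgra_row(rgb_row, alpha=0xFF):
    """Channel mixer step (Red<-Blue, Blue<-Red) followed by 'add alpha'.
    A 32-bit BMP stores every pixel as B,G,R,A in file order, so after the
    swap the bytes that land in the file are the original R,G,B and then A."""
    out = bytearray()
    for r, g, b in rgb_row:
        mixed_r, mixed_g, mixed_b = b, g, r            # what the mixer produces
        out += bytes((mixed_b, mixed_g, mixed_r, alpha))  # BMP writes B,G,R,A
    return bytes(out)


def make_bmp32(rgb_rows):
    """Write a minimal bottom-up 32-bit BMP: 14-byte file header plus a 40-byte
    BITMAPINFOHEADER. rgb_rows is top row first; BMP stores the bottom row first."""
    height, width = len(rgb_rows), len(rgb_rows[0])
    pixels = b"".join(swapped_bgra_row(row) for row in reversed(rgb_rows))
    off_bits = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", off_bits + len(pixels), 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def pixel_data_offset(bmp):
    """bfOffBits sits at byte 10 of every BMP. It is 54 for the header written
    here, 89 in the post's GIMP export, and larger again for V4/V5 headers,
    so read it rather than assuming a constant."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", bmp, 10)[0]


def strip_bmp_header(bmp):
    """The 'remove the first N bytes' step, driven by the header's own offset.
    What remains is the raw pixel array, bottom row first, R,G,B,A per pixel
    (assumed to be the layout fb_F0000000.bin expects)."""
    return bmp[pixel_data_offset(bmp):]


# Constructed 2x2 test image (top row first), not real splash-screen data.
SAMPLE_RGB = [
    [(0x11, 0x22, 0x33), (0x44, 0x55, 0x66)],
    [(0x77, 0x88, 0x99), (0xAA, 0xBB, 0xCC)],
]

if __name__ == "__main__":
    bmp = make_bmp32(SAMPLE_RGB)
    print("pixel data starts at", pixel_data_offset(bmp))
    print(strip_bmp_header(bmp).hex())  # bottom row first, R,G,B,A per pixel
```

Running it on a real export is the same call: open the exported BMP, take `strip_bmp_header(data)`, and the bottom-up row order is why the recipe flips the image before export.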

mrdude
it's hidden for me
FxiKDug.jpg
 
  • Like
Reactions: chronoss

lordelan

Well-Known Member
Member
Joined
Jan 4, 2015
Messages
5,757
Trophies
1
Age
44
XP
6,463
Country
Germany
What is currently happening? I'm lost lol

I can see SXOS has been cracked, but are they extracting the XCI payloads and trying to make it work on Atmosphere?
No one's working on XCI in Atmosphère right now.
I think instead they are messing around with the boot splash screen now.
 
  • Like
Reactions: slimhakz

mrdude
@Reacher17

I was looking at where our modded files' hashes are located:

Code:
App Header.bin original hash: 3F6BAF83C3C1D0C260A10E510BFD165DA312FCD357C178726203D98515A45CF7 (hash not found)
Rommenu - original hash: 0D7015FAB49D426C92BF22BCCB941087B67EDAD3A59375BFEE3CA044BA15BCCA (found in app_header.bin)
payload_81000000.bin original hash: 438BE0527651636B5B6EEFCD2FDDE01236A094E82B7403490F46A98C598CEA57 (found in stage3_80020000.bin)
stage2_40008100.bin original hash: A5DFC7C9775928374DAA1F42C708D92C07C10757641FBC1243C7FA58C22AC60E - (hash found in boot.dat)
stage3_80020000.bin original hash: 07DF04E7AA77FFD17C6DCB719A97021ADA0282CEC95A368E48A3456DFFD5D177 - (hash found in boot.dat)

As we are modding app_header.bin and changing the hash value of that file, surely there must be somewhere that hash is stored? I didn't find the location for it so I assume it's still in an encrypted part of boot.dat or does this value never get checked?
 

mrdude
SHA-256 hashes for the extracted unmodded SXOS 3.10
Code:
apps
App Header.bin original hash: 3F6BAF83C3C1D0C260A10E510BFD165DA312FCD357C178726203D98515A45CF7 (hash not found)
CREPBIN.bin original hash: 795E912EA039184AA36A7A5FD8878EB489DF7545D98F65945A990BA911CC738F (found in app_header.bin)
CREPMETA.bin original hash: 08C0CDE7B4FA9E2953B773E70297CA3191430D9BED38CBAB702720C58AAC2198 (found in app_header.bin)
ECLBIN.bin original hash: 95BBAEACC5AC583E08E6DCBD3FE6155A6DED3D92FC8631D4E32367D8A49AD221 (found in app_header.bin)
ECLMETA.bin original hash: 818AA93082E294673599DBFCBEE0BAE5032D35F411600575200FDC21BC4202EF (found in app_header.bin)
FTLBIN.bin original hash: 30A7B43C1C5E366D533032BF29E3C1EF0B82F4E4B5CA1560B7ABA4B6116C72EF (found in app_header.bin)
FTLMETA.bin original hash: 5A8ACAA75D85577B89E24C50E07EEED25989DDFF31E2708702FEC2D7647FEBD1 (found in app_header.bin)
HBLBIN.bin original hash: 95389AF481B620107A1EB90C63CB8464978B147BBD95BCE67DD33B860B3C2839 (found in app_header.bin)
HBLMETA.bin original hash: CA746203E550F76F96A9C402F35D92EF6E96C051221D640AE1893FFEBCD86000 (found in app_header.bin)
HBMENU.bin original hash: D7748A735EC8D590ACCAE5682B4F94B86DF41B09ADFCC30C90367E1105ABBCE5 (found in app_header.bin)
MLBIN.bin original hash: 5C861FABC5362E7B716F732C4D974D0C4C9F92CF457614EB77F8918B4BA46E50 (found in app_header.bin)
MLMETA.bin original hash: EE50431E33E463EE93AF20A30174CC2CBBAFBAC914303F37741581DCF034598B (found in app_header.bin)
ROMMENU.bin original hash: 0D7015FAB49D426C92BF22BCCB941087B67EDAD3A59375BFEE3CA044BA15BCCA (found in app_header.bin)

bootloader
bootloader_88000000.bin original hash: AE650688106805F0E65D5CBE37103C32E2CA5B5D970A1AEB028F3E5AE6A4A711 (hash not found)

firmware
kip_BFE808C4.bin original hash: 9988FA51206AFD3C56F8B57ECB1DEE44F6FFC8D1A6BAD4F73690FE8F5F05CAD7 (hash not found)
kip_BFE09360.bin original hash: 6C555826D3144CE12CDBE493651E8E387203371ECB4DD9E9F1D347F82A54EACE (hash not found)
kip_BFE52904.bin original hash: 27F726807A327E3D3A8E6A62BBE0AB8C815BC65619FF8FAEE5457C96B48ED9E7 (hash not found)
kip_BFE62504.bin original hash: 9A2779978EA54DEE84C4FE240A2B1C2032B0CEA85EDAFE51E6600F10A9B679B1 (hash not found)
kip_header.bin original hash: AE0463B8193D6D73A94C6D312E2650B92794B1F8E21286976342A5A9C7D0C504 (hash not found)

init
fb_F0000000.bin original hash: B13A9C11B13BD7AD94172D3C5ACDD628DA483FCB2F5AB0CFD42B022CDFE190D7 (found in stage3_80020000.bin)
stage2_40008100.bin original hash: A5DFC7C9775928374DAA1F42C708D92C07C10757641FBC1243C7FA58C22AC60E (found in boot.dat)
stage3_80020000.bin original hash: 07DF04E7AA77FFD17C6DCB719A97021ADA0282CEC95A368E48A3456DFFD5D177 (found in boot.dat)

patcher
patcher_B0000000.bin original hash: 75A9B4D57786FC84E080FEB8B594D72E1E0933D1E1963E91E3F6761C9A443107 (found in payload_A0000000_dec.bin)
patcher_B0010000.bin original hash: 7E1070A935DD517858E1E74D6D4823F20279FB6250289827466B0FF57E13496E (found in payload_A0000000_dec.bin)
patcher_BFE00000.bin original hash: 420EA677B85FFE43974F42D3C472FD02D2B5A4ED3DB7E7F9DDB233DBEAEB7E0B (found in payload_A0000000_dec.bin)

payloads
payload_81000000.bin original hash: 438BE0527651636B5B6EEFCD2FDDE01236A094E82B7403490F46A98C598CEA57 (found in stage3_80020000.bin)
payload_90000000.bin original hash: 1C859549DB0843E98EBF3CF750CB82EB1E04CB51D40528DCDD261FBFD8B06DCE (hash not found)
payload_98000000.bin original hash: 613E27063681EF5ACC00D5B57ECC45E87FC42F559D12EDC5D7772674DD27A86B (found in payload_90000000.bin)
payload_A0000000.bin original hash: AA5153CF7F86FA06943740D0117527953BC03FBC655605AD46095CD1D8769718 (found in payload_90000000.bin)
payload_A0000000_dec.bin original hash: 80F1C4418B3FF850106FD2CFD265F72BD7480E494831509D1E5D3DDD914DBDF9 (hash not found)

Just posting here if anyone wants to know.

You can decompress the KIP files like this for use in IDA:
hactool -t kip1 kip_BFE808C4.bin -k keys.dat --uncompressed=kip_BFE808C4_Dec.bin
 
Last edited by mrdude,
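What the two hash posts above are doing by hand, hashing each extracted component and searching for the digest in the others to learn which blob verifies which, can be scripted. The following is an added Python example, not mrdude's script or anything shipped with SX OS; the six sample blobs are constructed so that the embedded digests mimic the chain the posts report (rommenu in app_header, fb and payload_81 in stage3, stage3 in boot.dat), and the file names are borrowed from the listing only as labels. It also answers the practical question behind "surely there must be somewhere that hash is stored": after patching one component, `stale_after_patch` lists the stored digests that no longer match, and each holder you then fix changes its own digest, so the walk repeats up the chain.

```python
"""Map which firmware component stores the SHA-256 of which other component."""
import hashlib

ENCODINGS = ("raw", "hex-lower", "hex-upper")


def sha256(blob):
    return hashlib.sha256(blob).digest()


def encode_digest(digest, encoding):
    """A stored hash may be the 32 raw bytes or a 64-char hex string."""
    if encoding == "raw":
        return digest
    if encoding == "hex-lower":
        return digest.hex().encode()
    return digest.hex().upper().encode()


# Constructed sample (not SX OS data): each holder embeds the raw digest of
# the component it checks, mimicking the chain reported in the posts.
FB = bytes.fromhex("000000ff") * 16
ROMMENU = b"ROMMENU sample payload\x00" * 3
PAYLOAD81 = b"payload81 sample\x00" * 4
APP_HEADER = b"APPHDR\x00\x00" + sha256(ROMMENU) + b"\x00" * 8
STAGE3 = b"STAGE3\x00\x00" + sha256(FB) + sha256(PAYLOAD81)
BOOT_DAT = b"BOOT" + b"\xaa" * 12 + sha256(STAGE3)

SAMPLE = {
    "fb_F0000000.bin": FB,
    "rommenu.bin": ROMMENU,
    "payload_81000000.bin": PAYLOAD81,
    "app_header.bin": APP_HEADER,
    "stage3_80020000.bin": STAGE3,
    "boot.dat": BOOT_DAT,
}


def find_hash_references(components):
    """Hash every component and search for the digest (raw and both hex
    spellings) inside every other component.
    Returns {name: [(holder, offset, encoding), ...]}; [] means 'hash not found'."""
    refs = {}
    for name, blob in components.items():
        digest = sha256(blob)
        hits = []
        for holder, haystack in components.items():
            if holder == name:
                continue
            for encoding in ENCODINGS:
                needle = encode_digest(digest, encoding)
                pos = haystack.find(needle)
                while pos != -1:
                    hits.append((holder, pos, encoding))
                    pos = haystack.find(needle, pos + 1)
        refs[name] = hits
    return refs


def stale_after_patch(components, name, patched_blob):
    """If `name` is replaced by `patched_blob`, which stored digests stop
    matching? Each (holder, offset) would need re-patching, and that holder's
    own digest then changes, so the check has to be repeated up the chain."""
    new_digest = sha256(patched_blob)
    stale = []
    for holder, offset, encoding in find_hash_references(components)[name]:
        expected = encode_digest(new_digest, encoding)
        stored = components[holder][offset:offset + len(expected)]
        if stored != expected:
            stale.append((holder, offset))
    return stale


def chain_report(components):
    """Lines in the same shape as the posts: name, hash, where it was found."""
    lines = []
    for name, hits in find_hash_references(components).items():
        where = ", ".join(f"found in {h} @0x{off:X} ({enc})" for h, off, enc in hits)
        lines.append(f"{name}: {sha256(components[name]).hex().upper()} ({where or 'hash not found'})")
    return lines


if __name__ == "__main__":
    print("\n".join(chain_report(SAMPLE)))
    print("stale after patching rommenu:", stale_after_patch(SAMPLE, "rommenu.bin", ROMMENU + b"mod"))
```

On real extracted files, build the dictionary from `open(path, "rb").read()` for each component; a digest that is found nowhere (as with app_header.bin and the bootloader in the listing) is either stored in a still-encrypted region, stored in a transformed form this search does not cover, or never checked at all, which is exactly the question the first post asks.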

mrdude
@mrdude
No, it's stage3, which is checked itself on restart.
OK, thanks.

Also, I found where some of the decryption keys are stored; it might be handy for finding more keys:

Code:
found in stage3_80020000.bin
fb_ctr = ("39B0F6E0846C53DCE0457F285797AE99") - 0xA5F0
fb_key = ("4599F62BF51E62B6AC05AAA7E7B03DE3") - 0xA600

found in stage3_80020000.bin
payload81_ctr = ("C28124EAA147BEE8EF865E2AE8496834") 0xA640
payload81_key = ("12280A64B7A487E99864CD2E22393C87") 0xA650

found in payload_81000000.bin
bootloader_ctr = ("5BCF60493E61BCB930FD44C7FAC0EE09") 0x1CA008
bootloader_key = ("FB61357AB9DEE1C9D4C49F6488349EF0") 0x1CA018

found in bootloader_88000000.bin
assets_ctr = ("7298408E70FBE048DCC6E594B0C272B6") 0x47E60
assets_key = ("EF48639FC925C8D0364B2DA7614EB038") 0x47E70

found in payload_90000000.bin
payload98_ctr = ("467E7F219FDCAFA5E6187262755D4DFC") - 0x11ff020
payload98_key = ("DEE47F27900D540AFE04C4063638CE0F") - 0x11ff030

found in payload_90000000.bin
payloadA0_ctr = ("AAF5295AEC233F953B408EE27F892CF8") - 0x11F070
payloadA0_key = ("043AB07482B9A8B55EA9041C74CD92EB") - 0x11F080

found in payload_98000000.bin
fw_ctr = ("A4C122884E6C8979E3E3E0F07D116E52") - 0x17F21C
fw_key = ("81F555CC58EF03CB41BD81C90A8E8F79") - 0x17F22C

s2_ctr = ("8E4C7889CBAE4A3D64797DDA84BDB086")
s2_key = ("47E6BFB05965ABCD00E2EE4DDF540261") - not found

(Found in payload_81000000.bin (0x1D2A14 size 0x50) XOR with 0xFE) - use winhex
payload90_ctr = ("DCD96167060A7A9E1F2BC8C1C2A611B4")
payload90_key = ("95F4D1F3C1EC6E5A54AC70F49AE315F5")
 
Last edited by mrdude,

Inaki

Well-Known Member
Member
Joined
Jan 23, 2014
Messages
278
Trophies
0
Age
42
XP
603
Country
Ok thanks, I managed it in winhex - my other hex editor didn't have that feature:

DnOOykj.png


How did you figure that out?
It has been ages since I used them, but there were some programs that would do data analysis and search using several techniques like entropy, statistical, transpositions and easy/linear transformations and such over a given plaintext in a data file. Anyway, for this case, you could write a small program to look for any 4, 8, 16 or 32 bytes that would check for them with any XOR value.

Just a small idea on how to do this a bit faster: just scan the buffer incrementing the pointer byte by byte but checking 1, 2, 4 or 8 dwords. Also, I would check like this (this example is for scanning for 16 byte targets):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one 32-bit hex argument such as "DCD96167". */
static unsigned int ReadHex(const char* s) { return (unsigned int)strtoul(s, NULL, 16); }

int main(int argc, char* argv[])
{
    if (argc != 6) { fprintf(stderr, "usage: %s dwordA dwordB dwordC dwordD file\n", argv[0]); return 1; }

    unsigned int TargetDwordA = ReadHex(argv[1]); // Provide target 16 byte value by giving four 32bit hex parameters (in the buffer's native byte order)
    unsigned int TargetDwordB = ReadHex(argv[2]);
    unsigned int TargetDwordC = ReadHex(argv[3]);
    unsigned int TargetDwordD = ReadHex(argv[4]);
    unsigned int TestDwordA, TestDwordB, TestDwordC, TestDwordD;
    unsigned int Words[4];

    FILE* f = fopen(argv[5], "rb"); // read file contents here...
    if (f == NULL) { perror(argv[5]); return 1; }
    fseek(f, 0, SEEK_END);
    long BufferSize = ftell(f); // set file size or read bytes number here...
    rewind(f);
    unsigned char* pBuffer = malloc((size_t)BufferSize);
    if (pBuffer == NULL || fread(pBuffer, 1, (size_t)BufferSize, f) != (size_t)BufferSize)
    {
        perror("read"); fclose(f); free(pBuffer); return 1;
    }
    fclose(f);

    for (long InBufferIndex = 0; InBufferIndex + 16 <= BufferSize; InBufferIndex++) // <= so the last 16 bytes are tested as well
    {
        memcpy(Words, &pBuffer[InBufferIndex], 16); // memcpy, not a cast to unsigned int*: no unaligned/aliasing UB at odd offsets
        TestDwordA = Words[0] ^ TargetDwordA;
        TestDwordB = Words[1] ^ TargetDwordB;
        TestDwordC = Words[2] ^ TargetDwordC;
        TestDwordD = Words[3] ^ TargetDwordD;

        if ((TestDwordA == TestDwordB) && (TestDwordA == TestDwordC) && (TestDwordA == TestDwordD))
        {
            printf("Target found at offset %ld (%lX) using xor key %08X.\n", InBufferIndex, InBufferIndex, TestDwordA); // Note that key may be 32bits, 16bits or 8bits but printed as 32bits, so if its four bytes are equal it would be an 8bit xor, if it has two 16bit parts that are equal it would be a 16bit xor key and if four bytes are different it would be a 32bit xor key
        }
    }
    free(pBuffer);
    return 0;
}


This is a way to look for any xored value by looking for the target and obtaining the xor key without trying all keys.
 
Last edited by Inaki,

mrdude
It has been ages since I used them, but there were some programs that would do data analysis and search using several techniques like entropy, statistical, transpositions and easy/linear transformations and such over a given plaintext in a data file. Anyway, for this case, you could write a small program to look for any 4, 8, 16 or 32 bytes that would check for them with any XOR value.

Just a small idea on how to do this a bit faster: just scan the buffer incrementing the pointer byte by byte but checking 1, 2, 4 or 8 dwords. Also, I would check like this:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one 32-bit hex argument such as "DCD96167". */
static unsigned int ReadHex(const char* s) { return (unsigned int)strtoul(s, NULL, 16); }

int main(int argc, char* argv[])
{
    if (argc != 6) { fprintf(stderr, "usage: %s dwordA dwordB dwordC dwordD file\n", argv[0]); return 1; }

    unsigned int TargetDwordA = ReadHex(argv[1]); // Provide target 16 byte value by giving four 32bit hex parameters (in the buffer's native byte order)
    unsigned int TargetDwordB = ReadHex(argv[2]);
    unsigned int TargetDwordC = ReadHex(argv[3]);
    unsigned int TargetDwordD = ReadHex(argv[4]);
    unsigned int TestDwordA, TestDwordB, TestDwordC, TestDwordD;
    unsigned int Words[4];

    FILE* f = fopen(argv[5], "rb"); // read file contents here...
    if (f == NULL) { perror(argv[5]); return 1; }
    fseek(f, 0, SEEK_END);
    long BufferSize = ftell(f); // set file size or read bytes number here...
    rewind(f);
    unsigned char* pBuffer = malloc((size_t)BufferSize);
    if (pBuffer == NULL || fread(pBuffer, 1, (size_t)BufferSize, f) != (size_t)BufferSize)
    {
        perror("read"); fclose(f); free(pBuffer); return 1;
    }
    fclose(f);

    for (long InBufferIndex = 0; InBufferIndex + 16 <= BufferSize; InBufferIndex++) // <= so the last 16 bytes are tested as well
    {
        memcpy(Words, &pBuffer[InBufferIndex], 16); // memcpy, not a cast to unsigned int*: no unaligned/aliasing UB at odd offsets
        TestDwordA = Words[0] ^ TargetDwordA;
        TestDwordB = Words[1] ^ TargetDwordB;
        TestDwordC = Words[2] ^ TargetDwordC;
        TestDwordD = Words[3] ^ TargetDwordD;

        if ((TestDwordA == TestDwordB) && (TestDwordA == TestDwordC) && (TestDwordA == TestDwordD))
        {
            printf("Target found at offset %ld (%lX) using xor key %08X.\n", InBufferIndex, InBufferIndex, TestDwordA); // Note that key may be 32bits, 16bits or 8bits but printed as 32bits, so if its four bytes are equal it would be an 8bit xor, if it has two 16bit parts that are equal it would be a 16bit xor key and if four bytes are different it would be a 32bit xor key
        }
    }
    free(pBuffer);
    return 0;
}
Maybe you can write a small C or C++ program to do it, but just make it read a text file or binary file containing the keys to search for? TBH it's probably easier to decompile the things in IDA and look at the address where the current keys are stored, then see what calls them and work backwards from there. You can't search for the keys if you don't know what they are, but looking at the decompiled code you can try to figure out where the jumps are made and take it from there.

Reacher17 will have a good idea on how to do this as he's found a heap of keys already.
 
  • Like
Reactions: Inaki
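A Python version of the same idea, added here as an example that is neither Inaki's nor mrdude's code: it takes its targets from a key-list text file as mrdude suggests, and instead of trying every XOR value it derives the candidate key from the first bytes of each window and checks that the key repeats over the whole target, so the 1-, 2- and 4-byte keys that Inaki's printf comment distinguishes are recovered directly (a single-byte key such as the 0xFE case earlier in the thread is reported as one byte, a plain copy as key 0x00). The sample blob and the 16-byte target value are constructed; the reported offsets are where the construction placed them.

```python
"""Locate a known value in a blob even when it is stored XORed with a short
repeating key, recovering the key from the match rather than brute-forcing it."""


def find_xored(blob, target, key_lengths=(1, 2, 4)):
    """Slide over blob one byte at a time. At each offset derive a candidate key
    from the first key_len bytes (window XOR target) and verify that it repeats
    across the whole target. Returns [(offset, key)]; key b'\\x00' means the
    value is stored in plain form. The shortest key that explains a window wins."""
    n = len(target)
    hits = []
    for off in range(len(blob) - n + 1):
        window = blob[off:off + n]
        for key_len in key_lengths:
            if n % key_len:
                continue  # only keys that tile the target exactly
            key = bytes(w ^ t for w, t in zip(window[:key_len], target[:key_len]))
            if all((window[i] ^ target[i]) == key[i % key_len] for i in range(n)):
                hits.append((off, key))
                break
    return hits


def parse_targets(text):
    """Key-list file format assumed here: one hex value per line, '#' comments
    and blank lines ignored."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            targets.append(bytes.fromhex(line))
    return targets


def scan_many(blob, targets):
    """Run find_xored for every listed target; keyed by the target's hex string."""
    return {t.hex().upper(): find_xored(blob, t) for t in targets}


def describe(hits):
    """Human-readable lines in the spirit of the C program's printf."""
    return [f"offset {off} (0x{off:X}) xor key {key.hex().upper()} ({len(key) * 8}-bit)"
            for off, key in hits]


# Constructed sample, not real firmware: the same 16-byte value stored once
# XOR 0xFE (the single-byte case from the thread), once plain, and once under
# a 2-byte key 12 34, separated by filler.
KEY = bytes.fromhex("8f3a5c91d27be604a7c3519e0b6df2c8")
BLOB = (b"\x00" * 7
        + bytes(b ^ 0xFE for b in KEY)
        + b"junk"
        + KEY
        + bytes(b ^ (0x12, 0x34)[i % 2] for i, b in enumerate(KEY))
        + b"\xff" * 3)

KEY_LIST = "# candidate values, one per line\n" + KEY.hex() + "\n"

if __name__ == "__main__":
    for name, hits in scan_many(BLOB, parse_targets(KEY_LIST)).items():
        print(name)
        for line in describe(hits):
            print("  " + line)
```

Against a real dump, read the blob with `open(path, "rb").read()` and the key list from a file; a hit with a non-zero key tells you the value is only obscured, not protected, which is the point of looking for it this way.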

Inaki
Country
Maybe you can write a small C or C++ program to do it, but just make it read a text file or binary file containing the keys to search for? TBH it's probably easier to decompile the things in IDA and look at the address where the current keys are stored, then see what calls them and work backwards from there. You can't search for the keys if you don't know what they are, but looking at the decompiled code you can try to figure out where the jumps are made and take it from there.

Reacher17 will have a good idea on how to do this as he's found a heap of keys already.
Yeah, I will :) tomorrow. Wrote this with a shitty remote-like keyboard while in bed with the screen projected on the front wall, lol. I do think this would give easy hints to later look into the found offsets with IDA...

Btw, you guys are on a roll :bow:
 
Last edited by Inaki,
  • Like
Reactions: mrdude

tivu100

Well-Known Member
Member
Joined
Jun 6, 2015
Messages
2,260
Trophies
0
Age
34
XP
1,136
Country
United States
@mrdude Can you mod the latest Hekate please? I need it so I can also dual boot Atmosphere on 12 without Tinfoil removing the patches.ini.

Thanks in advance.
 
