Hacking Hack SXOS

Reacher17

Well-Known Member
OP
Member
Joined
Sep 18, 2019
Messages
128
Trophies
0
XP
755
Country
France
> Not working for me, I've tried on 2 different switches with 2 original SXOS licences, this is how I tested:
>
> Installed 10.0.0.2 firmware on emunand.
> Tried boot.dat from 2.9.5 (unpatched works fine and boots into emunand using original licence.dat).
> Using patched (manual and from scripts) boot.dat - sxos freezes on sxos logo screen, long press of volume plus button brings up sxos admin menu - this shows emunand as disabled, and sxos licence fail.

Maybe it's the change you made to my script that gives you this error.
 

mrdude

Developer
Developer
Joined
Dec 11, 2015
Messages
3,076
Trophies
1
Age
56
XP
8,220
> Maybe it's the change you made to my script that gives you this error.
I tried manually and using the scripts - also in the ARM64 code it does this:

Code:
eor w0, w0, w1
mov w13, #0x95c
movk w13, #0x8100, lsl #16
ldrb w14, [x13, #3]
mov w15, #0
cmp w14, w15
b.ne #0x186e14
b #0x194020
mov x10, #0x4100
movk x10, #0x8019, lsl #16
ldp x11, x12, [x10]
mov x13, #0x950
movk x13, #0x8100, lsl #16
stp x11, x12, [x13]
b #0x186e14

How come the branch addresses are:
b.ne #0x186e14
b #0x194020

In your code you have them going here:
0x194100
0x186e10

That doesn't make sense to me?
 

Reacher17
> I tried manually and using the scripts - also in the ARM64 code it does this:
>
> Code:
> eor w0, w0, w1
> mov w13, #0x95c
> movk w13, #0x8100, lsl #16
> ldrb w14, [x13, #3]
> mov w15, #0
> cmp w14, w15
> b.ne #0x186e14
> b #0x194020
> mov x10, #0x4100
> movk x10, #0x8019, lsl #16
> ldp x11, x12, [x10]
> mov x13, #0x950
> movk x13, #0x8100, lsl #16
> stp x11, x12, [x13]
> b #0x186e14
>
> How come the branch addresses are:
> b.ne #0x186e14
> b #0x194020
>
> In your code you have them going here:
> 0x194100
> 0x186e10
>
> That doesn't make sense to me?

b.ne 0x186e14 this is a jump condition

b 0x194020 this is also a jump condition
 

mrdude
> b.ne 0x186e14 this is a jump condition
>
> b.ne 0x194000 this is also a jump condition

Yes, I am aware of that - but the addresses they jump to do not make sense. You have put the fingerprint here:
0x194100
But you make the jump to here:
0x194020

Also you have put a patch here:
0x186e10
but you make the jump to here:
0x186e14

Surely that patch can't work as your jump doesn't go to the correct address.

Also in your scripts you only have AES keys for v2.9.5 sxos; to encrypt/decrypt any other version of sxos you also need to include those keys (which you didn't).

Reacher17
You can have 3 errors. The fix in the payload80 at address 0x186e14 is not there. Where your fingerprint in the payload80 has address 0x194100 is also not there. Where the code at address 0x194000 in payload80 payload is not there.

mov x10, #0x4100
movk x10, #0x8019, lsl #16
= 0x80194100 ^^
 

mrdude
> You can have 3 errors. The fix in the payload80 at address 0x186e14 is not there. Where your fingerprint in the payload80 has address 0x194100 is also not there. Where the code at address 0x194000 in payload80 payload is not there.
Go to Arm2hex website:
https://armconverter.com/?disasm

Paste in your code:
0000014A8D2B81520D20B072AE0D40390F008052DF010F6BE16FF954010000140A2088D22A03B0F24B3140A90D2A81D20D20B0F2AB3100A977CBFF17

Set offset to: 0x194000

That's why it doesn't make sense.
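To check the branch targets the two posters are arguing over without a web tool, here is an added example (not code from the thread, from either poster's scripts, or from SXOS) that decodes the hex string posted above as little-endian AArch64 words at the stated offset 0x194000, resolves every B / B.cond to its absolute target, and folds each MOVZ/MOVK pair into the immediate it builds. The hex and the offset are taken from the post; the decoding helpers and their names are mine.

```python
import struct

# The hex string posted in the thread, loaded at the offset named there (0x194000).
CODE_HEX = ("0000014A8D2B81520D20B072AE0D40390F008052DF010F6BE16FF95401000014"
            "0A2088D22A03B0F24B3140A90D2A81D20D20B0F2AB3100A977CBFF17")
BASE = 0x194000

def words_of(code_hex):
    """Split the hex into little-endian 32-bit AArch64 instruction words."""
    return struct.unpack("<%dI" % (len(code_hex) // 8), bytes.fromhex(code_hex))

def sign_extend(value, bits):
    """Read the low `bits` bits of value as a two's-complement integer."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def branch_targets(code_hex, base):
    """Map the address of every B / B.cond to the absolute address it jumps to."""
    targets = {}
    for i, insn in enumerate(words_of(code_hex)):
        pc = base + 4 * i
        if insn & 0xFC000000 == 0x14000000:      # B: imm26 in bits 25:0, PC-relative, *4
            targets[pc] = pc + 4 * sign_extend(insn & 0x3FFFFFF, 26)
        elif insn & 0xFF000010 == 0x54000000:    # B.cond: imm19 in bits 23:5, cond in bits 3:0
            targets[pc] = pc + 4 * sign_extend((insn >> 5) & 0x7FFFF, 19)
    return targets

def movz_movk_values(code_hex, base):
    """Map the address of each MOVZ to the immediate its MOVZ/MOVK sequence builds."""
    values, pending = {}, {}                     # pending: register -> address of its MOVZ
    for i, insn in enumerate(words_of(code_hex)):
        pc, rd = base + 4 * i, insn & 0x1F
        imm, shift = (insn >> 5) & 0xFFFF, 16 * ((insn >> 21) & 3)
        if insn & 0x7F800000 == 0x52800000:      # MOVZ (sf bit ignored; the value is the same)
            pending[rd] = pc
            values[pc] = imm << shift
        elif insn & 0x7F800000 == 0x72800000 and rd in pending:   # MOVK: replace one 16-bit lane
            at = pending[rd]
            values[at] = (values[at] & ~(0xFFFF << shift)) | (imm << shift)
    return values

if __name__ == "__main__":
    for pc, target in branch_targets(CODE_HEX, BASE).items():
        print("branch at 0x%x -> 0x%x" % (pc, target))
    for pc, value in movz_movk_values(CODE_HEX, BASE).items():
        print("immediate built at 0x%x = 0x%x" % (pc, value))
```

Run as-is it shows the b.ne at 0x194018 and the final b at 0x194038 both landing on 0x186e14, the unconditional b at 0x19401c landing on the very next instruction (0x194020), and the x10 pair at 0x194020 building 0x80194100, which is the address the later posts discuss.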
 

mrdude
> Do you understand the ASM code? I don't think so in view of your words.

I understand that the patches don't work for me, and I also understand that without the correct AES keys in your scripts, encoding/decoding anything other than 2.9.5 sxos is not going to work.
 

Foxi4

Endless Trash
Global Moderator
Joined
Sep 13, 2009
Messages
30,818
Trophies
3
Location
Gaming Grotto
XP
29,789
Country
Poland
> Thread's been cleaned, if I have to come in here again anyone involved in behaviour that goes against our community standards will walk out of it with an extra notch on their warn count. Trolling and flaming won't be tolerated.
I think I was clear the first time, and I'm a man of my word. Smacks deployed where appropriate, don't let me catch you again. If you have no interest in the project, you can close the tab. If you see a post that upsets you, report it and walk away.

lordelan

Well-Known Member
Member
Joined
Jan 4, 2015
Messages
5,769
Trophies
1
Age
44
XP
6,475
Country
Germany
> We've had rommenu extracted since 2018, are you gonna show real real proof, not shaky camera quick *Snip*

I'd rather take a shaky camera (as that is hard to fake with video editing) than a static camera angle, so he has caught my interest with those videos.
I still have a friend who wasn't able to get a license but would love to have the USB XCI mounting feature so I'd be happy to give him access to this. :)
 

Foxi4
In all fairness, you are obscuring the cartridge slot at a pretty critical moment there - no way of knowing if there's a third-party with you sneaking the cartridge in, but at least you went through the trouble of filming a video as requested. Carry on carrying on, just be aware that reasonable doubt is to be expected in this area at least until a working, somewhat stable public release is out and can be verified by the userbase.
 

lordelan
> In all fairness, you are obscuring the cartridge slot at a pretty critical moment there - no way of knowing if there's a third-party with you sneaking the cartridge in, but at least you went through the trouble of filming a video as requested. Carry on carrying on, just be aware that reasonable doubt is to be expected in this area at least until a working, somewhat stable public release is out and can be verified by the userbase.
Haven't you seen his other video a few posts ago?
He has the real cartridge of BotW in it and flips it out while the video is going. You can clearly see it. Then he mounts Oceanhorn which boots. So it seems legit to that point.

Foxi4
> Haven't you seen his other video a few posts ago?
> He has the real cartridge of BotW in it and flips it out while the video is going. You can clearly see it. Then he mounts Oceanhorn which boots. So it seems legit to that point.
I'm afraid that my participation in this thread is all business and no pleasure. :P