Hacking Hack SXOS

mrdude

mrdude

Developer
Developer
Level 17
Joined
Dec 11, 2015
Messages
2,488
Trophies
1
Age
55
XP
6,626
Inaki said:
I will have a look into tinfoil.nro ( or the elf file ) and see if there is some easy way. The thing is the license.dat seems not enough, right ? first I need to see wether that is actually the case and then see how it accesses console fingerprint.

--------------------- MERGED ---------------------------


yeah, it seems those check it, somehow, or the boot.dat itself does it, probably reading the firmware serial ID if boot.dat is doing the check...
Click to expand...
Yep - it's a license check.

I used modded boot.dat and booted the switch.
FTP's into switch and renamed atmosphere/sept/bootloader folders and licence.dat file.
Opened Tinfoil - still the same error.

Booting with unmodded boot.dat and original licence - everything works, even with sept/atmosphere/bootloader folder present.

There's no other explanation other than those apps check for the fingerprint/license is valid.
 
  • Like
Reactions: lordelan
I

Inaki

Well-Known Member
Member
Level 5
Joined
Jan 23, 2014
Messages
278
Trophies
0
Age
41
XP
591
Country
laotoulyh said:
Yes, this method cannot be applied to SX CORE and SX LITE.
Will prompt "boot.dat?"
I just tested it.
Click to expand...
It is more or less assumable that lite and core users will have a license, but that could still be not the case. The guy that reversed the firmware to create SpaceCraft-NX may know something. My guess is the firmware is not able to do any major check, maybe just some first n byte compare, some checksum or something like that.
 
mrdude

mrdude

Developer
Developer
Level 17
Joined
Dec 11, 2015
Messages
2,488
Trophies
1
Age
55
XP
6,626
Inaki said:
It is more or less assumable that lite and core users will have a license, but that could still be not the case. The guy that reversed the firmware to create SpaceCraft-NX may know something. My guess is the firmware is not able to do any major check, maybe just some first n byte compare, some checksum or something like that.
Click to expand...
OK, update.

I ran modded boot.dat, ftp'd into switch and renamed those folders - opened tinfoil and pressed Y to remove offending files. Then Tinfoil worked, so I ftp'd back into the switch and renamed the folders back again and rebooted the switch - Now tinfoil works fine with those folders present.

I assume the offending file might have been in my sxos folder - as all other folder/files are still there. So Tinfoil doesn't do a license check after all :-).

SX Save manager navigation keys don't work on the main screen.
SX Dumper - same as above.
 
Last edited by mrdude,
  • Like
Reactions: lordelan and Inaki
I

Inaki

Well-Known Member
Member
Level 5
Joined
Jan 23, 2014
Messages
278
Trophies
0
Age
41
XP
591
Country
mrdude said:
OK, update.

I ran modded boot.dat, ftp'd into switch and renamed those folders - opened tinfoil and pressed Y to remove offending files. Then Tinfoil worked, so I ftp'd back into the switch and renamed the folders back again and rebooted the switch - Now tinfoil works fine with those folders present.

I assume the offending file might have been in my sxos folder - as all other folder/files are still there. So Tinfoil doesn't do a license check after all :-).
Click to expand...
can you use the icon view ?
 
mrdude

mrdude

Developer
Developer
Level 17
Joined
Dec 11, 2015
Messages
2,488
Trophies
1
Age
55
XP
6,626
Inaki said:
ok, so yeah, it needs to be cracked. Looking into the elf file right now...
Click to expand...

It seems weird that SX Save manager and SX Dumper even load - these totally fail under Atmosphere. They would work under modded SXOS if the navigation buttons worked - so probably only 1 check needs patched.
 
  • Like
Reactions: Inaki
angrynewraze

angrynewraze

Well-Known Member
Member
Level 2
Joined
May 27, 2020
Messages
135
Trophies
0
Age
33
XP
218
Country
United States
mrdude said:
Script updated - added fingerprint.txt

If you want to use your own fingerprint - put it in a text file called fingerprint.txt and use your own licence.dat.

If the fingerprint.txt file is missing the script will use it's own embedded fingerprint and make a licence.dat file for you automatically.

This means you don't need to edit the python file now, when using this script.

(put only the fingerprint shown from the switch that contains the valid licence in the text file - no other data)
Click to expand...
How do I use this? Is there some sort of guide on how to use this to mod my boot.dat file and give me a license.dat file?
 
davexx

davexx

Active Member
Newcomer
Level 5
Joined
Oct 9, 2018
Messages
36
Trophies
0
Age
34
XP
558
Country
Bahamas, The
im little confuse, sxos has the feature to play xci or is tinfoil app with extra features when using sxos?
will be good have a port to play xci using external usb on ams
 
angrynewraze

angrynewraze

Well-Known Member
Member
Level 2
Joined
May 27, 2020
Messages
135
Trophies
0
Age
33
XP
218
Country
United States
mrdude said:
Install python 3.9, put boot.dat in the same folder as this script - click on the script to run it.
Click to expand...
I have python 3.9.2 installed and boot.dat is in the same folder and I've clicked on script to run it but it did nothing. I also just tried with python 3.9.0 and it still did nothing
 
Last edited by angrynewraze,
mrdude

mrdude

Developer
Developer
Level 17
Joined
Dec 11, 2015
Messages
2,488
Trophies
1
Age
55
XP
6,626
angrynewraze said:
I have python 3.9 installed and boot.dat is in the same folder and I've clicked on script to run it but it did nothing.
Click to expand...
You probably didn't set up windows environment variables then. Probably you should use google to figure that out. This isn't really a thread about teaching people how to use their computers.
 
  • Like
Reactions: Inaki
I

Inaki

Well-Known Member
Member
Level 5
Joined
Jan 23, 2014
Messages
278
Trophies
0
Age
41
XP
591
Country
angrynewraze said:
I have python 3.9 installed and boot.dat is in the same folder and I've clicked on script to run it but it did nothing.
Click to expand...
use cmd to run the script, you are probably having the crypto library dependency issue. in cmd, type this:

pip install pycryptodome

then run the scrypt again ( python scriptname.py ).
 
Last edited by Inaki,
mrdude

mrdude

Developer
Developer
Level 17
Joined
Dec 11, 2015
Messages
2,488
Trophies
1
Age
55
XP
6,626
davexx said:
im little confuse, sxos has the feature to play xci or is tinfoil app with extra features when using sxos?
will be good have a port to play xci using external usb on ams
Click to expand...

AMS will never be able to play XCI files from an external hard drive, this has been made clear for years and nothing has changed.
 
  • Like
Reactions: Inaki
angrynewraze

angrynewraze

Well-Known Member
Member
Level 2
Joined
May 27, 2020
Messages
135
Trophies
0
Age
33
XP
218
Country
United States
mrdude said:
You probably didn't set up windows environment variables then. Probably you should use google to figure that out. This isn't really a thread about teaching people how to use their computers.
Click to expand...
so python is now added in my environment variables and I click on the script to run it and it still does nothing no modded boot.dat file and no license.dat file were created. and in the most recent zip file you uploaded did not have the fingerprint.txt file in it.
 
Last edited by angrynewraze,
I

Inaki

Well-Known Member
Member
Level 5
Joined
Jan 23, 2014
Messages
278
Trophies
0
Age
41
XP
591
Country
@mrdude the rommenu.nro can be extracted from any boot.dat, right ? the thing is:

a) tinfoil.elf does not have any direct reference to license.dat. Maybe it is obfuscated or maybe it is calling the rommenu.nro ? no idea.
b) I found a cracked sx os 1.3, which seems to be a rommenu.nro. So, I thought, hmmm, what if I compare it to the original rommenu.nro from sx os 1.3 ? that, comparing the .elf files extracted from the .nro files, would maybe point us in the right direction to some pattern/place to look for in the extracted rommenu.nro from sx os 3.1.0...
c) so, how would I extract the rommenu.nro from a given boot.dat file ? the python script you guys made does this ?

EDIT: Having a hard time finding SX OS v1.3... anyone has that ? EDIT2: found this, it was not easy...
 
Last edited by Inaki,
mrdude

mrdude

Developer
Developer
Level 17
Joined
Dec 11, 2015
Messages
2,488
Trophies
1
Age
55
XP
6,626
Inaki said:
how would I extract the rommenu.nro from a given boot.dat file ? the python script you guys made does this ?
Click to expand...

Comment out this line: os.remove("rommenu.bin") - rename that bin file to nro.

Or you can just use python3-tx_unpack.py file that's already posted in this thread and use that on any sxos boot.dat version. rommenu.bin is found in the apps folder - just rename to rommenu.nro.
 
  • Like
Reactions: Inaki
B

blawar

Developer
Developer
Level 14
Joined
Nov 21, 2016
Messages
1,709
Trophies
1
Age
39
XP
4,295
Country
United States
Inaki said:
@mrdude the rommenu.nro can be extracted from any boot.dat, right ? the thing is:

a) tinfoil.elf does not have any direct reference to license.dat. Maybe it is obfuscated or maybe it is calling the rommenu.nro ? no idea.
b) I found a cracked sx os 1.3, which seems to be a rommenu.nro. So, I thought, hmmm, what if I compare it to the original rommenu.nro from sx os 1.3 ? that, comparing the .elf files extracted from the .nro files, would maybe point us in the right direction to some pattern/place to look for in the extracted rommenu.nro from sx os 3.1.0...
c) so, how would I extract the rommenu.nro from a given boot.dat file ? the python script you guys made does this ?

EDIT: Having a hard time finding SX OS v1.3... anyone has that ?
Click to expand...

Did you disassemble the tinfoil nro or nsp?
 
  • Like
Reactions: Inaki
General chit-chat
Help Users
    A @ abraarukuk: :rofl2: