Hacking Hack SXOS

[Inaki]

Just wanted to inform you. Black screen. I can use SXOS Genuine Boot and fw12.0.0 boots just fine. TegraExplorer doesn't fail but it seems it does not work properly. Lockpick_RCM doesn't recognize the partition. I will try with other prod.keys and call it a day.

Oh well, being bleeding edge and using the tools that are not updated...
https://github.com/shchmue/Lockpick_RCM/releases
https://github.com/suchmememanyskill/TegraExplorer/releases
Both updated hours ago...

EDIT: Tried with the new TegraExplorer and it still creates a 575MB output... the author says he doesn't have a mariko switch so, maybe there's something with mariko units he didn't see yet ?

 

[mrdude]

@Reacher17,

It seems you should be able to remove license.dat check from bootloader_88000000.bin

Extract from boot.dat code to add to python script:

bootloader_key = unhexlify("FB61357AB9DEE1C9D4C49F6488349EF0")
bootloader_ctr = unhexlify("5BCF60493E61BCB930FD44C7FAC0EE09")
bootloader = 'bootloader_88000000.bin'

#bootloader
bootloader_off = 0x5B6DE0
bootloader_size = 0x4A000
bootloader_base = 0x88000000
bootload = open(bootloader.format(bootloader_base), "wb")
bootload.write(aes_ctr_dec(b[bootloader_off:bootloader_off+bootloader_size], bootloader_key, bootloader_ctr))
bootload.close()

In IDA:

Open extracted bootloader_88000000.binwith ida64:

Set processor type to: Arm Little Endian
Uncheck - create segments/load as code segment

Next popup box - just press ok
Next popup box - just press yes
Next popup box - just press ok

In ida main menu - Edit/select all
Right click on code window and select - code
Chose Analyze from popup.

Subs will be on left side...

View - open subviews/strings.
Select from strings menu - license.dat - then click on the sub1_1DC8+1A0 address (inspect the sub)
Select from strings menu - Genuine boot - then click on sub_748c+1E8 (inspect the sub)

It seems like this license check can be patched out - but there seems to be a sha256(or something else), for this file because if you mod it and re-encrypt and put back into boot.dat, sxos won't boot. Do you happen to know what/where the check is made?

 

[Reacher17]

@Reacher17,

It seems you should be able to remove license.dat check from bootloader_88000000.bin

Extract from boot.dat code to add to python script:

bootloader_key = unhexlify("FB61357AB9DEE1C9D4C49F6488349EF0")
bootloader_ctr = unhexlify("5BCF60493E61BCB930FD44C7FAC0EE09")
bootloader = 'bootloader_88000000.bin'

#bootloader
bootloader_off = 0x5B6DE0
bootloader_size = 0x4A000
bootloader_base = 0x88000000
bootload = open(bootloader.format(bootloader_base), "wb")
bootload.write(aes_ctr_dec(b[bootloader_off:bootloader_off+bootloader_size], bootloader_key, bootloader_ctr))
bootload.close()

In IDA:

Open extracted bootloader_88000000.binwith ida64:

Set processor type to: Arm Little Endian
Uncheck - create segments/load as code segment

Next popup box - just press ok
Next popup box - just press yes
Next popup box - just press ok

In ida main menu - Edit/select all
Right click on code window and select - code
Chose Analyze from popup.

Subs will be on left side...

View - open subviews/strings.
Select from strings menu - license.dat - then click on the sub1_1DC8+1A0 address (inspect the sub)
Select from strings menu - Genuine boot - then click on sub_748c+1E8 (inspect the sub)

It seems like this license check can be patched out - but there seems to be a sha256(or something else), for this file because if you mod it and re-encrypt and put back into boot.dat, sxos won't boot. Do you happen to know what/where the check is made?

Sub_339C(&v20, ''license.dat, 1i64);. 1i64 == "wb"

license writing ^^

 

[mrdude]

Sub_339C(&v20, ''license.dat, 1i64);. 1i64 == "wb'
Writing license ^^

--------------------- MERGED ---------------------------

EDIT: OOPS messed up while I was checking other stuff - still need to find where this is hashed.

 

[Reacher17]

Thanks I found the sha256 check in payload_81000000.bin - it's at offest: 1c9fe8

0x19cfe8 Sha256 bootloader

--------------------- MERGED ---------------------------

Thanks I found the sha256 check in payload_81000000.bin - it's at offest: 1c9fe8

Addr 0x1d2a14 size 0x50. Key xor 0xFE
Payload90000000.bin

--------------------- MERGED ---------------------------

Addr 0x1c9829. size 0x50

Code brick ???

 

[Inaki]

0x19cfe8 Sha256 bootloader

--------------------- MERGED ---------------------------



Addr 0x1d2a14 size 0x50. Key xor 0xFE
Payload90000000.bin

--------------------- MERGED ---------------------------

Addr 0x1c9829. size 0x50

Code brick ???

You mean Code block ? or do you mean the infamous bricking code ?

 

[mrdude]

0x19cfe8 Sha256 bootloader

--------------------- MERGED ---------------------------



Addr 0x1d2a14 size 0x50. Key xor 0xFE
Payload90000000.bin

--------------------- MERGED ---------------------------

Addr 0x1c9829. size 0x50

Code brick ???

Yep, oops sorry I had about 20 files open at the time and got the hash for the wrong file I guess.... I still need to find where this check is found.

 

[Reacher17]

Yep, oops sorry I had about 20 files open at the time and got the hash for the wrong file I guess.... I still need to find where this check is found.

it is in the payload80. but you won't find it. it is encrypted

 

[ZachyCatGames]

Anyone dumped the encrypted hardcoded tsec keys yet? :shrek:
I may be interested in HOVI_ENC_KEY/package1_key if it's present

 

[Inaki]

Anyone dumped the encrypted hardcoded tsec keys yet? :shrek:
I may be interested in HOVI_ENC_KEY/package1_key if it's present

I dumped prod.keys...

 

[ZachyCatGames]

I dumped prod.keys...

lockpick misses the package1_key because it's wiped by the tsec firm and/or sept.
iirc TX hardcodes an encrypted version of the package1_key to decrypt package1, unless smth changed or they're actually hardcoding decrypted copies of package1.

 

[Inaki]

lockpick misses the package1_key because it's wiped by the tsec firm and/or sept.
iirc TX hardcodes an encrypted version of the package1_key to decrypt package1, unless smth changed or they're actually hardcoding decrypted copies of package1.

Aha, ok. Also, that part in bold is something that kinda sounds like what TX likes to do...

 

[Imancol]

The hybrid firmware method has been known by many people for ages. That Twitter thread just made it more widely known. Here's me and @ZachyCatGames discussing it in the TX Discord on March 23rd. Like Zachy said though it's not a great idea because if people try it now with 12.0.0 they could brick.

As for SX Save Manager, they use Google Cloud as a backend so if you trust Google with your privacy you can trust SXSM. It's mainly used by people with multiple consoles afaict but I just like having my saves backed up to the cloud incase something happens to my Switch and SD Card. I have lost all of my saves before when my Erista died but SXSM makes it easy to back up every save to the cloud automatically.

Edit: Also people use to bitch about Switch Online not having cloud saves so it's obviously something people want. SXSM works on banned consoles, the saves are easily accessible if you want to modify them, and it's a one time purchase included with SXOS instead of a monthly / annual fee.

Two things to highlight:

1 - If it is the Xecuter cloud, it will be less secure. Anyone with knowledge of Pentesting will get the access credentials and insert arbitrary files to corrupt the copies.

2 - If the application allows you to insert your own credentials from your cloud, if it will be worth using it.

--------------------- MERGED ---------------------------

Their "spoof" is flashing 11.0.0's package2 on 11.0.1, which would brick 12.0.0.

Is it safe to install 12.0.0 with this spoof installed?

 

[CompSciOrBust]

Two things to highlight:

1 - If it is the Xecuter cloud, it will be less secure. Anyone with knowledge of Pentesting will get the access credentials and insert arbitrary files to corrupt the copies.

2 - If the application allows you to insert your own credentials from your cloud, if it will be worth using it.

--------------------- MERGED ---------------------------


Is it safe to install 12.0.0 with this spoof installed?

As I said before, it is not using Xecuter's servers. It's using Google Drive as a backend. Anyone who has used the app knows this. If you can trust Google you can trust SX Save Manger.

If you have the hybrid 11.0.0 / 11.0.1 fw installed you can install 12.0.0 from inside of hos and it will work fine. You still won't be able to use CFW until it is supported and installing the 11.0.1 pkg2 after installing 12.0.0 will brick you.

 

[ZachyCatGames]

Is it safe to install 12.0.0 with this spoof installed?

If you have the “spoof” installed, then update to 12.0.0, it’ll be fine.
If you update to 12.0.0, then install the “spoof”, it’ll brick.

 

[Imancol]

As I said before, it is not using Xecuter's servers. It's using Google Drive as a backend. Anyone who has used the app knows this. If you can trust Google you can trust SX Save Manger.

If you have the hybrid 11.0.0 / 11.0.1 fw installed you can install 12.0.0 from inside of hos and it will work fine. You still won't be able to use CFW until it is supported and installing the 11.0.1 pkg2 after installing 12.0.0 will brick you.

With the Xecuter cloud, I was referring to the cloud they have on Google Drive.

 

[CompSciOrBust]

With the Xecuter cloud, I was referring to the cloud they have on Google Drive.

Google Drive is the cloud. Also you don't even need the credentials to upload arbitrary files, you can do that from inside the app.

 

[Reacher17]

@mrdude
sxos v3.1.0
payload90
addr 0x18990:0X1B100 size 0x2770
key 11F2805CC05B339A6570E58C45A0283C
ctr 72228D477C636C62B54C7A93E5147D5A

addr 0xFEA10:0XFFAB0 size 0x10A0
key 11F2805CC05B339A6570E58C45A0283C
ctr 760293F93A38B5FA67A531A449DDD9AD

 

[lordelan]

Strange.
I tried this hack on my friend's Switch.
If the SX Loader payload is the first thing I send (either with TegraSmash or a dongle) it works but if I chainload it through hekate or argon, it boots to the SX OS bootmenu just fine but gives me a black screen after the Nintendo logo when I actually launch the CFW.
I don't have this issue on my own Switch (I have a valid license though). There I can chainload it through hekate and even from within Atmosphère with hekateBrew.

Anyone else having this chainloading issue?

 

[tivu100]

Finally be able to borrow a unpatched Switch to try this out.

My few questions:

1. Are the script and file from OP updated/ latest?

2. How do you make SXOS Emunand? I have never used SXOS before.