Hack SXOS

By Reacher17, Feb 12, 2021

  1. mrdude

    mrdude GBAtemp Maniac
    Member

    Joined:
    Dec 11, 2015
    Messages:
    1,153
    Country:
    We need to change RGB to BGR, so do it like this:

    Open a 1280x768 image

    In the GIMP menus:
    Image/transform
    Rotate 90 clockwise
    Flip Horizontal

    Image/view
    Rotate 90 anticlockwise
    Flip Horizontal

    (carry out any mods to the image here such as adding text or whatever)

    Colours/components/channel mixer/
    Set channel to this:
    Red channel - Blue 1 (rest 0)
    Green channel - Green 1 (rest 0)
    Blue channel - Red 1 (rest 0)

    Add Alpha channel:
    layer/transparency/add alpha channel

    Export as Windows BMP (32-bit ARGB)
    Compatibility options - unchecked
    Advanced options - 32-bit A8 R8 G8 B8

    Next, hex edit the saved image and remove the first 89 bytes, then save it as fb_F0000000.bin.
    Put it in the same folder as the python script and a clean, unmodded boot.dat.
    Run the script.
    Upload the modded boot.dat to the Switch, reboot, and the new screen should look good.
     
    Last edited by mrdude, Apr 12, 2021
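The same pipeline in pure Python, added here as an example (not code from the thread or from SX OS) so the framebuffer can be regenerated from any RGB source without GIMP. It assumes the raw file is exactly the pixel payload of the 32-bit BMP that GIMP writes (bottom row first, B G R A bytes per pixel, no row padding at 32 bpp), which is what stripping the file header leaves.

```python
# Added example, not code from the thread or from SX OS. Assumption: the raw
# framebuffer is exactly the pixel payload of the 32-bit BMP GIMP writes
# (bottom row first, B G R A bytes per pixel, no row padding at 32 bpp).

def transpose_image(rows):
    """Rotate 90 clockwise then flip horizontally: together that is x<->y."""
    height, width = len(rows), len(rows[0])
    return [[rows[y][x] for y in range(height)] for x in range(width)]

def swap_red_blue_add_alpha(rows):
    """Channel mixer (red<-blue, blue<-red) plus an opaque alpha channel."""
    return [[(b, g, r, 0xFF) for (r, g, b) in row] for row in rows]

def bmp_pixel_payload(rows_rgba):
    """Pixel data as a 32-bit A8R8G8B8 BMP stores it: bottom row first, each
    pixel little-endian ARGB, i.e. bytes B, G, R, A. Rows are already 4-byte
    aligned at 32 bpp, so there is no padding to add."""
    out = bytearray()
    for row in reversed(rows_rgba):
        for (r, g, b, a) in row:
            out += bytes((b, g, r, a))
    return bytes(out)

def build_framebuffer(rows_rgb):
    """Full pipeline: landscape RGB rows in, fb_F0000000.bin bytes out."""
    return bmp_pixel_payload(swap_red_blue_add_alpha(transpose_image(rows_rgb)))

def solid_image(width, height, rgb):
    """Constructed sample input: a single-colour canvas."""
    return [[rgb] * width for _ in range(height)]

if __name__ == "__main__":
    # 1280x768 as in the post; after transposing, each output row is one
    # 768-pixel column of the landscape image.
    data = build_framebuffer(solid_image(1280, 768, (0x20, 0x40, 0x80)))
    with open("fb_F0000000.bin", "wb") as fh:
        fh.write(data)
    print(len(data), "bytes written")
```

Note that the channel-mixer swap and the BMP's own B,G,R byte order cancel out, so the file holds R, G, B, A per pixel and a result can be spot-checked byte by byte.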
  2. chronoss

    chronoss GBAtemp Addict
    Member

    Joined:
    May 26, 2015
    Messages:
    2,525
    Country:
    Congo, Republic of the
    it's hidden for me
     
  3. mrdude

    [image]
     
  4. chronoss

    Yes, can't click on it
     
  5. mrdude

    If you're using a bmp or png file that already has an alpha layer you can't add another one. In that case you can miss that step out.
     
    Last edited by mrdude, Apr 12, 2021
  6. chronoss

    ok
     
  7. mrdude

    This is Sparta - boot screen:

    [image]
     


  8. lordelan

    lordelan GBAtemp Guru
    Member

    Joined:
    Jan 4, 2015
    Messages:
    5,043
    Country:
    Germany
    No one's working on XCI in Atmosphère right now.
    I think instead they are messing around with the boot splash screen now.
     
  9. mrdude

    @Reacher17

    I was looking at where our modded files' hashes are located:

    Code:
    App Header.bin original hash: 3F6BAF83C3C1D0C260A10E510BFD165DA312FCD357C178726203D98515A45CF7 (hash not found)
    Rommenu - original hash: 0D7015FAB49D426C92BF22BCCB941087B67EDAD3A59375BFEE3CA044BA15BCCA (found in app_header.bin)
    payload_81000000.bin original hash: 438BE0527651636B5B6EEFCD2FDDE01236A094E82B7403490F46A98C598CEA57 (found in stage3_80020000.bin)
    stage2_40008100.bin original hash: A5DFC7C9775928374DAA1F42C708D92C07C10757641FBC1243C7FA58C22AC60E - (hash found in boot.dat)
    stage3_80020000.bin original hash: 07DF04E7AA77FFD17C6DCB719A97021ADA0282CEC95A368E48A3456DFFD5D177 - (hash found in boot.dat)
    
    As we are modding app_header.bin and changing the hash value of that file, surely there must be somewhere that hash is stored? I didn't find the location for it, so I assume it's still in an encrypted part of boot.dat, or does this value never get checked?
     
  10. mrdude

    SHA-256 hashes for the extracted, unmodded SXOS 3.10
    Code:
    apps
    App Header.bin original hash: 3F6BAF83C3C1D0C260A10E510BFD165DA312FCD357C178726203D98515A45CF7 (hash not found)
    CREPBIN.bin original hash: 795E912EA039184AA36A7A5FD8878EB489DF7545D98F65945A990BA911CC738F (found in app_header.bin)
    CREPMETA.bin original hash: 08C0CDE7B4FA9E2953B773E70297CA3191430D9BED38CBAB702720C58AAC2198 (found in app_header.bin)
    ECLBIN.bin original hash: 95BBAEACC5AC583E08E6DCBD3FE6155A6DED3D92FC8631D4E32367D8A49AD221 (found in app_header.bin)
    ECLMETA.bin original hash: 818AA93082E294673599DBFCBEE0BAE5032D35F411600575200FDC21BC4202EF (found in app_header.bin)
    FTLBIN.bin original hash: 30A7B43C1C5E366D533032BF29E3C1EF0B82F4E4B5CA1560B7ABA4B6116C72EF (found in app_header.bin)
    FTLMETA.bin original hash: 5A8ACAA75D85577B89E24C50E07EEED25989DDFF31E2708702FEC2D7647FEBD1 (found in app_header.bin)
    HBLBIN.bin original hash: 95389AF481B620107A1EB90C63CB8464978B147BBD95BCE67DD33B860B3C2839 (found in app_header.bin)
    HBLMETA.bin original hash: CA746203E550F76F96A9C402F35D92EF6E96C051221D640AE1893FFEBCD86000 (found in app_header.bin)
    HBMENU.bin original hash: D7748A735EC8D590ACCAE5682B4F94B86DF41B09ADFCC30C90367E1105ABBCE5 (found in app_header.bin)
    MLBIN.bin original hash: 5C861FABC5362E7B716F732C4D974D0C4C9F92CF457614EB77F8918B4BA46E50 (found in app_header.bin)
    MLMETA.bin original hash: EE50431E33E463EE93AF20A30174CC2CBBAFBAC914303F37741581DCF034598B (found in app_header.bin)
    ROMMENU.bin original hash: 0D7015FAB49D426C92BF22BCCB941087B67EDAD3A59375BFEE3CA044BA15BCCA (found in app_header.bin)
    
    bootloader
    bootloader_88000000.bin original hash: AE650688106805F0E65D5CBE37103C32E2CA5B5D970A1AEB028F3E5AE6A4A711 (hash not found)
    
    firmware
    kip_BFE808C4.bin original hash: 9988FA51206AFD3C56F8B57ECB1DEE44F6FFC8D1A6BAD4F73690FE8F5F05CAD7 (hash not found)
    kip_BFE09360.bin original hash: 6C555826D3144CE12CDBE493651E8E387203371ECB4DD9E9F1D347F82A54EACE (hash not found)
    kip_BFE52904.bin original hash: 27F726807A327E3D3A8E6A62BBE0AB8C815BC65619FF8FAEE5457C96B48ED9E7 (hash not found)
    kip_BFE62504.bin original hash: 9A2779978EA54DEE84C4FE240A2B1C2032B0CEA85EDAFE51E6600F10A9B679B1 (hash not found)
    kip_header.bin original hash: AE0463B8193D6D73A94C6D312E2650B92794B1F8E21286976342A5A9C7D0C504 (hash not found)
    
    init
    fb_F0000000.bin original hash: B13A9C11B13BD7AD94172D3C5ACDD628DA483FCB2F5AB0CFD42B022CDFE190D7 (found in stage3_80020000.bin)
    stage2_40008100.bin original hash: A5DFC7C9775928374DAA1F42C708D92C07C10757641FBC1243C7FA58C22AC60E (found in boot.dat)
    stage3_80020000.bin original hash: 07DF04E7AA77FFD17C6DCB719A97021ADA0282CEC95A368E48A3456DFFD5D177 (found in boot.dat)
    
    patcher
    patcher_B0000000.bin original hash: 75A9B4D57786FC84E080FEB8B594D72E1E0933D1E1963E91E3F6761C9A443107 (found in payload_A0000000_dec.bin)
    patcher_B0010000.bin original hash: 7E1070A935DD517858E1E74D6D4823F20279FB6250289827466B0FF57E13496E (found in payload_A0000000_dec.bin)
    patcher_BFE00000.bin original hash: 420EA677B85FFE43974F42D3C472FD02D2B5A4ED3DB7E7F9DDB233DBEAEB7E0B (found in payload_A0000000_dec.bin)
    
    payloads
    payload_81000000.bin original hash: 438BE0527651636B5B6EEFCD2FDDE01236A094E82B7403490F46A98C598CEA57 (found in stage3_80020000.bin)
    payload_90000000.bin original hash: 1C859549DB0843E98EBF3CF750CB82EB1E04CB51D40528DCDD261FBFD8B06DCE (hash not found)
    payload_98000000.bin original hash: 613E27063681EF5ACC00D5B57ECC45E87FC42F559D12EDC5D7772674DD27A86B (found in payload_90000000.bin)
    payload_A0000000.bin original hash: AA5153CF7F86FA06943740D0117527953BC03FBC655605AD46095CD1D8769718 (found in payload_90000000.bin)
    payload_A0000000_dec.bin original hash: 80F1C4418B3FF850106FD2CFD265F72BD7480E494831509D1E5D3DDD914DBDF9 (hash not found)
    
    Just posting here if anyone wants to know.

    You can decompress the kip files like this for use in IDA:
    hactool -t kip1 kip_BFE808C4.bin -k keys.dat --uncompressed=kip_BFE808C4_Dec.bin
     
    Last edited by mrdude, Apr 12, 2021
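The "found in X / hash not found" map above is the kind of thing a short script can rebuild and re-check after every mod. The following is an added example (not the thread's or SX OS's code) on constructed sample blobs with placeholder file names: it reports, for each extracted file, which other file embeds its SHA-256 verbatim, and which modded files would fail that check because the stored digest was not updated in the container.

```python
import hashlib

def sha256_of(data):
    return hashlib.sha256(data).digest()

def locate_hashes(blobs):
    """Map each blob name to the name of the other blob that embeds its
    SHA-256 digest verbatim, or None when no blob does."""
    found = {}
    for name, data in blobs.items():
        digest = sha256_of(data)
        found[name] = next((other for other, odata in blobs.items()
                            if other != name and digest in odata), None)
    return found

def report(blobs):
    """Lines in the same shape as the lists posted in the thread."""
    lines = []
    for name, container in locate_hashes(blobs).items():
        where = f"found in {container}" if container else "hash not found"
        lines.append(f"{name} original hash: {sha256_of(blobs[name]).hex().upper()} ({where})")
    return lines

def stale_after_mod(original, modded):
    """Names whose digest was embedded somewhere in the original set but whose
    new digest is absent from that container in the modded set, i.e. files
    that will fail the check unless the stored digest is updated as well."""
    stale = []
    for name, container in locate_hashes(original).items():
        if container and sha256_of(modded[name]) not in modded[container]:
            stale.append(name)
    return stale

# Constructed sample data (not real SX OS files): stage3 embeds the digest of
# payload, boot embeds the digest of stage3, nothing embeds app_header's.
PAYLOAD = b"constructed payload bytes"
STAGE3 = b"\x00" * 8 + sha256_of(PAYLOAD) + b"\x11" * 8
ORIGINAL = {
    "payload.bin": PAYLOAD,
    "stage3.bin": STAGE3,
    "boot.dat": b"\x22" * 4 + sha256_of(STAGE3) + b"\x33" * 4,
    "app_header.bin": b"constructed header, no stored digest",
}
# A modded payload whose container still holds the old digest.
MODDED = dict(ORIGINAL, **{"payload.bin": PAYLOAD + b" patched"})

if __name__ == "__main__":
    print("\n".join(report(ORIGINAL)))
    print("would fail the check after modding:", stale_after_mod(ORIGINAL, MODDED))
```

Replace the constructed dict with the real extracted files read from disk to reproduce the thread's list, and run stale_after_mod before every reflash.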
  11. Reacher17

    OP Reacher17 GBAtemp Regular
    Member

    Joined:
    Sep 18, 2019
    Messages:
    127
    Country:
    France
    @mrdude
    it is stage3 that is checked
     
  12. mrdude

    App Header.bin (decrypted) original hash: 3F6BAF83C3C1D0C260A10E510BFD165DA312FCD357C178726203D98515A45CF7

    That hash is not found in stage3.
     
  13. Reacher17

    @mrdude
    No, it's stage3 itself that is checked on restart
     
  14. mrdude

    OK, thanks.

    Also, I found where some of the decryption keys are stored; it might be handy for finding more keys:

    Code:
    found in stage3_80020000.bin
    fb_ctr = ("39B0F6E0846C53DCE0457F285797AE99") - 0xA5F0
    fb_key = ("4599F62BF51E62B6AC05AAA7E7B03DE3") - 0xA600
    
    found in stage3_80020000.bin
    payload81_ctr = ("C28124EAA147BEE8EF865E2AE8496834") 0xA640
    payload81_key = ("12280A64B7A487E99864CD2E22393C87") 0xA650
    
    found in payload_81000000.bin
    bootloader_ctr = ("5BCF60493E61BCB930FD44C7FAC0EE09") 0x1CA008
    bootloader_key = ("FB61357AB9DEE1C9D4C49F6488349EF0") 0x1CA018
    
    found in bootloader_88000000.bin
    assets_ctr = ("7298408E70FBE048DCC6E594B0C272B6") 0x47E60
    assets_key = ("EF48639FC925C8D0364B2DA7614EB038") 0x47E70
    
    found in payload_90000000.bin
    payload98_ctr = ("467E7F219FDCAFA5E6187262755D4DFC") - 0x11ff020
    payload98_key = ("DEE47F27900D540AFE04C4063638CE0F") - 0x11ff030
    
    found in payload_90000000.bin
    payloadA0_ctr = ("AAF5295AEC233F953B408EE27F892CF8") - 0x11F070
    payloadA0_key = ("043AB07482B9A8B55EA9041C74CD92EB") - 0x11F080
    
    found in payload_98000000.bin
    fw_ctr = ("A4C122884E6C8979E3E3E0F07D116E52") - 0x17F21C
    fw_key = ("81F555CC58EF03CB41BD81C90A8E8F79") - 0x17F22C
    
    s2_ctr = ("8E4C7889CBAE4A3D64797DDA84BDB086")
    s2_key = ("47E6BFB05965ABCD00E2EE4DDF540261") - not found
    
    (Found in payload_81000000.bin (0x1D2A14 size 0x50) XOR with 0xFE) - use winhex
    payload90_ctr = ("DCD96167060A7A9E1F2BC8C1C2A611B4")
    payload90_key = ("95F4D1F3C1EC6E5A54AC70F49AE315F5")
    
     
    Last edited by mrdude, Apr 12, 2021
  15. Reacher17

    @mrdude
    Payload90

    Payload81 addr 0x1D2A14 size 0x50 xor 0xFE

    ^^
     
  16. mrdude

    OK thanks, I managed it in WinHex - my other hex editor didn't have that feature:

    [image]

    How did you figure that out?
     
    Last edited by mrdude, Apr 13, 2021
  17. Inaki

    Inaki GBAtemp Regular
    Member

    Joined:
    Jan 23, 2014
    Messages:
    264
    Country:
    It has been ages since I used them, but there were some programs that would do data analysis and search using several techniques like entropy, statistical, transpositions and easy/linear transformations and such over a given plaintext into a data file. Anyway, for this case, you could write a small program to look for any 4, 8, 16 or 32 bytes that would check for them with any xor value.

    Just a small idea on how to do this a bit faster: just scan the buffer incrementing the pointer byte by byte but checking 1, 2, 4 or 8 dwords. Also, I would check like this (this example is for scanning for 16-byte targets):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* ReadHex was left undefined in the post: parse one 32-bit hex argument. */
    static unsigned int ReadHex(const char *s) { return (unsigned int)strtoul(s, NULL, 16); }

    /* Scan pBuffer for a 16-byte target that may be stored XORed with a repeating
       8-, 16- or 32-bit key. Each 4-byte word is XORed with the matching target
       word; a hit is where all four results agree, and that common value is the key. */
    int ScanForXoredTarget(const unsigned char *pBuffer, size_t BufferSize,
                           unsigned int TargetDwordA, unsigned int TargetDwordB,
                           unsigned int TargetDwordC, unsigned int TargetDwordD)
    {
        int Hits = 0;
        unsigned int Words[4], TestDwordA, TestDwordB, TestDwordC, TestDwordD;
        for (size_t InBufferIndex = 0; InBufferIndex + 16 <= BufferSize; InBufferIndex++)
        {
            memcpy(Words, pBuffer + InBufferIndex, 16); /* no unaligned pointer casts */
            TestDwordA = Words[0] ^ TargetDwordA;
            TestDwordB = Words[1] ^ TargetDwordB;
            TestDwordC = Words[2] ^ TargetDwordC;
            TestDwordD = Words[3] ^ TargetDwordD;
            if ((TestDwordA == TestDwordB) && (TestDwordA == TestDwordC) && (TestDwordA == TestDwordD))
            {
                /* The key is printed as 32 bits: four equal bytes mean an 8-bit key, two
                   equal 16-bit halves a 16-bit key, otherwise a genuine 32-bit key. */
                printf("Target found at offset %zu (%zX) using xor key %08X.\n",
                       InBufferIndex, InBufferIndex, TestDwordA);
                Hits++;
            }
        }
        return Hits;
    }

    int main(int argc, char *argv[])
    {
        /* Provide the 16-byte target as four 32-bit hex parameters, then the file. */
        if (argc < 6) { fprintf(stderr, "usage: %s A B C D file\n", argv[0]); return 1; }
        FILE *f = fopen(argv[5], "rb");
        if (!f) { perror(argv[5]); return 1; }
        fseek(f, 0, SEEK_END);
        long BufferSize = ftell(f);              /* file size */
        rewind(f);
        unsigned char *pBuffer = malloc((size_t)BufferSize);
        if (!pBuffer || fread(pBuffer, 1, (size_t)BufferSize, f) != (size_t)BufferSize) return 1;
        fclose(f);
        ScanForXoredTarget(pBuffer, (size_t)BufferSize,
                           ReadHex(argv[1]), ReadHex(argv[2]), ReadHex(argv[3]), ReadHex(argv[4]));
        free(pBuffer);
        return 0;
    }


    This is a way to look for any xored value by looking for the target and obtaining the xor key without trying all keys.
     
    Last edited by Inaki, Apr 13, 2021
  18. mrdude

    Maybe you can write a small C or C++ program to do it - but just make it read a text file or binary file containing the keys to search for? TBH it's probably easier to decompile the things in IDA and look at the address where the current keys are stored and then see what calls them and work backwards from there. You can't search for the keys if you don't know what they are - but looking at the decompiled code you can try to figure out where the jumps are made and take it from there.

    Reacher17 will have a good idea on how to do this as he's found a heap of keys already.
     
  19. Inaki

    Yeah, I will :) tomorrow. Wrote this with a shitty remote-like keyboard, being in bed with the screen projected on the front wall, lol. I do think this would give easy hints to later look into the found offsets with IDA...

    Btw, you guys are on a roll :bow:
     
    Last edited by Inaki, Apr 13, 2021
  20. tivu100

    tivu100 GBAtemp Addict
    Member

    Joined:
    Jun 6, 2015
    Messages:
    2,250
    Country:
    United States
    @mrdude Can you mod the latest Hekate please? I need it so I can also dual boot Atmosphere on 12 without Tinfoil removing the patches.ini.

    Thanks in advance.
     