OK, the goal posts keep changing with this, I'll wait until all the info is available then mess about.
For those wanting to mess about with this, you can use this to unpack boot.dat (use python 2.7)
tx_unpack.py
https://gist.github.com/hexkyz/cef102e45cea2cfba1350c7c42199983
I've no idea how to re-encrypt once you finish messing about with a hex editor, maybe the OP can make that clearer.
Last edited by mrdude,
And the Xecuter Team laughed.pragma the person who believed hacked the sxos just with the rommenu?
Now they’re laughing a little less...
there is a script in preparation ^^
--------------------- MERGED ---------------------------
i will start to update the sxos
@Reacher17
I modded some code to re-encrypt stage2 and the payload - does this look OK to you, and does it give the proper encrypted data:
Stage2 - v2.9.5
Payload v2.9.5
Encoded hex seems to match what is in boot.dat so I assume this is correct, can you confirm?
Also when you mod the payload at this address: 0x194100, do you mean put the console fingerprint hex as shown in SXOS licence page, and put licence.dat on the sd card that matches the console fingerprint?
I modded some code to re-encrypt stage2 and the payload - does this look OK to you, and does it give the proper encrypted data:
Stage2 - v2.9.5
Code:
from Crypto.Cipher import AES
from Crypto.Util import Counter
from binascii import hexlify, unhexlify
def aes_ctr_dec(buf, key, iv):
ctr = Counter.new(128, initial_value=int(hexlify(iv), 16))
return AES.new(key, AES.MODE_CTR, counter=ctr).encrypt(buf)
boot = open('stage2_40008100.bin_enc', 'wb')
with open('stage2_40008100.bin', 'rb') as fh:
stage2 = fh.read()
# write stage2 encrypted
s2_key = unhexlify("47E6BFB05965ABCD00E2EE4DDF540261")
s2_ctr = unhexlify("8E4C7889CBAE4A3D64797DDA84BDB086")
boot.write(aes_ctr_dec(stage2, s2_key, s2_ctr))
boot.close()Payload v2.9.5
Code:
from Crypto.Cipher import AES
from Crypto.Util import Counter
from binascii import hexlify, unhexlify
def aes_ctr_dec(buf, key, iv):
ctr = Counter.new(128, initial_value=int(hexlify(iv), 16))
return AES.new(key, AES.MODE_CTR, counter=ctr).encrypt(buf)
boot = open('payload_80000000.bin_enc', 'wb')
with open('payload_80000000.bin', 'rb') as fh:
stage2 = fh.read()
# write encrypted payload
s2_key = unhexlify("8D65A659D22976FFB3AD8DF04DF6231F")
s2_ctr = unhexlify("4DC3342EAF3BA1FBB287EB378014EC90")
boot.write(aes_ctr_dec(stage2, s2_key, s2_ctr))
boot.close()Encoded hex seems to match what is in boot.dat so I assume this is correct, can you confirm?
Also when you mod the payload at this address: 0x194100, do you mean put the console fingerprint hex as shown in SXOS licence page, and put licence.dat on the sd card that matches the console fingerprint?
Last edited by mrdude,
are you ever excited or happy about any kind of projects on here? or are you always going to be a Negative Nancy?
Thanks, is line line the fingerprint from the switch that has the working licence - or the fingerprint from the switch that we are running on:
fingerprint = "fingerprint".decode("hex")
I know it's the fingerprint, Is the fingerprint for the original switch that has the SXOS licence or the fingerprint from the Switch which we want to run the modded boot.dat on? Also is this for 2.9.5 boot.dat or another version?
I'm just acknowledging that this and anything else are unlikely to get you SX OS on anything higher than 11.0.0. Short of an update from TX, 11.0.1 support is unlikely.
@Reacher17
I fixed your script for python3 as it had a few errors and wouldn't work on python3.9 + some ident errors, also in python 2.7 I removed some stuff that wasn't needed and fixed ident errors. Both files produce the same results.
I fixed your script for python3 as it had a few errors and wouldn't work on python3.9 + some ident errors, also in python 2.7 I removed some stuff that wasn't needed and fixed ident errors. Both files produce the same results.
@mrdude to run the script...
pip install pycrotodomex works like a charm for me
pip install pycrotodome gives the ModuleNotFoundError
Similar threads
-
- Article
