Hacking Hack SXOS

  • Thread starter: Reacher17
  • Views: 481,429
  • Replies: 1,578
  • Likes: 63
get sha256 from payload80000000.bin and paste it into stage2 at address 0x126A0

--------------------- MERGED ---------------------------

then get the sha256 from stage2 and paste it into the boot.dat file at address 0x10

--------------------- MERGED ---------------------------

select in the boot.dat the code from 0x0 to 0xDF size 0xE0 and recover the sha256

--------------------- MERGED ---------------------------

and paste the sha256 at address 0xE0 in the boot.dat file

--------------------- MERGED ---------------------------

you still need to re-encrypt the payload80000000.bin and stage2 and put them back in the boot.dat file

The sha from the modded payload80000000.bin from 2.95?
 
Stage2 addr 0x100 in boot.dat
Payload80000000.bin addr 0x12840
OK, the goal posts keep changing with this, I'll wait until all the info is available then mess about.

For those wanting to mess about with this, you can use this to unpack boot.dat (use python 2.7)

tx_unpack.py
https://gist.github.com/hexkyz/cef102e45cea2cfba1350c7c42199983

I've no idea how to re-encrypt once you finish messing about with a hex editor, maybe the OP can make that clearer.
 
Last edited by mrdude,
@Reacher17

I modded some code to re-encrypt stage2 and the payload - does this look OK to you, and does it give the proper encrypted data:

Stage2 - v2.9.5
Code:
from Crypto.Cipher import AES
from Crypto.Util import Counter
from binascii import hexlify, unhexlify

def aes_ctr_dec(buf, key, iv):
    # AES-CTR is symmetric: the same keystream is XORed in for both
    # directions, so this one helper both encrypts and decrypts.
    # The 16-byte IV is used as the initial 128-bit counter value.
    ctr = Counter.new(128, initial_value=int(hexlify(iv), 16))
    return AES.new(key, AES.MODE_CTR, counter=ctr).encrypt(buf)

# read the decrypted (modded) stage2
with open('stage2_40008100.bin', 'rb') as fh:
    stage2 = fh.read()

# stage2 key and initial counter for v2.9.5
s2_key = unhexlify("47E6BFB05965ABCD00E2EE4DDF540261")
s2_ctr = unhexlify("8E4C7889CBAE4A3D64797DDA84BDB086")

# write stage2 encrypted
with open('stage2_40008100.bin_enc', 'wb') as boot:
    boot.write(aes_ctr_dec(stage2, s2_key, s2_ctr))

Payload v2.9.5
Code:
from Crypto.Cipher import AES
from Crypto.Util import Counter
from binascii import hexlify, unhexlify

def aes_ctr_dec(buf, key, iv):
    # AES-CTR is symmetric, so the same helper encrypts and decrypts.
    # The 16-byte IV is used as the initial 128-bit counter value.
    ctr = Counter.new(128, initial_value=int(hexlify(iv), 16))
    return AES.new(key, AES.MODE_CTR, counter=ctr).encrypt(buf)

# read the decrypted (modded) payload
with open('payload_80000000.bin', 'rb') as fh:
    payload = fh.read()

# payload key and initial counter for v2.9.5
pl_key = unhexlify("8D65A659D22976FFB3AD8DF04DF6231F")
pl_ctr = unhexlify("4DC3342EAF3BA1FBB287EB378014EC90")

# write encrypted payload
with open('payload_80000000.bin_enc', 'wb') as boot:
    boot.write(aes_ctr_dec(payload, pl_key, pl_ctr))

Encoded hex seems to match what is in boot.dat so I assume this is correct, can you confirm?

Also when you mod the payload at this address: 0x194100, do you mean put the console fingerprint hex as shown in SXOS licence page, and put licence.dat on the sd card that matches the console fingerprint?
 
Last edited by mrdude,
it's a quick script that lets you improve it. ^^

Thanks, is this line the fingerprint from the switch that has the working licence, or the fingerprint from the switch that we are running on:

fingerprint = "fingerprint".decode("hex")
Yes ^^

--------------------- MERGED ---------------------------

Licence Fingerprint
 
Last edited by Reacher17,
I know it's the fingerprint, Is the fingerprint for the original switch that has the SXOS licence or the fingerprint from the Switch which we want to run the modded boot.dat on? Also is this for 2.9.5 boot.dat or another version?
 
are you ever excited or happy about any kind of projects on here? or are you always going to be a Negative Nancy?
I'm just acknowledging that this and anything else are unlikely to get you SX OS on anything higher than 11.0.0. Short of an update from TX, 11.0.1 support is unlikely.
 
@Reacher17

I fixed your script for python3 as it had a few errors and wouldn't work on python3.9, plus some indent errors; also in python 2.7 I removed some stuff that wasn't needed and fixed indent errors. Both files produce the same results.
 


@mrdude to run the script...
pip install pycryptodomex works like a charm for me
pip install pycryptodome gives the ModuleNotFoundError
 
