Hacking Hack SXOS

  • Thread starter: Reacher17
  • Views: 481,358
  • Replies: 1,578
  • Likes: 63

I will have a look into tinfoil.nro (or the elf file) and see if there is some easy way. The thing is the license.dat seems not enough, right? First I need to see whether that is actually the case and then see how it accesses console fingerprint.

--------------------- MERGED ---------------------------


yeah, it seems those check it, somehow, or the boot.dat itself does it, probably reading the firmware serial ID if boot.dat is doing the check...
Yep - it's a license check.

I used modded boot.dat and booted the switch.
FTP'd into switch and renamed atmosphere/sept/bootloader folders and licence.dat file.
Opened Tinfoil - still the same error.

Booting with unmodded boot.dat and original licence - everything works, even with sept/atmosphere/bootloader folder present.

There's no explanation other than that those apps check whether the fingerprint/license is valid.
 
Yes, this method cannot be applied to SX CORE and SX LITE.
Will prompt "boot.dat?"
I just tested it.
It is more or less assumable that lite and core users will have a license, but that could still be not the case. The guy that reversed the firmware to create SpaceCraft-NX may know something. My guess is the firmware is not able to do any major check, maybe just some first n byte compare, some checksum or something like that.
 
> It is more or less assumable that lite and core users will have a license, but that could still be not the case. The guy that reversed the firmware to create SpaceCraft-NX may know something. My guess is the firmware is not able to do any major check, maybe just some first n byte compare, some checksum or something like that.

OK, update.

I ran modded boot.dat, ftp'd into switch and renamed those folders - opened tinfoil and pressed Y to remove offending files. Then Tinfoil worked, so I ftp'd back into the switch and renamed the folders back again and rebooted the switch - Now tinfoil works fine with those folders present.

I assume the offending file might have been in my sxos folder - as all other folder/files are still there. So Tinfoil doesn't do a license check after all :-).

SX Save manager navigation keys don't work on the main screen.
SX Dumper - same as above.
 
> OK, update.
>
> I ran modded boot.dat, ftp'd into switch and renamed those folders - opened tinfoil and pressed Y to remove offending files. Then Tinfoil worked, so I ftp'd back into the switch and renamed the folders back again and rebooted the switch - Now tinfoil works fine with those folders present.
>
> I assume the offending file might have been in my sxos folder - as all other folder/files are still there. So Tinfoil doesn't do a license check after all :-).

can you use the icon view?
 
ok, so yeah, it needs to be cracked. Looking into the elf file right now...

It seems weird that SX Save manager and SX Dumper even load - these totally fail under Atmosphere. They would work under modded SXOS if the navigation buttons worked - so probably only 1 check needs patched.
 
Script updated - added fingerprint.txt

If you want to use your own fingerprint - put it in a text file called fingerprint.txt and use your own licence.dat.

If the fingerprint.txt file is missing the script will use its own embedded fingerprint and make a licence.dat file for you automatically.


This means you don't need to edit the python file now, when using this script.

(put only the fingerprint shown from the switch that contains the valid licence in the text file - no other data)
How do I use this? Is there some sort of guide on how to use this to mod my boot.dat file and give me a license.dat file?
 
I'm a little confused, sxos has the feature to play xci or is tinfoil app with extra features when using sxos?
It would be good to have a port to play xci using external usb on ams
 
Install python 3.9, put boot.dat in the same folder as this script - click on the script to run it.
I have python 3.9.2 installed and boot.dat is in the same folder and I've clicked on script to run it but it did nothing. I also just tried with python 3.9.0 and it still did nothing
 
> I have python 3.9 installed and boot.dat is in the same folder and I've clicked on script to run it but it did nothing.

You probably didn't set up windows environment variables then. Probably you should use google to figure that out. This isn't really a thread about teaching people how to use their computers.
 
> I have python 3.9 installed and boot.dat is in the same folder and I've clicked on script to run it but it did nothing.

Use cmd to run the script; you are probably having the crypto library dependency issue. In cmd, type this:

pip install pycryptodome

then run the script again (python scriptname.py).
 
> I'm a little confused, sxos has the feature to play xci or is tinfoil app with extra features when using sxos?
> It would be good to have a port to play xci using external usb on ams

AMS will never be able to play XCI files from an external hard drive, this has been made clear for years and nothing has changed.
 
> You probably didn't set up windows environment variables then. Probably you should use google to figure that out. This isn't really a thread about teaching people how to use their computers.

So python is now added in my environment variables and I click on the script to run it and it still does nothing: no modded boot.dat file and no license.dat file were created. And the most recent zip file you uploaded did not have the fingerprint.txt file in it.
 
@mrdude the rommenu.nro can be extracted from any boot.dat, right? The thing is:

a) tinfoil.elf does not have any direct reference to license.dat. Maybe it is obfuscated or maybe it is calling the rommenu.nro? No idea.
b) I found a cracked sx os 1.3, which seems to be a rommenu.nro. So, I thought, hmmm, what if I compare it to the original rommenu.nro from sx os 1.3? That, comparing the .elf files extracted from the .nro files, would maybe point us in the right direction to some pattern/place to look for in the extracted rommenu.nro from sx os 3.1.0...
c) so, how would I extract the rommenu.nro from a given boot.dat file? The python script you guys made does this?

EDIT: Having a hard time finding SX OS v1.3... anyone has that? EDIT2: found this, it was not easy...
 
> Use cmd to run the script; you are probably having the crypto library dependency issue. In cmd, type this:
>
> pip install pycryptodome
>
> then run the script again (python scriptname.py).

That worked, thank you for the help.
 
> how would I extract the rommenu.nro from a given boot.dat file? The python script you guys made does this?

Comment out this line: os.remove("rommenu.bin") - rename that bin file to nro.

Or you can just use python3-tx_unpack.py file that's already posted in this thread and use that on any sxos boot.dat version. rommenu.bin is found in the apps folder - just rename to rommenu.nro.
 
> @mrdude the rommenu.nro can be extracted from any boot.dat, right? The thing is:
>
> a) tinfoil.elf does not have any direct reference to license.dat. Maybe it is obfuscated or maybe it is calling the rommenu.nro? No idea.
> b) I found a cracked sx os 1.3, which seems to be a rommenu.nro. So, I thought, hmmm, what if I compare it to the original rommenu.nro from sx os 1.3? That, comparing the .elf files extracted from the .nro files, would maybe point us in the right direction to some pattern/place to look for in the extracted rommenu.nro from sx os 3.1.0...
> c) so, how would I extract the rommenu.nro from a given boot.dat file? The python script you guys made does this?
>
> EDIT: Having a hard time finding SX OS v1.3... anyone has that?

Did you disassemble the tinfoil nro or nsp?
 