Discussion Info on SHA-256 hashes on FS patches

Great post, I've been pulling my hair out (luckily we a re locked down as I now have lots of it), trying to find how these hashes are generated. I spent hours extracting stuff etc. I searched the net for clues and posted on here, but to no avail, Now I at least know It can help me immensely on my next quest which will be to see if this can be automated with a script.

Thanks.

 

what about es patches

 

Hi I followed your guide, what I did notice is that the offset in IDA is different from the offset in HXD, this is what the offset is for the patch in ida:




Does that byte pattern look like what you (OP) are patching?

 

My mistake - offset in IDA is correct, I was using a Switch64.dll to load the decompressed kip into ida, however in IDA 7.5 the python loaders weren't working - that's why I used the dll file, I switched back to IDA 7.2 and used the python loader - nxo64.py and the offsets now work properly.

The picture I posed above shows where the firmware is patched - and the offset is shown properly in ida (green square)

 

@crckd.

Now that I've had a look at the different firmwares - I can say that it will be indeed possible to automate this :-).



As you can see from the picture - the bytes after where we patch is the same for most newer firmware, this makes it easy to find. A small batch file can be written to do the part of dumping the firmware and extracting. Then we can mod the python files I made for autoips to get the sha256 values, search for the hex and write the ips patch - just need to search for the stuff in the pink boxes (from 1E) and subtract the 5 bytes from the address that it finds - then write the patch to that address.

 

Oh boy!
Finally, making ES/FS patches is no longer an obscure thing to do! Thanks @crckd!
Will be looking forward to what you can do to automate the process.
I will also create a Linux bash script, like with the Loader script, so users have more options

 

You need keys file to do it - that was missing from the first post - Example:

Code:

(cd to folder that contains hactool + keys.dat)
cd "C:\Users\MrDude\Desktop\xxx"

(create a dumped folder in the directory you just cd'd to)
mkdir dumped

(extract firmware files around 3 megabytes and put in firmware folder - (dump them first))
for %f in (firmware/*.*) do hactool.exe -k keys.dat -t nca --romfsdir=dumped/ firmware/%f

(Find our files we need: nx folder)
dir *package2*.* /s

(create a folder called dumps)
mkdir dumps

(dump extact package2 files to the dumps folder).
hactool.exe -k keys.dat -t pk21 dumped/nx/package2 --outdir=dumps/

(make a folder called files to dump ini1 into)
mkdir files

(extract INI1.bin)
hactool.exe -k keys.dat -t ini1 dumps/INI1.bin --outdir=files/

(In files directory FS.kip1 - use sha256 of this compressed file for name of patch)

(Decompress FS.kip1)
kip1decomp.exe d files/FS.kip1 FS.decomp.kip1

Now open FS.decomp.kip1 in hxd hex editor and search for the hex shown in the pink box (from 1E), look in blue box where to put the patch address for the ips file.


(For a batch file - replace % with %%)

 

Identifying which NCAs are the correct ones is a trivial operation. The output from:

Code:

hactool -t nca --disablekeywarns --header=hdr.bin [nca_file]

Should yield a 0xC00 byte-long decrypted NCA header, saved to "hdr.bin". The byte at 0x205 will always match 0x04 (Data NCA), and the little-endian unsigned 64 bit integer at 0x210 will always match either 0x0100000000000819 (BootImagePackage, FAT32-only firmware) or 0x010000000000081B (BootImagePackageExFat, firmware with exFAT support).

Alternatively, you can also get these in extracted form straight from a Switch using one of the proof-of-concept builds from nxdumptool-rewrite - this is still not ready for a release yet, but for this particular task it works wonders. That way, you won't need to wait until a full firmware dump is released online, nor will you need to identify the correct NCAs using a scripted loop.

 

Here's that c++ code compiled:

Code:

usage: fsOffset FS.decomp.kip1

 

Bundling the code alongside a quick ReadMe for setup could be good too.
I believe I can compile the C code on Linux and create a 32bit binary for it, so anyone can use it on any machine.
I'll give it a try.

 

On windows that byte pattern is different at offset:210, due the endianess being different from linux it will look like this:

Code:

1B 08 00 00 00 00 00 01
and

19 08 00 00 00 00 00 01

Still, thanks for the info. Although it takes longer to do that way than just dumping the files near 3 meg in size.

For those that want to do that way - this command works will from command prompt in windows: Dump to folder called headers

Code:

for %f in (firmware/*.*) do hactool -k keys.dat -t nca --disablekeywarns --header=headers/%f firmware/%f

 

That's because I didn't provide byte patterns, but unsigned 64-bit integer values. It's not gonna look any different under other OS - the data is stored using little-endian byte order because that's what the Switch uses.

 

Done, that's me done the script now......

Use your own keys.dat file....put in the folder as shown in the picture.

Make a firmware folder and put your firmare files in it.

Click on run.bat and wait a few minutes until the ips is created, don't worry as the batch file will clean everything up for you.

You will need to edit run.bat to point to where you have python installed. You will need the bitstring module installed and python3.



Enjoy and mod to how you want :-)

 

amazing thanks man
can the same be done for the es patches

 

I haven't looked at es patches, and I don't have the time too just now. I suppose it depends how many things are patched and if the byte patterns are similar between versions. If they are, it should just be a case of modding the scripts a little bit. Maybe you can look into it and let us know. Do you even need ES patches, what are they for?

 

well i`m not that good to do that but as far as i know es patches are for new firmware patching exefs_patches/es_patches
or we dont need these anymore ??