Hacking Discussion Info on SHA-256 hashes on FS patches

DarkMatterCore

@DarkMatterCore knows how to make the ES Patches maybe he will make a script or maybe @mrdude will
I can't compare ES byte sequences on my own, so I can't really make any automated patches. I don't have a Switch anymore.

I can, however, provide insight and assist with the process. I'm familiar with all these formats thanks to working on nxdumptool.
 

LyuboA

DarkMatterCore said:
I can't compare ES byte sequences on my own, so I can't really make any automated patches. I don't have a Switch anymore.

I can, however, provide insight and assist with the process. I'm familiar with all these formats thanks to working on nxdumptool.

That's great if @mrdude is up for another script for complete patches.
 

mrdude

LyuboA said:
That's great if @mrdude is up for another script for complete patches.

I think crckd is looking into it; he says on a previous post he is. If he needs help, then he can post in here and then we can help him. In the meantime, I have bigger fish to fry :-). I do agree with you that it would be good if we also have this ability to make ES patches, but I've not really got much time to look into it just now, and it takes a long time to do all the 'investigating' before scripts can even be started.
 

LyuboA

DarkMatterCore said:
I can't compare ES byte sequences on my own, so I can't really make any automated patches. I don't have a Switch anymore.

I can, however, provide insight and assist with the process. I'm familiar with all these formats thanks to working on nxdumptool.

Since you don't have a Switch anymore, what does this mean for nxdumptool?

mrdude said:
I think crckd is looking into it; he says on a previous post he is. If he needs help, then he can post in here and then we can help him. In the meantime, I have bigger fish to fry :-). I do agree with you that it would be good if we also have this ability to make ES patches, but I've not really got much time to look into it just now, and it takes a long time to do all the 'investigating' before scripts can even be started.

When you have time. You've already done more than most. Thank you, and thanks to @DarkMatterCore and @crckd; you guys are great for this community.
 

peteruk

(I fear I could get shot down here, but am willing to take one for the team)

Are we likely to see a GUI tool version of this when everything is figured out and finished? PC / Linux / Mac?

Figured I'd ask, thanks in advance.
 

mrdude

peteruk said:
(I fear I could get shot down here, but am willing to take one for the team)

Are we likely to see a GUI tool version of this when everything is figured out and finished? PC / Linux / Mac?

Figured I'd ask, thanks in advance.

Yes, that can easily be done. No point in doing it though until we figure out the ES patches. The program can be used to make loader/fs/es patches. Also, there would be no need for Python to be installed, as we can make Python files into stand-alone executables. See attached: MakeIPS.py has been converted into an exe.
 

Attachments

  • AutoIPS-FS.zip
    4.7 MB · Views: 188

ShadowOne333

mrdude said:
Yes, that can easily be done. No point in doing it though until we figure out the ES patches. The program can be used to make loader/fs/es patches. Also, there would be no need for Python to be installed, as we can make Python files into stand-alone executables. See attached: MakeIPS.py has been converted into an exe.

And we might have an insight into the ES patches, thanks to an anonymous source.
The source gave quite a lot of neat info, which might be what's required to finalize the set of signature patches to make an open source solution that everyone can run and create the patches from.

Here's the intel provided:

Anonymous said:
These are the patterns found between different versions of the ES NSO:
Code:
03E4EB5556B98B327D1353E8AA2C7ADF2C544470 [10.0.0]:
    2DC1C: 20010034 -> 09000014 [1F 90 01 31 28 92 80 52] [pattern found in more than one segment]
    2E9D8: E0030036 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2DC70: 61000054 -> 1F2003D5 [F3 03 1F AA 02 00 00 14] [pattern found in more than one segment] [not found in 11.0.0+]

5AA09E1AF740A91D0F73ADFAE81A63E8AC0610D2 [10.1.0]:
    2DC30: 20010034 -> 09000014 [1F 90 01 31 28 92 80 52] [pattern found in more than one segment]
    2E9F8: E0030036 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2DC84: 61000054 -> 1F2003D5 [F3 03 1F AA 02 00 00 14] [pattern found in more than one segment] [not found in 11.0.0+]

3B8BF56DBEC7225D2EE666B009C42C0DC4552010 [11.0.0]:
    2D094: 80020034 -> 14000014 [1F 90 01 31 28 92 80 52] [pattern found in more than one segment]
    2DBBC: 36D28152 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2D0F4: C80000B4 -> 06000014 [E0 23 00 91 45 EE FF 97] [11.0.0+ only pattern]
The hex string at the start of each section represents the build ID for that version of the ES NSO (which is also the filename used for the IPS patches).

Each indented line starts with the patch offset (taken from the corresponding IPS patch), followed by the original and modified AArch64 instructions, as well as the 8 bytes after that. In other words, this is somewhat the format being used to document these findings:
Code:
{build_ID} [{version}]:
    {patch_offset}: {original_sequence} -> {patch_sequence} [{byte_sequence_after_patch}]
    ...
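As an added example (my own code, not the thread's, the anonymous source's, or nxdumptool's), here is a parser for the note format described above together with a minimal decoder for the handful of AArch64 encodings that occur in the quoted entries. `SAMPLE_NOTES` is a constructed subset of the lines quoted above; the function names `parse_notes`, `describe` and `summarise` are mine. Decoding the before/after words shows what each replacement does: a conditional branch (`cbz`, `tbz`, `b.ne`) is turned into either a NOP or an unconditional `b` to the same target, which is what "skipping a check" looks like at the instruction level.

```python
import re
import struct

# Constructed sample: a subset of the entries quoted above, in the documented
# "{build_ID} [{version}]:" / "{offset}: {orig} -> {patch} [{bytes_after}] [notes]" layout.
SAMPLE_NOTES = """\
03E4EB5556B98B327D1353E8AA2C7ADF2C544470 [10.0.0]:
    2DC1C: 20010034 -> 09000014 [1F 90 01 31 28 92 80 52] [pattern found in more than one segment]
    2E9D8: E0030036 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2DC70: 61000054 -> 1F2003D5 [F3 03 1F AA 02 00 00 14] [pattern found in more than one segment] [not found in 11.0.0+]

3B8BF56DBEC7225D2EE666B009C42C0DC4552010 [11.0.0]:
    2DBBC: 36D28152 -> 1F2003D5 [C0 72 40 F9 E1 93 00 91]
    2D0F4: C80000B4 -> 06000014 [E0 23 00 91 45 EE FF 97] [11.0.0+ only pattern]
"""

HEADER_RE = re.compile(r"^([0-9A-Fa-f]{40}) \[([^\]]+)\]:\s*$")
ENTRY_RE = re.compile(
    r"^\s+([0-9A-Fa-f]+): ([0-9A-Fa-f]{8}) -> ([0-9A-Fa-f]{8}) \[([0-9A-Fa-f ]+)\](.*)$"
)
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]


def parse_notes(text):
    """Parse the notes into {build_id: {"version": str, "patches": [entry, ...]}}.
    The 40-hex-digit header is the NSO build ID (0x14 bytes, i.e. SHA-1 sized)."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"version": m.group(2), "patches": []}
            result[m.group(1).upper()] = current
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            raise ValueError("unrecognised line: %r" % line)
        current["patches"].append({
            "offset": int(m.group(1), 16),
            "orig": bytes.fromhex(m.group(2)),    # byte order as stored in the file (little-endian)
            "patch": bytes.fromhex(m.group(3)),
            "after": bytes.fromhex(m.group(4).replace(" ", "")),
            "notes": re.findall(r"\[([^\]]+)\]", m.group(5)),
        })
    return result


def _rel(imm, bits):
    """Sign-extend a `bits`-wide immediate and scale it to a byte offset string."""
    if imm & (1 << (bits - 1)):
        imm -= 1 << bits
    off = imm * 4
    return ("+0x%x" if off >= 0 else "-0x%x") % abs(off)


def describe(word):
    """Classify one little-endian AArch64 instruction word by its fixed opcode bits.
    Only the encodings that appear in the notes are decoded; anything else is 'other'."""
    w = struct.unpack("<I", word)[0]
    if w == 0xD503201F:
        return "nop"
    if (w & 0xFC000000) == 0x14000000:                    # B imm26
        return "b " + _rel(w & 0x03FFFFFF, 26)
    if (w & 0xFF000010) == 0x54000000:                    # B.cond imm19
        return "b.%s %s" % (COND[w & 0xF], _rel((w >> 5) & 0x7FFFF, 19))
    if (w & 0x7E000000) == 0x34000000:                    # CBZ / CBNZ
        mnem = "cbnz" if (w >> 24) & 1 else "cbz"
        reg = ("x" if w >> 31 else "w") + str(w & 0x1F)
        return "%s %s %s" % (mnem, reg, _rel((w >> 5) & 0x7FFFF, 19))
    if (w & 0x7E000000) == 0x36000000:                    # TBZ / TBNZ
        mnem = "tbnz" if (w >> 24) & 1 else "tbz"
        bit = ((w >> 31) << 5) | ((w >> 19) & 0x1F)
        reg = ("x" if bit >= 32 else "w") + str(w & 0x1F)
        return "%s %s bit%d %s" % (mnem, reg, bit, _rel((w >> 5) & 0x3FFF, 14))
    return "other"


def summarise(notes):
    """One row per patch: (version, offset, original, replacement, target_kept).
    target_kept is True when a conditional branch became an unconditional branch
    to the very same target, i.e. the check is skipped rather than control rerouted."""
    rows = []
    for info in notes.values():
        for p in info["patches"]:
            before, after = describe(p["orig"]), describe(p["patch"])
            kept = after.startswith("b ") and before.split()[-1] == after.split()[-1]
            rows.append((info["version"], p["offset"], before, after, kept))
    return rows


if __name__ == "__main__":
    for row in summarise(parse_notes(SAMPLE_NOTES)):
        print("%-7s 0x%05X  %-20s -> %-10s same target: %s" % row)
```

Run stand-alone it prints one row per entry; the two `cbz -> b` rows keep their branch target, the remaining rows are plain NOP-outs. The "bytes after" field is kept as raw bytes so the same structure can later be used to search for the documented pattern in another build of the NSO.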
 

mrdude

ShadowOne333 said:
And we might have an insight into the ES patches, thanks to an anonymous source.
The source gave quite a lot of neat info, which might be what's required to finalize the set of signature patches to make an open source solution that everyone can run and create the patches from.

Here's the intel provided:
It would be handy to know what files are being patched, and how they are extracted from firmware files - can your source also supply that info?
 

DarkMatterCore

mrdude said:
It would be handy to know what files are being patched, and how they are extracted from firmware files - can your source also supply that info?
I'm sure they're just unpacking the Program NCA from the ES sysmodule and decompressing its main NSO.
 

mrdude

DarkMatterCore said:
I'm sure they're just unpacking the Program NCA from the ES sysmodule and decompressing its main NSO.
Ok maybe I should be clearer - what file in the latest firmware folder (11.0.1) is the ES Sysmodule?

For example is it: 0a34b913d4cfee8b15ef0c7cd6661697.nca, and how would one unpack it?
 

DarkMatterCore

They skip the eTicket RSA signature verification. FS + Loader patches skip NCA RSA signature verification.

--------------------- MERGED ---------------------------


The filename for ES patches comes from the module/build ID found at 0x40 in the ES main NSO. It's a 0x20 byte-long field, but only 0x14 bytes are used - iirc it's a SHA-1 hash calculated over a section from the NSO while it's being built, and not a full file hash unlike FS patches.

Keep in mind NSOs usually use LZ4 compression - you need to use an NSO decompressor before creating/applying IPS patches:

Code:
hactool -t nso --disablekeywarns --uncompressed=main_dec main

By the way, looking for a specific, extracted file/path won't help you in this case because all ExeFS sections hold at least the main NSO and the main.npdm. You'll really need to check the NCA header or the main.npdm file.

If you go down the NCA header route, you can follow my previous instructions. The byte at 0x205 must match 0x00 (Program NCA) and the unsigned 64-bit integer at 0x210 must match 0x0100000000000033 (ES sysmodule).

If you go down the main.npdm route, the NULL-terminated string at 0x20 must match "es".
@mrdude This info should be handy. I shared it some pages ago.

The same command we've been using to unpack NCAs should do the trick - just replace "--romfsdir" with "--exefsdir".
 
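As an added example (my own code, not DarkMatterCore's, nxdumptool's or hactool's), the three identification rules given in the post above written out as Python functions: the NCA header check (byte 0x205 == 0x00, u64 at 0x210 == 0x0100000000000033), the NSO build ID at 0x40 (0x20-byte field, first 0x14 bytes used) that becomes the IPS filename, and the NUL-terminated name at 0x20 of main.npdm. The header check only works on a decrypted header, since raw NCA files are AES-XTS encrypted; as I recall hactool can write one out with `--header=FILE`, but treat that flag as an assumption and check `hactool --help`. The 0x10-byte width I use for the npdm name field and all the `make_*` fixtures are my own assumptions and constructed data, not firmware contents.

```python
import struct

# Values quoted in the post above
ES_TITLE_ID = 0x0100000000000033       # u64 little-endian at 0x210 of the decrypted NCA header
NCA_CONTENT_TYPE_PROGRAM = 0x00        # byte at 0x205 (0x01 is the Meta/.cnmt.nca content type)
NSO_BUILD_ID_OFFSET = 0x40             # 0x20-byte field, first 0x14 bytes meaningful (SHA-1 sized)
NPDM_NAME_OFFSET = 0x20                # NUL-terminated "es"
NPDM_NAME_LEN = 0x10                   # assumed field width; the thread does not state it


def is_es_program_nca(header):
    """header: the *decrypted* 0x400-byte NCA header. Returns True for the ES Program NCA."""
    if len(header) < 0x218:
        return False
    content_type = header[0x205]
    title_id = struct.unpack_from("<Q", header, 0x210)[0]
    return content_type == NCA_CONTENT_TYPE_PROGRAM and title_id == ES_TITLE_ID


def select_es_nca(headers):
    """headers: {nca_filename: decrypted_header_bytes}; returns the matching filenames."""
    return [name for name, hdr in headers.items() if is_es_program_nca(hdr)]


def nso_build_id(nso):
    """Upper-case hex of the 0x14 meaningful bytes of the module/build ID at 0x40.
    The NSO header is not compressed, so this works on the LZ4-compressed file too."""
    if nso[:4] != b"NSO0":
        raise ValueError("not an NSO header")
    field = nso[NSO_BUILD_ID_OFFSET:NSO_BUILD_ID_OFFSET + 0x20]
    return field[:0x14].hex().upper()


def ips_filename(nso):
    """IPS patch name as used in the thread: <build ID>.ips"""
    return nso_build_id(nso) + ".ips"


def npdm_name(npdm):
    """The NUL-terminated title name at 0x20 of main.npdm ("es" for the ES sysmodule)."""
    raw = npdm[NPDM_NAME_OFFSET:NPDM_NAME_OFFSET + NPDM_NAME_LEN]
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


# --- constructed fixtures (fake headers, not real firmware data) ---
def make_nca_header(content_type, title_id):
    hdr = bytearray(0x400)
    hdr[0x200:0x204] = b"NCA3"
    hdr[0x205] = content_type
    struct.pack_into("<Q", hdr, 0x210, title_id)
    return bytes(hdr)


def make_nso_header(build_id_hex):
    nso = bytearray(0x100)
    nso[0:4] = b"NSO0"
    nso[0x40:0x54] = bytes.fromhex(build_id_hex)   # remaining 0x0C bytes of the field stay zero
    return bytes(nso)


def make_npdm(name):
    npdm = bytearray(0x80)
    npdm[0:4] = b"META"
    npdm[0x20:0x20 + len(name)] = name.encode("ascii")
    return bytes(npdm)


SAMPLE_HEADERS = {
    "aaaa.nca": make_nca_header(NCA_CONTENT_TYPE_PROGRAM, ES_TITLE_ID),   # ES Program NCA
    "aaaa.cnmt.nca": make_nca_header(0x01, ES_TITLE_ID),                  # Meta NCA, same title ID
    "bbbb.nca": make_nca_header(NCA_CONTENT_TYPE_PROGRAM, 0x0100000000000042),  # made-up other title
}

if __name__ == "__main__":
    print("ES candidates:", select_es_nca(SAMPLE_HEADERS))
    sample_nso = make_nso_header("03E4EB5556B98B327D1353E8AA2C7ADF2C544470")  # build ID quoted above
    print("patch file:", ips_filename(sample_nso))
    print("npdm name:", npdm_name(make_npdm("es")))
```

The Meta NCA carries the same title ID as the Program NCA, which is why the content-type byte (or crckd's `.cnmt.nca` exclusion) is needed in addition to the title ID check.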

mrdude

DarkMatterCore said:
@mrdude This info should be handy. I shared it some pages ago.

The same command we've been using to unpack NCAs should do the trick - just replace "--romfsdir" with "--exefsdir".
I tried unpacking ALL the files, I got thousands of files/folders but none of them were called 'main', so that's where I failed on that info you supplied.

So I tried a little batch file like this, found the files in about 1 second :-)
Code:
for %%f in (firmware\*.*) do (
    rem %%f already carries the firmware\ prefix, so it is passed as-is
    hactool.exe -k keys.dat -t nca --exefsdir=dumped/ "%%f"
    rem stops at the first NCA that has an ExeFS at all, not specifically the ES one
    if exist dumped\main.npdm (
        EXIT /B
    )
)

I take it nearly every file has these main + main.npdm files; these should be dumped into separate folders and then scanned?
So the batch needs to look like this to dump:
Code:
for %%f in (firmware\*.*) do (
    rem %%~nxf is the bare file name, used as the per-NCA output folder
    mkdir "dumped\%%~nxf"
    hactool.exe -k keys.dat -t nca --exefsdir="dumped\%%~nxf" "%%f"
    rem rmdir without /S only removes an empty folder, so NCAs without an ExeFS leave nothing behind
    rmdir "dumped\%%~nxf" /Q
)
 

crckd (OP)
Ok, I will try and write a Python script to do that, as I don't know how to do it in the DOS command line.

I looped on all files inside the folder until I get the NCA with title ID 0100000000000033.
Remaining would be finding the addresses.

Code:
import os
import sys
import subprocess

if len(sys.argv) == 1:
    print("usage: es.py <firmware_dir>")
    sys.exit(1)

ES_NCA = ""
FIRMWARE_DIR = sys.argv[1]

print("Checking files in " + FIRMWARE_DIR + " folder.")
for filename in os.listdir(FIRMWARE_DIR):
    # skip .cnmt.nca early: the Meta NCA carries the same title ID as the Program NCA
    if not filename.endswith(".nca") or filename.endswith(".cnmt.nca"):
        continue
    path = os.path.join(FIRMWARE_DIR, filename)

    # hactool prints the decrypted header fields; look for the ES title ID
    outlines = subprocess.check_output(['hactool', '--disablekeywarns', path])
    for line in outlines.splitlines():
        line = line.decode('ascii', errors='ignore').replace(" ", "")
        if line.startswith("TitleID:0100000000000033"):
            print("Found! Filename : " + filename)
            ES_NCA = filename
            break

    if ES_NCA:
        print("Using hactool to extract exefsdir")
        # option and value must be separate argv entries ("-t", "nca"), not one string "-t nca"
        subprocess.run(["hactool", "-t", "nca", "--exefsdir=.", "--disablekeywarns", path],
                       stdout=subprocess.DEVNULL, check=True)
        if os.path.exists("main"):
            print("Using hactool to uncompress main")
            # decompress the LZ4 NSO to main_dec and read the build ID from hactool's listing
            outlines = subprocess.check_output(['hactool', '--keyset=prod.keys', '--intype=nso',
                                                '--disablekeywarns', '--uncompressed=main_dec', 'main'])
            for line in outlines.splitlines():
                line = line.decode('ascii', errors='ignore').replace(" ", "")
                if line.startswith("BuildId:"):
                    print("Found Build ID : " + line.replace("BuildId:", "")[0:40])
        break
 

Attachments

  • es.zip
    695 bytes · Views: 159