Discussion Info on SHA-256 hashes on FS patches

I can't get this script to work, for some reason it's not finding my keys "keys.dat" file, I edited your script and replaced prod.keys with keys.dat, but it was still saying: Invalid NCA header! Are keys correct?

 

I'm still getting an error - I have hactool and the keys in the same folder as I am using the py script in, and it's not finding the keys, which is weird as it obviously finds and runs hactool. It's a mystery.

 

This is what I m doing - see pictures for folder content, command line, and output + modded py script.




Ignore the double quotes round the keyset line - it's the same error using single quotes.

 

Same error. (reason it's only showing 1 error - is because I just have the one file you posted above in the firmware folder, to speed things up).

 

Yep I tried that before, I think it was line 25 which was causing the issues - and the keyfile being missing from the original script. Here the modded script which is now working. (use keys.dat).

 

Slightly modded the script to add another argument as people are using different named keyfiles.

Usage: python es.py firmware prod.keys

Firmware: is the name of the folder the firmware files are in.
prod.keys can be changed to whatever key file you are using - example: python es.py 11.0.0 keys.txt

Batch file code to dump + cleanup

Code:

rem SET VAR="C:\python3.9\python"
cls
mkdir dumped
%VAR% es.py firmware keys.dat
del main.* /Q
move main_dec dumped
)

@crckd
Your script doesn't seem find the files on firmware Firmware 10.1.0 or Firmware 10.0.4, firmware newer is ok though (10.2.0 & 11.x.x) Maybe this will affect newer firmware's in future. Do you know what's different in these older firmware's and why the script isn't finding the anything in those?

EDIT: OK, found it - change line to this: (this then finds the build id in nca files as well)

Code:

if line.startswith("TitleID:0100000000000033") and not filename.endswith("*.nca"):

Although this is what happens on 10.0.4:

There's no extraction of files.......even though it has the correct title id:


So removing that file, and running the script again - it finds this also has the same id

Code:

e006abf2423022702fa4839be9825ebc.nca

and this is the output: (which seems correct)
Found! Filename : e006abf2423022702fa4839be9825ebc.nca
Using hactool to extract exefsdir
Using hactool to uncompress main
Found Build ID : 03E4EB5556B98B327D1353E8AA2C7ADF2C544470

Running this:

Code:

hactool --keyset=keys.dat --intype=nca --exefsdir=dumped --disablekeywarns firmware/e006abf2423022702fa4839be9825ebc.nca

Dumps main + main.npdm - so maybe we need to put a check as well to check for:
"ContentType: Program" because the other file's content type is "meta" (no space before program - but forum is turning it into a smiley)

 

Ok here's the updated python file with the for loop modded, this finds the correct files now in all firmware I checked down to 10.0.0.4

 

Oh wow! This is coming along amazingly!
With these documentation and scripts, now the creation of the sigpatches is no longer hidden and everyone can attempt it.
This is just lovely!

 

We should be able to find the hex patterns if we use some wildcards, it shouldn't be a problem to do that - I just checked the first patch on each firmware, can can't see an issue doing it that way.

 

Not sure if this is any help but for patch 3 search for this text in ida: "escertificate"

See pic 1, scroll to the top of the function where you see the branch:

Click on that so you can go to the branch address, You will then be in the function that needs patched.


Now I know that's not ideal - and it may need done manually - but it's better than nothing :-)

Patch 3 in older firmware was doing a NOP, now it's doing a branch to address:


It could be possible that we can just (change the patch) nop the call to branch to address as shown in the 2nd picture - I didn't try this, but it might work and make patch 3 easier to automatically do.

 

Check your pm's, I'm using python 3.9.1/Windows 10 (64bit), IDA 7.5 (64 bit).

 

@crckd, as you probably have never used IDA, it's a bit of a learning curve - but here's how to work out the patch for patch 3.

The pictures should explain better than me drivelling on.
View from IDA of unpatched file..


Arm2hex website, how to get the branch address patch:


Now using that info for: Alternative Branch Patches
Firmware 9.1.0 - patch 3 (tested - works fine)
Alternative Patch would look like this: offset: 2d3a0 - patch: 04000014

Firmware 10.0.4 - patch 3 (tested - works fine)
Alternative Patch would look like this: offset: 2dc50 - patch: 09000014

Firmware 10.1.0/10.2.0 - patch 3 (tested - works fine)
Alternative Patch would look like this: offset: 2dc64 - patch: 09000014

Firmware 11.x.x - patch 3 (tested - works fine)
offset: 2d0f4 - patch: 06000014

 

@mrdude i tested the patches for 10.2.0 they work
now that you know how to make them what does this mean for script
or a guide so everyone can make them