# Hacking Discussion: Info on SHA-256 hashes on FS patches


#### mrdude

##### Well-Known Member
Member
For the nerdy, if you look at the python files for es patches, you will see a line that converts CBZ to a Branch instruction, as most people probably don't know much about bit shifting or what that line is doing.

byte1 = 0x34000280; # byte swapped from 80020034 (cbz w0, #0x50)

Convert to branch instruction: xxx = int((0x14 << 24) | ((byte1 >> 5) & 0x7FFFF))

It's converting our instruction from CBZ to B - but keeping the same address. Bit shifting is something like this:

Hex 14 (branch instruction)
To Int:20
To Binary: 10100
Shift binary bits 24 places left:10100000000000000000000000000
Resulting Hex:14000000

Hex 0280
To int:640
To bin:1010000000
Shift binary bits right 5 places:000000010100
000000010100 to hex:000014

Final converted instruction: 14000014 (b #0x50) (hex is then inverted, so the last byte 14 is the branch instruction, first 2 bytes is the address).

At least that's what I think it does :-), maybe I am wrong.

Example Python code for checking:
Code:
```
# CBZ to B checker - MrDude
# Check instructions here (Arm64) - https://armconverter.com/?disasm

import struct

byte = "0x80020034"  # (cbz w0, #0x50), bytes in the order they appear in the file
byte1 = int(byte, 16)  # convert the hex string above to an int
byte2 = struct.unpack("<I", struct.pack(">I", byte1))[0]  # swap endianness -> 0x34000280

value1 = int((0x14 << 24) | ((byte2 >> 5) & 0x7FFFF))  # B opcode in the top byte | imm19 taken from the CBZ
inst = struct.unpack("<I", struct.pack(">I", value1))[0]  # swap endianness back to file byte order

hexval = '0x{0:0{1}X}'.format(inst, 8)  # int back to uppercase hex, keeping leading zeros
print(hexval)  # (b #0x50 - 0x14000014)
```

Last edited by mrdude,
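An added example, not part of mrdude's post or scripts: a small decoder that checks what the CBZ and B words above actually encode, and that goes beyond the post's single case by sign-extending the offset so backward branches are handled too. All function names and the `0x34FFFFC0` sample are constructed for illustration.

```python
import struct

CB_MASK, CB_BASE = 0x7E000000, 0x34000000  # CBZ/CBNZ: bits 30..25 == 011010
B_MASK, B_BASE = 0xFC000000, 0x14000000    # B: bits 31..26 == 000101

def sign_extend(value, bits):
    """Interpret a `bits`-wide field as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign

def from_file_bytes(hex_bytes):
    """Bytes as stored in the file (little-endian) -> 32-bit instruction word."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes))[0]

def decode_cb(word):
    """Return (mnemonic, register, byte offset) for a CBZ/CBNZ word."""
    if word & CB_MASK != CB_BASE:
        raise ValueError(f"0x{word:08X} is not CBZ/CBNZ")
    mnemonic = "cbnz" if word & (1 << 24) else "cbz"
    reg = ("x" if word >> 31 else "w") + str(word & 0x1F)
    return mnemonic, reg, sign_extend((word >> 5) & 0x7FFFF, 19) * 4

def decode_b(word):
    """Return the signed byte offset of an unconditional B word."""
    if word & B_MASK != B_BASE:
        raise ValueError(f"0x{word:08X} is not B")
    return sign_extend(word & 0x3FFFFFF, 26) * 4

def cb_to_b(word):
    """Re-encode CBZ/CBNZ as B to the same target, keeping the offset's sign."""
    offset = decode_cb(word)[2]
    return B_BASE | ((offset >> 2) & 0x3FFFFFF)

def thread_formula(word):
    """The one-liner quoted in the post: copies imm19 without sign extension."""
    return (0x14 << 24) | ((word >> 5) & 0x7FFFF)

if __name__ == "__main__":
    forward = from_file_bytes("80020034")   # cbz w0, #0x50 (from the post)
    backward = 0x34FFFFC0                   # cbz w0, #-8 (constructed sample)
    for w in (forward, backward):
        print(decode_cb(w), hex(cb_to_b(w)), decode_b(cb_to_b(w)),
              hex(thread_formula(w)), decode_b(thread_formula(w)))
```

For the forward branch in the post both encoders agree on `0x14000014`; for the constructed backward branch the one-liner yields a word that decodes to a forward offset of 0x1FFFF8 rather than -8.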
Final ES patch python script

#### mrdude

##### Well-Known Member
Member
I've re-written the es patch python file from scratch to make it easier to update the patches if they need to be in the future, everything is now handled from this one script (extraction/folder creation/patching). This is so it can be converted into a standalone program in the future so you won't need to have python installed, and it should be compatible if you update python in the future and python breaks the script.

This will now be the final es python script (unless someone finds an issue), so you should update to this one. FS and Loader scripts will also be re-written at some point soon.

#### Attachments

• AutoIPS-ES.zip
183.5 KB · Views: 265

#### mrdude

##### Well-Known Member
Member
As above, but with a standalone exe file, so you don't need python installed.

Usage example:
Code:
``ES-MakeIPS.exe "firmware 11" prod.keys``

Output screenshot:

If I make 2 more exe's for loader and fs patches - it will be very easy to make a gui for this, and they can easily be updated by anyone as the python scripts can be modded and made back into exe's when that situation arises.

#### Attachments

• AutoIPS-ES.zip
6.6 MB · Views: 278
Last edited by mrdude,

#### Homlet

##### Well-Known Member
Member
@mrdude have you considered uploading your scripts to a git server? It'd make it easier to have latest modifications

Thanks for your awesome work btw!

Last edited by Homlet,

#### mrdude

##### Well-Known Member
Member
> @mrdude have you considered uploading your scripts to a git server? It'd make it easier to have latest modifications

Maybe I will write a windows program when I get some time and put that on github. In the meantime - I'll just stick to this thread so the info is more public and can be seen by more people - then they can also read the entire thread to see what's been done, and how we managed to write the patches.
Also this thread only explains how to decrypt files and make an auto patcher based on current patches, it doesn't explain how hackers managed to find these patches in the first place, that still needs to be discussed. I imagine that some switch with a devkit, or emu has been running and memory regions were intercepted to see what was happening when the switch o/s tried to run a game. I would think a debugger was able to trace that call and then hackers found where to patch like that. I am just speculating of course, but there's still plenty to know and learn until these patches are conquered properly.


#### mrdude

##### Well-Known Member
Member
Here you go fellas, all the scripts have now been re-written, cleaned up etc - these should be final now and all previous ones can be deleted and replaced with these. I also added a little python menu for you so you don't need to use batch scripts or make bash scripts.

(In the menu, you might need to edit where you installed python.) The menu will automatically install the bitstring module if you don't have it installed already the first time you run it.

All ips files will be generated inside the output folder to their relevant folders for atmosphere, patches.ini will be put in the root of the output folder so you can easily add them to your current patches.ini file.

That's me finished with this now - unless I (or someone else) makes a windows gui.

Have fun :-)

#### Attachments

• AutoIPS-Patcher.zip
188.8 KB · Views: 1,474
Last edited by mrdude, Reason: Updated scripts

#### LyuboA

##### Unknown Entity
Member
> Here you go fellas, all the scripts have now been re-written, cleaned up etc - these should be final now and all previous ones can be deleted and replaced with these. I also added a little python menu for you so you don't need to use batch scripts or make bash scripts.
>
> (In the menu, you might need to edit where you installed python.) The menu will automatically install the bitstring module if you don't have it installed already the first time you run it.
>
> All ips files will be generated inside the output folder to their relevant folders for atmosphere, patches.ini will be put in the root of the output folder so you can easily add them to your current patches.ini file.
>
> That's me finished with this now - unless I (or someone else) makes a windows gui.
>
> Have fun :-)

That's amazing, thank you @mrdude, you are great


#### mrdude

##### Well-Known Member
Member
Updated menu, changed so you can input the paths for the firmware folder + fusee-secondary.bin

If you don't want to enter anything, just put the fusee-secondary.bin + firmware folder in the same dir you are running the menu from, and press enter without entering any text.

#### Attachments

999 bytes · Views: 376
Last edited by mrdude, Reason: Added debug toggle

#### FanboyKilla

##### Well-Known Member
Member
So right now, the only script that still requires Python to be installed is MakeIPS_FS, correct? AutoIPS & MakeIPS_ES have standalone EXE's, just not MakeIPS_FS.

#### mrdude

##### Well-Known Member
Member
> So right now, the only script that still requires Python to be installed is MakeIPS_FS, correct? AutoIPS & MakeIPS_ES have standalone EXE's, just not MakeIPS_FS.

You make them into exe's easily. In python install pyinstaller - "pip install pyinstaller".

Then cd to the directory where the scripts are - and issue this command: "pyinstaller --onefile FS-AutoIPS.py" after a few seconds it will make a standalone exe file for you.

#### FanboyKilla

##### Well-Known Member
Member
> You make them into exe's easily. In python install pyinstaller - "pip install pyinstaller".
>
> Then cd to the directory where the scripts are - and issue this command: "pyinstaller --onefile FS-AutoIPS.py" after a few seconds it will make a standalone exe file for you.

Cool, I compiled that remaining script into an EXE, Thanks for the info. Do you know if there's a native way to extract a pyinstaller EXE back into the original *.py source file?

Last edited by FanboyKilla,

#### mrdude

##### Well-Known Member
Member
> Cool, I compiled that remaining script into an EXE, Thanks for the info. Do you know if there's a native way to extract a pyinstaller EXE back into the original *.py source file?

If you are converting to exe - do them all as all the scripts had changes/fixes applied to them. Not sure if you can convert back as I have never bothered trying it - due to having the original files.

#### mrdude

##### Well-Known Member
Member
Last edited by mrdude,

#### mrdude

##### Well-Known Member
Member
Updated fs patches script, I managed to reduce the time for finding both files down to about 2.5 seconds now instead of nearly 4 (on my old laptop) Not that 1.5 seconds matters - but why not :-). This is about as fast as I can get this now so I won't be looking at that script anymore.

Menu updated, now you can drag and drop your firmware folder or fusee-secondary.bin file on to the menu (open it first and select your choice), so you won't need to type anything into the menu if you're feeling lazy (like me).

#### Attachments

• FS-AutoIPS.zip
2.2 KB · Views: 466
1 KB · Views: 420
Last edited by mrdude,

#### mrdude

##### Well-Known Member
Member
For those that want a big speed increase, you can edit your keys.dat file to this (replace xxx with proper keys).

Code:
```
aes_kek_generation_source = xxx
aes_key_generation_source = xxx
key_area_key_application_00 = xxx
key_area_key_application_09 = xxx
key_area_key_application_0a = xxx
package2_key_0a = xxx
```

Time taken to extract the loader and make an ips patch: 0.03 seconds
Time taken to extract firmware and make FS patches: 0.95 seconds
Time taken to extract firmware and make ES patches: 0.34 seconds

Last edited by mrdude,

#### UnT7oh

##### Well-Known Member
Newcomer
> Updated fs patches script, I managed to reduce the time for finding both files down to about 2.5 seconds now instead of nearly 4 (on my old laptop) Not that 1.5 seconds matters - but why not :-). This is about as fast as I can get this now so I won't be looking at that script anymore.
>
> Menu updated, now you can drag and drop your firmware folder or fusee-secondary.bin file on to the menu (open it first and select your choice), so you won't need to type anything into the menu if you're feeling lazy (like me).

Thanks for this, works great! Any chance you could add a comment to the patches.ini output to define firmware version and whether it's the FAT32 or exFAT patch? Earlier in the thread someone said it was displayed in the script output but I don't see it even with toggle debug info on.

#### LyuboA

##### Unknown Entity
Member
> Thanks for this, works great! Any chance you could add a comment to the patches.ini output to define firmware version and whether it's the FAT32 or exFAT patch? Earlier in the thread someone said it was displayed in the script output but I don't see it even with toggle debug info on.

In patches.ini, first is for ExFat and second for Fat32; you can see that by comparing the patches with the ones already out in other packs. But that doesn't matter if it says exfat or fat32, you just don't need that, and for the Atmosphere version you will know the version, so just like the FS patches you can add that unnecessary info yourself. There's no need to make the scripts more complex just to add these.

#### UnT7oh

##### Well-Known Member
Newcomer
> In patches.ini, first is for ExFat and second for Fat32; you can see that by comparing the patches with the ones already out in other packs. But that doesn't matter if it says exfat or fat32, you just don't need that, and for the Atmosphere version you will know the version, so just like the FS patches you can add that unnecessary info yourself. There's no need to make the scripts more complex just to add these.

I'm fully aware that it's not necessary but it's useful to help keep track of what's being/been added to patches.ini. If it's easy enough to add it would be a neat little enhancement.
