Hacking Discussion Info on SHA-256 hashes on FS patches

mrdude

Well-Known Member
Member
Joined
Dec 11, 2015
Messages
1,366
Trophies
1
Age
54
XP
3,957
Country
For the nerdy, if you look at the python files for es patches, you will see a line that converts CBZ to a Branch instruction, as most people probably don't know much about bit shifting or what that line is doing.

byte1 = 0x34000280; # byte swapped from 80020034 (cbz w0, #0x50)

Convert to branch instruction: xxx = int((0x14 << 24) | ((byte1 >> 5) & 0x7FFFF))

It's converting our instruction from CBZ to B - but keeping the same address. Bit shifting is something like this:

Hex 14 (branch instruction)
To int: 20
To binary: 10100
Shift binary bits 24 places left: 10100000000000000000000000000
Resulting hex: 14000000

Hex 0280
To int: 640
To binary: 1010000000
Shift binary bits right 5 places: 000000010100
000000010100 to hex: 000014

Final converted instruction: 14000014 (b #0x50) (the hex is then inverted, so the last byte 14 is the branch instruction and the first 2 bytes are the address).

At least that's what I think it does :-), maybe I am wrong.

Example Python code for checking:
Code:
#CBZ to B checker - MrDude
#Check instructions here (Arm64) - https://armconverter.com/?disasm

import struct

byte = "0x80020034"  # raw bytes as stored in the file (cbz w0, #0x50)
byte1 = int(byte, 16)  # convert the hex string above to an int
byte2 = struct.unpack("<I", struct.pack(">I", byte1))[0]  # byte-swap so the int reads as the ARM64 encoding (0x34000280)

value1 = int((0x14 << 24) | ((byte2 >> 5) & 0x7FFFF))  # keep the 19-bit immediate, replace the opcode with B (0x14)
inst = struct.unpack("<I", struct.pack(">I", value1))[0]  # byte-swap back to file order

hexval = '0x{0:0{1}X}'.format(inst, 8)  # format as uppercase 8-digit hex (keeps the leading zeros)
print(hexval)  # (b #0x50 - 0x14000014)
 
Last edited by mrdude,
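The same CBZ-to-B rewrite as an added example (not mrdude's script and not part of the original post). It goes a little beyond the post: it first checks that the word really is a CBZ (so a CBNZ or any other instruction is refused rather than silently rewritten), it sign-extends the 19-bit immediate so backward branches get a correct 26-bit B offset (the bare shift in the post only holds for forward branches like #0x50), and it works directly on the little-endian bytes as they sit in the file. The sample bytes are the ones from the post.

```python
import struct

CBZ_OPCODE_MASK = 0x7F000000  # bits 30..24 (bit 31 is only the w/x register size flag)
CBZ_OPCODE      = 0x34000000  # 0b0110100 -> CBZ (a CBNZ would have bit 24 set)
B_OPCODE        = 0x14000000  # 0b000101 in bits 31..26

def decode_cbz(word):
    """Decode a 32-bit CBZ encoding; return (register number, byte offset) or None."""
    if word & CBZ_OPCODE_MASK != CBZ_OPCODE:
        return None
    imm19 = (word >> 5) & 0x7FFFF
    if imm19 & 0x40000:            # bit 18 set: sign-extend the 19-bit field
        imm19 -= 1 << 19
    return word & 0x1F, imm19 * 4  # branch offsets are counted in 4-byte words

def encode_b(byte_offset):
    """Encode an unconditional B with the given byte offset (imm26, in words)."""
    if byte_offset % 4 or not -(1 << 27) <= byte_offset < (1 << 27):
        raise ValueError("offset %d is not encodable in a B instruction" % byte_offset)
    return B_OPCODE | ((byte_offset // 4) & 0x3FFFFFF)

def cbz_to_b(word):
    """Replace a CBZ with an unconditional branch to the same target."""
    decoded = decode_cbz(word)
    if decoded is None:
        raise ValueError("0x%08X is not a CBZ instruction" % word)
    return encode_b(decoded[1])

def patch_le(raw):
    """Take the 4 little-endian bytes from the file and return the patched 4 bytes."""
    (word,) = struct.unpack("<I", raw)
    return struct.pack("<I", cbz_to_b(word))

if __name__ == "__main__":
    sample = bytes.fromhex("80020034")  # constructed from the post: cbz w0, #0x50 as stored on disk
    print(patch_le(sample).hex())        # 14000014 -> b #0x50
```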
Final ES patch python script

mrdude

I've re-written the es patch python file from scratch to make it easier to update the patches if they need to be in the future, everything is now handled from this one script (extraction/folder creation/patching). This is so it can be converted into a stand alone program in the future so you won't need to have python installed, and it should be compatible if you update python in the future and python breaks the script.

This will now be the final es python script (unless someone finds an issue), so you should update to this one. FS and Loader scripts will also be re-written at some point soon.
 

Attachments

  • AutoIPS-ES.zip
    183.5 KB · Views: 265

mrdude

As above, but with a standalone exe file, so you don't need python installed.

Usage example:
Code:
ES-MakeIPS.exe "firmware 11" prod.keys

Output screenshot:


If I make 2 more exe's for loader and fs patches - it will be very easy to make a gui for this, and they can easily be updated by anyone as the python scripts can be modded and made back into exe's when that situation arises.
 

Attachments

  • AutoIPS-ES.zip
    6.6 MB · Views: 278
Last edited by mrdude,

mrdude

@mrdude have you considered uploading your scripts to a git server? I'd make it easier to have latest modifications

Thanks for your awesome btw!
Maybe I will write a windows program when I get some time and put that on github. In the meantime - I'll just stick to this thread so the info is more public and can be seen by more people - then they can also read the entire thread to see what's been done, and how we managed to write the patches.
Also this thread only explains how to decrypt files and make an auto patcher based on current patches, it doesn't explain how hackers managed to find these patches in the first place, that still needs to be discussed. I imagine that some switch with a devkit, or emu has been running and memory regions were intercepted to see what was happening when the switch o/s tried to run a game. I would think a debugger was able to trace that call and then hackers found where to patch like that. I am just speculating of course, but there's still plenty to know and learn until these patches are conquered properly.
 

mrdude

Here you go fellas, all the scripts have now been re-written, cleaned up etc - these should be final now and all previous ones can be deleted and replaced with these. I also added a little python menu for you so you don't need to use batch scripts or make bash scripts.

(In the menu, you might need to edit where you installed python.) The menu will automatically install the bitstring module if you don't have it installed already the first time you run it.


All ips files will be generated inside the output folder in their relevant folders for atmosphere, patches.ini will be put in the root of the output folder so you can easily add them to your current patches.ini file.

That's me finished with this now - unless I (or someone else) makes a windows gui.

Have fun :-)
 

Attachments

  • AutoIPS-Patcher.zip
    188.8 KB · Views: 1,474
Last edited by mrdude, , Reason: Updated scripts

LyuboA

Unknown Entity
Member
Joined
Jun 1, 2018
Messages
534
Trophies
0
XP
907
Country
Bulgaria
thats amazing thank you @mrdude you are great
 

mrdude

Updated menu, changed so you can input the paths for the firmware folder + fusee-secondary.bin



If you don't want to enter anything, just put the fusee-secondary.bin + firmware folder in the same dir you are running the menu from, and press enter without entering any text.
 

Attachments

  • Menu.zip
    999 bytes · Views: 376
Last edited by mrdude, , Reason: Added debug toggle

FanboyKilla

Well-Known Member
Member
Joined
Mar 9, 2019
Messages
284
Trophies
0
XP
1,036
Country
United States
So right now, the only script that still requires Python to be installed is MakeIPS_FS, correct? AutoIPS & MakeIPS_ES have standalone EXE's, just not MakeIPS_FS.
 

mrdude

You can make them into exe's easily. In python install pyinstaller - "pip install pyinstaller".

Then cd to the directory where the scripts are - and issue this command: "pyinstaller --onefile FS-AutoIPS.py" after a few seconds it will make a standalone exe file for you.
 

FanboyKilla

Cool, I compiled that remaining script into an EXE. Thanks for the info. Do you know if there's a native way to extract a pyinstaller EXE back into the original *.py source file?
 
Last edited by FanboyKilla,

mrdude

If you are converting to exe - do them all as all the scripts had changes/fixes applied to them. Not sure if you can convert back as I have never bothered trying it - due to having the original files.
 

mrdude

Updated fs patches script, I managed to reduce the time for finding both files down to about 2.5 seconds now instead of nearly 4 (on my old laptop). Not that 1.5 seconds matters - but why not :-). This is about as fast as I can get this now so I won't be looking at that script anymore.

Menu updated, now you can drag and drop your firmware folder or fusee-secondary.bin file on to the menu (open it first and select your choice), so you won't need to type anything into the menu if you're feeling lazy (like me).
 

Attachments

  • FS-AutoIPS.zip
    2.2 KB · Views: 466
  • Menu.zip
    1 KB · Views: 420
Last edited by mrdude,

mrdude

For those that want a big speed increase, you can edit your keys.dat file to this (replace xxx with proper keys).

Code:
aes_kek_generation_source = xxx
aes_key_generation_source = xxx
header_key = xxx
key_area_key_application_00 = xxx
key_area_key_application_09 = xxx
key_area_key_application_0a = xxx
package2_key_0a = xxx

Time taken to extract the loader and make an ips patch: 0.03 seconds
Time taken to extract firmware and make FS patches: 0.95 seconds
Time taken to extract firmware and make ES patches: 0.34 seconds
 
Last edited by mrdude,

UnT7oh

Well-Known Member
Newcomer
Joined
Mar 18, 2017
Messages
87
Trophies
0
XP
348
Country
United States
Thanks for this, works great! Any chance you could add a comment to the patches.ini output to define firmware version and whether it's the FAT32 or exFAT patch? Earlier in the thread someone said it was displayed in the script output but I don't see it even with toggle debug info on.
 

LyuboA

In patches.ini the first is for ExFat and the second for Fat32. You can see that by comparing the patches with the ones already out in other packs, but that doesn't matter if it says exfat or fat32, you just don't need that, and for the Atmosphere version you will know the version, so just like the FS patches you can add that unnecessary info yourself. There's no need to make the scripts more complex just to add these.
 

UnT7oh

I'm fully aware that it's not necessary but it's useful to help keep track of what's being/been added to patches.ini. If it's easy enough to add it would be a neat little enhancement.
 