Patching DevMenu v6.0.1 to remove startup notification

This tutorial assumes that you found DevMenu v6.0.1 on some other site. Under this forum's rules, links to the required copyrighted material are forbidden.

Problem

This version of DevMenu checks the FW version and displays a message on its startup if it's higher than 6.0:

[Image: screenshot of the startup notification]


The purpose of this tutorial is to remove this panel.


Step 1 - Uncompress executable "main"

First, you need HacTool (https://github.com/SciresM/hactool/releases/tag/1.2.2) and the DevMenu executable "main". This executable should have the following properties:

Size: 5807948 bytes
SHA256: DD1BA1C488AF2CD6EAC1B1DCAAB143BF4F2003C0DB7B3FEA74113D80D25C274E

If you have an NSP file (not a LayeredFS version), you must extract the NSP, then the biggest NCA file, with the following commands:
  • hactool -t pfs0 -k keys.txt DevMenuApp.nsp --pfs0dir=extract
  • hactool -k keys.txt --exefsdir=exefs --romfsdir=romfs BiggestFileInExtractDir.nca
Now, you should have a "main" file in "exefs" directory. You need to uncompress it with the following command:
  • hactool -t nso0 -k keys.txt exefs/main --uncompressed=mainDec
The uncompressed executable file "mainDec" should have the following properties:

Size: 15011376 bytes (14 MiB)
SHA256: E802D200640E0F0E4A86913BBB616C682DA0BE3D3F47A82F976F37FC4B3DF125


Step 2 - Patch executable "mainDec"

Open "mainDec" with a hexadecimal editor and replace the following bytes:
  • Binary ARM code: E80345391F19007161000054E8074539 => 080080521F0100716100005408008052
  • Hash check: EA43FE633F51336D3169BBFC70E280BAD95C4EF501AFC7E9D6C2310B745C8FBE => C1BEBE80DFE604D933F049090E95F5DFB60287E2CF65E46DFD70262954EB711D
The modified "mainDec" file should have the following properties:

Size: 15011376 bytes (14 MiB)
SHA256: 82F604C51F2B71D14571308DD5B87273BE1448F68432841BFB244986BA71CCBD

Now, you can replace "exefs/main" with the patched "mainDec" (rename it to "main").

If you were using a LayeredFS version of DevMenu, you don't have anything more to do. If it was an NSP version, you will have to rebuild the NSP using hacPack (https://github.com/The-4n/hacPack/releases/tag/v1.33).


Method used to find the patch

The executable was opened with IDA Pro 7.0 and the loader "nxo64" available here:
https://github.com/reswitched/loaders

Tracking the usage of the "Found version" string leads to the following code, which gets and checks the firmware version:

[Image: 1545508227-devmenuasm.png]


Parts of this code have been replaced (thanks to the http://armconverter.com website, which was used to get the equivalent binary code):

[Image: 1545508267-devmenuasmmod.png]


With those changes, whatever the retrieved FW version, it is not checked anymore and the conditions to avoid the notification panel are met.

Finally, in order for the executable to be accepted when it's launched, the NSO0 header has to be modified where the ".text" part hash is located (see https://switchbrew.org/wiki/NSO for further details).


Happy hacking! :)
 
Last edited by OperationNT,

OperationNT

I mean, there is a DevMenu for 6.2 that you could use while on 6.2 and you wouldn't have to patch anything ;)

When there is a FW 6.3 or 7.0, the DevMenu v6.2 will pop up the panel again. With those modifications, the DevMenu v6.0.1 will never pop up the panel, so you won't have to track the next version.
Of course, there can be another incompatibility in a future version (like what happens with DevMenu v5.0 on FW 6.0).

In addition, the tutorial part "Method used to find the patch" will allow you to also replicate the process on any future version of DevMenu.
 

OperationNT

The hash check is located in the header of the NSO file, at position 0xA0. You just have to find "EA43FE633F51336D3169BBFC70E280BAD95C4EF501AFC7E9D6C2310B745C8FBE" (it should place you at position 0xA0) and replace it with "C1BEBE80DFE604D933F049090E95F5DFB60287E2CF65E46DFD70262954EB711D".
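
The posts above (the tutorial's closing remark on the NSO0 header and the reply about position 0xA0) both rest on the per-segment SHA-256 values stored in the NSO0 header. The following is an added example, not code from the thread or from hactool: an integrity check for an uncompressed NSO0 image that shows why a single changed ".text" byte is caught. The header offsets are taken from the switchbrew NSO page linked above; `verify_nso`, `build_sample_nso` and the sample image are hypothetical names and constructed data.

```python
import hashlib
import struct

# NSO0 header layout per the switchbrew NSO page: flags at 0x0C, segment
# headers (file offset, memory offset, size) at 0x10/0x20/0x30, and the
# SHA-256 of each segment at 0xA0/0xC0/0xE0. Flag bits 3-5 enable the checks.
SEGMENTS = (("text", 0x10, 0xA0, 3), ("ro", 0x20, 0xC0, 4), ("data", 0x30, 0xE0, 5))


def verify_nso(blob: bytes) -> dict:
    """Return {segment: (stored_hex, computed_hex, ok)} for an uncompressed
    NSO0 image; ok is None when the segment's hash-check flag is not set."""
    if len(blob) < 0x100 or blob[:4] != b"NSO0":
        raise ValueError("not an NSO0 image")
    flags = struct.unpack_from("<I", blob, 0x0C)[0]
    if flags & 0b111:
        raise ValueError("segments are compressed; decompress first")
    report = {}
    for name, seg_off, hash_off, check_bit in SEGMENTS:
        file_off, _mem_off, size = struct.unpack_from("<III", blob, seg_off)
        if file_off + size > len(blob):
            raise ValueError(f"{name} segment runs past end of file")
        stored = blob[hash_off:hash_off + 32].hex().upper()
        computed = hashlib.sha256(blob[file_off:file_off + size]).hexdigest().upper()
        enforced = bool(flags & (1 << check_bit))
        report[name] = (stored, computed, (stored == computed) if enforced else None)
    return report


def build_sample_nso(text: bytes, ro: bytes, data: bytes) -> bytes:
    """Constructed test image: minimal 0x100-byte header plus raw segments."""
    hdr = bytearray(0x100)
    hdr[0:4] = b"NSO0"
    struct.pack_into("<I", hdr, 0x0C, 0b111000)  # hash checks on, no compression
    off = 0x100
    for (_, seg_off, hash_off, _), seg in zip(SEGMENTS, (text, ro, data)):
        struct.pack_into("<III", hdr, seg_off, off, off - 0x100, len(seg))
        hdr[hash_off:hash_off + 32] = hashlib.sha256(seg).digest()
        off += len(seg)
    return bytes(hdr) + text + ro + data


if __name__ == "__main__":
    image = bytearray(build_sample_nso(b"\x1f\x20\x03\xd5" * 8, b"ro", b"data"))
    image[0x100] ^= 0xFF  # one changed byte inside the .text segment
    for seg, (stored, computed, ok) in verify_nso(bytes(image)).items():
        print(f"{seg:5} ok={ok} stored={stored[:16]}... computed={computed[:16]}...")
```

Run against a real image, the same check reports which segment no longer matches its header, which is a quick way to tell a modified executable from an untouched one before comparing whole-file hashes.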
 