Hacking rxTools with Signatures patched out!

Status
Not open for further replies.

tofast4u

I have an MT-Card with EmuNand 9.2 on it, should I just replace the launcher with this one and update its emunand? I already have CIA managers installed on my EmuNand.
 

Elgrosp

Is it filled with the 7.X key? Did you put the firmware.bin too?

For the key, I guess it's filled. I'll try to download it somewhere else.
firmware.bin is also there.

--------------------- MERGED ---------------------------

My bad, the key wasn't filled.
Thanks a lot
 

Jaitsu

So here are some neat little tricks:

You can xor 0B 3C E6 39 4D 9F 5B 4C @ 0x26754 of rxTools, and that'll display "RX-S" and "RX-E" which you can edit and re-xor to have whatever you want displayed in System settings. (Personally I revert "RX-S" back to "Ver.")

You can chop off the last 0x110000 bytes of rxTools.dat, that's a little over a MB.

You can write 72 5B 48 14 0C F4 5D 93 A2 6C 35 FF 29 83 53 41 @ 0x40A31 to have the slot 0x25 keyX load from the first 0x10 bytes of rxTools.dat. You'll have to paste the key in yourself, of course.

Few questions about this:

For #2: Does removing those bytes have any effect? If not, why is it that big in the first place?
For #3: Overwrite the first 0x10 bytes, or insert them?
 

AHP_person (OP)
Few questions about this:

For #2: Does removing those bytes have any effect? If not, why is it that big in the first place?
For #3: Overwrite the first 0x10 bytes, or insert them?
Removing the bytes has no effect, they're just there.
Overwrite.
 

RodrigoDavy

I am having a strange problem. I downloaded the AGB/TWL version. But it doesn't run gba games, but it does run Smash Bros... :wacko:

I even double checked by downloading it twice.
I found out what was causing the problem. I had this genius idea to put the two versions of RxTools.dat on the SD card: the Smash/MH4 one named "RxTools.dat" and the "AGB/TWL" version as gba.dat.

Then I used the Go! Gateway app. It has the ability to make a server to trigger the browser exploit, but it also lets you choose the file on your SD card which triggers the exploit. So I made a server that triggers gba.dat so I could easily choose which RxTools version to use by simply accessing the right website. The problem is that even though I had set Go! Gateway to open gba.dat, it seems the file is hardcoded to access RxTools.dat, so it makes no difference if you name the .dat archive differently, since it will access whichever file is named RxTools.dat afterwards.
 

AHP_person (OP)
But how? Yes, it's easy to paste the data in there, but how do you make it know how to use it?
72 5B 48 14 0C F4 5D 93 A2 6C 35 FF 29 83 53 41 is literally the encrypted string "rxTools.dat". It just overwrites "slot0x25KeyX.bin".
I found out what was causing the problem. I had this genius idea to put the two versions of RxTools.dat on the SD card: the Smash/MH4 one named "RxTools.dat" and the "AGB/TWL" version as gba.dat.

Then I used the Go! Gateway app. It has the ability to make a server to trigger the browser exploit, but it also lets you choose the file on your SD card which triggers the exploit. So I made a server that triggers gba.dat so I could easily choose which RxTools version to use by simply accessing the right website. The problem is that even though I had set Go! Gateway to open gba.dat, it seems the file is hardcoded to access RxTools.dat, so it makes no difference if you name the .dat archive differently, since it will access whichever file is named RxTools.dat afterwards.
It calls for itself several times, yeah.
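A worked version of the three tricks quoted earlier (XOR the mask at 0x26754 to read the "RX-S"/"RX-E" labels and re-XOR a replacement, chop the 0x110000-byte tail, overwrite the 16 bytes at 0x40A31 so the 0x25 keyX is read from the file's own first 0x10 bytes) together with the two answers above: the write is an overwrite, not an insert, and the 16 bytes are the pad-encrypted form of a filename. This is an added example, not rxTools code and not a tool posted in the thread. It runs on a constructed stand-in blob built inline (the real rxTools.dat is not included); the helper names, the sample layout, the all-zero placeholder key and the shorter stand-in tail are assumptions. The only values taken from the thread are the 8-byte mask, the 16-byte string, their offsets and the 0x110000 tail length.

```python
"""Known-plaintext XOR patching of an obfuscated payload file.

Added example, not rxTools code. Values quoted from the thread: the 8-byte
XOR mask at 0x26754, the 16 bytes to write at 0x40A31, and the 0x110000
byte tail. Everything else (helper names, the constructed sample blob, the
shorter stand-in tail, the placeholder key) is an assumption made for this
demonstration.
"""

# Quoted from the thread: XOR over the 8 bytes at 0x26754 reveals "RX-S"/"RX-E".
RXS_MASK = bytes.fromhex("0B3CE6394D9F5B4C")
RXS_OFFSET = 0x26754
# Quoted from the thread: encrypted "rxTools.dat", written over "slot0x25KeyX.bin".
KEYX_PATH_OFFSET = 0x40A31
KEYX_PATH_BYTES = bytes.fromhex("725B48140CF45D93A26C35FF29835341")
REAL_TAIL = 0x110000          # bytes the thread says can be chopped off
SAMPLE_TAIL = 0x100           # stand-in tail used by the constructed sample


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def reveal(blob: bytes, offset: int, mask: bytes) -> bytes:
    """Trick #1, first half: XOR the mask over the bytes at offset."""
    return xor_bytes(blob[offset:offset + len(mask)], mask)


def derive_mask(blob: bytes, offset: int, known_plaintext: bytes) -> bytes:
    """How a mask like RXS_MASK is found: ciphertext XOR known plaintext = pad."""
    return xor_bytes(blob[offset:offset + len(known_plaintext)], known_plaintext)


def patch_string(blob: bytes, offset: int, mask: bytes, new_text: bytes) -> bytes:
    """Trick #1, second half: re-XOR a replacement string of the same length.
    Length is fixed because the pad only covers len(mask) bytes and nothing
    after it may shift."""
    if len(new_text) != len(mask):
        raise ValueError(f"replacement must be exactly {len(mask)} bytes")
    return blob[:offset] + xor_bytes(new_text, mask) + blob[offset + len(mask):]


def overwrite(blob: bytes, offset: int, data: bytes) -> bytes:
    """Trick #3: overwrite in place (never insert, which would shift offsets)."""
    if offset + len(data) > len(blob):
        raise ValueError("write runs past end of file")
    return blob[:offset] + data + blob[offset + len(data):]


def truncate(blob: bytes, tail: int) -> bytes:
    """Trick #2: drop the trailing padding."""
    if tail > len(blob):
        raise ValueError("file shorter than requested tail")
    return blob[:len(blob) - tail]


def build_sample() -> bytes:
    """Constructed stand-in for rxTools.dat (NOT the real file): a byte ramp
    with "RX-SRX-E" XOR RXS_MASK planted at RXS_OFFSET, long enough to reach
    KEYX_PATH_OFFSET, followed by SAMPLE_TAIL zero bytes."""
    body_len = KEYX_PATH_OFFSET + len(KEYX_PATH_BYTES)
    body = bytearray((bytes(range(256)) * (body_len // 256 + 1))[:body_len])
    body[RXS_OFFSET:RXS_OFFSET + len(RXS_MASK)] = xor_bytes(b"RX-SRX-E", RXS_MASK)
    return bytes(body) + bytes(SAMPLE_TAIL)


def apply_all(blob: bytes, keyx: bytes, tail: int = REAL_TAIL) -> bytes:
    """The three tricks in sequence: relabel "RX-S" to "Ver.", point the keyX
    loader at the file's own first 0x10 bytes, paste the key there, drop the tail."""
    if len(keyx) != 0x10:
        raise ValueError("keyX must be 16 bytes")
    blob = patch_string(blob, RXS_OFFSET, RXS_MASK, b"Ver.RX-E")
    blob = overwrite(blob, KEYX_PATH_OFFSET, KEYX_PATH_BYTES)
    blob = overwrite(blob, 0, keyx)
    return truncate(blob, tail)


if __name__ == "__main__":
    sample = build_sample()
    print(reveal(sample, RXS_OFFSET, RXS_MASK))            # b'RX-SRX-E'
    print(derive_mask(sample, RXS_OFFSET, b"RX-SRX-E").hex())
    out = apply_all(sample, bytes(16), tail=SAMPLE_TAIL)    # all-zero placeholder key
    print(reveal(out, RXS_OFFSET, RXS_MASK), len(sample) - len(out))
```

Against the real file you would call `apply_all(open("rxTools.dat", "rb").read(), your_keyx)` with the default tail; the sample uses a 0x100-byte tail only to keep the constructed blob small. `derive_mask` is the general step the posted mask came from: any spot whose plaintext you already know (a label, a filename) gives you the pad bytes covering it, which is all an XOR-obfuscated payload needs to be edited in place.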
 

urherenow

72 5B 48 14 0C F4 5D 93 A2 6C 35 FF 29 83 53 41 is literally the encrypted string "rxTools.dat". It just overwrites "slot0x25KeyX.bin".
Confused... I was talking about pasting firmware.bin into the RXtools.dat. How would the system automatically know what to do with it?
 

AHP_person (OP)
Confused... I was talking about pasting firmware.bin into the RXtools.dat. How would the system automatically know that to do with it?
OH, that's what you were talking about. You quoted my response to a question about why having the 7x keyx in rxtools.dat was beneficial. I assumed that's what you were talking about. I have no intention of making firmware.bin loadable from rxtools.dat.
@AHP_person Maybe this is offtopic, but is it possible to access AM service through SPIDER? (To install a cia installer)
I'm not the right person to ask about that.
 

chick8ed

Can't wait to try this
 

Suiginou

@AHP_person Maybe this is offtopic, but is it possible to access AM service through SPIDER? (To install a cia installer)
(CC: @AHP_person)
Yes, it is. You'll need to pull off kernel hax, however (e.g. via bootstrap adapted for spider, which has happened previously in the eShop firmware spoofer based on work by yifan_lu: https://github.com/yifanlu/Spider3DSTools/commits/nim-patching). Since rxTools runs NATIVE_FIRM beyond 9.2 (firmware.bin), those kernel hacks won't work. rxTools has no support for 9.2 NATIVE_FIRM.

For the privilege escalation in srv: to gain access to all services, you'll also need to do one piece of original research, which requires only very basic ARM disassembly reading skills: Finding the location of the srv: handle to close and reopen it correctly. This may vary between versions of spider.

The am module checks signatures via Process9, which does the actual heavy lifting, since am is just a wrapper around a few commands in Process9 (See 3dbrew on: AMPXI and am; in particular, AMPXI error 0xD8E0806A). Thus, you can only install legitimate CIAs via spider, assuming your code actually works. Spiderpasta would alleviate that issue, since it patches the current NATIVE_FIRM on sysNAND. Then you could make an emuNAND with, say, FBI installed already and continue installation on rxTools-P emuNAND.
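The AMPXI error mentioned above is easier to reason about once it is split into the fields of the 3DS Result format, which is what the following added example does. This is not code from rxTools, 3dbrew or the poster: it implements the documented Result layout (bits 0-9 description, bits 10-17 module, bits 21-26 summary, bits 27-31 a signed 5-bit level). The name tables are deliberately partial (only a few modules are listed) and anything outside them is reported as unknown(n); 0xD8E0806A is the value quoted in the post, and the other inputs in the test are constructed.

```python
"""Decode a 3DS Result code into its documented bit fields.

Added example, not code from rxTools, 3dbrew or the poster. The layout is
the standard 3DS Result format (bits 0-9 description, 10-17 module,
21-26 summary, 27-31 signed 5-bit level). The name tables are partial and
anything not in them is reported as unknown(n). 0xD8E0806A is the AMPXI
error quoted in the thread; other sample values are constructed.
"""
from dataclasses import dataclass

MODULES = {1: "Kernel", 6: "OS", 16: "PXI", 17: "FS", 25: "SRV", 32: "AM"}
SUMMARIES = {
    0: "Success", 1: "NothingHappened", 2: "WouldBlock", 3: "OutOfResource",
    4: "NotFound", 5: "InvalidState", 6: "NotSupported", 7: "InvalidArgument",
    8: "WrongArgument", 9: "Canceled", 10: "StatusChanged", 11: "Internal",
    63: "InvalidResultValue",
}
LEVELS = {
    0: "Success", 1: "Info", -1: "Fatal", -2: "Reset", -3: "Reinitialize",
    -4: "Usage", -5: "Permanent", -6: "Temporary", -7: "Status",
}


def _name(table: dict, key: int) -> str:
    return table.get(key, f"unknown({key})")


@dataclass(frozen=True)
class Result:
    raw: int
    description: int
    module: int
    summary: int
    level: int      # signed: negative levels are failures

    @property
    def failed(self) -> bool:
        # Bit 31 is the sign bit of the level field, so every code at or
        # above 0x80000000 is a failure and everything below it is not.
        return self.level < 0

    def module_name(self) -> str:
        return _name(MODULES, self.module)

    def summary_name(self) -> str:
        return _name(SUMMARIES, self.summary)

    def level_name(self) -> str:
        return _name(LEVELS, self.level)

    def __str__(self) -> str:
        return (f"0x{self.raw:08X}: level={self.level_name()} "
                f"summary={self.summary_name()} module={self.module_name()} "
                f"description={self.description}")


def decode(raw: int) -> Result:
    """Split a 32-bit Result into description / module / summary / level."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("result code must fit in 32 bits")
    description = raw & 0x3FF
    module = (raw >> 10) & 0xFF
    summary = (raw >> 21) & 0x3F
    level = (raw >> 27) & 0x1F
    if level & 0x10:            # sign-extend the 5-bit level
        level -= 0x20
    return Result(raw, description, module, summary, level)


def encode(description: int, module: int, summary: int, level: int) -> int:
    """Inverse of decode(); useful for building expected codes in tests."""
    if not (0 <= description < 0x400 and 0 <= module < 0x100
            and 0 <= summary < 0x40 and -16 <= level < 16):
        raise ValueError("field out of range")
    return (description | (module << 10) | (summary << 21)
            | ((level & 0x1F) << 27))


if __name__ == "__main__":
    print(decode(0xD8E0806A))
    # 0xD8E0806A: level=Permanent summary=InvalidArgument module=AM description=106
```

Decoding 0xD8E0806A gives module 32 (AM), summary 7 (InvalidArgument), level -5 (Permanent) and description 106, which is consistent with the post's point that the rejection is surfaced through the AM module; what description 106 means within AM is not something this decoder knows, and it is left to the 3dbrew page the post cites.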
 

masterz87

OK, so since I already have an SD card with the bbmenu, if I do an "emunand" with the format etc., shouldn't it back up the NAND itself or something? Or alternatively, when I switch SD cards it continues with the fact that none of the CIAs are still there. It makes no sense to me as I copied the file(s) and even deleted all of the files off of the SD card and tried to use it. I was using pastacfw (4.x mset version)
 