SX OS Crack Thread (Homebrew Discussion)

Status: Not open for further replies.

PRAGMA (OP) - Well-Known Member, Ireland, pragma.pw
People are childish.
Just because one person releases a crack a few hours before me, I'm a bad person and apparently stole from Rei.
Sure, fappa.

Tons of Information on how SX OS works is now gone.



You guys complained when:
- I made this thread - complained about ethics (say the pirates here, probably from the 3DS scene, who use shit like freeshop)
- I explained a PoC on how editing the boot.dat's public key could effectively let us crack SX OS - complained that I had no work to show and apparently just stole info from others
- I literally re-compiled an edited version with the new key that booted but froze (progress nonetheless) - complained that I stole hexkyz's work, even though hexkyz dealt with decryption keys and I dealt with unpacking and repacking efforts
...
- I released the .nro Album App of SX OS 1.4 - complained yet again, for relatively the same reason as above
- I patched/cracked the .nro and released it on Twitter (an essential step to a complete SX OS crack) - complained, making accusations that I stole Rei's crack and just edited text (which is very much not true)

Notable ACTUAL fucking discussion made on this thread:
- A dude pointed out the location of the public key
- Explained how he found it
- Some users explained some of the Console Fingerprint make-up that I had wrong, mainly the "regular old ASCII -> hex" ones.
- That's about it, depressing af. Everyone else: ethics, why crack it, it's only $30, you paid $300 on a Switch, pragma is a fagma, pragma fuck off

What I learned:
People here are more toxic than Overwatch, and that's fucking saying something.
All of you guys are leeching tools who just complain when progress is made, regardless of how progress is made, by whom, or what was done; you just complain.

Notable Morons:
[screenshot]

(Decides to follow me around everywhere and complain, even on Twitter - even took the time out of his own day to send a retarded PM, see here)

[screenshot]
 

Visual Studio (Developer) - United States
Let's discuss PROGRESS here.

SX OS's Request for Licence Validation

Let's make something clear. SX OS payload/boot.dat does NOT make ANY requests
It ONLY does a request on the Licence Code Redeem section.
The Payload for RCM itself does not do any external website requests for validation. NONE.
Everything is handled by the boot.dat file.

Console Fingerprint

The SX has a "Console Fingerprint".
Using HxD 2.0.0 as well as Hekate, I managed to find the following information:

Hexadecimal base, big endian as UInt64
Format: [A-F0-9]{32}/AABBBBBBBBCDDDDD

Section  | Value
AA       | ?? This could be the eMMC USER's LBA sector. On my console, AA is 34, and my USER LBA sector is 0x34
BBBBBBBB | eMMC -> Card ID -> S/N in big endian (e.g. AABBCCDD in eMMC Info should be DDCCBBAA)
C        | 0B (static? same for everyone?)
DDDDD    | eMMC -> Card ID -> Model (in regular old ASCII -> hex)


It could be possible to use a pre-existing licence.dat if we are able to spoof our "CF".
Since the boot.dat checks "licence.dat" to see if it does in fact match the Console Fingerprint, it will then let you through.
Otherwise it tells you features will be disabled.
So if we can figure out AA,
spoof the eMMC S/N (may not be easy),
and since CCCCCC may be static, we don't need to do anything to that.
So for example, someone could edit their licence-request.dat file to 99133713370B5234,
use a key on it, and if we all spoof our AA to 99 and BBBBBBBB to 13371337 and just leave CCCCCC alone, everyone would be able to enter.

Decrypting boot.dat

The boot.dat seems to be encrypted with aes-128-ctr
It seems to contain 4 (payloads?)
"stage2" at 0x40020000
"arm64" at 0x80FFFE00
"fb" at 0xF0000000
"data" at 0x80000000
https://gist.github.com/nwert/9430a454c64248dd1186868c00b682c6

The Licence.dat Signer/Downloader

sx.xecuter.com has a page for signing and downloading the signed licences.
These CANNOT be exploited.
For example, this request did NOT result in the requester having a usable licence.dat at all.
All that happened was that he downloaded the licence.dat that someone had already signed.
The "csr_data"'s contents are exactly what the licence.dat is. This is what the "Launch Custom Firmware" button checks against your Console Fingerprint.
Why we can't sign our own Console Fingerprint into the value given is because we don't know the keys used for encryption and we don't know the value when decrypted.
If we knew the value in plaintext, we could brute-force keys until we end up encrypting it to the same value. That way we would know which keys were used, could make our own "plaintext" with our own Console Fingerprint and then encrypt it with said keys, and it would work.
But since the entire thing is on a website server-side, we have no idea what the plaintext or keys are.
The only way to get those would be with either SQL injection (very unlikely, and that would only work if the plaintext or keys were stored there for some reason) or getting into the entire server's code (impossible).
I would assume the data in the licence request is random console-unique data, and it gets signed with a private key when you upload it to the site and purchase the OS, then gets verified by an embedded public key to allow the OS's "extended features".
 

PRAGMA (OP)
Visual Studio said:
    I would assume the data in the licence request is random console-unique data, and it gets signed with a private key when you upload it to the site and purchase the OS, then gets verified by an embedded public key to allow the OS's "extended features".
Yes, that's exactly what's going on here.
 

Visual Studio (Developer)
PRAGMA said:
    Yes, that's exactly what's going on here.
Then just binary-search for the default RSA public exponent that everyone uses and you have the license; get the modulus size and divide it by 8, then you have the RSA bits, and then you just replace the public key with your own. Profit?
 

Visual Studio (Developer)
Quote:
    Can you explain this bit? And why do you think it's the key, and how did you find it? (I know the data bin, but how did you find the value itself?)
It starts with a VERY common RSA public exponent, 65537, and right after it is a 0x100-byte (2048-bit) array that's null-terminated right after, so the odds of it being the RSA key are extremely high.
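The key-swap idea discussed in this thread (find the 65537 exponent, take the 0x100-byte modulus behind it, replace it with your own so that a licence.dat you signed yourself passes the embedded-public-key check) as an added worked example. This is not SX OS code and not anything posted in the thread: the binary image, both key pairs, the console fingerprint used as the signed message and the textbook-RSA-over-SHA-256 signature scheme are all constructed assumptions, because the real licence format, the signature padding and the byte order in which the exponent is stored are not known from the posts. The scanner only assumes what the posts state: an encoded 65537 immediately precedes a 2048-bit modulus that is followed by a zero byte.

```python
"""Added demo: find an RSA-65537 public key in a flat image, swap in our own modulus,
then check which licence signatures verify. Image, keys and scheme are constructed."""
import hashlib
import random

E = 65537            # the "very common" public exponent the thread looks for
MODULUS_LEN = 0x100  # 2048-bit modulus, the size reported in the thread
# Encodings of 65537 that may precede the modulus: 3-byte big-endian (DER style),
# 4-byte big-endian uint32, 4-byte little-endian uint32. Layout assumed: e || n || 0x00.
EXPONENT_ENCODINGS = (b"\x01\x00\x01", b"\x00\x01\x00\x01", b"\x01\x00\x01\x00")

def looks_like_modulus(chunk: bytes) -> bool:
    """A big-endian RSA modulus has its top bit set, is odd and is not padding."""
    return (len(chunk) == MODULUS_LEN and bool(chunk[0] & 0x80)
            and bool(chunk[-1] & 1) and len(set(chunk)) > 64)

def find_rsa_keys(blob: bytes) -> list:
    """Offsets of every 0x100-byte modulus that directly follows an encoded 65537
    and is followed by a zero byte, the layout the thread describes."""
    offsets = set()
    for enc in EXPONENT_ENCODINGS:
        pos = blob.find(enc)
        while pos >= 0:
            mod_off, end = pos + len(enc), pos + len(enc) + MODULUS_LEN
            if looks_like_modulus(blob[mod_off:end]) and blob[end:end + 1] == b"\x00":
                offsets.add(mod_off)
            pos = blob.find(enc, pos + 1)
    return sorted(offsets)

def read_modulus(blob: bytes, mod_off: int) -> int:
    return int.from_bytes(blob[mod_off:mod_off + MODULUS_LEN], "big")

def replace_modulus(blob: bytes, mod_off: int, new_n: int) -> bytes:
    """Patch our own modulus over the one at mod_off; the exponent stays 65537."""
    return blob[:mod_off] + new_n.to_bytes(MODULUS_LEN, "big") + blob[mod_off + MODULUS_LEN:]

# Minimal RSA so the demo runs offline. Not a production implementation.
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:  # top two bits set so p*q is always exactly 2*bits long
        cand = random.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand

def generate_key(bits: int = 2048) -> tuple:
    """Return (n, d) for public exponent E."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % E:
            return n, pow(E, -1, phi)

def sign(message: bytes, n: int, d: int) -> bytes:
    """Textbook RSA over SHA-256: a stand-in, the real scheme is not known."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n).to_bytes(MODULUS_LEN, "big")

def verify(message: bytes, signature: bytes, n: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(int.from_bytes(signature, "big"), E, n) == h

def demo() -> dict:
    """Run the key swap on a constructed image and report each check."""
    random.seed(2018)  # deterministic keys for the walkthrough
    vendor_n, vendor_d = generate_key()
    attacker_n, attacker_d = generate_key()
    # Constructed image: padding, then "00 01 00 01 || modulus || 00", then padding.
    image = (b"\xaa" * 64 + b"\x00\x01\x00\x01"
             + vendor_n.to_bytes(MODULUS_LEN, "big") + b"\x00" + b"\xaa" * 32)
    fingerprint = b"99133713370B5234"  # the example fingerprint from the thread
    vendor_licence = sign(fingerprint, vendor_n, vendor_d)
    off = find_rsa_keys(image)[0]
    patched = replace_modulus(image, off, attacker_n)
    own_licence = sign(fingerprint, attacker_n, attacker_d)
    return {
        "modulus_offset": off,
        "found_vendor_key": read_modulus(image, off) == vendor_n,
        "vendor_licence_ok_before": verify(fingerprint, vendor_licence, read_modulus(image, off)),
        "vendor_licence_ok_after": verify(fingerprint, vendor_licence, read_modulus(patched, off)),
        "own_licence_ok_after": verify(fingerprint, own_licence, read_modulus(patched, off)),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the sequence the thread is after: the scanner reports the modulus at offset 68 (right behind the 4-byte exponent), the vendor-signed licence verifies against the original image and stops verifying once the modulus is patched, and a licence signed with the swapped-in private key verifies against the patched image. The three exponent encodings are a heuristic, not a guarantee: a real image may store the exponent differently or keep the modulus little-endian, so every hit is a candidate to confirm by the trailing zero byte and, ideally, by checking that a known-good licence verifies against it before patching anything.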
 