Homebrew Discussion SX OS Crack Thread

Status
Not open for further replies.

Darth Meteos

Entertainer
Member
Joined
Jan 6, 2015
Messages
1,669
Trophies
1
Age
29
Location
The Wrong Place
XP
5,639
Country
United States

I wish the Space Force would make a License Generator for this.
Trump here to save the Switch hacking scene!


ozmodchips got back to me
they say they just got the codes and they'll refund the shipping
don't have the money to pay for the shipping in the first place
RIP

Anyone who wants a license, go to https://ozmodchips.com.au/product/xecuter-sx-os/
 

leerpsp

Well-Known Member
Member
Joined
Feb 22, 2014
Messages
1,742
Trophies
0
Age
33
XP
1,871
Country
United States

Last edited by leerpsp,

Darth Meteos

Entertainer
Member
Joined
Jan 6, 2015
Messages
1,669
Trophies
1
Age
29
Location
The Wrong Place
XP
5,639
Country
United States

Visual Studio

Developer
Developer
Joined
Aug 25, 2016
Messages
123
Trophies
0
Age
30
XP
1,707
Country
United States
SX OS's Requests for Licence Validation

Let's make something clear. SX OS payload/boot.dat does NOT make ANY requests.
It ONLY does a request on the Licence Code Redeem section.
The payload for RCM itself does not do any external website requests for validation. NONE.
Everything is handled by the boot.dat file.
This is to allow offline usage.

Console Fingerprint

The SX has a "Console Fingerprint".
Using HxD 2.0.0 as well as Hekate, I managed to find the following information:

Section    Value (from eMMC Info in Hekate)
AA         Extended Card Spec -> Spec Version (in regular old ASCII -> HEX)
BBBBBBBB   Card ID -> S/N in Big Endian (e.g. AABBCCDD in eMMC Info should be: DDCCBBAA)
C          Prd Rev with 0 added to start (e.g. "Prd Rev: B" -> "0B")
DDDDD      Card ID -> Model (in regular old ASCII -> HEX)
EEEEEEEE   {Card ID -> OEM ID}{Card ID -> Card/BGA (add 0 to start)}{Card ID -> Vendor ID}{00 for padding?}

REAL EXAMPLE:
Format: [A-F0-9]{32}

AA-BBBBBBBB-C-DDDDD-EEEEEEEE
34-C74CAB92-0B-5234424E4A42-00011500


It could be possible to use a pre-existing licence.dat if we are able to spoof our "CF".
Since the boot.dat checks "licence.dat" to see if it in fact matches the Console Fingerprint, it will let you through.
It actually checks if license.dat matches the RSA-2048 public key and 65537 exponent.
Its contents are generated from license-request.dat, which is assumed to use the CF.
Otherwise it tells you features will be disabled.
So if we can spoof eMMC data (may not be easy) then we very well could spoof it to very basic values, redeem a key with it, and presumably everyone who spoofs to it and uses the same licence.dat would be "verified".

Decrypting boot.dat

The boot.dat seems to be encrypted with aes-128-ctr
It seems to contain 4 (payloads?)
"stage2" at 0x40020000
"arm64" at 0x80FFFE00
"fb" at 0xF0000000
"data" at 0x80000000
https://gist.github.com/nwert/9430a454c64248dd1186868c00b682c6

license.dat

Encrypted with RSA-2048.
This is in fact encrypted using license-request.dat as the "message".
The signature/modulus/public key it is encrypted with is @ offset 0x00040A0 (from 0C onwards) with a size of 0x100.
This is the RSA public key. The modulus is the default 65537.
We CANNOT encrypt license.dat files as we don't know the private key (stored server-side on the website - that API link).
That's why SX asks us to send our licence-request.dat (which you can see more of below) to that API so that it signs it using probably CF, redeem code and random entropy.

license-request.dat

Not encrypted (as far as I can tell).
Seems to just be some kind of Console Fingerprint with 32 bytes of 00 padding at the end.
This is likely so they don't have to pad it themselves for whatever hash function they're using (possibly aes-ctr-256 or 128).
This file gets encrypted with an exponent (65537 confirmed), and a public and private key.
We know the exponent and public key but not the private key (as already explained, it's server-side and unable to be gotten unless their FTP was hacked).

payload.bin

As far as I know, this is either encrypted very well, or not encrypted at all.
If it's not encrypted, then it doesn't do any hash checks as far as we can tell.
None are found and I can confirm it does not hash check boot.dat; see for yourself, pad 32 bytes of 00 at the end, and it will still boot.
This seems to simply be a way to open a boot.dat; it seems to be NOTHING more.

License Verification OFFICIAL RSA Keys

Exponent = 65537 (default, most commonly used)
Public Key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
Private Key = Impossible to obtain

How to Crack TX's SX OS (what we know so far)


Current State

  • As of RIGHT NOW, doing the following steps, we found out it will LOAD but will freeze on the splash screen/loading screen.
  • This only happens on boots after the first boot. For some reason, some users on first boot get through. I never do.
  • Possibly saving a save file or something somewhere to NAND.
  • Confirmed BOOT0 is unaffected as I disabled AutoRCM, recovered my first ever boot0 before doing anything, and got it to freeze, and boot0 was the same. (Or perhaps we need it to get boot0 to BE edited?)
  • Confirmed SD card and SD card partitions are unaffected.
  • Confirmed doing a full reset including saves did nothing.
  • What does this mean? This means this crack walkthrough isn't complete; we still need to find out more information.
Steps

  1. Decrypt boot.dat (look below for a script).
  2. In data.bin, Swap out the public key @ 0x00040A0 (0C) (size: 0x100) with the custom RSA key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imply a random generated RSA public key that we know the private key to.
  3. In stage2.bin, it does a hash check of data.bin; we need to patch this out. Was pretty easy: search for the original SHA256 hash of data before editing and replace it with the edited version's SHA256.
    We now have data and stage2 edited. Data now has our own custom key, and stage2 is simply edited to think it's unedited.
  4. Rebuild boot.dat with arm64.bin, fb.bin, data.bin, stage2.bin as well as the original boot.dat (look below for a script).
    Now boot.dat is custom edited with the hash check for stage2 patched, as well as some header data before 0x110 that is SHA hash patched.
  5. Generate a license.dat based on license-request.dat's contents using the public key we edited in, and its private key (not the official private key, our own). (look below for a script)
    We now have a license.dat with the contents of license-request.dat encrypted with RSA-2048 using our own keys. Normally, this wouldn't be usable by SX OS, but since we swapped out its public key, and encrypted the license.dat with said public key and private key, it will be usable by our modified boot.dat, as we swapped out its public key, so all boot.dat knows is to use that key.
  6. Put the modified boot.dat in your SD card root. Use regular old payload.bin with RCMSmasher and it will run the modified boot.dat, resulting in it using the modified public key for all licence.dat checks!
    Now obviously the public key matches the licence.dat contents, so it thinks it's a valid licence!
    SX OS boots free of charge.




Tools

boot.dat Unpacker (by nwert)

https://gist.github.com/nwert/9430a454c64248dd1186868c00b682c6

boot.dat Repacker (by PRAGMA)

https://gist.github.com/imPRAGMA/b135f59df43728b64662f466874836f4

license.dat Generator (by PRAGMA) v0.9 (probably final)

https://transfer.sh/cHQQP/licenceDatGeneratorByPRAGMA.zip
This generates a license.dat file using licence-request.dat as contents and uses custom RSA keys.
So again, this won't work on the official boot.dat, but if we can finalize the custom boot.dat and fix the freeze, it will work for that.
The boot.dat gets edited to use the custom RSA public key that's in this script, which then allows it to basically verify for our needs.
Creating a licence.dat using the same text but different keys will result in a different licence.dat than the official one. This is normal; that's the point.

No credit on the RSA key part? SMH. Also, the signature algorithm isn't known for the license.dat so making a signer wouldn't work.
 
Last edited by Visual Studio,
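Added example in Python (not SX OS / Team Xecuter code, and not the nwert or PRAGMA scripts linked above). It covers two parts of the post: a builder and parser for the Console Fingerprint layout from the table in the "Console Fingerprint" section, checked against the post's real example line, and a generic version of steps 2 and 3 of the walkthrough (swap the 0x100-byte public key at 0x40A0+0x0C in data.bin, then rewrite the SHA-256 of data.bin that stage2.bin embeds). The offsets and field rules are the post's; the function names, the field values the parser yields and the stand-in blobs in demo_patch are my own constructions.

```python
import hashlib
import re
import struct

CF_RE = re.compile(r"^[A-F0-9]{32}$")                 # "Format: [A-F0-9]{32}" from the post
EXAMPLE_CF = "34-C74CAB92-0B-5234424E4A42-00011500"   # the post's real example


def build_cf(spec_version, serial, prd_rev, model, oem_id, card_bga, vendor_id):
    """Assemble the CF from the values Hekate's eMMC Info shows, per the post's table."""
    aa = spec_version.encode("ascii").hex()        # AA: spec version, ASCII -> hex ("4" -> "34")
    bb = struct.pack("<I", serial).hex()           # BBBBBBBB: S/N byte-swapped (AABBCCDD -> DDCCBBAA)
    c = "0" + prd_rev                              # C: "Prd Rev: B" -> "0B"
    dd = model.encode("ascii").hex()               # DDDDD: model string, ASCII -> hex
    ee = "%02X" % oem_id + "0" + card_bga + "%02X" % vendor_id + "00"   # EEEEEEEE, "00" padding last
    cf = (aa + bb + c + dd + ee).upper()
    if not CF_RE.match(cf):
        raise ValueError("built CF is not 32 hex chars: %r" % cf)
    return cf


def parse_cf(cf):
    """Split a CF (dashes optional) back into the fields build_cf takes."""
    cf = cf.replace("-", "").upper()
    if not CF_RE.match(cf):
        raise ValueError("CF must be 32 hex chars")
    if cf[30:32] != "00":
        raise ValueError("unexpected trailing padding %r" % cf[30:32])
    return {
        "spec_version": bytes.fromhex(cf[0:2]).decode("ascii"),
        "serial": struct.unpack("<I", bytes.fromhex(cf[2:10]))[0],
        "prd_rev": cf[11],                          # drop the leading "0"
        "model": bytes.fromhex(cf[12:24]).decode("ascii"),
        "oem_id": int(cf[24:26], 16),
        "card_bga": cf[27],                         # drop the leading "0"
        "vendor_id": int(cf[28:30], 16),
    }


KEY_OFFSET = 0x40A0 + 0x0C   # post: public key "@ 0x00040A0 (from 0C onwards)"
KEY_SIZE = 0x100             # RSA-2048 modulus


def swap_key_and_fix_hash(data, stage2, new_key, key_offset=KEY_OFFSET, key_size=KEY_SIZE):
    """Steps 2-3 of the walkthrough, generically: replace the public key embedded in
    `data`, then rewrite the SHA-256 of `data` that `stage2` carries so its check of
    `data` still passes. Returns (new_data, new_stage2). Refuses to guess if the old
    hash is not found exactly once in stage2."""
    if len(new_key) != key_size:
        raise ValueError("new key must be %d bytes, got %d" % (key_size, len(new_key)))
    if key_offset + key_size > len(data):
        raise ValueError("key window runs past the end of data")
    old_hash = hashlib.sha256(data).digest()
    hits = stage2.count(old_hash)
    if hits != 1:
        raise ValueError("expected sha256(data) exactly once in stage2, found %d" % hits)
    new_data = data[:key_offset] + bytes(new_key) + data[key_offset + key_size:]
    new_stage2 = stage2.replace(old_hash, hashlib.sha256(new_data).digest())
    return new_data, new_stage2


def demo_patch():
    """Constructed stand-ins for data.bin / stage2.bin (not real SX OS blobs)."""
    data = bytearray(KEY_OFFSET + KEY_SIZE + 0x40)
    data[KEY_OFFSET:KEY_OFFSET + KEY_SIZE] = bytes(range(KEY_SIZE))   # pretend "official" modulus
    data = bytes(data)
    stage2 = b"\x90" * 32 + hashlib.sha256(data).digest() + b"\x90" * 32  # stage2 embeds sha256(data)
    our_key = b"\xAB" * KEY_SIZE                                           # a modulus we hold the private key for
    new_data, new_stage2 = swap_key_and_fix_hash(data, stage2, our_key)
    return (new_data[KEY_OFFSET:KEY_OFFSET + KEY_SIZE] == our_key
            and hashlib.sha256(new_data).digest() in new_stage2
            and hashlib.sha256(data).digest() not in new_stage2)


if __name__ == "__main__":
    print(parse_cf(EXAMPLE_CF))
    print("round trip ok:", build_cf(**parse_cf(EXAMPLE_CF)) == EXAMPLE_CF.replace("-", ""))
    print("patch demo ok:", demo_patch())
```

The reason step 3 is "pretty easy" is visible in swap_key_and_fix_hash: stage2 carries a bare SHA-256 of data.bin, not a signature over that hash, so anyone who can edit both blobs can make the check pass. The license.dat side is not reproduced here on purpose: the post itself says the signature algorithm used for license.dat is not known, so a signer written from the key swap alone would be guesswork.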

Kalisto

Active Member
Newcomer
Joined
Jun 15, 2018
Messages
25
Trophies
0
Age
28
XP
279
Country
Germany
It's not not progressing, but pragma is asleep. Jesus. Just wait; had some pretty interesting developments while he was out.

--------------------- MERGED ---------------------------

No credit on the RSA key part? SMH.
I didn't see credit to anything. The last few identifiers were identified by someone in Discord.
 
