Front-page Hacking  Updated

SX OS 2.6 Beta released: full support for Nintendo Switch firmware 7.x

From Team Xecuter:

This new 2.6 BETA of SX OS adds full support for Nintendo Switch firmware 7.x, including ALL functionality you expect when using our product. We've been pioneering our own unique and proprietary solution for defeating any future firmware protection and we're quite happy with the results so far.

This release is marked as BETA because we changed things drastically under the hood to streamline future firmware updates and some things may inadvertently behave differently.

That does not mean it hasn't been vetted at all, so give it a shot today!

Of course, we haven't been sitting idly behind the scenes either. A lot of our development resources and attention has been dedicated to bringing SX OS to those "unhackable" switches. We are working hard to bring the SX OS experience to all of you who are stuck with an "unhackable" switch. Stay tuned for more news!
Click to expand...

Download here: -REMOVED-
 
Last edited by linuxares,
  • Like
Reactions: Ra1d, m_babble, _abysswalker_ and 23 others
Click to expand...
O

oblid

Well-Known Member
Newcomer
Level 3
Joined
Oct 1, 2018
Messages
49
Trophies
0
Age
41
XP
349
Country
Uruguay
https://twitter.com/balika011/status/1107748638095220738?s=19

Triszka Balázs says:
"There is more to the story, and this is gonna be EPIC! They store the root key in plaintext, but they are not using it. On 7.0+ they set the tsec_root_keys + 0x10 then don't even touch it. It's a leftover. What they are using is a seed decrypted using slot 7. That they not clear."

Somebody can explain?

Mike Heskin says:
"This means the plaintext key was left by accident and there was already a system in place to use an obfuscated version. As of v2.6.1, the plaintext key is no longer present in the binary and the obfuscated path is taken just like before."
 
Last edited by oblid,
  • Like
Reactions: gizmomelb and ghjfdtg
V

V-Temp

Well-Known Member
Member
Level 8
Joined
Jul 20, 2017
Messages
1,227
Trophies
0
Age
34
XP
1,342
Country
United States
oblid said:
https://twitter.com/balika011/status/1107748638095220738?s=19

Triszka Balázs says:
"There is more to the story, and this is gonna be EPIC! They store the root key in plaintext, but they are not using it. On 7.0+ they set the tsec_root_keys + 0x10 then don't even touch it. It's a leftover. What they are using is a seed decrypted using slot 7. That they not clear."

Somebody can explain?

Mike Heskin says:
"This means the plaintext key was left by accident and there was already a system in place to use an obfuscated version. As of v2.6.1, the plaintext key is no longer present in the binary and the obfuscated path is taken just like before."
Click to expand...

Basically they left the key in plain-text out of oversight/rush, and it was in no capacity used (in its plain-text form, just loaded) much like the code remnants of sept, though those still seem to have been left over. It has been removed in plaintext from the boot, and the method is an obfuscated use of seed slot 7 as balika points out.
 
Last edited by V-Temp,
  • Like
Reactions: gizmomelb and oblid
Meepers55

Meepers55

Flintstones Regular
Member
Level 6
Joined
Aug 7, 2018
Messages
318
Trophies
0
XP
949
Country
United States
oblid said:
https://twitter.com/balika011/status/1107748638095220738?s=19

Triszka Balázs says:
"There is more to the story, and this is gonna be EPIC! They store the root key in plaintext, but they are not using it. On 7.0+ they set the tsec_root_keys + 0x10 then don't even touch it. It's a leftover. What they are using is a seed decrypted using slot 7. That they not clear."

Somebody can explain?

Mike Heskin says:
"This means the plaintext key was left by accident and there was already a system in place to use an obfuscated version. As of v2.6.1, the plaintext key is no longer present in the binary and the obfuscated path is taken just like before."
Click to expand...
So I was right about it being temporary after all. As I've stated before, all this arguing over nothing.
 
  • Like
Reactions: gizmomelb
josete2k

josete2k

Well-Known Member
Member
Level 9
Joined
Apr 24, 2009
Messages
680
Trophies
1
Age
43
Location
Spain
XP
1,610
Country
Spain
oblid said:
https://twitter.com/balika011/status/1107748638095220738?s=19

Triszka Balázs says:
"There is more to the story, and this is gonna be EPIC! They store the root key in plaintext, but they are not using it. On 7.0+ they set the tsec_root_keys + 0x10 then don't even touch it. It's a leftover. What they are using is a seed decrypted using slot 7. That they not clear."

Somebody can explain?

Mike Heskin says:
"This means the plaintext key was left by accident and there was already a system in place to use an obfuscated version. As of v2.6.1, the plaintext key is no longer present in the binary and the obfuscated path is taken just like before."
Click to expand...

tinkle said:
Ergo, SXOS is allowed to be linked here.
Click to expand...
 
  • Like
Reactions: gizmomelb
ZachyCatGames

ZachyCatGames

Well-Known Member
Member
Level 14
Joined
Jun 19, 2018
Messages
3,398
Trophies
1
Location
Hell
XP
4,209
Country
United States
I’m pretty sure they still have the key in it, it’s just obfuscated/hidden now

(at least that’s how I read hexkyz’s tweet)

And even if the key is completely removed there’s still other stuff in it that makes it violate this website’s rules
 
Last edited by ZachyCatGames,
  • Like
Reactions: ghjfdtg and g4jek8j54
O

oblid

Well-Known Member
Newcomer
Level 3
Joined
Oct 1, 2018
Messages
49
Trophies
0
Age
41
XP
349
Country
Uruguay
ZachyCatGames said:
I’m pretty sure they still have the key in it, it’s just obfuscated/hidden now
Click to expand...

Yes... You are right. Balázs and Heskin? Who know them...

Like before? Before that 2.6? 2.5.3 was ok by gbatemp.
And the censorship of link come for keys. Already say that 2.5.3 was ok.
 
Last edited by oblid,
AkGBA

AkGBA

Nope
Member
Level 8
Joined
Feb 14, 2007
Messages
345
Trophies
1
XP
1,437
Country
France
I know one day TX will drop support of SXOS. I bought it knowingly, while thinking about Gateway.
In the mean time, I'm really glad they found a way to run on 7.0.x.
Don't know why, but I really prefer xci loading than nsp installing.
Anyway, keep up the good work TX.
 
  • Like
Reactions: gizmomelb
metal921

metal921

Active Member
Newcomer
Level 1
Joined
Aug 28, 2018
Messages
41
Trophies
0
Age
31
XP
139
Country
United States
Anybody still have issues getting this to run? I have sys on 7.0.1 and emunand on 6.2 but for some reason I still can’t boot just blackscreens :/
 
jacopastorius

jacopastorius

Well-Known Member
Member
Level 3
Joined
Oct 24, 2018
Messages
164
Trophies
0
Age
44
XP
316
Country
Italy
AkGBA said:
I know one day TX will drop support of SXOS. I bought it knowingly, while thinking about Gateway.
In the mean time, I'm really glad they found a way to run on 7.0.x.
Don't know why, but I really prefer xci loading than nsp installing.
Anyway, keep up the good work TX.
Click to expand...
what is gateway?
 
JJTapia19

JJTapia19

I fight for my friends.
Member
Level 11
Joined
May 31, 2015
Messages
2,171
Trophies
1
Age
32
XP
2,438
Country
Puerto Rico
metal921 said:
Anybody still have issues getting this to run? I have sys on 7.0.1 and emunand on 6.2 but for some reason I still can’t boot just blackscreens :/
Click to expand...
Try a couple of times. I'm also getting low boot rate on my emunand since 2.6. I've reported it on their forums.
 
  • Like
Reactions: metal921
H

_hexkyz_

Well-Known Member
Newcomer
Level 4
Joined
Oct 4, 2018
Messages
60
Trophies
0
XP
447
Country
United States
ZachyCatGames said:
I’m pretty sure they still have the key in it, it’s just obfuscated/hidden now

(at least that’s how I read hexkyz’s tweet)

And even if the key is completely removed there’s still other stuff in it that makes it violate this website’s rules
Click to expand...

What happens is that a key is set in keyslot 7 at the end of payload_98000000 and then patcher_BFC70000 does:
- Initialize tmp_buf as 16 0xAA bytes;
- Call se_aes_ecb_decrypt_block(0x07, tmp_buf, 0x10, seed_buf, 0x10);
- Call decrypt_data_into_keyslot(0x0C, 0x07, seed_buf, 0x10).

The se_aes_ecb_decrypt_block is useless and was likely there just for testing (it's still there on v2.6.1 and you can find it by looking for 0xAAAAAAAA in the disassembled code).
This was already being used in v2.6, but they also had a piece of code that would load the actual plaintext key from memory. On v2.6.1 the key and this leftover code was removed.

The user @Falo has shared an accurate screenshot comparison of v2.6 vs. v2.6.1 here: https://gbatemp.net/threads/sx-os-2...license-activation.533956/page-3#post-8559251
 
  • Like
Reactions: gizmomelb, ghjfdtg, thaikhoa and 4 others

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

Emulation Homebrew  duckstation for Switch

Can you trade in a banned switch for an unbanned one?

Why is Atmosphere so dominant?

Crosscode Hacking thread

Hacking  Weird findings from that DQ trilogy switch port

Migswitch backups without certificate files

switch change sd card, but android start fail

General chit-chat
Help Users
  • No one is chatting at the moment.
  • K3Nv2 @ K3Nv2:
    I'll reformat and have a 3tb raid0 m. 2 at least
     +1
  • K3Nv2 @ K3Nv2:
    Lmao that sold out fast
     +1
  • Veho @ Veho:
    https://i.imgur.com/h0w1HLp.mp4
     +1
  • Veho @ Veho:
    Yeet the cat.
     +1
  • K3Nv2 @ K3Nv2:
    Good idea
     +1
  • K3Nv2 @ K3Nv2:
    https://youtu.be/9kE3Env_2AY?si=Bs6lUZ0ZIlqmYaGT
     +1
  • Psionic Roshambo @ Psionic Roshambo:
    https://youtu.be/TECN1Gm7j3A?si=XwYKYHKwxoMNdFqN
  • Veho @ Veho:
    https://i.imgur.com/7bH4YgV.mp4
  • The Real Jdbye @ The Real Jdbye:
    i thought everybody knew cocktails are like 75% ice
  • Veho @ Veho:
    Yeah but not like this.
  • Veho @ Veho:
    It's not like they're complaining that their Slurpee is 99% ice or something, but if the cocktail calls for "shot of vodka, shot of vermouth, shot of gin, shot of Campari, three shots of juice, squirt of lemon" and ends up being a thimbleful of booze, that's a problem.
  • The Real Jdbye @ The Real Jdbye:
    the funny thing is cocktails in norway are only allowed to have 1 20ml shot of booze
  • The Real Jdbye @ The Real Jdbye:
    so..... yeah
  • The Real Jdbye @ The Real Jdbye:
    we're used to only having a thimbleful of booze
  • Veho @ Veho:
    Booo.
  • The Real Jdbye @ The Real Jdbye:
    same thing if you want whisky on the rocks or something, you can't get a double
  • The Real Jdbye @ The Real Jdbye:
    but you could buy as many shots of whisky (or anything else) as you want and ask for a glass of ice and pour them in
  • The Real Jdbye @ The Real Jdbye:
    it's dumb
  • Veho @ Veho:
    Maybe.
  • Veho @ Veho:
    There was a comparison of the number of Ibuprofen poisonings before and after they limited the maximum dosage per box or per pill (i'll look that up). No limit on the number of boxes you can still buy as many as you want, so people argued it was pointless.
  • Veho @ Veho:
    But the number of (accidental) poisonings dropped because drinking an entire package of ibuprofen pills went from "I need a new liver" to "I need a new box of Ibuprofen".
  • Veho @ Veho:
    Here we have ketoprofen that used to be prescription-only because of the risk of toxic dosages, but then they halved the dose per pill and sell them in bottles of six pills apiece instead of twenty and it doesn't need a prescription any more. Yes you can buy more than one bottle but people simply don't.
  • Psionic Roshambo @ Psionic Roshambo:
    Usually accidentally overdose of ibuprofen here is from people taking like cold medicine then ibuprofen for a headache and the combination is over what they need
  • Psionic Roshambo @ Psionic Roshambo:
    https://www.youtube.com/watch?v=1hp24nDVKvY
  • Veho @ Veho:
    https://imgur.com/gallery/QQkYnQu
    Veho @ Veho: https://imgur.com/gallery/QQkYnQu