Hacking Info on SHA-256 hashes on FS patches

[admin]

If you want to know where those hashes came, here is what I've got so far.

1. Download Firmware 11.0.1.zip and extract the contents.

2. 2 ncas will contains "nx" folder (fat32 and exfat). I don't yet know how to identity which specific nca but it's always around 3mb.

Spoiler: Firmware files

12/13/2020 03:43 PM 3,268,608 e399b2e4b955c41a211176371478e728.nca
12/13/2020 03:43 PM 3,286,528 2ce2f151943a80fc719bd4179d7f6270.nca
12/13/2020 03:43 PM 3,327,488 0fd89afc0d0f1ee7021084df503bcc19.nca
12/13/2020 03:43 PM 3,420,160 295926145fbd59982228a9c90f28c064.nca
12/13/2020 03:43 PM 3,430,912 5c24763e70d04b110b25cddb1ad79c4c.nca
12/13/2020 03:43 PM 3,499,520 683e91ab70dd03dc744e8bff803739e8.nca
12/13/2020 03:43 PM 3,665,920 7a9f1fcd81ac310985ba5a3c90516a4b.nca
12/13/2020 03:43 PM 3,775,488 da2887605681bb45a2fbfc24c754368e.nca
12/13/2020 03:43 PM 3,803,136 c38ed0eff5b83338e8f60a37a2047262.nca
12/13/2020 03:43 PM 3,806,208 18e2372b9fb75ed2f5bc44eebf122c02.nca
12/13/2020 03:43 PM 3,853,824 55c413b83f79870e91fa8464b2bcf0e3.nca

3. Extract the contents using hactool to get bct, package1 and package2.

Spoiler: hactool

hactool.exe -t nca --romfsdir=c:\out\2ce2f151943a80fc719bd4179d7f6270 2ce2f151943a80fc719bd4179d7f6270.nca
hactool.exe -t nca --romfsdir=c:\out\0fd89afc0d0f1ee7021084df503bcc19 0fd89afc0d0f1ee7021084df503bcc19.nca

01/24/2021 11:34 AM 10,240 bct
01/24/2021 11:34 AM 193,600 package1
01/24/2021 11:34 AM 2,793,984 package2

4. Extract the contents of package2 to get Kernel1.bin, Decrypted.bin and INI1.bin. In case it fails to extract, compile the latest hactool.

Spoiler: package2

hactool.exe -t pk21 package2 --outdir=.

01/24/2021 11:34 AM 10,240 bct
01/24/2021 11:34 AM 193,600 package1
01/24/2021 11:34 AM 2,793,984 package2
01/24/2021 12:11 PM 2,793,472 Kernel.bin
01/24/2021 12:11 PM 2,793,984 Decrypted.bin
01/24/2021 12:11 PM 2,342,260 INI1.bin

5. Extract the contents of INI1.bin to get FS.kip1

Spoiler: INI1.bin

hactool.exe -t ini1 INI1.bin --outdir=.


01/24/2021 11:34 AM 10,240 bct
01/24/2021 11:34 AM 193,600 package1
01/24/2021 11:34 AM 2,793,984 package2
01/24/2021 12:11 PM 2,793,472 Kernel.bin
01/24/2021 12:11 PM 2,793,984 Decrypted.bin
01/24/2021 12:11 PM 2,342,260 INI1.bin
01/24/2021 12:52 PM 1,312,124 FS.kip1
01/24/2021 12:52 PM 152,840 Loader.kip1
01/24/2021 12:52 PM 308,884 NCM.kip1
01/24/2021 12:52 PM 99,840 ProcessMana.kip1
01/24/2021 12:52 PM 75,112 sm.kip1
01/24/2021 12:52 PM 94,980 spl.kip1

6. SHA-256 of FS.kip1 would be the filename of the FS patch.

Spoiler: SHA-256

C:\out\2ce2f151943a80fc719bd4179d7f6270\nx>"c:\Program Files\7-Zip\7z.exe" h -scrcsha256 FS.kip1
SHA256 Size Name
---------------------------------------------------------------- ------------- ------------
E399156E844EB0AA3CC5152979961C879F5E90696C1224A1BBE0FF1BCDBFD7DC 1312124 FS.kip1
---------------------------------------------------------------- ------------- ------------
E399156E844EB0AA3CC5152979961C879F5E90696C1224A1BBE0FF1BCDBFD7DC 1312124

C:\out\0fd89afc0d0f1ee7021084df503bcc19\nx>"c:\Program Files\7-Zip\7z.exe" h -scrcsha256 FS.kip1
SHA256 Size Name
---------------------------------------------------------------- ------------- ------------
0BA15BB304B505633B6DA6B2C6E991B6A06EBAFB3378DF02BF6B494075976F06 1350048 FS.kip1
---------------------------------------------------------------- ------------- ------------
0BA15BB304B505633B6DA6B2C6E991B6A06EBAFB3378DF02BF6B494075976F06 1350048

7. Decompress FS.kip1

Spoiler: kip1decomp

kip1decomp d FS.kip1 FS.decomp.kip1

8. Open FS.decomp.kip1 using a hex editor. The offset on 11.0.1 is 0E3014 and replacing 4 bytes with 1F2003D5 which is NOP on ARM64 arch.


Hope someone can make a script to find the sha256 of fs.kip1 and the offset to automate FS patching.