Mike Heskin Profile
Mike Heskin

@hexkyz

7,683
Followers
200
Following
4
Media
1,416
Statuses

Vulnerability researcher, reverse engineer and InfoSec enthusiast. Opinions are my own.

London, England
Joined August 2016
Pinned Tweet
@hexkyz
Mike Heskin
3 months
Insert "It's been 3000 years…" meme here. sha512sum mariko_feks.bin 065ad23e65bae859096ba1f9886a4da5d15a37266bedc2c6e1b2f27e153764b0844a90b1775ad47a0b50dc72c5bbc768027a1868a10de94807ca4e5e828b6872
11
29
155
@hexkyz
Mike Heskin
4 years
Firmware 10.0.0 adds preliminary support for a new hardware model: "nx-abcd". 3 of the 5 new DRAM profiles are for this new hardware type and there's evidence of a secondary display of sorts being added exclusively on this model. ( ͡° ͜ʖ ͡°)
81
334
1K
@hexkyz
Mike Heskin
3 years
It finally happened, rw-r-r-0644 did the impossible and found a boot1 coldboot exploit: Amazing job!
19
106
529
@hexkyz
Mike Heskin
4 years
It seems some misinterpretations are floating around regarding the next Switch model. Since I was asked to clarify, here's what we know so far about it: 1) A new retail model is definitely being worked on for release. There have been references to it since firmware 10.0.0;
8
99
417
@hexkyz
Mike Heskin
6 years
PSA: SX OS contains brick code. How do I know this? Take a guess... :/ Anyway, the concept is the same that was used by Gateway for the 3DS: your eMMC will be locked with a specific password. Sadly, in my case, the password was generated from random garbage on the stack. :(
39
126
375
@hexkyz
Mike Heskin
4 years
After stumbling upon this tweet, we were able to use this bug to dump the Gateway/TX modchip's firmware. It's important to remember that this is the exact same issue that led to fusee-gelee/shofel2, but on a different USB stack, meaning this might be even more widespread.
@horac341
Grzegorz Wypych
4 years
Hello, enjoy CVE-2020-15808 for STMicroelectronics, no response to patch it. The CDC USB class is vulnerable to a buffer overflow via the req->wLength pointer and allows reading up to 65KB of memory by crafting a special USB descriptor message. The entire series is impacted.
10
106
329
11
85
351
@hexkyz
Mike Heskin
4 months
Very proud of my 2nd successful glitch attack against a real-life target after about 2 years of learning from scratch. sha512sum mariko_bootrom.bin 6c02c0d488311c60b7d626cf2cf55d759e1264ef57d166c8e4a630f380cfbbf930b52d69d06b47feecb3a1c2daefdcf20c71b8356bc6f11748cbe51521b23bbb
17
52
344
@hexkyz
Mike Heskin
7 months
I'm seeing a lot of confusion around the flashcart thing which is understandable given how (likely deliberately) vague they are being on what it can or can't do. I'll try to cover here a few facts known about the Gamecard ecosystem in general that may provide some answers. (1/20)
6
56
261
@hexkyz
Mike Heskin
5 years
Now that the first Mariko based Switch has finally been announced, I believe it's a good time to provide some insight on what has been going on inside the Switch's HOS regarding new hardware.
5
92
253
@hexkyz
Mike Heskin
6 years
The Switch - A Memoir
10
73
245
@hexkyz
Mike Heskin
5 years
sha256(9.1.0 master key) = 4EC5A237A75A083A9C5F6CF615601522A7F822D06BD4BA32612C9CEBBB29BD45
10
48
244
@hexkyz
Mike Heskin
6 years
So, TX's OS is up.... Main file ("boot.dat") has a small header (0x100) and the body is AES-128-CTR encrypted with: KEY: 47E6BFB05965ABCD00E2EE4DDF540261 CTR: 8E4C7889CBAE4A3D64797DDA84BDB086 Decrypted file has another payload to "deobfuscate" the "OS"...
14
62
203
@hexkyz
Mike Heskin
6 years
Sneak peek of TX's enterprise-ready filesystem layer totally developed from scratch! But why does it look so familiar? "embeddedfs:/titles/%016lx/exefs/main.npdm" 🤔
13
39
192
@hexkyz
Mike Heskin
5 years
At least it's over now :P SHA256(8.1.0 Master key) == 2998E2E23609BC2675FF062A2D64AF5B1B78DFF463B24119D64A1B64F01B2D51
@SciresM
Michael
5 years
What a pain... @hexkyz SHA256(8.1.0 Package1 key) == 1F8FE8A1CC59AF021DD7772EFA50C0D0048AB361E9D6751ECC7BDAF1A7EF2E93
19
33
249
9
39
191
@hexkyz
Mike Heskin
3 years
It's finally here! The story of how @SciresM and I broke Nvidia's TSEC with the help of many friends along the way. I hope you have as much fun reading our work as we did writing about it! Enjoy!
@SciresM
Michael
3 years
Je Ne Sais Quoi - Falcons over the Horizon A blogpost/writeup on TSEC co-authored by @hexkyz and myself. Enjoy!
9
75
261
4
38
185
@hexkyz
Mike Heskin
6 years
We finally lost (the original) nvhax: This was the original exploit chain @qlutoo, @SciresM and I used to create gmmuhax. May it rest in peace... I'll be publishing a writeup for this one in due time. And yes, there are still other bugs. ;)
4
34
169
@hexkyz
Mike Heskin
6 years
Goodbye TSEC, was fun until it lasted: 032adf0a6be7dd7c11a4fa5cd64a1575e469b9da5d8bd56a12d0fbc0eb84e8e7 @SciresM @qlutoo
11
38
168
@hexkyz
Mike Heskin
6 years
There we go, Switch is back from brickland. Many thanks to rajkosto for making the process quite painless!
11
11
159
@hexkyz
Mike Heskin
6 years
Full v1.3 unpacking (older versions will be added eventually): Namaste ;)
14
38
165
@hexkyz
Mike Heskin
8 months
"Flashcart" TLDR in 5 bullet points: 1) Lotus3 must have been decapped. This is necessary to obtain certain secret hardware keys used for communications and to decrypt gamecard certificates;
3
34
166
@hexkyz
Mike Heskin
5 years
sha256(9.0.0 PK11): 584B8D688235E2D70E9029A46699DF8399E304841263B07015A88AF6D8BD8D50 ¯\_(ツ)_/¯
12
21
151
@hexkyz
Mike Heskin
4 years
While the DRM imposed by the modchip was already bypassed months ago, the modchip's firmware remained impossible to dump without glitching. And yes, I do realize Gateway's modchip being affected by this particular bug is irony at its finest. Top quality meme material even.
4
11
144
@hexkyz
Mike Heskin
7 years
And Now for Something Completely Different...
7
42
137
@hexkyz
Mike Heskin
6 years
Updated script for extracting the ROMMENU (TX menu app): As many have guessed, the new NSP installer is Tinfoil... lol...
13
32
126
@hexkyz
Mike Heskin
6 years
Bear with me, this is going to be a long thread... First of all, suing TX? I don't think we care enough for that. On the other hand, calling them out was more than necessary. I've seen many people bashing those who claimed they would steal/use public code.
5
40
124
@hexkyz
Mike Heskin
4 years
It's still unclear how the output signal will be generated (new dock?), but the evidence suggests the dp2hdmi chip lives *inside* the new display and not in an external PCB.
4
8
126
@hexkyz
Mike Heskin
4 years
Considering the information we've extracted and observed, we speculate this new dp2hdmi chip is designed for upscaling HDMI output to 4K. This is further corroborated by changes in the HDCP DRM ("nvhost_tsec" firmware inside "nvservices") and by looking at RTD2173 as example.
2
13
123
@hexkyz
Mike Heskin
6 years
As for the brick code, I was wrong. Not only is it more destructive than I originally thought (it tries to corrupt boot partitions too), but it's also deployed on *multiple* stages across the boot chain. It is also way more likely to be triggered by accident than expected.
7
28
116
@hexkyz
Mike Heskin
6 years
Updated the wiki with 6.2.0 TSEC and pkg1ldr changes:
3
27
115
@hexkyz
Mike Heskin
5 years
( ͡° ͜ʖ ͡°) FWIW the repo contains source code of critical software (bootrom included) tailored for Android running in Tegra platforms up to T124 (before Switch). All this was already RE'd on the T210/Switch, but it has never before seen names, debug symbols and amusing comments.
@SciresM
Michael
5 years
"FOR SECURITY REASONS, THIS FILE SHOULD BE DISTRIBUTED ONLY IN BINARY FORM." That's...really not how this works. Oh, NVidia... (thanks @balika011 for link)
19
92
378
1
16
111
@hexkyz
Mike Heskin
4 years
Stay tuned for a writeup/paper from @SciresM and me, to be published soon, detailing the whole process involved in taking over this obscure secure processor and all the fun we've had working with many of our friends to accomplish this feat!
1
9
110
@hexkyz
Mike Heskin
3 years
It's finally here! Honestly, and I think I can safely speak for @SciresM here, we were kinda expecting a better name... Other than that, it's exactly what we thought it would be (minus the 64GB storage; we had our suspicions, but it's not something observable in firmware).
@SciresM
Michael
3 years
Oh hey @hexkyz , they finally announced Aula :)
10
24
159
5
19
109
@hexkyz
Mike Heskin
4 years
4) The new display requires special handling in code, suggestive of OLED/MiniLED technology, and is tied to a new manufacturer;
1
9
109
@hexkyz
Mike Heskin
4 years
5) The SoC is still Mariko/T214/T210B01/TegraX1+; 6) DRAM is now being produced with 10nm process, but no new sizes or types can be observed. This means "Aula" will keep the usual 4GB LPDDR4X.
3
15
110
@hexkyz
Mike Heskin
4 years
3) "Aula" will feature an improved display of some sort and it bundles a dp2hdmi chip from Realtek (likely RTD2173 or from the same family). Communication with this chip is done by the "nvservices" system module using new ioctls for sending/getting panel messages via DPAUX;
3
6
107
@hexkyz
Mike Heskin
4 years
Ok so, considering that: a) Nvidia has moved away from Falcon for good, replacing it with a RISC-V based solution ("Peregrine"); b) Nintendo no longer uses the TSEC for secure boot on new Switch units;
6
20
104
@hexkyz
Mike Heskin
6 years
PSA: 6.2.0 changed everything. Package1 crypto now heavily relies on TSEC.
@SciresM
Michael
6 years
New Switch firmware introduces huge changes to key generation -- looking forward to cracking it :)
15
51
357
4
22
100
@hexkyz
Mike Heskin
6 years
I actually bricked my console again (for science!) and was able to unlock the eMMC with the "WANNA PLAY? :)" password, but I don't recommend anyone try this unless you are really sure of what you're doing.
6
7
100
@hexkyz
Mike Heskin
6 years
Sorry for missing my own ETA on the browserhax + nvhax release. I wasn't counting on spending the last days dealing with food poisoning. The exploit will, obviously, be released during this week (there isn't that much left to justify another delay).
16
15
98
@hexkyz
Mike Heskin
6 years
Happy Birthday Switch! As expected, you have been fully ( ͡° ͜ʖ ͡°)'d. So young...
5
16
102
@hexkyz
Mike Heskin
6 years
Anyway, browserhax + nvhax for < 6.2.0 will be released later this week (along with the writeup) so people with ipatched units can play around a bit in userland. It's not much, but hopefully will lead to more people researching other attack vectors in the latest firmwares.
18
23
99
@hexkyz
Mike Heskin
4 years
2) The next model's codename is "Aula" (for comparison, the Lite model is called "Hoag") and its form factor is codenamed nx-abcd (for comparison, the Lite is nx-abcc);
3
7
100
@hexkyz
Mike Heskin
4 years
Scripts for the leaked SXOS v3.0.0 (SHA-256 of 54ce0f58cac9643559991b0b86252424c1bbc59c5c77496110d999814a4a7d52):
4
22
100
@hexkyz
Mike Heskin
6 years
Jokes aside:
- LayeredFS support - Public code;
- eShop NSP support - Using DevMenu... Seriously?
- Battery desync fix - Available in @CTCaer's hekate fork;
- Hide OSX temp files - A real improvement;
- Removed eMMC password lock - Is this a joke?
Please, keep up the hard work.
11
18
97
@hexkyz
Mike Heskin
6 years
Just added DRAM training into Atmosphère for a faster boot time and future... stuff. Many thanks to @CTCaer's awesome Minerva project which helped squash bugs and improve my code base (originated from RE'd code and Peter De Schrijver's patches)!
4
14
94
@hexkyz
Mike Heskin
7 years
boot1 is now documented at:
1
27
102
@hexkyz
Mike Heskin
6 years
This should prevent a lot of headaches for anyone looking into TX's OS: This script further decrypts the "data" file you get from @naehrwert's script. I missed a few CTRs, but I'll update the gist asap.
8
28
99
@hexkyz
Mike Heskin
6 years
Documented the TSEC Keygen and SecureBoot payloads on the wiki: Still need to write down relevant methods, but this should give a nice overview of the TSEC SecureBoot process.
1
34
96
@hexkyz
Mike Heskin
5 years
While the patchers were updated to fix several issues with FS, the KIPS were updated solely to fix a very funny issue. Turns out, all hardcoded file paths in version 2.9 were using "atmosphere" as root directory. Version 2.9.1 renamed everything to "sxos".
4
17
94
@hexkyz
Mike Heskin
5 years
SOON™
@m4xwdev
m4xw
5 years
emuMMC when? (excuse shaky hands 😏)
20
54
299
6
13
92
@hexkyz
Mike Heskin
8 years
@yifanlu @DaveeFTW HENkaku's payload key's hash (SHA-1): eacac4a780065c8c106349e412696aabd1b1b8d1 Where's my trophy? :P
4
27
92
@hexkyz
Mike Heskin
6 years
Found very strong evidence of a whole new PCB and 8GB memory for new T214 Switch (Mariko):
5
33
91
@hexkyz
Mike Heskin
6 years
Retweeting for visibility. It's important we get ninupdates up and running before 6.x drops. Yes, 6.0.0 is real and is getting very close to an official release.
8
33
85
@hexkyz
Mike Heskin
6 years
Just gonna leave this here...
7
17
88
@hexkyz
Mike Heskin
5 years
Finally, there's absolutely no evidence of an actual "Pro" version. At least not in the sense that it would be based off of the Tegra X2 or have massive performance and/or memory improvements.
10
14
89
@hexkyz
Mike Heskin
7 years
REMINDER: Switch homebrew will be firmware 3.0.0 only for quite a while. Future hacks belong to an uncertain future and homebrew development will begin and be maintained on firmware 3.0.0 for as long as necessary.
13
26
84
@hexkyz
Mike Heskin
6 years
In case you missed it, you can relive @yifanlu and @DaveeFTW's "Viva la Vita Vida" talk here (raw stream): TLDR: Someone in Sony's HQ is now hunting down the cat that mashed the A key on the F00D development team's keyboard.
5
25
88
@hexkyz
Mike Heskin
6 years
As you've probably seen already, the CDN "leaked" 6.0.0 a couple days ago and we were able to start tearing it apart. It seems people are confused over some of the publicly shared details on the update, so I'll try to give a more technical view about it in this thread.
8
33
85
@hexkyz
Mike Heskin
6 years
I think this deserves attention. Folks over at have been finding hilarious vulns and documenting the inner workings of the long forgotten iQue Player console!
@pixel_stuck
stuck pixel
6 years
game over for the iQue player, you lasted a very long time o7
2
6
30
3
27
81
@hexkyz
Mike Heskin
6 years
Still working on fixing browserhax, pushing nvhax and 7.0.0 support for AMS. Meanwhile, I finally had some spare minutes to update these for 2.5.3:
2
12
82
@hexkyz
Mike Heskin
6 years
Yes, that is SX's bootloader's plaintext. ;) WANNA PLAY? :)
@naehrwert
naehrwert
6 years
ohhhhhh snap
11
40
214
3
8
79
@hexkyz
Mike Heskin
5 years
Details on deja vu and TSEC carveout access blacklisting are now public. The TSEC stuff was an expected mitigation after its full compromise, but deja vu... R.I.P. 2017-2019
@SciresM
Michael
5 years
Good night, Deja Vu -- we hardly knew ye:
6
30
164
4
14
81
@hexkyz
Mike Heskin
6 years
"While others moan on social media we work day and night..." Didn't think it would take this little to piss Gatewa... err... Team Xecuter off. 🤣
3
10
78
@hexkyz
Mike Heskin
6 years
Spot the differences!
8
12
72
@hexkyz
Mike Heskin
6 years
And finally: "The Secret of Monkey Hax: Chapter 1" 99c6cedf71e56852b656a1122f45bdde238ba037f84355052073ab3aa7a1340b The important lesson here is that I suck at boasting hashes.
2
17
77
@hexkyz
Mike Heskin
6 years
Since people have been asking, I've updated the unpack script for all versions except 1.1 (can't find it): I've also cleaned up and uploaded a script I've been using to decompress the KIP files and the inner NSO files:
7
21
74
@hexkyz
Mike Heskin
6 years
All this will be discussed in a future write-up by @naehrwert and myself, but in the meantime, if you are that eager to disprove us, feel free to run their "data_80000000.bin" payload using something like hekate. Reboot your console and enjoy the brick magic!
3
3
71
@hexkyz
Mike Heskin
7 years
Small Switch update/don't update FAQ: If you have any questions that went unanswered feel free to ask.
5
25
74
@hexkyz
Mike Heskin
6 years
Interesting fact: Tegra systems are code-named after Marvel characters. TK1 was "Logan", TX1 was "Erista" and now T214 SoC's name "Mariko" comes from Mariko Yashida, Wolverine's lover. Whether this symbolizes Nvidia and Nintendo's scorching "romance" remains to be seen. ;)
2
25
74
@hexkyz
Mike Heskin
6 years
Updated scripts for SX OS v1.5: Only ROMMENU and Loader changed and everybody already knows which project got copy-pasted this time.
4
19
73
@hexkyz
Mike Heskin
5 years
Ipatch decoder for T210 and T214 (based off of @shuffle2's original code):
6
9
70
@hexkyz
Mike Heskin
6 years
Fully documented the Tegra X1 + Switch only bootrom ipatches:
2
23
71
@hexkyz
Mike Heskin
4 years
Since the modchip uses a GD32, this was hardly unexpected as those are straight up clones of STM32. Nonetheless, I believe this demonstrates how this bug may be affecting way more devices than we thought.
3
6
69
@hexkyz
Mike Heskin
6 years
Sad day as we finally have confirmation that one of the most useful bugs in the déjà-vu exploit chain was reported for a bounty by @daeken. The nvservices transfer memory leak was originally found by @qlutoo and me back in June 2017 and it was part of the nvhax chain.
1
21
71
@hexkyz
Mike Heskin
5 years
FWIW, this was the same bug I was using on Switch to try getting browserhax on 6.1.0+, but it got promptly patched on 7.0.0 :P
@SpecterDev
Specter
5 years
I'm releasing the WebKit code execution RCE I spoke of yesterday targeting PS4 6.20 firmware. Gadgets and potentially the code execution strategy will need to be adjusted for lower firmwares. Have fun :)
247
320
1K
5
11
72
@hexkyz
Mike Heskin
6 years
On a more serious note, AFAICT the SX OS brick code has indeed been stubbed. The "WANNA PLAY :)" password is still generated and the code is still there, but now instead of trying to lock the eMMC it will just get stuck on a loop.
6
12
68
@hexkyz
Mike Heskin
6 years
Updated scripts for SX OS v1.4: Things to note:
- fs.mitm KIP has been renamed to "y so salty" (LMAO);
- Patchers have been updated for NCA stuff;
- TX NSO has been replaced with a loader that grabs the actual thing.
5
17
67
@hexkyz
Mike Heskin
6 years
By mistake I posted the wrong hash (HOVI_KEK_KEY_PRD for 6.2.0) and @shchmue quickly noticed it... :P So, let's try this again: sha_256(HOVI_ENC_KEY_PRD for 6.2.0): b7ac0d53f675ec20844fb693d69208f00f28ae546b5e658763c7f747a440c874
@hexkyz
Mike Heskin
6 years
Goodbye TSEC, was fun until it lasted: 032adf0a6be7dd7c11a4fa5cd64a1575e469b9da5d8bd56a12d0fbc0eb84e8e7 @SciresM @qlutoo
11
38
168
3
19
71
@hexkyz
Mike Heskin
5 years
Due to this, it was uncertain if keys in future updates could be extracted or not... Until now. Third time's the charm. I found a critical design flaw a few weeks ago and after a short brainstorm session with @SciresM, we were able to obliterate the TSEC's crypto scheme forever.
5
10
65
@hexkyz
Mike Heskin
6 years
The "Loader" is the meat of the "OS", but it's nothing more than:
- An old build of nx-hbmenu;
- Atmosphère's loader code.
Backup loading is mostly achieved by parsing and decrypting XCI files and feeding them directly to the FS sysmodule (which has signature checks disabled).
4
10
65
@hexkyz
Mike Heskin
6 years
Even the code for talking to their license server uses an open-source crypto library so, yes, there are multiple license violations here. However, none of us expected differently, to be honest.
3
3
64
@hexkyz
Mike Heskin
6 years
Chill, shills...
5
19
66
@hexkyz
Mike Heskin
8 years
Stage 3 is up:
6
33
67
@hexkyz
Mike Heskin
4 years
I like to think the 9.2.0 update, while serving its technical purpose, is also symbolic as it adds 33 (March 3) to a system resource limit. Coincidentally, Atmosphère's release ends in 3, as the Switch celebrates its 3rd anniversary. Thank you Nintendo for this awesome console! :)
@SciresM
Michael
4 years
Happy June 15th! Atmosphere 0.10.3 has released: More bugfixes, some memory savings, and support for 9.2.0. I hope you all enjoy! :)
14
65
340
1
8
63
@hexkyz
Mike Heskin
7 months
However, it is completely possible that future hardware would now force you to verify older gamecards online to assert their legitimacy, for example. (20/20)
9
0
66
@hexkyz
Mike Heskin
4 months
Already saw the real codename being dropped on a popular forum (albeit in an indirect, enigmatic way) so this probably won't stay a secret for too long. Fun fact: Nintendo themselves leaked the name over a year ago by adding it to a single file in the retail Switch firmware.
@SciresM
Michael
4 months
I'm not in the business of leaking this kind of thing (sorry), but for my future self's ability to prove I know what I'm talking about: ed099f81f8ffcf020b5eb0b93db313ee603155d5826e623c178a9e7b8367cd7d
13
11
328
6
5
66
@hexkyz
Mike Heskin
3 years
@Hassan__Zayed I totally forgot to mention that on the tweet, lol. This is for the Wii U.
3
1
62
@hexkyz
Mike Heskin
6 years
Scripts updated for SX OS 1.6: "Stealth Mode" is not creport or anything equivalent. It's a simple custom DNS simulation solution.
7
16
57
@hexkyz
Mike Heskin
6 years
After stripping down all the obfuscation we can now say for sure that the SX OS is made of:
- Custom bootloader to display their main menu;
- Set of kernel + INI1/KIP1 patches to disable signature checking;
- Modified KIP1 Loader.
1
6
56
@hexkyz
Mike Heskin
4 years
A number of mistakes in Loader, paired with the re-use of all DRM payloads and overall changes in code style, strongly suggest this is not the work of the same programmers (which could explain the sudden jump from 3.0.5 to 3.1.0 with such minimal changes).
6
2
59
@hexkyz
Mike Heskin
6 years
Updated @naehrwert's script for SX 1.1:
5
13
57
@hexkyz
Mike Heskin
6 years
Finally got around to adding this: This is everything your Switch can log for telemetry purposes.
1
23
59
@hexkyz
Mike Heskin
5 years
Once again, big shout out to @qlutoo, @shuffle2, @SciresM and @elmirorac for all the work involved and also to the nouveau/envytools people for the amazing work in documenting the Falcon and other obscure controllers over the years!
4
2
56
@hexkyz
Mike Heskin
5 years
As usual, don't update until further notice. 8.0.0 fixes several bugs including the last piece of the déjà-vu exploit chain.
@ylws8bot
ylws8bot
5 years
Sysupdate detected for Switch:
9
23
83
6
19
59
@hexkyz
Mike Heskin
5 years
It seems my tweets from yesterday confused some people. I don't blame you. Me failing at basic English ("until" instead of "while", smh) *and* posting the wrong hash didn't help at all, but what can I say? I was too excited and tired to even notice. :P
5
10
58