Xecuter's SX OS v3.0 Leaks And Then Obsessed Hacker Tears It Apart

Mike Heskin (aka hexkyz), the hacker who has an unhealthy obsession with Team Xecuter, has managed to get his hands on a leaked copy of SX OS v3.0. Contrary to his claim that "no new features have been added", the new version adds the unique ability to interact with the new modchips and boot CFW on iPatched, Mariko (v2) and Nintendo Switch Lite consoles. He also reports that the new chips replace boot0 with a custom bootloader and that the entire software package is encrypted with new techniques (to prevent clones).

These new cold-boot modchips work on every Nintendo Switch model and boot directly into SX OS as soon as you power on the console. Xecuter's claim that you can chain-load your own payloads still stands, but you must first boot into SX OS and select the external payload from its menu. As previously stated, most Switch consoles on the market could not be hacked until the release of these chips, which has also led to Nintendo suing various USA-based resellers of these products (as it fears the impact the chips could have on its market if end users use them for piracy).

Mike Heskin's claim that he despises Xecuter is often called into question, as his main purpose in hacking their commercial products is to then provide them to others free of charge. Xecuter's SX OS offers features not found in other CFW, and end users simply want to use it for free. Even if he succeeds in releasing a DRM-free version of SX OS v3.0, end users will still need an Xecuter SX Core or SX Lite modchip installed inside their Switch console for it to boot CFW on the majority of Switch models; the only people who could use it without a chip would be current fusee-gelee exploit users (on unpatched original units).

Hypothetically, you could use your own modchip or a clone of Xecuter's products with a cracked version of SX OS, but you would still have to pay for the chip, solder it into your console and wait for each new SX OS release to be cracked before using it. Sure, you wouldn't be directly supporting Xecuter, but hexkyz's own obsession with their products does nothing but give them loads of free press among users who simply don't care about scene drama and just want to use CFW on their consoles (as the software-only group can't provide that solution for them).

The exploit being used by Xecuter is of their own creation and is not the "old one" that "could be fixed with a firmware update", as hexkyz was spreading via rumors. hexkyz's bias against Xecuter usually results in him passing off assumptions as fact, and when the facts surface he keeps getting proved wrong. There have been many rumors surrounding these chips, and most of them ended up being complete nonsense. It might be best not to listen to a group of people who bash a company for using their open-source code without adhering to licenses, and then go and alter, steal and use other companies' work without permission. Most of what hexkyz says about Xecuter should be gone over with a fine-tooth comb before believing it. It would seem that, in this situation, jealousy and envy gone unchecked have a detrimental effect on oneself.

It's usually not a good idea to say "never" or "impossible" in a hacking scene, but as these chips work at the hardware level, and do so before the Switch's bootloader loads, it's unlikely Nintendo will be able to stop them from working. You may still risk a ban for using homebrew while signed in to a Nintendo Account, but it's unlikely a simple firmware patch could disable these chips. Even if that were the case, the chips can be updated through the included Micro USB port to ward off any protections Nintendo could come up with.

Mike also claims that, during his research, he found these new Xecuter chips still glitch the Switch console's PKC hash check, which happens during boot. Once the glitch succeeds, the chip boots its custom firmware. His claim in his tweets that the chips won't boot other payloads is misleading: they will, but not first (you must go through the SX OS menu to load them).

I'll leave you with a wall of tweets ...

Quote: hexkyz

As for a changelog, this version's purpose is to support Mariko and the modchip ecosystem, so there are no new features.

Aside from removing all KIPs except for Loader, most of the changes are DRM related.

Bootloader has new code to interact with and update the modchip.
Patchers now include full copies of each Mariko package1 encrypted with a T210B01/T214 specific key.

All applications have been updated and rebuilt to match current AMS and libnx.

On the very first boot the bootloader will attempt to update the modchip from version 1.0 to 1.1. Update firmware is stored encrypted inside the bootloader and is likely meant to patch a handful of vulnerabilities and broken code already identified.

The modchip itself flashes a custom BCT and bootloader to the boot0 partition on the eMMC. These are stored encrypted with the Mariko BEK (Boot Encryption Key) and signed with TX's own key. Once the glitch succeeds, TX's bootloader will run instead of Nintendo's.

The initial stages focus mostly on DRM and clear out all keyslots (except keyslot number 6) that were filled by the bootrom as a way to block any other third party from obtaining Mariko keys using the modchip. This is, however, ineffective.

It's not a new exploit per se, in fact it's the exact same technique used to achieve code execution on the original units: glitch the PKC hash check.
This was made more difficult with Mariko but the modchip is capable of self-adapting the timings.

It has support for booting other payloads, but it's currently broken. The boot.dat file is now also RSA signed by TX to force everyone to always boot through SXOS first.

Source
Related: SX Core Nintendo Switch (Mariko) Mod Installation Video Published
