Patching DevMenu v6.0.1 to remove startup notification

Discussion in 'Switch - Tutorials' started by OperationNT, Dec 23, 2018.

  1. OperationNT
    OP

    OperationNT GBAtemp Regular

    Member
    5
    May 1, 2016
    France
    This tutorial assumes that you found DevMenu v6.0.1 on some other site. Under this forum's rules, links to the required copyrighted material are forbidden.

    Problem

    This version of DevMenu checks the FW version and displays a message on its startup if it's higher than 6.0:

    [Image: screenshot of the startup notification]

    The purpose of this tutorial is to remove this panel.


    Step 1 - Uncompress executable "main"

    First, you need HacTool (http://github.com/SciresM/hactool/releases/tag/1.2.2) and the DevMenu executable "main". This executable should have the following properties:

    Size: 5807948 bytes
    SHA256: DD1BA1C488AF2CD6EAC1B1DCAAB143BF4F2003C0DB7B3FEA74113D80D25C274E

    If you got an NSP file (not a LayeredFS version), you must extract the NSP then the biggest NCA file with the following commands:
    • hactool -t pfs0 -k keys.txt DevMenuApp.nsp --pfs0dir=extract
    • hactool -k keys.txt --exefsdir=exefs --romfsdir=romfs BiggestFileInExtractDir.nca
    Now, you should have a "main" file in "exefs" directory. You need to uncompress it with the following command:
    • hactool -t nso0 -k keys.txt exefs/main --uncompressed=mainDec
    The uncompressed executable file "mainDec" should have the following properties:

    Size: 15011376 bytes (14 MiB)
    SHA256: E802D200640E0F0E4A86913BBB616C682DA0BE3D3F47A82F976F37FC4B3DF125


    Step 2 - Patch executable "mainDec"

    Open "mainDec" with a hexadecimal editor and replace the following bytes:
    • Binary ARM code: E80345391F19007161000054E8074539 => 080080521F0100716100005408008052
    • Hash check: EA43FE633F51336D3169BBFC70E280BAD95C4EF501AFC7E9D6C2310B745C8FBE => C1BEBE80DFE604D933F049090E95F5DFB60287E2CF65E46DFD70262954EB711D
    The modified "mainDec" file should have the following properties:

    Size: 15011376 bytes (14 MiB)
    SHA256: 82F604C51F2B71D14571308DD5B87273BE1448F68432841BFB244986BA71CCBD

    Now, you can replace "exefs/main" with the patched "mainDec" (rename it to "main").

    If you were using a LayeredFS version of DevMenu, you don't have anything more to do. If it was an NSP version, you will have to rebuild the NSP using hacPack (http://github.com/The-4n/hacPack/releases/tag/v1.33).


    Method used to find the patch

    The executable was opened with IDA Pro 7.0 and the loader "nxo64" available here:
    http://github.com/reswitched/loaders

    Usage of the "Found version" string was tracked, and it leads to the following code, which gets and checks the firmware version:

    [Image: disassembly of the firmware version check]

    Parts of this code have been replaced (thanks to http://armconverter.com website which was used to get equivalent binary code):

    [Image: the replaced instructions]

    With those changes, whatever FW version is retrieved, it is no longer checked and the conditions to avoid the notification panel are met.

    Finally, for the executable to be accepted when it's launched, the NSO0 header has to be modified where the ".text" part hash is located (see http://switchbrew.org/wiki/NSO for further details).


    Happy hacking! :)
     
    Last edited by OperationNT, Dec 23, 2018
    ioann1s, Hmed, CraftLegend and 5 others like this.
  2. JerryWeary

    JerryWeary Member

    Newcomer
    2
    Jul 28, 2018
    United States
    ok.... why not just post a link to the patched .nsp? OH yeah... can you do it on that other site? Thanks.
     
    NutymcNuty, Hmed and Ericthegreat like this.
  3. AliciaBurrito

    AliciaBurrito Member

    Newcomer
    2
    Sep 8, 2018
    United States
    Rei's Mommy
    I mean, there is a DevMenu for 6.2 that you could use while on 6.2 and you wouldn't have to patch anything ;)
     
  4. OperationNT
    OP

    OperationNT GBAtemp Regular

    Member
    5
    May 1, 2016
    France
    When there is a FW 6.3 or 7.0, the DevMenu v6.2 will pop up the panel again. With those modifications, the DevMenu v6.0.1 will never pop up the panel, so you won't have to track the next version.
    Of course, there can be another incompatibility in a future version (as happens with DevMenu v5.0 on FW 6.0).

    In addition, the tutorial part "Method used to find the patch" will allow you to also replicate the process on any future version of DevMenu.
     
    Hmed, Ericthegreat and alienware777 like this.
  5. HughNeutron2018

    HughNeutron2018 Member

    Newcomer
    1
    Jul 16, 2018
    United States
    I'm using HxD, how do I replace the hash check of the mainDec file? I got all the other steps done correctly.
     
    Hmed likes this.
  6. OperationNT
    OP

    OperationNT GBAtemp Regular

    Member
    5
    May 1, 2016
    France
    The hash check is located in the header of the NSO file, at position 0xA0. You just have to find "EA43FE633F51336D3169BBFC70E280BAD95C4EF501AFC7E9D6C2310B745C8FBE" (it should place you at position 0xA0) and replace it with "C1BEBE80DFE604D933F049090E95F5DFB60287E2CF65E46DFD70262954EB711D".
     
    Hmed likes this.
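
The ".text" hash check described in the first post and in the reply above, as an added example that is not part of the thread: a Python check that recomputes each segment's SHA-256 in an uncompressed NSO0 file and compares it with the value stored in the header. Only the .text hash position 0xA0 comes from the thread; the other field offsets are assumed from the layout on the switchbrew NSO page, and `build_sample_nso` is a hypothetical helper that constructs a tiny synthetic file for the demonstration.

```python
import hashlib
import struct

# Assumed NSO0 layout (switchbrew NSO page): per segment, a header triple
# (file offset, memory offset, size), a SHA-256 slot, and a "compressed" flag bit.
SEGMENTS = {  # name: (segment header offset, hash offset, compressed flag bit)
    ".text": (0x10, 0xA0, 0),
    ".rodata": (0x20, 0xC0, 1),
    ".data": (0x30, 0xE0, 2),
}
HEADER_SIZE = 0x100

def check_nso_hashes(blob: bytes) -> dict:
    """Map each segment to "ok", "mismatch", "compressed" (needs LZ4
    decompression before hashing) or "truncated" (runs outside the file)."""
    if len(blob) < HEADER_SIZE or blob[:4] != b"NSO0":
        raise ValueError("not an NSO0 file")
    flags = struct.unpack_from("<I", blob, 0x0C)[0]
    result = {}
    for name, (seg_off, hash_off, comp_bit) in SEGMENTS.items():
        file_off, _mem_off, size = struct.unpack_from("<III", blob, seg_off)
        if flags & (1 << comp_bit):
            result[name] = "compressed"
        elif file_off < HEADER_SIZE or file_off + size > len(blob):
            result[name] = "truncated"
        else:
            digest = hashlib.sha256(blob[file_off:file_off + size]).digest()
            stored = blob[hash_off:hash_off + 32]
            result[name] = "ok" if digest == stored else "mismatch"
    return result

def build_sample_nso(text: bytes, rodata: bytes, data: bytes) -> bytearray:
    """Constructed sample: minimal uncompressed NSO0 with consistent hashes."""
    blob = bytearray(HEADER_SIZE)
    blob[:4] = b"NSO0"
    mem_off = 0
    for (seg_off, hash_off, _bit), body in zip(SEGMENTS.values(), (text, rodata, data)):
        struct.pack_into("<III", blob, seg_off, len(blob), mem_off, len(body))
        blob[hash_off:hash_off + 32] = hashlib.sha256(body).digest()
        blob += body
        mem_off += len(body)
    return blob

if __name__ == "__main__":
    nso = build_sample_nso(b"\x1f\x20\x03\xd5" * 8, b"ro", b"rw")
    print(check_nso_hashes(bytes(nso)))   # all segments consistent
    nso[HEADER_SIZE] ^= 0xFF              # one .text byte changed, header untouched
    print(check_nso_hashes(bytes(nso)))   # .text now reported as a mismatch
```

A "mismatch" on .text is the state of a file whose code bytes were edited without the header field at 0xA0 being updated.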
  7. Hmed

    Hmed Member

    Newcomer
    2
    Sep 20, 2017
    Algeria
    Batna
    Thanx
     
  8. fixingmytoys

    fixingmytoys GBAtemp Fan

    Member
    4
    Jan 4, 2018
    Australia
    That is very good to know
     