|
| 1 | +------------------------------------------------ |
| 2 | +Patch SSL certificates in DEX vsh.self on 4.91.2 |
| 3 | +------------------------------------------------ |
| 4 | +Fix for the error code 80710A06 which is a SSL connect handshake error, it occurs because |
| 5 | +DEX VSH does not have any reference to a valid certificate authority (CA) from the file CA_LIST.cer |
| 6 | + |
| 7 | +Github and other URLs: |
| 8 | +* Uses DigiCert Global Root G2 in CA_LIST.cer, in this case to download PKGs from Github |
| 9 | +* DEX vsh.self file has no reference to this certificate (CEX does have it) |
| 10 | +* We need to add DigiCert Global Root G2 hardcoded in DEX vsh.self in an offset with enough space |
| 11 | + |
| 12 | +If we open DEX vsh.self (4.84) in a HEX Editor and we go to the offset 0x703A20, |
| 13 | +we can see info about the last CA available in CA_LIST.cer (Security Communication RootCA3) in 4.84 DEX. |
| 14 | + |
| 15 | +0x703A20: |
| 16 | +00 6A 8E A0 00 00 4C 57 00 00 05 24 2F 4C 84 5C |
| 17 | +5B CA DB 94 CF E5 04 3C 38 63 E0 BC 3D EE 8A 4F |
| 18 | +C9 0B C3 7D 00 00 00 00 |
| 19 | + |
| 20 | +Offset 0x703A20 - Value 0x6A8EA0: Reference to /dev_flash/data/cert/CA_LIST.cer |
| 21 | +Offset 0x703A24 - Value 0x372B: Offset where starts the certificate in CA_LIST.cer, in this case Security Communication RootCA3 (-----BEGIN CERTIFICATE-----) |
| 22 | +Offset 0x703A28 - Value 0x07D0: Certificate size |
| 23 | +Offset 0x703A2C - Value 0xBC3436AAEB3459A7AAB55B5614467BB7E3B43AB5: SHA1 hash (Thanks to @aldostools for checking it) |
| 24 | +Offset 0x703A40 - Value 0x6F7454B3: Unknown |
| 25 | + |
| 26 | +Luckily the next 0x28 bytes in offset 0x703A50 are available and there is enough space to be able to add the reference: |
| 27 | + |
| 28 | +Offset 0x703A50 - Value 0x6A8EA0: Reference to /dev_flash/data/cert/CA_LIST.cer |
| 29 | +Offset 0x703A54 - Value 0x4C57: Offset where starts the certificate in CA_LIST.cer, in this case Security Communication RootCA3 (-----BEGIN CERTIFICATE-----) |
| 30 | +Offset 0x703A58 - Value 0x0524: Certificate size |
| 31 | +Offset 0x703A5C - Value 0x2F4C845C5BCADB94CFE5043C3863E0BC3DEE8A4F: SHA1 hash (Thanks to @aldostools for checking it) |
| 32 | +Offset 0x703A70 - Value 0xC90BC37D: Unknown |
| 33 | + |
| 34 | +0x703A50: |
| 35 | +00 6A 8E A0 00 00 4C 57 00 00 05 24 2F 4C 84 5C |
| 36 | +5B CA DB 94 CF E5 04 3C 38 63 E0 BC 3D EE 8A 4F |
| 37 | +C9 0B C3 7D 00 00 00 00 |
| 38 | + |
| 39 | +For CEX (4.84 and 4.85) |
| 40 | + |
| 41 | +Search |
| 42 | +6F 74 54 B3 00 00 00 00 00 00 00 00 00 00 00 00 |
| 43 | +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 44 | +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 45 | +00 00 00 00 00 00 00 00 00 06 40 00 00 6A 0C B0 |
| 46 | + |
| 47 | +Replace |
| 48 | +6F 74 54 B3 00 00 00 00 00 00 00 00 00 00 00 00 |
| 49 | +00 6A 08 B0 00 00 4C 57 00 00 05 24 2F 4C 84 5C |
| 50 | +5B CA DB 94 CF E5 04 3C 38 63 E0 BC 3D EE 8A 4F |
| 51 | +C9 0B C3 7D 00 00 00 00 00 06 40 00 00 6A 0C B0 |
| 52 | + |
| 53 | +--------------------------------------------------------------------------- |
| 54 | +Patch DEX kernel to bypass ambulance beep brick (DEX kernel loaded with CEX TargetID) |
| 55 | +--------------------------------------------------------------------------- |
| 56 | +To patch it, you need to decrypt 4.84 DEX lv2_kernel.self and patch the following: |
| 57 | + |
| 58 | +Offset: 0x283A7C |
| 59 | +Original Value: 0xE86219787C0802A6 |
| 60 | +Replace with: 0x386000004E800020 (return 0) |
| 61 | + |
1 | 62 | ---------------------------------------------------------------------------
|
2 | 63 | Patches to enable hidden trophy's title on XMB/INFO (4.90 CEX and 4.84 DEX)
|
3 | 64 | ---------------------------------------------------------------------------
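Review bot: The hex dump printed under "0x703A20:" is byte-for-byte identical to the one under "0x703A50:" and contradicts the field breakdown right after it, which documents 0x372B, 0x07D0, SHA1 BC3436AA...E3B43AB5 and 0x6F7454B3 for the existing Security Communication RootCA3 entry. The first dump should show those bytes rather than the new entry's 4C57 / 0524 / 2F4C845C... values. In the same section, the description for offset 0x703A54 still reads "in this case Security Communication RootCA3" although the entry being added is DigiCert Global Root G2, so that label should be corrected. The search/replace block is headed "For CEX (4.84 and 4.85)" and writes the reference 00 6A 08 B0, while the notes above say CEX already has this certificate and give 0x6A8EA0 as the DEX reference. Please state which target and firmware version each pattern applies to (the section title says 4.91.2, the offsets are described for 4.84) and explain the different reference value. For the kernel patch, a short comment naming the check that is being stubbed with "return 0" at 0x283A7C would help anyone re-deriving the offset on another firmware version.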
|
|