SX OS's Request for Licence Validation

Console Fingerprint

Section   Value
AA        ?? This could be eMMC USER's LBA Sector. On my console, AA is 34, and my USER LBA Sector is 0x34
BBBBBBBB  eMMC -> Card ID -> S/N in Big Endian (e.g.: AABBCCDD in eMMC Info should be: DDCCBBAA)
C         0B (static? same for everyone?)
DDDDD     eMMC -> Card ID -> Model (in regular old ASCII -> HEX)

Decrypting boot.dat

The Licence.dat Signer/Downloader

Let's discuss PROGRESS here.

Let's make something clear. SX OS payload/boot.dat does NOT make ANY requests. It ONLY does a request on the Licence Code Redeem section. The Payload for RCM itself does not do any external website requests for validation. NONE. Everything is handled by the boot.dat file.

Hexadecimal Base - Big Endian as UInt64
Format: [A-F0-9]{32}/AABBBBBBBBCDDDDD

It could be possible to use a pre-existing licence.dat if we are able to spoof our "CF". Since the boot.dat checks "licence.dat" to see if it is in fact matching the Console Fingerprint, then it will let you through. Otherwise it tells you features will be disabled.

So if we can figure out AA, spoof eMMC S/N (may not be easy), and since CCCCCC may be static, we don't need to do anything to that. So for example, someone could edit their licence-request.dat file to 99133713370B5234, use a key on it, and if we all spoof our AA to 99, BBBBBBBB to 13371337 and just leave CCCCCC alone, everyone would be able to enter.

The boot.dat seems to be encrypted with aes-128-ctr. It seems to contain 4 (payloads?):
"stage2" at 0x40020000
"arm64" at 0x80FFFE00
"fb" at 0xF0000000
"data" at 0x80000000

sx.xecuter.com has a page for Signing and Downloading the signed licences. These CANNOT be exploited. For example, this request did NOT result in the requester having a usable licence.dat at all. All that happened was he downloaded the licence.dat that someone already signed.

The "csr_data"'s contents are exactly what the licence.dat is. This is what the "Launch Custom Firmware" button checks with your Console Fingerprint. Why we can't sign our own Console Fingerprint into the value given is because we don't know the keys used for encryption and we don't know the value when decrypted. If we knew the value in plaintext, we could brute keys until we end up encrypting it to the same value. That way, we would know which keys were used, could make our own "plaintext" with our own Console Fingerprint and then encrypt it with said keys, and it would work. But since the entire thing is on a website server-side, we have no idea what the plaintext or keys are. The only way to get those would be with either SQLi Injection (very unlikely, and that would only work if the plaintext or keys were stored there for some reason) or getting into the entire server's code (impossible).