Skip to content

Instantly share code, notes, and snippets.

@CTCaer
Created July 11, 2018 14:07
Show Gist options
  • Save CTCaer/13c02c05daec9e674ba00ce5ac35f5be to your computer and use it in GitHub Desktop.
Save CTCaer/13c02c05daec9e674ba00ce5ac35f5be to your computer and use it in GitHub Desktop.
###############################################
# TX SX Pro Custom Payload Packer - by CTCaer #
###############################################
import struct
import hashlib
from os import unlink
"""
typedef struct boot_dat_hdr
{
unsigned char ident[0x10];
unsigned char sha2_s2[0x20];
unsigned int s2_dst;
unsigned int s2_size;
unsigned int s2_enc;
unsigned char pad[0x10];
unsigned int s3_size;
unsigned char pad2[0x90];
unsigned char sha2_hdr[0x20];
} boot_dat_hdr_t;
"""
def sha256(data):
sha256 = hashlib.new('sha256')
sha256.update(data)
return sha256.digest()
boot_fn = 'boot.dat'
# Custom payload filename.
stage2_fn = 'hekate_ctcaer_3.2.bin'
boot = open(boot_fn, 'wb')
with open(stage2_fn, 'rb') as fh:
stage2 = bytearray(fh.read())
stage2 = bytes(stage2)
# Re-create the header.
header = b''
# Magic ID.
header += b'\x43\x54\x43\x61\x65\x72\x20\x42\x4F\x4F\x54\x00'
# Version 2.5.
header += b'\x56\x32\x2E\x35'
# Set sha256 hash of stage2 payload.
header += sha256(stage2)
# Set stage2 payload destination to 0x40010000.
header += b'\x00\x00\x01\x40'
# Stage2 payload size.
header += struct.pack('I', len(stage2))
# Disable Stage2 encryption.
header += struct.pack('I', 0)
# Add padding. Stage3 size is 0.
header += b'\x00' * 0xA4
# Add header's sha256 hash.
sha256 = hashlib.new('sha256')
sha256.update(header)
header += sha256.digest()
# Write header and the plaintext custom payload.
boot.write(header)
boot.write(stage2)
boot.close()
@mlemiam
Copy link

mlemiam commented Oct 26, 2023

# TX SX Pro Custom Payload Packer - by CTCaer, edited by mleb :p

import struct, hashlib, sys

def sha256(data):
    sha256 = hashlib.sha256()
    sha256.update(data)
    return sha256.digest()

def pack_payload(file_path, output_file):
    with open(file_path, "rb") as fh:
        stage2 = bytearray(fh.read())

    header = b"CTCaer BOOT\x00"
    header += b"V2.5"

    stage2_hash = sha256(stage2)
    header += stage2_hash

    header += b"\x00\x00\x01\x40"

    header += struct.pack("I", len(stage2))
    header += struct.pack("I", 0)

    header += b"\x00" * 0xA4

    header_hash = hashlib.sha256()
    header_hash.update(header)
    header += header_hash.digest()

    with open(output_file, "wb") as boot:
        boot.write(header)
        boot.write(stage2)

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python tx_custom_boot.py <input_file> <output_file>")
        sys.exit(1)

    input_file = sys.argv[1]
    output_file = sys.argv[2]
    pack_payload(input_file, output_file)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment