Hacking Process of the eMMC backup and restore in Hekate? Are backups en-, or decrypted?

tomsek68

I have a patched switch, which is bricked. I mixed up a few eMMCs during a repair, and one burned an eFuse in this patched switch. I was able to bring the others back to life (since they were unpatched), but not this one. I am literally pulling my hair out.

So, let the fun begin:
I made a NAND backup with a different switch (Hekate, not raw backup). Later, I tried to recreate the eMMC content with the higher firmware that the 12 burnt fuses required. Flashed it (with an unpatched switch), but no charm.

Today I have installed an Sx Core chip in it (because it allows running payloads). Restored the original backup with hekate, but it won't boot. Neither with Atmosphère. I was hoping that the CFW would skip the fuse check (maybe won't work on patched SoCs?)

Also: 0% of the USB features work in any payload.

So... I fear that my backups are "decrypted". (this would be bad, since another switch was used for the backup process - different bis keys would turn the backup into garbage)
But if they are decrypted, the restore would encrypt it, right? That needs the BIS keys again - which I was not able to retrieve from this console. It just hangs when I try to dump them. Tried to restore with the exact switch the backup was made with, but no success either.

Any ideas?

And again, sorry for my broken English. It may have to do something with sleeping only every other day....
 

scandal_uk

It’s a shame you reflashed that eMMC because CFW wouldn’t have been affected by the fuse count. However, it is what it is - you really need those keys, can you get them to display on-screen in Lockpick_RCM?

Edit: does it even work with SX Core??
 

tomsek68

It won't boot with Sx Core either. (Sx logo comes in, boot menu is operational, can boot payloads too) I know, it was a huge mistake to reflash it.
But the question remains: Are the backups decrypted or bit-to-bit perfect from the eMMC?

Also: Low battery and charging icon comes in. IIRC this only happens when using the right eMMC (with the switch specific data on it).

It only boots to Nintendo logo. Sometimes right after rewriting the BOOT0/BOOT1 the SEPT logo comes in. One time, I've seen the Atmosphère logo - but it hung after that.

With SX Core it shows the low battery/charging screens when the battery is depleted, otherwise it hangs after the Nintendo logo.

EDIT:
Tried Lockpick RCM again. When I start the process, it flashes some info, along with Press Power or Vol +/- to reboot to Sept..., but it goes blank immediately without pressing anything. It just halts.


EDIT2:
Biskeydump throws an error. "Keyblob decrypted using current SBK & TSEC keys NOT VALID!" Is the TSEC key sensitive data? If not, I'll post a pic of the biskeydump final screen.

SBK key is FFFFFFFFFFFFFFFFFFFF... So... Nothing...
Where is the SBK key stored?
 

Draxzelex

Lockpick_RCM was updated so give it another shot.
 
