
Edit OFW clean Switch save data from NAND backup/restoring via Fusee Gelee payloads

#BLACKLIVESMATTER
UPDATE:
I am currently still not banned utilizing this method as of 1/16/2022!
THIS METHOD CURRENTLY WORKS WITH POKEMON SWORD AND SHIELD USING PKHEX AS WELL AS ANIMAL CROSSING: NEW HORIZONS USING NHSE
THANKS TO @Kaphotics FOR BOTH EDITORS


Hello! This tutorial will share how I managed to successfully edit my games' save data from OFW NAND and play them without any issue after restoring. When I initially began searching for info on how to do this, it wasn't as readily available as it could've been. Because of that, the process was not very easy to figure out; however, I hope this tutorial can be a useful "all-in-one" reference for anyone looking to do the same! If anything is unclear or missing, always feel free to reply below or send me a PM. Enjoy!

What you'll need:
  • A Nintendo Switch system that has not been physically patched for the Fusee Gelee exploit (firmware version won't matter)
  • Preferably a microSD card large enough to fit an entire NAND backup onto (I use a 128gb card) to save a TON of time
  • A way to connect your Switch to your computer (I have a USB-C MacBook charging cable)
  • A method of booting the Switch into RCM mode (I use a bent paperclip) which user @Technicmaster0 has a great list of here
  • A Fusee Gelee payload exploit program like TegraRcmGUI (fusee-launcher for macOS/Linux)
  • Lockpick_RCM for your Switch's console keys
  • hekate for NAND backup and restoring
  • HacDiskMount found here for mounting NAND backups
  • hactoolnet found here for extracting/injecting editable save data (WARNING: hactoolnet v0.7.0 is BROKEN and will not consistently resign)
  • A save editor(s) for the game(s) of your choice
  • OPTIONAL: I don't use this myself, but if you prefer, you can use memloader to read the microSD card while your Switch is connected instead of taking the card out and inserting it into your computer (found here with a tutorial here)
The process:
Following this guide got me into the Switch hacking scene in the first place. I was curious and found it during a Google search, and I found it to be very helpful! It outlines how to boot your Switch into RCM mode, how to find out if your Switch can use the Fusee Gelee exploit for payloads, how to prepare your microSD card, and how to create a NAND backup (Safety Precautions page)! My advice is to follow this guide to the point where a NAND backup is created on your microSD card, as that's the point where this tutorial will begin. The backup process does take time. Always remember to hold the volume down button when injecting the hekate payload as well.

Something very important to ensure you include during this initial setup is the sept folder on your microSD card. It is included in the Kosmos Defaults ZIP build, and you must include everything within the sd folder from the ZIP build you download. This helps guarantee that you have the appropriate and correct prod.keys for successful save data signing. You likely cannot do this guide correctly without the sept folder on your microSD card.

Once a rawnand.bin (~30gb) has been created in the root\backup\XXxXXXXX folder of your microSD card utilizing hekate, you will also want to run the Lockpick_RCM payload via TegraRcmGUI in order to obtain all the console-specific keys you'll need. This will create a prod.keys file within the root\switch folder of your microSD card. Once you've successfully gotten your rawnand.bin NAND backup and prod.keys console keys file, you can proceed to your computer.

Take your microSD card from the Switch and insert it into your computer (or utilize memloader as mentioned above in the What you'll need section). CREATE A BACKUP OF YOUR RAWNAND.BIN AND BOOT0 AND BOOT1 FILES SOMEWHERE SAFE (you should have the two boot files if you followed the sdsetup guide mentioned at the start of this section). I cannot stress this enough. If something goes wrong, these will be what saves your system from becoming a brick.

Open HacDiskMount and select File > Open file, and then get to the rawnand.bin in the root\backup\XXxXXXXX folder and Open. Scroll all the way down until you find the USER partition and open it via double-click. At this point, you will need the specified BIS Key X indicated in the top-left corner of the Operations on USER window. For example: mine needed BIS Key 3, the Crypto (Upper) and Tweak (Lower) keys. To get those, go to the root of your microSD card, then the switch folder, and prod.keys should be located there. Right-click prod.keys and Open with Notepad. Locate the necessary key (in my case this was bis_key_03), and copy the first 32 characters, then paste them into the Crypto (Upper) field back in HacDiskMount (spaces will automatically populate every two characters), and then do the same thing for Tweak (Lower) except copy and paste the remaining 32 characters. Once done, press the Test button to make sure you've copied correctly, and then Save so you don't have to copy and paste every time later on.

Under the Virtual drive section of the Operations on USER window, click on the Install button to get the appropriate driver for mounting NAND backups. Once it's finished installing the driver, press Mount. After about 10 seconds or so, you can find your NAND has been mounted as drive A: on your computer. Its files can now be explored! Navigate to the A:\save folder. All of the files listed here are your games' save data files. They aren't easily discernible, so some trial and error is required for locating the right game save you want to edit. Here's a guide on a pretty great method for extracting all the data at once. I used this and then figured out Let's Go only has a file called savedata.bin, and FFX has ffx_00X files and a GameSettings file where X is the save slot in the game. Every game probably has its own distinguishing characteristics, so you might have to get creative in order to find out which save file is the game you want to edit for.

Once you know exactly which file in A:\save is the one of the game you want to edit, this is where hactoolnet comes in. I currently have individual hactoolnet folders for EVERY game whose saves I edit. You can come up with your own system, but to keep it organized, I have a main hactoolnet folder, and within that, folders of all the games I edit such as FFX hactoolnet and LGE hactoolnet. Then within each of those folders (FFX hactool for example), my setup looks as follows:

[Image: tGxos7U.jpg, screenshot of the hactoolnet folder setup]

Notice the out and sav folders, the extract.bat and inject.bat, and the prod.keys files. These are all required for this to work properly if you follow my method. Everything else should come with the hactoolnet download in the What you'll need section. The extract.bat and inject.bat files will be edited via Notepad. To create them from scratch, right click in your hactoolnet folder window and go to New > Text Document and rename it appropriately. The files will contain the following:

extract.bat:
Code:
hactoolnet.exe -k prod.keys -t save sav/savefilename --outdir out/savefilename
pause

For this example, my FFX save data file in A:\save is 0000000000000019, so my script would be:
Code:
hactoolnet.exe -k prod.keys -t save sav/0000000000000019 --outdir out/0000000000000019
pause

inject.bat:
Code:
hactoolnet.exe -k prod.keys -t save sav/savefilename --replacefile /savefile out/savefilename/savefile
pause

To maintain the example, the FFX save data I want to edit is specifically the ffx_002 file WITHIN the 0000000000000019 save data file found in the NAND backup, so the script I use would be:
Code:
hactoolnet.exe -k prod.keys -t save sav/0000000000000019 --replacefile /ffx_002 out/0000000000000019/ffx_002
pause

prod.keys:
This is just your prod.keys file from earlier. Copy and paste it here from your microSD card root\switch folder.

Once this has been set up, we can run a test to make sure it works properly. Go back to A:\save and copy the save data file of the game you want to edit. Paste it in the sav folder in our hactoolnet setup. I also recommend making a backup somewhere safe just in case you wreck the save data. After that, run the extract.bat file. This will execute the script we wrote which extracts an editable save file from the save data in the sav folder, and then place it in the out folder. The resulting command prompt window should look similar to this to indicate success (sensitive data removed):
...\Desktop\Switch\hactoolnet\FFX hactoolnet>hactoolnet.exe -k prod.keys -t save sav/0000000000000019 --outdir out/0000000000000019
Failed to match key eticket_rsa_kek_source
Failed to match key eticket_rsa_kekek_source
Failed to match key rsa_oaep_kek_generation_source
Failed to match key rsa_private_kek_generation_source
Failed to match key ssl_rsa_kek_source_x
Failed to match key ssl_rsa_kek_source_y
/ffx_002
/ffx_001
/GameSettings

Savefile:
CMAC Signature (GOOD):
Title ID:
User ID:
Save ID:
Save Type:
Owner ID:
Timestamp:
Save Data Size:
Journal Size:
Free Space:
Header Hash (GOOD):
Number of Files:
Magic:
Version:
Salt Seed:
Level 0:
Data Offset:
Data Size:
Hash Offset:
Hash BlockSize:
Level 1:
Data Offset:
Data Size:
Hash Offset:
Hash BlockSize:
Level 2:
Data Offset:
Data Size:
Hash Offset:
Hash BlockSize:
Level 3:
Data Offset:
Data Size:
Hash Offset:
Hash BlockSize:


...\Desktop\Switch\hactoolnet\FFX hactoolnet>pause
Press any key to continue . . .
Ignore the "Failed" signals at the very top, because as long as your CMAC Signature and Header Hash are both (GOOD), that should be indicative of a successful extract.

After you get a successful extraction, head into the out folder. There you will now see a folder with the same name as the save data file we took from the NAND's A:\save folder. For me, the folder was 0000000000000019. When I go into that folder, I can see my ffx_002, ffx_001, and GameSettings files. These are the editable save files at this point. If a save editor exists for your game, you'll want to open these files with that program now and make your changes. I will stick to editing just my ffx_002 file in this instance as that's what's outlined in my inject.bat script.

Once I'm finished making my changes, I overwrite the ffx_002 file and save it. I am now ready to inject it back into the 0000000000000019 file in the sav folder. To do so, all I have to do at this point is run the inject.bat file. This will replace the ffx_002 file inside the 0000000000000019 file and sign the save correctly. Again, the resulting command prompt window should look similar to this to indicate success:
...\Desktop\Switch\hactoolnet\FFX hactoolnet>hactoolnet.exe -k prod.keys -t save sav/0000000000000019 --replacefile /ffx_002 out/0000000000000019/ffx_002
Failed to match key eticket_rsa_kek_source
Failed to match key eticket_rsa_kekek_source
Failed to match key rsa_oaep_kek_generation_source
Failed to match key rsa_private_kek_generation_source
Failed to match key ssl_rsa_kek_source_x
Failed to match key ssl_rsa_kek_source_y
Replaced file /ffx_002
Successfully signed save file

...\Desktop\Switch\hactoolnet\FFX hactoolnet>pause
Press any key to continue . . .
Again, you can ignore the "Failed" signals. If you see Replaced file /savefile and Successfully signed save file, then those are very good signs! All that's left to do is get it back into the NAND and then restore.

In order to successfully inject and sign save data correctly for a game like Animal Crossing: New Horizons, you must use the repack function as opposed to the replacefile function. The extract.bat is the same, but here is the appropriate inject.bat:
Code:
hactoolnet.exe -k prod.keys -t save sav/00000000000000xx --repack out/00000000000000xx
pause
Where you replace "xx" with your own appropriate save file name. Special thanks to this post as well as this one, both by @Max89, for the information!

Once the inject.bat is finished, you'll be able to go into the sav folder and see your save data file still there; only this time, it's been injected with your edited save file! Copy the save data file (in my example it's the 0000000000000019 file) and go back to the NAND's A:\save folder. Once there, paste and overwrite the save data file. After that's finished, go back to HacDiskMount and click Unmount, and close the Operations on USER window. Click File > Close, and then go to root\backup\XXxXXXXX on your microSD card. Move the rawnand.bin file into the restore folder.

Eject your microSD card from your computer, insert it back into your Switch, and go back to TegraRcmGUI if your Switch isn't still running the hekate payload. Inject the hekate payload while holding the volume down button on the Switch, but skip this step if hekate is still up and running on your Switch from when you made the NAND backup.

Go to Tools > Restore > Restore eMMC RAW GPP to restore the NAND we pasted our edited and signed save data file into. This, like the NAND backup process, will take some time to complete. Once it's done, though, you're all set! Start the game whose save data file(s) you edited, and see the results of your hard work!

Some notes:
As you can probably tell, this process isn't simple by any means. Due to this, and the amount of time it takes to just make a NAND backup and then restore it, I recommend you make a list of edits you'd like to do beforehand in order to make the most of this process each time you do it. To make future save edits, you will have to make another NAND backup again and repeat this process. With my 128gb microSD card, it takes roughly 30 minutes to make a backup, and roughly 30 minutes to restore a backup.

Thanks for checking out my tutorial! Let me know if it's helpful, and if anyone has anything they'd like to add to the tutorial, please send a PM my way or make a reply here with your recommendation!

Here are nearly all the resources I found while figuring all of this out for myself:

FAQ:
Unfortunately, you need a Switch specifically susceptible to the Fusee Gelee exploit. Until a new exploit is discovered on newer consoles, this can only be done on consoles manufactured prior to Nintendo's hardware patching. Refer above in this guide to What you'll need.
You can, however, use the official save file transfer service Nintendo implemented in a firmware update to move save data from older, exploitable consoles to newer ones.
Of course! I am myself taking a risk by doing this, but I understand that the risk is spectacularly low with this specific method. As long as you aren't making outrageous edits, you should be fine. The entire reason I drummed up this tutorial is to provide a ridiculously safe method outside the realm of CFW. Do NOT do this if you are uncomfortable with the process or its potential consequences.
Absolutely. But using CFW is naturally riskier than this method. If you have a safe way of doing so and are comfortable, more power to you! I personally do not wish to dabble in CFW on my main, clean Switch.
Yes! As long as the clean Switch is exploitable via Fusee Gelee, you can put save files onto its NAND from a CFW Switch, and, of course, vice versa. Just make sure you've played the game on the receiving console so there is save data to replace.
Sure! Make sure the console you're injecting the external save into has played the game at least once so you have something to replace. Crossing user profiles does not matter.
If your microSD card is not large enough to have your entire NAND on it, it was probably broken up into many bin files. To create your single NAND file with them, go to this releases page for hekate and find and download the latest joiner_scripts_for_windows_linux_macos.zip file. Make sure to move the appropriate bat file to your folder with all your NAND bin files. If you have 15 bin files, run the join_15_2GBparts_windows.bat file. If 30, run the join_30_1GBparts_windows.bat file.
Likely because you forgot to include the sept folder when generating your prod.keys console file. Refer above early on to The process.
Don't be concerned. In more recent releases of hactoolnet, the dll files were embedded, so you won't see them in your hactoolnet folder.
Yes, but it's slightly riskier since there's not a backup every time. When you have TegraRcmGUI open with your Switch connected in RCM mode, go to the Tools tab and select "eMMC rawNAND (DANGEROUS)" from the drop down menu, and click the USB icon button to the left. This will allow you to then use HacDiskMount normally as stated above under The process. This directly mounts and edits the NAND without a backup, so please do this at your own risk and only if you know exactly what you're doing.
I have only tried this on Windows, so I really don't know. Sorry!
 
Last edited by kimbra,
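
Added example, not part of the original post and not hactoolnet's own code: a Python check for the two things the tutorial stresses before the restore, that the safe copies of rawnand.bin, BOOT0 and BOOT1 are identical to the files on the card, and that the hactoolnet output carries the (GOOD) labels and the signing message. The sample outputs are constructed from the output quoted in the post, the function names are this example's own, and `check_inject` covers only the `--replacefile` output shown there.

```python
import hashlib
import re
from pathlib import Path

# "Failed to match key ..." lines are the ones the tutorial says to ignore.
IGNORABLE = re.compile(r"^Failed to match key \S+$")
# "CMAC Signature (GOOD):" / "Header Hash (GOOD):"; the label may be absent.
STATUS = re.compile(r"^(CMAC Signature|Header Hash)(?: \((\w+)\))?:")


def check_extract(output):
    """Summarise extract output; ok only if both checks are labelled GOOD."""
    status = {"CMAC Signature": None, "Header Hash": None}
    files, ignored = [], 0
    for line in map(str.strip, output.splitlines()):
        if IGNORABLE.match(line):
            ignored += 1
        elif line.startswith("/"):            # file listing, e.g. /ffx_002
            files.append(line)
        elif (m := STATUS.match(line)):
            status[m.group(1)] = m.group(2)
    ok = all(label == "GOOD" for label in status.values())
    return {"ok": ok, "status": status, "files": files, "ignored": ignored}


def check_inject(output, inner_path):
    """True only if the --replacefile run replaced inner_path and re-signed."""
    lines = {line.strip() for line in output.splitlines()}
    return (f"Replaced file {inner_path}" in lines
            and "Successfully signed save file" in lines)


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a ~30 GB rawnand.bin never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()


def mismatched_copies(sd_dir, safe_dir,
                      names=("rawnand.bin", "BOOT0", "BOOT1")):
    """Names whose safe copy is missing or differs from the copy on the card."""
    bad = []
    for name in names:
        src, dst = Path(sd_dir) / name, Path(safe_dir) / name
        if (not src.is_file() or not dst.is_file()
                or sha256_file(src) != sha256_file(dst)):
            bad.append(name)
    return bad


# Constructed sample, modelled on the extract output quoted in the post.
SAMPLE_GOOD = """\
Failed to match key eticket_rsa_kek_source
Failed to match key ssl_rsa_kek_source_x
/ffx_002
/ffx_001
/GameSettings

Savefile:
CMAC Signature (GOOD):
Header Hash (GOOD):
"""
# Constructed failure case: the CMAC line carries no GOOD label.
SAMPLE_BAD = SAMPLE_GOOD.replace("CMAC Signature (GOOD):", "CMAC Signature:")
# Constructed sample, modelled on the inject output quoted in the post.
SAMPLE_INJECT = """\
Failed to match key eticket_rsa_kek_source
Replaced file /ffx_002
Successfully signed save file
"""

if __name__ == "__main__":
    print("extract ok:", check_extract(SAMPLE_GOOD)["ok"])
    print("bad sample ok:", check_extract(SAMPLE_BAD)["ok"])
    print("inject ok:", check_inject(SAMPLE_INJECT, "/ffx_002"))
```

Run `mismatched_copies` right after copying the backup somewhere safe and before anything is mounted or edited; an empty list means every safe copy matches the card.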

ikithme

Yes, I’ve heard of SSBU saves getting either consoles or users banned, can’t remember exactly. Have you heard of certain games affecting in particular? Is this occurring no matter the game?


Hey Kimbra,

One thing I just noticed is you're relying on a NAND backup when you can just use HacDiskMount to mount the physical device's user partition. It will cut most of the work out of this, as when mounted you can read and write, so no need to wait for NAND backup and restore every edit. (You can mount your device's NAND partitions in RCM under the tools tab of TegraRCMSmashGUI).

Let me know if you have any questions about that.

Thanks.
 
Last edited by ikithme,

kimbra

Hey Kimbra,

One thing I just noticed is you're relying on a NAND backup when you can just use Hactool to mount the physical device's user partition. It will cut most of the work out of this, as when mounted you can read and write, so no need to wait for NAND backup and restore every edit. (You can mount your device's NAND partitions in RCM under the tools tab of TegraRCMSmashGUI).

Let me know if you have any questions about that.

Thanks.
No way. You’re saying that Hactool can mount the User Partition AND make it editable right off the console’s direct NAND??
 

ikithme

No way. You’re saying that Hactool can mount the User Partition AND make it editable right off the console’s direct NAND??

Ick, my bad, not hactool but HacDiskMount can mount the partition and read/write to the partition; instead of having to back up the NAND, mount it, etc., you can just mount the user partition on the device.

--------------------- MERGED ---------------------------

Basically, open TegraRCMGUI; under tools there's a "Memloader v3/UMS Tool (by rajkosto)". If you drop down the box and hit "eMMC rawNAND (DANGEROUS)" and click the USB icon, it will allow mounting the device's partitions on your PC. All you need to do at that point is open HacDiskMount and click "File > Open Physical Device" and select the device that's something like "Linux UMS"; it will present you with a list of partitions, and yeah, normal procedures from there. Make sure to unmount when you're done moving stuff around and boom, no need for NAND backup.
 

kimbra

Ick, my bad, not hactool but HacDiskMount can mount the partition and read/write to the partition; instead of having to back up the NAND, mount it, etc., you can just mount the user partition on the device.

--------------------- MERGED ---------------------------

Basically, open TegraRCMGUI; under tools there's a "Memloader v3/UMS Tool (by rajkosto)". If you drop down the box and hit "eMMC rawNAND (DANGEROUS)" and click the USB icon, it will allow mounting the device's partitions on your PC. All you need to do at that point is open HacDiskMount and click "File > Open Physical Device" and select the device that's something like "Linux UMS"; it will present you with a list of partitions, and yeah, normal procedures from there. Make sure to unmount when you're done moving stuff around and boom, no need for NAND backup.
This is incredible. What are the dangers of this method since TegraRcmGUI feels the need to scare people away from mounting the NAND?
 

ikithme

This is incredible. What are the dangers of this method since TegraRcmGUI feels the need to scare people away from mounting the NAND?

The dangers are people accidentally wiping out files etc. Basically, since this isn't a backup and it's editing the actual NAND, if something gets screwed it's done.

I'd make a backup before editing saves like this just in case but once a backup is made if something gets screwed up you can restore it.
 

bootmonster

Hey Kimbra,

One thing I just noticed is you're relying on a NAND backup when you can just use HacDiskMount to mount the physical device's user partition. It will cut most of the work out of this, as when mounted you can read and write, so no need to wait for NAND backup and restore every edit. (You can mount your device's NAND partitions in RCM under the tools tab of TegraRCMSmashGUI).

Let me know if you have any questions about that.

Thanks.
While this is correct, I would still highly recommend editing and restoring the nand backup rather than mounting the nand as there is more risk of corrupting the nand mounting directly.

And I wouldn’t say it removes “most of the work”, it literally only removes the restoring nand part, which is a walk away and leave thing so all it does is save some time. You 100% should be making a backup of your untouched nand to your PC regardless.
 

ikithme

While this is correct, I would still highly recommend editing and restoring the nand backup rather than mounting the nand as there is more risk of corrupting the nand mounting directly.

And I wouldn’t say it removes “most of the work”, it literally only removes the restoring nand part, which is a walk away and leave thing so all it does is save some time. You 100% should be making a backup of your untouched nand to your PC regardless.

Hm, if it is possible to corrupt your NAND using this method, yes, it's a bit more risky.

Along the lines of saving time, it really depends on how many times you intend to edit your save. With something like Zelda I can see once or twice being fitting, but with a game like Pokemon you could be editing a lot of times, meaning turning a 5-10 minute job into 1-2 hours.

Anyway, there is a reason it says it's dangerous, and all in all it does save time if you're willing to take the risk. Having a backup of your NAND is a must no matter what though.
 

eyeliner

If you only meddle in the user partition, no greater danger will come than having a few user settings corrupted.

Back up the partition before changing it, and restore it if needed (i.e. games corrupted, saves borked, etc.)

Leave the other partitions alone and you should be fine.
 

ikithme

Sure, I'll do it when I get home tonight. I re-pulled prod.keys again, 77 keys, failed package2. I don't know if that makes a difference. Firmware 8.0.1.

When pulling the keys do you have the sept/ folder and appropriate files within when you run lockpick_rcm?

  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
 
Last edited by ikithme,