Hacking Question Restore NAND Backup without Boot0/Boot1

[Heavens7thCloud]

A buddy hacked his switch. When He found out that I had set up SysNAND and EmuMMC he brought his hacked switch over and asked if i could setup the same deal. He said he originally created a nand backup. Well, when i started looking for his backup I didn't see a backup folder on the root of his memory card. After digging a bit i discovered that the only 'backup' files i could find are located in Toolkit -> dump. It contains 10 nand.bin.# files that are each 3,053,568 KB in size, a combinerScript.sh and combinerScript.bat file. I can't find a boot0 or boot1 file anywhere on his card. Upon pressing the issue with him it sounds like he originally used ReiNX and created the backup there. He isn't sure but he thought it was created after booting into the HBMenu. Here are a few questions:

1. Is it possible that ReiNX put his boot0 and boot1 somewhere on the card i haven't looked?
2. If he doesn't have boot0 and boot1 is it impossible to restore his Nand? Or Can i restore the nand without these boot files?
3. I have his switch and his SD card. Assuming they are necessary for a Nand restore...Is there a way to recreate the boot0 and boot1 files?

I've asked him for specifics but its been a while since he originally ran CFW (and he can't recall details). He knows that he started on one OFW (he thinks 5.0) and then applied the CFW. A bit later he updated (he thinks to 6.0). Does this update path change the options we have for restoring his nand? Ideally, he wants to end with a clean sysnand he can take online, and an EmuMMC that he keeps offline. Thanks in advance for any help/assistance you can provide!

 

[Lacius]

You can restore "blank" BOOT0/1 files to comport with the rawnand backup. Which system version is the nand backup on?

 

[Heavens7thCloud]

You can restore "blank" BOOT0/1 files to comport with the rawnand backup. Which system version is the nand backup on?

Are you asking what version firmware his switch was running when he created the nand? I would have to ask. Its been a while so i'm guessing 5.0. If you are asking what version his switch is on now i believe he is on 6.1.0

 

[Heavens7thCloud]

You can restore "blank" BOOT0/1 files to comport with the rawnand backup. Which system version is the nand backup on?

Can anyone elaborate on this?

1. Where do i get "Blank" BOOT0/1 files at? Or how do I generate them myself?
2. Do they have to match up with the firmware the switch was on when the nand backup was created? If so, how do i tell for sure what firmware it was created on?
3. Does the order I restore Nand and BOOT0/1 in matter? Should one be done before the other?

I really appreciate any help that can be provided. As soon as I restore his nand i'm going to update his switch to the latest firmware (9.0.1 as of writing this) and then create EmuMMC.

 

[Lacius]

Can anyone elaborate on this?

1. Where do i get "Blank" BOOT0/1 files at? Or how do I generate them myself?
2. Do they have to match up with the firmware the switch was on when the nand backup was created? If so, how do i tell for sure what firmware it was created on?
3. Does the order I restore Nand and BOOT0/1 in matter? Should one be done before the other?

I really appreciate any help that can be provided. As soon as I restore his nand i'm going to update his switch to the latest firmware (9.0.1 as of writing this) and then create EmuMMC.

Parts of BOOT0/1 are universal across systems and merely need to be generated with the correct system version in mind. The system-specific parts won't be overwritten. If this rawnand backup is on 6.1.0 or lower, this can be accomplished with ChoiDujour.

The order you restore them doesn't matter, since you aren't booting into Horizon until they're both restored.

 

[flduch]

As I understand, Boot0 :

- is specific for a system version
- has a common part to all switchs
- and a specific parts encrypted using some keys (keyblobs) of the switch

So a "blank but valid" Boot0 like choidujour or one found on the web can't be used on every switchs.

 

[linuxares]

@flduch our friendly neighbourhood anti-anime hardware tinkerer @mattytrog have some "blank" boot0 and boot1 on Xbins.
I cannot link you these directly since it involves going to their FTP server. You just need to Google Xbins and you will find all the instructions how to access it.

https://discord.gg/C29hYvh - these fellows are quite helpful as well.


https://github.com/shchmue/FVI - this tool can tell us/you which version the NAND dump is for. So you get the correct boot0 and boot1 files.

 

[mattytrog]

@flduch our friendly neighbourhood anti-anime hardware tinkerer @mattytrog have some "blank" boot0 and boot1 on Xbins.
I cannot link you these directly since it involves going to their FTP server. You just need to Google Xbins and you will find all the instructions how to access it.

https://discord.gg/C29hYvh - these fellows are quite helpful as well.


https://github.com/shchmue/FVI - this tool can tell us/you which version the NAND dump is for. So you get the correct boot0 and boot1 files.

I need to make some v9.00 and 9.0.1 versions.

I don't have anything here running 9.0.1 or 9.0.0 so If anyone can email me some boot0/1 for the above, please do so.

It's important to note that these boot0 will only work if you already have the version on your system.

If it's a failed downgrade, I am making a new universal unbrick package. Containing an empty rawnand bin image, 6.2.0 with nocmac package with all tools included.

Will be a ihateanime package check usual places in about 4 hours

 

[flduch]

@mattytrog :

- I'm new in this site und it will be nice if you could tell me a bit more that "check usual places" ?
- I wonder that we can find working Boot0 that aren't specific to a switch. To have a full Boot0 apaired with a switch, a part of the file has to be encrypted with the keyblobs ? Am I wrong ?

 

[mattytrog]

Yep. Not the whole boot0 is overwritten. Only up to the keyblobs.

Even so, 6.2.0 onwards do not require keyblobs for key generation.

 

[flduch]

Ok, that's mean that Boot0 is common for all switchs running the same OS version (6.2.0 or higher) ?

 

[linuxares]

Ok, that's mean that Boot0 is common for all switchs running the same OS version (6.2.0 or higher) ?

The little I know is that all boot0 and boot1 files are unique to said version. For example if your Nand backup is for 8.0, you need a 8.0 boot0 and boot1. Else it will fail.

 

[flduch]

What I think to know : a part of Boot0 is encrypted with some keys (keyblob) owned by the switch but I'm maybe wrong.

 

[linuxares]

Well to make it simple. Use the tool I listed to find out what firmware that nandbackup is for. Then we can figure out which Boot0/1 file you need.

 

[flduch]

I last worked with 6.01 (I should have a rawnand for this version). I can build up any version with choidujour, so 5.1, 6.01, 6.2 is as well ok for me. May then someone generate an usable Boot0 for my switch without anything else ?

 

[linuxares]

I last worked with 6.01 (I should have a rawnand for this version). I can build up any version with choidujour, so 5.1, 6.01, 6.2 is as well ok for me. May then someone generate an usable Boot0 for my switch without anything else ?

Matty can probably help you generate them. Or the Discord group. As I say, for safety so no brick accure. Use the tool I linked. It's a python, so it will check so everything. It will be less of a headache.

 

[flduch]

@linuxares : many thx for your informations. My switch is already brick and the only problem i can see is how to regenerate a valid Boot0 (the one that works with my switch). As I said at the beginning of this thread, Boot0 is version specific and switch specific. So no way to build a generic Boot0 for a specific version and common to all switchs. In other word, Boot0 is to build in accordance to the switch and cannot be "found" easily on the web

 

[linuxares]

@linuxares : many thx for your informations. My switch is already brick and the only problem i can see is how to regenerate a valid Boot0 (the one that works with my switch). As I said at the beginning of this thread, Boot0 is version specific and switch specific. So no way to build a generic Boot0 for a specific version and common to all switchs. In other word, Boot0 is to build in accordance to the switch and cannot be "found" easily on the web

And I guess no keys have gotten dumped? As @mattytrog said. Only a tiny amount is unique in the boot0. Mostly it's the same.

 

[flduch]

No, I have all the keys. I've made backup of all them and Boot0/1 + rawnand but (i don't know why), both Boot0/1 are just empty (containing a lot of zeros).

That's right that the most part of Boot0 is common to all switchs but without the tiny one -> switch is brick !

I know that some people are able to recover from this situation but I can't help myself because I don't know how to do that.

 

[Heavens7thCloud]

Hello. OP here. Sorry for leaving the thread high and dry I was away on work.

I was able to use the tool that was linked to get the following information.
1) The rawnand.bin file was created on 6.2.0
2) The switch is now on 7.0.1
Can someone please tell me the following?
1) Where can i get the 6.2.0 boot0 and boot1? I am on discord and have used ftp i am just unsure where to go.
2) Once i have the blank files how do i add my console specific parts to them?
I REALLY appreciate the help. Thanks much everyone.