Homebrew Question: Would it be "legal" for me to post "blank" boot0 / 1 for repair purposes?

KINGFRIKI

New Member
Newbie
Hi all guys! @mattytrog, I need your help.

I tried to update my 8.0.0 firmware to 9.0.0 with ChoiDujourNX and now I'm stuck on a blue screen (because of the beta version 2.9 of OS xtreme). I have a NAND backup of 7.0.0 and my biskeys, but no Boot0 and Boot1. I tried to restore the raw backup but it's not working. I tried this guide but I get an error when I try to take the keys from boot0.

gbatemp.net/threads/how-to-get-switch-keys-for-hactool-xci-decrypting.506978/

"Could not find keyblob_mac_key_source! Please check the integrity of the data used in the current stage!"

This guide, I think, is the key to fixing this problem, but it needs the boot0 and 1 that I don't have.

gbatemp.net/threads/how-to-install-run-any-switch-firmware-unofficially-without-burning-any-fuses.507461/

I can use payloads (hekate, memloader, etc.) but can't start OFW or any CFW (SX, Atmosphere, etc.).

I'm new to this and have difficulty understanding what does what. Thanks for reading and sorry for my bad English. ☺️
 

linuxares

The inadequate, autocratic beast!
Global Moderator
> Keyblobs.
>
> Somehow, 16 bytes are being lost in (FTP?) dumps/transfers.
>
> If these boot0 were restored, keyblobs would be permanently messed up, leading to incorrect key derivation. Though keyblobs are not used in derivation of most (all?) keys nowadays.
Yeah I used FTP to copy it to my computer, but that shouldn't have modified the data. That just sounds strange.
 

ZachyCatGames

Well-Known Member
Member
> If your eMMC is intact, try it, if it's just boot0/1.
>
> BTW: Uploaded new pack to the usual place. v9.0.0 blanks.
>
> Need some 9.0.1 boot0/1 if anyone wants to email me them.
>
> Usual password, fellow anime haters.
>
> These are files that assist with UNBRICKING UNITS ONLY. Just before some bloody do-gooder tries saying "Piwacey".
>
> PSX PUPs are allowed after all. I class them as the same. No keys; BOOT0 is NOT encrypted and just exists on the REMOVABLE eMMC. Nothing here of any value unless your console is fooked.
>
> Massive thanks to @linuxares for being a patient soul!

9.0.1 boot0/1s are identical to 9.0.0 boot0/1s (firm packages weren't updated in 9.0.1 :P).
 

shchmue

Developer
Developer
Is the rest of your BOOT0 file aligned right? lol
The system doesn't use keyblobs at all starting with firmware 6.2.0. It doesn't read or write them, and really shouldn't be writing to that area ever.
 

mattytrog

You don`t want to listen to anything I say.
OP
Member
> Is the rest of your BOOT0 file aligned right? lol
> The system doesn't use keyblobs at all starting with firmware 6.2.0. It doesn't read or write them, and really shouldn't be writing to that area ever.

Yep. So in theory, it shouldn't matter if it is misaligned.

Still, it would be nice to get to the bottom of how these bytes are going missing.

I think FTP is dropping a "packet" somewhere. Might be wrong.

But even for posterity, if you want your keyblobs to be right, they start at 0x180000. As shchmue says, not needed on 6.2.0+.

Though if keyblobs can become misaligned, anything can.

Be warned! You could brick!
 

mattytrog

You don`t want to listen to anything I say.
OP
Member
> I just followed your tuto and wrote the directory "Dump to SD" to the SD card.
>
> What writes the keyblobs of my Switch into Boot0? (Switchboot?)

Once you have written all the partitions, drag the contents of the "Dump to SD" folder to the SD.

Then launch hekate_switchboot_mod with TegraRcmGUI or whatever.

You will see:

Restore rawnand
Restore boot0
Restore boot1

Restore boot0/1

Then go to launch.

Click UNBRICK_FIRST_BOOT or whatever and it should launch.
 

flduch

Active Member
Newcomer
Ok mattytrog,

First, I don't believe we are working on the same tuto: I use the one from your message on Friday (last week) at 1:46 PM.
Where can I find the right one?

Second, can you tell me what writes the keyblobs of my Switch into Boot0? (Switchboot, hekate_switchboot_mod?)

Thx
 

mattytrog

You don`t want to listen to anything I say.
OP
Member
> Ok mattytrog,
>
> First, I don't believe we are working on the same tuto: I use the one from your message on Friday (last week) at 1:46 PM.
> Where can I find the right one?
>
> Second, can you tell me what writes the keyblobs of my Switch into Boot0? (Switchboot, hekate_switchboot_mod?)
>
> Thx

Keyblobs aren't written to. Ever.

In the pack, there is a brief write-up on the steps to take. I assume you have found the UNBRICK_PACK?
 

smf

Well-Known Member
Member
> Yeah I used FTP to copy it to my computer, but that shouldn't have modified the data. That just sounds strange.

You have to be careful with FTP, especially if you set it to auto. If it decides it is an ASCII file then it will do line-ending translations.
Binary should be fine, but even then it's a very simple protocol and there are many failure points.
 

flduch

Active Member
Newcomer
> Keyblobs aren't written to. Ever.
>
> In the pack, there is a brief write-up on the steps to take. I assume you have found the UNBRICK_PACK?

Maybe I've understood: there are two tutos, right? The first one I've used is in \Unbrick_Your_Switch_iha2 and the second one is in \Unbrick_Your_Switch_iha2\Unbrick_Your_Switch_iha2.
Now I've tried the second one and got as far as the step "launch hekate_switchboot_mod" and ... the Switch started successfully (6.2). Great job, many thanks ... but I do not understand why the Switch started normally instead of launching hekate_switchboot_mod. Maybe I wasn't in CFW mode? I never restored Boot0/1 again and also never launched unbrick_first_boot_only. Very strange.

I read that a part of Boot0 was specific to the Switch. An encrypted form of the keyblobs was in it. Maybe it was for versions < 6.2?

Anyway, I'm very happy and thank you a lot.
 

mattytrog

You don`t want to listen to anything I say.
OP
Member
> Maybe I've understood: there are two tutos, right? The first one I've used is in \Unbrick_Your_Switch_iha2 and the second one is in \Unbrick_Your_Switch_iha2\Unbrick_Your_Switch_iha2.
> Now I've tried the second one and got as far as the step "launch hekate_switchboot_mod" and ... the Switch started successfully (6.2). Great job, many thanks ... but I do not understand why the Switch started normally instead of launching hekate_switchboot_mod. Maybe I wasn't in CFW mode? I never restored Boot0/1 again and also never launched unbrick_first_boot_only. Very strange.
>
> I read that a part of Boot0 was specific to the Switch. An encrypted form of the keyblobs was in it. Maybe it was for versions < 6.2?
>
> Anyway, I'm very happy and thank you a lot.

The boot0 is smaller than normal. This keeps your keyblobs intact.

The important thing is that you are up and running.

Well done!

Now, upgrade to 9.0.1 with ChoiDujourNX, initialising the system.
 

flduch

Active Member
Newcomer
If the keyblobs are intact, why for example is Lockpick_RCM telling me that they are corrupted now? Is that normal?

I used a procedure with choidujour many times to bring my Switch back. It never works (even though choidujour creates smaller Boot0/1). I've used the files generated by choidujour and my own biskeys. To write Boot0/1 I used balenaEtcher.

Can you explain to me the difference between the two methods? The only difference I can see is that the files BCPKG2-1-Normal-Main.bin, ..., Boot0, ... may not have the same origin.

In my special case, I broke my Switch by restoring full Boot0/1 (not the smaller one) containing only zero values with hekate / restore / ... . That's why I was pretty sure that I had erased the keyblobs in Boot0.
 

mattytrog

You don`t want to listen to anything I say.
OP
Member
> If the keyblobs are intact, why for example is Lockpick_RCM telling me that they are corrupted now? Is that normal?
>
> I used a procedure with choidujour many times to bring my Switch back. It never works (even though choidujour creates smaller Boot0/1). I've used the files generated by choidujour and my own biskeys. To write Boot0/1 I used balenaEtcher.
>
> Can you explain to me the difference between the two methods? The only difference I can see is that the files BCPKG2-1-Normal-Main.bin, ..., Boot0, ... may not have the same origin.
>
> In my special case, I broke my Switch by restoring full Boot0/1 (not the smaller one) containing only zero values with hekate / restore / ... . That's why I was pretty sure that I had erased the keyblobs in Boot0.

Your keyblobs will only be corrupt if something has corrupted them.

If you have restored a full boot0 with wrong / incorrect / missing keyblobs, they are gone.

In practice, all this means is that you can no longer downgrade past 6.2.0. And Lockpick etc. will complain that keyblobs are corrupt.

If, after everything that has happened, your console is now booting and running, you are able to load a cartridge, play it and go online, I call that an acceptable outcome.

It won't get better than that, sir!
 

flduch

Active Member
Newcomer
I've checked the content of Boot0. The keyblobs should start at offset 0x180000, incrementing by 0x200 for each one (keyblob 0 is at offset 0x180000, keyblob 1 is at 0x180200, etc.). In the Boot0 at 0x180000 I see "[config]..autoboot=0..autoboot_list ...". The other keyblobs are all 00. The keyblobs haven't been written into the Boot0. Lockpick_RCM and biskeydump say "corrupted keyblobs". That's the truth.

As I said, I couldn't launch hekate_switchboot_mod so I couldn't restore the special Boot0/1. I think they were restored before from the other tuto. If I try to launch hekate_switch_mod, the Switch does a normal boot.

Now I can just boot my Switch in 6.2 and play normal games. That's all.

Do you think that your tuto can reinitialize a full Boot0 (with the keyblobs)?

Maybe https://github.com/MegatonHammer/linkle can help to generate the encrypted keyblobs to be put in Boot0 at the right locations?
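A check for the situation described in this post and for smf's FTP note earlier in the thread, as an added example that is not part of the thread or of any tool it names: it walks the keyblob slots at 0x180000 in a BOOT0 dump, flags slots that hold zeros or INI text instead of ciphertext, and shows how an ASCII-mode FTP transfer changes the dump's size and hash. The slot count (6) and the 4 MiB dump size are assumptions, and the dump itself is constructed.

```python
# Inspect a Switch BOOT0 dump: size check plus keyblob-slot classification.
# Constructed example, not code from the thread or any tool it mentions. The
# offsets come from the thread (slot 0 at 0x180000, one slot every 0x200); the
# slot count and the 4 MiB dump size are assumptions.
import hashlib

KEYBLOB_BASE = 0x180000   # first keyblob slot, as stated in the thread
KEYBLOB_SIZE = 0x200      # one slot every 0x200 bytes
NUM_SLOTS = 6             # assumption: slots 0..5 are inspected
BOOT0_SIZE = 0x400000     # assumption: a complete BOOT0 dump is 4 MiB

def classify_slot(slot: bytes) -> str:
    """Label one slot: 'truncated', 'zeroed', 'text' or 'binary'."""
    if len(slot) < KEYBLOB_SIZE:
        return "truncated"          # the dump ends inside the keyblob area
    if not any(slot):
        return "zeroed"
    body = slot.rstrip(b"\0")
    # An INI header such as "[config]" (hekate_ipl.ini) is the symptom seen in
    # the thread; a genuine keyblob is ciphertext and never reads as text.
    if body.startswith(b"[") or all(32 <= b < 127 or b in b"\t\r\n" for b in body):
        return "text"
    return "binary"

def inspect_boot0(dump: bytes) -> dict:
    """Size check, a hash to compare with the on-console copy, and one label
    per keyblob slot."""
    slots = [classify_slot(dump[KEYBLOB_BASE + i * KEYBLOB_SIZE:
                                KEYBLOB_BASE + (i + 1) * KEYBLOB_SIZE])
             for i in range(NUM_SLOTS)]
    return {"size_ok": len(dump) == BOOT0_SIZE,
            "size_delta": len(dump) - BOOT0_SIZE,
            "sha256": hashlib.sha256(dump).hexdigest(),
            "slots": slots}

def ascii_mode_transfer(data: bytes) -> bytes:
    """Simulate an FTP ASCII-mode transfer: each bare LF becomes CRLF, so the
    received dump changes size and hash. Transfer in binary mode and compare."""
    return data.replace(b"\n", b"\r\n")

def make_dump() -> bytes:
    """Constructed dump, not console data: zero-filled BOOT0 with hekate_ipl.ini
    style text in slot 0 and an opaque stand-in for ciphertext in slot 1."""
    buf = bytearray(BOOT0_SIZE)
    ini = b"[config]\nautoboot=0\nautoboot_list=0\n"
    buf[KEYBLOB_BASE:KEYBLOB_BASE + len(ini)] = ini
    slot1 = KEYBLOB_BASE + KEYBLOB_SIZE
    buf[slot1:slot1 + KEYBLOB_SIZE] = bytes(range(256)) * 2
    return bytes(buf)
```

Run `inspect_boot0` on a dump taken before and after the transfer and compare the two hashes; any slot reported as "text" or "zeroed" is the corruption Lockpick_RCM complains about.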
 

mattytrog

You don`t want to listen to anything I say.
OP
Member
Joined
Apr 27, 2018
Messages
3,708
Trophies
0
Age
48
XP
4,328
Country
United Kingdom
> I've checked the content of Boot0. The keyblobs should start at offset 0x180000, incrementing by 0x200 for each one (keyblob 0 is at offset 0x180000, keyblob 1 is at 0x180200, etc.). In the Boot0 at 0x180000 I see "[config]..autoboot=0..autoboot_list ...". The other keyblobs are all 00. The keyblobs haven't been written into the Boot0. Lockpick_RCM and biskeydump say "corrupted keyblobs". That's the truth.
>
> As I said, I couldn't launch hekate_switchboot_mod so I couldn't restore the special Boot0/1. I think they were restored before from the other tuto. If I try to launch hekate_switch_mod, the Switch does a normal boot.
>
> Now I can just boot my Switch in 6.2 and play normal games. That's all.
>
> Do you think that your tuto can reinitialize a full Boot0 (with the keyblobs)?
>
> Maybe https://github.com/MegatonHammer/linkle can help to generate the encrypted keyblobs to be put in Boot0 at the right locations?

You are seeing a hekate_ipl.ini in your keyblobs. How on earth has that happened?

NOTHING should ever write to the keyblob area, even if it isn't used nowadays.

Regenerating them? Yep, I think it can be done.

Looks like you accidentally flashed a hekate binary to your BOOT0 region.
If so, you have been extremely lucky. If it was a raw restore, you could have overwritten your PRODINFO and then you would have been fooked.

You have two options as I see it. Unless the Discord / Kosmos lot know of anything better... I don't frequent them channels.

Leave the "keyblobs" (which are knackered) as is, or zero them out.
 

flduch

Active Member
Newcomer
When you write "Regenerating them? Yep, I think it can be done.", I believe you don't say how?

To be certain: no way to encrypt the keyblobs into Boot0 = nothing to do except use original game cartridges?
 

mattytrog

You don`t want to listen to anything I say.
OP
Member
> When you write "Regenerating them? Yep, I think it can be done.", I believe you don't say how?
>
> To be certain: no way to encrypt the keyblobs into Boot0 = nothing to do except use original game cartridges?

I don't say how for good reason. I had a method I thought was accurate, but it wasn't.

I don't believe anyone can re-encrypt the keyblob payloads once they are missing. Unless I am missing something.
SciresM can probably provide some pointers. He is VASTLY more up to speed on the Switch crypto system than I am.
 
