Hacking Downgrade 9.0.3 Ipatched switch

[linuxares]

But with which tool we can downgrade ? If it's possible.

I thought maybe Mattytrog might know how to raw write it. Classic write every 0101 directly to the nand. I let him answer and we shall see. It might not be possible at all.

 

[Emris93]

Okay .

 

[FR0ZN]

You would still run into a fuse mismatch.

 

[Emris93]

Don't know if it's possible but maybe just run into RCM (vol + and -) and try to inject the sysnand ?

 

[mattytrog]

@mattytrog and/or @MatinatorX
Wouldn't it be possible to do a raw dump of the nand? I guess you need the keys to do a "raw" downgrade as well?

The only way of getting a raw NAND dump for this gentleman, is to unplug his eMMC from his Switch, fit into another fusee vuln Switch and dump rawnand via Hekate, remembering associated boot0/1.

But a downgrade won`t boot because 9.0.1 fusecount is active.

So, yes. You can fully downgrade.

But if your fuses are cooked, forget about actually booting it on an ipatched unit.

I don`t have any ipatched units here sadly.

But I am more convinced we can glitch it into booting. The Tegra oscillator circuit (38.4Mhz) is right there. I`m thinking of a Trinket yet again, use a spare pin, connect a strap to the oscillator testpoint and pulse it (pull it high / low - see if it can dizzy the Tegra into running unsigned code).

I cannot actually try this and I`m sure more knowledgeable people than me have already tried this.

 

[Emris93]

Maybe I have a backup of the rawnand (same with nand?) I will confirm you tonight.
You are a lovely Guy @mattytrog

Have a ipatched switch but I'm very noob on "DIY" so too risky for me.

 

[LoggerMan]

Yes it's 9.0.1 a mistake of my part sorry.

omg you nearly gave me a heart attack with this 9.0.3 stuff. I updated my sysnand to that too recently, burning fuses, because it’s compatible with os sx anyway. I’m so lazy. I think I used the safe update method to update emunand though.

 

[Emris93]

omg you nearly gave me a heart attack with this 9.0.3 stuff. I updated my sysnand to that too recently, burning fuses, because it’s compatible with os sx anyway. I’m so lazy. I think I used the safe update method to update emunand though.

I'm very sorry for that

 

[ZachyCatGames]

I think yes in choixdujourNX you have the choice to update sysnand or emunand. The mistake that I had is leaving tick sysnand by default.
Just simple search in Google can confirme that.

No, it doesn’t. I’ve been using Choi a shit ton recently, there’s definitely no option like that.

 

[Emris93]

No, it doesn’t. I’ve been using Choi a shit ton recently, there’s definitely no option like that.

I don't have a game cartridge and I blocked the nintendo updates with the DNS so I don't see how my switch could be updated and the only update that I made it's with choixdujourNX.

 

[ZachyCatGames]

I don't have a game cartridge and I blocked the nintendo updates with the DNS so I don't see how my switch could be updated and the only update that I made it's with choixdujourNX.

You probably accidentally booted into your sysmmc instead of emummc when you went to update. Writing to sysmmc from emummc isn’t really something that can be easily done, also the last Choi update released before emummc did

 

[Emris93]

You probably accidentally booted into your sysmmc instead of emummc when you went to update. Writing to sysmmc from emummc isn’t really something that can be easily done, also the last Choi update released before emummc did

I think I found : unintentionally I installed atm in sysnand and when i updated atm it update also the sysnand.

 

[The Real Jdbye]

I think I found : unintentionally I installed atm in sysnand and when i updated atm it update also the sysnand.

That's not really how it works, you must have had a boot entry for sysNAND in Hekate and booted into it like I said.

 

[Emris93]

That's not really how it works, you must have had a boot entry for sysNAND in Hekate and booted into it like I said.

That's what I said I installed atm in the sysnand and when booting I booted directly to the sysnand via hekate without creating the emunand and I made the update with choidujourNX everything being in the sysnand believing I was in emunand.

 

[The Real Jdbye]

That's what I said I installed atm in the sysnand and when booting I booted directly to the sysnand via hekate without creating the emunand and I made the update with choidujourNX everything being in the sysnand believing I was in emunand.

Oh.
For future reference you can check by looking at the firmware version in System Settings, there should be an E after the version if you're in emuNAND.
Also a good idea to change the theme and user icons so they're different between the two.

 

[Emris93]

Oh.
For future reference you can check by looking at the firmware version in System Settings, there should be an E after the version if you're in emuNAND.
Also a good idea to change the theme and user icons so they're different between the two.

Yeah I know but to late now. Then I have two solutions :
- a miracle occurs to be able to downgrade before January.
- waiting for the solution tx in January.

 

[tivu100]

You can update with choidujournx, but it won't help as you can't avoid burning the fuses with an ipatched switch.

How that works is you force into RCM on every boot and then use a payload, but that can't possibly work for you. Either choidujournx will refuse to enable autorcm, or your switch will be bricked and require you to remove autorcm using a hard mod. Either way as soon as you boot then fuses will be burned.

If you want the latest version on an ipatched switch then you need to setup emunand, but of course you need to be on a quite low firmware to be able to trigger that right now.

Echo this point here but short Andy simple:

Don’t use AutoRCM on ipatched Switch

 

[tivu100]

Oh.
For future reference you can check by looking at the firmware version in System Settings, there should be an E after the version if you're in emuNAND.
Also a good idea to change the theme and user icons so they're different between the two.

The more OP said, the more I feel like it’s just lying to cover for his mistake:

Clearly said OP didn’t make an EMUNAND, yet somehow wishful thinking booting via Hetake would magically create EMUNAND!

“...in choixdujourNX you have the choice to update sysnand or emunand...”

Nothing can be further from truth, just as Hekate point.

People, please stop suggesting with downgrading using raw NAND dump. It’s an ipatched Switch and it’s running on latest firmware (fuses burned)! Clearly no fuses protection enabled.

Edit:

Not trying to burn anyone. The point is everyone make mistake. Own it up, and learn from it, or you make the same mistake again (doesn’t understand what you’re doing and don’t ask for help when you should).