Hacking Switch won't boot - pkg1 Loaded pkg1 & keyblob

[HelpRafi]

Hello,
i recently got an Nintendo Switch. The previous owner says that it has no firmware installed but it came with a work Android Version. I have no working backups.
Now i'm trying to fix it. Here is what i tried:
I figured out that firmware 9.0.1 was installed. (because of the fuses)
I followed this guide

• Upgrading/Downgrading Manually With a PC on sdsetup

and

• How to install/run ANY Switch firmware UNOFFICIALLY (WITHOUT burning any fuses) which i found here.

I couldn't get the keys.txt from my console. Lockpick said that keyblob 0-5 is corrupted. I found some keys which i used. I tried downgrading to 6.1 and 5.1 and 4.1. I always get stuck at the first start. You supposd to start hektate with the provided ini file and launch "FS_XXX-exfat_nocmac_nogc" after klick on this point i got the message: "Initializing... found pkg1 identified pkg1 and keyblob 3" and it freze there.
When i tried to boot into cfw (with the normal hektate_ipl.ini) i get "pk2 decryption failed"

I have no idea what else i can try maybe someone could give me a hint or help me.

Best regards

 

[HelpRafi]

Another detail which i noticed:
Charing seems to work (according to RCM and hektate) gut wegen switched off there ist nö charging symbol.

 

[FXDX]

Watch this video carefully. Maybe it helps you.

 

[HelpRafi]

Thx. I will watch and try it but at First sight it is the same guide i allready followed.

 

[FXDX]

Thx. I will watch and try it but at First sight it is the same guide i allready followed.

Maybe you missed something.....

 

[HelpRafi]

I will try it on sunday. Is it possible that the Keys are wrong although choidujour accepte them?

 

[FXDX]

Did you fix anything?

 

[HelpRafi]

Thanks for asking....
I'm currently not at home. I will try it tomorrow. I watch the youtube Clip a little bit. I tried to create the files with Choidujour and firmware 8.1 but get an error. (Exception: Error: section 0 is corrupted!). I tried it with firmware version 6.2 and it says "Everthing is ok" but then i get an error (error: re-signing save). more i couldn't do because i didn't have the switch with me.
As soon as i could follow the instrucation i post it here. But it's really hard to follow the instrucation. my spanish is rather bad :-)

 

[lpoolm]

is there an english version to this guide?
i think i have the same issue
thanks

 

[HelpRafi]

You can follow the guide by watching the Video and doing what he is doing. At least i assume you could do that. I haven't tried itt yet.
But an english version would be really great....

 

[FXDX]

You can follow the guide by watching the Video an doing what he is doing. At least i assume you could do that. I haven't Trier ist yet.
But an english version would be really great....

I found it in German

 

[HelpRafi]

So, i followed the spanish video. I did nearly everthing he did. Execept i had to use Stockfirmware 6.0 because it was the only one which gave me the results that he has in his video. I get to the point where i have been before. I boot into RetroReloaded (or directly into hekate) and start to boot an Firmware. SX just ended with an black screen. Renix gave me the same message as before "Error Package2 Magic invalid! There is a good chance your Renix build is outdated...."
I could get into hekate and tried to boot AMS (atmosphere, i assume) it ended up with this error: Error Fatal Error NXBOOT Key derivation failed!
After that i tried to follow the steps from the last tutorials :
"
Step 13: Launching the First Time After Downgrading

1. Insert your SD card into your PC
2. Navigate to the “/bootloader” folder on your SD card
3. Rename “hekate_ipl.ini” to “hekate_bak.ini”
4. Navigate to “/NX-X.X.X/microSD” folder which was generated with ChoiDujour.
5. Copy the “FSXXX-exfat_nocmac_nogc.kip1” file to the root of your SD card
6. Copy the “hekate_ipl.ini” file to the “/bootloader” folder on your SD card
7. Safely eject your SD card and insert it into your Switch
8. Enter RCM and send the “hekate-ctcaer-5.0.1.bin” payload
9. In Hekate, navigate to Tools > Archive bit - AutoRCM > Unset archive bit
10. Return to the main menu, then select ‘Launch > FS_XXX-exfat_nocmac_nogc’ where XXX is the firmware version you downgraded to.

" (https://switch.homebrew.guide/usingcfw/manualchoiupgrade)
it gave me the same message and the freeze like in the beginnig. ("Initializing... Found pkg1 (,20180802162753') Identified pkg1 & Keyblob 5 Loaded pkg1 & Keyblob)


I will try another stock Firmware tomorrow maybe i get an other result but i honestly doubt it

 

[HelpRafi]

I tried stock Firmware 7.0. While launching for the first time i get the same message ("Initializing... Found pkg1 (,20180802162753') Identified pkg1 & Keyblob 7 Loaded pkg1 & Keyblob) but now there is a red line saying n"o mandatory secmon or warm boot provided!" after that it boots back to hekate

I tried use retrogamer and wanted to start atmosphere, sx OS or Reinx. Atmosphere shows the boot screen and freezes there. SX OS shows a black screen and reinx shows the bootlogo then the sept boot screen and finaly a black screen

also i found a tweet which says that you had to add "secmon=path/to/exosphere.bin warmboot=path/to/lp0fw.bin atmosphere=1" to your hekate_ipl.ini. Didn't changed something :-(

 

[FXDX]

The important parts are the PC version ChoiDuJour only supports up to 6.1, don’t use anything newer…
the exact key’s you’d need -i gave them to you in private- the values for downgrading to 6.1 are these and only these:

master_key_00 =
master_key_01 =
master_key_02 =
master_key_03 =
master_key_04 =
master_key_05 =
master_key_06 =
sd_card_kek_source =
sd_card_nca_key_source =
package1_key_00 =
header_key =
titlekek_source =
header_kek_source =
header_key_source =
package2_key_source =
aes_kek_generation_source =
aes_key_generation_source =
key_area_key_application_source =
key_area_key_ocean_source =
key_area_key_system_source =

 

[HelpRafi]

I tried different Stock firmwares (4.0;5.1;6.1) it didn't work.
In the YouTube Video you send me he ist using the Stock Firmware 8.1 with the PC Version of choidujour.

EDIT: I once again tried Stockfirmware 5.1 and get the same error :-(

 

[HelpRafi]

OMG it worked!!!!! After weeks of trying, crying and praying. The Switch booted in the CFW Firmware. It's currently running Version 5.1.0.
Give me a few minutes and i will give you discription of what i did.
@ FXDX thank you verry verry much. You are my hero! This is so great!!!


OK, here ist what i did: [please note: a lot of this stuff is copy and past frome this tutorial https://switch.homebrew.guide/usingcfw/manualchoiupgrade] everybody should read an follow it. I will just mention the things which i done different.
i used the keys which FXDX gave me. I downloaded switch stock firmware 5.1.
I used the choiDuJour Version 1.2.1 (https://github.com/StarDustCFW/ChoiDujour/releases/tag/1.2.1) the version 1.2.2b didn't worked for me.


I did all of this:
1: Preparing Files

1. Make sure your SD card includes a basic Hekate/Atmosphere setup (such as the one installed when following this guide)
2. Insert your SD card into your PC
3. Go to switchtools.sshnuke.net
4. Download the latest version of ChoiDujour (NOT ChoiDujourNX) by rajkosto <-- use the version above
5. Download the latest version of HacDiskMount by rajkosto
6. Download the latest version of memloader by rajkosto <-- i used the memloader function in TegraRCMGui
7. Extract each downloaded .ZIP file to separate folders on your PC
8. Copy your hactool keys.txt into the ChoiDujour folder <-- i take the keys which FXDX gave me and saved it as "prod.keys". I don't know if this makes any difference.
9. Create a folder named “fw” inside of your ChoiDujour folder
10. Extract the contents of your firmware .ZIP file to the newly created “fw” folder
11. Go to www.balena.io/etcher/, download and install Etcher for your system
12. In File Explorer, make sure Hidden Files are set to be shown. <-- also:
    1. Select Large or Small icons from the View by menu if one of them is not already selected.
    2. Select File Explorer Options (sometimes called Folder options)
    3. Open the View tab.
    4. Uncheck Hide protected operating system files.
    5. Click Yes when prompted to confirm.
    6. Click OK.

Then do Step 2 -3 in the manual above.

Next step:

Converting Firmware Files

1. Navigate to your ChoiDujour folder with File Explorer
2. In the address bar at the top, type “cmd” and press enter. A command prompt should open.

1. In the command prompt, type “ChoiDujour.exe --keyset=prod.keys fw” without quotes <-- note: i used the keys in the file prod.keys otherwise you must unse the command keyset=keys.txt
   
   • If ChoiDujour says it cannot find firmware files or keys.txt, you likely put keys.txt or the firmware files in the wrong location. Try steps 1.9-1.13 again.
   • If the script fails otherwise, your keys.txt may be incompatible with ChoiDujour.
2. Once finished, you should see a message similar to “All files verified! Prepared firmware update is in folder NX-X.X.X” in the command prompt. Make sure you can find this folder, it will be used later.

Don't close the command prompt! Instead use this command: bin\hactoolnet.exe -t save -k prod.keys NX-5.1.0_exfat\SYSTEM\save\8000000000000120

You should see a message similar to "
Savefile:
CMAC Signature (GOOD): XXXXXXXXXXXXXXXXXXXXXXXXXX
Title ID: 0000000000000000
User ID: 00000000-0000-0000-0000-000000000000
Save ID: 8000000000000120
Save Type: SystemSaveData
Owner ID: 0000000000000000
Timestamp: 2018-01-01 00:00:45 UTC
Save Data Size: 0x000000000006c000 (432 KB)
Journal Size: 0x000000000006c000 (432 KB)
Free Space: 0x0000000000060000 (384 KB)
Header Hash (GOOD): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Number of Files: 1

The "CMAC Signature" and "Header Hash" should say "GOOD"!


Follow the steps 5 - 12 in the manual above.

I then tried step 13 but i couldn't boot anything. I then tried to use RetroReloaded (https://github.com/RetroGamer74/RR_RetroReloaded/releases) i used version 3.77. I copied everything on the microSD Card and injected the payload "Payload". In RetroReloaded i used the option "Atmosphere" and could boot the cfw.


I hope this helps somebody. I really want to thank FXDX for helping me out! Thank you verry verry much!

 

[FXDX]

Congratulations on your working Switch!

 

[PabloZaiden]

Hey, I'm having similar issues after trying to revive a switch with a nuked nand and no backups.

I've flashed everything to install a 6.1.0 or 5.1.0 firmware, but no boot.
Question: @HelpRafi: why did you do this: bin\hactoolnet.exe -t save -k prod.keys NX-5.1.0_exfat\SYSTEM\save\8000000000000120

When I try, it says CMAC Signature (FAIL).

Also, in my case, it's still not booting after finishing the process. Already tried with RR with no luck. Any idea?

 

[HelpRafi]

Hey Pablo,
to be honest, i really can't rember why i did this command. I think it has someting to do with verrifiy the firmware files. I was also just following the guide i mention above.
You can try to workaround this problem by repeating the command several times. Some times I get a GOOD result after 3 runs, others 8 runs maybe this will work for you.


Maybe the solution in the thread will help you:
https://github.com/Thealexbarney/LibHac/issues/102

wish you good luck

 

[Canna]

Always try to pull the Biskeys first from any console, as its mostly untouched state, This is achieved via LockPickRCM payload.

Secondly would to make a backup of the Nand, And boot0,boot1.

As a rule, any switch that is sent to me to be fixed. I do the above first.
But always restore or manually use choidujour.exe cmd, to build a 5.1.0 image, If the console is not booting. I find 5.1.0 build with choidujour has the best chances of booting up, from there you can upgrade to higher system versions with ease.

Dont forget to restore or flash the boot0 and boot1 to match the system.

Big Congrats to the OP that fixed there own switch..
As a reminder to you all. Backup your switch and your Biskeys. Before doing any CFW or tinkering with CFW or FW.