Hacking: Bought a bricked Nintendo Switch

  • Thread starter: SanderJ
  • Views: 11,013
  • Replies: 53
Here's what I also found out: I get into RCM, right? I hold my thumb down on the shield. It lets me inject hekate. Now, if I want hekate to display my fuse information, etc., I have to hold my thumb on the shield. If not, it will show nothing. But when I hold it down, all the fuse information is displayed, e.g. this one has burnt 11/64.
Try booting into Horizon normally while holding it down.
 
Cracked solder joint underneath the RAM. It will need to be reflowed (reballing is better of course, but that's harder and requires specialist equipment)
Possibly the Switch could have been dropped at some point, stressing the PCB enough to crack one or more of the solder joints; or if it's one of the bent ones (which seems to be most of them, judging by what I have seen), that could also stress the PCB enough over time to crack solder joints.
 
Try booting into Horizon normally while holding it down.
Still BSOD

--------------------- MERGED ---------------------------

Cracked solder joint underneath the RAM. It will need to be reflowed (reballing is better of course, but that's harder and requires specialist equipment)
Possibly the Switch could have been dropped at some point stressing the PCB enough to crack one or more of the solder joints, or if it's one of the bent ones (which seems to be most of them judging by what I have seen) that could also stress the PCB enough over time to crack solder joints.

Yeah, if that's the case, probably best not to, as buying the equipment would be far more expensive than the Switch itself. I do however have a heat gun.

--------------------- MERGED ---------------------------

Yes,

I do believe it's probably a cracked solder joint. Buying a proper reflow machine, soldering iron, reballing jig... yeah, it would be cheaper to just buy an unpatched Switch :P But maybe if anyone has this problem out of the blue in future, try that as a solution. But I can inject any payload; it's just the SD card currently throwing errors.
 
A heat gun or a hot air station? They are not the same thing. A heat gun is meant more for stripping wallpaper than for precision jobs like soldering.
 
Hot air station. Sorry, I just call it a heat gun. I could possibly remove the shield, then, lightly I guess, on something like 300-350°C, maneuver in circular movements around the chips. Maybe if my SD card slot was working. It was working one day, now it's not. Maybe it's a software thing, as the pins on the motherboard look completely fine and nothing looks bent; I could've dumped the NAND and possibly restored it to working order.
 
Try it! What have you got to lose? I've reflowed many Xbox 360s back in the day with a standard off-the-shelf heat gun. Hell, I've even used a blow dryer before.
 
Idea...

Try the "Memloader Test" as I call it.

See if the Minerva Training Cell can work.

Send Memloader... See if it fails or not.

Will give you an idea of what's working and what isn't. Make sure you use the latest memloader with Minerva.

If it fails: With 246400 bytes
I've had a few consoles with this fault. It seems to be a hard fault between the Tegra and the RAM.

MAX77620 are functional; fuel gauge, bq, m92, all mosfets are fully working. Ref. oscillator crystal working... Hekate boots... Correctly built and rebuilt eMMC. I thought "cracked ball under RAM". Reflowed. Nothing. Even reballed a RAM chip (without a jig. Took hours.)

It may be related. Or you may be lucky in that it's a cracked joint.

If you can get BIS key 0 and PRODINFO is intact, you can build the eMMC from scratch, with fresh keyblobs if need be.

Just trying to give a few pointers. :)

--------------------- MERGED ---------------------------

As Jdbye says, you can indeed remove certs and recalc hashes in PRODINFO, but you will struggle with the Device Cert (ecc-b233) if it's missing. Offset 0x480, if I remember correctly.
 
That is one of the things Incognito wipes so that shouldn't be a problem, as long as online is not a big deal. But PRODINFO contains a lot of calibration data and such that don't seem to be so easy to regenerate.
 
The standard version, yes. Or might be device key. I'm writing from memory. And I'm drunk.

One of the offsets cannot be regenerated.

I'll have to check.

It's ECC encrypted and, to my knowledge, without the signing key you cannot regenerate that. It might be known, unencrypted, but you won't be able to encrypt it without Ninty's key.

In my messing around with prodinfo and recalcing hashes etc... That was the only stumbling block.

I'll update this post tomorrow after the headache subsides and I've found my notes.txt I made.
 
Both of them are wiped by Incognito. But maybe not every offset, IDK.
 
That's exactly what I thought!

But if you have 10 mins, have a go at making a prodinfo and getting it to boot. You can delete serials, regen the SHA hashes, etc... Just the one piece of the puzzle.

It can only be done with this encrypted "key". Like I say, my memory is sketchy at best. Cannot remember exactly which one.

If you run through the sections one at a time, it will become clear.

Unless I'm missing something blindingly obvious, I could replace cal0 stuff, serials, certs even. And the device will boot. But it was that one bit that tripped me up.

Will update tomorrow :)
 
The client cert has a hash that needs to be updated.
https://github.com/blawar/incognito/blob/master/source/incognito.cpp#L143
 
Last edited by mattytrog,
