Hacking Process of the eMMC backup and restore in Hekate? Are backups en-, or decrypted?

T

tomsek68

Well-Known Member
OP
Newcomer
Level 2
Joined
May 19, 2018
Messages
46
Trophies
0
Age
22
XP
233
Country
Hungary
I have a patched switch, which is bricked. I mixed up a few eMMCs during a repair, and one burned an eFuse in this patched switch. I was able to bring the others back to life (since they were unpatched), but not this one. I am literally pulling my hair out.

So, let the fun begin:
I made a NAND backup with a different switch (Hekate, not raw backup). Later, I tried to recreate the eMMC content with the higher firmware that the 12 burnt fuses required. Flashed it (with an unpatched switch), but no charm.

Today I have installed an Sx Core chip in it (because it allows running payloads). Restored the original backup with hekate, but it won't boot. Neither with Atmosphére. I was hoping for that the CFW would skip the fuse check (maybe won't work on patched SoCs?)

Also: 0% of the USB features work in any payload.

So... I fear that my backups are "decrypted". (this would be bad, since another switch was used for the backup process - different bis keys would turn the backup into garbage)
But if they are decrypted, the restore would encrypt it, right? That needs the BIS keys again - which i was not able to retrieve from this console. It just hangs when i try to dump them. Tried to restore with the exact switch the backup was made with, but no success either.

Any ideas?

And again, sorry for my broken english. It may have to do something with sleeping only every other day....
 
scandal_uk

scandal_uk

Not Really There
Member
Level 5
Joined
Oct 3, 2005
Messages
322
Trophies
0
Location
UK
XP
580
Country
United Kingdom
It’s a shame you reflashed that eMMC because CFW wouldn’t have been affected by the fuse count. However, it is what it is - you really need those keys, can you get them to display on-screen in Lockpick_RCM?

Edit: does it even work with SX Core??
 
Last edited by scandal_uk,
T

tomsek68

Well-Known Member
OP
Newcomer
Level 2
Joined
May 19, 2018
Messages
46
Trophies
0
Age
22
XP
233
Country
Hungary
It wont boot with Sx Core either. (Sx logo comes in, boot menu is operational, can boot payloads too) I know, it was a huge mistake to reflash it.
But the question remains: Are the backups decrypted or bit-to-bit perfect from the eMMC?

Also: Low battery and charging icon comes in. IIRC this only happens when using the right eMMC (with the switch specific data on it).

It only boots to Nintendo logo. Sometimes right after rewriting the BOOT0/BOOT1 the SEPT logo comes in. One time, ive seen the Atmosphére logo - but it hanged after that.

With SX Core it shows the low battery/charging screens when the battery is depleted, otherwise it hangs after the Nintendo logo.

EDIT:
Tried Lockpick RCM again. When I start the process, it flashes some info, along with Press Power or Vol +/- to reboot to Sept..., but it goes blank immediately without pressing anything. It just halts.
lprcm.jpg


EDIT2:
Biskeydump throws an error. "Keyblob decrypted using current SBK & TSEC keys NOT VALID!" Is the TSEC key sensitive data? If not, I'll post a pic of the biskeydump final screen.

SBK key is FFFFFFFFFFFFFFFFFFFF... So... Noting...
Where is the SBK key stored?
 
Last edited by tomsek68,
Draxzelex

Draxzelex

Well-Known Member
Member
Level 23
Joined
Aug 6, 2017
Messages
19,012
Trophies
2
Age
29
Location
New York City
XP
13,390
Country
United States
tomsek68 said:
It wont boot with Sx Core either. (Sx logo comes in, boot menu is operational, can boot payloads too) I know, it was a huge mistake to reflash it.
But the question remains: Are the backups decrypted or bit-to-bit perfect from the eMMC?

Also: Low battery and charging icon comes in. IIRC this only happens when using the right eMMC (with the switch specific data on it).

It only boots to Nintendo logo. Sometimes right after rewriting the BOOT0/BOOT1 the SEPT logo comes in. One time, ive seen the Atmosphére logo - but it hanged after that.

With SX Core it shows the low battery/charging screens when the battery is depleted, otherwise it hangs after the Nintendo logo.

EDIT:
Tried Lockpick RCM again. When I start the process, it flashes some info, along with Press Power or Vol +/- to reboot to Sept..., but it goes blank immediately without pressing anything. It just halts.
View attachment 216756

EDIT2:
Biskeydump throws an error. "Keyblob decrypted using current SBK & TSEC keys NOT VALID!" Is the TSEC key sensitive data? If not, I'll post a pic of the biskeydump final screen.

SBK key is FFFFFFFFFFFFFFFFFFFF... So... Noting...
Where is the SBK key stored?
Click to expand...
Lockpick_RCM was updated so give it another shot.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

DBI language error

Emulation Homebrew  duckstation for Switch

Can you trade in a banned switch for an unbanned one?

Why is Atmosphere so dominant?

Crosscode Hacking thread

Last switch firmware blocking MIG SWITCH?

Hacking  Loader.kip for AMS 1.7.0 with FW 17.0.1 - sys-clk error ??

General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: Playing the Judge Dredd arcade game prototype lol I can see why they didn't finish it but at the...