
NAND Rebuilding (for no backup / broken eMMC)

Disclaimer: I'm not responsible for any damage related to the following guide

NAND Rebuilding Guide

This NAND rebuild uses a donor NAND from Switch (A) (which you may obtain from the internet), with device ID (A), on Switch (D), which certainly has device ID (D).

It means that we are tricking Switch (D) into seeing itself with device ID (A), so it will boot into a NAND with device ID (A) encrypted by keys from Switch (D).

With this method, you can't go online and can't boot OFW.
In theory, if the files are modified to match the device ID, it should be possible to build a NAND that lets Switch (D) boot OFW or even go online, but I don't know how.

Guide:
Before we start
Make sure that your dead Switch (D) can use Hekate -> Tools -> USB Tools -> eMMC RAW GPP
and connect to the PC.
Otherwise you will need an eMMC reader like mmcblknx.
However, a dead eMMC can also be unreadable when connected.
Please test your own situation before buying anything.
Normally, injecting the Hekate payload directly from the PC should let you connect.

Remarks:
(A) from good Switch;
(D) from dead Switch;
(O) for output files

0.1 Hardware

a working eMMC module, which lets a normal Switch boot OFW normally
a good (donor) Switch (A) with good eMMC (A)
a Switch (D) with dead eMMC (D)
Windows PC
For mmcblknx users, a Linux PC is also needed

0.2 Files Preparation
[On Switch]
Payloads: Lockpick v1.9.4.bin, prodinfo_gen v0.3.4.bin
Hekate v5.6.0 & Nyx v1.0.6

[On PC]
Suitable OFW; on my Switch, OFW 12.0.2 works
Searching for darthsternie's firmware on Google should get you one
EmmcHaccGen v2.2.3
HacDiskMount v1.0.5-5
NxNandManager v5.0
(Optional) BalenaEtcher: Flash BOOT0 and BOOT1. For users mounting eMMC by Hekate or mmcblknx users with Windows PC only
(Optional) You can try to use PikaFix Pack's dump (Start from Step 5), which I didn't

*PC needs to be able to view all files including "Protected operating system files"

Assuming that you have 2 Switches, (A) and (D),
and 1 eMMC chip (A) with data you do not need

Let's get started
*If the PikaFix Pack is used, start from Step 5 and consider the PikaFix Pack as Switch (A)

  1. On Switch (A), inject Lockpick.bin to get prod.keys (A)
  2. On Switch (A), boot Hekate -> Tools -> Backup eMMC, select eMMC RAW GPP to dump rawnand.bin (A)
  3. On PC, copy prod.keys (A) and rawnand.bin (A) to PC from microsd (A)
  4. (a) start NxNandManager v5.0
    (b) import keys (Ctrl + K)
    (c) find key.dat (A), which contains the BIS keys, located under the NxNandManager v5.0 folder and copy to somewhere convenient
    (d) open rawnand.bin (A) (Ctrl + O)
    (e) export decrypted PRODINFO.bin (A), PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A)
    (f) close NxNandManager v5.0
  5. Put eMMC chip from Switch (A) (or any good eMMC chip) to Switch (D)
  6. Dump prod.keys (D) by Lockpick.bin
  7. Copy PRODINFO.bin (A) and prod.keys (D) to microsd (D) and rename PRODINFO.bin to donor_prodinfo.bin
  8. On Switch (D), inject payload prodinfo_gen.bin to get PRODINFO.bin (O)
    *If you encounter an error about missing master keys, copy the following lines from prod.keys (A) to prod.keys (D), then try again:
    master_key_00 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_01 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_02 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_03 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_04 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_05 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_source = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    **Do not confuse these with the master_kek lines
    ***PikaFix Pack users may need to find your own ways to obtain master keys
  9. Copy PRODINFO.bin (O) to PC
  10. (a) Copy prod.keys (D) to EmmcHaccGen.2.2.3 folder and rename the file to keys.txt
    (b) Unzip OFW in EmmcHaccGen.2.2.3 folder and rename the folder to fw
    i.e.
    Code:
    EmmcHaccGen.2.2.3 folder
    |--EmmcHaccGen.exe
    |--keys.txt
    |--fw
        |--firmware .nca files
    (c) Start CMD and navigate to the EmmcHaccGen.2.2.3 folder
    (d) Use the following command to generate the firmware files for Switch (D)
    Code:
    EmmcHaccGen.exe --keys keys.txt --fw fw
    (e) In my case OFW 12.0.2 is used, then a folder named NX-12.0.2_exFAT is generated, which contains
    Code:
    Folders SAFE (O), SYSTEM (O), USER (O),
    Files BOOT0.bin (O), BOOT1.bin (O), BCPKG2-1 to BCPKG2-4 (O)
    boot.bis is not used
    (f) Close CMD
  11. Open key.dat (A) from Step 4(c) in a text editor (or rename it to key.txt first if you want to)
  12. !CAUTION! From now on, remember to use the eMMC chip whose content you want to erase; all saved data on the chip will be deleted
    (a) start HacDiskMount v1.0.5-5 with Administrator permission

    Read eMMC by Hekate, go to Step12(b)
    Read eMMC by mmcblknx, go to Step12(c)

    (b) (i) On Switch (D), boot to Hekate -> Tools -> USB Tools -> (!!read only OFF!!) eMMC RAW GPP
        (ii) Connect Switch (D) to PC, then go to Step 12(d)

    (c) Connect the eMMC chip to mmcblknx and connect mmcblknx to PC

    (d) On HacDiskMount, select File -> Open physical drive
    (e) Double click on your eMMC chip, should have size of 29.xx GB
    (f) (i) Double click PRODINFO
        (ii) Copy corresponding BIS keys from key.dat (D)
             *Make sure that you copied the correct BIS keys x, where x ranges from 0 to 2
        (iii) Click Test then Save. If an error occurs, please stop here, leave a comment and let's discuss
        (iv) Browse PRODINFO.bin (O) and click Start to copy to eMMC
        (v) Close the window
    (g) Repeat Step 12(f) for PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A) obtained from Step 4(e) or PikaFix Pack
    (h) (i) Double click BCPKG2-1-Normal-Main
        (ii) Browse BCPKG2-1-Normal-Main (O) from Step 10(e) and click Start to copy to eMMC
        (iii) Close the window
    (i) Repeat Step 12(h) for BCPKG2-2 to BCPKG2-4 (O)
    (k) Double click SAFE, under Virtual Drive, click Install
    (l) (i) Select a Drive Letter, I use "Y:"
        (ii) Tick box for Passthrough zeroes
        (iii) Click mount
        (iv) Find your mounted drive on PC, which is Y:/ for me
        (v) Delete all content and replace it with that from Step 10(e)
        (vi) Close the window
    (m) Repeat (l) for SYSTEM and USER
    **Reminder: there are hidden system files, please make sure that you can see ALL files
    If you don't know how, here it is: tick the box for "Protected operating system files"
    (n) Close HacDiskMount

    If you use Linux PC with mmcblknx, unplug Switch and turn it off then go to (p)

    (o) (i) On Switch (D), unplug USB cable and reinsert with BOOT0 or
        (ii) Use BalenaEtcher to flash BOOT0.bin (O) from Step 10(e)
        (iii) Repeat (o) for BOOT1.bin (O)

    Go to Step 13

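    (p) (i) Copy BOOT0.bin (O) and BOOT1.bin (O) to Linux PC
        (ii) With eMMC connected, open terminal and navigate to folder containing BOOT0.bin (O) and BOOT1.bin (O)
        (iii) Enter the following code to flash BOOT0 and BOOT1
    Code:
    # Check with lsblk first that mmcblk0 is the eMMC in the reader, not another card
    sudo su
    # Clear the kernel's read-only flag on the eMMC and its two boot partitions
    echo 0 > /sys/block/mmcblk0/force_ro
    echo 0 > /sys/block/mmcblk0boot0/force_ro
    echo 0 > /sys/block/mmcblk0boot1/force_ro
    exit
    # File names are case-sensitive on Linux; use the names produced in Step 10(e)
    sudo dd if=BOOT0.bin of=/dev/mmcblk0boot0
    sudo dd if=BOOT1.bin of=/dev/mmcblk0boot1
    # Flush the writes before unplugging the reader
    sync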
  13. Plug eMMC chip back to Switch (D) if you haven't
  14. Insert microsd with all necessary CFW files then boot to CFW
  15. Switch (D) is alive
Notes:
Boot Atmosphere with fusee-primary.bin
This may give an error and you need to press the power button to reboot once, then it can boot into Atmosphere
I don't know if this is related to the use of device ID spoofing.
If you encounter an infinite boot loop to the Atmosphere splash screen / error screen, it's abnormal

After repairing NAND, OFW 12.1.0 is installed using Daybreak under emummc Atmosphere 0.20.1
Remember to use corresponding sigpatch

Thanks for reading.

Credit to all the payloads, software creators, and advice in this post and Unbricking Guide:
SciresM and the ReSwitched team for Atmosphere
CTCaer for Hekate
Shchmue for Lockpick_RCM
CaramelDunes for prodinfo_gen
SuchMemeManySkill for eMMC Hacc Gen
Rajkosto for HacDiskMount
Eliboa for NXNandManager
ignasurba for mmcblkNX
Balena for Balena Etcher
 
Last edited by ewabc886,

Oriordan

Errors
 

Attachments: IMG_20220124_174051.jpg, IMG_20220124_174249.jpg

fatherboard

Followed the guide but bumped into a problem: after opening HacDiskMount and inserting the PRODINFO BIS keys, I get a "FAIL! Entropy 7,990 (tested 16384 out of 16384 bytes)".
Tried with another donor prod.keys but still get the same error.
 

Adran_Marit

you need to use your own console keys you dump initially to decrypt, then you can use the donor ones
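
What the quoted "Entropy 7,990" figure indicates, as an added example that is not part of the thread and not HacDiskMount's own code: 16384 bytes of pure noise measure about 7.989 bits per byte, so the reported value means the tested key turned the partition into random-looking data rather than readable plaintext. The 7.9 threshold, the function names and both sample buffers are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SAMPLE = 16384    # bytes tested, as in the quoted error message
THRESHOLD = 7.9   # assumed cut-off; the tool's real limit is not given in the thread

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 = constant data, 8 = uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def key_test(decrypted: bytes) -> str:
    """Mimic a key 'Test' step: structured plaintext passes, noise fails."""
    h = shannon_entropy(decrypted[:SAMPLE])
    return f"{'FAIL' if h > THRESHOLD else 'OK'}! Entropy {h:.3f}"

def noise(n: int) -> bytes:
    """Constructed stand-in for data decrypted with the wrong key:
    a SHA-256 counter stream, which behaves like uniform random bytes."""
    blocks = (hashlib.sha256(i.to_bytes(4, "little")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def structured(n: int) -> bytes:
    """Constructed stand-in for a correctly decrypted partition:
    short ASCII fields padded with zero bytes."""
    record = b"CONSTRUCTED-FIELD-0001".ljust(64, b"\0")
    return (record * (n // 64 + 1))[:n]

def finite_sample_ceiling(n: int, symbols: int = 256) -> float:
    """Expected measured entropy of n truly uniform bytes; the estimate
    falls short of 8.0 by roughly (symbols - 1) / (2 n ln 2)."""
    return math.log2(symbols) - (symbols - 1) / (2 * n * math.log(2))

if __name__ == "__main__":
    print(key_test(noise(SAMPLE)))        # wrong-key case
    print(key_test(structured(SAMPLE)))   # right-key case
    print(f"ceiling for {SAMPLE} bytes: {finite_sample_ceiling(SAMPLE):.4f}")
```
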
 

StringIsNullOrEmpty

Trying to fix my switch with broken eMMC with one bought from the internet and running into problems, hoping someone can help:

*I don't have a donor switch, so I'm using Pikafix pack. I did manage to dump my prod.keys from my console.

Problem 1: Pikafix pack doesn't have USER.bin and I can see that a few steps down I need that, how can I get this?

Problem 2: Step 11 says to copy key.dat (D) but I don't have that (since no donor switch) and Pikafix pack doesn't have this, can I use NxNandManager and the prod.keys I dumped to generate my own? (the guide specifically says to skip this step if using pikafix though so I'm not sure)

Problem 3: Step 12(e) says to select the eMMC partition, which I did, but since it was bought online and not from a donor switch it is completely empty. It first complains that it doesn't see a complete eMMC dump, and prompts to continue. If I click continue it says both primary and secondary GPT are bad. I'm completely stuck now and don't know how to proceed.
 
Last edited by StringIsNullOrEmpty,

Adran_Marit


Pikafix author here

1) User can be blank. Only keys are needed.

2) Keys.dat and prod.keys are the same (mostly); the only real difference is the biskeys which are the important ones needed to access the emmc stuff, which is console unique. Dumped with lockpick_rcm and are located in prod.keys

3) you might need to use gpt restore, otherwise you will likely need to use a gpart and linux to manually create the partitions and table.


For reference, if you can find a correct dump, you can more or less image that back on the emmc and then fix it from there. Which is what I did when I got my upgrade nand chip with bad partitions
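
What "both primary and secondary GPT are bad" means on disk, as an added example that is not from the thread or from any tool named in it: a checker that validates the GPT header at LBA 1 and the backup header in the last sector of a raw image, including both CRC32 fields. It assumes 512-byte sectors and the standard UEFI GPT layout; the function names and the miniature sample image are constructed for illustration.

```python
import struct
import zlib

SECTOR = 512  # assumed logical sector size of the dump

def check_gpt_header(image: bytes, lba: int) -> str:
    """Return 'ok' or the first reason the GPT header at `lba` is rejected."""
    hdr = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        return "no signature"
    size, stored_crc = struct.unpack_from("<II", hdr, 12)
    if not 92 <= size <= SECTOR:
        return "bad header size"
    # The header CRC is computed with its own 4-byte field zeroed.
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:size]) != stored_crc:
        return "header CRC mismatch"
    if struct.unpack_from("<Q", hdr, 24)[0] != lba:
        return "header not at its recorded LBA"
    ent_lba, count, ent_size, ent_crc = struct.unpack_from("<QIII", hdr, 72)
    table = image[ent_lba * SECTOR:ent_lba * SECTOR + count * ent_size]
    if len(table) != count * ent_size or zlib.crc32(table) != ent_crc:
        return "entry table CRC mismatch"
    return "ok"

def check_dump(image: bytes) -> dict:
    """Primary header lives at LBA 1, the backup in the last sector."""
    last = len(image) // SECTOR - 1
    return {"primary": check_gpt_header(image, 1),
            "secondary": check_gpt_header(image, last)}

def build_sample(sectors: int = 64, count: int = 4, ent_size: int = 128) -> bytes:
    """Constructed miniature image with a valid primary and backup GPT."""
    img = bytearray(sectors * SECTOR)
    table = bytearray(count * ent_size)
    table[56:72] = "PRODINFO".encode("utf-16-le")  # name field of entry 0
    for lba, alt, ent_lba in ((1, sectors - 1, 2), (sectors - 1, 1, sectors - 2)):
        hdr = bytearray(92)
        struct.pack_into("<8sIIII", hdr, 0, b"EFI PART", 0x10000, 92, 0, 0)
        struct.pack_into("<QQ", hdr, 24, lba, alt)
        struct.pack_into("<QIII", hdr, 72, ent_lba, count, ent_size, zlib.crc32(table))
        struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
        img[lba * SECTOR:lba * SECTOR + 92] = hdr
        img[ent_lba * SECTOR:ent_lba * SECTOR + len(table)] = table
    return bytes(img)

if __name__ == "__main__":
    print("blank chip:", check_dump(bytes(64 * SECTOR)))
    print("good image:", check_dump(build_sample()))
```

A blank chip fails at the signature check for both copies, which is the state described in Problem 3; an image with only one damaged copy still has an intact header to restore the other from.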
 

StringIsNullOrEmpty

Thanks! That's really helpful information. I will look into how to do the 3 you mentioned :D
 

LostInTheSauce

@ewabc886 Great write up! I've been able to follow it easily up until hacdiskmount.

You had mentioned to post here if errors occurred. I'm getting FAIL! Entropy 7.988 (tested16384 out of 16384 bytes) I got the key.dat file by pulling the prod.keys off the dead switch with the donor ( spare emmc I had) emmc installed (the dead emmc is actually not even on hand)

Any suggestions?
 

Adran_Marit


IIRC you need the original keys for the console you are trying to restore, including the partition keys from the nand. Don't quote me on that as I'm hella tired but that seems most logical to me
 

LostInTheSauce

So without the original nand it can't be rebuilt or even cloned from the other (good) nand? Even if I don't care about being able to get on OFW and go online?
 

LostInTheSauce

I somehow was able to rebuild prod.keys from another switch, then rebuild the rawnand. I used tegra to get it flashed to the emmc and now have a bootable device on both OFW and CFW. I believe it shares the same information as the donor switch I used so I don't think I'll be trying to connect to Nintendo on this one.
 

Adran_Marit


From memory when I wrote the initial pikafix guide which is linked in the OP you needed the keys from the bricked console, namely the biskeys which were used to resign the donor prodinfo with the appropriate key allowing it to boot.

Glad you got it working and no probably don't connect online XD
 