Tutorial  Updated

NAND Rebuilding (for no backup / broken eMMC)

Disclaimer: I'm not responsible for any damage related to the following guide

NAND Rebuilding Guide

This rebuild of NAND is to use donor NAND from Switch (A) (which you may obtain from internet) with device ID (A) on Switch (D) which certainly has device ID (D)

It means that we are tricking the Switch (D) to see itself with device ID (A) so it will boot into NAND with device ID (A) encrypted by keys from Switch (D)

By this method, you can't go online and can't boot OFW
In theory, if the files are modified to match device ID, it should be possible to build NAND that can let Switch (D) to boot OFW or even go online, which I don't know how

Guide:
Before we start
Make sure that your Dead Switch (D) can use Hekate -> Tools -> USB Tools -> eMMC RAW GPP
and connect to PC
Otherwise you will need a EMMC reader like mmcblknx
However, a dead eMMC can also lead to unreadable problem when connected.
Please test your own situation before buying anything.
Normally, injecting Hekate payload directly from PC should let you connect.

Remarks:
(A) from good Switch;
(D) from dead Switch;
(O) for output files

0.1 Hardware

a working emmc module, which can let a normal switch to boot OFW normally
a good (donor) Switch (A) with good emmc (A)
a Switch (D) with dead emmc (D)
Windows PC
For mmcblknx user, also need Linux PC

0.2 Files Preparation
[On Switch]
Payloads: Lockpick v1.9.4.bin, prodinfo_gen v0.3.4.bin
Hekate v5.6.0 & Nyx v1.0.6

[On PC]
Suitable OFW, on my Switch OFW 12.0.2 works
Search for darthsternie's firmware on google should get you one
EmmcHaccGen v2.2.3
HacDiskMount v1.0.5-5
NxNandManager v5.0
(Optional) BalenaEtcher: Flash BOOT0 and BOOT1. For users mounting eMMC by Hekate or mmcblknx users with Windows PC only
(Optional) You can try to use PikaFix Pack's dump (Start from Step 5), which I didn't

*PC needs to be able to view all files including "Protected operating system files"

Assuming that you have 2 Switch (A) and (D)
and have 1 eMMC chips (A) with data you do not need

Let's get started
*For PikaFix Pack used, start from Step5 and consider PikaFix Pack as Switch (A)

  1. On Switch (A), inject Lockpick.bin to get prod.keys (A)
  2. On Switch (A), boot Hekate -> Tools -> Backup eMMC, select eMMC RAW GPP to dump rawnand.bin (A)
  3. On PC, copy prod.keys (A) and rawnand.bin (A) to PC from microsd (A)
  4. (a) start NxNandManager v5.0
    (b) import keys (Ctrl + K)
    (c) find key.dat (A), which contains the BIS keys, located under the NxNandManager v5.0 folder and copy to somewhere convenient
    (d) open rawnand.bin (A) (Ctrl + O)
    (e) export decrypted PRODINFO.bin (A), PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A)
    (f) close NxNandManager v5.0
  5. Put eMMC chip from Switch (A) (or any good eMMC chip) to Switch (D)
  6. Dump prod.keys (D) by Lockpick.bin
  7. Copy PRODINFO.bin (A) prod.keys (D) to microsd (D) and rename PRODINFO.bin to donor_prodinfo.bin
  8. On Switch (D), inject payload prodinfo_gen.bin to get PRODINFO.bin (O)
    *if you encounter error about missing master keys, copy the following lines from prod.keys (A) to prod.keys (D) then try again:
    master_key_00 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_01 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_02 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_03 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_04 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_05 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    master_key_source = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    **Do not confuse with the lines master_kek
    ***PikaFix Pack users may need to find your own ways to obtain master keys
  9. Copy PRODINFO.bin (O) to PC
  10. (a) Copy prod.keys (D) to EmmcHaccGen.2.2.3 folder and rename the file to keys.txt
    (b) Unzip OFW in EmmcHaccGen.2.2.3 folder and rename the folder to fw
    i.e.
    Code: 
    EmmcHaccGen.2.2.3 folder
|--EmmcHaccGen.exe
|--keys.txt
|--fw
    |--firmware .nca files
    (c) Start CMD and nevigate to EmmcHaccGen.2.2.3 folder
    (d) use the following code to generate firmware file for Switch (D)
    Code: 
    EmmcHaccGen.exe --keys keys.txt --fw fw
    (e) In my case OFW 12.0.2 is used, then a folder named NX-12.0.2_exFAT is generated, which contains
    Code: 
    Folders SAFE (O), SYSTEM (O), USER (O),
Files BOOT0.bin (O), BOOT1.bin (O), BCPKG2-1 to BCPKG2-4 (O)
boot.bis is not used
    (f) Close CMD
  11. Open key.dat (A) in step 4(c) by text editor (or rename to key.txt first if you want to)
  12. !CAUTION! From now on, remember to use the eMMC chip you want to empty its content, all saved data on the chip will be deleted
    (a) start HacDiskMount v1.0.5-5 with Administrator permission

    Read eMMC by Hekate, go to Step12(b)
    Read eMMC by mmcblknx, go to Step12(c)

    (b) (i) On Switch (D), boot to Hekate -> Tools -> USB Tools -> (!!read only OFF!!) eMMC RAW GPP
    __(ii) Connect Switch (D) to PC, then go to Step 12(d)

    (c) Connect the eMMC chip to mmcblknx and connect mmcblknx to PC

    (d) On HacDiskMount, select File -> Open physical drive
    (e) Double click on your eMMC chip, should have size of 29.xx GB
    (f) (i) Double click PRODINFO
    __(ii) Copy corresponding BIS keys from key.dat (D)
    _____*Make sure that you copied correct BIS keys x, where x ranged from 0 to 2
    __(iii) Click Test then Save. If error occurs, please stop here and leave comment and let's discuss
    __(iv) Browse PRODINFO.bin (O) and click Start to copy to eMMC
    __(v) Close the window
    (g) Repeat Step 12(f) for PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A) obtained from Step 4(e) or PikaFix Pack
    (h) (i) Double click BCPKC2-1-Normal-Main
    __(ii) Browse BCPKC2-1-Normal-Main (O) from Step 10(e) and click Start to copy to eMMC
    __(iii) Close the window
    (i) Repeat Step 12(h) for BCPKC2-2 to BCPKC2-4 (O)
    (k) Double click SAFE, under Virtual Drive, click Install
    (l) (i) Select a Drive Letter, I use "Y:"
    __(ii) Tick box for Passthrough zeroes
    __(iii) Click mount
    __(iv) Find your mounted drive on PC, which is Y:/ for me
    __(v) Delete all content and replace by that from Step 10(e)
    __(vi) Close the window
    (m) repeat (l) for SYSTEM and USER
    **Reminder: there are system files hidden, please make sure that you can see ALL files
    If you don't know how, Here it is. Tick the box for "Protected operating system files"
    (n) Close HacDiskMount

    If you use Linux PC with mmcblknx, unplug Switch and turn it off then go to (p)

    (o) (i) On Switch (D), unplug USB cable and reinsert with BOOT0 or
    __(ii) Use BalenaEtcher to flash BOOT0.bin (O) from Step 10(e)
    __(iii) repeat (o) for BOOT1.bin (O)

    Go to Step 13

    (p) (i) Copy BOOT0.bin (O) and BOOT1.bin(O) to Linux PC
    __(ii) With eMMC connected, open terminal and navigate to folder containing BOOT0.bin (O) and BOOT1.bin (O)
    __(iii) Enter the following code to flash BOOT0 and BOOT1
    Code: 
    sudo su
echo 0 > /sys/block/mmcblk0/force_ro
echo 0 > /sys/block/mmcblk0boot0/force_ro
echo 0 > /sys/block/mmcblk0boot1/force_ro
exit
sudo dd if=boot0.bin of=/dev/mmcblk0boot0
sudo dd if=boot1.bin of=/dev/mmcblk0boot1
  13. Plug eMMC chip back to Switch (D) if you haven't
  14. Insert microsd with all necessary CFW files then boot to CFW
  15. Switch (D) is alive
Notes:
boot Atmospher with fusee-primary.bin
This may give an error and need to press power button to reboot once, then can boot into Atmosphere
I don't know if this is related to the use of device ID spoofing.
If you encounter infinite boot loop to Atmosphere splash screen / error screen, it's abnormal

After repairing NAND, OFW 12.1.0 is installed using Daybreak under emummc Atmosphere 0.20.1
Remember to use corresponding sigpatch

Thanks for reading.

Credit to all the payloads, software creators, and advices in this post and Unbricking Guide:
SciresM and the ReSwitched team for Atmosphere
CTCaer for Hekate
Shchmue for Lockpick_RCM
CaramelDunes for prodinfo_gen
SuchMemeManySkill for eMMC Hacc Gen
Rajkosto for HacDiskMount
Eliboa for NXNandManager
ignasurba for mmcblkNX
Balena for Balena Etcher
 
Last edited by ewabc886,
  • Like
Reactions: Blythe93, iTech_Console, de9ed and 9 others
Click to expand...
impeeza

impeeza

¡Kabito!
Member
Level 27
Joined
Apr 5, 2011
Messages
6,318
Trophies
3
Age
46
Location
At my chair.
XP
18,561
Country
Colombia
LuckyCat said:
On step 4(b) i can use prod.keys D(dead switch) or A(keys form donor switch) ?
Click to expand...
1669476121085.png
 
  • Like
Reactions: LuckyCat
darthxa

darthxa

Member
Newcomer
Level 1
Joined
Jan 9, 2023
Messages
7
Trophies
0
Age
36
XP
25
Country
Brazil
A little brief,
i bought a bricked nintendo switch online, Erista unpatched, the previous owner had unblock and didn't make a bkp and the switch don't boot neither cfw or ofw, so i rebuilded a nand using this tutorial with a donor rawnand...he boot into atmosphere, but with fatal error 010000000005 like the other guy said, he has 17 burnt fusees, so it's 15.01, correct? my donor nand it's in the 12.0.2, so probably if i can get a 15.0.1 dump´may i rebuild with sucess?
 
binkinator

binkinator

Garfield’s Fitness Coach
Member
GBAtemp Patron
Level 16
Joined
Mar 29, 2021
Messages
6,511
Trophies
2
XP
6,155
Country
United States
darthxa said:
A little brief,
i bought a bricked nintendo switch online, Erista unpatched, the previous owner had unblock and didn't make a bkp and the switch don't boot neither cfw or ofw, so i rebuilded a nand using this tutorial with a donor rawnand...he boot into atmosphere, but with fatal error 010000000005 like the other guy said, he has 17 burnt fusees, so it's 15.01, correct? my donor nand it's in the 12.0.2, so probably if i can get a 15.0.1 dump´may i rebuild with sucess?
Click to expand...
Boot with Hekate and your fuses don’t matter. Regardless, here’s the official fuse count:

FusesHekate bypasses the anti-downgrade fuse process but you still might be curious how many fuses are expected to burn for each FW version
 
  • Like
Reactions: impeeza
darthxa

darthxa

Member
Newcomer
Level 1
Joined
Jan 9, 2023
Messages
7
Trophies
0
Age
36
XP
25
Country
Brazil
binkinator said:
Boot with Hekate and your fuses don’t matter. Regardless, here’s the official fuse count:

Hekate bypasses the anti-downgrade fuse process but you still might be curious how many fuses are expected to burn for each FW version
Click to expand...
thx mate, but the switch boot into hekate, blank the screen then enter rcm again
 
binkinator

binkinator

Garfield’s Fitness Coach
Member
GBAtemp Patron
Level 16
Joined
Mar 29, 2021
Messages
6,511
Trophies
2
XP
6,155
Country
United States
darthxa

darthxa

Member
Newcomer
Level 1
Joined
Jan 9, 2023
Messages
7
Trophies
0
Age
36
XP
25
Country
Brazil
binkinator said:
Interesting. Did you create the SDCard from scratch or are you dealing with a mystery card from the original owner that bricked it to begin with?
Click to expand...
i've recreated from 0, he just boot, open the date config, than blank and turn back to rcm
Post automatically merged:

darthxa said:
i've recreated from 0, he just boot, open the date config, than blank and turn back to rcm
Click to expand...
perhaps the boot0 and boot1 didn't flash correct...any ideas?
 
Last edited by darthxa,
  • Like
Reactions: impeeza
binkinator

binkinator

Garfield’s Fitness Coach
Member
GBAtemp Patron
Level 16
Joined
Mar 29, 2021
Messages
6,511
Trophies
2
XP
6,155
Country
United States
darthxa said:
i've recreated from 0, he just boot, open the date config, than blank and turn back to rcm
Click to expand...
Great. Just checking the basics. If it’s just atmosphere/hekate and you’re using a working /bootloader/hekate_ipl.ini file it should just work.
darthxa said:
perhaps the boot0 and boot1 didn't flash correct...any ideas?
Click to expand...
Perhaps. I would just go over everything again and see if you missed anything. No silver bullet I’m afraid.

Anyone else have any ideas?
 
  • Like
Reactions: impeeza
darthxa

darthxa

Member
Newcomer
Level 1
Joined
Jan 9, 2023
Messages
7
Trophies
0
Age
36
XP
25
Country
Brazil
binkinator said:
Great. Just checking the basics. If it’s just atmosphere/hekate and you’re using a working /bootloader/hekate_ipl.ini file it should just work.

Perhaps. I would just go over everything again and see if you missed anything. No silver bullet I’m afraid.

Anyone else have any ideas?
Click to expand...
i'll do that, tomorrow we'll see. thx mate
 
  • Like
Reactions: binkinator and impeeza
Adran_Marit

Adran_Marit

Walküre's Hacker
Member
Level 14
Joined
Oct 3, 2015
Messages
3,781
Trophies
1
Location
42*South
XP
4,548
Country
Australia
darthxa said:
A little brief,
i bought a bricked nintendo switch online, Erista unpatched, the previous owner had unblock and didn't make a bkp and the switch don't boot neither cfw or ofw, so i rebuilded a nand using this tutorial with a donor rawnand...he boot into atmosphere, but with fatal error 010000000005 like the other guy said, he has 17 burnt fusees, so it's 15.01, correct? my donor nand it's in the 12.0.2, so probably if i can get a 15.0.1 dump´may i rebuild with sucess?
Click to expand...

Did you have the original prodinfo for the console, If not you need to generate one using prodinfogen
 
  • Like
Reactions: binkinator
darthxa

darthxa

Member
Newcomer
Level 1
Joined
Jan 9, 2023
Messages
7
Trophies
0
Age
36
XP
25
Country
Brazil
Adran_Marit said:
Did you have the original prodinfo for the console, If not you need to generate one using prodinfogen
Click to expand...
i did not, but i generated one already, i'll start over again and see what's happening
Post automatically merged:

ok, i did all over again, with no errors, and had same problem, if i boot fusee.bin i get this message:
A fatal error occurred when running atmosphere.
Program ID: 010000000000005
Error Desc: std: :abort() called (0xffe)

otherwise if i boot to hekate 6.0.1 the splash art from hekate blanks then show the home menu and turn off to rcm

i have no more ideias....

any help?
Post automatically merged:

darthxa said:
i did not, but i generated one already, i'll start over again and see what's happening
Post automatically merged:

ok, i did all over again, with no errors, and had same problem, if i boot fusee.bin i get this message:
A fatal error occurred when running atmosphere.
Program ID: 010000000000005
Error Desc: std: :abort() called (0xffe)

otherwise if i boot to hekate 6.0.1 the splash art from hekate blanks then show the home menu and turn off to rcm

i have no more ideias....

any help?
Click to expand...
This is my new NAND
 

Attachments

  • mew nand.png
    mew nand.png
    33.7 KB · Views: 63
  • new nand 2.png
    new nand 2.png
    22.7 KB · Views: 67
Last edited by darthxa,
  • Like
Reactions: impeeza and binkinator
DragonCrash

DragonCrash

New Member
Newbie
Level 1
Joined
Jan 15, 2023
Messages
4
Trophies
0
Age
32
XP
78
Country
Italy
Hello everybody
I followed the guide in all its steps. But he keep getting black screen after the Nintendo logo.
I used prod.key and NAND from a friend's Switch.
I am using a mmcblkNX usb NAND reader to write to the NAND.
On NXNandManager, with my prod.key I can access the NAND, in fact I can see my friend's name in the "Switch Nickname".
How can I fix?

PS.
I solved it a while ago.
I had skipped the transfer of files to the SYSTEM partition because it didn't mount it as a readable file system.
I tried to reassemble it and I was able to access the files, delete the existing ones and put the generated ones.
Now the Switch turns on as if it came from the factory.
Thank you all the same
 
Last edited by DragonCrash,
  • Like
Reactions: impeeza
losth1ghway

losth1ghway

Member
Newcomer
Level 1
Joined
Nov 3, 2022
Messages
5
Trophies
0
Age
34
XP
71
Country
Germany
Hi,

Can someone please clarify 4. (c) for me.
It says find key.dat (D) in the NxNandManager directory.
I have a file called keys.dat, but this was generated from importing the prod.keys from switch (A) into NxNandManager as in the previous steps.

Is this the right file? I'm confused as to why it says this file should be from switch (D) when so far this switch hasn't been used in the guide yet.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

The MIG Switch Thread

Kingdom Come Deliverance Nswitch MOD

Homebrew Tutorial  Building Pagascape from source to running Self Hosted mode on Windows and MSYS

mig switch not working/updating??

Hacking Homebrew Tutorial  Portable PegaScape (Win32)

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

Fusee.bin with the new Pre-release of Atmoshere 1.7.0

DBI language error

General chit-chat
Help Users
  • No one is chatting at the moment.
    SylverReZ @ SylverReZ: https://www.youtube.com/watch?v=pnRVIC7kS4s