Hacking WIP SXOS is bundling with the emmc chip, and possible to clone. (research thread)

HheuerZzhang · Jul 29, 2018

This thread is not about crack the SXOS, but may able to clone it.
The approach may only working on SAMSUNG emmc (details will explain below)

A brief illustrate, will update time to time:

a,how sxos bundle with your console ?
1, when sxos boot.dat running up, it read the emmc CID(16byte) and CSD(16byte), then combine them to generate 32byte "Fingerprint"
2, send the fingerprint to Server, generate licence file that only valid for the single fingerprint (from step one)
3, every time, when power-up(after lunch the fusee) SXOS scan the emmc, and compare the fingerprint and license.

b, about CID and CSD
1,CID and CSD are unique for each emmc chip, and normally speak：read only not rewrite able.
2,There always an exception ! SAMSANG emmc5.1 and below chips are able to write the CID, CSD (RCA, DSR and OCR as well)
3,So, if we can 100% clone an emmc chip, that means we can clone SXOS as well.

c, emmc on tiny pcb (with 30 pin mezzanine)
1, Switch use 32G 5.1 emmc chip from SAMSUNG and TOSHIBA， with a tiny PCB connected to the main board. that's convince for apply mode/hack.
Detail, please google: ifix+switch
2, TOSHIBA chip:THGBMHG8C2LBAIL (32GB -20~85 deg.C, 153 BGA) ; SAMSUNG chip:KLMBG2JENB-B041(32GB, 153BGA) ;
15X2 mezzanine： Molex 51338-0374, SlimStack™ 0.40mm Pitch Board-to-Board Connectors

d, emmc pcb pin-out v.s. BGA-pot analysis (come later)

e, Build microSD-emmc adapter (come later)

f, Build mezzanine connector break-out cable for SD adaptor (come later)

g, Migrate SXOS to another console
this is easy, e.g. migr from A to B ：
1， just back-up NAND of B, buck-up the boot.bin and licence file as well
2， move emmc pcb from A and mount to B
3， recover NAND of B from step-1
4, copy boot.bin and licence to TF(microSD) card on B, or simple unplug it from A the plug into B.

e, How to edit SAMSUNG emmc CID，CSD， RCA， DSR， OCR (come later)

f, How to Clone the SXOS to SAMSUNG emmc (details come later)
like section-g
1, Patch SAMSUNG emmc, make up it, acting as SXOS licenced emmc.
note: SXOS on any type of emmc, can clone to SAMSUNG emmc (no matter TOSHIBA, SAMSUNG or maybe other vendor)
2, same procedure as step 1,3,4 (skip 2).

I will try to upload pictures, but seems I am not able to do it yet (new member)

HheuerZzhang · Jul 29, 2018

photo of the emmc pcb, with TOSHIBA chip

HheuerZzhang · Jul 29, 2018

photos,shown the emmc PCB with SAMSUNG chip, and the 15X2 0.4mm pitch connector.

garyopa · Jul 29, 2018

the only problem is nintendo bootrom knows the installed 'emmc details' also, i doubt you can install 'cloned' emmc' into another switch, it would detect the swap.

--------------------- MERGED ---------------------------

cost is not much different than just getting another sx os license, which is only $25, another emmc is at least $19 plus shipping.

If you going to go to all that work in replacing the emmc module, might as well replace it with a 128gb version.

And use the new hekate payload when it arrives which will support 'dual-nand' and 'increased-nand', you could bootup into 32gb original untouched, or boot into 96gb cfw setup.

DocKlokMan · Jul 29, 2018

That's a lot of effort over patching the SX OS binary to approve any fingerprint.

HheuerZzhang · Jul 29, 2018

I will try it out , step by step, with pictures records.
the two ns i have on hands are all TOSHIBA emmc, and I am trying to get a SAMSUNG emmc pcb (15usd), it's will shipping from China in tow days.
Hope I can got the samsung emmc by next weekend
For SAMSUNG emmc CID patch， already done （SAMSUNG microSD actually based on emmc）
Reference：
http://theroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf
https://github.com/beaups/SamsungCID
and
https://richard.burtons.org/2016/07/01/changing-the-cid-on-an-sd-card/

And there is commercial tool kit, able to do the work, but cost 100+ usd. (emmc-pro box)

garyopa said:
the only problem is nintendo bootrom knows the installed 'emmc details' also, i doubt you can install 'cloned' emmc' into another switch, it would detect the swap.

--------------------- MERGED ---------------------------

cost is not much different than just getting another sx os license, which is only $25, another emmc is at least $19 plus shipping.

If you going to go to all that work in replacing the emmc module, might as well replace it with a 128gb version.

And use the new hekate payload when it arrives which will support 'dual-nand' and 'increased-nand', you could bootup into 32gb original untouched, or boot into 96gb cfw setup.

http://www.emmc-pro.com/dynamic.php?ID=32

--------------------- MERGED ---------------------------

Bigger emmc NOT work on switch
Replace emmc with NAND back-up does work~!

--------------------- MERGED ---------------------------

new hakate will support addtional emmc space ?
Great，then I do have a better reason to try it out！

HheuerZzhang · Jul 29, 2018

actually replace emmc then restore back-up works.
That's the reason, nintendo design separate pcb for emmc, more easy to repair, also with possibility to release new version with bigger build-in storage capability.

rrocha · Jul 29, 2018

I do agree that this might not be a very cost-effective solution but it should be a very interesting and fun research project.

Hacking WIP SXOS is bundling with the emmc chip, and possible to clone. (research thread)

Active Member

Active Member

Active Member

Admin @ MaxConsole

Plugin Dev

Active Member

Active Member

Developer

Similar threads

Popular threads in this forum