Hacking Question Switch won't boot after restore nand but can run RCM

vividiorem · Jun 3, 2019

Greetings,
Just yesterday I would to restore my NAND backup, but I backup BOOT 0/1 and Partitions only,
Then i cannot turn on my switch after restore those, I tried to spend almost 20 hours to solving this problem, of course, I failed.

The firmware version was 6.02 when I did the backup, but the switch's real version should be 7.0,
yes, fuse burnt 8/64, but this not important,

My backup NAND data might be corrupted, because the size of BOOT 1/0 both are 4096 kb, so I am not sure is the Partitions has same problem,
I didn't realize these problems when I restore it,

Now switch won't turn on, it just show the white Nintendo logo 1 sec,
I would to update my switch by ChoiDujour to refresh the system, but not sure how to use ChoiDujour at RCM.

then I referenced a thread by rajkosto, but I cannot get device key and bis key by biskeydump or Lockpick_RCM because the key was corrupted.

Is anyone had same question or have some suggest?

toxic9 · Jun 3, 2019

Boot 0/1 are 4Mb in size.
They should be OK. but you don't need them without a Nand backup.

And why people love to mess with things they are not familiar with!?

https://github.com/mattytrog/Switchboot_PART_2/blob/master/BOOT_REPAIR_PACKAGE_iha2.7z

1) Unzip file

2) Make folders on SD card like this...

a) Make "backup" folder
b) Go into backup folder and make a BACKUP_1 folder inside of it
c) Go into backup/BACKUP_1 folder and make another folder called BOOTS
d) Drop the included 8.0.1 BOOT0/1 into this BOOTS folder

3) Launch included switchboot with tegraRCMsmash... Go to backup/restore

4) Go to restore

5) go to restore with no size check

6) New boot0/1 will be written...

7) It will take you to RCM menu if you want to enable autoRCM or not... all on screen

8) boot normally.

vividiorem · Jun 4, 2019

thanks, i

toxic9 said:
Boot 0/1 are 4Mb in size.
They should be OK. but you don't need them without a Nand backup.

And why people love to mess with things they are not familiar with!?

1) Unzip file

2) Make folders on SD card like this...

a) Make "backup" folder
b) Go into backup folder and make a BACKUP_1 folder inside of it
c) Go into backup/BACKUP_1 folder and make another folder called BOOTS
d) Drop the included 8.0.1 BOOT0/1 into this BOOTS folder

3) Launch included switchboot with tegraRCMsmash... Go to backup/restore

4) Go to restore

5) go to restore with no size check

6) New boot0/1 will be written...

7) It will take you to RCM menu if you want to enable autoRCM or not... all on screen

8) boot normally.

Thank you a lot,
it need a password when I unzip this file,
I tried to search it from the explain thread and replay but I didn't find it.

smf · Jun 4, 2019

vividiorem said:
thanks, i

Thank you a lot,
it need a password when I unzip this file,
I tried to search it from the explain thread and replay but I didn't find it.

I think you're supposed to PM mattyrog for the password

https://gbatemp.net/threads/possible-brick.537961/#post-8628204

Or scroll down...

vividiorem · Jun 4, 2019

smf said:
I think you're supposed to PM mattyrog for the password

Or scroll down...

genius dude, scroll down is genius solution,
i just saw the password,
its ihateanime2.......

vividiorem · Jun 4, 2019

toxic9 said:
Boot 0/1 are 4Mb in size.
They should be OK. but you don't need them without a Nand backup.

And why people love to mess with things they are not familiar with!?

1) Unzip file

2) Make folders on SD card like this...

a) Make "backup" folder
b) Go into backup folder and make a BACKUP_1 folder inside of it
c) Go into backup/BACKUP_1 folder and make another folder called BOOTS
d) Drop the included 8.0.1 BOOT0/1 into this BOOTS folder

3) Launch included switchboot with tegraRCMsmash... Go to backup/restore

4) Go to restore

5) go to restore with no size check

6) New boot0/1 will be written...

7) It will take you to RCM menu if you want to enable autoRCM or not... all on screen

8) boot normally.

I restore the new boot,
then its total blue color when I boot normally

vividiorem · Jun 5, 2019

Maybe there have a way can be refresh the original system on the RCM,
I ll try to start on there.

GothicIII · Jun 5, 2019

If biskeydump shows corrupted keys and you dont have a working nand backup nor the BIS keys - you are screwed. When you restored your nand you overwrote the section with the console specific bis keys.

Without the correct consolespecific BIS keys you can't run horizon.

I am sorry but atm there is no bringing back the console to life. You can use it as a ubuntu tablet now, though.

EDIT: I am no switch developer I could be wrong. For me I don't get why the bis key dump doesn't work. Are they really saved on the emmc? If yes you are screwed if not you need to find out why biskeydump does not work.

EDIT2: Please somebody confirm/deny.
I read the switchbrew wiki and the github of lockpick. If I understand this correctly all your console unique BIS keys (and other keys) are inside BOOT0 in the keyblob area starting at 0x180000. There is just a problem: They are encrypted and nobody knows the package1 key to decrypt them.
To get the BIS keys there is some other trickery going on and it seems to require a (partly) working system to get those.

vividiorem · Jun 5, 2019

GothicIII said:
If biskeydump shows corrupted keys and you dont have a working nand backup nor the BIS keys - you are screwed. When you restored your nand you overwrote the section with the console specific bis keys.

Without the correct consolespecific BIS keys you can't run horizon.

I am sorry but atm there is no bringing back the console to life. You can use it as a ubuntu tablet now, though.

EDIT: I am no switch developer I could be wrong. For me I don't get why the bis key dump doesn't work. Are they really saved on the emmc? If yes you are screwed if not you need to find out why biskeydump does not work.

EDIT2: Please somebody confirm/deny.
I read the switchbrew wiki and the github of lockpick. If I understand this correctly all your console unique BIS keys (and other keys) are inside BOOT0 in the keyblob area starting at 0x180000. There is just a problem: They are encrypted and nobody knows the package1 key to decrypt them.
To get the BIS keys there is some other trickery going on and it seems to require a (partly) working system to get those.

Thanks for you replay ,
I tried many way to get the bis key,
Just before I extracted this list, but I never saw the uncorrupted keys,
Could you please tell me is this list looks can be use?
This account a newbie so I cannot update photo, Im not sure if you can see it.

GothicIII · Jun 5, 2019

EDIT: Corrected my information.

ZachyCatGames pointed out that the keys are readonly. You must be able to recreate your BIS-Keys as long there is no hardware error involved.
Look for bis_key_00 and it is everything you need to proceed.

The bis keys are needed to decrypt/encrypt your emmc partition(s).
If you have them you can recreate a new nand. But even if you have them you need PRODINFO partition because there is your unique console certificate. If it is missing even if you recreate a nand it won't boot past the nintendo logo.
To see if PRODINFO is intact you need
-hacdiskmount
-the keyfile you made a screenshot of
-bis key 0 crypt+tweak (which is derived of bis_key_00)

You load up hacdiskmount and point it to your nand backup. If it can't read any partitions or crashes etc. then this will be a problem and the cause of your brick.

Before you ask: No it is not possible to use a 2nd switch to restore the brick.

ZachyCatGames · Jun 5, 2019

GothicIII said:
If biskeydump shows corrupted keys and you dont have a working nand backup nor the BIS keys - you are screwed. When you restored your nand you overwrote the section with the console specific bis keys.

Without the correct consolespecific BIS keys you can't run horizon.

I am sorry but atm there is no bringing back the console to life. You can use it as a ubuntu tablet now, though.

EDIT: I am no switch developer I could be wrong. For me I don't get why the bis key dump doesn't work. Are they really saved on the emmc? If yes you are screwed if not you need to find out why biskeydump does not work.

EDIT2: Please somebody confirm/deny.
I read the switchbrew wiki and the github of lockpick. If I understand this correctly all your console unique BIS keys (and other keys) are inside BOOT0 in the keyblob area starting at 0x180000. There is just a problem: They are encrypted and nobody knows the package1 key to decrypt them.
To get the BIS keys there is some other trickery going on and it seems to require a (partly) working system to get those.

You’re wrong

. BIS keys are generated using your device key, which is generated using your TSEC key and Secureboot key, and both of those are read only. You can recover from ANY software brick as long as you have a copy of your prodinfo

GothicIII · Jun 5, 2019

ZachyCatGames said:
You’re wrong . BIS keys are generated using your device key, which is generated using your TSEC key and Secureboot key, and both of those are read only. You can recover from ANY software brick as long as you have a copy of your prodinfo

So this is good news for him. I am not that deep into the scene so I didn't know. Thanks for clearing this up!

NoNAND · Jun 5, 2019

So it appears that the prodinfo partition is crucial to NAND decryption as ZachyCatGames implied above.
Here's hoping his PRODINFO partition is left intact and undamaged so that he nay unbrick his switch somehow if possible.

vividiorem · Jun 5, 2019

GothicIII said:
EDIT: Corrected my information.

ZachyCatGames pointed out that the keys are readonly. You must be able to recreate your BIS-Keys as long there is no hardware error involved.
Look for bis_key_00 and it is everything you need to proceed.

The bis keys are needed to decrypt/encrypt your emmc partition(s).
If you have them you can recreate a new nand. But even if you have them you need PRODINFO partition because there is your unique console certificate. If it is missing even if you recreate a nand it won't boot past the nintendo logo.
To see if PRODINFO is intact you need
-hacdiskmount
-the keyfile you made a screenshot of
-bis key 0 crypt+tweak (which is derived of bis_key_00)

You load up hacdiskmount and point it to your nand backup. If it can't read any partitions or crashes etc. then this will be a problem and the cause of your brick.

Before you ask: No it is not possible to use a 2nd switch to restore the brick.

Thanks everyone who has seen this thread,
your replay was exciting,
but......................The keyfile looks doesn't have the keydate for key 0 tweak,
because its always notice me the keyblob 012345 was corrupt though it be listed,
may I have some way to get the key 0 tweak by myself?
In fact, i think if i can get the both key that ill fix this bricked switch. :rofl2:

I think I am almost succeeded.

GothicIII · Jun 5, 2019

So in the end you got your BIS-Keys

Only thing is missing is a valid PRODINFO.

take bis_key_00 It holds bis_key_0 tweak and crypt.

The first 32 characters are BIS KEY 0 (crypt) and the last 32 characters are BIS KEY 0 (tweak)

Use my post above to check for PRODINO. If it is valid and intact your Switch is recoverable.

crazy_p · Jun 5, 2019

You can also use This Site to gernerate your Biskeys. (SBK Key = secure_boot_key)

vividiorem · Jun 6, 2019

crazy_p said:
You can also use This Site to gernerate your Biskeys. (SBK Key = secure_boot_key)

thanks, that's really useful.

vividiorem · Jun 6, 2019

GothicIII said:
So in the end you got your BIS-Keys Only thing is missing is a valid PRODINFO.

take bis_key_00 It holds bis_key_0 tweak and crypt.

The first 32 characters are BIS KEY 0 (crypt) and the last 32 characters are BIS KEY 0 (tweak)

Use my post above to check for PRODINO. If it is valid and intact your Switch is recoverable.

Its hardly to bring it up, but my bis key looks are corrupted,
I using HacDiskMount to operation on prodinef,
But the test failed, that means this key was incorrect what I extracted, in fact I am already restore the backup nand,
Its should be uncorrupted at that moment.
I guess I have seen the ending, a brick, forever.
Anyway, thank everyone who helped or replay. :bow:

And please let me ask last question,

is there have any way to get the original key?

GothicIII · Jun 6, 2019

vividiorem said:
Its hardly to bring it up, but my bis key looks are corrupted,
I using HacDiskMount to operation on prodinef,
But the test failed, that means this key was incorrect what I extracted, in fact I am already restore the backup nand,
Its should be uncorrupted at that moment.
I guess I have seen the ending, a brick, forever.
Anyway, thank everyone who helped or replay.

And please let me ask last question,
is there have any way to get the original key?

The Bis keys cannot be corrupted. They are readonly and can't be tempered with. The problems lies in your nand backup. It is messed up.

Are you sure this is the backup of your switch? If you open the nandbackup in hacdiskmount does it show PRODINFO in the main window?

You could zip/rar your nand backup, upload it somewhere and pm me with your keys. I could look into it and see how much of the backup is broken.

vividiorem · Jun 6, 2019

GothicIII said:
The Bis keys cannot be corrupted. They are readonly and can't be tempered with. The problems lies in your nand backup. It is messed up.

Are you sure this is the backup of your switch? If you open the nandbackup in hacdiskmount does it show PRODINFO in the main window?

You could zip/rar your nand backup, upload it somewhere and pm me with your keys. I could look into it and see how much of the backup is broken.

thank you a lot :bow:

,
it is succeed be open by hacdiskmount and showed every part in the main window,
but I dont know why, its cannot work.
:bow:

*snip*

Hacking Question Switch won't boot after restore nand but can run RCM

Member

Well-Known Member

Member

Well-Known Member

Member

Member

Member

Well-Known Member

Member

Well-Known Member

Well-Known Member

Well-Known Member

Give me back my legions!

Member

Well-Known Member

Well-Known Member

Member

Member

Well-Known Member

Member

Similar threads

Popular threads in this forum