Hacking HacDiskMount BIS Keys fail to verify

Toby4213

Short Backstory: I bought a Switch from eBay with a good serial. The seller told me that after an update the Switch won't boot anymore (to my knowledge he didn't put CFW on it). After I got the Switch I turned it on and the Nintendo logo appeared, but after that just a black screen. After pressing the power button for about 20 seconds to shut it down I tried to boot into hekate, which worked, and dumped all the stuff and made a BOOT and eMMC backup.

My first problem was dumping the keys via Lockpick_RCM. I get 6 errors for keyblob 0 through 5. I don't know if this is a significant problem but I nevertheless got 78 keys which include tsec_key and secure_boot_key which are used to generate the bis keys.
[Screenshot: IMG_20200102_014951.jpg]
Also biskeydump only dumps 3 keys: HWI, SBK and TSEC KEY. No individual BIS keys.
[Screenshot: biskeydump.jpg]
I am currently following this guide: https://switch.homebrew.guide/usingcfw/manualchoiupgrade to try to restore it to 4.1.0 to get ChoiDujourNX to upgrade it back to 9.1.0 (11 fuses are burnt, so I think that means 9.1.0), but now I am at the point where I need to access the eMMC via memloader and HacDiskMount and none of my BIS keys work.

I used this website https://sdsetup.com/biskeygen to get my BIS keys, but here is the funny part: I get different keys when I use tsec and sbk or fuse_cached.bin and tsec_keys.bin, but if I use the bin files the tsec and sbk fields are populated with the same keys as provided earlier. This only happens if I use the keys from prod.keys, which have lower case letters in them but are otherwise the same as the ones I got from biskeydump. This is an error on the website which I already submitted a new issue for: https://github.com/noahc3/SDSetup/issues/146

TL;DR

My dumped TSEC and SBK keys (or fuse_cached.bin and tsec_keys.bin files) don't generate the correct BIS keys which I need to decrypt the eMMC in HacDiskMount.
[Screenshots: bis_from_bins.png, hacdiskmount.png]
 

Toby4213

Could the problem be that the latest biskeydump v9 only supports keydumps for fw 8.1.0 and lower? Since the switch has 11 burnt fuses I think the current fw version of the switch is 9.0.0+ so I would have to wait for a newer version... This would also mean that the biskeygen tool is outdated and doesn't generate the right keys for 9.1.0. Is that the problem or is it something else?

Could I use the keys from my first switch and just delete everything on this one? Or heck just restore the full boot and emmc backup from my own to this new broken one. That should work right? Is there any downside in doing that? I vaguely remember reading something about never going online with one of them...
 

Lacius

Which version of Hekate did you use when dumping your Fuses and TSEC Keys? Also, redownload the latest version of Atmosphere from GitHub, delete the sept folder from your SD card, and put the new sept folder onto the SD card. After that, try Lockpick_RCM again.

> Could I use the keys from my first switch and just delete everything on this one? Or heck just restore the full boot and emmc backup from my own to this new broken one. That should work right? Is there any downside in doing that? I vaguely remember reading something about never going online with one of them...
Definitely not. Some of these keys, and all NAND backups, are console-specific, and you would permanently brick the system in a way that cannot be recovered without a proper NAND backup. In fact, even though the system doesn't work, I'd make a NAND and BOOT0/1 backup now.
 

Toby4213

> Which version of Hekate did you use when dumping your Fuses and TSEC Keys? Also, redownload the latest version of Atmosphere from GitHub, delete the sept folder from your SD card, and put the new sept folder onto the SD card. After that, try Lockpick_RCM again.
Hekate version is 5.1.1. I redownloaded the latest atmosphere and hekate from their respective github pages and put the files on a completely wiped sd card. Unfortunately Lockpick_RCM still has the same errors as before.

> Definitely not. Some of these keys, and all NAND backups, are console-specific, and you would permanently brick the system in a way that cannot be recovered without a proper NAND backup. In fact, even though the system doesn't work, I'd make a NAND and BOOT0/1 backup now.
Ok, thanks for the advice, I will not do that then. Basically the first thing I did was a NAND and BOOT backup, so I am good if I fuck up trying to fix anything...

After running biskeydump again and deriving the BIS keys via those keys and the tsec and sbk bin files from hekate I still get the same non-working BIS keys...
 

Toby4213

Ok, so I have an idea. The keys I've got from Lockpick are definitely correct, right? So what if I format system and data by mounting them via HacDisk with the BIS keys which are definitely correct but show as Fail... Would that work, or does Fail mean that the BIS keys won't work with some key that is saved somewhere else, like in the SoC? The only problem would be the two PRODINFO partitions, but do I really need them to boot into the OS? From what I read, people have been using incognito (GitHub page is down, so I assume the project is dead) to clean their PRODINFO to not get banned. Since I'm at the point where I would be happy with just a homebrew Switch, that would be ok...
 

Toby4213

Does the Switch need PRODINFO to boot? If yes, then I am completely screwed because the above method won't work. Would it be at all possible to decrypt PRODINFO without the BIS keys? How difficult would it be to brute force the encryption? Is that even possible? By that I mean, does PRODINFO contain some bytes that are always the same?
 

Toby4213

I just looked into it. One BIS key is 256 bits long, which is basically impossible to brute force. So now I am thinking that one byte of the TSEC or SBK key was corrupted and those generate wrong BIS keys. Is this a valid assumption, or are the TSEC and SBK definitely correct and CRC checked or something? Why is there a mismatch between the generated BIS keys from TSEC/SBK and the encrypted PRODINFO? The only possibility would be that the previous owner of the Switch flashed wrong boot images...
 

Elgado

> I just looked into it. One BIS key is 256 bits long, which is basically impossible to brute force. So now I am thinking that one byte of the TSEC or SBK key was corrupted and those generate wrong BIS keys. Is this a valid assumption, or are the TSEC and SBK definitely correct and CRC checked or something? Why is there a mismatch between the generated BIS keys from TSEC/SBK and the encrypted PRODINFO? The only possibility would be that the previous owner of the Switch flashed wrong boot images...


Hi,

Did you solve the problem?
 

VictorStruggling

I am having the same issue. Lockpick_RCM does not provide the same BIS keys that I need. There is no BIS key 01 (tweak).

The hactool step actually went smoothly for me when I entered BIS key 00 (crypt) and BIS key 00 (tweak) for PRODINFO.

And then saved the prefilled keys for PRODINFOF

However, when I do the same for the SAFE folder using BIS key 01 (crypt) and BIS key 01 (tweak), I keep getting failed Entropy: 7.989.

Has anyone figured out a fix for this yet?
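Editor's note, added example (not code from this thread, from HacDiskMount or from hactool): the "failed Entropy: 7.989" result above is what a key check looks like when the candidate BIS key pair turns the first XTS unit of a partition into bytes that are still random. AES does not reject a wrong key; a tool can only decrypt and then judge the output, and 7.989 bits/byte is almost exactly the entropy of 16 KiB of uniform noise. The Go program below implements that check: AES-128-XTS over one data unit using Nintendo's big-endian unit-index tweak, a 0x4000-byte unit (assumed here, matching what hactool uses), then Shannon entropy of the result against a threshold. It encrypts a constructed, low-entropy sample unit under demo keys, verifies it with the right pair, then flips a single byte of the crypt key (the corruption Toby4213 speculated about for TSEC/SBK) and shows the result degenerating to noise. The demo keys, the sample unit, the `CAL0`-style header and the 7.5 bits/byte cut-off are all constructed for this example; none are real console values.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math"
)

const (
	BISUnitSize      = 0x4000 // assumed XTS data unit for eMMC BIS partitions (as hactool uses)
	EntropyThreshold = 7.5    // heuristic cut-off for this example; wrong-key output sits near 7.99 bits/byte
)
// Demo key pair for this example only; these are NOT real console keys.
var DemoCryptKey = []byte("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f")
var DemoTweakKey = []byte("\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f")
// gfMulAlpha multiplies the 16-byte tweak by x in GF(2^128) (IEEE P1619 bit order).
func gfMulAlpha(t []byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// XTSUnit encrypts (decrypt=false) or decrypts one XTS data unit; Nintendo's variant differs from P1619 only in its big-endian unit-index tweak.
func XTSUnit(cryptKey, tweakKey []byte, unit uint64, data []byte, decrypt bool) ([]byte, error) {
	if len(cryptKey) != 16 || len(tweakKey) != 16 || len(data) == 0 || len(data)%16 != 0 {
		return nil, fmt.Errorf("need two 16-byte keys and a non-empty multiple of 16 data bytes")
	}
	cb, _ := aes.NewCipher(cryptKey) // cannot fail for a 16-byte key
	tb, _ := aes.NewCipher(tweakKey)
	tweak := make([]byte, 16)
	binary.BigEndian.PutUint64(tweak[8:], unit) // unit index in the low 8 bytes, big-endian
	tb.Encrypt(tweak, tweak)
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += 16 {
		blk := out[off : off+16]
		for i := range blk {
			blk[i] = data[off+i] ^ tweak[i]
		}
		if decrypt {
			cb.Decrypt(blk, blk)
		} else {
			cb.Encrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= tweak[i]
		}
		gfMulAlpha(tweak)
	}
	return out, nil
}

// ShannonEntropy returns the byte entropy of b in bits per byte (0 for constant data, 8 at most).
func ShannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, c := range counts {
		if p := c / float64(len(b)); p > 0 {
			h -= p * math.Log2(p)
		}
	}
	return h
}

// CheckBISKey mirrors a mounting tool's sanity check: decrypt the partition's first XTS unit with the candidate pair and judge the output by entropy.
func CheckBISKey(cryptKey, tweakKey, firstUnit []byte) (plain []byte, entropy float64, ok bool, err error) {
	if plain, err = XTSUnit(cryptKey, tweakKey, 0, firstUnit, true); err != nil {
		return nil, 0, false, err
	}
	entropy = ShannonEntropy(plain)
	return plain, entropy, entropy < EntropyThreshold, nil
}

// SampleUnit is a constructed low-entropy plaintext unit (CAL0-style magic, ASCII, zero padding), not a real PRODINFO layout.
func SampleUnit() []byte {
	u := make([]byte, BISUnitSize)
	copy(u, "CAL0")
	copy(u[0x40:], "constructed sample, not a real calibration blob")
	return u
}

func main() {
	enc, _ := XTSUnit(DemoCryptKey, DemoTweakKey, 0, SampleUnit(), false)
	_, e, ok, _ := CheckBISKey(DemoCryptKey, DemoTweakKey, enc)
	fmt.Printf("right keys:   entropy %.3f  verify=%v\n", e, ok)
	bad := append([]byte(nil), DemoCryptKey...)
	bad[3] ^= 0x01 // one corrupted key byte, the failure mode Toby4213 suspected for TSEC/SBK
	_, e, ok, _ = CheckBISKey(bad, DemoTweakKey, enc)
	fmt.Printf("1 byte wrong: entropy %.3f  verify=%v\n", e, ok)
}
```

To use this against a real dump, feed `CheckBISKey` the first 0x4000 bytes of the partition image (for example the PRODINFO region of a hekate rawnand backup) together with the crypt/tweak halves of the matching BIS key. Note what the entropy check cannot tell you: a 7.99 result only says this pair does not decrypt this data, not whether the key derivation, the dumped TSEC/SBK inputs, or the partition contents themselves are at fault.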
 

Thousah

> I am having the same issue. Lockpick_RCM does not provide the same BIS keys that I need. There is no BIS key 01 (tweak).
>
> The hactool step actually went smoothly for me when I entered BIS key 00 (crypt) and BIS key 00 (tweak) for PRODINFO.
>
> And then saved the prefilled keys for PRODINFOF.
>
> However, when I do the same for the SAFE folder using BIS key 01 (crypt) and BIS key 01 (tweak), I keep getting failed Entropy: 7.989.
>
> Has anyone figured out a fix for this yet?
I have a similar issue, but with the BIS key for the USER partition. I still have not found a solution yet.
 

hell_night

Same here... I derived the BIS key from the website using my two other keys. Unfortunately, I can't save any of them, as it seems the old NAND I had on hekate running 4.0.1 has corrupted my BIS keys somehow. I'm not sure what exactly is wrong with it..

I was on 6.0.1 before I reverted to 4.0.1 (hekate NAND backup), not knowing that I had 6 burnt fuses on my Nintendo Switch, and figured it out too late. Now following the tutorial to try and go back to 6.0.1, but the BIS keys don't match unfortunately..
 

luankiki

I did the test with the updated Lockpick and the error continues when testing BisKey 3 on USER; I was very silly not to have backed up the NAND.
 

Thundermofocat

Anyone found a fix? I'm close to fixing this problem but I don't have any idea (basically I got a NAND without keys, "Unbrick_pack" by @mattytrog), but I have no idea how to put my keys into the NAND.

Edit: I have access to the "system" and "user" partitions with null keys.
 
