Asking a favor - OEM USER.BIN from your rawnand ...

Escape1975

I have followed a guide posted here that allowed me to shrink my rawnand backup from 30.0 GB to 2.5 GB (when RAR'd)
and it involved mounting the USER partition via HackDiskMount, saving original data, formatting USER partition and then
moving original files back. It worked great and I can confirm my switch runs fine using that modified rawnand, however ...

I've noticed using a hex editor that the original OEM partition is actually different before and after the format procedure,
and I've included an image to illustrate this below. It shows the SYSTEM partition as I don't have the original USER one.

What I'm asking for is a clean empty copy of someone's USER partition taken from a rawnand backup. Here are the instructions:

Make sure to use a copy of your rawnand.bin as this modifies the file, and after we're done you will delete the file anyways.

1) Open HackDiskMount, load a copy of rawnand.bin, double click USER partition, enter BIS Key 3, click Test, should say OK, don't click Save.
2) Next click Mount as drive S:, don't check "Passthrough" or "Read Only".
3) In Windows Explorer go to that mounted drive S: and remove everything.
4) Next click Unmount in HackDiskMount, and close the software.
5) Now open NxNandManager, load that same rawnand.bin, click USER, then Advanced Copy, select "Decrypt" and "Passthrough Zeros", and click Dump.
6) Next use WinRAR to compress that file and it should shrink from 26 GB down to 1.4 MB, because it's 99.9% zeros!

The file created will be completely empty but it will contain the OEM FAT32 info I need.

Thanks! :)
Attachments: difference.jpg

The Real Jdbye

What's the point in modifying a rawnand to remove the USER partition? You could have just made sys + boot0/boot1 backups, that's really all you need.

Escape1975

Except none of the tools actually properly restore / make the USER partition, as I've indicated above ...
Sure the unit will still work but it won't look OEM anymore.

Also I know that removing anything from SYSTEM / USER will potentially set off a red flag,
however I'm not talking about removing anything just data that's already been marked as deleted
and simply using space on the raw nand. By doing this I can get my raw nand to compress from
about 30 gigs to 1.5 gigs without any data loss or setting off any red flags.

The above procedure doesn't leave any personal data on the backup as far as I know,
in fact an OEM partition doesn't even contain a partition serial number vs. a Windows one.

BigOnYa

Why the need to get it compressed to 1.5 gigs tho? Why risk messing up things just to save space? Not hating on you at all, just curious.
Escape1975

Mainly because I've already done it, and wanted to fix it.

But most importantly like I said there was a guide on here about doing this, plus also for people
that didn't get a proper backup, this would be good in order to re-create a proper USER partition.

Or if someone just wanted a clean NAND without the deleted leftovers that could be restored.

BigOnYa

Not sure many are willing to give you a copy of their clean NAND tho... not sure if it's device specific either, or if any harm can come from it, but since I've been banned recently, don't think you'd want mine. Nor is it an original clean NAND, sorry but wish you luck
Escape1975

I don't care if it's banned or not, plus it's only the USER partition so it will have no info whatsoever.
As long as you haven't used the Windows format utility on the USER partition it would be very useful to me :)
dotmehdi

What's your Switch version? HOS version? Maybe I can help you. Also there is an empty rawNAND file available on an AIO system restore pack, I believe you can find it on xbins.

I really don't understand the point of this :/ you should've bought a 32 GB SD card to keep your rawnand.bin safe. These backups we make before hacking our consoles are made to be exact snapshots of the NAND so that, in any case, we can just roll back as if nothing happened until we made it.
Escape1975

Exactly, I should've, but after doing my thing I didn't think the modified partition would be any different.
Also, I checked out that blank rawNAND and both the SYSTEM & USER partitions have been formatted from Windows in it,
so the end result is that anyone using that will possibly have a red flag because they're using non-OEM partitions ...

I would like to help make a new blank NAND that doesn't have these issues :)

I'm on 11.0.1 on an exploitable Switch, by the way.

I could possibly use my SYSTEM partition, blank it out and transplant it to USER to keep the OEM format ...

RHOPKINS13

I don't get the point. From the screenshot you already have the header info for both the OEM format and the Windows format, so why can't you just hex edit it yourself to make it match what it should?

I have to wonder whether it'll return to the OEM format if you just do a system format on the console from Horizon.
Escape1975

It does not, already tried, and also it never actually removes any data from your NAND when you do that :)

I have the SYSTEM partition differences, I don't have the USER one. Most likely they're the same,
but I would like to confirm ...
Escape1975

Here are my cleaned up USER and SYSTEM files in case someone needs them.
They contain no personal info as well as no files, but have correct FAT32 structures.
Please have a look at the readme.txt for more info about removed data in sector 3.

Note: after uncompressing the files will be about 30 gigs.

The files are unencrypted of course, and might be useful for fixing corrupt raw NAND backups.
Big thanks to BigOnYa for his help! :)

I have previously used a Windows format on my USER partition, so I used this file to
re-create an original FAT32 format, and also converted to emuMMC to test things ...

PS: I still don't know what information lies in sector 3 ...
(Sectors 0,1 are the FAT32 table, sectors 6,7 are the FAT32 backup)

If anyone knows, please share ...
Attachments: nand.rar (1.5 MB)

Draxzelex

I don't think anything can save corrupted backups. Plus we have ways of recovering bricks without eMMC backups even if PRODINFO is damaged.
Escape1975

True, this would probably work if someone's dump was cut off, so the USER portion, which is the biggest, was missing, let's say ...

@BigOnYa wow, you're here like 24/7 ;)

Escape1975

You betcha, what else can we do, stuck at home these days. PC screen to my left, TV screen w the Switch to my right.
That and I'm always curious what you're tinkering w today...

Well I've discovered that the unknown data in sectors 2,3,4,5 in the USER and SYSTEM partitions
is basically just encrypted zeros, so it's garbage except what's in sector 3 ..

That one has some sort of recovery purpose for the pr2 file system, but nobody knows what purpose, even on ReSwitched.

To summarize ..

At offset 0x600 there's just the ASCII string: PRF2SAFE
At offset 0x610 there's 1 byte: 0x64
At offset 0x620 there are 2 bytes: 0x803C
At offset 0x624 there's 1 byte: 0x19
At offset 0x7FC there are 4 bytes: 0x9E98B673


As you can see there's not much data there, only 8 bytes,
and I don't know if it differs between units and SYSTEM/USER parts,
but it seems that it does, except the ASCII string and possibly offset 0x610 ...
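As an added example (not code from the thread or from HackDiskMount/NxNandManager), here is a small Python checker for an already decrypted USER or SYSTEM dump: it reads the FAT32 boot sector, confirms the backup copy at sector 6 matches sector 0 (the layout the OP describes), pulls the sector-3 PRF2SAFE fields at the offsets listed above, reports how much of the data region is zero, and can diff those fields between two dumps. The sample image is constructed, and the byte order used to store the multi-byte values is an assumption.

```python
import struct

SECTOR = 512  # 0x600 == sector 3 at 512 bytes per sector, as in the post

def build_sample_image(sectors=16):
    """Constructed sample: minimal FAT32 boot sector at sector 0, copy at
    sector 6, and the sector-3 fields from the post (byte order assumed)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    # BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs (standard FAT32 BPB offsets)
    struct.pack_into("<HBHB", bs, 11, 512, 8, 32, 2)
    struct.pack_into("<I", bs, 36, 1024)  # FATSz32
    struct.pack_into("<H", bs, 50, 6)     # BkBootSec: backup boot sector index
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xAA"
    img = bytearray(SECTOR * sectors)
    img[0:SECTOR] = bs
    img[6 * SECTOR:7 * SECTOR] = bs
    img[0x600:0x608] = b"PRF2SAFE"
    img[0x610] = 0x64
    img[0x620:0x622] = bytes.fromhex("803C")
    img[0x624] = 0x19
    img[0x7FC:0x800] = bytes.fromhex("9E98B673")
    return bytes(img)

def parse_boot_sector(img):
    """Decode the fields of the FAT32 boot sector that matter for a sanity check."""
    bps, spc, rsvd, nfats = struct.unpack_from("<HBHB", img, 11)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": rsvd, "fats": nfats,
            "fat_size": struct.unpack_from("<I", img, 36)[0],
            "backup_boot_sector": struct.unpack_from("<H", img, 50)[0],
            "fs_type": img[82:90].decode("ascii", "replace").strip(),
            "signature_ok": img[510:512] == b"\x55\xAA"}

def backup_matches(img, bk):
    """True when the backup boot sector (usually sector 6) equals sector 0."""
    return img[0:SECTOR] == img[bk * SECTOR:(bk + 1) * SECTOR]

def parse_sector3(img):
    """Raw sector-3 fields at the offsets listed in the post; hex is as stored."""
    return {"magic": img[0x600:0x608], "b610": img[0x610],
            "w620": img[0x620:0x622].hex(), "b624": img[0x624],
            "tail7fc": img[0x7FC:0x800].hex()}

def diff_fields(a, b):
    """Names of sector-3 fields that differ between two dumps."""
    return [k for k in a if a[k] != b[k]]

def zero_fraction(img, start_sector=8):
    """Share of zero bytes past the reserved area (the '99.9% zeros' check)."""
    data = img[start_sector * SECTOR:]
    return data.count(0) / len(data) if data else 1.0
```

Run it on a real dump by replacing the constructed image with `open("USER.bin", "rb").read()`; a clean OEM-formatted partition should show `fs_type == "FAT32"`, a matching backup at sector 6 and a zero fraction close to 1.0.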

Draxzelex

To be fair, not everything about the Nintendo Switch has been fully reverse engineered or fully understood. Hacking was only meant to allow people to run unsigned code, not take the device apart. For example, the Switch cartridge slot aka Lotus has yet to be fully taken apart. This is due in part to the chance that someone may create an authentic .XCI loader (all .XCI file dumps are incomplete according to blawar), but more so that SciresM has had no reason to go after it.

LyuboA

Maybe after end of life this will happen