Any way to edit profile and fake link account?

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by lolboy, Dec 15, 2018.

  1. OrGoN3

    OrGoN3 GBAtemp Addict

    Member
    8
    Apr 23, 2007
    United States
    Sigh.
     
  2. bootmonster

    bootmonster GBAtemp Fan

    Member
    6
    Oct 26, 2002
    United States
    Thanks for the guide. I am currently on 7.01, and I can get as far as replacing the 800..10 file and then running REINX, but it just sits on the switch logo indefinitely, I presume because the donor profile is from 6.0? Thankfully I backed up my original file, so just replacing that was enough to unbrick my switch rather than having to restore my full nand backup.

    Have you attempted to upgrade any of the consoles to 7.X, does this work do you know?

    Also, would anyone be willing to provide a donor save from a 7.x console to try?

    I assume I could downgrade and then try, but would much rather avoid that step if I can!
     
    Last edited by bootmonster, Apr 21, 2019
  3. deadf1sh

    deadf1sh Advanced Member

    Newcomer
    1
    May 8, 2015
    France
    Same situation, stuck on logo on 7.0.1, I was dumb and restored only the rawnand without the boot0/1 (it worked) instead of just the save file.

    This is what I did: downgraded to 6.2.0 with ChoiDujour, followed the tutorial again, and once it was linked, updated back to 7.0.1. It was all flawless, I still only have 2 burnt fuses :P
    I now have a linked account, thanks to this guide! :)

    Only problem now, I can't find how to add a friend offline in order to play wireless Minecraft locally, but local Stardew Valley multiplayer works.
     
  4. bootmonster

    bootmonster GBAtemp Fan

    Member
    6
    Oct 26, 2002
    United States
    Could you possibly do me a huge favour then and dump your current 7.01 8000..10 file?

    I’ve been doing some digging and know how to extract the save using hactool. Can even set a custom icon.

    I’m hoping to find a way to manually apply the flag without having to use a donor profile!
     
  5. deadf1sh

    deadf1sh Advanced Member

    Newcomer
    1
    May 8, 2015
    France
    I PM'd you the link to it.
    If it works I will share it.

    Edit: oh, I just understood what you want to do. But if you try to compare files, keep in mind that I changed some things like profile name and icon.
     
    Last edited by deadf1sh, Apr 21, 2019
  6. t1op

    t1op Advanced Member

    Newcomer
    3
    Nov 13, 2016
    United States
    I haven't upgraded any of my switches past 6.2 yet.
    bootmonster or deadf1sh, would you be willing to upload your 8000..10 file from 7.0.1 here for users starting on 7+ firmwares? The file is only 7MB so you can upload it by just adding the .txt extension. (Which, of course, everyone would need to remove before usage.)

    I can test your 7.0 file on one of my 6.2 switches to see if it works on the older firmware or not.
    Originally, this was supposedly only working on 6.1.0, but I have successfully used the same file on both 6.0.0 and 6.2.0.
    If anyone can test on a firmware lower than 6.0 that would also be helpful, so that we can confirm instructions for those to whom that would apply. (Is it necessary to match the save file to a firmware range, or is a newer file backward compatible?)

    PS To whomever moderates this forum, since the OP has not been involved in this discussion for a long while, would it be helpful if I created a new thread with the above instructions and the attached save file, in order to make the information more accessible? I would also be willing to update the first post of such a thread as needed.
     
  7. deadf1sh

    deadf1sh Advanced Member

    Newcomer
    1
    May 8, 2015
    France
    I PM'd you the link because I managed to do it thanks to your guide, but really, bootmonster seems to be coming up with a better way of linking an account without the need of a donor file AND ReiNX, so for the time being I would wait for his response before doing anything else.
    If you want to update your linked account to 7.0.1, I can simply confirm that it worked for me.
     
  8. bootmonster

    bootmonster GBAtemp Fan

    Member
    6
    Oct 26, 2002
    United States
    I have tried to use the 7.01 file but still I am getting the freeze on the Switch logo when running ReinX unfortunately. Either something has changed between 6.x and 7.x, or I am doing something wrong.

    What version of ReinX was it that you were using t1op?

    I may have to downgrade after all and go from there.

    Some further info I have been able to establish;

    I have been able to extract both my original save (top) and the donor profile (bottom), and there are some extra files that exist in the folders for the online one. I'm hoping profiles.dat may be the key to how a profile is flagged, and that the other files aren't required. The cache file doesn't exist in the 7.01 donor profile incidentally so that file at least isn't required.


    You can extract the save easily with libhac / hactoolnet using the following command if anyone is curious

    hactoolnet.exe -t save 8000000000000010 --outdir <output folder name>

    You can also use the tool to resign the save, which if I can get working hopefully should avoid at the very least the reinx step. This requires a dump of your keys from lockpick.

    Another thing you can do with the tool is replace files then resign, so hopefully just a change to profiles.dat is enough to flag the profile as being an online one.

    To that end, I have a second Switch which is not hacked. I am going to reset it to factory and add some user accounts, dump the NAND, then connect each of them to Nintendo online accounts, then dump the NAND again and compare the profiles.dat files between both. I know I could use HacDiskMount for this step but feel safer dumping the NAND to do this step.

    Hopefully if we work out what needs to be changed homebrew could be developed to do so, or even something developers could add to checkpoint!
     
  9. deadf1sh

    deadf1sh Advanced Member

    Newcomer
    1
    May 8, 2015
    France
    Personally I used ReiNX_v2.1.1

    When I compare my linked 7.0.1 profiles.dat to the linked 6.0.1(?) profiles.dat downloaded from here, they are almost the same, just a few bytes changed before and after the username, apart from the username.
    That is the only different file between 6.0.1 and 7.0.1 that I can find (except the cache file that I personally don't have on my account).

    If I compare my unlinked profiles.dat to the linked one, they are a lot more different. (both 7.0.1)

    There is a lot of info in the ***_user.json file: id, email, "isNnLinked":false (weird?). That info might be required for it to be considered as a linked account maybe.
     
  10. bootmonster

    bootmonster GBAtemp Fan

    Member
    6
    Oct 26, 2002
    United States
    So good news, I have been able to get the 7.01 donor profile to work. I haven't tested it but suspect the 6.0 file would likely work as well.

    The 800..10 file is just a save file, so running it through hactoolnet and resigning it just works, no faffing with ReiNX.

    You need to dump your keys using lockpick or another method, then place the prod.keys file in with hactoolnet.

    To resign the save I used

    hactoolnet.exe -k prod.keys -t save 8000000000000010 --sign

    Then just replaced the file using hacdiskmount

    ReiNX must have been resigning the save data on first run for whatever reason, though this is a better method and works on 7.01.
     
  11. etraxz

    etraxz Newbie

    Newcomer
    1
    Apr 10, 2019
    Sweden
    Nice! Thanks for sharing!
    Are you able to provide a more step by step instruction?
     
  12. designgears

    designgears GBAtemp Regular

    Member
    3
    Aug 8, 2016
    United States
    Dump your biskeys with biskeydump.bin or lockpick_rcm. (from the implant console)

    You can get a donor 8000000000000010 four different ways... (from a donor console)

    #1. grab the zip earlier in this thread with donor account and pull the file from \UES\save.
    #2. use HacDiskMount on donor nand backup and pull it from \System\save
    #3. use HacDiskMount on donor console and pull it from \System\save
    #4. use Goldleaf on donor console to copy it from \System\save to your sdcard

    Resign 8000000000000010; (prod.keys from the implant console)
    hactoolnet.exe -k prod.keys -t save 8000000000000010 --sign

    Use one of the methods above (#2, #3, or #4) to put it on your device. (to the implant console)

    Tools for the job;
    hactoolnet:
    https://github.com/Thealexbarney/LibHac/releases

    Goldleaf:
    https://github.com/XorTroll/Goldleaf/releases

    Lockpick_RCM
    https://github.com/shchmue/Lockpick_RCM/releases

    memloader, biskeydump, and HacDiskMount
    https://switchtools.sshnuke.net/

    The basics of how to use memloader, biskeydump, and HacDiskMount can be found here;
    Don't follow the guide, just look at how the various apps/payloads are used.
    https://guide.sdsetup.com/usingcfw/manualchoiupgrade
     
    Last edited by designgears, Apr 27, 2019
  13. Leathaface

    Leathaface Newbie

    Newcomer
    4
    Oct 28, 2008
    United States
    Does this work for 7.0.1?
     
  14. designgears

    designgears GBAtemp Regular

    Member
    3
    Aug 8, 2016
    United States
    Should work on any version.
     
  15. t1op

    t1op Advanced Member

    Newcomer
    3
    Nov 13, 2016
    United States
    If you don't want to download the whole zip file, I uploaded just that one file in post #66. You just have to delete the ".txt" extension. (An extension was required for upload here)

    If you want a step by step guide for using BISKEYDUMP, MEMLOADER, and HACDISKMOUNT, you can follow my guide in post #63.
    You would just add the above instructions using hactoolnet to use your product keys (named "device.keys" by BISKEYDUMP) to resign the save file.
    Then you could continue following my guide to inject the resigned save file. Resigning should make the need to boot ReiNX afterward obsolete.

    Designgears suggests that you can make the whole process simpler by extracting your product keys with Lockpick rather than BISKEYDUMP. And that you can reinject your modified save file with Goldleaf instead of using Memloader and Hacdiskmount.
    When I tried to use Goldleaf it just crashed. If resigning fixes this problem, then Goldleaf is definitely a simpler option.

    Bootmonster also suggested that resigning makes the donated 6.x linked profile work on 7.x; whereas, before you apparently had to downgrade to 6.x to inject the 6.x profile.

    If you are able to link the 6.x profile attached here (post #66) to a 7.x console, using Lockpick, Goldleaf, and hactoolnet, please add a reply to this thread to confirm that this simpler method worked for you.
     
    Last edited by t1op, Apr 27, 2019
  16. designgears

    designgears GBAtemp Regular

    Member
    3
    Aug 8, 2016
    United States
    Going to give goldleaf a go and see what happens, I'm using the latest commits from github.

    Edit: can't even see the file in there, very strange
     
    Last edited by designgears, Apr 27, 2019
  17. t1op

    t1op Advanced Member

    Newcomer
    3
    Nov 13, 2016
    United States
    I couldn't see it in Goldleaf either. When I tried to paste the file in regardless, that's when it crashed.
     
  18. motchee

    motchee Newbie

    Newcomer
    1
    Apr 28, 2019
    Russia
    Works like a charm on 8.0.1, thanks, guys!
     
    Last edited by motchee, Apr 28, 2019
  19. t1op

    t1op Advanced Member

    Newcomer
    3
    Nov 13, 2016
    United States
    So you downloaded the 6.x profile attached earlier in this thread, resigned it and got it working in 8.0.1? Or did you find your own donor profile elsewhere?
     
  20. motchee

    motchee Newbie

    Newcomer
    1
    Apr 28, 2019
    Russia
    I have a second switch (with 8.0.1, for online and eshop games) as donor.
     