Hacking RELEASE biskeydump and HacDiskMount - Switch eMMC decryption/real-time mounting tools

rajkosto

(OP, joined Apr 6, 2017)
biskeydump - Dumps all your Switch BIS keys for eMMC contents decryption, to be used as a fusee payload (upload via the normal fusee-launcher or my TegraRcmSmash.exe).

HacDiskMount - use your BIS keys and your RawNand.bin (or the physical eMMC attached via microSD reader or using a mass storage gadget mode in u-boot/linux) to dump, restore or REAL-TIME MOUNT AND EXPLORE/MODIFY partitions from the dump file or attached physical device!

Binaries available at https://switchtools.sshnuke.net
When appropriate, README.txt file inside the archive points to the source code location

(Yes I know these have been out for a few days, but only since today was biskeydump redistributable as a precompiled binary)
 

blinkzane

(joined Jul 24, 2012)
> biskeydump - Dumps all your Switch BIS keys for eMMC contents decryption, to be used as a fusee payload (upload via the normal fusee-launcher or my TegraRcmSmash.exe).
>
> HacDiskMount - use your BIS keys and your RawNand.bin (or the physical eMMC attached via microSD reader or using a mass storage gadget mode in u-boot/linux) to dump, restore or REAL-TIME MOUNT AND EXPLORE/MODIFY partitions from the dump file or attached physical device!
>
> Binaries available at https://switchtools.sshnuke.net
> When appropriate, README.txt file inside the archive points to the source code location
>
> (Yes I know these have been out for a few days, but only since today was biskeydump redistributable as a precompiled binary)

What is the Partial AES Key Overwrite vulnerability?
 

DocAmes1980

(joined Oct 31, 2016)
> What do I do with the QR code? It won't scan via my phone... for me anyway.

The QR code contains the key data. Scan it, copy the text, and paste it into a .txt file. It worked on my phone, but it was a little tricky getting it to scan.

--------------------- MERGED ---------------------------

I used biskeydump.bin. It shows the keys but I'm getting a low framerate with screen tearing. How is performance for everybody else?
 

aut0mat3d

(joined Mar 15, 2017)
Is there a way to obtain the keys from a NAND dump?
I have dumped boot0, boot1 and the whole eMMC, and also the TSECFW.

Unfortunately I factory reset the console, not realising that I had to do the biskeydump beforehand. ;)
 

aut0mat3d

(joined Mar 15, 2017)
> Is there a way to obtain the keys from a NAND dump?
> I have dumped boot0, boot1 and the whole eMMC, and also the TSECFW.
>
> Unfortunately I factory reset the console, not realising that I had to do the biskeydump beforehand. ;)

I did a fresh NAND dump and repeated biskeydump with the payload v4.

Trying to use HacDiskMount, but when testing the key I always get a FAIL! about entropy.

The dump seems to be valid (the script used to dump it generates and validates MD5 sums of the flash and of the binary).
Log of HacDiskMount:
Code:
[08:06:18:427262] [info] Loaded primary GPT, checking secondary from offset 31268535808
[08:06:18:428085] [info] Secondary GPT is okay
[08:06:18:428347] [info] Using primary GPT as backup GPT is identical
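The three log lines above are HacDiskMount validating the dump's GPT before it touches any partition. The Python below is an added example, not code from HacDiskMount or from anyone in this thread: it performs the same kind of check on a raw eMMC image by parsing the primary header at LBA 1, locating the secondary header through the backup-LBA field, verifying both header CRC32s and both partition-array CRC32s, and reporting whether the two partition arrays are identical. It runs against a small constructed image built with the standard UEFI GPT layout; the function names and the sample entry are assumptions made here.

```python
import struct
import zlib
SECTOR = 512
N_ENTRIES, ENTRY_SIZE = 128, 128                 # standard GPT array: 128 entries x 128 bytes
ARRAY_SECTORS = N_ENTRIES * ENTRY_SIZE // SECTOR  # = 32 sectors per copy of the array

def parse_gpt_header(buf):
    """Parse one GPT header sector, checking its signature and header CRC32."""
    if buf[:8] != b"EFI PART":
        raise ValueError("missing EFI PART signature")
    hdr_size, stored_crc = struct.unpack_from("<II", buf, 12)
    if zlib.crc32(buf[:16] + b"\0" * 4 + buf[20:hdr_size]) != stored_crc:  # CRC is taken with its own field zeroed
        raise ValueError("GPT header CRC32 mismatch")
    backup, first, last = struct.unpack_from("<QQQ", buf, 32)
    arr_lba, n, size, arr_crc = struct.unpack_from("<QIII", buf, 72)
    return {"backup": backup, "first": first, "last": last, "arr_lba": arr_lba, "n": n, "size": size, "arr_crc": arr_crc}

def partition_array(img, hdr):
    start = hdr["arr_lba"] * SECTOR
    data = img[start:start + hdr["n"] * hdr["size"]]
    if zlib.crc32(data) != hdr["arr_crc"]:              # a bad or truncated dump shows up here
        raise ValueError("partition array CRC32 mismatch")
    return data

def check_dump(img):
    """Validate both GPTs of a raw eMMC image; returns (secondary header offset, arrays identical?)."""
    primary = parse_gpt_header(img[SECTOR:2 * SECTOR])
    off = primary["backup"] * SECTOR                     # the offset the HacDiskMount log line reports
    secondary = parse_gpt_header(img[off:off + SECTOR])
    return off, partition_array(img, primary) == partition_array(img, secondary)
def build_header(cur, backup, arr_lba, first, last, entries):  # constructed header for the sample image
    hdr = bytearray(92)
    struct.pack_into("<8sII", hdr, 0, b"EFI PART", 0x00010000, 92)
    struct.pack_into("<QQQQ", hdr, 24, cur, backup, first, last)
    struct.pack_into("<QIII", hdr, 72, arr_lba, N_ENTRIES, ENTRY_SIZE, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))     # header CRC over the 92 bytes with this field zero
    return bytes(hdr).ljust(SECTOR, b"\0")
def make_sample_image(sectors=128):  # constructed 64 KiB image: primary GPT at LBA 1-33, backup at the end
    last_lba = sectors - 1
    bk_arr = last_lba - ARRAY_SECTORS                    # backup array sits just before the backup header
    first, last = 2 + ARRAY_SECTORS, bk_arr - 1          # usable range between the two GPT copies
    entries = bytearray(N_ENTRIES * ENTRY_SIZE)          # one constructed entry, the rest unused
    struct.pack_into("<16s16sQQQ72s", entries, 0, b"\x11" * 16, b"\x22" * 16,
                     first, last, 0, "PRODINFO".encode("utf-16-le"))
    img = bytearray(sectors * SECTOR)
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[bk_arr * SECTOR:bk_arr * SECTOR + len(entries)] = entries
    img[SECTOR:2 * SECTOR] = build_header(1, last_lba, 2, first, last, entries)
    img[last_lba * SECTOR:] = build_header(last_lba, 1, bk_arr, first, last, entries)
    return bytes(img)
```

On a real RawNand.bin the secondary offset is backup_lba * 512; the offset in the log above corresponds to LBA 61071359, which in the GPT layout is the last sector of the dump.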
 

aut0mat3d

(joined Mar 15, 2017)
Did some further investigation:
Dumped another console (brand new, never booted into the OS, firmware 4.01) with biskeydump payload v4.
The same behaviour as on the other console.
Also I noticed that BIS keys 2 and 3 are identical on both readouts...

Another test with payload v3 (generated by the script which is used for dumping the NAND):
HWI and SBK are equal as expected.
Keys are different, BIS keys 2 and 3 are identical.
 

aut0mat3d

(joined Mar 15, 2017)
> For me too, but maybe it's normal as I can decrypt everything fine?

Thanks!
Please, can you tell me what payload you used to obtain the BIS keys?
Also your NAND dumping method would be interesting. I got it by this method: https://gbatemp.net/threads/tutorial-how-to-dump-switch-nand-using-linux.502201/
In principle this is dumping via dd on Linux; the script also generates MD5 sums to verify the dump. I am pretty sure it is valid as HacDiskMount does not complain about a missing GPT, ....
 
Member (joined Dec 24, 2008)
> Thanks!
> Please, can you tell me what payload you used to obtain the BIS keys?
> Also your NAND dumping method would be interesting. I got it by this method: https://gbatemp.net/threads/tutorial-how-to-dump-switch-nand-using-linux.502201/
> In principle this is dumping via dd on Linux; the script also generates MD5 sums to verify the dump. I am pretty sure it is valid as HacDiskMount does not complain about a missing GPT, ....

I used biskeydump v4 via TegraRcmSmash to get the keys and did the NAND dump in Arch with GNOME manually:
Code:
$ dcfldd if=/dev/mmcblk1 of=/home/alarm/SwitchNAND_dump.bin bs=512
$ dcfldd if=/dev/mmcblk1boot0 of=/home/alarm/SwitchNAND_boot0_dump.bin bs=512
$ dcfldd if=/dev/mmcblk1boot1 of=/home/alarm/SwitchNAND_boot1_dump.bin bs=512
 

annson24

(joined May 5, 2016)
The Switch's NAND is really 32GB in size? And all of this is used only by system files? It's hard to believe all of the 32GB is solely for the system files. I thought the 32GB also includes the storage space available for games. Am I not correct?
 

aut0mat3d

(joined Mar 15, 2017)
> The Switch's NAND is really 32GB in size? And all of this is used only by system files? It's hard to believe all of the 32GB is solely for the system files. I thought the 32GB also includes the storage space available for games. Am I not correct?

You are correct, there are about 26 GB for user data; the whole eMMC storage is 32 GB.
 

annson24

(joined May 5, 2016)
> You are correct, there are about 26 GB for user data; the whole eMMC storage is 32 GB.

Thanks for the clarification. So not all is lost when we create an emuNAND then; at least we still get to use the 26GB from the emuNAND. Maybe a 64GB SD card will already be fine for me.
 