Hacking Booting to hekate without eMMC?

[Bradlin]

I have a V2 switch with a dead eMMC. It's completely dead, I've checked with a scope and nothing comes out of DAT0, it stays at 1.8V all the time.

I want to boot to hekate to dump the keys and rebuild a sysnand, for which I have ordered the replacement eMMC board (which hasn't arrived yet). I've already installed a picofly on the switch.

I wanted to boot to hekate without the eMMC to get going, but the picofly cannot do that. I've checked the code of the firmware and it depends on the activity from the eMMC chip to glitch at the right time. So no glitching possible without eMMC. As far as I know this can be done with unpatched consoles through RCM.

It should be technically possible to modify the picofly firmware to simulate the eMMC and get the console to glitch and boot to hekate. While I'm waiting for the replacement eMMC, I'd like to try that. Maybe it's already been done? Any information is welcome.

 

[l7777]

I'm sure someone will correct me if I'm wrong but I'm pretty sure the keys you're after are stored on the EMMC

 

[Hayato213]

I have a V2 switch with a dead eMMC. It's completely dead, I've checked with a scope and nothing comes out of DAT0, it stays at 1.8V all the time.

I want to boot to hekate to dump the keys and rebuild a sysnand, for which I have ordered the replacement eMMC board (which hasn't arrived yet). I've already installed a picofly on the switch.

I wanted to boot to hekate without the eMMC to get going, but the picofly cannot do that. I've checked the code of the firmware and it depends on the activity from the eMMC chip to glitch at the right time. So no glitching possible without eMMC. As far as I know this can be done with unpatched consoles through RCM.

It should be technically possible to modify the picofly firmware to simulate the eMMC and get the console to glitch and boot to hekate. While I'm waiting for the replacement eMMC, I'd like to try that. Maybe it's already been done? Any information is welcome.

You can boot into hekate but you need lockpick_rcm for the key, but without an emmc no keys.

 

[Bradlin]

I'm sure someone will correct me if I'm wrong but I'm pretty sure the keys you're after are stored on the EMMC

I will reconstruct an eMMC from a backup of another console, that's not a problem.

But for that, if I understand correctly, I need the BIS keys which are derived from the TSEC key and SBK key, both of which are console-unique and not on the eMMC. SBK can be read from fuses and TSEC can be cracked from a partial dump (partial_aes.bin).

You can boot into hekate but you need lockpick_rcm for the key, but without an emmc no keys.

I can't boot into hekate since the picofly firmware requires a working eMMC chip to glitch; mine is completely dead.

 

[Hayato213]

I will reconstruct an eMMC from a backup of another console, that's not a problem.

But for that, if I understand correctly, I need the BIS keys which are derived from the TSEC key and SBK key, both of which are console-unique and not on the eMMC. SBK can be read from fuses and TSEC can be cracked from a partial dump (partial_aes.bin).


I can't boot into hekate since the picofly firmware requires a working eMMC chip to glitch; mine is completely dead.

You can't as key are console specific

 

[Bradlin]

You can't as key are console specific

Yes it's possible, you can have a look at sthetix guide about doing this.

 

[Hayato213]

Yes it's possible, you can have a look at sthetix guide about doing this.

You can't use the key or nand backup of another system unless you want to brick. To rebuild a nand you need the key for that specific system.

 

[Bradlin]

You can't use the key or nand backup of another system unless you want to brick. To rebuild a nand you need the key for that specific system.

That's what I was saying, sorry if that was unclear.

I want to run RCM lockpick to get the BIS keys from the switch with the dead eMMC, then rebuild an eMMC by decrypting a backup from another switch, and re-encrypting it with the BIS keys from the switch with the dead eMMC.

 

[Hayato213]

That's what I was saying, sorry if that was unclear.

I want to run RCM lockpick to get the BIS keys from the switch with the dead eMMC, then rebuild an eMMC by decrypting a backup from another switch, and re-encrypting it with the BIS keys from the switch with the dead eMMC.

You won't be able too, you need key from the dead emmc switch, you can't get the key when the emmc is dead.

 

[Bradlin]

You won't be able too, you need key from the dead emmc switch, you can't get the key when the emmc is dead.

The BIS keys are derived from the device key which is on the tegra chip. I've looked at Lockpick_RCM's code, and it will dump the BIS keys even if the eMMC is dead.

 

[duckbill007]

You are right. All you need is to run lockpick RCM

 

[Hayato213]

The BIS keys are derived from the device key which is on the tegra chip. I've looked at Lockpick_RCM's code, and it will dump the BIS keys even if the eMMC is dead.

If you don't have an emunand setup, you need a working sysmmc eMMC to dump key with lockpick_rcm. You can use a modified hekate to restore the nand if you did have a nand back for this unit.

 

[Bradlin]

Reporting back on this after I got a replacement eMMC chip.

The Picofly boots to hekate without any issue, and lockpick is able to dump some keys, although it cannot read the eMMC. As expected, among these keys are the BIS keys, and all the device unique keys (which are stored on the CPU ROM).

Then I used prodinfo_gen to generate a PRODINFO partition which is usable by the switch (but will be rejected by nintendo's servers: it's like having a banned switch).

Finally, using an eMMC dump from another working switch, I was able to recreate a working eMMC dump by following sthetix's guide, and flash it to the new eMMC chip. It took some time, but I have now a working switch, which can even boot fully stock. The only strange part is that the switch initially refused to boot stock (black screen after Nintendo logo). I had to boot atmosphere on the sysMMC once before it accepted to boot stock.

TL;DR: yes, it is possible to revive a switch with a dead eMMC and without a backup.

 

[linuxares]

Reporting back on this after I got a replacement eMMC chip.

The Picofly boots to hekate without any issue, and lockpick is able to dump some keys, although it cannot read the eMMC. As expected, among these keys are the BIS keys, and all the device unique keys (which are stored on the CPU ROM).

Then I used prodinfo_gen to generate a PRODINFO partition which is usable by the switch (but will be rejected by nintendo's servers: it's like having a banned switch).

Finally, using an eMMC dump from another working switch, I was able to recreate a working eMMC dump by following sthetix's guide, and flash it to the new eMMC chip. It took some time, but I have now a working switch, which can even boot fully stock. The only strange part is that the switch initially refused to boot stock (black screen after Nintendo logo). I had to boot atmosphere on the sysMMC once before it accepted to boot stock.

TL;DR: yes, it is possible to revive a switch with a dead eMMC and without a backup.

Good job . Reminds me a bit how pikabrick fixer works

 

[xiran64]

Reporting back on this after I got a replacement eMMC chip.

The Picofly boots to hekate without any issue, and lockpick is able to dump some keys, although it cannot read the eMMC. As expected, among these keys are the BIS keys, and all the device unique keys (which are stored on the CPU ROM).

Then I used prodinfo_gen to generate a PRODINFO partition which is usable by the switch (but will be rejected by nintendo's servers: it's like having a banned switch).

Finally, using an eMMC dump from another working switch, I was able to recreate a working eMMC dump by following sthetix's guide, and flash it to the new eMMC chip. It took some time, but I have now a working switch, which can even boot fully stock. The only strange part is that the switch initially refused to boot stock (black screen after Nintendo logo). I had to boot atmosphere on the sysMMC once before it accepted to boot stock.

TL;DR: yes, it is possible to revive a switch with a dead eMMC and without a backup.

The emmc that comes to you, are in blank? I know, or i've think, at least it needs boot0 and boot1 partition, or not?

 

[Bradlin]

The emmc that comes to you, are in blank? I know, or i've think, at least it needs boot0 and boot1 partition, or not?

They were not blank but it doesn't matter, in the end you have to do a full restore of the raw nand data.

You get the boot0 and boot1 partition for the backup of another nand.

 

[xiran64]

They were not blank but it doesn't matter, in the end you have to do a full restore of the raw nand data.

You get the boot0 and boot1 partition for the backup of another nand.

Ok, but You can put a blank emmc? I mean, totally blank, no boot0/1 partitions, and no other partitions (the question is to don't do, the step to partitioning and write boot0/1 with data, basically)

 

[evil_santa]

Ok, but You can put a blank emmc? I mean, totally blank, no boot0/1 partitions, and no other partitions (the question is to don't do, the step to partitioning and write boot0/1 with data, basically)

If you have a picofly or an modchip with the newer hwfly-nx firmware you can boot to a completely empty emmc.
After this you can dump your key's and rebuild a new nand.
I did this a while ago.

 

[xiran64]

If you have a picofly or an modchip with the newer hwfly-nx firmware you can boot to a completely empty emmc.
After this you can dump your key's and rebuild a new nand.
I did this a while ago.

Ok! Thx! It's only a doubt, i revive My oled with an emmc from an old celular, i've revive it writing Hidden partitions with octoplus

 

[Mn3s]

Ok! Thx! It's only a doubt, i revive My oled with an emmc from an old celular, i've revive it writing Hidden partitions with octoplus

If you have a picofly or an modchip with the newer hwfly-nx firmware you can boot to a completely empty emmc.
After this you can dump your key's and rebuild a new nand.
I did this a while ago

Is this possible only on V2, or also on oled. Asking because after changing sk hynix emmc to a samsung blank one, picofly gives *=* error without further succes.