Hacking Question Bought a faulty board, NO BOOT0/1, unknown PKG1, no BISkeys

tomsek68
I bought a "faulty" board from eBay. No charging symbol, no Nintendo logo.
  • MT92T36 and BQ chips were replaced by the original owner/shop.
    • I had to redo these; they did a rather sloppy job.
  • Seller sent it with the eMMC plugged in the wrong way.
  • RCM OK, boots Hekate IPL. BQ reports correctly, MT voltages are OK.

It won't go into RCM mode automatically.
  • Hekate reports that AutoRCM is ON.
  • If I try to disable it, it hangs, then says it was successful.
  • After a reboot, it still says it's on. Still no RCM automatically.

Hekate reports "Uknown pkg1 version for reading TSEC firmware".
After dumping I have noticed (with a hex editor):
  • PKG1 (hekate says that it is "encrypted") - all zeros.
  • BOOT0 and BOOT1 are almost completely zeros, with some @ symbols.

Also:
  • Biskeydump's keys won't pass in HacDiskMount.
  • Tried Lockpick/hactool, no success.
  • The console *can* make a dump of a known good eMMC.
  • I think this is NOT the original NAND, because the double-sided tape pieces are not matching on the WIFI shield/eMMC.
What do you suggest? (Dumps attached...)

Attachments
  • dba9058.zip (10.1 KB)
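A quick way to put numbers on what the hex editor shows (PKG1 all zeros, BOOT0/BOOT1 near-empty with stray @ bytes) is to classify each block of a raw dump by zero fraction and byte entropy: a working encrypted BOOT0/PKG1 region reads as near-random bytes, a blank chip reads as zeros. This is an added example, not code from the thread or from hekate/Lockpick; the block size and thresholds are assumptions, and the sample data is constructed.

```python
import math
import random
from collections import Counter

# Assumed thresholds (not from the thread): a block is "blank" if at least 99% of
# its bytes are zero; encrypted/random data sits close to 8 bits per byte.
ZERO_FRACTION_BLANK = 0.99
ENTROPY_HIGH = 7.5
BLOCK_SIZE = 4096


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of one block, in bits per byte."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    """Label a block 'blank', 'high-entropy' (looks encrypted) or 'low-entropy'."""
    if block.count(0) / len(block) >= ZERO_FRACTION_BLANK:
        return "blank"
    if shannon_entropy(block) >= ENTROPY_HIGH:
        return "high-entropy"
    return "low-entropy"


def triage_dump(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Count blocks per class and report the dominant non-zero byte value
    (0x40, the '@' seen in the hex editor, is a tell of a near-empty region)."""
    labels = Counter(classify_block(data[i:i + block_size])
                     for i in range(0, len(data), block_size))
    nonzero = Counter(b for b in data if b != 0)
    top = nonzero.most_common(1)[0][0] if nonzero else None
    return {"blocks": dict(labels), "top_nonzero_byte": top}


def make_sample() -> bytes:
    """Constructed stand-in for a dump: one all-zero block, one zero block with
    '@' every 64 bytes, one seeded pseudo-random block standing in for ciphertext."""
    rng = random.Random(1)
    sparse = bytes(0x40 if i % 64 == 0 else 0 for i in range(BLOCK_SIZE))
    noisy = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return bytes(BLOCK_SIZE) + sparse + noisy


if __name__ == "__main__":
    print(triage_dump(make_sample()))
```

For a real dump, read the BOOT0/BOOT1 or PKG1 file with `open(path, "rb").read()` and pass it to `triage_dump`; a region that comes back entirely "blank" was never written, which matches the "replaced with a clean eMMC" explanation rather than a key or decryption problem.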

thesjaakspoiler
Sounds like they replaced the original eMMC with new/clean eMMC.
They sell those on Aliexpress and other sites.

But without the original eMMC, there is not much hope of installing a new system on it.
That is something that still hasn't been figured out yet.

You could consider installing Android on it as it uses the SD card and not the eMMC afaik.
Or sell it off for parts on eBay.
 

tomsek68
I am thinking about circumventing the encryption of the eMMC. What does HOS do with these partitions apart from booting the system and online verification?
Maybe with an unencrypted installation of HOS and a payload to pull the data from the eMMC?

I have a board which was in my personal Switch.
It had WiFi and other problems, so I decided to salvage the Tegra and use it on this board. It has the eMMC (and backups ofc), so it should be good if the board is fine.
 