Hacking Discussion Cracked SX OS recovery

[Rel]

Looks like the story of the fake crack made it to SpawnWave

 

[mugendc4]

he is a member of gbatemp so he's bound to stumbled into these threads.

 

[guily6669]

My opinion for who have the Switch on this bad situation is maybe buy a used cheap broken LCD Switch from ebay and change the board to yours (if u have no backup) .

 

[darrin41]

i was successfully able to recover from my brick by not downloading from untrusted site

people seriously. i dont know how many times its been said to make a back up of your nand dump. i bet you will start listening now.

 

[Subtle Demise]

What we need is leak, dump of the 'factory setup' launcher:

Source: http://switchbrew.org/index.php?title=Factory_Setup

Setup Process
At the factory, a minimal version of the Switch OS is installed. A modified version of the boot2 title (boot2.manuBoot) is installed that launches an additional "Manu" sysmodule, and the system config title specifies to launch "Test Application Launcher" instead of qlaunch.

Test Application Launcher is used to launch a number of tests, "CAL0" calibration data is written to NAND, and retail firmware is installed.

Titles
Overview
Factory firmware contains a stripped down version of the Switch's OS with unnecessary titles removed, and a number of additional debug titles installed. The version of the OS installed at the factory is receiving updates as new switches are manufactured. At least four revisions of factory firmware are known to have been used in production.

[IMG]http://switchbrew.org/images/thumb/0/0f/TestApplicationLauncher.jpg/400px-TestApplicationLauncher.jpg[/IMG]
TestApplicationLauncher running on a console.
Removed Titles
[LIST]
[*]The following system data archive titles are present in retail firmware, but not installed at the factory: 0100000000000801, 0100000000000803, 0100000000000804, 0100000000000805, 0100000000000808, 010000000000080A, 010000000000080B, 010000000000080C, 010000000000080D, 010000000000081A, 010000000000081B, 010000000000081E.
[/LIST]
[LIST]
[*]Every System Applet "10XX" title is not installed.
[/LIST]
[LIST]
[*]01008BB00013C000 ("flog") is not installed.
[/LIST]
Factory-Only Titles
Title ID Name Description
0100000000002000 BoardFunction Board testing.
0100000000002001 A3Wireless Wireless testing.
0100000000002002 C1LcdAndKey LCD/Keyboard testing.
0100000000002003 C2UsbHpmic USB testing.
0100000000002004 C3Aging Graphics/Framerate testing.
0100000000002005 C4SixAxis Sixaxis (controller peripheral) testing.
0100000000002006 C5Wireless Wireless testing.
0100000000002007 "FinalCheck"
0100000000002044 "HB-TBIntegrationTest"
010000000000204E A4BoardCalWriti Writes calibration data to NAND.
010000000000209C TestApplication "Test Application Launcher", factory qlaunch replacement. Used to launch other tests.
010000000000B14A Manu Manufacturing sysmodule.
1000000000000001 SystemInitializ Strings internally refer to this as "SystemInitializer". See here.
1000000000000004 CalWriterManu  ?
1000000000000007 "ApplicationLauncer"

This app, products the 'prodinfo' section, so if we could find this app, maybe we could make a payload that generates new nand setup?

Yes, we need this. Who's willing to do some corporate espionage?

 

[Mat37]

I have my PRODINFO but it didn't worked for me ...

 

[wurstpistole]

I have my PRODINFO but it didn't worked for me ...

There is one guy in the old thread who said a full raw nand restored did fix the issue. Maybe just PRODINFO is not enough.

 

[Mat37]

There is one guy in the old thread who said a full raw nand restored did fix the issue. Maybe just PRODINFO is not enough.

Because of the GPT thing

 

[wurstpistole]

Because of the GPT thing

No idea dude. But thanks for the info, will additionally make a full raw backup later.

 

[mranonymous]

Depends on your SD card speed. Mine took 45 mins but my console was completely clean at the time. It just had my profile on it and nothing else. I'm not sure if that makes any difference.

How big is the backup? Also, which app did you use to backup the Nand? Can a Nand backup restore most soft bricks?

Thanks for any help

 

[Mat37]

How big is the backup? Also, which app did you use to backup the Nand? Can a Nand backup restore most soft bricks?

Thanks for any help

A nand backup is 32GB (the size of your eMMC), you can restore it with the same payload you back it up with (hekate) and yes it can recover most (if not all) soft bricks

 

[eXhumer]

How big is the backup? Also, which app did you use to backup the Nand? Can a Nand backup restore most soft bricks?

Thanks for any help

29.1GB. Hekate Payload. Most probably yes, but can't say for certain.