Edit OFW clean Switch save data from NAND backup/restoring via Fusee Gelee payloads

Discussion in 'Switch - Tutorials' started by kimbra, Jun 17, 2019.

  1. kimbra
    OP

    kimbra Member

    Newcomer
    2
    Jun 6, 2019
    United States
    United States
    Hello! This tutorial will share how I managed to successfully edit my games' save data from OFW NAND and play them without any issue after restoring. When I initially began searching for info on how to do this, it wasn't as readily available as it could've been. Because of that, the process was not very easy to figure out; however, I hope this tutorial can be a useful "all-in-one" reference for anyone looking to do the same! If anything is unclear or missing, always feel free to reply below or send me a PM. Enjoy!

    What you'll need:
    • A Nintendo Switch system that has not been physically patched for the Fusee Gelee exploit (firmware version won't matter)
    • Preferably a microSD card large enough to fit an entire NAND backup onto (I use a 128gb card) to save a TON of time
    • A way to connect your Switch to your computer (I have a USB C MacBook charging cable)
    • A method of booting the Switch into RCM mode (I use a bent paperclip) which user Technicmaster0 has a great list of here
    • A Fusee Gelee payload exploit program like TegraRcmGUI (fusee-launcher for OSX/Linux)
    • Lockpick_RCM for your Switch's console keys
    • hekate for NAND backup and restoring
    • HacDiskMount found here for mounting NAND backups
    • hactoolnet found here for extracting/injecting editable save data
    • A save editor(s) for the game(s) of your choice
    • OPTIONAL: I don't use this myself, but if you prefer, you can use memloader to read the microSD card while your Switch is connected instead of taking the card out and inserting it into your computer (found here with a tutorial here)
    The process:
    Following this guide got me into the Switch hacking scene in the first place. I was curious and found it during a Google search, and I found it to be very helpful! It outlines how to boot your Switch into RCM mode, how to find out if your Switch can use the Fusee Gelee exploit for payloads, how to prepare your microSD card, and how to create a NAND backup (Safety Precautions page)! My advice is to follow this guide to the point where a NAND backup is created on your microSD card, as that's the point where this tutorial will begin. The backup process does take time. Always remember to hold the volume down button when injecting the hekate payload as well.

    Once a rawnand.bin (~30gb) has been created in the root\backup\XXxXXXXX folder of your microSD card utilizing hekate, you will also want to run the Lockpick_RCM payload via TegraRcmGUI in order to obtain all the console-specific keys you'll need. This will create a prod.keys file within the root\switch folder of your microSD card. Once you've successfully gotten your rawnand.bin NAND backup and prod.keys console keys file, you can proceed to your computer.

    Take your microSD card from the Switch and insert it into your computer (or utilize memloader as mentioned above in the What you'll need section). CREATE A BACKUP OF YOUR RAWNAND.BIN AND BOOT0 AND BOOT1 FILES SOMEWHERE SAFE (you should have the two boot files if you followed the sdsetup guide mentioned at the start of this section). I cannot stress this enough. If something goes wrong, these will be what saves your system from becoming a brick.

    Open HacDiskMount and select File > Open file, and then get to the rawnand.bin in the root\backup\XXxXXXXX folder and Open. Scroll all the way down until you find the USER partition and open it via double-click. At this point, you will need the specified BIS Key X indicated in the top-left corner of the Operations on USER window. For example: mine needed BIS Key 3, the Crypto (Upper) and Tweak (Lower) keys. To get those, go to the root of your microSD card, then the switch folder, and prod.keys should be located there. Right-click prod.keys and Open with Notepad. Locate the necessary key (in my case this was bis_key_03), and copy the first 32 characters, then paste them into the Crypto (Upper) field back in HacDiskMount (spaces will automatically populate every two characters), and then do the same thing for Tweak (Lower) except copy and paste the remaining 32 characters. Once done, press the Test button to make sure you've copied correctly, and then Save so you don't have to copy and paste every time later on.

    Under the Virtual drive section of the Operations on USER window, click on the Install button to get the appropriate driver for mounting NAND backups. Once it's finished installing the driver, press Mount. After about 10 seconds or so, you can find your NAND has been mounted as drive A: on your computer. Its files can now be explored! Navigate to the A:\save folder. All of the files listed here are your games' save data files. They aren't easily discernible, so some trial and error is required for locating the right game save you want to edit. Here's a guide on a pretty great method for extracting all the data at once. I used this and then figured out Let's Go only has a file called savedata.bin, and FFX has ffx_00X files and a GameSettings file where X is the save slot in the game. Every game probably has its own distinguishing characteristics, so you might have to get creative in order to find out which save file is the game you want to edit for.

    Once you know exactly which file in A:\save is the one of the game you want to edit, this is where hactoolnet comes in. I currently have individual hactoolnet folders for EVERY game whose saves I edit. You can come up with your own system, but to keep it organized, I have a main hactoolnet folder, and within that, folders of all the games I edit such as FFX hactoolnet and LGE hactoolnet. Then within each of those folders (FFX hactool for example), my setup looks as follows:

    [​IMG]

    Notice the out and sav folders, the extract.bat and inject.bat, and the prod.keys files. These are all required for this to work properly if you follow my method. Everything else should come with the hactoolnet download in the What you'll need section. The extract.bat and inject.bat files will be edited via Notepad. To create them from scratch, right click in your hactoolnet folder window and go to New > Text Document and rename it appropriately. The files will contain the following:

    extract.bat:
    Code:
    hactoolnet.exe -k prod.keys -t save sav/savefilename --outdir out/savefilename
    pause
    For this example, my FFX save data file in A:\save is 0000000000000019, so my script would be:
    Code:
    hactoolnet.exe -k prod.keys -t save sav/0000000000000019 --outdir out/0000000000000019
    pause
    inject.bat:
    Code:
    hactoolnet.exe -k prod.keys -t save sav/savefilename --replacefile /savefile out/savefilename/savefile
    pause
    To maintain the example, the FFX save data I want to edit is specifically the ffx_002 file WITHIN the 0000000000000019 save data file found in the NAND backup, so the script I use would be:
    Code:
    hactoolnet.exe -k prod.keys -t save sav/0000000000000019 --replacefile /ffx_002 out/0000000000000019/ffx_002
    pause
    prod.keys:
    This is just your prod.keys file from earlier. Copy and paste it here from your microSD card root\switch folder.

    Once this has been set up, we can run a test to make sure it works properly. Go back to A:\save and copy the save data file of the game you want to edit. Paste it in the sav folder in our hactoolnet setup. I also recommend making a backup somewhere safe just in case you wreck the save data. After that, run the extract.bat file. This will execute the script we wrote which extracts an editable save file from the save data in the sav folder, and then place it in the out folder. The resulting command prompt window should look similar to this to indicate success (sensitive data removed):
    extract.bat
    Ignore the "Failed" signals at the very top, because as long as your CMAC Signature and Header Hash are both (GOOD), that should be indicative of a successful extract.

    After you get a successful extraction, head into the out folder. There you will now see a folder with the same name as the save data file we took from the NAND's A:\save folder. For me, the folder was 0000000000000019. When I go into that folder, I can see my ffx_002, ffx_001, and GameSettings files. These are the editable save files at this point. If a save editor exists for your game, you'll want to open these files with that program now and make your changes. I will stick to editing just my ffx_002 file in this instance as that's what's outlined in my inject.bat script.

    Once I'm finished making my changes, I overwrite the ffx_002 file and save it. I am now ready to inject it back into the 0000000000000019 file in the sav folder. To do so, all I have to do at this point is run the inject.bat file. This will replace the ffx_002 file inside the 0000000000000019 file and sign the save correctly. Again, the resulting command prompt window should look similar to this to indicate success:
    inject.bat
    Again, you can ignore the "Failed" signals. If you see Replaced file /savefile and Successfully signed save file, then those are very good signs! All that's left to do is get it back into the NAND and then restore.

    Once the inject.bat is finished, you'll be able to go into the sav folder and see your save data file still there; only this time, it's been injected with your edited save file! Copy the save data file (in my example it's the 0000000000000019 file) and go back to the NAND's A:\save folder. Once there paste and overwrite the save data file. After that's finished, go back to HacDiskMount and click Unmount, and close the Operations on USER window. Click File > Close, and then go to root\backup\XXxXXXXX on your microSD card. Move the rawnand.bin file into the restore folder.

    Eject your microSD card from your computer, insert it back into your Switch, and go back to TegraRcmGUI if your Switch isn't still running the hekate payload. Inject the hekate payload while holding the volume down button on the Switch, but skip this step if hekate is still up and running on your Switch from when you made the NAND backup.

    Go to Tools > Restore > Restore eMMC RAW GPP to restore the NAND we pasted our edited and signed save data file into. This, like the NAND backup process, will take some time to complete. Once it's done, though, you're all set! Start the game whose save data file(s) you edited, and see the results of your hard work!

    Some notes:
    As you can probably tell, this process isn't simple by any means. Due to this, and the amount of time it takes to just make a NAND backup and then restore it, I recommend you make a list of edits you'd like to do beforehand in order to make the most of this process each time you do it. To make future save edits, you will have to make another NAND backup again and repeat this process. With my 128gb microSD card, it takes roughly 30 minutes to make a backup, and roughly 30 minutes to restore a backup.

    Thanks for checking out my tutorial! Let me know if it's helpful, and if anyone has anything they'd like to add to the tutorial, please send a PM my way or make a reply here with your recommendation!

    Here are nearly all the resources I found while figuring all of this out for myself:
     
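The key-copying step in the tutorial above (first 32 characters of the BIS key into Crypto (Upper), remaining 32 into Tweak (Lower)) can be checked with a short script. This is an added example, not part of the original post or of any tool it uses. It assumes prod.keys holds one `name = hexvalue` entry per line; the function names are hypothetical and the key values are constructed placeholders.

```python
import re

# Assumption: each key in prod.keys is a single "name = hexvalue" line.
KEY_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)\s*$")

# Constructed sample input, not real console keys. bis_key_00 is deliberately
# cut short to show how a truncated copy is caught.
SAMPLE_KEYS = """\
bis_key_00 = 00112233445566778899aabbccddeeff
bis_key_03 = 00112233445566778899aabbccddeeffffeeddccbbaa99887766554433221100
this line is not a key
"""


def parse_keyfile(text):
    """Return {name: hex string}; lines that are not 'name = hex' are skipped."""
    keys = {}
    for line in text.splitlines():
        match = KEY_LINE.match(line)
        if match:
            keys[match.group(1).lower()] = match.group(2)
    return keys


def split_bis_key(keys, index):
    """Split bis_key_NN into its (crypto, tweak) halves of 32 hex characters each."""
    name = "bis_key_%02d" % index
    if name not in keys:
        raise KeyError(name + " not found in key file")
    value = keys[name]
    if len(value) != 64:
        raise ValueError("%s has %d hex characters, expected 64" % (name, len(value)))
    return value[:32], value[32:]


def spaced(hex_string):
    """Group hex characters in pairs, the way the HacDiskMount fields display them."""
    return " ".join(hex_string[i:i + 2] for i in range(0, len(hex_string), 2))


if __name__ == "__main__":
    keys = parse_keyfile(SAMPLE_KEYS)
    crypto, tweak = split_bis_key(keys, 3)
    print("Crypto (Upper):", spaced(crypto))
    print("Tweak (Lower): ", spaced(tweak))
```

To use it on a real file, replace `SAMPLE_KEYS` with the text read from your own prod.keys and pass the BIS key number that HacDiskMount asks for.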
  2. bootmonster

    bootmonster GBAtemp Fan

    Member
    7
    Oct 26, 2002
    United States
    I previously used this method to get my Mario Odyssey save from my hacked switch to my legit switch, worked perfectly!

    Nice job on the tutorial dude.
     
    TyoLoki and kimbra like this.
  3. ikithme

    ikithme GBAtemp Regular

    Member
    2
    Mar 28, 2015
    United States
    I asked about this a bit back after I ran through this myself (before this Tut was made) and was told it is still possible to get banned as Nintendo can pick up on edited saves. Might be a good idea to add a "use this at your own risk" type of thing?
     
  4. kimbra
    OP

    kimbra Member

    Newcomer
    2
    Jun 6, 2019
    United States
    United States
    Yes, I’ve heard of SSBU saves getting either consoles or users banned, can’t remember exactly. Have you heard of certain games affecting in particular? Is this occurring no matter the game?
     
  5. ikithme

    ikithme GBAtemp Regular

    Member
    2
    Mar 28, 2015
    United States
    I'm not exactly sure. I proof-of-concepted this procedure myself in another thread, but when I asked about doing it on my clean switch to inject a BOTW save I was told "Nintendo can detect edited saves and if you go online with that switch you will be banned". Now, I'm really not sure if they care about single-player games, but honestly I'm not willing to risk my clean switch over an edited save when I have a hacked switch I can play edited saves on.
     
  6. kimbra
    OP

    kimbra Member

    Newcomer
    2
    Jun 6, 2019
    United States
    United States
    It makes sense for online games. SSBU and Splatoon 2 have been ones I recall hearing ban stories of over edited saves. It’s a great point to add an at your own risk clause though, so thanks for the idea!

    I guess I’ll see how this goes with my own Switch and keep updated if anything happens.
     
  7. ikithme

    ikithme GBAtemp Regular

    Member
    2
    Mar 28, 2015
    United States
    Please do, I'd personally like to know if Nintendo gives a darn about SP game save editing.
     
  8. loler55

    loler55 GBAtemp Advanced Fan

    Member
    6
    Jan 4, 2012
    Gambia, The
    I use Checkpoint, it's easier.
     
  9. ikithme

    ikithme GBAtemp Regular

    Member
    2
    Mar 28, 2015
    United States
    Checkpoint requires CFW, this does not.
     
    Fabian Schuchhardt likes this.
  10. RHOPKINS13

    RHOPKINS13 Geek

    Member
    8
    Jan 31, 2009
    United States
    Thanks for the tutorial.

    I don't really do any save "editing", but I've used Checkpoint on an otherwise clean nand to restore individual game saves from when I was playing with CFW. I know this is risky, but so far I haven't been banned for it.

    Still, I'd love it if someone came out with a save manager that worked from RCM, so you could backup and restore game saves without booting into CFW or going through these tedious steps.
     
    kimbra likes this.
  11. ikithme

    ikithme GBAtemp Regular

    Member
    2
    Mar 28, 2015
    United States
    If you are using CFW online (Checkpoint requires CFW) you will be banned eventually, you're only safe if you're offline until you run a clean NAND or if you're using some sort of emunand (also offline only).
     
    Last edited by ikithme, Jun 17, 2019
  12. RHOPKINS13

    RHOPKINS13 Geek

    Member
    8
    Jan 31, 2009
    United States
    As I said, I know it's risky. I keep these "Clean NAND Checkpoint Sessions" offline and as brief as I can. I know there are a few others on this forum that have done the same and haven't been banned. If creport is doing its job keeping homebrew errors out of the sysnand error log, and no NSPs are being installed, I think there are minimal, if any, signs of tampering.

    I'll basically say that in one instance, I had made significant progress in Let's Go Pikachu while on a "dirty" nand, and then later got the pokeball accessory and wanted to go online and get the mew from it (with a legit cartridge). I've never used a save editor or cheat codes, I just use Checkpoint for backup and restore. I backed up my Let's Go save on my dirty nand, restored my "clean" nand, ran Atmosphere and used Checkpoint to restore my save.

    This was at least a few months ago. I've used Checkpoint for other saves too. Like I said, I know there is an element of risk in it, but so far I've been lucky and I'm not the only one.
     
  13. MushroomGod

    MushroomGod Member

    Newcomer
    1
    Apr 22, 2019
    United States
    Chicago
    Hey thanks for all the work. When I do my Let's Go file I get "Unable to sign save file. Do you have all the required keys?" Which I do in the same folder. Any idea?

    Edit: Maybe I'm using an old key file? I pulled it in December. However, I doubt anything has changed since then.
     
    Last edited by MushroomGod, Jun 17, 2019
  14. bootmonster

    bootmonster GBAtemp Fan

    Member
    7
    Oct 26, 2002
    United States
    Are you on a different firmware version since then? Some of the keys will change dependent on firmware.
     
  15. MushroomGod

    MushroomGod Member

    Newcomer
    1
    Apr 22, 2019
    United States
    Chicago
    Everything was pulled at the same time. It's older because I was just using this as a test.
     
  16. bootmonster

    bootmonster GBAtemp Fan

    Member
    7
    Oct 26, 2002
    United States
    So were the keys extracted on an older firmware than you are on now?

    You are about as clear as mud here!
     
  17. MushroomGod

    MushroomGod Member

    Newcomer
    1
    Apr 22, 2019
    United States
    Chicago
    Lol. I re-pulled everything and got the same error. So up to date firmware and new key file.
     
  18. kimbra
    OP

    kimbra Member

    Newcomer
    2
    Jun 6, 2019
    United States
    United States
    Did the extract.bat script say your CMAC Signature and Header Hash were (GOOD)?
     
  19. MushroomGod

    MushroomGod Member

    Newcomer
    1
    Apr 22, 2019
    United States
    Chicago
    I'll have to check when I get home, thanks for this btw.
     
  20. ikithme

    ikithme GBAtemp Regular

    Member
    2
    Mar 28, 2015
    United States
    Mushroom, you should be able to use lockpick_rcm to get your full list of keys (prod.keys, I believe); this will allow you to re-sign your saves after editing.
     