Hardware eMMC Issue when connected to board

rblackburnuk

Member
OP
Newcomer
Joined
May 7, 2020
Messages
18
Trophies
0
Age
35
XP
61
Country
United Kingdom
I got an unpatched switch off eBay that was sold as not turning on.

The issue seems to be related to the eMMC. If I disconnect the eMMC and plug it into the computer, RCM is detected and I can boot Hekate. If the eMMC is connected to the board, the PC won't see the console.

As this is from eBay I don't have any sort of Nand backup.

Here is an image of the HW and Cached Fuses info, TSEC Keys and Bootrom info with the eMMC disconnected.

imgur (dot) com / VhSnKQU
imgur (dot) com / PLx3x3s
imgur (dot) com / skYENU2

Since I'm new to all this the question is, is there anything I can do?

Any advice appreciated
 

rblackburnuk

I've managed to get it working with the eMMC plugged in. Had to get the jig, and then it was able to correctly get into recovery mode and dump a full NAND backup and boot0/boot1 .bins.

Still won't boot into anything. Hekate says it has burnt 12 fuses, which would put the firmware at 9.1.0-9.2.0. But running Firmware Version Inspector on the raw dump says it's on 5.1.0.

I can't dump the biskeys correctly, but when I open HacDiskMount the keys are pre-filled for the safe, system and user, which is what was used for Firmware Version Inspector.

At a loss at the moment.
 

LIY2012

Well-Known Member
Newcomer
Joined
Apr 29, 2020
Messages
50
Trophies
0
Age
48
XP
134
Country
Japan
Why can't you dump the biskeys correctly? Did you try biskeydumpv9 or Lockpick_RCM?

It sounds like the previous owner might have been running CFW on it or tried to downgrade the firmware for some reason.

What is your end goal with this switch? If you just want to return it to stock, you should be able to do that using choidujourNX to update to firmware 9.1.0 and then boot it normally.
 

rblackburnuk

Firstly thanks for helping :)

Using biskeydumpv9 it shows the following:

HWI: xxxx...
SBK: xxxx...
SBK AESE 0 (test) : xxx....
eMMC initialized, looking for TSEC FW...
Found TSEC FW at offset 0x00101900 of boot0...
TSEC FW CRC32: b035021f - CORRECT
TSEC using carveout 0x4003b000 rev 1
TSEC Key: XXX...
TSEX AESE 0 (test): XXXX....
Keyblob decrypted using current SBK & TSEC keys NOT VALID!
ERROR deriving device keydata (retVal -14), cannot continue

Shows the emoji and the small QR code in the red box which only scans as the HWI, SBK and the TSEC Key.

My end goal would be to get the stock firmware booting and then I can go from there.

Tried to follow some guides relating to choidujourNX, but no CFW will boot, and the Windows method says I need some keys; none of the ones I found online seem to work when trying to make the install files from the firmware.

I'm new to this so I've spent the best part of a week going through as much as I can so forgive me if I use the wrong terminology here and there.
 

LIY2012

You have both the SBK and TSEC keys, did you try getting the biskeys using the online generator at https://sdsetup.com/biskeygen?

See if you can decrypt the PRODINFO and check that the serial number matches the sticker on the bottom of the switch. The serial number should be located at offset 0x0250.

Is it possible the eMMC was swapped from a different switch? As long as you have a valid PRODINFO, you should be able to get it working again.
 
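One way to do the serial check suggested in the reply above, as an added example that is not from the thread or any of the tools it mentions. It works on an already decrypted PRODINFO dump; the only value taken from the thread is the 0x250 offset, while the "CAL0" magic and the 0x18-byte NUL-padded serial field are assumptions about the calibration layout.

```python
# Added example, not from the thread: check a decrypted PRODINFO (CAL0) dump
# against the serial printed on the console sticker, as suggested above.
# Assumptions (only the 0x250 offset comes from the thread): the decrypted
# image starts with the ASCII magic "CAL0", and the serial is NUL-padded
# ASCII of at most 0x18 bytes at 0x250.
CAL0_MAGIC = b"CAL0"
SERIAL_OFFSET = 0x250   # from the thread
SERIAL_LEN = 0x18       # assumed field width


def read_serial(prodinfo: bytes) -> str:
    """Return the serial string stored in a decrypted PRODINFO image.

    Raises ValueError when the data does not look like decrypted CAL0, which
    is the usual symptom of a still-encrypted dump or wrong BIS keys.
    """
    if len(prodinfo) < SERIAL_OFFSET + SERIAL_LEN:
        raise ValueError("image too short to contain the serial field")
    if prodinfo[:4] != CAL0_MAGIC:
        raise ValueError("no CAL0 magic: dump still encrypted or BIS keys wrong")
    raw = prodinfo[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LEN]
    serial = raw.split(b"\x00", 1)[0]
    if not serial or not serial.isascii() or not serial.isalnum():
        raise ValueError(f"serial field is not printable ASCII: {raw!r}")
    return serial.decode("ascii")


def matches_sticker(prodinfo: bytes, sticker: str) -> bool:
    """True when the dump's serial equals the sticker (case/whitespace ignored)."""
    return read_serial(prodinfo).upper() == sticker.strip().upper()


def build_sample_prodinfo(serial: str) -> bytes:
    """Constructed test image; not a real console dump."""
    image = bytearray(0x8000)
    image[0:4] = CAL0_MAGIC
    image[SERIAL_OFFSET:SERIAL_OFFSET + len(serial)] = serial.encode("ascii")
    return bytes(image)


if __name__ == "__main__":
    dump = build_sample_prodinfo("XAW10000000000")   # constructed serial
    print("serial in dump:", read_serial(dump))
    print("matches sticker:", matches_sticker(dump, "xaw10000000000"))
```

A mismatch here, with a valid CAL0 magic, is the signal that the eMMC came from a different console.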

rblackburnuk

Using the link you sent I was able to get the BIS 0,1,2,3 Crypt and Tweak keys. HacDiskMount actually has these pre-filled; they are the same and all test OK.

I can confirm the serial at this offset is the same as my console sticker.

 

rblackburnuk

Using Lockpick it was able to generate a prod.key file with lots of keys (45 in total); however, during this process it shows some errors.



Keyblob Source 0 - 5 were generated, but I guess if I use these I'll get the same issues?
 

LIY2012

Wow, that's great! It sounds like you have everything you need to get it working again.

I don't know if it's necessary, but I would probably try fixing the keyblobs using linkle to regenerate your encrypted keyblobs as discussed in this thread.
https://gbatemp.net/threads/keyblob-0-to-5-corrupted.548659/

You'll need your SBK and TSEC key, but the other keys you can get from the internet. You only need the following keys in your prod.keys file:
keyblob_key_00
keyblob_key_01
keyblob_key_02
keyblob_key_03
keyblob_key_04
keyblob_key_05
keyblob_key_source_00
keyblob_key_source_01
keyblob_key_source_02
keyblob_key_source_03
keyblob_key_source_04
keyblob_key_source_05
keyblob_mac_key_source
secure_boot_key =
tsec_key =

After that, you should be able to get all your keys using bisdump. You can use them to make a new firmware using choidujour (not choidujourNX). Just follow the manual downgrade guide on the internet.

Finally, you should be able to launch Atmosphere and run ChoidujourNX to upgrade back to stock firmware.

Good Luck
 

rblackburnuk

Brilliant, thank you

Just one more question if I may.

I saw on another thread that choidujour only works up to FW 6.1, so given that the tools I can find suggest it's on 5.1.0 but my fuse burn count of 12 says it's 9.1.0 - 9.2.0, I should try doing this using FW 5.1 and then updating to the correct firmware for the fuse count?
 

LIY2012

I think that should work.
 

rblackburnuk

Sorry to be a pain in the ass lol

I found a prod.keys file from Yuzu emulator which was added on the 22 March. Used this in my prod.key file but replaced only the tsec and secure boot keys with my dumped ones.

Ran linkle and it did output lots of data including keyblob_00 - 05, encrypted_keyblob_00 - 05 and a new set of keyblob_key_00.

Part of the encrypted_keyblob_00 - 05 looks like this: 52C7F95B437DEFB2B9ADBC0C8B3AC66F000000000000000000000000000000004EC388FA....

Does that look about right?

I assume I have to open my hex editor and copy each of the encrypted_keyblob_00 - 05 to each offset, as these are the same length. Then use TegraRCM to mount the Boot0 and then Ether to reinsert this boot0 file?

Or can I skip this step and use this new prod.key linkle made to create the new firmware using choidujour?
 

LIY2012

I believe firmware version 5.1 still uses the keyblobs, so you would need them for that. You just need to edit the encrypted keyblobs into the BOOT0 file at the proper offset as described in the other thread. You can verify that they are correct by checking that biskeydump and Lockpick no longer give you the error. You might actually be able to boot the 5.1 that is on the eMMC through hekate once you fix the keyblobs.

Choidujour needs the following keys (which are different from the ones used by linkle):
aes_kek_generation_source
aes_key_generation_source
header_kek_source
header_key
header_key_source =
key_area_key_application_source =
key_area_key_ocean_source =
key_area_key_system_source =
master_key_00 =
master_key_01 =
master_key_02 =
master_key_03 =
master_key_04 =
master_key_05 =
master_key_06 =
master_key_07 =
master_key_source =
package2_key_source =
sd_card_kek_source =
sd_card_nca_key_source =
titlekek_source =
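The "edit the encrypted keyblobs into BOOT0" step from the reply above, and the hex-editor copying the previous post asks about, as an added example that is not from the thread, linkle or hekate. It parses the encrypted_keyblob_NN lines from a linkle-style keys file and writes them into a copy of the BOOT0 dump; the slot layout (six 0xB0-byte slots from 0x180000, 0x200 apart) is an assumption not stated on the page, so check it against the thread linked above before using it.

```python
# Added example, not from the thread or from linkle/hekate: write linkle's
# encrypted_keyblob_00..05 values into a BOOT0 dump, the "hex editor" step
# discussed above, with the length and bounds checks a hex editor skips.
# Assumed layout (not stated on the page): six 0xB0-byte slots starting at
# 0x180000, 0x200 bytes apart.
import re
from typing import Dict

KEYBLOB_BASE = 0x180000   # assumed offset of slot 0 in BOOT0
KEYBLOB_STRIDE = 0x200    # assumed distance between slots
KEYBLOB_SIZE = 0xB0       # assumed size of one encrypted keyblob
KEYBLOB_COUNT = 6

_LINE = re.compile(r"^\s*encrypted_keyblob_(\d{2})\s*=\s*([0-9A-Fa-f]+)\s*$")


def parse_encrypted_keyblobs(keys_text: str) -> Dict[int, bytes]:
    """Pull encrypted_keyblob_NN = <hex> entries from a linkle-style keys file."""
    blobs: Dict[int, bytes] = {}
    for line in keys_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        index, hexval = int(m.group(1)), m.group(2)
        if len(hexval) != KEYBLOB_SIZE * 2:
            raise ValueError(f"encrypted_keyblob_{index:02d}: expected "
                             f"{KEYBLOB_SIZE} bytes, got {len(hexval) // 2}")
        blobs[index] = bytes.fromhex(hexval)
    return blobs


def patch_boot0(boot0: bytes, blobs: Dict[int, bytes]) -> bytes:
    """Return a copy of boot0 with each keyblob written into its slot."""
    out = bytearray(boot0)
    for index, blob in blobs.items():
        if not 0 <= index < KEYBLOB_COUNT:
            raise ValueError(f"keyblob index {index} out of range")
        off = KEYBLOB_BASE + KEYBLOB_STRIDE * index
        if off + KEYBLOB_SIZE > len(out):
            raise ValueError(f"BOOT0 image too small for slot {index}")
        out[off:off + KEYBLOB_SIZE] = blob
    return bytes(out)


def slot_bytes(boot0: bytes, index: int) -> bytes:
    """Read one slot back, to verify the write before restoring."""
    off = KEYBLOB_BASE + KEYBLOB_STRIDE * index
    return boot0[off:off + KEYBLOB_SIZE]
```

Write the returned bytes to a new file and compare slot_bytes() with the keys file before restoring BOOT0; biskeydump no longer reporting the keyblob error is the confirmation the reply above describes.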
 

rblackburnuk

Getting closer now after fixing the keyblob :)

Through hekate, if I press Stock (sysnand) the Nintendo logo shows, then a blank screen, which is more than I've had so far...

I'll continue with the firmware side of things now.
 

rblackburnuk

So... With the fixed keyblob, biskeydumpv9 reports no errors and dumps the keys.

If I then follow the steps and use Choidujour to create the 5.1.0 firmware bins and put them on the console following this guide https://www.youtube.com/watch?time_continue=1926&v=JTYmXY0YbJw and try to run CFW via hekate, I get the Atmosphere logo, then an error at the top saying PKG2 decryption failed, failed to launch HOS. If I then try biskeydumpv9 again, the keys are corrupt.

Followed the video to the letter. Will take a break for a few hours I think and revisit it.
 

LIY2012

That is strange. Maybe double check each step and try again. Did you use the updated hekate_ipl.ini and FS510-exfat_nocmac_nogc.kip1 files from choidujour? Also, make sure you transfer the BCPKG2-1-Normal-Main.bin and BCPKG2-2-Normal-Sub.bin as unencrypted (biskey should be blank).

Did you try following the guide here? https://switch.homebrew.guide/usingcfw/manualchoiupgrade
 

rblackburnuk

I must be doing something wrong.

Followed the guide to the letter (I'm 100% sure of it).

When it comes to step 13.10 "Return to the main menu, then select ‘Launch > FS_XXX-exfat_nocmac_nogc’ where XXX is the firmware version you downgraded to."

I see the Kosmos Atmosphere screen and it just hangs on this until I hold the power button down. If I then go back into RCM and use Lockpick to dump the keys, I'm back to the same keyblob error as my screenshot above.

I can only assume this is something wrong with my keys file for linkle, but after running this and then uploading Boot0/boot1, Lockpick dumps all the keys fine, so I'm really not sure where I'm going wrong.
 

LIY2012

It seems so close. I've never run into that error before. Maybe someone else here with more experience can help you. Just to confirm, you did restore the BCPKG files without encryption? Also, have you tried Step 14: First launch failed? Finally, are you using the latest version of everything?
 