Hacking Question Help with bricked Switch [Advanced]

DBOA

Active Member
OP
Newcomer
Joined
Apr 11, 2019
Messages
37
Trophies
0
Age
36
XP
225
Country
Brazil
Hi All,

I have a Switch that won't boot after the Nintendo logo, which means I have no access to the Recovery...

The Switch has 9 blown fuses and all keys are shown correctly. As far as I can tell, the hardware is fine, I can run Android fine...

Before I explain the problem I wanna say that I know the importance of backing up the switch before messing with it, but the fact is, that I don't have any... Wasn't me who tried to hack the Switch.

I've used the https://switch.homebrew.guide/usingcfw/manualchoiupgrade Choidujour guide with firmware 5.1 and 6.2 (I found the restore files on xbins for 6.2) and none of them worked. The Switch still doesn't boot, CFW or OFW.

I have the system keys, and the key dump payloads all work fine. When I try to test the BIS keys with HacDiskMount it says they are correct, but I thought that maybe someone might have restored boot0 and boot1 from a different Switch, is that possible? The payload and desktop apps say the keys are correct, but do they really check if the keys are in the right Switch?

Does someone have restore files for choidujour for a later version of the firmware maybe 7.0.0-8.0.1 ?

Any extra information helps, I'm a programmer with some knowledge of python, maybe someone can direct me to create a program to help diagnostics or something like that, I would be willing to update Choidujour so it can work with a later firmware.

Thank you all for your time reading this, and again, any information helps.
 

DBOA

I have his boot0 and boot1 files from a different firmware version. I think that maybe the rest is busted.
 

Canna

Bad Ass Poisonous Mushroom
Member
Joined
Jul 14, 2018
Messages
1,396
Trophies
0
Age
34
Location
AZ
XP
1,514
Country
United States

Choidujour, if it worked correctly, will output the correct boot0/1 files to use in the output folder..
The manual method, as far as I'm aware, does not work over version 6.0 or 6.2 (I could be wrong, it's been a little while)...

Your fuse count indicates that your system was updated to
either 7.0.0-8.0.1..

So,

If you have your correct biskeys, which you should, as lockpick rcm or biskey dump will error out if they do not match the system..

Then personally, I would create a 5.1.0 rebuild image using choidujour manually.
Once the command window finishes, transfer the boot 0 and 1 from the 5.1.0 output folder
to the switch using etcher and memloader..
(Do not try to boot the switch until you get the 5.1.0 update on the switch.)
Now, using hacdiskmount, transfer the 5.1.0 files from the choidujour output folder, making sure to input the biskeys and save and test them..

(Once you have transferred them, do not forget to use the hekate FS patch included in the output folder and its ini.. For first boot, to populate the Boot 0/1)

Run hekate and launch the FS patch option; it should be the only option in the menu.

Give this a moment and it should boot fine...

This has always been my go-to way of booting the switch after a bad update, as I know for sure 5.1.0 with correct boot 0/1 and fs patch always works...

You have the biskeys for that system so you're safe, just need a stable system image to boot.


Good luck..
 

DBOA

Thank you man, I'll try that later today. I've tried the manual 5.1 update before, but I wasn't careful like that. I'll get back to you whatever happens.
 

DBOA

Just use the unbrick_my_switch pack. Will get you back to 6.2.0
So, I tried doing that and it didn't work. After I launched UNBRICK_FIRST_BOOT_ONLY, the system didn't boot anymore, not even to the Nintendo logo.

One thing that I checked before doing this: I downloaded NxNandManager and connected to the Switch to back up PRODINFO. I did an encrypted backup, but when I tried to decrypt it, it didn't work, even with the right keys.
I noticed that in the manual upgrade you don't actually mess with PRODINFO, only set the key with HacDiskMount.

Is it possible that my PRODINFO is busted? Maybe PRODINFOF, Repair-Main and Repair-Sub are busted too.
 

Canna

Rebuild
 

DBOA

I tried again and got the message while executing UNBRICK_FIRST_BOOT_ONLY:
Read pkg2
Pkg2 decryption failed!
Firmware failed.
 

Canna

So I've tried a couple of times and keep getting Pkg2 decryption fail
https://imgur.com/oZOFNLA

Any Ideas anyone?

--------------------- MERGED ---------------------------


Apparently @mattytrog hates anime...
ihateanime2

Like I said,
rebuild yourself a 5.1.0 image.
Use choidujour.exe with the command line and a downloaded 5.1.0 image from the web..

Build a 5.1.0 image.
Use the files from the choidujour output folder in hacdiskmount,
and test and save the biskeys. Flash the boot0/1 provided by choidujour with etcher first, then the system files with hacdiskmount...

You can follow the no burn fuse guide to guide you on how to rebuild a nand image..

Clear ya sd card for now..

And transfer the hekate fs patch and ini file provided in the choidujour output folder to the sd card and make sure to run the fs launch option in hekate first...

Not sure why you haven't tried my idea,
as I believe a nand rebuild will get you back and running again.


No fuse burn guide
https://gbatemp.net/threads/how-to-...nofficially-without-burning-any-fuses.507461/
 

DBOA

Not sure why you haven't tried my idea
Mattytrog's process is the same only with firmware 6.2.

Anyways, I just tried it, the way you explained and the boot stops after Nintendo Logo.

I've done the manual upload with 5.1 and 6.2 numerous times, none of them worked.
I'm sure there's some other problem I need to identify.
I don't know what happened to the switch before I got it.

Let me just ask you guys something: by doing the repair process and substituting the partitions and files from the manual upgrade, what other parts of the firmware would stop the Switch from booting? PRODINFO, PRODINFOF, Repair-Main and Repair-Sub? Could any other parts of the other partitions be damaged?

Is there any per-console data on any of those?

Thank you guys for the help
 

mattytrog

You don`t want to listen to anything I say.
Member
Joined
Apr 27, 2018
Messages
3,708
Trophies
0
Age
46
XP
4,299
Country
United Kingdom
If there are other problems with your consoles, ie hardware faults, the pack will not help.

All the pack does, is give you fresh 6.2.0 partitions, partial 6.2.0 boot0/1 files, up to keyblobs.

And does a nocmac boot to get it running.

If the pack is not working for you, double check everything. Check your prodinfo isn't borked.

Check you have no hardware faults.

If you have fuses burned for a lesser firmware than 6.2.0, then use the manual choi downgrade, which is exactly the same as the pack but with a different firmware.

The pack works. It's been tested and retested on different consoles. It's a last chance saloon really.
 

DBOA

If the pack is not working for you, double check everything. Check your prodinfo isn't borked.
I think PRODINFO is effd...
I couldn't decrypt it when downloading with NxNandManager, and when I downloaded with Hacdiskmount, the first 4 characters didn't match the magic number 'CAL0'.

Is it possible to rebuild PRODINFO? Even if online functionality is not present.

As for the hardware, I tested Switchroot Android and Lakka and they work fine. Is there any diagnostics tool I could try?

Also I tried your pack for 6.2 a couple of times and I get a "Pkg2 decryption failed!" message.
 
Last edited by DBOA,
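
An added example, not part of any post in this thread and not code from NxNandManager or HacDiskMount: a small Python check that separates the cases discussed above for a PRODINFO dump, namely a readable 'CAL0' header, data that is still ciphertext (not decrypted, or decrypted with the wrong key), a blank region, and readable data with the wrong magic. The labels, the 4096-byte sample size, the entropy threshold and the sample blobs are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter

CAL0_MAGIC = b"CAL0"   # magic the post above expects at the start of PRODINFO
SAMPLE_SIZE = 4096     # assumption: how much of the dump to inspect
ENTROPY_LIMIT = 7.5    # assumption: bits/byte above which data looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify_prodinfo(dump: bytes) -> str:
    """Label the start of a PRODINFO dump (labels are this example's own)."""
    head = dump[:SAMPLE_SIZE]
    if len(head) < len(CAL0_MAGIC):
        return "too-short"
    if head.startswith(CAL0_MAGIC):
        return "decrypted"
    if len(set(head)) == 1:
        return "blank"                       # erased or zero-filled region
    if shannon_entropy(head) > ENTROPY_LIMIT:
        return "still-encrypted-or-wrong-key"
    return "plaintext-bad-magic"             # readable data, but not a CAL0 header


def _fake_ciphertext(size: int) -> bytes:
    """Constructed stand-in for encrypted data: a deterministic SHA-256 stream."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]


# Constructed sample dumps, not taken from any real console.
BODY = bytes(60) + b"constructed calibration body " * 100
SAMPLES = {
    "good": CAL0_MAGIC + BODY,
    "ciphertext": _fake_ciphertext(SAMPLE_SIZE),
    "erased": b"\xff" * SAMPLE_SIZE,
    "overwritten": b"XXXX" + BODY,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} -> {classify_prodinfo(blob)}")
```

To check a real dump, pass the first `SAMPLE_SIZE` bytes of the file, read in binary mode, to `classify_prodinfo`.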

mattytrog

If prodinfo is buggered, you are snookered. The only possible way to get the console to boot would be to get the device key (think it's in ECC form) from the borked prodinfo and then you can probably create a blank one.

You can remove certs, serials etc, recompute the hashes (there are two that need to be generated) and make one that will boot as long as your device key is intact. Think it's at 0x480 offset in prodinfo

I think lockpick/ or is it that tool that blahblah made that does a similar thing.

I'm trying to recall this from memory, as I'm sat in a hotel in Spain, about 1500 miles away from home.

So double check everything I say as I'm a simpleton.

Though alas, looks like you are snookered forever if your prodinfo is completely unencryptable.

Unless atmosphere can somehow patch out the device key check? Maybe?
 