1. shchmue

    OP shchmue Developer
    Developer

    Joined:
    Dec 23, 2013
    Messages:
    739
    Country:
    United States
    I've seen this asked a lot over the years and since someone asked it today and I recently mapped out all the Settings saves, I decided to test my theory that the answer was there. It was.

    Use case: You are stuck at the system initialize screen with the 'connect joycons' animation but you don't have joycons or one or both rails is broken.

    TL;DR for those who already know how to edit system saves: Dump the SystemSettings save 8000000000000050, change the byte at offset 0x29484 from 0 to 1, repack, sign and replace the save.

    Tools required:
    • hactoolnet (fire up your command line skills)
    • Lockpick_RCM (if you have an existing dump from this console a fresh dump is not required)
    • TegraExplorer (if you're familiar with HacDiskMount you can use that instead)
    • HxD (or hex editor of choice, this one is just free, lightweight, capable, and ad-free)
    Steps:
    1. Use Hekate/Nyx and make a full Raw EMMC backup if you never have! This is the first rule of any hacking endeavor.
    2. If you don't have a key file, use Lockpick_RCM to dump keys from either sysnand or emunand, it doesn't matter which for this purpose. This will dump the key file to SD in /switch/prod.keys.
    3. Reboot to RCM if needed and push the TegraExplorer payload.
    4. Use the Volume keys to navigate to either [SYSTEM:/] EMMC (for sysnand) or [SYSTEM:/] EMUMMC (for emunand).
    5. Acknowledge the warning regarding modifying your system NAND and breathe easy since you made a backup, right? RIGHT? Please go back and do that if you haven't. Press Power to continue.
    6. Select save (this might take a minute to load if using file-based emunand).
    7. Select 8000000000000050, then select Copy to clipboard.
    8. Navigate back to the main menu by selecting Folder -> previous folder twice.
    9. Select [SD:/] SD CARD.
    10. Select Clipboard -> Current folder and wait for the copy to complete.
    11. Navigate back to the main menu by selecting Folder -> previous folder.
    12. Select Exit then either reboot to RCM or power off.
    13. Mount the SD card on your computer either using a card reader or by pushing the Memloader payload (this is always recommended to reduce stress on the SD reader connector component).
    14. Open a command prompt (eg. press Win+R and type cmd then press Return).
    15. Navigate to where you unzipped hactoolnet or drag the executable onto the command prompt window (this is a handy trick that makes the next few steps easier; Windows automatically enters the whole path to whatever you drop on it).
    16. I don't know what drive letter you mounted your SD as, but you do! So I'm going to pretend it's Z: but if it's something else, use that instead.
    17. If you dragged hactoolnet into the window, you'll have c:\whatever\hactoolnet.exe already populated, so after that, type a space then -t save -k z:\switch\prod.keys z:\8000000000000050 --outdir z:\syssave so your whole command should look like:
      Code:
      c:\whatever\hactoolnet.exe -t save -k z:\switch\prod.keys z:\8000000000000050 --outdir z:\syssave
      Again, please edit this so it matches your own path to hactoolnet and SD mount point.
    18. Open z:\syssave\file in HxD.
    19. Press Ctrl+G to open the Go to Offset dialogue, and type in the number 29484 then select OK. The cursor should be hovering over a byte that reads 00.
    20. Type 01 then press Ctrl+S to Save.
    21. Go back to your command prompt and similarly enter c:\whatever\hactoolnet.exe -t save -k z:\switch\prod.keys z:\8000000000000050 --replacefile file z:\syssave\file. Verify that hactoolnet prints:
      Code:
      Replaced file /file
      Successfully signed save file with key <key>
    22. Eject the SD from the computer, reinsert into console, however you did it, get back to RCM with the SD inserted and inject TegraExplorer.
    23. Select [SD:/] SD CARD.
    24. Select 8000000000000050, then select Copy to clipboard.
    25. Navigate back to the main menu by selecting Folder -> previous folder.
    26. Use the Volume keys to navigate to either [SYSTEM:/] EMMC (for sysnand) or [SYSTEM:/] EMUMMC (for emunand), making the same choice as in Step 4.
    27. Acknowledge the warning, press Power to continue.
    28. Select save (as before, this might take a minute to load if using file-based emunand).
    29. Select 8000000000000050, then select Delete file.
    30. Acknowledge the warning, press Power to delete, wait for completion.
    31. Select Clipboard -> Current folder and wait for the copy to complete.
    32. Navigate back to the main menu by selecting Folder -> previous folder twice.
    33. Select Exit then do whatever you need to do to reboot, with or without CFW.
    34. You're done! Instead of the joycon connect animation you should get a screen asking you to accept the Eula then reboot, after which you should be in the OS!
     
    Last edited by shchmue, Mar 10, 2020 - Reason: missing a step
  2. 0bvious

    0bvious GBAtemp Regular
    Member

    Joined:
    Oct 1, 2007
    Messages:
    152
    Country:
  3. CompSciOrBust

    CompSciOrBust GBAtemp Regular
    Member

    Joined:
    Sep 9, 2019
    Messages:
    145
    Country:
    United Kingdom
    Good work Shchmue! Too bad this can't be used on those low firmware switch lites.
     
  4. QuestionSleep1984

    Newcomer

    Joined:
    Jun 10, 2019
    Messages:
    2
    Country:
    Mexico
    Thank you so much bro, love you <3
     
    Last edited by QuestionSleep1984, Mar 14, 2020
  5. Olmectron

    Olmectron GBAtemp Addict
    Member

    Joined:
    Dec 31, 2012
    Messages:
    2,396
    Country:
    Mexico
    I created a thread about this some months ago.

    I thank you from the bottom of my heart.
     
  6. Campbell915

    Campbell915 Newbie
    Newcomer

    Joined:
    Mar 15, 2020
    Messages:
    1
    Country:
    United States
    Hey I am a total noob at this whole switch hacking stuff and found this post to be the only one on the internet that would solve my problem. The connector for one of my rails broke and I got used to it. For some reason I factory reset my switch and forgot about the broken connector, causing me to be stuck at the connecting screen. Is their anything you can do to help me understand the instructions more clearly because as of now I dont even know how to do any of the steps.

    Thanks
     
  7. GinGear

    GinGear Newbie
    Newcomer

    Joined:
    Jun 24, 2018
    Messages:
    4
    Country:
    United States
    Would it be a good idea to try loading the edited file via layeredfs to see if you patched it correctly? Before making the change more permanent
     
  8. shchmue

    OP shchmue Developer
    Developer

    Joined:
    Dec 23, 2013
    Messages:
    739
    Country:
    United States
    LayeredFS is for assets not saves. please do keep an unmodified save if you want, but that’s covered by the Nand backup I advised
     
Draft saved Draft deleted
Loading...

Hide similar threads Similar threads with keywords - Connect, Joycons, system