Tutorial  Updated

How to transplant savedata (system and user) from other switches

All firmware versions, guide here, kinda obsolete now that we have ChoiDujour which does this as the first step automatically:
https://pastebin.com/hXs4VCgs

Lets you transplant savedata as raw files (including system savedata) which means you can recover these consoles by using other people's firmware/partition images (restored with proper BIS keys, of course), except for PRODINFO/PRODINFOF which is absolutely console specific and you should never replace.
It also means you can get fakenews installed on your 1.0.0 console without PPT JPN, simply by replacing your SYSTEM:/save/8000000000000090 file with a friend's who already has it (make sure to back yours up first) using HacDiskMount after mounting SYSTEM partition, then launching 1.0.0 using Hekate and this FS.kip1 patch applied, using the fake news entry to launch the browser and install fake news AGAIN via pegaswitch, which should fix the CMAC so you don't have to boot using Hekate anymore.
 
Last edited by rajkosto,

Xandroz

for a start yes, things will progress then.

thanks for the file btw.

im waiting for a replacement screen for my 1.0 will try it once i get it.

anyone else who tries it kindly confirm everything worked as intended
 

SocraticBliss

Firstly, extract the entire FakeNewsHBL.zip to your Desktop...

Alright guys you owe us big, the below instructions are also in the zip...

FakeNewsHBL by @rajkosto and @SocraticBliss

Thanks to rajkosto for biskeydump, HacDiskMount and hashes/improvements
Thanks to nwert and CTCaer for hekate & payload
Thanks to ReSwitched for everything!



Stage 0 - Getting your Console Unique Keys

1. Connect one end of your USB-C cable to your PC and the other end to your Switch
2. Boot your Switch into RCM (via a jig)
3. On your PC, navigate to the Stage0 directory (FakeNewsHBL/Stage0)
4. Double click on the Stage0.cmd file
5. After you see your keys appear on your Switch, power off your Switch


Stage 1 - Getting your BCPKG2-1-Normal-Main.bin and initially installing FakeNews

1. Copy the contents inside the Stage1/CopyInsideContentsToSwitchSD directory to your Switch's microSD card
2. Boot your Switch into RCM
3. On your PC, navigate to the Stage1 directory (FakeNewsHBL/Stage1)
4. Drag & drop the memloader.bin file onto TegraRcmSmash.exe
5. On your Switch, use the volume keys to highlight the ums_emmc.ini option, then press the Power button to confirm the option

NOTE: The Switch display will still be slightly illuminated but nothing will be shown on the screen, THIS IS OKAY/EXPECTED!

6. On your PC, run HacDiskMount.exe (as an Administrator!)
7. File > Open physical drive
8. Choose the Linux UMS disk 0 (29.121GiB)
9. Double click on BCPKG2-1-Normal-Main
10. In the "Dump to File" section:
  • Click on the Browse button
  • Save the file as BCPKG2-1-Normal-Main.bin to the FakeNewsHBL directory
11. Close the Operations on BCPKG2-1-Normal-Main window
12. Double click on SYSTEM
13. In the "BIS Key 2" section:
  • Enter your Switch's BIS 2 Keys into the upper and lower boxes
  • Click on the Test button (and ensure that it passes)
  • Click on the Save button
14. In the "Virtual drive" section:
  • Click the Install button
  • Select an unoccupied drive letter in the Drive Letter drop-down (ex. J)
  • Click the Mount button
15. In the "Dump to file" section:
  • Click on the Browse button
  • Save the file as SYSTEM.bin to some place safe on your PC (this is your BACKUP!)
16. In the File Explorer, double click on the Stage1.cmd file

NOTE: If you are having problems with the Stage1.cmd file, just run the FakeNewsSave.exe and extract it to the current directory

17. In the File Explorer, overwrite the 8000000000000090 file in the save directory of the Switch drive with the one just extracted (ex. J:\save\8000000000000090)
18. Return to HacDiskMount and click on the Unmount button
19. Close out of HacDiskMount.exe


Stage 2 - Launching the new FS.kip1 and re-installing FakeNews from Pegaswitch

rajkosto's instructions located at https://pastebin.com/hXs4VCgs

1. Populate/replace/remove the keys.txt file for hactool
2. Install Python (ensure the PATH environment variable is configured)
3. On your PC, navigate to the FakeNewsHBL directory
4. Double click on the FakeNewsHBL.cmd file

NOTE: If you are having problems with the FakeNewsHBL.cmd file, just run the below command in this directory...
python FakeNewsHBL.py

5. Remove the contents on your Switch's microSD card
6. Copy the contents inside the FakeNewsHBL/Stage2/CopyInsideContentsToSwitchSD directory to your Switch's microSD card
7. Boot your Switch into RCM

NOTE: If you mess up and load into the Switch OS, DON'T PANIC!! You will simply get an error/crash when booting, just power off the Switch and try again

8. On your PC, navigate to the Stage2 directory (FakeNewsHBL/Stage2)
9. Drag & drop the hekate_ctcaer_2.3.bin file onto TegraRcmSmash.exe
10. On your Switch, press the power button to confirm the Load FW option
11. Use the volume keys to highlight the FakeNewsHBL option, then press the power button to confirm the option
12. Once booted into the Switch OS, you should see FakeNews in the News section!
13. On your PC, set up a PegaSwitch server (remember --webapplet if on 1.0.0!)
14. On your Switch, set up your Wi-Fi and set the DNS Server 1 to the IP address PegaSwitch gives you
15. Open FakeNews and issue the below command when connected...

evalfile usefulscripts/installFakeNews.js

NOTE: Pegaswitch crashed the first attempt for me, which sucks, if this happens, return to step 7
 

rajkosto

if someone has hekate SYSTEM & BOOT backups of the following firmwares: 2.0.0, 2.2.0, 2.3.0, 4.0.1 can they send me a PM, thanks.
 

Milenko

Stage 2 is really throwing me, hactool just zooms through everything then closes

Having trouble getting the keys for hactool and I can't go any further til I work that out
 

snam11

i'm doing the user backup now, as soon as i finish i'll have a try too (25gb over lan is quite slow...)
now i'm stuck at half of stage1
 

Milenko

Re dumped boot0 over and over and trying to get keys I get this...

Using BOOT0.bin to get keys from package1...
Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!
 

snam11

Re dumped boot0 over and over and trying to get keys I get this...

Using BOOT0.bin to get keys from package1...
Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!
same happens to me.
i did at least 10 dumps with no luck (CTCaer mod 1.3 and 2.3)


i own a 1.0 switch
 

Xandroz

@SocraticBliss


i want to try with you guys but i broke the ribbon cable for the screen and waiting for the replacement to show up.
hopefully i can get it soon
 

SocraticBliss

Re dumped boot0 over and over and trying to get keys I get this...

Using BOOT0.bin to get keys from package1...
Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!

same happens to me.
i did at least 10 dumps with no luck (CTCaer mod 1.3 and 2.3)

i own a 1.0 switch

After you have your BOOT0.bin, use hactool with the following command...

Code:
hactool.exe -tkeygen --sbk=YourKeyHere --tseckey=YourKeyHere BOOT0.bin
 

snam11

hactool.exe -tkeygen --sbk=YourKeyHere --tseckey=YourKeyHere BOOT0.bin

@SocraticBliss thanx for your quick reply.

i've typed the command and after a lot of encryption data i get a wonderful Done! at the end
but the tool didn't make any key.txt or fs.kip1, am i doing something wrong?
i also tried again the command: python keys.py <SBKSecureBootKey> <TSEC>
but i'm still getting the error:
Using BOOT0.bin to get keys from package1...
Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!

i know this fs.kip1 is mandatory to proceed to the stage2...
i'm quite a noob, but i don't understand how to do this:
Get your existing FS.kip1 by getting the INI1 from your Package2 using hactool, and then extract the INI1 to get all the builtins

any tips?

thanx!
 

SocraticBliss

@SocraticBliss thanx for your quick reply.

i've typed the command and after a lot of encryption data i get a wonderful Done! at the end
but the tool didn't make any key.txt or fs.kip1, am i doing something wrong?
i also tried again the command: python keys.py <SBKSecureBootKey> <TSEC>
but i'm still getting the error:
Using BOOT0.bin to get keys from package1...
Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!

i know this fs.kip1 is mandatory to proceed to the stage2...

any tips?

thanx!

Well, that keys.py isn't part of my package, so I can't really debug it since I don't have it :P

I'd suggest not using that keys.py python script... (as it appears to be broken for 1.0.0 systems)

Instead, put the BOOT.bin in the FakeNewsHBL directory, then open a command window in that directory and issue the following command...

Code:
hactool.exe -tkeygen --sbk=TypeYourKeyHereInstead --tseckey=TypeYourKeyHereInstead BOOT0.bin > keys.txt

example...

hactool.exe -tkeygen --sbk=0123456789ABCDEF0123456789ABCDEF --tseckey=0123456789ABCDEF0123456789ABCDEF BOOT0.bin > keys.txt
 

snam11

thanx again for your reply, i was doing the same thing manually (copying the terminal output to have a test with those encrypted_keyblob keys).

but how to get this fs.kip1 file? i don't have any clues on how to do this step:
Get your existing FS.kip1 by getting the INI1 from your Package2 using hactool, and then extract the INI1 to get all the builtins

using your python script FakeNewsHBL of stage 2 gives me error related to fs.kip1
Code:
Press Enter to patch your FS...
Opening BCPKG2-1-Normal-Main.bin...
Extracting package2.bin from BCPKG2-1-Normal-Main.bin...
Extracting INI1 from package2.bin...
Failed to decrypt PK21! Is correct key present?
Copying original FS.kip1 to Current Directory...
Traceback (most recent call last):
  File "FakeNewsHBL.py", line 107, in <module>
    main(len(sys.argv), sys.argv)
  File "FakeNewsHBL.py", line 77, in main
    copyfile('ini1/FS.kip1', 'FS.orig.kip1')
  File "C:\Python27\lib\shutil.py", line 96, in copyfile
    with open(src, 'rb') as fsrc:
IOError: [Errno 2] No such file or directory: 'ini1/FS.kip1'
 

SocraticBliss

thanx again for your reply, i was doing the same thing manually (copying the terminal output to have a test with those encrypted_keyblob keys).

but how to get this fs.kip1 file? i don't have any clues on how to do this step:
Get your existing FS.kip1 by getting the INI1 from your Package2 using hactool, and then extract the INI1 to get all the builtins

using your python script FakeNewsHBL of stage 2 gives me error because related to fs.kip1

Are you using the zip file that I provided a link for above? Just use that, makes everything a lot easier :)

The fs.kip1 comes from the BCPKG2-1-Normal-Main.bin file, it gets extracted from it using hactool.exe, again, just use the zip and instructions I provided above, it should help considerably...
 

snam11

The fs.kip1 comes from the BCPKG2-1-Normal-Main.bin file, it gets extracted from it using hactool.exe, again, just use the zip and instructions I provided above, it should help considerably...
of course i'm using your zip, it's a really good tutorial, but i'm not so smart :(

that's the point, i don't know how to extract it using hactool. should i do same thing i did with boot0?
the tutorial doesn't mention it, or i don't see it...(maybe is an easy step, but not for a dumb like me)
 

SocraticBliss

of course i'm using your zip, it's a really good tutorial, but i'm not so smart :(

that's the point, i don't know how to extract it using hactool. should i do same thing i did with boot0?
the tutorial doesn't mention it, or i don't see it...(maybe is an easy step, but not for a dumb like me)

Nah, I should have coded my script to tell you more information, it looks like hactool fails to extract the INI1 file...

Extracting package2.bin from BCPKG2-1-Normal-Main.bin...
Failed to decrypt PK21! Is correct key present?

It's trying to Extract the INI1 directory from the created package2.bin... do you have a package2.bin file that is roughly 8176 KB?
  • If not, then it failed to create the correct package2.bin (issue with your BCPKG2-1-Normal-Main.bin file or keys entered)
  • If you do have it, and it's the correct size, it's trying to extract the package2.bin with the following command...
Code:
hactool.exe --keyset=keys.txt -tpk21 --package2dir=package2 --ini1dir=ini1 package2.bin
 

snam11

the package2.bin file is created as soon as the python script ends.
size is about 8176kb
also using the command
hactool.exe --keyset=keys.txt -tpk21 --package2dir=package2 --ini1dir=ini1 package2.bin
it pops out the error:
Failed to decrypt PK21! Is correct key present?

i'm dumping again the bcpkg2 file...

edit: i deleted boot0 and bcpkg2, dumped it again. hactool boot0 to get keys.txt and launched python script. Same error
 

SocraticBliss

the package2.bin file is created as soon as the python script ends.
size is about 8176kb
also using the command
hactool.exe --keyset=keys.txt -tpk21 --package2dir=package2 --ini1dir=ini1 package2.bin
it pops out the error:
Failed to decrypt PK21! Is correct key present?

i'm dumping again the bcpkg2 file...

edit: i deleted boot0 and bcpkg2, dumped it again. hactool boot0 to get keys.txt and launched python script. Same error

Are you sure you used the correct sbk and tseckey? Each are 32 digits, you get these from the Stage0 step.

Your keys.txt should be roughly 19 KB, if it is smaller than this, look in the file, and see if there was an error with the command...
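
An added example, not part of the thread or of the FakeNewsHBL package: a Python 3 pre-flight check for the conditions named in the replies above (32-digit sbk and tseckey, a populated keys.txt, a package2.bin of roughly 8176 KB, and an extracted ini1/FS.kip1 before anything is copied). The function names, the `name = hex` line shape assumed for keys.txt and the size tolerance are assumptions made for this example.

```python
import os
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
# Assumed keys.txt line shape: "name = HEXBYTES", optionally indented.
KEY_LINE = re.compile(r"\s*\w+\s*=\s*(?:[0-9A-Fa-f]{2})+\s*")

def check_console_key(label, value):
    """sbk and tseckey must each be 32 hex digits (Stage 0 output)."""
    value = value.strip()
    if HEX32.fullmatch(value):
        return []
    return ["%s: expected 32 hex digits, got %d characters" % (label, len(value))]

def check_keys_file(path):
    """keys.txt must exist, be non-empty and contain at least one key line."""
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return ["%s is missing or 0 KB: run the keygen command with '> keys.txt'" % path]
    with open(path, "r", errors="replace") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if any(KEY_LINE.fullmatch(ln) for ln in lines):
        return []
    # The '>' redirect also captures error text, so report what is in the file.
    first = lines[0][:60] if lines else ""
    return ["%s holds no key lines; first line is %r" % (path, first)]

def check_package2(path, expected_kb=8176, slack_kb=64):
    """package2.bin should be roughly 8176 KB; slack_kb is an assumed tolerance."""
    if not os.path.isfile(path):
        return ["%s was not created" % path]
    size_kb = os.path.getsize(path) // 1024
    if abs(size_kb - expected_kb) > slack_kb:
        return ["%s is %d KB, expected about %d KB" % (path, size_kb, expected_kb)]
    return []

def check_ini1(ini1_dir="ini1"):
    """FS.kip1 exists only if hactool decrypted PK21 and unpacked INI1."""
    kip = os.path.join(ini1_dir, "FS.kip1")
    if os.path.isfile(kip):
        return []
    return ["%s not found: PK21 extraction failed, stop before the copy step" % kip]

def preflight(sbk, tseckey, keys="keys.txt", package2="package2.bin"):
    """Collect every problem before hactool -tpk21 is run."""
    return (check_console_key("sbk", sbk) + check_console_key("tseckey", tseckey)
            + check_keys_file(keys) + check_package2(package2))
```

Run `preflight(...)` before the `-tpk21` command and `check_ini1()` after it; an empty list from each means the inputs match what the replies describe.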
 

snam11

i've used all 3 versions of biskeydump (4,5,6) available to do a triple check on keys.
sbk/tsec are the same on all dumps. i'm 101% positive i've copied/pasted hex values in the right place.
i'm out of clues :(

q: after the boot0 extraction i need to edit keys.txt to add some (sbk/tsec?) or is not needed?
 

SocraticBliss

i've used all 3 versions of biskeydump (4,5,6) available to do a triple check on keys.
sbk/tsec are the same on all dumps. i'm 101% positive i've copied/pasted hex values in the right place.
i'm out of clues :(

q: after the boot0 extraction i need to edit keys.txt to add some (sbk/tsec?) or is not needed?

keys.txt should be empty (0 KB) UNLESS you ran the following code... or have a keys.txt file already

Code:
hactool.exe -tkeygen --sbk=KEY --tseckey=KEY BOOT0.bin > keys.txt
 