Hacking keyblob 0 to 5 corrupted

Alschepmist

Active Member
OP
Newcomer
Joined
Aug 29, 2019
Messages
28
Trophies
0
Age
28
XP
121
Country
Germany
Hello, is there a way to restore keyblobs 0 to 5?
I think the boot0 and boot1 partitions are corrupted, or maybe prodinfo. When I start with hekate I only get to the Nintendo logo, then a black screen. Can anyone help?
 

ZachyCatGames

Well-Known Member
Member
Joined
Jun 19, 2018
Messages
3,261
Trophies
1
Location
Hell
XP
3,309
Country
United States
So I read that it is possible to recreate the keyblobs, but I don't understand how to insert the keyblobs.

Keyblobs start at 0x180000 in boot0 and are each 0x200 apart (keyblob 0 is at 0x180000, keyblob 1 is at 0x180200, etc.). Just open your boot0 in a hex editor and copy your new keyblobs to the first 6 spots. As for generating them, I believe linkle (https://github.com/MegatonHammer/linkle) can do that; you'll need your keys.

Alschepmist

linkle? The description on GitHub says it is only for PFS0/NSP and 64-bit NRO/NSO. Is that right, or how do I have to use it?
 

ZachyCatGames

linkle? The description on GitHub says it is only for PFS0/NSP and 64-bit NRO/NSO. Is that right, or how do I have to use it?
It has a keygen option that you can give your key file to, and it should generate all keys that can be generated from the supplied keys (including encrypted keyblobs, if you have the correct keys). I don't remember exactly how it's used:
Code:
linkle keygen -k prod.keys

ZachyCatGames

UPDATE: They did get new encrypted keyblobs that do work and generate keys properly. But unfortunately the console's prodinfo was nuked (it was one of those eBay consoles that had its eMMC nuked, and OP was trying to fix it), so the console still doesn't work :/
 

ZachyCatGames

@ZachyCatGames how did you end up getting new keyblobs? I'm without my prod.keys, but my prodinfo is intact.
Code:
linkle keygen -k prod.keys
prod.keys only needs to contain keyblob 0-5, keyblob_key_source 0-5, keyblob_mac_key_source, secure_boot_key, and tsec_key.
The secure boot key and TSEC key are console-unique (but are easily dumpable); the rest can come from another console.

EDIT: They'll show up as `encrypted_keyblob_xx`, and you can just copy them over to your boot0
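An added example, written for this thread and not code from anyone here or from linkle, that automates the hex-editor step from the two posts above: it reads the `encrypted_keyblob_xx` entries out of a prod.keys-style file and writes them into a boot0 image at 0x180000 + n*0x200, keeping a `.bak` copy first. Assumptions not stated in the thread: the key file uses one `name = hexvalue` entry per line, an encrypted keyblob is 0xB0 bytes, and the file paths are placeholders.

```python
import re
import shutil
from pathlib import Path

# Layout from the thread: six keyblobs in boot0 at 0x180000, 0x200 apart.
KEYBLOB_BASE = 0x180000
KEYBLOB_STRIDE = 0x200
KEYBLOB_COUNT = 6
# Assumption, not stated in the thread: an encrypted keyblob is 0xB0 bytes
# (0x10 MAC + 0x10 counter + 0x90 encrypted key data).
ENCRYPTED_KEYBLOB_LEN = 0xB0
# Assumed key-file syntax: one "name = hexvalue" entry per line.
KEY_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)\s*$")


def keyblob_offset(index: int) -> int:
    return KEYBLOB_BASE + index * KEYBLOB_STRIDE


def parse_encrypted_keyblobs(keys_text: str) -> dict[int, bytes]:
    """Collect the encrypted_keyblob_xx entries linkle keygen emits, as {index: bytes}."""
    blobs: dict[int, bytes] = {}
    for line in keys_text.splitlines():
        m = KEY_LINE.match(line)
        if m and m.group(1).startswith("encrypted_keyblob_"):
            blobs[int(m.group(1).rsplit("_", 1)[1], 16)] = bytes.fromhex(m.group(2))
    return blobs


def patch_boot0(boot0: bytes, blobs: dict[int, bytes]) -> bytes:
    """Return a copy of boot0 with keyblobs 0..5 written at their offsets; refuse partial or odd-sized sets."""
    missing = sorted(set(range(KEYBLOB_COUNT)) - set(blobs))
    if missing:
        raise ValueError(f"key file lacks encrypted keyblobs {missing}")
    if len(boot0) < keyblob_offset(KEYBLOB_COUNT):
        raise ValueError(f"boot0 is {len(boot0):#x} bytes, too small for the keyblob area")
    out = bytearray(boot0)
    for i in range(KEYBLOB_COUNT):
        if len(blobs[i]) != ENCRYPTED_KEYBLOB_LEN:
            raise ValueError(f"keyblob {i}: {len(blobs[i]):#x} bytes, expected {ENCRYPTED_KEYBLOB_LEN:#x}")
        out[keyblob_offset(i):keyblob_offset(i) + ENCRYPTED_KEYBLOB_LEN] = blobs[i]
    return bytes(out)


def patch_boot0_file(boot0_path: str, keys_path: str) -> None:
    """Keep a .bak copy of boot0, then overwrite it with the patched image (BOOT1 is left alone)."""
    src = Path(boot0_path)
    shutil.copy2(src, src.with_name(src.name + ".bak"))
    src.write_bytes(patch_boot0(src.read_bytes(), parse_encrypted_keyblobs(Path(keys_path).read_text())))
```

Run it as `patch_boot0_file("boot0.bin", "prod.keys")` against a dump of your own boot0; the whole set is validated before a single byte is written, so a truncated key file leaves the image untouched.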

designgears

Well-Known Member
Member
Joined
Aug 8, 2016
Messages
289
Trophies
0
XP
630
Country
United States
Code:
linkle keygen -k prod.keys
prod.keys only needs to contain keyblob 0-5, keyblob_key_source 0-5, keyblob_mac_key_source, secure_boot_key, and tsec_key.
The secure boot key and TSEC key are console-unique (but are easily dumpable); the rest can come from another console.

EDIT: They'll show up as `encrypted_keyblob_xx`, and you can just copy them over to your boot0

Ahh, I was missing that last bit... Got them in BOOT0; do I need to do anything with BOOT1?

I lost my BOOT0/1 and accidentally flashed ones from my other console. I was able to find my prod.keys, ran linkle, used HxD to insert them at the right addresses, and it still comes back bad in Lockpick.


Am I missing something? Is it possible to recover at this point?

ZachyCatGames

Ahh, I was missing that last bit... Got them in BOOT0; do I need to do anything with BOOT1?

I lost my BOOT0/1 and accidentally flashed ones from my other console. I was able to find my prod.keys, ran linkle, used HxD to insert them at the right addresses, and it still comes back bad in Lockpick.


Am I missing something? Is it possible to recover at this point?
BOOT1 doesn’t need anything.

In my experience it seems like Lockpick complains when non-original keyblobs are installed, for whatever reason. It looks like it was able to derive the master keys, which probably means the keyblobs are fine, though. Have you tried booting it yet?