[Hardware] My Switch is a 2019 v6.2.0 XAJ4008278 UNPATCHED unit!

PRAGMA (OP):

Edition: Gray + £30 eShop Included with Sticker advertising this on the corner.
Revision: Original Launch Edition (White Box)
Original Firmware Version: Probably 6.2.0, I can't remember, but definitely 8.1.1 or older.
Shell: Original Launch Edition, not the glittery and more metallic shells you typically see on 2019+ units.
Merchant: Scan.co.uk
Purchase Date: 23rd of August, 2019

This was purchased just around the time that the merchant was struggling to get Nintendo Switches, especially as the new V2 Red Box versions were just around the corner.




I bought this brand new a couple of days ago and it arrived today. I checked the serial on ismyswitchpatched.com and based on its result it should be "definitely patched".

However, I tried to send a payload anyway and it worked! At first, I thought this was a shell swap, but it isn't. I matched the serial number on the shell's sticker with the serial number inside the settings.




Interestingly enough, BIS key generation for this unit failed on Atmosphere, Lockpick_RCM, and biskeydump. It seems to have revised BIS key generation. SciresM, who created Atmosphere, said my console needs a fix that he will help with in ~6 hours.

Because of this, I cannot safely use this Switch as I cannot get valid BIS keys to keep with my eMMC backup. BIS keys are required for decrypting eMMC backups and without them, the backup is more or less useless.




On the 29th of August, 2019, SciresM pushed a fix for BIS Key generation to Atmosphere: https://github.com/Atmosphere-NX/Atmosphere/commit/600d68bd1aa6f13b47b1482e48110b2e3c2684ed and then 15 days later released Atmosphere v0.9.4 with this fix.

On the 16th of September, 2019, Shchmue pushed a similar fix to Lockpick_RCM: https://github.com/shchmue/Lockpick_RCM/commit/6540ddc24ba65fdf4863c78b0119869f8dfd0ed8 and then a day later released Lockpick_RCM v1.5.0 with this fix.

All that needs updating is rajkosto's biskeydump project.

I can confirm the fixes made on both projects work and dump the correct BIS Keys on my unit. I managed to decrypt SYSTEM.bin, and mount it with HacDiskMount and the BIS Key's entropy was Valid.




Just in case there was anything interesting about my specific system, or if anything of interest was left on my eMMC, SciresM took a look at the NCA headers of my decrypted SYSTEM.bin and found nothing of interest.




Take from this thread what you will, but just know that you cannot take the Serial number or the Serial checker websites at face value. It may be worth taking the time to try and send a Payload even if the websites say it's "definitely patched". You can't blame these websites either as they only have limited data to work on and can only go by what seems to be the common path for serials. After all, this unit can be considered a bit of a weird one.
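An added example (not part of PRAGMA's post, and not code from Lockpick_RCM, biskeydump or HacDiskMount) of what checking a BIS key's "entropy" against the NAND amounts to: the candidate key pair is tried on the first sector of the partition, and it is only accepted if the plaintext comes out structured (here, a FAT32 boot sector) and low-entropy rather than random. The code assumes plain IEEE AES-128-XTS with a little-endian sector-number tweak; the Switch's own XTS tweak convention and sector size are not reproduced, and the key pair and the boot sector are constructed for the demo, not real BIS keys or a real eMMC dump.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math"
)

// Constructed demo key pair (data key, tweak key): NOT real BIS keys.
var demoDataKey, demoTweakKey = bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)

// xtsTweakMul multiplies the tweak by x in GF(2^128) (IEEE P1619 polynomial, little-endian).
func xtsTweakMul(t *[16]byte) {
	carry := t[15] >> 7
	for i := 15; i > 0; i-- {
		t[i] = t[i]<<1 | t[i-1]>>7
	}
	t[0] <<= 1
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsCrypt encrypts (encrypt=true) or decrypts one sector with AES-XTS. Assumption:
// standard IEEE XTS with a little-endian sector-number tweak, not the Switch's own variant.
func xtsCrypt(dataKey, tweakKey []byte, sector uint64, in []byte, encrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%16 != 0 {
		return nil, fmt.Errorf("sector length %d is not a multiple of 16", len(in))
	}
	dataCipher, err1 := aes.NewCipher(dataKey)
	tweakCipher, err2 := aes.NewCipher(tweakKey)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("bad key: %v %v", err1, err2)
	}
	var tweak [16]byte
	binary.LittleEndian.PutUint64(tweak[:8], sector)
	tweakCipher.Encrypt(tweak[:], tweak[:]) // T = E_K2(sector number)
	out := append([]byte(nil), in...)
	for off := 0; off < len(out); off += 16 {
		blk := out[off : off+16]
		for i := range blk {
			blk[i] ^= tweak[i]
		}
		if encrypt {
			dataCipher.Encrypt(blk, blk)
		} else {
			dataCipher.Decrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= tweak[i]
		}
		xtsTweakMul(&tweak) // tweak for the next 16-byte block
	}
	return out, nil
}

// shannonEntropy returns bits per byte (0..8): well under 2 for a boot sector, 7+ for ciphertext.
func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			h -= c / float64(len(b)) * math.Log2(c/float64(len(b)))
		}
	}
	return h
}

// looksLikeFAT32BootSector: jump opcode, "FAT32" type label at offset 82, 0x55AA signature at 510.
func looksLikeFAT32BootSector(s []byte) bool {
	return len(s) >= 512 && (s[0] == 0xEB || s[0] == 0xE9) &&
		bytes.Equal(s[82:87], []byte("FAT32")) && s[510] == 0x55 && s[511] == 0xAA
}

// KeyDecryptsVolume: decrypt sector 0 with the candidate pair; accept only structured, low-entropy plaintext.
func KeyDecryptsVolume(dataKey, tweakKey, encSector0 []byte) bool {
	plain, err := xtsCrypt(dataKey, tweakKey, 0, encSector0, false)
	return err == nil && shannonEntropy(plain) < 6.0 && looksLikeFAT32BootSector(plain)
}

// constructedBootSector builds a plausible FAT32 boot sector standing in for a real dump.
func constructedBootSector() []byte {
	s := make([]byte, 512)
	copy(s, []byte{0xEB, 0x58, 0x90, 'M', 'S', 'W', 'I', 'N', '4', '.', '1'})
	binary.LittleEndian.PutUint16(s[11:], 512) // bytes per sector
	s[13] = 8                                  // sectors per cluster
	copy(s[71:], "NO NAME    FAT32   ")        // volume label + FS type
	s[510], s[511] = 0x55, 0xAA
	return s
}

func main() {
	enc, _ := xtsCrypt(demoDataKey, demoTweakKey, 0, constructedBootSector(), true) // the "dump"
	fmt.Println(KeyDecryptsVolume(demoDataKey, demoTweakKey, enc), KeyDecryptsVolume(bytes.Repeat([]byte{0x33}, 16), demoTweakKey, enc))
}
```

A wrong key still decrypts without any error from AES itself, which is why a key-dumping tool cannot rely on the cipher to report failure and has to validate the plaintext instead; that is the check behind "its entropy doesn't match the NAND" in the post.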
 

antiNT:

This is absolutely remarkable, to say the least. I would've never guessed that could be possible. I hope the opposite isn't, though (i.e. a Switch that's definitely supposed to be vulnerable but isn't).
 
Deleted-452294 (Guest):

The OS prints the serial on PRODINFO. I will be interested in knowing whether the Device ID in eFuses matches the Device ID in PRODINFO.
Feel free to DM me if you want me to calculate your BIS keys. This will require a FUSE+KFUSE dump for your console, though.
 

Nerdtendo:

At first I thought this was one of those "I got a patched switch, can I hack?" threads.

Can it actually boot CFW, or is it unable to with what's available?
 

PRAGMA (OP):

> At first I thought this was one of those "I got a patched switch, can I hack?" threads.
>
> Can it actually boot CFW, or is it unable to with what's available?

It can actually boot CFW.

--------------------- MERGED ---------------------------

> The OS prints the serial on PRODINFO. I will be interested in knowing whether the Device ID in eFuses matches the Device ID in PRODINFO.
> Feel free to DM me if you want me to calculate your BIS keys. This will require a FUSE+KFUSE dump for your console, though.

I would check that, but I don't have BIS keys to read PRODINFO. I'd rather wait for the fix from SciresM, though.
 

Milenko:

So basically everyone with a patched switch needs to try it, and even buying a patched switch could be actually unpatched?
 

The Real Jdbye:

> So basically everyone with a patched switch needs to try it, and even buying a patched switch could be actually unpatched?

Yeah it seems like they sometimes have old stock that are shipped with new serial numbers. Not the first report I've heard of this.
> I bought this new a couple of days ago and it arrived today, checked the serial and, based on it, the assumption was that it was "definitely patched".
>
> However, I tried anyway and it worked.
> At first I thought this was a shell swap, but it isn't. I matched the serial numbers inside the OS against the shell's sticker.
> And interestingly enough, BIS key generation isn't working properly; apparently, according to SciresM, my console needs a "fix" that he will help with in "~6 hours".
>
> This also means that it isn't a first revision unit, due to it having revised BIS key generation.
> Because of this, as of right now I cannot safely use the Switch, as I cannot get a proper backup: the BIS keys currently gotten from Lockpick_RCM/biskeydump aren't working; their entropy doesn't match the NAND.
>
> Pretty odd stuff.

Which edition Switch is it? Neon, gray, etc.
 

Essometer:

Guys, chill out. Comparing serials was never an accurate science. To make predictions, we need data; the less data we have, the worse the predictions. This is the reason why we can pretty accurately tell if a Switch is unpatched. Since this is a hacking community, people bought the unpatched Switches and the potentially patched Switches mostly stayed on the shelf. Since we had to establish a border somewhere, the cutoff point to "patched" was more or less arbitrary. It just means that there was never a Switch with this high a firmware reported to be unpatched. Your find means that the borders for potentially unpatched units will be moved.

That it doesn't support the BIS key generation is interesting, however.
 

PRAGMA (OP):

> Yeah it seems like they sometimes have old stock that are shipped with new serial numbers. Not the first report I've heard of this.
>
> Which edition Switch is it? Neon, gray, etc.

Gray

--------------------- MERGED ---------------------------

> Yours isn't the latest version, right? The one with the better battery?

No, it's the original.
 
