Tutorial  Updated

How to install the exFAT driver without updating!

This guide is outdated, use this easier guide instead: guide, original thread: ChoiDujourNX

*************

Warning: Use at your own risk, using a wrong version of a game dump could prevent the console from booting.

Warning: Because we install the driver without ever requesting this from Nintendo, this could be detected if you go online and result in a ban.



Intro:

How to install the exFAT driver without updating your console.
I used the game dump "Penny.Punching.Princess.NSW-BigBlueBox" on my 3.0.2 Switch.
I'm assuming you know how FG works and how to send payloads to the console before proceeding.

There are two methods of installing this:
1, Stock: Installing it to the system like a cartridge would. This works on stock firmware but exFAT support would be lost after a system update.
2, CFW: When booting Horizon via hekate, a .kip1 file will be injected. The console's eMMC remains unaltered and will not have the driver loaded when booting normally and not via hekate.

Method 1, Stock:

Necessities:

- A console with firmware version 2.0 or higher (does not work on 1.0.0)
- A Game dump with an update on it that is the same version as the console (tested: trimmed xci works)
- Switch encryption keys (these can't be shared, Google 'nswroms' to find them)
- patch.zip: link
- TegraRcmGUI / TegraRcmSmash (TegraRcmGUI)
- memloader (https://switchtools.sshnuke.net/)
- HacDiskMount (https://switchtools.sshnuke.net/)

Steps:

step 1: Copy the contents of the sample directory of memloaderv1.zip to the root of your SD card.
step 2: Enter RCM using your preferred method: how-to-test-fusee-gelee.
step 3: Inject the memloader.bin payload that is located inside of memloaderv1.zip.
step 4: Select 'ums_emmc.ini' by navigating with the volume buttons and confirming with the power button.
step 5: open HacDiskMount as administrator and select 'Linux UMS disk 0':
[screenshot]
step 6: Double click BCPKG2-1-Normal-Main and a window will pop-up:
[screenshot]
step 7: Use the 'Start' button in the 'Dump to file' section to extract the partition.
step 8: (!) Create a backup of BCPKG2-1-Normal-Main.bin and store it somewhere safe.
step 9: Create a new directory and extract the contents of patch.zip into it.
step 10: Copy the game dump and BCPKG2-1-Normal-Main.bin to the same directory.
step 11: Create a file named keys.txt in the same directory.
step 12: Copy all of the Switch encryption keys to this file.
The keys.txt file should contain at least the following keys, replace the ... with the keys you found online.

master_key_00 = ...
master_key_01 = ...
master_key_02 = ...
master_key_03 = ...
master_key_04 = ...
aes_kek_generation_source = ...
aes_key_generation_source = ...
key_area_key_application_source = ...
header_kek_source = ...
header_key_source = ...
step 13: Inside of the directory we created, drag the game dump .xci onto the patch.bat file.
step 14: If the process executed successfully you should see something like this:
[screenshot]

(The number of bytes can vary)
(Don't worry about the 'Failed to match key' warnings)
step 15: Go back to HacDiskMount and click on 'Browse' in the 'Restore from file' section and select BCPKG2-1-Normal-Main.bin that we just patched.
step 16: Close the pop-up window and double click on BCPKG2-2-Normal-Sub.
step 17: Repeat step 15 and restore the same BCPKG2-1-Normal-Main.bin file (optional, but advised).
step 18: Hold the power button on your Switch for 12 seconds to turn it off and then boot it again to see the results!

Results:

Before:
[screenshots]

After:
[screenshots]

Credits:

@Raugo for creating the original Spanish tutorial: link

Method 2, CFW:

Necessities:

- Everything from method 1, except: memloader and HacDiskMount
- sdfiles.zip (https://github.com/tumGER/SDFilesSwitch/releases)
- hekate (https://github.com/CTCaer/hekate/releases)

Steps:

step 1: Create a new directory and extract the contents of patch.zip into it.
step 2: Copy the game dump to the same directory.
step 3: Create a file named keys.txt in the same directory.
step 4: Copy all of the Switch encryption keys to this file.
The keys.txt file should contain at least the following keys, replace the ... with the keys you found online.

master_key_00 = ...
master_key_01 = ...
master_key_02 = ...
master_key_03 = ...
master_key_04 = ...
aes_kek_generation_source = ...
aes_key_generation_source = ...
key_area_key_application_source = ...
header_kek_source = ...
header_key_source = ...
step 6: Inside of the directory we created, drag the game dump .xci onto the patch-cfw.bat file.
step 7: If the process executed successfully you should see something like this:
[screenshot]

step 8: Copy the file FS.kip1 that was just created in the 'out' directory, to the root of your SD card.
step 8: Copy the contents of sdfiles.zip to the root of your SD card.
step 9: On your SD card, open hekate_ipl.ini inside of a text editor.
step 10: Add the following line below each boot entry that you want to inject:
Code:
kip1=FS.kip1
A boot entry is a line that starts with [ and ends with ], for example:
Code:
[CFW]
kip1=modules/newfirm/loader.kip
kip1=modules/newfirm/sm.kip
kip1=FS.kip1
step 11: Put the SD card back into your Switch.
step 12: Enter RCM using your preferred method: how-to-test-fusee-gelee.
step 13: Inject the hekate.bin payload

After booting hekate and selecting either 'stock' or 'CFW' from the 'Launch firmware' section, the exFAT driver will be injected!
 

coolbird22

Will there ever be an exFat driver for 1.0.0 ? Instead of there being more exploits for 1.0.0, there are more resources for 5.1.0 now.
Don't update 1.0.0 they said. :(
 

B0unce

I am unable to run the patch script, it keeps saying things like hactool aren't recognized as internal or external commands.
 

P4wn4g3

I'm trying method 2. I keep finding game dumps that are split up in parts with a bunch of rar files... I have no idea how to use these. Each rar has a .xci file in it and they seem identical. Do I need to compile these or something before dragging them onto the .bat file? Or can I just unrar one xci and use it...?
 

Medo

Troubles from the start.
Method 1 on FW 4.0.1.
On Mac Os running Parallels W10.

1. I open the TegraRcmGUI_v2.0_portable
2. I connect rcm SW and update the driver
3. inject the memloader payload, but black screen on SW

Tried these Solutions with fail:

1. delete apx NSW driver and start again, no luck

2. on Mac Os use the web loader to inject memloader without any troubles. It loads the memloader menu
I choose ums_emmc.ini and disconnect SW from computer
I load the VM W10 again and reconnect SW and choose W10 as primary USB connection
In device manager, I see a yellow exclamation
I try Hacdiskmount as admin but don't see the device after 'open physical drive'

What am I doing wrong?

Is there a solution for Mac OS?
 

riyyi (OP)

> I'm trying method 2. I keep finding game dumps that are split up in parts with a bunch of rar files... I have no idea how to use these. Each rar has a .xci file in it and they seem identical. Do I need to compile these or something before dragging them onto the .bat file? Or can I just unrar one xci and use it...?
The .xci is split into the multiple rar files, so that means it's the same file. If you extract just the first one you should be good (most extraction software automatically looks for the next parts).

> Is there a solution for Mac OS?
I'd install bootcamp or use a friend's computer honestly, it's a one-time installation.
 

riyyi (OP)

> okay thank you i will start the process now. one more question. is there a way to revert back to stock if i want to in case a new update comes out that could brick this?
Updating will simply install the new firmware without the exFAT driver on it, it will not brick the system. But if you want to revert the modification simply restore the backup you make of "BCPKG2-1-Normal-Main.bin" during the tutorial (restore the same file on BCPKG2-1-Normal-Main and BCPKG2-2-Normal-Sub).
 

P4wn4g3

You can install apt-get on Mac. Not sure if that would work exactly the same, but programs installed through it seem to work fine.
 

KTroopA

> Could you please let us know what you did to fix it? I'm having the same PK21 issue.

i had to have these keys in my keys.txt file and it worked.

Code:
master_key_00 = C2CA...
master_key_01 = 54E1...
master_key_02 = 4F6B...
master_key_03 = 84e0...
master_key_04 = CFA2...
aes_kek_generation_source = 4D87...
aes_key_generation_source = 8961...
key_area_key_application_source = 7F59...
header_kek_source = 1F12...
header_key_source = 5A3E...
header_key = AEAA...
package1_key_00                                 = F4EC...
package1_key_01                                 = F8C6...
package1_key_02                                 = C580...
package1_key_03                                 = C320...
package1_key_04                                 = EDE3...
package2_key_source                             = FB8B...
package2_key_00                                 = A35A...
package2_key_01                                 = A0DD...
package2_key_02                                 = 7E5B...
package2_key_03                                 = BF03...
package2_key_04                                 = 09DF...
 

tehlers

Hello,

I'm sorry to maybe ask dumb questions, but I don't have any "Windows" machine. I only have Linux systems. So I try to find out *what* is the purpose of the steps and what are they doing, so I can find a solution for linux.

For the beginning: I am on firmware 3.0.0 and I want to patch the firmware permanently (Method 1).

So first steps are injecting memloader.bin with fusee-gelee, selecting ums_emmc.ini and find the Switch as /dev/sdb (with 11 encrypted partitions). I first dumped the whole /dev/sdb to a file to be able to work the next steps offline and have a full backup.

Having dumped all needed individual keys with biskeydump, I could use "YASDU" (D.a.n, at github: DacoTaco/YASDU.git) as tool for getting the decrypted partitions (losetup the dumped file, creating individual partitions with kpartx and patching main.c in D.a.n to use these devices instead of /dev/mmcblk1p* + patching the decryption of p3_BCPKG2-1-Normal-Main to get this partition, too).

Now I have the decrypted BCPKG2-1-Normal-Main.bin and I have a dump of "Pokken Tournament DX", containing the firmware update version 3.0.0.

Now I try to understand, what "patch.bat" does, first (hactool.exe -t xci --updatedir=update %1):
Code:
hactool -k keys.txt -t xci --updatedir=update Pokken.Tournament.xci
This seems to dump the update content from the game into the directory "update", so far so good:
Code:
XCI:
Magic:                              HEAD
[...]
Saving Update Partition...
Saving 0142353377d612f706a5eb96f23c550b.cnmt.nca to update/0142353377d612f706a5eb96f23c550b.cnmt.nca...
[...]
Done!
Looks good, next is "hactool -i -k keys.txt update/%%f | findstr 010000000000081b>NULL", seems to check if the dump is valid and searches for files with string output 010000000000081b. Then these files are processed with "hactool -k keys.txt --romfsdir=out update/%%f".

Ok on my system:
Code:
%> for i in update/*; do ~/switch/hactool/hactool -i -k keys.txt $i | grep 010000000000081b; done
Title ID:                           010000000000081b
Title ID:                           010000000000081b
%> for i in update/*; do ~/switch/hactool/hactool -i -k keys.txt $i | grep -q 010000000000081b && echo $i; done
update/72704f8649651373ae0a9fdd1c7900c2.cnmt.nca
update/9e5c73ec938f3e1e904a4031aa4240ed.nca
Then I process these two files, the second one indeed produces the files in "romfsdir":
Code:
%> ~/switch/hactool/hactool -k keys.txt --romfsdir=out update/9e5c73ec938f3e1e904a4031aa4240ed.nca
NCA:
Magic:                              NCA3
[...]
Saving out/nx/bct...
Saving out/nx/package1...
Saving out/nx/package2...

Done!
Now I have the file "package2", which seems to be needed for the final step:
Code:
bincmp out/nx/package2 -writeto BCPKG2-1-Normal-Main.bin -offs2=16384
@RD /S /Q %~dp0"\out"
@RD /S /Q %~dp0"\update"
del %~dp0"\NULL"
Here I don't understand the process. "bincmp" is for comparison of binaries and can also inject something into a binary? What is "@RD" and what do these commands do?

Finally I don't understand the whole mechanism yet, I have a gamedump with the firmware update of the same version like on my switch (3.0.0). I don't see any driver injection other than from the gamedump. But firmware 3.0.0 does not have the exFAT support (otherwise I would not need to patch anything). Where the heck does the driver come from in the end?

Thanks for enlightening me!

Best

EDIT: I think I at least understood the bincmp. This should be equal to:
Code:
cat out/nx/package2 | dd seek=16384 bs=1 conv=notrunc of=BCPKG2-1-Normal-Main.bin

Shall I now risk to write the partition back to the switch? :unsure:
 

riyyi (OP)

@tehlers Thanks for your research!

> What is "@RD" and what do these commands do?
@RD is simply a "remove directory" command, the directories get deleted because they aren't needed anymore.

> Where the heck does the driver come from in the end?
The driver is inside of the update partition in the game dump, but it will only get installed if you "marked" your Switch by inserting an exFAT formatted SD card and accepting the update. Nintendo does this for offline compatibility. The "marking" is needed so Nintendo can register the amount of Switches with the update to pay royalties (for the usage of exFAT) to Microsoft.

For example: you accept the update right now, it will go online and get 5.1.0 including the exFAT driver and installs it to the system. Then in the far future a game gets released that requires 6.0.0, you insert the cart and the game requests an update. You accept this update but because your Switch was "marked" for exFAT compatibility it will install 6.0.0 + exFAT driver from the cart without the internet.

> Shall I now risk to write the partition back to the switch? :unsure:
If you want to test it out, you could restore just the BCPKG2-1-Normal-Main partition and leave the BCPKG2-2-Normal-Sub partition alone. The second partition is simply a copy of the first that gets loaded if something goes wrong.
If this is successful and the exFAT driver works you can then restore BCPKG2-2-Normal-Sub as well.
 

tehlers

> @tehlers Thanks for your research!
>
> @RD is simply a "remove directory" command, the directories get deleted because they aren't needed anymore.
>
> The driver is inside of the update partition in the game dump, but it will only get installed if you "marked" your Switch by inserting an exFAT formatted SD card and accepting the update. Nintendo does this for offline compatibility. The "marking" is needed so Nintendo can register the amount of Switches with the update to pay royalties (for the usage of exFAT) to Microsoft.
>
> For example: you accept the update right now, it will go online and get 5.1.0 including the exFAT driver and installs it to the system. Then in the far future a game gets released that requires 6.0.0, you insert the cart and the game requests an update. You accept this update but because your Switch was "marked" for exFAT compatibility it will install 6.0.0 + exFAT driver from the cart without the internet.
>
> If you want to test it out, you could restore just the BCPKG2-1-Normal-Main partition and leave the BCPKG2-2-Normal-Sub partition alone. The second partition is simply a copy of the first that gets loaded if something goes wrong.
> If this is successful and the exFAT driver works you can then restore BCPKG2-2-Normal-Sub as well.

Thanks for clarifying!

At first: It worked!

Two more things for other linux users: The detour with YASDU and trying to patch is unnecessary! There are only 5 partitions encrypted of the 11 and BCPKG2-2-Normal-Main (and BCPKG2-2-Normal-Sub) are unencrypted! And the second thing: there is the mentioned backup partition BCPKG2-2-Normal-Sub (partition 4), absolutely equal to partition 3, I did not read the tutorial until the end when I wrote the first post. So we need to rewrite both.

So just "dd" partition 3 and 4, check with "diff", that they are really equal, patch one of the dumps and rewrite them back with "dd" to the switch.

Thanks!
 
Last edited by tehlers,
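
The Linux route described in the two posts above (compare the two partition dumps, overwrite one at a fixed byte offset with dd, write it back) has no step that confirms the write stayed inside the image and left every other byte alone. The following is an added example, not code from the thread or from patch.zip, that performs the same overwrite on dump files with those checks; the function name patch_dump and the .orig backup suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. patch_dump and the ".orig" suffix are
# illustrative names. The byte offset is whatever the caller passes (the
# command line quoted in the thread uses 16384).
# Operates on dump FILES only, never on a block device.
#
# usage:   patch_dump MAIN_DUMP SUB_DUMP PAYLOAD OFFSET
# returns: 0 ok | 1 bad argument | 2 dumps differ | 3 payload does not fit
#          4 write or verification failed (MAIN_DUMP restored from backup)
patch_dump() {
    main=$1; sub=$2; payload=$3; offset=$4
    [ -f "$main" ] && [ -f "$sub" ] && [ -f "$payload" ] || return 1
    case $offset in ''|*[!0-9]*) return 1 ;; esac   # decimal digits only

    # The thread describes Sub as a copy of Main. If the dumps differ, one
    # patched file cannot safely stand in for both, so stop here.
    cmp -s "$main" "$sub" || return 2

    img_size=$(( $(wc -c < "$main") ))
    pay_size=$(( $(wc -c < "$payload") ))
    end=$(( offset + pay_size ))
    # With conv=notrunc, dd silently GROWS the file when the write runs past
    # the end; the result would no longer match the partition size.
    [ "$end" -le "$img_size" ] || return 3

    # Untouched copy: rollback source and reference for verification.
    cp -p "$main" "$main.orig" || return 1

    # Same overwrite-in-place as the dd line in the thread. Afterwards the
    # expected image is rebuilt from the backup (head + payload + tail) and
    # compared with the result: one pass proves the size, the patched bytes
    # and every byte outside the patched window.
    dd if="$payload" of="$main" bs=1 seek="$offset" conv=notrunc 2>/dev/null &&
        { dd if="$main.orig" bs=1 count="$offset"
          cat "$payload"
          dd if="$main.orig" bs=1 skip="$end"; } 2>/dev/null | cmp -s - "$main" ||
        { cp -p "$main.orig" "$main"; return 4; }
    return 0
}
```

On success the original dump is kept next to the patched one as MAIN_DUMP.orig, which is the file to restore from if the result has to be reverted.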
