Hacking Question Possible to change MAC address in emu?

veekay

Wish I knew an easier way, but this does work if you change the prodinfo in a nand backup and then restore to emunand. I now have two completely different mac addresses.
 

Resaec

The question is, does the Switch actually use cal0 to "set" the MAC or is it just informative because it has no other way to get the MAC via request from the actual WIFI hardware...
 

Resaec

> Slight problem - the MAC tends to change randomly when rebooting. Back to the drawing board.

Not for me, I always have the same. Do you have active Incognito?

I just tried and changed the mac address in cal0, but there must be a checksum that failed so I got a fallback mac instead of my chosen one...
When checking how incognito clears cal0, they create a checksum.
 

veekay

Not using incognito - just changed the string in the prodinfo with a hex editor. Some boots it will still be the same, sometimes it will have none, but usually it cycles between different ones.

I only changed two digits, yet I went from starting with 98:B6:E9 to always having something with 40:D2:8A
 

Resaec

I just tried again, softbricking and fixing the checksum. It still ends up with a fallback address.
It's the same 40:D2:8A for me.

In the dump, there are 2 more bytes behind the actual wifi/bd mac address... This might be some kind of checksum, but it's not a common one like CRC8/16 or Checksum-8/16
 

veekay

> I just tried again, softbricking and fixing the checksum. It still ends up with a fallback address.
> It's the same 40:D2:8A for me.
>
> In the dump, there are 2 more bytes behind the actual wifi/bd mac address... This might be some kind of checksum, but it's not a common one like CRC8/16 or Checksum-8/16

Are you able to edit it in a manner that doesn't involve making a nand backup, extracting the file, editing and then writing it back? I hate having to take an hour or so for each attempt.
 

Resaec

I use TegraRcmGui to push Memloader to access rawNand.
From there I open it with HacDiskMount and my keys.
 

ZachyCatGames

> Saw mention of doing it that way, but thought it only applied to the sysnand and not emu

On Linux you can install ninfs and use something like the following:
python3 -mninfs nandhac -e --keys BIS_keys.txt /dev/sdb2 (or whatever your emummc partition is) mountpoint (replace this with the directory you want to mount it at)

and then in the directory you mounted it in, there should be an image file for each partition (which includes prodinfo ofc).
 

Resaec

No matter what I change, I can't seem to make HOS accept it as valid data.
I changed my Serial by one character, updated the hash, pushed CAL0 and rebooted.
The serial is not being displayed at all anymore :D

I don't see what the problem is. At this point it might be better to just make a kip that interfaces with the broadcom module via I2C and tell it what mac to use, but who wants to reverse this?
 

veekay

> No matter what I change, I can't seem to make HOS accept it as valid data.
> I changed my Serial by one character, updated the hash, pushed CAL0 and rebooted.
> The serial is not being displayed at all anymore :D
>
> I don't see what the problem is. At this point it might be better to just make a kip that interfaces with the broadcom module via I2C and tell it what mac to use, but who wants to reverse this?


Well, the good thing is it seems this should be possible. Will require someone with more knowledge than I have. For now I'll just have to block/unlock everything depending on which I am booting.
 

PabloZaiden

You need to apply the same crc16 used for the other values in PRODINFO, but this time only on the first 6 bytes, and the crc value goes as the 7th and 8th byte. Do that and it works
 
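The field layout described in the last post (6 MAC bytes followed by a 2-byte CRC16), checked the way a consumer of that field would, as an added example that is not code from any poster in the thread. The CRC parameters (reflected polynomial 0xA001, initial value 0x55AA, little-endian storage) and the sample MAC bytes are assumptions, not values given on this page; the check shows why an edit that leaves the trailing two bytes stale is rejected, and that a recomputable CRC guards against corruption only.

```python
import struct

# Assumptions (not stated in the thread): reflected polynomial 0xA001,
# initial value 0x55AA, CRC stored little-endian right after the data.
POLY = 0xA001
INIT = 0x55AA


def crc16(data: bytes, init: int = INIT, poly: int = POLY) -> int:
    """Bitwise reflected (LSB-first) CRC-16 with no final XOR."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc & 0xFFFF


def check_mac_field(field: bytes) -> dict:
    """Validate an 8-byte field: bytes 1-6 are the MAC, bytes 7-8 its CRC16."""
    if len(field) != 8:
        raise ValueError("expected 6 MAC bytes followed by 2 CRC bytes")
    mac = field[:6]
    (stored,) = struct.unpack("<H", field[6:])
    computed = crc16(mac)
    return {
        "mac": ":".join(f"{b:02X}" for b in mac),
        "stored": stored,
        "computed": computed,
        "valid": stored == computed,
    }


def build_sample_field(mac: bytes) -> bytes:
    """Construct a self-consistent sample field for the demonstration."""
    return mac + struct.pack("<H", crc16(mac))


# Constructed sample: only the 98:B6:E9 prefix appears in the thread.
SAMPLE = build_sample_field(bytes.fromhex("98B6E9000001"))
# Same field with two hex digits of the MAC edited and the CRC left untouched,
# which is the situation where a fallback address was reported.
STALE = SAMPLE[:5] + b"\xAB" + SAMPLE[6:]

if __name__ == "__main__":
    for name, field in (("original", SAMPLE), ("edited, stale CRC", STALE)):
        print(name, check_mac_field(field))
```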