The vulnerability that has been revealed is not déjà vu, it was a form of warmboothax that has been known since late 2017.
Mariko's bootrom was actually closer to T210 than T186 due to T214 being derived from T210 very early in development.
That's not true, development of T214 has simply been moved away from public view since it's now exclusive to the Switch (much like what happened before with the "Odin" branch of T210).
Either way, yes, it's highly likely that this particular issue has already been patched internally since it has been, allegedly, reported in the past to Google and NVIDIA.
Mariko's bootrom was actually closer to T210 than T186 due to T214 being derived from T210 very early in development.
That's not true, development of T214 has simply been moved away from public view since it's now exclusive to the Switch (much like what happened before with the "Odin" branch of T210).
Either way, yes, it's highly likely that this particular issue has already been patched internally since it has been, allegedly, reported in the past to Google and NVIDIA.
I'll update the post here.
I'm not able to confirm this because the unit I had access had the bootrom completely locked in all boot modes and no exploit worked in order to get it.
That unit was dated somewhere between july-sept. APB_MISC_GP_HIDREV matched and the relevant id fuses were different.
The soc as a soc wasn't exclusive. At least not before end of September or so. Also that unit had most warmboot exploits fixed. Not all though. The released one was included in the fixed ones.
Indeed, as far as I know even failure analysis is protected now.
I believe the exclusivity move is quite recent (it aligns with some gitweb commit from last month or so), but yes I'm quite sure this particular issue had been fixed for some time now. Luckily, warmboot handling is flawed enough for some bugs to still be around.
hekate v4.6 is released!
Check OP or HERE for changelog or more..
I also updated the guide a little bit, to match the current hekate's state.
Warning: The "sleep mode fuses fix" has nothing to do with the warmboot into CFW exploit.
- Fixes sleep mode for units that are downgraded and have a higher fuse count than required
- Fixed a major bug with update.bin chainloading. This is a breaking fix. You must update your dongle/modchip.
- Archive fix was redesigned based on latest info. It now can properly fix Nintendo folder.
- And more
Check OP or HERE for changelog or more..
I also updated the guide a little bit, to match the current hekate's state.
Warning: The "sleep mode fuses fix" has nothing to do with the warmboot into CFW exploit.
Last edited by CTCaer,
So super newb question here so if i have hekate_ipl.ini at the root of my card with kip1patch=nogc within the ini file should I be fine not to burn fuses within my game card reader or do I need to add them to hekate_ipl.ini within the /bootloader/ directory?
The hekate_ipl.ini in the root of the card doesn't do anything anymore, so put it in the one in the /bootloader directory
Well I didnt think so but I had removed the ini file from the root, and moved it to /bootloader/ After that I installed a switchme, then flashed with with ctcaer .46 Then I noticed the ini repopulated at the root of the sd card.....so that is why i questioned if it needed to be at root or not
If you use this version of Hekate (or a later version), sleep would work
Hekate - CTCaer mod v4.6
* Hekate is a Bootloader with fw patching, recovery tools and many more features. *
* hekate or Εκάτη (in Greek) is a goddess in ancient greek religion and mythology. *
* She was one of the main deities worshiped in Athenian households as a protective goddess and one who bestowed prosperity and daily blessings on the family. *
* Here, it blesses your Nintendo Switch. *
* CFW Launching for ALL current updates (1.0.0 - 6.2.0)
* Supports booting of all current CFWs, Linux chainloading, payload tools
* Auto boot
* Modules/Plug-ins support
* Full Atmosphère support w/Exosphère booting
* Automatic RAW eMMC partial dumping
* Restore eMMC
* Working Sleep Mode on ALL firmware and downgraded ones with higher fuse count.
* And many more
Before you continue:
Hekate - ipl, is a custom bootloader with extra features.
It must not be confused with CFW, hbmenu and anything else that is on the Horizon OS (Switch's OS) side.
E.g., hekate supports exFAT formatted sd cards, but if you never downloaded the exFAT update, it will not work on horizon os or any homebrew.
So, please don't report problems that happen after leaving hekate - ipl (hbmenu can't see apps, etc).
Summary:
CTCaer mod is based on naehrwert's hekate - ipl. hekate is basically a custom Nintendo Switch bootloader with many advanced features.
It supports all sd cards (except SDSC) and automatically chooses if it will dump in parts or not, based on your free space and sd card filesystem.
Supports CFW launching in the following Switch updates (all current):
Comes with many additional features. For example you can see your SoC's fuses, eMMC info, SD card info, etc.
- 1.0.0
- 2.X.X (all)
- 3.X.X (all)
- 4.X.X (all)
- 5.X.X (all)
- 6.X.X
Features guide:
Launch & OptionsToolsConsole Infoother options
- Launch
Used to launch CFW and various Payloads.
The main entries come from hekate_ipl.ini inside the bootloader/ folder.
Inside you'll always find 2 options:- Payloads
Let's you launch any binary payload inside the bootloader/payloads/ folder. This is useful for chainloading any released open source or closed source CFW bootloader. It can also launch any tool that comes in the form of a fusee payload.
- More configs
This combines all .ini found in bootloader/ini/ folder into one list based on the alphabetical order of the inis. Can be used for "drag n drop" releases, or uncluttering the main .ini file.
- Options
This lets you configure the auto boot options
- Auto boot
Let's you choose which CFW to autoboot.
- Boot time delay
Wait time on boot to allow you to enter bootloader menu by pressing VOL- (not volume up. It's volume down).
- Custom boot logo
Enable the use of a custom boot logo when auto booting.
If a log is specified in the selected boot entry, it will be used
If not or the logo was not found, bootlogo.bmp will be used.
If nothing is found or custom boot logo is disabled, hekate's built in logo will be used.
- Backlight
Choose the preferred backlight value in %.
Notice: All the backup/restore functions support verification.
That means, that when the bar turns green, hekate checks that the sd card written data and the eMMC data match.
Verification options:
As described above, this are the options for your backup and restore verification.
You can disable it here if you want. Default is Full.
Sparse: Only checks 4 bytes every 128Bytes. This is normally enough for block errors.
Full: It creates sha256 hashes of your sd backup and eMMC data and compares it byte to byte.
Backup eMMC BOOT0/1 (important!):
This will backup the physical eMMC partitions BOOT0 and BOOT1. These are needed to complete your eMMC full backup.
Backup eMMC RAW GPP (important!):
Let's you backup the whole general purpose partition from your Switch's eMMC. This includes Switch system and user files.
It's one of the 4 physical partitions that your eMMC has. The other are BOOT0, BOOT1 and RPMB (unused).
Because the whole GPP is 29.1 GiB (31,268,536,320 B), there several automatic ways to back it up.
1. Using exFAT formatted sd card which is 32GiB* and up:Notice on errors: If the errors persist, try to do a low level (full) format or try to run chkdsk /f /r /x Z: (where Z is your drive letter).
(* Some 32GB cards have less available free space than 29.1 GiB, so they may trigger partial backup)
This will backup the whole physical partition as one big file.
Troubleshooting when error occurs:
There are some cases that your sd card will spit errors, either because of bad sectors, or bad I/O. In these cases from v1.5 and up, it will show a specific error, which you need to right it down to find out why.
Sometimes though it can't be fixed.
In these cases you can force partial backup, by creating a new file called partial.idx. You have to open it in a HEX editor and write these exactly hex values: 00 00 00 00 (the red is the LSB, because Little-endianess).
The next time you'll try to run Backup eMMC RAW GPP, it will backup in parts of 2GB.
(This specific file is attached here, if you have difficulties with hex editors. Just rename it from .idx.txt to .idx.)
2. Using a FAT32 or an exFAT with smaller space than 29.1GiB:
This will trigger the automatic partial backup.
In this mode it will start backing up in 2GB parts or in 1GB if you have 8GB and smaller card.
It backups your eMMC, until it fills your card. It also uses a file called partial.idx, so it know which is the next part to backup.
When this is done you will see a similar message like the following procedure:
For step 6, there are also scripts inside a zip, provided in the download link below. Choose the correct one based on the parts size (15 x 2GB or 30 x 1GB) and based on your OS.
- After the session is done, press any key and Power off or Reboot rcm (if you want to skip step 3) Switch from the main menu
- Move the files from SD card to your PC to free some space
Don't move the partial.idx file! This file, keeps tabs on which is the next part to backup.- Unplug and re-plug USB while pressing Vol+ (skip if you rebooted into rcm from hekate's main menu)
- Run hekate_ctcaer_1.5.1.bin again and press Backup eMMC RAW GPP to continue with the next parts.
- Repeat steps 1-4 until you have 15 2GiB or 30 1GB files
- Join the files with your favorite cmd/app or use the scripts provided
Notice 1: Users that have a 8GB SD card and less, it will automatically backups with 1GB parts.
Notice 2: If you have an unfinished partial backup and want to start anew, delete the partial.idx file first.
Warning: When backing up the eMMC, in parts, you should not power on the switch normally and boot to Switch OS before done. Otherwise your finished backup will probably corrupt, because Switch OS writes on your eMMC even if it seems you done nothing.
Troubleshooting when error occurs (write it down for better support):
In this mode, it's easier to skip the problematic area of your sd card.
You may hit these problematic SD card areas. In this case, rinse and repeat the above steps, with always keeping the partial.idx file as it is.
- First try to run Dump RAW eMMC again right away. It will try to continue from the last part it was trying to backup.
- If this does not work, move the already backed up files to your PC, without deleting/moving the partial.idx file.
- Run Backup eMMC RAW GPP again, and it will start backup.
Backup eMMC SYS (uneeded if you already backed up the RAW eMMC):
The General Purpose physical partition, contains several GPT partitions.
By using this option, you can backup all these partitions, except USER, as separate files.
Backup eMMC USER (uneeded if you already backed up the RAW eMMC):
As described above, this will backup the USER partition from your eMMC's General Purpose partition.
Restore eMMC RAW GPP (Dangerous!):
Do not use that if you don't know what you are doing! No one is responsible for messing with your device.
You have a 10 second mandatory wait time before letting you start restore by pressing POWER.
This let's you restore your eMMC general purpose partition. If hekate find the /Backup/<eMMC S/N>/Restore/rawnand.bin it will restore it and verify it.
If it does not find it, it does nothing and shows Error (4).
For now only exFAT is supported. No partial restoring.
Restore eMMC BOOT0/1 (Dangerous!):
Do not use that if you don't know what you are doing! No one is responsible for messing with your device.
You have a 10 second mandatory wait time before letting you start restore by pressing POWER.
This let's you restore your eMMC BOOT0 and BOOT1 partitions.
It will only restore the files at /Backup/<eMMC S/N>/Restore/BOOT0 and /Backup/<eMMC S/N>/Restore/BOOT1.
If a file does not exists, it will be skipped and shows Error (4).
Restore eMMC GPP partitions (Dangerous!):
Do not use that if you don't know what you are doing! No one is responsible for messing with your device.
You have a 10 second mandatory wait time before letting you start restore by pressing POWER.
This let's you restore your eMMC GPP partitions.
It restores only the files found in /Backup/<eMMC S/N>/Restore/Partitions/*
Any file that is not found, it is skipped and shows Error (4).
The USER partition requires exFAT.
-------------------------------------
Dump package1/2:
This will dump and decrypt package1 and package2 from BOOT0 and BCPKG2-1-Normal-Main. It will also extract from it the secure monitor, warmboot, INI1 and kernel binaries.
The above feature is intended for developer use.
Fix SD files archive bit attribute:
This was redesigned to fix the following:
The proposed usage is to run the first option and then the 2nd one. The 2nd one is especially needed if you restored Nintendo folder because you upgraded your SD card or you had corruption problems and needed to restore.
- All folders/files in SD card except Nintendo folder
- Nintendo folder only
Fix battery de-sync:
This fixes the low battery monitor missconfiguration at PMIC max77160, produces by linux builds.
The fix is instant and you can just boot into Horizon OS after that.
AutoRCM:
The AutoRCM, also known as briccmii, it is based on @Reisyukaku AutoRCM v2 and it smartly corrupts the boot configuration in BOOT0 partition.
This allows the user to always boot/reboot into RCM, without the need of a jig.
Because it writes to the eMMC, it must be used with caution and only if needed.
Notice: Hekate is able to remove all variations of AutoRCM.
Ipatches & bootrom info:
This will print your ipatches.
It also includes an option to dump them and the unpatched/patched bootrom to the sd card, so you can examine them easier.
Print fuse info:
This will print your Tegra X1's fuses on your screen (plus your burnt fuses).
It also includes an option to dump them to the sd card, so you can examine them easier.
Print kfuse info:
This will print your Tegra X1's kfuses on your screen.
It also includes an option to dump them tothe sd card, so you can examine them easier.
Print TSEC keys:
This will print your Tegra X1's security co-processor's keys on your screen.
Print eMMC info:
This will print your eMMC info.
You can see many things, like maximum speed allowed, manufacturer and model, all the physical partitions,all the GPT partitions, etc.
Print SD Card info:
This will print your current SD Card info.
You can see many things, like maximum speed classes and speed grades allowed, manufacturer and model, total user space, free space, cluster size, etc.
Print battery info:
Lot's of info about your Battery Charger IC and Fuel Gauge IC.
- Reboot (normal)
Reboot normally, without any mods and CFW- Reboot (rcm)
Reboot into Recovery mode again. Useful if you want to run another payload or you want to remove your sd card.- Power off
Powers off the console.
- About
Displays info about this payload.
Warning:
Don't forget your console into RCM. This will drain your battery without a cable. And because, it does not have a battery cuttoff, it will completely drain it.
If this happens, you should power off (if it didn't all ready) your console, and let it charge into normal mode (red battery icon top-left) for 20-30 minutes, to open. Better remove the sd card, if it has payloads/homebrew/eMMC files, because it will boot into Horizon OS.
Changelog:
v4.6:
- Fixed sleep for downgraded units with efuses count more than required.
- Fixed update.bin chainloading and also forced hw init on update, in case it changes again in the future.
This is a breaking fix and requires to have v4.6 to your modchip/dongle.- New archive bit fix
It can now also fix the Nintendo folder. No more "corrupted" sd when upgrading sd card or restoring Nintendo folder.- Fixed UART debug printing. Thanks @hyln9
- Auto HOS power is now disabled by default. Probably, most people learned what it does and can enable it from the Options menu.
- Some small SMMU emulation for TSEC fixes for the unluckiest out there. Max wait time remains small.
- Many many many fixes and also added some error msgs for restore and boot options.
v4.5:
- Full 6.2.0 support. Many thanks to @nwert and @balika011 for their help!
-Supports Ninty's Secure Monitor and new Exosphere
-Supports booting 6.2.0 with less than 8 fuses and custom pkg2
-It has 100% success ratio
-Added support to "Print TSEC keys" and "Dump pkg1/2" tools- Fixed YouTube HDCP issue. Thanks @hexkyz for taking the time to investigate.
- Every file lister is now ignoring hidden files and .dot files. Thanks @StevenMattera
- The Minerva Training Cell library for hekate was updated to latest version (v1.1)
- Added "silent option to Auto HOS power off option. You can now choose if you want the logo to be shown. Thanks @Huntereb
- Refactored the monolithic main.c to simpler grouped sections. Additionally hos.c took some love.
- Many many bugfixes
v4.2:
- Support "*" folder wildcard in kip1 key
Using <folder>/* can now parse and load all kip and kip1 files inside that folder.- Add option to enable/disable Auto HOS power off
If you don't use a modchip/dongle you may find this feature annoying. Options->Auto HOS power off to disable.- Allow canceling of the verification process
Now you can cancel backup and verification process. If backup phase is done, canceling in verification, will keep your files.- Some small bugfixes and support certain cfw on its stock version
v4.1:
- Full 6.0.0 support
Secmon/ kernel patches, FS patches, sleep mode, hw config, etc.- Improved .ini/payload handling
hekate_ipl.ini is no longer required and hekate does not hang on empty folders.- PWM backlight
You can now change the backlight brightness.- Auto full power off when the device woke up from HOS' power off
Usefull with modchips/dongles when using AutoRCM. (You can see it as a breathing backlight with hekate's logo).- Backup can be now cancelled when in the writing process (white bar), by pressing VOL UP + DOWN.
- Self update chainloading properly checks for version number now to avoid uneeded loads.
- Support payloads with broken/bad hw init...
- Added ipatches info and dumping of patched/unpatched bootrom and ipatches
- Corrected some hw config changes found in 5.x-6.0.0
- More boot reasons and bootrom registers restores to normal
- It now properly restores BCT on dev units from where it's supposed to.
- Added warning message when the bootloader library for sleep mode is missing.
- And many many bugfixes
v4.0:
- Added Payload launching. Supports: All current CFW bootloaders, Linux chainloading and payload tools.
Use the new entry in Launch, Payloads. Autoboot is supported via inis to all payloads.- Added Ianos, our module support loading and launching. First module is LP0 (sleep mode).
- Added support for split ini
They should be located to bootloader/ini. All cfw bootloaders, payloads and linux payloads are supported, along with Horizon files.
Autoboot support. Use the More configs menu in autoboot configuration.- Auto launch update for modchips. For users that do not like to always update their eeprom.
- Add KIP1 patching support
- Backup speed is now faster, by having bigger write speeds.
- Backup folder now uses eMMC serial number.
- AutoRCM now shows status and can unbrick all AutoRCM versions and types.
- If sd card is missing asks to continue. No more accidental stock HOS launching.
- Allow dumping of TSEC keys to sd card
- Fixed display sanitization for all firmwares. No more white flash or black screen.
- Fix critical bug to FatFs
- Countless fixes and bugfixes
- And many more..
Everything hekate related, moved to bootloader folder.
Check readme.md for more.
Old Changelog:
v3.2:
- Fixed sleep mode for 3.0.0 - 3.0.2
- Add status bar with battery info
Now you can always see your battery when into a time-consuming backup/restore.- Add background color support from bitmap's first pixel
If your logo is smaller than 720x1280, it will now use the first pixel as background color, instead of dark grey.- Add dumping of package2
- Unset archive bit to all sd card files re-added
Now it does not touch Nintendo folder. Keep in mind that this can mess with some homebrew.- Fixed an issue with a non-working firmware launching when "Dump package1" was used before.
- Changed partial backup message to inform about the sd card unmounting when in a menu.
- Some small bugfixes.
v3.1:
v3.0:
- Implement millisecond timer
This is a must and a very important feature, because we expect to use the bootloader more than 71 minutes (Backup/Restore). This has the side-effect of fixing a lot of stuff. Especially on SDMMC operations.
If you had problems with read/write/verify on eMMC or SD, the new version is a must.- Fix the verification code at last!
Another side-effect of using a 32bit ms timer (from the μs original one). Plus the additional fixes to variables that could not fit in u32 storage, makes the fix completely. Thanks to all the testers that helped to tackle these dreaded bugs.
Better redo that backup!- The Fusée patches for 4.X are now fixed
- The sd files archive bit removal tool, now only applies to switch folder
Warning: The restore options are DANGEROUS! Do not use that if you don't know what you are doing!
- Auto boot
with hekate logo or custom logo support
When enabled, press VOL- to go into the bootloader menu- Full Atmosphère support w/Exosphère boot
It can now properly boot through Exosphère.- Completely fix Backup & Restore Verifying algorithm
Better do a new backup to make sure.- Restore options
You can now restore your BOOT0/1, GPP physical partitions and all GPP partitions. Individually. Read the warning!- Configuration
Support configuration loading and saving- Add Battery charger and Fuel gauge info
- Support styling in hekate .ini file
- Add battery "de-sync" fix
- Add Fix sd files attributes
- Show battery stats in menu
- Raise sd card power limit for faster transfer speeds
- Update FatFS to 0.13b /w hotfix
- Other features that I forgot. Check commit log
- Countless (really!) bugfixes, memory leak fixes and general fixes
No one is responsible for your actions!
v2.3:
- Sleep mode now works on 1.0.0-2.3.0, 4.0.0-5.1.0
v2.2:
- Added Disable SVC verification for 5.X.X kernel patch (enabled by using fullsvcperm=1 in hekate ini)
- Better support for SDR50 sd card speed (mitigates a T210 hardware bug)
- Fixed a bug with scrambled tex
- And many other bugfixes
v2.1:
- Backup/dump verification
Automatically verifies every written part or single dump file. When this process is on, the bar turns green.- Fix booting into CFW for 1.0.0
Relocated security monitor to leave a lot of free space for hekate- Kernel patching
Added Disable Svc Verification and Enable Debug mode.
Can be enabled via the hekate .ini, using the keys: fullsvcperm=1, debugmode=1.- Inform user that console halted in sleep mode
Actually this corrects sdram cfg parsing in LP0.
The sleep mode though, still does not work. But now it tries to enter/leave sleep and halts with the backlight on.
At least, this reminds the user to power off the console to not deplete the battery completely.- And many bug fixes, wording fixes, etc
v2.0:
v1.6:
- Added support for 3.0.1 and 3.0.2
- Added more write retries to sd card. May fix some sd card busy errors reported by users
- Now with bigger font - 16px. Don't squint your eyes anymore. (It's still WIP though)
- Many bugfixes
v1.5.1:
- Added upstreamed @Reisyukaku's AutoRCM v2
- Now the menus have captions and sections for easier use
- Power button selection works better than before and completely eliminates double presses
- Bugfixes
- Fixed a stray message (v1.5.1)
- [Firmware] Add support for 3.0.0 CFW firmware launching.
- [Tools] Better dumping algorithm (fixes many problems and new features like force partial dumping).
Forced partial dumping now works for big sd cards with exFAT and partial.idx is written correctly when a fatal write error occurs.- [Tools] Automatic switch to 1GB parts dumping for 8GB sd cards and lower. No need to use another binary.
- [FatFS] Add error printing. No more vague error 1.
- [SD] Proper SD card unmounting on reboot/poweroff.
- [SD] Fix SD status info and add write protect info.
- Better error printing.
- Change background color and add logo.
- Many bugfixes and improvements.
v1.3:
- [Firmware] Add upstream changes for 4.xx/5.xx firmware launching support
- [SD/MMC] More fixes for SDHC/SDXC sd cards.
- [Tools] Add dumping fuses/kfuses to sd card
- [Tools] Some small fixes on raw dumping edge cases
- [Info] Add Info printing for eMMC and SD card
v1.2:
- Write errors to SD card are now fatal (as per FatFs/Diskio guidelines). You can still choose what to do though:
- Abort and try again right away from the last part (recommended)
- Continue (and potentially have a corrupt dump)
- Fix SD card not mounting (by fixing the switch to low voltage 1.8v for these cards. Normally happening in Samsung sd cards)
- Add high speed support for high voltage SD Cards
Download v4.6
In windows, you can then use rajkosto's biskeydump and HacDiskMount to manipulate your raw eMMC dump.
Thanks:
naehrwert for the original code: https://github.com/nwert/hekate
@rajkosto for his hekate - ipl commits and tools: https://github.com/rajkosto/
And all other contributors in hekate repo.
Do I follow here for backing my nand up or This link? I was given in noob thread?
https://gbatemp.net/threads/backup-...-your-biskeys-tseckeys-keys-txt-guide.513386/
Last edited by Zap2000,
Backing up your eMMC (nand) is fairly easy:
- Inject latest hekate
- Go to Tools -> Backup
- Run Backup eMMC BOOT0/1 (boot partitions)
- Run Backup eMMC RAW GPP (generic rawnand.bin partition. This will take a lot of time, because it is also verifying it)
- Done
Together all 3, are your full backup.
Yeah I got them easy enough it was the other guide I was sent to I had probs half way through
https://gbatemp.net/threads/backup-...-your-biskeys-tseckeys-keys-txt-guide.513386/
Wats all them extra info keys txts and dumps?
Are they needed in case I wanna downgrade?
Not sure why it wants me to backup the extra stuff? Biskeys etc?
Similar threads
-
Xdqwerty
what are you looking at? -
realtimesave
-
Psionic Roshambo
-
-
@
SylverReZ:
@Psionic Roshambo, JonTron's back yet again until he disappears into the void for another 6 or so months.+1 -
-
-
-
-
-
-
-
-
-
-
-
-
@
Xdqwerty:
@realtimesave, hey there buddy chum pal friend buddy pal chum bud friend fella bruther amigo pal buddy friend chummy chum chum pal
-
@
Xdqwerty:
@realtimesave, hey there buddy chum pal friend buddy pal chum bud friend fella bruther amigo pal buddy friend chummy chum chum pal
-
-
-
-
-
-
-
-
-
