Hacking Question: Switch semi-bricked

Andre993

Hi guys, I tried to restore my backup from 6.2 to 5.1 but with no success; I used manual ChoiDujour and nothing ever happens.
I have a full backup and my BIS keys, but I asked mattytrog to rebuild my NAND and found out that I have a corrupt boot0/boot1, and my keyblobs are missing.
The Switch starts only in RCM mode, nothing to OFW or CFW.
Lockpick gives me this error:
keyblob 0 corrupt
keyblob 1 corrupt
keyblob 2 corrupt
keyblob 3 corrupt
keyblob 4 corrupt
keyblob 5 corrupt
failed to decrypt package2

This is my boot0/boot1: https://drive.google.com/open?id=123KwJkxDYHZB_4BfmrRcSGtzI_n58Vc6
mattytrog told me this:
> OK... The problem you have is your keyblobs are missing. If your keyblobs were intact, we could have made you a new boot0.
> Any firmware before 6.2 requires keyblobs. And manual ChoiDujour won't work beyond 6.2.
> You need to somehow generate your keyblobs again.

Is there any way to recover/generate my keyblobs?

Thanks in advance

DBOA

I'm having the same problem you are having.
I'm trying to understand how boot0 and boot1 work so I can rebuild them, but it's kinda complicated.

youngc29

Have you tried restoring the partitions also? Full eMMC, including the GPP partitions; my issue may have been different, but that's how I fixed mine.

Andre993

> Have you tried restoring the partitions also? Full eMMC, including the GPP partitions; my issue may have been different, but that's how I fixed mine.

I don't know how; hekate 5.0 has an eMMC RAW GPP (rawnand.bin), which I had no success with, and an eMMC ALL, but I don't know how to restore this.

youngc29

rawnand.bin and boot0/1 sit in the SD card directory backup/8digitserial/restore; you then have a partition folder in there that contains your partition backups, including system.bin (don't worry about restoring safe.bin, as this can be quite large).
When I initially took my backup I must have saved all these as well. If you don't have them then you can't restore them.
When you run the full GPP restore in hekate it will tell you what's missing and also generate the folders on the SD card (although empty).
In HacDiskMount you can also mount this using the memloader payload; choose eMMC on the Switch (I think that's second from the bottom), and obviously remember not to hit format when it pops up in Windows. In HacDiskMount, do your BIS keys' entropy match (green) for SYSTEM and PRODINFO?
I may be wrong, but it's what I learned in the 18 hours yesterday in front of my PC trying to recover mine :)
Edit: just read the keyblob thing above; I really don't know anything about that, smarter guys in here could probably help. What I've said above may be all shit in your case :)

Andre993

> rawnand.bin and boot0/1 sit in the SD card directory backup/8digitserial/restore; you then have a partition folder in there that contains your partition backups, including system.bin (don't worry about restoring safe.bin, as this can be quite large).
> When I initially took my backup I must have saved all these as well. If you don't have them then you can't restore them.
> When you run the full GPP restore in hekate it will tell you what's missing and also generate the folders on the SD card (although empty).
> In HacDiskMount you can also mount this using the memloader payload; choose eMMC on the Switch (I think that's second from the bottom), and obviously remember not to hit format when it pops up in Windows. In HacDiskMount, do your BIS keys' entropy match (green) for SYSTEM and PRODINFO?
> I may be wrong, but it's what I learned in the 18 hours yesterday in front of my PC trying to recover mine :)
> Edit: just read the keyblob thing above; I really don't know anything about that, smarter guys in here could probably help. What I've said above may be all shit in your case :)

It's similar to the manual ChoiDujour downgrade, if I understand: I extract PRODINFO, SYSTEM, SAFE, etc. from rawnand.bin, right?

mattytrog

What we need to do is generate you a new boot0/1.

This shouldn't be a problem (however, we normally have something to work with).

We can generate everything up to offset 0x180000. After offset 0x180000 is the keyblob area.

Yours is blank.

If you need a firmware <6.2, this is a big problem.

After this firmware, you don't need the keyblobs (due to TSEC/Sept changes).

This leaves the NAND patrol area. No keys are stored in this area as far as I can tell, and it is unencrypted.

I can provide some blank boot0/1 to test.

Next...
PRODINFO.

This MUST be intact. However, you can generate a new one without serials and certificate, and you will never be able to use the eShop.

You are better off sending it in, Andre. PM me if you would like me to take a look.

DBOA

Hey man, I managed to put the keyblob in my boot0; it didn't fix my Switch, but maybe it will be different for you.
I had an old backup of boot0; I don't know if you have one.

I downloaded a file splitter and split it into files of 1572864 bytes. (That's the size of the blank file that mattytrog graciously shared.)
I took the second file and split it into files of 16384 bytes (the size of the keyblob).

I took the first file I generated, renamed it keyblob for posterity, and used a file joiner app to join the blank boot0 with the keyblob file.
Now the keys are correct. But maybe I'm still missing something. I need to study it further; maybe it's missing the PRODINFO, I don't know.

I got these sizes from https://switchbrew.org/wiki/Flash_Filesystem.

Hope that helps someone.
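The splitter/joiner procedure DBOA describes above is just byte-offset arithmetic, so here it is as an added Python script written for this thread (not code from the thread, from hekate, Lockpick, or mattytrog's repair package). The 1572864-byte stub size, the 0x180000 keyblob offset and the 16384-byte chunk come from the posts above; the 4 MiB BOOT0 size and the zero-filled stand-in images are assumptions, and the sample backup is constructed in memory so the script runs offline. It also refuses to proceed when the keyblob area of the backup is blank, which is the situation mattytrog describes for the OP's dump.

```python
"""Rebuild the first part of a boot0 image from a blank stub plus the keyblob
chunk of an old backup, the way DBOA describes, but with explicit byte offsets
instead of a file splitter/joiner.

Added example for this thread; not code from the thread, hekate, Lockpick or
mattytrog's repair package.  Constants marked "thread" come from the posts;
those marked "assumption" do not.
"""
import sys

BLANK_LEN = 1572864          # thread: size of the blank boot0 stub (0x180000)
KEYBLOB_OFF = 0x180000       # thread: keyblob area starts here
KEYBLOB_CHUNK = 16384        # thread: size of the piece DBOA transplanted (0x4000)
BOOT0_LEN = 4 * 1024 * 1024  # assumption: a full BOOT0 dump is 4 MiB


def split_parts(data: bytes, size: int) -> list:
    """What a file splitter does: cut data into consecutive parts of `size`
    bytes; the last part may be shorter."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def region_is_blank(buf: bytes) -> bool:
    """True when a region is all 0x00 or all 0xFF, i.e. erased or never written."""
    return buf == b"\x00" * len(buf) or buf == b"\xff" * len(buf)


def carve_keyblob_chunk(old_boot0: bytes) -> bytes:
    """Steps 1-2 of DBOA's post: the first 16384-byte piece of the second
    1572864-byte part, which is exactly old_boot0[0x180000:0x184000]."""
    if len(old_boot0) < KEYBLOB_OFF + KEYBLOB_CHUNK:
        raise ValueError("backup is too short to contain the keyblob area")
    chunk = old_boot0[KEYBLOB_OFF:KEYBLOB_OFF + KEYBLOB_CHUNK]
    if region_is_blank(chunk):
        # the OP's situation: an empty keyblob area leaves nothing to carry over
        raise ValueError("keyblob area in this backup is blank; nothing to transplant")
    return chunk


def splice(blank_boot0: bytes, keyblob_chunk: bytes) -> bytes:
    """Step 3: join the blank stub and the carved chunk, checking both sizes so
    the chunk really lands at offset 0x180000."""
    if len(blank_boot0) != BLANK_LEN:
        raise ValueError(f"blank stub must be {BLANK_LEN} bytes, got {len(blank_boot0)}")
    if len(keyblob_chunk) != KEYBLOB_CHUNK:
        raise ValueError(f"keyblob chunk must be {KEYBLOB_CHUNK} bytes, got {len(keyblob_chunk)}")
    return blank_boot0 + keyblob_chunk


def make_sample_backup() -> bytes:
    """Constructed 4 MiB stand-in for an old boot0 dump: zeros everywhere except
    a recognisable pattern in the keyblob chunk.  Not a real image."""
    pattern = bytes(range(256)) * (KEYBLOB_CHUNK // 256)
    return bytes(KEYBLOB_OFF) + pattern + bytes(BOOT0_LEN - KEYBLOB_OFF - KEYBLOB_CHUNK)


if __name__ == "__main__":
    # usage: python splice_keyblob.py old_boot0.bin blank_boot0.bin rebuilt_boot0.bin
    old_path, blank_path, out_path = sys.argv[1:4]
    with open(old_path, "rb") as f:
        old_image = f.read()
    with open(blank_path, "rb") as f:
        blank_image = f.read()
    rebuilt = splice(blank_image, carve_keyblob_chunk(old_image))
    with open(out_path, "wb") as f:
        f.write(rebuilt)
    print(f"wrote {len(rebuilt)} bytes ({len(rebuilt):#x}) to {out_path}")
```

Run against a real backup, split_parts reproduces the counts Andre993 reports later in the thread (3 parts of 1572864 bytes from a 4 MiB dump, 96 pieces of 16384 bytes from the second part), and the rebuilt file is 0x184000 bytes: the stub plus the one chunk, nothing after it. Whether that is enough for a given console is exactly what DBOA is still unsure about, so the script only does the splice and the size checks, nothing more.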

Andre993

> Hey man, I managed to put the keyblob in my boot0; it didn't fix my Switch, but maybe it will be different for you.
> I had an old backup of boot0; I don't know if you have one.
>
> I downloaded a file splitter and split it into files of 1572864 bytes. (That's the size of the blank file that mattytrog graciously shared.)
> I took the second file and split it into files of 16384 bytes (the size of the keyblob).
>
> I took the first file I generated, renamed it keyblob for posterity, and used a file joiner app to join the blank boot0 with the keyblob file.
> Now the keys are correct. But maybe I'm still missing something. I need to study it further; maybe it's missing the PRODINFO, I don't know.
>
> I got these sizes from https://switchbrew.org/wiki/Flash_Filesystem.
>
> Hope that helps someone.

I tried that, but it seems too difficult for me; I don't understand the steps very well.
Anyway, thanks so much :D

EDIT: I split my boot0 first into 1572864-byte files and I have 3 files of 1536 KB; I take the second file and split it into 16384-byte files and I have 96 files of 16 KB; now I take only the first file and join it to the blank boot0, right?
Where do I find the blank boot0?

DBOA

> I tried that, but it seems too difficult for me; I don't understand the steps very well.
> Anyway, thanks so much :D
>
> EDIT: I split my boot0 first into 1572864-byte files and I have 3 files of 1536 KB; I take the second file and split it into 16384-byte files and I have 96 files of 16 KB; now I take only the first file and join it to the blank boot0, right?
> Where do I find the blank boot0?

Sorry it took so long to answer.
You can get it here:

https://github.com/mattytrog/Switchboot_PART_2/blob/master/BOOT_REPAIR_PACKAGE_iha2.7z