Hacking Question Uniqueness of NAND pairing with hardware

[ewabc886]

Disclaimer: I'm not responsible for any damage related to the following guide

Redirecting to proper section:
NAND Rebuilding Guide


Update:

It's great that I managed to rebuild a bootable NAND and tried some games on it.
Other than not having a normal bootable OFW, it seems good.
In conclusion, I've used

brief/unexplained steps:

Spoiler

[(A) stands for things from good Switch; (D) from dead Switch; (O) for output files]

rawnand.bin (A) with its complete prod.keys (A) file from a good Switch
prod.keys (D) from bad Switch and added common master keys (source, 00 to 05) from good prod.keys (A)
prodinfo_gen.bin
OFW 12.0.2
mmcblknx: emmc chip reader. can flash BOOT1 and BOOT0 on linux
(Tried OFW 3.0.0 and 9.0.0 both failed)

Other files already on sdcard which I'm not so sure with the versions:
Atmosphere
Hekate & Nyx

then use

1. EmmcHaccGen v2.2.3
Building folders SAFE (O), SYSTEM (O), USER (O)
Building files BCPKG2-1 to BCPKG2-4 (O)
Building files boot.bis (O), BOOT0.bin(O), BOOT1.bin (O)

2. NxNandManager v5.0
Import a very limited prod.keys (D) file to output BIS keys (keys.dat (O))
Export decrypted PRODINFO.bin (A), PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A)

3. prodinfo_gen.bin
Generate PRODINFO.bin (O) from PRODINFO.bin (A) with prod.keys (D)

4. HacDiskMount v1.0.5-5
Save BIS keys from keys.dat (O) for PRODINFO.bin, PRODINFOF.bin, SAFE.bin, SYSTEM.bin, USER.bin
Import PRODINFO.bin (O), PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A), BCPKG2-1 to BCPKG2-4 (O)
Mount SAFE, SYSTEM, USER, and delete all of the content and filled with files in SAFE (O), SYSTEM (O), USER (O)

5. By mmcblknx / Hekate / SXOS
Flash / Restore BOOT0.bin(O), BOOT1.bin (O)
I tried to use both mmcblknx to flash them on a linux system
and Hekate EMMC restore
Both worked just fine even Hekate gave warning of mismatch of sizes, it's save to do for me.

boot with fusee-primary.bin
This may give an error and need to press power button to reboot once, then can boot into Atmosphere
If you encounter boot loop to Atmosphere splash screen / error screen, it's not normal

After repairing NAND, OFW 12.1.0 is installed using Daybreak
Atmosphere 0.20.1
Remember to use corresponding sigpatch

Original Post:

Spoiler

Questions about
"Uniqueness of NAND pairing with hardware"

As searched, all I know about Switch's hardware is that the NAND is paired with the hardware, and are not interchangeable with other units.
Now I haven't backed up my NAND, then the MMC chip somehow went faulty.
Even if I managed to get a chip, I cannot restore my NAND files on it, then the Switch is already bricked.

All I would like to know from creating this thread is that, which component actually causes the problems? And which components are uniquely bind to the NAND?
Now I have a Switch (A) with good MMC chip with it's NAND in good condition, and most parts of the Switch are good, but I just don't want to use this board anymore.
Another Switch (B) has a faulty MMC chip with no NAND backup done, and the unit is bricked.
If I want to swap MMC (A) to Switch (B) without rebuilding NAND, can I actually move some more components (such as APU) from (A) to (B) together, to make the NAND usable on (B) ?

Do we have enough knowledge about which components are responsible for the binding of NAND with hardware?

And at the end of all the thoughts, why is Nintendo doing this, that the MMC are not interchangable at all? Is there any good?
Isn't it easier for them to have the same (or nearly the same) NAND on all Switches.
If a clean NAND is installed on the MMC, the Switch starts to bind with the MMC afterwards. (The idea came from PSVita memory card)

Thanks for reading.

Credit to all the payloads, software creators, and advices in this post and Unbricking Guide:
SciresM and the ReSwitched team for Atmosphere
CTCaer for Hekate
Shchmue for Lockpick_RCM
CaramelDunes for prodinfo_gen
SuchMemeManySkill for eMMC Hacc Gen
Rajkosto for HacDiskMount
Eliboa for NXNandManager
ignasurba for mmcblkNX
Balena for Balena Etcher

 

[Hayato213]

NAND backup only work with their original motherboard, you can't put NAND back of unit A into unit B and expect it to work.

 

[ewabc886]

NAND backup only work with their original motherboard, you can't put NAND back of unit A into unit B and expect it to work.

Sure I understand this, and I didn't expect this to work.

 

[reminon]

If your switch is unpatched, I'm pretty sure you can rebuild a nand using the keys you can obtain from hekate.

Sent from my SM-G998B using Tapatalk

 

[ewabc886]

If your switch is unpatched, I'm pretty sure you can rebuild a nand using the keys you can obtain from hekate.

Sent from my SM-G998B using Tapatalk

Really?
I obtained the prod.keys when the good MMC is installed. And it seems not complete.
The lockpick response is like this:
"""
MMC init... done in 11810 us
TSEC key(s)... done in 10659 us
Keyblob 0 corrupt.
Keyblob 1 corrupt.
Keyblob 2 corrupt.
Keyblob 3 corrupt.
Keyblob 4 corrupt.
Keyblob 5 corrupt.
Master keys... done in 2099 us
BIS keys... done in 221 us

[FatFS] Error: NOFAT
Unable to mount system partition.
Found 63 keys.
Lockpick totally done in 32456 us
Found through master_key_05.

Wrote ... and so on is not important
"""
But I doubt why prod.keys are totally "undumpable" when the faulty MMC is used.
So I concluded that MMC is also bind to prod.keys, and didn't hope if the dumped keys can help to rebuild the NAND.

Please let me know if it is really possible to rebuild NAND from only the prod.keys.
I have searched and saw a website about the rebuilding (EmmcHaccGen), with the use of prod.keys and a firmware folder i guess.
However, I cannot provide the firmware it mentioned, and errors occur if I use clean official FW.

Thanks for the reply

 

[impeeza]

its interesting, the contents of the MMC are encrypted, using the keys you can dump on prod.keys, theoretically you could create a new encrypted NAND decrypting and re-encrypting with the correct keys, tools like https://github.com/eliboa/NxNandManager could be helping

 

[ewabc886]

its interesting, the contents of the MMC are encrypted, using the keys you can dump on prod.keys, theoretically you could create a new encrypted NAND decrypting and re-encrypting with the correct keys, tools like https://github.com/eliboa/NxNandManager could be helping

I've tried to use ChoiDujour and EmmcHaccGen to make a new NAND from prod.keys and OFW
But it seems that there is problem with the keys.
Some errors like "Invalid NCA header", "Failed to match key"
Does it means that the OFW needs to be the exact version that the prod.keys has?
or is OFW actually not work in my case?
If it's only version problem, I can simply download and try all OFW i guess

 

[Hayato213]

I've tried to use ChoiDujour and EmmcHaccGen to make a new NAND from prod.keys and OFW
But it seems that there is problem with the keys.
Some errors like "Invalid NCA header", "Failed to match key"
Does it means that the OFW needs to be the exact version that the prod.keys has?
or is OFW actually not work in my case?
If it's only version problem, I can simply download and try all OFW i guess

Keys are unique to each unit, you can't use that with another board.

 

[ewabc886]

Keys are unique to each unit, you can't use that with another board.

I understand this.
Now the question is if it is possible to dump a valid prod.keys for a unit that has no NAND backup

 

[Hayato213]

I understand this.
Now the question is if it is possible to dump a valid prod.keys for a unit that has no NAND backup

Don't think so , you can try loading lockpick_rcm if it doesn't generate a key then there is no way you can rebuild with that specific board.

 

[ewabc886]

Don't think so , you can try loading lockpick_rcm if it doesn't generate a key then there is way you can rebuild with that specific board.

lockpick can only be loaded with a good MMC installed
its original MMC cannot load up lockpick

 

[Hayato213]

lockpick can only be loaded with a good MMC installed
its original MMC cannot load up lockpick

Then no keys then, you need either keys or NAND backup to recover if you swap emmc module.

 

[ewabc886]

Then no keys then, you need either keys or NAND backup to recover if you swap emmc module.

I guess that it's not a key's problem anymore.
Even if I use prod.keys from good unpatched switches, the ChoiDujour.exe cannot give good building.
It seems that the process has problem already.
And I also guess that with good MMC used, part of the prod.keys from the same unit remains the same
.
I don't understand why, but 2 prod.keys files with different MMC installed are totally the same with
aes_kek_generation_source
aes_key_generation_source
bis_kek_source
bis_key_00
bis_key_01
bis_key_02
bis_key_03
bis_key_source_00
bis_key_source_01
bis_key_source_02
device_key
so on

are all the same

I have multiple good unpatched switches
By comparing the files,
normally at least BIS and device keys are different between Switches
It seems that MMC is only initialized for the Switch to get keys information.
Original MMC should not be need for keys like BIS and device.


--------------
I go back to see the difference between key files, and tried again on EmmcHaccGen to make NAND files from OFW and key files.
I managed to process it by keys from good switch and failed for keys from the bad switch.
However, I copied some common keys from the good key files, which are actually publicly known on web.
With the "common keys" and the unique BIS, device keys, it somehow processed.
Now trying to transfer the files to the MMC and give it a try

 

[impeeza]

I've tried to use ChoiDujour and EmmcHaccGen to make a new NAND from prod.keys and OFW
But it seems that there is problem with the keys.
Some errors like "Invalid NCA header", "Failed to match key"
Does it means that the OFW needs to be the exact version that the prod.keys has?
or is OFW actually not work in my case?
If it's only version problem, I can simply download and try all OFW i guess

you need the matching keys of the NAND backup you start with, in order to decrypt it. then you need THE ORIGINAL SET of keys of the Switch with damaged EMMC in order to re-encrypt in a manner the switch can read it. if you have a BOOT0 and BOOT1 files will help a lot.

 

[lsp199308]

In nand, only system/save/80000000000120 needs prod.keys/save_mackey from switch, to my understanding, the key is stored in the cpu, you need an intact emmc (only unencrypted boot0, boot1, and bcpkg are needed in nand,) to dump your prod.keys, then rebuild your nand, switch should start, you also need to fix your prodinfo, I think prodinfo_gen is a good tool, my English is terrible, please excuse me

 

[ewabc886]

you need the matching keys of the NAND backup you start with, in order to decrypt it. then you need THE ORIGINAL SET of keys of the Switch with damaged EMMC in order to re-encrypt in a manner the switch can read it. if you have a BOOT0 and BOOT1 files will help a lot.

I've also dumped BOOT0 and BOOT1, but all NOT with the original EMMC.
Managed to make NAND files, but don't know why cant mount EMMC as drive by memloader.
"USB device not recognized" error occurs, but TegraRcmGUI worked fine, just can't get HacDiskMount read the EMMC.

--------------------- MERGED ---------------------------

In nand, only system/save/80000000000120 needs prod.keys/save_mackey from switch, to my understanding, the key is stored in the cpu, you need an intact emmc (only unencrypted boot0, boot1, and bcpkg are needed in nand,) to dump your prod.keys, then rebuild your nand, switch should start, you also need to fix your prodinfo, I think prodinfo_gen is a good tool, my English is terrible, please excuse me

I see your point, and this is what i'm experiencing.
It seems that the prod.keys dumped is good with the good EMMC installed.
Trying to fix prodinfo now with HacDiskMount, which doesn't read the EMMC somehow.
Anyway, thanks for the advice, and your English is good.

Now the problem is how to get the PRODINFO on the Switch to change BIS keys I have
and to change to the new files just made

 

[ewabc886]

It's great that I managed to rebuild a bootable NAND and tried some games on it.
See updated #1 if you're interested.

 

[Zeeko]

OP that is great and brilliant. There is hope in reviving NS I bought on somewhere with bad emmc. The seller told me porky pies and I bought it. Though I do not understand the process you used yet, I will continue to ensure I read enough to understand the process before I attempt on mine. One question can nand be rebuilt just by only using computer as I cannot use the switch as constantly failing to initialise emmc. Thank you.

 

[lsp199308]

I don't quite understand your guide. I'm terrible at English, if you have a corrupt switch, you just need to buy emmc, fix gpt with sxos, connect your computer via usbtool in hekate, fill in the biskey of the corrupt switch again in HacDiskMount, it will report an error, it doesn't matter, mount it, in the computer you just format it and you're done. Ok, the partition is encrypted, the rest follow your instructions, it will take much less time, 10 minutes actually, and it will be done, my English is terrible, sorry

 

[ewabc886]

OP that is great and brilliant. There is hope in reviving NS I bought on somewhere with bad emmc. The seller told me porky pies and I bought it. Though I do not understand the process you used yet, I will continue to ensure I read enough to understand the process before I attempt on mine. One question can nand be rebuilt just by only using computer as I cannot use the switch as constantly failing to initialise emmc. Thank you.

I guess it will at least need good BOOT0.bin and BOOT1.bin on the emmc to have the switch boot lockpick and give usable prod.keys, and this must be done by Hekate or Lockpick on switch to my knowledge

Maybe you will need to have a good emmc module from another switch (which I did) to install on the Switch being repaired.
Once prod.keys is obtained, it should help to generate BIS keys on PC.
With donor prodinfo and prod.keys (may need modification), prodinfo can be generated by Switch
Then with (1) BIS keys, (2) proinfo, and (3) modified prod.keys, all files for emmc can be generated