Tutorial
Updated
NAND Rebuilding (for no backup / broken eMMC)
Disclaimer: I'm not responsible for any damage related to the following guide
NAND Rebuilding Guide
This rebuild of NAND is to use donor NAND from Switch (A) (which you may obtain from internet) with device ID (A) on Switch (D) which certainly has device ID (D)
It means that we are tricking the Switch (D) to see itself with device ID (A) so it will boot into NAND with device ID (A) encrypted by keys from Switch (D)
By this method, you can't go online and can't boot OFW
In theory, if the files are modified to match device ID, it should be possible to build NAND that can let Switch (D) to boot OFW or even go online, which I don't know how
Guide:
Thanks for reading.
Credit to all the payloads, software creators, and advices in this post and Unbricking Guide:
SciresM and the ReSwitched team for Atmosphere
CTCaer for Hekate
Shchmue for Lockpick_RCM
CaramelDunes for prodinfo_gen
SuchMemeManySkill for eMMC Hacc Gen
Rajkosto for HacDiskMount
Eliboa for NXNandManager
ignasurba for mmcblkNX
Balena for Balena Etcher
NAND Rebuilding Guide
This rebuild of NAND is to use donor NAND from Switch (A) (which you may obtain from internet) with device ID (A) on Switch (D) which certainly has device ID (D)
It means that we are tricking the Switch (D) to see itself with device ID (A) so it will boot into NAND with device ID (A) encrypted by keys from Switch (D)
By this method, you can't go online and can't boot OFW
In theory, if the files are modified to match device ID, it should be possible to build NAND that can let Switch (D) to boot OFW or even go online, which I don't know how
Guide:
Before we start
Make sure that your Dead Switch (D) can use Hekate -> Tools -> USB Tools -> eMMC RAW GPP
and connect to PC
Otherwise you will need a EMMC reader like mmcblknx
However, a dead eMMC can also lead to unreadable problem when connected.
Please test your own situation before buying anything.
Normally, injecting Hekate payload directly from PC should let you connect.
Remarks:
(A) from good Switch;
(D) from dead Switch;
(O) for output files
0.1 Hardware
a working emmc module, which can let a normal switch to boot OFW normally
a good (donor) Switch (A) with good emmc (A)
a Switch (D) with dead emmc (D)
Windows PC
For mmcblknx user, also need Linux PC
0.2 Files Preparation
[On Switch]
Payloads: Lockpick v1.9.4.bin, prodinfo_gen v0.3.4.bin
Hekate v5.6.0 & Nyx v1.0.6
[On PC]
Suitable OFW, on my Switch OFW 12.0.2 works
Search for darthsternie's firmware on google should get you one
EmmcHaccGen v2.2.3
HacDiskMount v1.0.5-5
NxNandManager v5.0
(Optional) BalenaEtcher: Flash BOOT0 and BOOT1. For users mounting eMMC by Hekate or mmcblknx users with Windows PC only
(Optional) You can try to use PikaFix Pack's dump (Start from Step 5), which I didn't
*PC needs to be able to view all files including "Protected operating system files"
Assuming that you have 2 Switch (A) and (D)
and have 1 eMMC chips (A) with data you do not need
Let's get started
*For PikaFix Pack used, start from Step5 and consider PikaFix Pack as Switch (A)
boot Atmospher with fusee-primary.bin
This may give an error and need to press power button to reboot once, then can boot into Atmosphere
I don't know if this is related to the use of device ID spoofing.
If you encounter infinite boot loop to Atmosphere splash screen / error screen, it's abnormal
After repairing NAND, OFW 12.1.0 is installed using Daybreak under emummc Atmosphere 0.20.1
Remember to use corresponding sigpatch
Make sure that your Dead Switch (D) can use Hekate -> Tools -> USB Tools -> eMMC RAW GPP
and connect to PC
Otherwise you will need a EMMC reader like mmcblknx
However, a dead eMMC can also lead to unreadable problem when connected.
Please test your own situation before buying anything.
Normally, injecting Hekate payload directly from PC should let you connect.
Remarks:
(A) from good Switch;
(D) from dead Switch;
(O) for output files
0.1 Hardware
a working emmc module, which can let a normal switch to boot OFW normally
a good (donor) Switch (A) with good emmc (A)
a Switch (D) with dead emmc (D)
Windows PC
For mmcblknx user, also need Linux PC
0.2 Files Preparation
[On Switch]
Payloads: Lockpick v1.9.4.bin, prodinfo_gen v0.3.4.bin
Hekate v5.6.0 & Nyx v1.0.6
[On PC]
Suitable OFW, on my Switch OFW 12.0.2 works
Search for darthsternie's firmware on google should get you one
EmmcHaccGen v2.2.3
HacDiskMount v1.0.5-5
NxNandManager v5.0
(Optional) BalenaEtcher: Flash BOOT0 and BOOT1. For users mounting eMMC by Hekate or mmcblknx users with Windows PC only
(Optional) You can try to use PikaFix Pack's dump (Start from Step 5), which I didn't
*PC needs to be able to view all files including "Protected operating system files"
Assuming that you have 2 Switch (A) and (D)
and have 1 eMMC chips (A) with data you do not need
Let's get started
*For PikaFix Pack used, start from Step5 and consider PikaFix Pack as Switch (A)
- On Switch (A), inject Lockpick.bin to get prod.keys (A)
- On Switch (A), boot Hekate -> Tools -> Backup eMMC, select eMMC RAW GPP to dump rawnand.bin (A)
- On PC, copy prod.keys (A) and rawnand.bin (A) to PC from microsd (A)
- (a) start NxNandManager v5.0
(b) import keys (Ctrl + K)
(c) find key.dat (A), which contains the BIS keys, located under the NxNandManager v5.0 folder and copy to somewhere convenient
(d) open rawnand.bin (A) (Ctrl + O)
(e) export decrypted PRODINFO.bin (A), PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A)
(f) close NxNandManager v5.0 - Put eMMC chip from Switch (A) (or any good eMMC chip) to Switch (D)
- Dump prod.keys (D) by Lockpick.bin
- Copy PRODINFO.bin (A) prod.keys (D) to microsd (D) and rename PRODINFO.bin to donor_prodinfo.bin
- On Switch (D), inject payload prodinfo_gen.bin to get PRODINFO.bin (O)
*if you encounter error about missing master keys, copy the following lines from prod.keys (A) to prod.keys (D) then try again:
master_key_00 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
master_key_01 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
master_key_02 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
master_key_03 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
master_key_04 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
master_key_05 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
master_key_source = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
**Do not confuse with the lines master_kek
***PikaFix Pack users may need to find your own ways to obtain master keys - Copy PRODINFO.bin (O) to PC
- (a) Copy prod.keys (D) to EmmcHaccGen.2.2.3 folder and rename the file to keys.txt
(b) Unzip OFW in EmmcHaccGen.2.2.3 folder and rename the folder to fw
i.e.
Code:EmmcHaccGen.2.2.3 folder |--EmmcHaccGen.exe |--keys.txt |--fw |--firmware .nca files
(d) use the following code to generate firmware file for Switch (D)
Code:EmmcHaccGen.exe --keys keys.txt --fw fw
Code:Folders SAFE (O), SYSTEM (O), USER (O), Files BOOT0.bin (O), BOOT1.bin (O), BCPKG2-1 to BCPKG2-4 (O) boot.bis is not used
- Open key.dat (A) in step 4(c) by text editor (or rename to key.txt first if you want to)
- !CAUTION! From now on, remember to use the eMMC chip you want to empty its content, all saved data on the chip will be deleted
(a) start HacDiskMount v1.0.5-5 with Administrator permission
Read eMMC by Hekate, go to Step12(b)
Read eMMC by mmcblknx, go to Step12(c)
(b) (i) On Switch (D), boot to Hekate -> Tools -> USB Tools -> (!!read only OFF!!) eMMC RAW GPP
__(ii) Connect Switch (D) to PC, then go to Step 12(d)
(c) Connect the eMMC chip to mmcblknx and connect mmcblknx to PC
(d) On HacDiskMount, select File -> Open physical drive
(e) Double click on your eMMC chip, should have size of 29.xx GB
(f) (i) Double click PRODINFO
__(ii) Copy corresponding BIS keys from key.dat (D)
_____*Make sure that you copied correct BIS keys x, where x ranged from 0 to 2
__(iii) Click Test then Save. If error occurs, please stop here and leave comment and let's discuss
__(iv) Browse PRODINFO.bin (O) and click Start to copy to eMMC
__(v) Close the window
(g) Repeat Step 12(f) for PRODINFOF.bin (A), SAFE.bin (A), SYSTEM.bin (A), USER.bin (A) obtained from Step 4(e) or PikaFix Pack
(h) (i) Double click BCPKC2-1-Normal-Main
__(ii) Browse BCPKC2-1-Normal-Main (O) from Step 10(e) and click Start to copy to eMMC
__(iii) Close the window
(i) Repeat Step 12(h) for BCPKC2-2 to BCPKC2-4 (O)
(k) Double click SAFE, under Virtual Drive, click Install
(l) (i) Select a Drive Letter, I use "Y:"
__(ii) Tick box for Passthrough zeroes
__(iii) Click mount
__(iv) Find your mounted drive on PC, which is Y:/ for me
__(v) Delete all content and replace by that from Step 10(e)
__(vi) Close the window
(m) repeat (l) for SYSTEM and USER
**Reminder: there are system files hidden, please make sure that you can see ALL files
If you don't know how, Here it is. Tick the box for "Protected operating system files"
(n) Close HacDiskMount
If you use Linux PC with mmcblknx, unplug Switch and turn it off then go to (p)
(o) (i) On Switch (D), unplug USB cable and reinsert with BOOT0 or
__(ii) Use BalenaEtcher to flash BOOT0.bin (O) from Step 10(e)
__(iii) repeat (o) for BOOT1.bin (O)
Go to Step 13
(p) (i) Copy BOOT0.bin (O) and BOOT1.bin(O) to Linux PC
__(ii) With eMMC connected, open terminal and navigate to folder containing BOOT0.bin (O) and BOOT1.bin (O)
__(iii) Enter the following code to flash BOOT0 and BOOT1
Code:sudo su echo 0 > /sys/block/mmcblk0/force_ro echo 0 > /sys/block/mmcblk0boot0/force_ro echo 0 > /sys/block/mmcblk0boot1/force_ro exit sudo dd if=boot0.bin of=/dev/mmcblk0boot0 sudo dd if=boot1.bin of=/dev/mmcblk0boot1
- Plug eMMC chip back to Switch (D) if you haven't
- Insert microsd with all necessary CFW files then boot to CFW
- Switch (D) is alive
boot Atmospher with fusee-primary.bin
This may give an error and need to press power button to reboot once, then can boot into Atmosphere
I don't know if this is related to the use of device ID spoofing.
If you encounter infinite boot loop to Atmosphere splash screen / error screen, it's abnormal
After repairing NAND, OFW 12.1.0 is installed using Daybreak under emummc Atmosphere 0.20.1
Remember to use corresponding sigpatch
Thanks for reading.
Credit to all the payloads, software creators, and advices in this post and Unbricking Guide:
SciresM and the ReSwitched team for Atmosphere
CTCaer for Hekate
Shchmue for Lockpick_RCM
CaramelDunes for prodinfo_gen
SuchMemeManySkill for eMMC Hacc Gen
Rajkosto for HacDiskMount
Eliboa for NXNandManager
ignasurba for mmcblkNX
Balena for Balena Etcher
Last edited by ewabc886,