Hello guys, this is my first post here! I just got a MIG Switch card out of curiosity and I was tinkering with it. For those who don't know, it's used by placing XCI dumps as well as other game specific bin files in the sd card of the MIG Switch, and are obtained from the original cartridge by using an app like nxdumptool. Two of these bin files are mandatory to get the game to boot: Initial Data.bin and Certificate.bin. They stay the same for every cartridge of a specific game. Now, if you want to use an XCI dump from a shady website it's impossible to get it to work without those files. By using the Certificate.bin from another game it has no problem, but this does not count for the Initial Data.bin. So I looked for a way to obtain this Initial Data from an XCI file and read a bit of the XCI file documentation from switchbrew dot org. Here's what I understood so far: The Switch checks if the cartridge is valid by doing a challenge–response authentication on the Initial Data. The Package ID is contained both on the XCI and the Initial Data, on positions 0x110 and 0x0 respectively. The Initial Data hash is on the XCI at position 0x160. It is calculated by doing a SHA-256 hash on the full Initial Data content. So I was wondering, is there a way to to construct a functional Initial Data file starting from an XCI dump? I also tried a reverse approach by editing the Package ID in the Initial Data from another game, generating the Initial Data hash and putting it in the XCI file but is not enough to get the Switch believe it's a real game. Sorry if this may seem stupid but let me know what you think.

DBI language error

kevinxyz · 2024-04-01T01:04:31+00:00

My dbi language change every time i open it. How to change it to default eng?

Implement Jamais vu?

M7L7NK7

Well-Known Member

Member

Level 16

Sep 1, 2018

Jamais vu is a warmboot exploit for Switches on firmware 1.0.0 which is public but needs to be implemented.
@SciresM released a write up on how to achieve it
here and @TuxSH released sample code to take over the BPMP

#define IRAM(a) ((void *)((a)-0x40000000+iramBaseVa))

#define BPMP_VECTOR_RESET (*(vu32 *)(vectorsBaseVa + 0x200))
#define CLK_RST_CONTROLLER_RST_DEV_L_SET_0 (*(vu32 *)(clockResetBaseVa + 0x300))
#define CLK_RST_CONTROLLER_RST_DEV_L_CLR_0 (*(vu32 *)(clockResetBaseVa + 0x304))

#define FLOW_CTLR_HALT_COP_EVENTS_0 (*(vu32 *)(flowControllerBaseVa + 4))

#define IRAM_PAYLOAD_ADDRESS 0x40030000 /* address to copy the payload to; arbitrary -- as long as TZ doesn't overwrite it */
u64 iramBaseVa, vectorsBaseVa, clockResetBaseVa, flowControllerBaseVa;

static Result fetchIoRegs(void) {
/* NOTE: you need to edit the NPDM for this function to work! */
Result rc;
rc = svcQueryIoMapping(&iramBaseVa, 0x40000000, 0x40000);
if(R_FAILED(rc)) return rc;
rc = svcQueryIoMapping(&vectorsBaseVa, 0x6000F000, 0x1000);
if(R_FAILED(rc)) return rc;
rc = svcQueryIoMapping(&clockResetBaseVa, 0x60006000, 0x1000);
if(R_FAILED(rc)) return rc;
rc = svcQueryIoMapping(&flowControllerBaseVa, 0x60007000, 0x1000);
return rc;
}

void writePayload(void) {
memcpy(IRAM(IRAM_PAYLOAD_ADDRESS), bpmp_bin, bpmp_bin_size);
}

void resetBpmpExecutePayload(void) {
BPMP_VECTOR_RESET = IRAM_PAYLOAD_ADDRESS;

CLK_RST_CONTROLLER_RST_DEV_L_SET_0 = BIT(1); /* Assert BPMP reset */
svcSleepThread(2000); /* Values from 1.0 AM */

CLK_RST_CONTROLLER_RST_DEV_L_CLR_0 = BIT(1); /* Deassert BPMP reset */
FLOW_CTLR_HALT_COP_EVENTS_0 = 0;
svcSleepThread(1000 * 1000);
}

Due to devs working on Atmosphere this isn't a priority at the moment but does anyone out there with the knowledge want to try it?

Reactions: KingBlank