Hello everyone,
For the last few days, I've been working on a missing eMMC Switch.
I was able to recover HWI, SBK, TSEC KEY with biskeydump
I was able to recover BIS keys with sdsetup/biskeygen
I was able to recover BOOT0 encrypted_keyblob_00 to encrypted_keyblob_05 with linkle keygen -k prod.keys
I was able to recover Device ID with fuse_get_device_id() and small RCM payload I wrote
Rebuilt the filesystem with ChoiDujour
Now the Switch boots to NINTENDO SWITCH logo and hangs
What I am missing is a correct PRODINFO EccB233DeviceCertificate (0x0480), which is completely identical to the 3DS "CTCert" or even the Nintendo Wii "IOSC::GetDeviceCertificate()".
A very interesting piece of code was "convert_otp_to_device_cert" from SciresM/otptool.
It copies the signature directly from OTP, meaning I won't be able to create it, and any modification to an existing certificate is impossible.
A solution might be to make a patch for Hekate or Atmosphere
The only reference to where the patch might be required is this line:
NIM checks if this item matches the set:cal DeviceId with byte7 cleared. If they don't match, a panic is thrown.
Where should I look?
Ghidra is ready.
keyblob_00 = ...
keyblob_01 = ...
keyblob_02 = ...
keyblob_03 = ...
keyblob_04 = ...
keyblob_05 = ...
keyblob_key_source_00 = ...
keyblob_key_source_01 = ...
keyblob_key_source_02 = ...
keyblob_key_source_03 = ...
keyblob_key_source_04 = ...
keyblob_key_source_05 = ...
keyblob_mac_key_source = ...
secure_boot_key = ...
tsec_key = ...
encrypted_keyblob_00 @ 0x180000
encrypted_keyblob_01 @ 0x180200
encrypted_keyblob_02 @ 0x180400
encrypted_keyblob_03 @ 0x180600
encrypted_keyblob_04 @ 0x180800
encrypted_keyblob_05 @ 0x180A00