RELEASE biskeydump and HacDiskMount - Switch eMMC decryption/real-time mounting tools

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by rajkosto, Apr 29, 2018.

  1. rajkosto
    OP

    biskeydump - Dumps all your Switch BIS keys for eMMC contents decryption, to be used as a fusee payload (upload via the normal fusee-launcher or my TegraRcmSmash.exe).

    HacDiskMount - use your BIS keys and your RawNand.bin (or the physical eMMC attached via microSD reader or using a mass storage gadget mode in u-boot/linux) to dump, restore or REAL-TIME MOUNT AND EXPLORE/MODIFY partitions from the dump file or attached physical device!

    Binaries available at http://switchtools.sshnuke.net
    When appropriate, the README.txt file inside the archive points to the source code location.

    (Yes, I know these have been out for a few days, but biskeydump has only been redistributable as a precompiled binary since today.)
     
  2. blinkzane

    What is the Partial AES Key Overwrite vulnerability?
     
  3. rajkosto
    OP

  4. blinkzane

    Reecey likes this.
  5. FoxofGrey

    Can't wait for people turning their Switches into true bricks. :^)
     
    retrofan_k and Baoulettes like this.
  6. rajkosto
    OP

    Figuring out SciresM's SBK from his screenshot of the partially overwritten key encryptions :P
    It's not really important, don't know why you're focusing on it so much.
     
    Last edited by rajkosto, Apr 30, 2018
  7. blinkzane

    You were the one who shared it.
     
  8. Raugo

    How? With f-g we can rewrite our nand backups.
     
  9. PatrickJr

    What do I do with the QR code? It won't scan via my phone, for me anyway.
     
  10. DocAmes1980

    The QR code contains the key data. Scan, copy the text, and paste into a .txt file. Worked on my phone but it was a little tricky getting it to scan.


    I used biskeydump.bin. It shows the keys but I'm getting a low framerate with screen tearing. How is performance for everybody else?
     
  11. aut0mat3d

    Is there a way to obtain the keys from a NAND dump?
    I have dumped boot0, boot1 and the whole eMMC, also the TSECFW.

    Unfortunately I factory reset the console, not realizing I had to do the biskeydump beforehand. ;)
     
  12. aut0mat3d

    I did a fresh NAND dump and repeated biskeydump with the payload v4.

    Trying to use HacDiskMount, but when testing the key I always get a FAIL! about entropy.

    The dump seems to be valid (the script used to dump it generates and validates MD5 sums of the flash and the binary).
    Log of HacDiskMount:
    Code:
    [08:06:18:427262] [info] Loaded primary GPT, checking secondary from offset 31268535808
    [08:06:18:428085] [info] Secondary GPT is okay
    [08:06:18:428347] [info] Using primary GPT as backup GPT is identical
    
     
  13. aut0mat3d

    Did some further investigation:
    Dumped another console (brand new, never booted into the OS, firmware 4.01) with biskeydump payload v4.
    The same behaviour as on the other console.
    Also I noticed that BIS keys 2 and 3 are identical in both readouts...

    Another test with payload v3 (generated by the script which is used for dumping the NAND):
    HWI and SBK are equal, as expected.
    Keys are different; BIS keys 2 and 3 are identical.
     
    Last edited by aut0mat3d, Apr 30, 2018
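The three GPT lines in the HacDiskMount log posted above are a standard primary/backup GPT consistency check, and it is worth seeing what that check does and does not prove about a dump. The following is an added Python example and is not code from the thread, from biskeydump or from HacDiskMount. The disk image, partition names and LBA ranges are constructed in memory; the entropy test at the end is an assumption about what a "FAIL about entropy" could mean (a block decrypted with a wrong AES key looks random), not a description of HacDiskMount's actual key test, and its 7.5 bits/byte threshold is likewise chosen for the example.

```python
"""Added example: primary/backup GPT validation (what the HacDiskMount log
lines describe) and an ASSUMED entropy-based key plausibility test.
Everything below runs on a constructed in-memory image, not a real dump."""
import math
import random
import struct
import zlib
from collections import Counter

SECTOR = 512
GPT_SIG = b"EFI PART"
# GPT header (UEFI spec, 92 bytes): signature, revision, header size, header
# CRC32, reserved, current LBA, alternate LBA, first/last usable LBA, disk
# GUID, entry array LBA, entry count, entry size, entry array CRC32.
HDR_FMT = "<8sIIIIQQQQ16sQIII"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 92
# Partition entry (128 bytes): type GUID, unique GUID, first/last LBA, attrs, UTF-16LE name.
ENTRY_FMT = "<16s16sQQQ72s"


def parse_header(raw):
    """Unpack one GPT header and verify its CRC32 (CRC field zeroed while hashing)."""
    f = struct.unpack(HDR_FMT, raw[:HDR_SIZE])
    if f[0] != GPT_SIG:
        raise ValueError("no GPT signature")
    hdr = {"header_size": f[2], "header_crc": f[3], "current_lba": f[5],
           "alternate_lba": f[6], "disk_guid": f[9], "entries_lba": f[10],
           "entry_count": f[11], "entry_size": f[12], "entries_crc": f[13]}
    zeroed = raw[:16] + b"\0\0\0\0" + raw[20:hdr["header_size"]]
    if zlib.crc32(zeroed) != hdr["header_crc"]:
        raise ValueError("GPT header CRC mismatch")
    return hdr


def entries_bytes(img, hdr):
    off = hdr["entries_lba"] * SECTOR
    return img[off:off + hdr["entry_count"] * hdr["entry_size"]]


def list_partitions(img, hdr):
    """Return (name, first_lba, last_lba, size_bytes) for every used entry."""
    arr, size, out = entries_bytes(img, hdr), hdr["entry_size"], []
    for i in range(hdr["entry_count"]):
        e = struct.unpack(ENTRY_FMT, arr[i * size:(i + 1) * size])
        if e[0] != b"\0" * 16:  # an all-zero type GUID marks an unused slot
            out.append((e[5].decode("utf-16-le").rstrip("\0"), e[2], e[3],
                        (e[3] - e[2] + 1) * SECTOR))
    return out


def check_gpt(img):
    """Reproduce the three log lines: load the primary header at LBA 1, read the
    backup where the primary says it is, verify both, and compare them."""
    log = []
    primary = parse_header(img[SECTOR:2 * SECTOR])
    backup_off = primary["alternate_lba"] * SECTOR
    log.append(f"Loaded primary GPT, checking secondary from offset {backup_off}")
    backup = parse_header(img[backup_off:backup_off + SECTOR])
    for hdr in (primary, backup):  # the entry arrays carry their own CRC32
        if zlib.crc32(entries_bytes(img, hdr)) != hdr["entries_crc"]:
            raise ValueError("partition entry array CRC mismatch")
    log.append("Secondary GPT is okay")
    same = (primary["disk_guid"] == backup["disk_guid"]
            and entries_bytes(img, primary) == entries_bytes(img, backup))
    log.append("Using primary GPT as backup GPT is identical" if same
               else "Primary and backup GPT differ")
    return same, log


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, close to 8.0 for random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def key_plausible(decrypted, threshold=7.5):
    """ASSUMED heuristic, not HacDiskMount's real test: output of AES under a wrong
    key is indistinguishable from random, so near-8-bit entropy is treated as a
    key failure. Genuinely compressed or encrypted payload data trips it too."""
    return shannon_entropy(decrypted) < threshold


def random_like_bytes(n, seed=7):
    """Deterministic stand-in for a block decrypted with a wrong key (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_image(total_sectors, parts, disk_guid=b"\x11" * 16):
    """Constructed GPT image: primary header at LBA 1 with its array at LBA 2,
    mirrored array and backup header at the end of the device."""
    count = esize = 128
    arr_sectors = count * esize // SECTOR
    arr = bytearray(count * esize)
    for i, (name, first, last) in enumerate(parts):
        arr[i * esize:(i + 1) * esize] = struct.pack(
            ENTRY_FMT, b"\x22" * 16, bytes([i + 1]) * 16, first, last, 0,
            name.encode("utf-16-le").ljust(72, b"\0"))
    arr = bytes(arr)
    first_usable, last_usable = 2 + arr_sectors, total_sectors - 2 - arr_sectors

    def header(current, alternate, entries_lba):
        raw = struct.pack(HDR_FMT, GPT_SIG, 0x00010000, HDR_SIZE, 0, 0, current,
                          alternate, first_usable, last_usable, disk_guid,
                          entries_lba, count, esize, zlib.crc32(arr))
        return (raw[:16] + struct.pack("<I", zlib.crc32(raw)) + raw[20:]).ljust(SECTOR, b"\0")

    backup_arr_lba = total_sectors - 1 - arr_sectors
    img = bytearray(total_sectors * SECTOR)
    img[SECTOR:2 * SECTOR] = header(1, total_sectors - 1, 2)
    img[2 * SECTOR:2 * SECTOR + len(arr)] = arr
    img[backup_arr_lba * SECTOR:backup_arr_lba * SECTOR + len(arr)] = arr
    img[(total_sectors - 1) * SECTOR:] = header(total_sectors - 1, 1, backup_arr_lba)
    return bytes(img)


if __name__ == "__main__":
    image = build_image(96, [("PRODINFO", 34, 40), ("USER", 41, 62)])  # constructed layout
    for line in check_gpt(image)[1]:
        print("[info]", line)
    for name, first, last, size in list_partitions(image, parse_header(image[SECTOR:])):
        print(f"{name:10s} LBA {first}-{last} ({size} bytes)")
    print("entropy of a header sector:", round(shannon_entropy(image[SECTOR:2 * SECTOR]), 2))
    print("entropy of wrong-key noise:", round(shannon_entropy(random_like_bytes(16384)), 2))
```

The offset in the posted log, 31268535808, is 61071359 × 512, so HacDiskMount found the backup header in the last sector of a 61071360-sector device (about 31.3 GB, the "32GB" eMMC discussed later in the thread). Passing this check means the dump's partition table is intact and both copies agree; it says nothing about the BIS keys, because the GPT itself is not encrypted with them. A key test has to decrypt partition contents, which is why a dump can look perfectly valid up to the point where the key check fails.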
  14. subcon959

    For me too, but maybe it's normal as I can decrypt everything fine?
     
    aut0mat3d likes this.
  15. aut0mat3d

    Thanks!
    Please, can you tell me what payload you used to obtain the BIS keys?
    Also your NAND dumping method would be interesting. I got it by this method: http://mike-dawson.com/threads/tutorial-how-to-dump-switch-nand-using-linux.502201/
    In principle this is dumping via dd on Linux; the script also generates MD5 sums to verify the dump. I am pretty sure it is valid, as HacDiskMount does not complain about a missing GPT, ...
     
  16. subcon959

    I used biskeydumpv4 via TegraRcmSmash to get the keys and did the NAND dump in Arch with GNOME manually:
    Code:
    $ dcfldd if=/dev/mmcblk1 of=/home/alarm/SwitchNAND_dump.bin bs=512
    $ dcfldd if=/dev/mmcblk1boot0 of=/home/alarm/SwitchNAND_boot0_dump.bin bs=512
    $ dcfldd if=/dev/mmcblk1boot1 of=/home/alarm/SwitchNAND_boot1_dump.bin bs=512
     
    aut0mat3d likes this.
  17. aut0mat3d

    Exactly the same here, now I am lost :(
     
  18. annson24

    The Switch's NAND is really 32GB in size? And all of this is used only by system files? It's hard to believe all of the 32GB is solely for the system files. I thought the 32GB also includes the storage space available for games. Am I not correct?
     
  19. aut0mat3d

    You are correct, there are about 26GB for user data; the whole eMMC storage is 32GB.
     
  20. annson24

    Thanks for the clarification. So not all is lost when we create an emuNAND then; at least we still get to use the 26GB from the emuNAND. Maybe a 64GB SD card will already be fine for me.
     