May 2025
This is a short post I'm writing to fix this knowledge somewhere, because I've found myself reinventing the wheel every time I've wanted to do this.

Nintendo Switch NAND dumps tend to be heavy and unwieldy, so it is painful when you want to extract a single file from one and first have to peel off several layers of partitioning, extracting huge intermediate files over and over.

By chaining a few tools and utilities you can get a passthrough mount from the raw NAND dump straight to the decrypted filesystem, with nothing copied in between.
Building busehac

Use make RELEASE=1 -j$(nproc). I hit some kind of obscure bug last time where mbedtls global state was somehow corrupted on executable load. This might have been because the mbedcrypto library was compiled in release mode while the tool was compiled in debug mode. If busehac stops responding on launch, make sure to compile it in release mode. Also add -DRELEASE to the CFLAGS in the Makefile to remove the noisy debug logging.

Mounting

Load the network block device module: sudo modprobe nbd.
Look at the partition table with fdisk -l rawnand.bin. Verify the sector size, which should be 0x200 bytes, and note the start and size (both in sectors) of the partition you want (I'll refer to those as pstart and psize).

Set up a loop device covering just that partition: sudo losetup -f --show --offset $((0x200*pstart)) --sizelimit $((0x200*psize)) rawnand.bin. This prints the loop device node, which I'll call loopnode.
Run busehac on it: sudo busehac --keyfile keys.txt N loopnode /dev/nbd0, where N is the BIS key number for the partition you are mounting (see switchbrew for the mapping) and keys.txt contains the BIS keys for this NAND dump. BIS keys are console-unique, so keys from another unit will not decrypt it.

Mount the decrypted block device into an existing directory: sudo mount -o ro /dev/nbd0 mount. Make sure to mount read-only; I wouldn't trust busehac for writes.

You can also read the decrypted partition data directly from /dev/nbd0, which is useful if you want to extract the decrypted PRODINFO (it is a raw calibration blob, not a filesystem). Looking at the first 0x100 bytes is also a quick sanity check that the right key was used; for a FAT32 partition you should see a boot sector like this one:
$ sudo dd if=/dev/nbd0 bs=$((0x100)) count=1 status=none | xxd
00000000: ebe9 9000 0000 0000 0000 0000 0220 2000 ............. .
00000010: 0200 0000 00f8 0000 3f00 1000 0000 0000 ........?.......
00000020: 0000 e006 006e 0000 0000 0000 0200 0000 .....n..........
00000030: 0100 0600 0000 0000 0000 0000 0000 0000 ................
00000040: 8001 2900 0000 004e 4f20 4e41 4d45 2020 ..)....NO NAME
00000050: 2020 4641 5433 3220 2020 0000 0000 0000 FAT32 ......
00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Tear it down in reverse order: unmount with sudo umount mount, stop busehac, then detach the loop device with sudo losetup -d loopnode.
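To avoid reading pstart and psize off the fdisk output by hand, here is a small GPT reader, added here as an example (my own code, not part of busehac or the original post), that lists the partitions in a raw NAND dump and prints the exact losetup line for the one you name. It parses the primary GPT at LBA 1, assumes 0x200-byte sectors as the post does, and does not verify the header or entry CRCs. The sample image it builds for offline use is constructed: the partition names are the real Switch ones, but the LBAs and sizes are made up and far smaller than on a console, and it carries no data.

```python
"""Find a partition in a raw Switch NAND dump and build the matching losetup line.

Added example, not busehac's code. Assumes 0x200-byte sectors and a standard
primary GPT (header at LBA 1); header/entry CRCs are not checked.
"""
import struct
import sys
import uuid

SECTOR = 0x200  # the post says to verify this with fdisk -l


def parse_gpt(img, sector=SECTOR):
    """Return [(name, first_lba, sector_count)] for every used GPT entry in img."""
    hdr = img[sector:2 * sector]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no primary GPT header at LBA 1 (wrong sector size, or not a raw NAND dump?)")
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)
    n_entries, entry_size = struct.unpack_from("<II", hdr, 80)
    parts = []
    for i in range(n_entries):
        off = entries_lba * sector + i * entry_size
        ent = img[off:off + entry_size]
        if len(ent) < 128 or ent[:16] == bytes(16):  # zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").split("\x00", 1)[0]
        parts.append((name, first, last - first + 1))
    return parts


def losetup_cmd(parts, name, image="rawnand.bin", sector=SECTOR):
    """The post's losetup line with pstart/psize converted to byte offsets."""
    for pname, first, count in parts:
        if pname == name:
            return (f"sudo losetup -f --show --offset {first * sector} "
                    f"--sizelimit {count * sector} {image}")
    raise KeyError(f"no partition named {name!r}; have {[p[0] for p in parts]}")


# Constructed layout for offline testing: real partition names, made-up geometry.
SAMPLE_LAYOUT = [("PRODINFO", 0x22, 0x20), ("SAFE", 0x42, 0x40),
                 ("SYSTEM", 0x82, 0x100), ("USER", 0x182, 0x200)]


def build_sample_image(layout=SAMPLE_LAYOUT, sector=SECTOR):
    """Tiny GPT image: protective-MBR signature, header at LBA 1, 128 entries at LBA 2."""
    n_entries, entry_size = 128, 128
    total = max(first + count for _, first, count in layout) + 1
    img = bytearray(total * sector)
    img[0x1FE:0x200] = b"\x55\xAA"
    hdr = bytearray(sector)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<IIII", hdr, 8, 0x00010000, 92, 0, 0)         # revision, header size, crc (unset), reserved
    struct.pack_into("<QQQQ", hdr, 24, 1, total - 1, 34, total - 2)  # this/alternate header, first/last usable
    hdr[56:72] = uuid.UUID(int=1).bytes                              # disk GUID (constructed)
    struct.pack_into("<QII", hdr, 72, 2, n_entries, entry_size)      # entry array at LBA 2
    img[sector:2 * sector] = hdr
    basic_data = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7").bytes_le  # "basic data" type GUID
    for i, (name, first, count) in enumerate(layout):
        ent = bytearray(entry_size)
        ent[:16] = basic_data
        ent[16:32] = uuid.UUID(int=i + 2).bytes
        struct.pack_into("<QQQ", ent, 32, first, first + count - 1, 0)  # first LBA, last LBA, attributes
        ent[56:56 + 2 * len(name)] = name.encode("utf-16-le")
        off = 2 * sector + i * entry_size
        img[off:off + entry_size] = ent
    return bytes(img)


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} rawnand.bin [PARTITION]", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        img = f.read(4 * SECTOR + 128 * 128)  # header plus a 128-entry array is all that is needed
    parts = parse_gpt(img)
    for name, first, count in parts:
        print(f"{name:<12} start=0x{first:x} sectors=0x{count:x}")
    if len(argv) > 2:
        print(losetup_cmd(parts, argv[2], argv[1]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 gpt_losetup.py rawnand.bin SYSTEM and paste the printed line; it only reads the first few KiB of the dump, so it is instant even on a multi-gigabyte file.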
Booting with a donor Prodinfo

This describes the steps required to boot a console using a donor PRODINFO, which can be used to temporarily unban a unit.

Locate the donor PRODINFO file (no extension), navigate to it, copy it to the clipboard, navigate to the eMMC/emuMMC filesystem, and flash the clipboard contents over the PRODINFO partition. You might get a warning that the flashed file is smaller than the partition; you can ignore it.

Take the device id from the EccB233DeviceCertificate, which itself is at offset 0x480 in PRODINFO (see switchbrew here and there). Some consoles (OLED models in particular) have been observed to use the Rsa2048DeviceCertificate instead, at offset 0x3d70; if the EccB233 one is cleared, check that location instead. The certificate subject has the form NX0011223344556677-X, and what you want is the 16 hex digits between NX and -X (0011223344556677 in this example). Make your exosphere build return that value as the device id (return 0x11223344556677ull;).
Finally, add secmon=path/to/exosphere.bin after the fss0/pkg3 line in your hekate_ipl.ini so hekate boots your patched exosphere.
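Pulling the device id out of a decrypted PRODINFO by hand means locating the certificate in a hex editor. Here is an added example (my own code, not from the post, exosphere or switchbrew) that reads a decrypted PRODINFO dump, for instance the first 0x4000 bytes dd'd from /dev/nbd0 while busehac is serving PRODINFO, takes the device id from the EccB233DeviceCertificate at 0x480, falls back to the Rsa2048DeviceCertificate at 0x3d70 when the first slot is cleared, and prints the return statement for the exosphere patch. The certificate lengths (0x180 and 0x240) are assumed from switchbrew's calibration layout, and the device id is found by searching the DER bytes for the NX<16 hex digits>- subject string rather than by decoding the certificate; the sample blob is constructed from filler bytes around that string, not a real certificate.

```python
"""Extract the device id from a decrypted PRODINFO and emit the exosphere patch line.

Added example, not exosphere's or busehac's code. Offsets 0x480/0x3d70 are from
the post; the certificate lengths are assumed from switchbrew's calibration layout.
"""
import re
import sys

CAL_MAGIC = b"CAL0"  # first four bytes of a decrypted PRODINFO

# (name, offset, assumed length) in search order: ECC first, RSA as the fallback
# for consoles (OLED models in particular) whose ECC slot is cleared.
CERT_SLOTS = [
    ("EccB233DeviceCertificate", 0x480, 0x180),
    ("Rsa2048DeviceCertificate", 0x3D70, 0x240),
]

# The subject is stored as plain ASCII inside the DER, so a byte search suffices.
DEVICE_ID_RE = re.compile(rb"NX([0-9A-Fa-f]{16})-")


def device_id_from_prodinfo(blob):
    """Return (device_id, slot_name), or raise ValueError saying why it failed."""
    if blob[:4] != CAL_MAGIC:
        raise ValueError("no CAL0 magic: not a decrypted PRODINFO (wrong BIS key or wrong partition?)")
    for name, off, length in CERT_SLOTS:
        cert = blob[off:off + length]
        if not any(cert):  # cleared slot: all zero bytes, move on to the next one
            continue
        m = DEVICE_ID_RE.search(cert)
        if m:
            return int(m.group(1), 16), name
    raise ValueError("no NX<deviceid>- subject found in either certificate slot")


def exosphere_literal(device_id):
    """The C return statement the post patches into exosphere."""
    return f"return 0x{device_id:x}ull;"


def build_sample_prodinfo(device_id_hex, clear_ecc=False):
    """Constructed stand-in: CAL0 magic and the real offsets, but the certificate
    slots hold filler bytes around the subject string instead of DER."""
    blob = bytearray(0x4000)
    blob[:4] = CAL_MAGIC
    fake_cert = (b"\x30\x82\x01\x00" + b"\xA5" * 0x30 +
                 b"NX" + device_id_hex.encode() + b"-0" + b"\x5A" * 0x30)
    for name, off, _ in CERT_SLOTS:
        if clear_ecc and name.startswith("EccB233"):
            continue  # simulate a console with the ECC certificate wiped
        blob[off:off + len(fake_cert)] = fake_cert
    return bytes(blob)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} prodinfo.bin  "
              f"(e.g. sudo dd if=/dev/nbd0 of=prodinfo.bin bs=4096 count=4)", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        blob = f.read(0x4000)  # both certificate slots lie within the first 0x4000 bytes
    dev_id, slot = device_id_from_prodinfo(blob)
    print(f"device id 0x{dev_id:016x} (from {slot})")
    print(exosphere_literal(dev_id))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The CAL0 check is there because the most common failure is feeding it a partition decrypted with the wrong BIS key, which produces noise rather than a calibration blob; the slot fallback is the OLED case from the text.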