[RCM Payload] Hekate - CTCaer mod

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by CTCaer, May 1, 2018.

  1. CTCaer (OP)
    Hekate - CTCaer mod v1.6

    * CFW Launching for 1.0.0, 2.X, 3.0.0, 4.X, 5.X
    * Automatic RAW eMMC partial dumping
    * And many more

    Before you continue:
    Hekate - ipl is a custom bootloader with extra features.
    It must not be confused with CFW, hbmenu and anything else that is on the Horizon OS (Switch's OS) side.
    E.g., hekate supports exFAT formatted sd cards, but if you never downloaded the exFAT update, it will not work on horizon os or any homebrew.
    So, please don't report problems that happen after leaving hekate - ipl (sleep problems, hbmenu can't see apps, etc).



    Summary:
    CTCaer mod is based on naehrwert's hekate - ipl.
    It supports all sd cards (except SDSC) and automatically chooses if it will dump in parts or not, based on your free space and sd card filesystem.
    Supports CFW launching in the following Switch updates:
    • 1.0.0
    • 2.X.X (all)
    • 3.0.0
    • 4.X.X (all)
    • 5.X.X (all)
    Comes with many additional features. For example you can see your SoC's fuses, eMMC info, SD card info, etc.
    Lastly, it does not currently support CFW launching for updates 3.0.1 and 3.0.2. It will come in the future.



    Features guide:
    • Launch firmware
      Used to launch CFW. This CFW is actually Atmosphere.

      There's only one release currently, which is actually not the full one.
      That one is used to launch any hbmenu or any homebrew with the filename hbmenu.nro through the Album icon.
      Check for @Jan4V's sdfiles.zip
      Notice: Because this version of Atmosphere is not final, it does not support "sleep mode". If your console sleeps, you need to press the power button for 12 sec to power off.

    -------------------------------------
    • Tools (menu)
      • Dump RAW eMMC
      • Dump eMMC BOOT
      • Dump eMMC SYS
      • Dump eMMC USER
      • Dump package1
      • AutoRCM

    Dump RAW eMMC (important!):

    Lets you dump the whole general purpose partition from your Switch's eMMC. This includes Switch system and user files.
    It's one of the 4 physical partitions that your eMMC has. The others are BOOT0, BOOT1 and RPMB (unused).

    Because the whole GPP is 29.1 GiB (31,268,536,320 B), there are several automatic ways to dump it.

    1. Using an exFAT formatted sd card which is 32GiB* and up:
    (* Some 32GB cards have less available free space than 29.1 GiB, so they may trigger partial dumping)
    This will dump the whole physical partition as one big file.


    Troubleshooting when error occurs:
    There are some cases where your sd card will spit errors, either because of bad sectors or bad I/O. In these cases, from v1.5 and up, it will show a specific error, which you need to write down to find out why.
    Sometimes though it can't be fixed.
    In these cases you can force partial dumping by creating a new file called partial.idx. You have to open it in a HEX editor and write exactly these hex values: 00 00 00 00
    The next time you try to run Dump RAW eMMC, it will dump in parts of 2GB.
    (This specific file is attached here, if you have difficulties with hex editors. Just rename it from .idx.txt to .idx.)


    2. Using a FAT32 card or an exFAT card with less space than 29.1GiB:
    This will trigger the automatic partial dumping.
    In this mode it will start dumping in 2GB parts, or in 1GB parts if you have an 8GB or smaller card.
    It dumps your eMMC until it fills your card. It also uses a file called partial.idx, so it knows which is the next part to dump.
    When this is done you will see a message similar to the following procedure:
    1. After the session is done, press any key and Power off or Reboot (rcm) (if you want to skip step 3) the Switch from the main menu
    2. Move the files from SD card to your PC to free some space
      Don't move the partial.idx file! This file keeps tabs on which is the next part to dump.
    3. Unplug and re-plug USB while pressing Vol+ (skip if you rebooted into rcm from hekate's main menu)
    4. Run hekate_ctcaer_1.5.1.bin again and press Dump RAW eMMC to continue with the next parts.
    5. Repeat steps 1-4 until you have 15 x 2GiB or 30 x 1GB files
    6. Join the files with your favorite cmd/app or use the scripts provided
    For step 6, there are also scripts inside a zip, provided in the download link below. Choose the correct one based on the part size (15 x 2GB or 30 x 1GB) and on your OS.

    Notice 1: For users that have an 8GB SD card or smaller, it will automatically dump with 1GB parts.
    Notice 2: If you have an unfinished partial dump and want to start anew, delete the partial.idx file first.
    Warning: When dumping the eMMC in parts, you should not power on the Switch normally and boot to Switch OS before you're done. Otherwise your finished backup will probably be corrupt, because Switch OS writes to your eMMC even if it seems you have done nothing.


    Troubleshooting when an error occurs (write it down for better support):
    In this mode, it's easier to skip the problematic area of your sd card.
    1. First try to run Dump RAW eMMC again right away. It will try to continue from the last part it was trying to dump.
    2. If this does not work, move the already dumped files to your PC, without deleting/moving the partial.idx file.
    3. Run Dump RAW eMMC again, and it will start dumping.
    You may hit these problematic SD card areas. In this case, rinse and repeat the above steps, always keeping the partial.idx file as it is.

    Notice on errors: If the errors persist, try to do a low level (full) format or try to run chkdsk /f /r /x Z: (where Z is your drive letter).


    Dump eMMC SYS (unneeded if you already dumped the RAW eMMC):
    The General Purpose physical partition contains several GPT partitions.
    By using this option, you can dump all these partitions, except USER, as separate files.


    Dump eMMC USER (unneeded if you already dumped the RAW eMMC):
    As described above, this will dump the USER partition from your eMMC's General Purpose partition.


    Dump eMMC BOOT (important!):
    This will dump the physical eMMC partitions BOOT0 and BOOT1. These are needed to complete your eMMC full backup.


    AutoRCM (Dangerous!):
    AutoRCM, also known as briccmii, is based on @Reisyukaku's AutoRCM v2 and smartly corrupts the boot configuration in the BOOT0 partition.
    This allows the user to always boot/reboot into RCM, without the need of a jig.
    Because it writes to the eMMC, it is considered a dangerous operation and must be used with caution and only if needed.
    Warning: The various auto rcm solutions are incompatible with each other.
    That means that if you used AutoRCM v2, you need to use the same again to restore it back. Not another solution.


    -------------------------------------
    • Console info (menu)
      • Print fuse info
      • Print kfuse info
      • Print TSEC keys
      • Print eMMC info
      • Print SD Card info

    Print fuse info:

    This will print your Tegra X1's fuses on your screen.
    It also includes an option to dump them on the sd card, so you can examine them easier.


    Print kfuse info:
    This will print your Tegra X1's kfuses on your screen.
    It also includes an option to dump them on the sd card, so you can examine them easier.


    Print TSEC keys:
    This will print your Tegra X1's security co-processor's keys on your screen.


    Print eMMC info:
    This will print your eMMC info.
    You can see many things, like maximum speed allowed, manufacturer and model, all the physical partitions, all the GPT partitions, etc.


    Print SD Card info:
    This will print your current SD Card info.
    You can see many things, like maximum speed classes and speed grades allowed, manufacturer and model, total user space, free space, cluster size, etc.


    -------------------------------------
    • Reboot (normal)
      Reboot normally, without any mods and CFW
    • Reboot (rcm)
      Reboot into Recovery mode again. Useful if you want to run another payload or you want to remove your sd card.
    • Power off
      Powers off the console.
      When this is used, it's better to remove any sd card with homebrew/CFW/eMMC files and reboot into Horizon OS.
    • About
      Displays info about this payload.

    Warning:
    Don't forget your console in RCM. This will drain your battery without a cable. And because it does not have a battery cutoff, it will completely drain it.
    If this happens, you should power off your console and let it charge in normal mode (red battery icon top-left) for 20-30 minutes before it will turn on. Better remove the sd card, if it has payloads/homebrew/eMMC files, because it will boot into Horizon OS.



    Changelog:
    v1.6:
    • Added upstreamed @Reisyukaku's AutoRCM v2
    • Now the menus have captions and sections for easier use
    • Power button selection works better than before and completely eliminates double presses
    • Bugfixes

    v1.5.1:
    • Fixed a stray message (v1.5.1)
    • [Firmware] Add support for 3.0.0 CFW firmware launching.
    • [Tools] Better dumping algorithm (fixes many problems and new features like force partial dumping).
      Forced partial dumping now works for big sd cards with exFAT and partial.idx is written correctly when a fatal write error occurs.
    • [Tools] Automatic switch to 1GB parts dumping for 8GB sd cards and lower. No need to use another binary.
    • [FatFS] Add error printing. No more vague error 1.
    • [SD] Proper SD card unmounting on reboot/poweroff.
    • [SD] Fix SD status info and add write protect info.
    • Better error printing.
    • Change background color and add logo.
    • Many bugfixes and improvements.

    v1.3:
    • [Firmware] Add upstream changes for 4.xx/5.xx firmware launching support
    • [SD/MMC] More fixes for SDHC/SDXC sd cards.
    • [Tools] Add dumping fuses/kfuses to sd card
    • [Tools] Some small fixes on raw dumping edge cases
    • [Info] Add Info printing for eMMC and SD card

    v1.2:
    • Write errors to SD card are now fatal (as per FatFs/Diskio guidelines). You can still choose what to do though:
      • Abort and try again right away from the last part (recommended)
      • Continue (and potentially have a corrupt dump)
    • Fix SD card not mounting (by fixing the switch to low voltage 1.8v for these cards. Normally happening in Samsung sd cards)
    • Add high speed support for high voltage SD Cards



    Download v1.6



    In Windows, you can then use rajkosto's biskeydump and HacDiskMount to manipulate your raw eMMC dump.

    Thanks:
    naehrwert for the original code: http://github.com/nwert/hekate
    @rajkosto for his hekate - ipl commits and tools: http://github.com/rajkosto/
    And all other contributors in hekate repo.
     

    Attached Files:

    Last edited by CTCaer, May 25, 2018 at 9:19 PM
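A joiner for step 6 of the partial dumping procedure, added here as an example and not one of the scripts CTCaer provides. It orders the parts numerically (a plain lexicographic `cat` would put part 10 before part 2), refuses to continue when a part index is missing, and checks that the joined file is exactly the 31,268,536,320-byte GPP before writing anything. The `<stem>.<N>` part naming and the tiny constructed parts in `demo()` are assumptions of this example.

```python
# Joiner for hekate's partial RAW eMMC dumps: order the parts, verify, concatenate.
import re
import shutil
import tempfile
from pathlib import Path

GPP_SIZE = 31_268_536_320  # whole GPP as stated in the post (29.1 GiB)
# ASSUMPTION for this example: parts are named "<stem>.<N>" with N = 0, 1, 2, ...
PART_RE = re.compile(r"^(?P<stem>.+)\.(?P<idx>\d+)$")


def find_parts(directory, stem):
    """Parts for `stem` in numeric order (.10 after .9, unlike a lexicographic
    `cat stem.*`); refuses to continue if an index is missing (a skipped part)."""
    found = {}
    for p in Path(directory).iterdir():
        m = PART_RE.match(p.name)
        if m and m.group("stem") == stem:
            found[int(m.group("idx"))] = p
    missing = sorted(set(range(len(found))) - set(found))
    if missing:
        raise ValueError(f"missing part(s): {missing}")
    return [found[i] for i in range(len(found))]


def check_part_sizes(sizes, expected_total=GPP_SIZE):
    """All parts but the last must be equal; the total must be one whole GPP."""
    if len(sizes) > 1 and any(s != sizes[0] for s in sizes[:-1]):
        raise ValueError(f"inconsistent part sizes: {sizes}")
    if sum(sizes) != expected_total:
        raise ValueError(f"joined size {sum(sizes)} != expected {expected_total}")
    return sum(sizes)


def join_parts(parts, out_path, expected_total=GPP_SIZE):
    """Concatenate the parts in order; returns the number of bytes written."""
    total = check_part_sizes([p.stat().st_size for p in parts], expected_total)
    with open(out_path, "wb") as out:
        for p in parts:
            with open(p, "rb") as src:
                shutil.copyfileobj(src, out, 1024 * 1024)
    return total


def demo():
    """Constructed stand-in: three tiny parts instead of the real 2 GB ones."""
    with tempfile.TemporaryDirectory() as d:
        for i, chunk in enumerate([b"0123", b"4567", b"89"]):  # 4 + 4 + 2 bytes
            Path(d, f"rawnand.bin.{i}").write_bytes(chunk)
        Path(d, "partial.idx").write_bytes(b"\0\0\0\0")  # bookkeeping file, not a part
        out = Path(d, "rawnand.bin")
        written = join_parts(find_parts(d, "rawnand.bin"), out, expected_total=10)
        return written, out.read_bytes()  # (10, b'0123456789')
```

For a real dump, call `join_parts(find_parts(sd_dir, stem), output)` with the default GPP size; the size check fails loudly if a part was skipped or truncated.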
  2. Taffy
    Ah....this is clever! But how do you consolidate/re-join the parts afterwards?
     
  3. DSpider
    A better question would be is there a way to restore it?
     
  4. CTCaer (OP)
    Check OP, I've added a simple solution.
    You can still use whatever file joiner exists though.
     
  5. Taffy
    iirc we only are able to dump things at this point.

    And if you're concerned about restoring things then you probably shouldn't be screwing with the console in the first place.

    edit: ninja'd

    I like it! Saves me a little money so I don't need to buy a bigger card!

    still will probably get one though
     
    Last edited by Taffy, May 1, 2018
  6. TheZander
    What's the firmware patching functionality of this?
     
  7. CTCaer (OP)
    You can replace various firmwares and functions with your own.
     
  8. rajkosto
    if you have enough space on your microSD for all of USER you should probably use mine, this one seems a LOT hackier.
     
  9. sweetlilmre
    The instructions state "Warning: When dumping the USER partition, you should not power on the switch normally before done. Otherwise the USER contents will change."

    Why would reading the contents change the partition?

    -(e)
     
  10. aut0mat3d
    If only one bit is written to the filesystem which you are currently dumping, you have good chances to have it corrupted.
    And you are reading it in parts...
     
  11. tecfreak
    How do you know that it only reads from this partition?
     
  12. sweetlilmre
    If the warning means the dump would be corrupted then that makes sense. The wording was ambiguous.

    -(e)
     
  13. sweetlilmre
    Because I looked at the code and writing to the partition when dumping would be insane?

    -(e)
     
  14. aut0mat3d
    That is the key, yes.
    I see no reason why the dumper should write to emmc. This would be very dangerous and there is no reason to do so.
     
  15. tecfreak
    ^^
    The warning says that you shouldn't boot into the OFW while you are dumping your user partition, in the case when you need to restart the system because you don't have enough space on your sd card for a complete dump.

    Got it now?
     
  16. CTCaer (OP)
    Because booting to Switch OS writes to the user partition.
    And that may render your unfinished backup corrupted, because one part of it changed.

    This tool does not write to your emmc by any means.

    EDIT:
    Fixed the ambiguous description in github
     
    Last edited by CTCaer, May 1, 2018
  17. sweetlilmre
    Thanks, makes sense :)
     
  18. TheZander
    Is this how they messed with the FW version field in the screenshots from months ago? What other system firmware changes are possible through this?
     
  19. Ghost92
    Do you think there is a possibility to dump the data directly to the PC? Like adding a driver to the payload that allows you to explore the data or transfer it to the connected PC after loading the payload.
     
  20. Carlos Escobar
    I have dumped the nand several times but part 6 is always skipped... I use a 32 GB sd and I dump all parts until part 6, then I have to copy all contents of the sd to my pc and then boot hekate again to finish parts 6 and 7, but 6 is always skipped. Anyone knows the reason?

    Regards,
     
    Last edited by Carlos Escobar, May 1, 2018