Switch联网证书浅谈

更新于 分类于 阅读次数: 阅读时长 ≈ 19 分钟

Nintendo Switch联网证书

有什么用

认识Switch各个分区, 以及用处、特点等

备份或还原联网功能, 还原联网证书, 可连接eshop;

(前提是机器是因为软件或硬件故障, 而导致证书丢失, 未被ban的情况下)

开机已恢复正常,序列号,联网都恢复完毕。

手动, 线刷或卡刷 Switch的系统, 也可借鉴本文的恢复/还原 分区的方法

原理都一样, 还原硬盘中的各个分区数据;

相关内容

还原证书(恢复联网功能)方法

使用大气层的自动备份文件

如果有大气层自动备份文件, 这是假设主机已经硬解,

并且之前就已经成功进入过大气层虚拟系统(大气层系统会自动生成备份文件)

文件: 存放在SD卡的atmosphere - autobackup 文件夹下;

可以使用‘NxNand Manager 3’还原

How can I restore a console’s PRODINFO from Atmosphere’s auto backup file?

I.e. 比如这样的自动备份文件
XTJ10904519904_BISKEYS.bin
XTJ10904519904_PRODINFO_7DD0FD91.bin

工具:

NxNand Manager 3

步骤(这个步骤不可逆, 请谨慎操作):

  1. 提取prod.key文件
    1. 进入Hekate选择payload,先选择lockpick_RCM或picklock_RCM,按音量+-切换选项按开机键确定
  2. 把Switch连接Windows电脑, 开机进入hekate,选择tools - 选择usb-tools - 点击read-only,从ON改成OFF
  3. 点击emmc raw gpp后,连接数据线到电脑。
  4. 右键管理员运行-NxNandManager
  5. 点击file-open drive
  6. 选择emmc gpp hekate
    1. 点击options-configure keyset
    2. 选择import keys from file
    3. 选择Prod.keys后选择打开
    4. 点击save
    5. prod.keys没问题的话,会自动显示设备信息(这一步很重要, 可验证key是否正确)
  7. 右键prodinfo-选择restore from file…
  8. 选择自己序列号的prodinfo.bin,点击打开

image-20250619090244242

断开数据线,正常开机,序列号正常,联网正常,修复完毕。

本小节鸣谢: ns 2026-0002(0x41a) 报错修复方法 大气层automatic_backups 恢复prodinfo

相关的信息:

  1. NxNand Manager 3 dump/saved a prodinfo.bin

  2. Put your prodinfo_backup.bin to the root of your sdcard and use Incognito_RCM to restore it.

I’m in the proccess of creating a prodifo.bin from the stored cal0.bin Dumped from the hekate 5.3.2 payload under console info then dumped which shows the xaw00000000 serial nbr and editing it with a binary editor on windows and then save the file and rename prodinfo.bin and restore with NxNandManager I’ve literally been at this a month no biskeys wiped out, no backup nothing all from scratch but got the biskeys back and everything it’s lengthy I have so many bookmarks but hopefully This will work I believe it should in theory

使用FULL nand备份还原联网证书

这是假设, 主机已经硬解, 并且做了Full Nand备份的情况下;

如果正版机字库坏了, 可以先尝试硬解后, 做full nand 备份(只要能完成前面百分30%左右的备份就够了)

方法是使用HacDiskMount, 加载full nand备份文件, 通过prod.key解密后, 导出证书(Prodinfo.bin)

然后更换硬盘/字库后, 重新导入证书证书. [这时, 是否需要重新生成Prod.key, 有待验证, 因为硬盘换了, cpu依旧]

工具:

HacDiskMount

从Nand备份导出证书prodinfo.bin步骤:

  1. 提取prod.key文件
    1. 进入Hekate选择payload,先选择lockpick_RCM或picklock_RCM,按音量+-切换选项按开机键确定
  2. 用hacdiskmount打开nand备份文件并使用prod.key解密prodinfo分区。
  3. 选择备份的rawnand.bin.00 或者 选择备份的rawnand.bin
  4. 双击prodinfo
  5. 将提取的prod.key内的bis key00分两段进行填入,点击test
  6. 提示Ok!后,点击save
  7. Dump to file 位置. 点击browse选择保存位置后,点击start将文件提取至桌面。

使用导出的证书prodinfo.bin写入主机证书分区步骤:

  1. 开机进入hekate,选择tools
  2. 点击read-only,从ON改成OFF
  3. 点击emmc raw gpp后,连接数据线到电脑。
  4. 右键管理员运行HacDiskMount
  5. 选择-open physical drive; 选择hekate emmc gpp
  6. 双击Prodinfo
  7. 点击test-提示Ok后,点击browse-选择刚才从nand导出的prodinfo
  8. Restore from file; 点击start开始恢复
  9. 恢复完毕,开机已恢复正常,序列号,联网都恢复完毕。

本小节鸣谢: ns 2026-0002(0x41a) 报错修复方法 大气层automatic_backups 恢复prodinfo

Prodinfo Restore TegraScript

https://github.com/JeffVi/Prodinfo-Restore-TegraScript

A script to restore a prodinfo backup on your Switch

Can restore a full PRODINFO backup, or an automatic backup from Atmosphère, on sysMMC and emuMMC.

Before restoration, a backup of your current PRODINFO is made /tegraexplorer/prodinfo/PRODINFO_BAK.bin

This script uses TegraScript v3.

You can restore from AMS automatic backup or from prodinfo.bin on the root of your sd.

How To Use

You will need the latest release of TegraExplorer.

如何修改prodinfo进行安全连接

步骤前提: 是修改大气层虚拟系统的prodinfo分区内容

  1. 下载所有需要的文件

    1. Lockpick_RCM.bin
    2. prodinfo_gen.bin
    3. donor.keys
    4. donor_prodinfo.bin

  2. 打开所在文件夹”破坏联网证书”

  3. 将donor.keys和donor_prodinfo.bin复制到switch文件夹下

将Lockpick_RCM.bin和prodinfo_gen.bin”复制到bootloader\payloads文件夹下

4.插卡开机

5.进入Hekate选择payload,先选择lockpick_RCM或picklock_RCM,按音量+-切换选项按开机键确定

6.选择dump from EmuNAND,提取结束后暗任意键返回

7.切换到 reboot to hakate 按开机键确定

8.进入kakate选择payload,再选择prodinfo_gen.bin

9.切换到build Prodinfo file from donor 按开机键确定 完成后任意键返回

10.选择poweroff关机拔卡插电脑

11.打开tf卡盘符看看证书是否生成完毕 generated_prodinfo_form_doner.bin,prod.keys也生成完毕,将两个文件复制到电脑的”破坏联网证书”文件夹

12.右键管理员运行HacDiskMount.exe

13.这里破坏的是虚拟系统,点击open file 找到emummc-sd00-emmc文件夹,右下角文件类型修改为all files

14.选择00点击打开

15.分别对prodinfo以及prodinfof进行解密替换

16.双击prodinfo 打开电脑刚刚复制过来的prod.keys,将bis_key_00=后面的值分割为两段,前半段复制到BISKey 0的Crypto(Upper),后半段复制到BISKey 0的Tweak(Lower),点击两下Test(提示OK!就好)

17.点击最下面的Restore from file,选择生成的prodinfo_from_doner进行导入(“破坏联网证书”文件夹下),点击Start

18.双击prodinfof,击两下Test(提示OK!就好)点击最下面的Restore from file,导入”破坏联网证书”文件夹下的prodinof,点击Start

破坏完毕,点击左上角file-close退出

如何检测是否破坏成功:

1.打开主机查看序列号信息是否变化

2.点击手柄查看平板颜色是否变成彩色

如何修改prodinfo数据本身 - PRODIFY

工具: https://github.com/sthetix/PRODIFY

PRODIFY - The Nintendo Switch PRODINFO Editor

PRODIFY is a tool for editing decrypted prodinfo files on Nintendo Switch consoles. It lets users modify the serial number and adjust the body or bezel color. Primarily for banned consoles, it can also normalize serial and body color when using a donor NAND generated by prodinfo_gen.

前提

Before using PRODIFY, ensure you have:

Operating System: Windows 7 or higher.
Decrypted prodinfo File: Ensure the prodinfo file is decrypted; encrypted files are not supported.

用法

Launch PRODIFY:

Double-click prodify.exe to start the application.
Load prodinfo File:

Click the “Load PRODINFO” button and select the decrypted prodinfo file you wish to edit.
Edit Serial Number:

The current serial number is displayed. Enter a new serial number if needed (14 characters max).
Customize Colors:

Modify the “Bezel Color” and “Main Color” by either entering a HEX color code directly or using the color picker. The tool automatically calculates and updates the CRC-16 checksum to ensure the integrity of the changes.
Update prodinfo File:

Click “Update PRODINFO” to save your changes. The tool will update the serial number, colors, and calculate the SHA-256 hash for the file.

相关基础信息

认识Switch硬盘/字库分区

先了解一下switch系统都有那些分区。
一,启动分区
包含boot0,boot1
二,证书分区
包含prodinfo,prodinfof
三,系统分区
包含pkg1,safe,system,user
四,部分通用分区
这里的通用是指不用prod key解密的文件

The following types are supported by NxNandManager :

Type Description Can be restored from
BOOT0 BOOT0 partition (single file) BOOT0 or FULL NAND (partial restore)
BOOT1 BOOT1 partition (single file) BOOT1 or FULL NAND (partial restore)
PRODINFO PRODINFO partition (single file). Also known as “CAL0” PRODINFO or FULL NAND, RAWNAND (partial restore)
PRODINFOF PRODINFO partition (single file) PRODINFOF or FULL NAND, RAWNAND (partial restore)
BCPKG2-1-Normal-Main BCPKG2-1-Normal-Main partition (single file) BCPKG2-1-Normal-Main or FULL NAND, RAWNAND (partial restore)
BCPKG2-2-Normal-Sub BCPKG2-2-Normal-Sub partition (single file) BCPKG2-2-Normal-Sub or FULL NAND, RAWNAND (partial restore)
BCPKG2-3-SafeMode-Main BCPKG2-3-SafeMode-Main partition (single file) BCPKG2-3-SafeMode-Main or FULL NAND, RAWNAND (partial restore)
BCPKG2-4-SafeMode-Sub BCPKG2-4-SafeMode-Sub partition (single file) BCPKG2-4-SafeMode-Sub or FULL NAND, RAWNAND (partial restore)
BCPKG2-5-Repair-Main BCPKG2-5-Repair-Main partition (single file) BCPKG2-5-Repair-Main or FULL NAND, RAWNAND (partial restore)
BCPKG2-6-Repair-Sub BCPKG2-6-Repair-Sub partition (single file) BCPKG2-6-Repair-Sub partition or FULL NAND, RAWNAND (partial restore)
SAFE SAFE partition (single file) SAFE or FULL NAND, RAWNAND (partial restore)
SYSTEM SYSTEM partition (single file) SYSTEM or FULL NAND, RAWNAND (partial restore)
USER USER partition (single file) USER or FULL NAND, RAWNAND (partial restore)
RAWNAND RAWNAND contains: - GPT (partition table) - PRODINFO - PRODINFOF - BCPKG2-1-Normal-Main - BCPKG2-2-Normal-Sub - BCPKG2-3-SafeMode-Main - BCPKG2-4-SafeMode-Sub - BCPKG2-5-Repair-Main - BCPKG2-6-Repair-Sub - SAFE - SYSTEM - USER - GPT backup RAWNAND or FULL NAND or any valid partition (partial restore)
FULL NAND FULL NAND contains: - BOOT0 - BOOT1 - GPT (partition table) - PRODINFO - PRODINFOF - BCPKG2-1-Normal-Main - BCPKG2-2-Normal-Sub - BCPKG2-3-SafeMode-Main - BCPKG2-4-SafeMode-Sub - BCPKG2-5-Repair-Main - BCPKG2-6-Repair-Sub - SAFE - SYSTEM - USER - GPT backup FULL NAND or RAWNAND (partial restore) or any valid partition (partial restore)

比如从Nand备份中的提取证书PRODINFO的方法如下:

image-20250619092722234

熔断数和系统固件版本的关系

正常系统版本每次大更新都会烧毁soc里面的微型保险丝,防止用户降级,如出现熔断数对不上系统版本,则会无法开机。
但是,atmosphere,有个warmboot_mariko,针对续航的补丁,他可以绕开熔断数,直接进真实破解。
查熔断数方法
通过注入hekate,点击主机信息(console info),点击硬件和fuses(HW fuses),在左侧,burnt fuses后面,有2个数字,第一个数字是熔断数,第二个是HOS(switch系统)版本。
那么有了熔断数,如何查看对应版本呢?
点击下面的网站查看。
https://switchbrew.org/wiki/Fuses#Anti-downgrade
那么要熔断数和对应版本干什么?
因为要做刷机包,而刷机包需要固件版本。
比如说,熔断数是10,对应版本是8.10
刷机包必须用8.10固件包制作,不能用别的版本。

I’m in the proccess of creating a prodifo.bin from the stored cal0.bin Dumped from the hekate 5.3.2 payload under console info then dumped which shows the xaw00000000 serial nbr and editing it with a binary editor on windows and then save the file and rename prodinfo.bin and restore with NxNandManager I’ve literally been at this a month no biskeys wiped out, no backup nothing all from scratch but got the biskeys back and everything it’s lengthy I have so many bookmarks but hopefully This will work I believe it should in theory

no major editing was needed convert the cal.bin file to cal.txt and pull up in notepad on left side as shown edit the 000000000 to the serial nbr on your switch and save and convert back to .bin file and flash with NxNandManager For prodinfo.

incognito/匿名

Wipes some personal information from your Nintendo Switch by removing it from PRODINFO (CAL0).

NOTE: Atmosphere blocks writes to PRODINFO, so you must use ReiNX, SX OS, or a custom KIP to install this. Once installed, you can switch back to Atmosphere.

  • This application does not remove all personal information from your Switch, and should not be treated as a true preventative measure against getting banned.
  • ALWAYS have a NAND backup. I am not responsible for any bricks or bans. Use at your own risk, as this is an experimental program.
  • This application backs up your PRODINFO to the SD card, as backup/PRODINFO.bin You should keep this backup in a more secure location, and not leave it on the SD card where it could be subject to corruption or be read by malicious applications.

https://github.com/blawar/incognito

相关文章:

Use Prodinfo from another switch

How can I restore a console’s PRODINFO from Atmosphere’s auto backup file?

Switch Unbrick Guide

(请输入关键字以后回车,检索内容涵盖全局站点)

个性化需求沟通 扫客服加V加群: