Topics - CarlTrek

iQue Switch / Tutorial: Region Unlock iQue Switch
« on: July 18, 2020, 02:32:26 PM »
    P.S. If you want to know more about iQue Switches, read my other articles in the same section as this.
    First things first: I am not responsible for any damage dealt to your Switch during this process, even if you have followed my steps exactly!
    The reply I made on GBATemp saying this is impossible is wrong! The reason I failed was injecting the modified Prodinfo with Incognito itself, which doesn't really work. I don't know why, but it seems the SX Core chip is getting in the way.
    A. Before We Start
    • You cannot go online for multiplayer or use the eShop with this unless you want an instant ban, even if you don't use any kind of unlicensed or pirated software. In fact, this will even increase the chance of a ban, since there will be things in your device identification that cannot match up after such an operation: for example, your device serial will still begin with XKC, which is iQue specific. Wiping out or modifying the serial and other console-specific data may help a little, but we don't suggest doing that, since using the wrong tools and/or wrong methods while manipulating the Prodinfo partition could result in an irreversible brick (e.g. the incognito module in Tinfoil).
    • It's NOT recommended to do this on your sysNand, since it involves dangerous procedures like manipulating the Prodinfo partition. Only try it on emuNand.
    • You can actually region lock an international Switch in the same manner, but it doesn't seem to make much sense.
    • You will lose all your NSP games, updates, DLC, and game saves in this operation. Please back them up if you still need them.
    • Currently I'm not sure whether you will gain/lose the ability to run iQue eShop games and iQue cartridges after this operation, as I'm not sure whether some kind of key derivation is done during the factory reset process, and I have no iQue cartridges, let alone the fact that my iQue Switch is banned. :-[ If you find you have lost that ability and you need to run iQue eShop games and iQue cartridges, you can still boot into your unmodified sysNand and enjoy them. Also, if that does happen, contact me to let me know.

    B. How it works
    There is a partition called Prodinfo in the Switch NAND, and a part inside it called CAL0, which contains some device identification information, including the region code. Here is a link if you want to know more: https://switchbrew.org/wiki/Calibration

    Despite so many weird features and behaviors in the iQue Switch OS, what's under the hood is surprisingly simple: on the first boot, it only checks the region code in Prodinfo. If it's "CN" (0x04), then it activates iQue Switch features; otherwise, it activates international features. This is quite different from its ancestors like the iQue 3DS, which had major differences in software, and sometimes even in hardware, compared to their equivalent international models.

    So, we just modify Prodinfo and then get back to first-boot status, and we will be able to change the region lock status.

    0. Software Needed
    • Lockpick.nro (not LockpickRCM; that one won't work, since there is no way to push a payload on Mariko units.)
    • Incognito.nro (again, not its RCM version.)
    • GoldLeaf.nro
    • CheckPoint.nro/JKSV.nro (not required, but definitely useful, since you will lose everything)
    • NxNandManager
    • HxD
    These tools should be easy to find just by Googling their names, so download links are not given here to keep it tidy.

    1. Pick The Keys

    Firstly, get your tools prepared. After you have downloaded all those tools, put NxNandManager and HxD on your PC, and everything else goes into the root of your Switch's SD card.

    Then launch Lockpick. It's a homebrew: just click the album, choose "HOMEBREW" in the CFW menu, and then click on Lockpick.




    When you see this, the process is done. Press + to exit. Now you have the keys we need to decrypt the Prodinfo later.

    2. Dump Decrypted Prodinfo



    Launch Incognito. When you see this menu, press "B" to get prodinfo.bin. When it tells you it succeeded (usually in less than 1 second), it's done. Press + to exit.

    3. Modify Prodinfo

    Eject the SD card from your Switch, put it in a reader and hook it up to your PC. You will find a prodinfo.bin file in sdcard:/backup. Copy that file somewhere safe in case something goes wrong later on. Open HxD, and open that prodinfo.bin. Press Ctrl+G, type in "3510", and then press Enter, since what we are going to modify is at offset 0x3510 (and also 0x351E). Notice these two values shown in the picture:



    The left one is at offset (you can think of "offset" as just a fancy name for "location") 0x3510, and the right one is at offset 0x351E. That "03 00" is the region code, while "63 3B" is the checksum. You can change them to these values:

    0x3510   0x351E   Region
    00 00    66 FF    JP
    01 00    66 3E    US
    ------------------------------
    04 00    63 3B    iQue
    For those who have never used a hex editor: click directly on the number you want to modify and then key in the new number. Don't type anything in that "dotty" area. The content in the "dotty" area may change when you are keying in numbers on the left; no need to worry.

    Actually, which region code you pick doesn't really matter. It only cares whether it's iQue or not. Notice that 0x3510 and 0x351E must match up or you will get a brick!

    After you are done, press "save" and then exit HxD.

    4. Inject Modified Prodinfo Into Emunand

    Notice: this assumes you saved your emuNand as files. If you saved your emuNand as a hidden partition, you may have to take extra steps to unhide the partition and assign it a drive letter before continuing. This is kinda complex and off topic, so I don't want to talk about it too much; Google is your friend.

    Open NxNandManager, and click Options - Configure Keyset, since we need to set up our keys first. Click "import keys from file", then select your prod.keys file. It's under sdcard:/switch. Those empty boxes will then be filled in automatically, and you can close that window. If it tells you that it failed to parse the key file, close NxNandManager, right-click on its icon, select "run as administrator", and try again.



    Click File - Open File, then select your emuNand part 0, which is at sdcard:/sxos/emunand/full.00.bin (if your emuNand is saved as a partition, click File - Open drive instead, then select your emuNand partition). Then click "PRODINFO". Click "Restore from file", and select your modified prodinfo.bin, which is at sdcard:/backup/prodinfo.bin. Click OK in the pop-up window and, when it's done, close NxNandManager.



    5. Send Switch Back to First Boot

    You will lose all your game saves by doing this! Back them up with Checkpoint/JKSV first!

    Put the SD card back into the Switch and turn it on. Run Goldleaf and select "Explore Content - Console Memory (System)", then move the cursor to the "save" folder. Press the Y button and select "Delete". Then do the same with the "savemeta" folder. You may find that the "save" folder is still there, but all the contents inside are gone. This is expected.

    Then exit Goldleaf by pressing +, go to System Settings and do a factory reset. You may find your Switch suddenly turns off very shortly after it begins the factory reset: this is expected. Just turn it back on, and you have a region-unlocked iQue Switch.

    Z. Thanks
    • zestiva, for proposing such a procedure as an idea on GBATemp.
    • HenryMin, for confirming that the procedure is possible, and pointing out why my first few attempts failed.
    • CBPS, for running the forum I post this tutorial on.
    • TX, I mean both TXs, for creating weird and fun hardware for us to research.

    We are free, we are free!
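Added example (Python), not from the post above or from any of the tools it names: it recomputes the checksum the tutorial tells you to pair with the region code, so you can verify the 0x3510/0x351E pair in a dump before restoring it, rather than copying bytes from a table. The offsets come from the post; the CRC parameters (CRC-16, reflected polynomial 0xA001, initial value 0x55AA, no final XOR, stored little-endian) and the layout of the region field as a little-endian 32-bit value followed by zero padding are assumptions, chosen because they reproduce all three checksums in the post's table. The sample image is constructed and is not a real dump.

```python
import struct
from typing import Tuple

# Offsets from the post (and the switchbrew Calibration page it links):
# the region-code block starts at 0x3510; the 14 data bytes 0x3510..0x351D
# are covered by a 2-byte CRC stored little-endian at 0x351E.
REGION_OFFSET = 0x3510
REGION_DATA_LEN = 0x0E
CRC_OFFSET = REGION_OFFSET + REGION_DATA_LEN  # 0x351E

# Region values used in the post; the console only distinguishes iQue (4) from the rest.
REGION_CODES = {"JP": 0, "US": 1, "iQue": 4}


def cal0_crc16(data: bytes) -> int:
    """CRC-16 over one CAL0 field.

    Assumed parameters: reflected polynomial 0xA001 (0x8005), init 0x55AA,
    no final XOR. Not stated in the post, but they reproduce every checksum
    in its table; confirm against your own dump before trusting them.
    """
    crc = 0x55AA
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0xA001
    return crc


def crc_bytes_for_region(region: int) -> bytes:
    """The two bytes that belong at 0x351E for a region code.

    Assumes the field is a little-endian u32 followed by zero padding.
    """
    field = struct.pack("<I", region) + bytes(REGION_DATA_LEN - 4)
    return struct.pack("<H", cal0_crc16(field))


def read_region(prodinfo: bytes) -> Tuple[int, int, bool]:
    """Return (region_code, stored_crc, crc_matches) for a decrypted prodinfo image."""
    field = prodinfo[REGION_OFFSET:CRC_OFFSET]
    region = struct.unpack_from("<I", field, 0)[0]
    stored = struct.unpack_from("<H", prodinfo, CRC_OFFSET)[0]
    return region, stored, cal0_crc16(field) == stored


def set_region(prodinfo: bytes, region: int) -> bytes:
    """Return a copy with the region code and its CRC rewritten together,
    so 0x3510 and 0x351E cannot get out of step (the brick condition the post warns about)."""
    buf = bytearray(prodinfo)
    struct.pack_into("<I", buf, REGION_OFFSET, region)
    struct.pack_into("<H", buf, CRC_OFFSET, cal0_crc16(bytes(buf[REGION_OFFSET:CRC_OFFSET])))
    return bytes(buf)


def patch_file(src: str, dst: str, region: int) -> None:
    """Patch a dumped prodinfo.bin into a new file, leaving the backup untouched.

    Refuses to write if the stored checksum already fails to verify: either the
    CRC assumptions above are wrong for this dump or the dump is damaged.
    """
    with open(src, "rb") as f:
        data = f.read()
    region_now, crc_now, ok = read_region(data)
    if not ok:
        raise ValueError(
            f"stored CRC {crc_now:04X} does not match region {region_now:#x}; refusing to patch"
        )
    with open(dst, "wb") as f:
        f.write(set_region(data, region))


def make_sample_prodinfo(region: int) -> bytes:
    """Constructed stand-in for prodinfo.bin: a zero-filled image with only the
    region block populated (a real dump is far larger and is not all zeros)."""
    return set_region(bytes(0x4000), region)


if __name__ == "__main__":
    # Reproduce the post's table of 0x3510 / 0x351E values.
    for name, code in REGION_CODES.items():
        print(f"{name:<5} {code:02X} 00  {crc_bytes_for_region(code).hex(' ').upper()}")

    image = make_sample_prodinfo(REGION_CODES["iQue"])
    print("before:  ", read_region(image))
    unlocked = set_region(image, REGION_CODES["US"])
    print("after:   ", read_region(unlocked))

    # The mistake the post warns about: region byte edited, checksum left alone.
    sloppy = bytearray(unlocked)
    sloppy[REGION_OFFSET] = REGION_CODES["iQue"]
    print("mismatch:", read_region(bytes(sloppy)))
```

Run it as a script to print the same table as the post; `patch_file("prodinfo.bin", "prodinfo_patched.bin", 1)` writes a new file and never touches the backup. It only maintains the per-field CRC the post discusses; everything else in CAL0 is passed through unchanged.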



    iQue Switch / Review of hacked iQue Switch
    « on: June 24, 2020, 03:31:39 PM »
    Okay, now I have my iQue Switch hacked using the Xecuter SX Core product.
    This review may be much shorter than you expect, since I won't show the same things as on regular Switches.

    1.Game booting splash

    Every Switch user will know that there is a splash screen shown when the Switch is starting a game, which contains a Nintendo logo (top left corner) and a Switch logo (bottom right corner). According to the Nintendo Homebrew Discord server, this splash is stored in the game's executable files. However, what's in the iQue Switch exceeds what we have known about the booting splash.

    When starting any NSP or legit eShop game (no matter what the game region is, and this even applies to NSPs that are not games, e.g. Tinfoil installed as a game), it shows a boot splash containing 3 parts: a Nintendo logo (top left corner), a Switch logo (bottom right corner), and a "notice about healthy gaming" in the middle.



    Let's talk a little more about that "notice about healthy gaming". It's required by law that all video games legally released in China must show such a notice in-game (wherever, though: on the loading screen, on the intro screen, even in in-game chats, at the developer's discretion), very similar to "Winners Don't Use Drugs" in arcade machines back in the 1990s. I guess that's why the iQue Switch just baked it into the OS, affecting every NSP, since every game will need one. The content of that notice is:
    Protest against vulgar games and say no to pirated games.
    Take care to self-protections and avoid being scammed in-game.
    Casual gaming is good for the brain while gaming addiction is bad for health.
    Plan your time wisely and enjoy a healthy life.

    However, when starting XCI games or foreign cartridges (I haven't tried iQue cartridges or XCIs dumped from them), it just shows the regular boot splash.



    So, there are two things quite new to us:
    1. The boot splash can contain more than 2 parts and is customizable, at least to some extent;
    2. The boot splash doesn't always come from the game's executable files, at least on the iQue Switch.

    2. Language Fallback Issues

    Some games are multilingual, which means they can switch to different languages automatically according to what language and region you have selected in the OS. However, there are always times when you select a language that the game doesn't support, so it will display in its "default language", usually English; that's "language fallback".

    All games (including XCI and NSP) will display in Simplified Chinese if they support it. However, since there are no language or region settings on the iQue Switch, if they don't support Simplified Chinese, they will fall back to (usually) English even if they provide a similar language like Traditional Chinese, and users have no control over this unless the game provides a dedicated in-game language selector.

    Games that are not multilingual will still run normally and display in their original language.

    3. NES/SNES online
    A pretty surprising thing is that NES/SNES Online on the iQue Switch can be played totally offline, with all games accessible. However, NES/SNES Online is not in the iQue eShop, so piracy is required. On regular Switches, you need a Nintendo Account, a membership subscription, and to be online to play NES/SNES Online. You can bypass the Nintendo account, but the game will hang on the game selection page, with no games shown.

    4. A little extra: Super Mario Bros. U trial for iQue Switch

    Actually this should have been part of the OFW review. But by the time I realized that there is a trial version of Super Mario Bros. U for the iQue Switch, I had already packed my Switch up, ready to mail it to the pirate for modification.

    I said I would like to dump the trial game to let you guys try it yourselves, but unfortunately none of the tools (including Tinfoil, SX Dumper and Lockpick) could dump iQue eShop titles properly. According to Team Xecuter, the iQue Switch uses a different titlekey format to encrypt eShop games, which those tools are not adapted to.

    Downloading the game is the same process as on a regular Switch, so not much to talk about.



    Loading screen. You can see they translated "Now Loading...". And this is not because they think someone would not understand what "Now Loading" means. It's actually because of the video game censorship rules in China: anything that could be written in Simplified Chinese must be written in Simplified Chinese. Using unnecessary amounts of foreign language (which in the end turned into "do use unnecessary amounts of Chinese") in a game will decrease its chance of passing censorship. Also, using Traditional Chinese in games is prohibited, since it's the language of Taiwan or Hong Kong, which are capitalist.

    Intro screen of the game. The name of the game definitely needs to be translated.



    Only 6 levels are playable in this trial version: 3 from Super Mario Bros. U and another 3 from Super Luigi Bros. U.



    They also translated level names.



    The gameplay is the same as the regular version. But there is a small but quite shocking difference: they translated "1UP" into "加1", which means "+1". I didn't know that even such a little thing is within the scope of censorship. It happened too fast and I didn't have time to capture it, though. Even commies know what "1UP" is without someone translating it for them; remember, we grew up with the Dendy.



    Well, that's all. Thanks for reading. In this hot summer, chill yourself with a cold war.





    iQue Switch / Probably the first iQue Switch review in the west
    « on: June 15, 2020, 02:03:46 PM »
    Well, as probably the only commie here, I got an iQue Switch (actual name: Tencent-Nintendo Switch) for about $211.45. And I am probably the first guy to actually review such a thing for the western public.

    "In this hot summer, chill yourself with a cold war."

    Looking

    Well, what can I say. It's a Switch, just like any Switch. Even though it's a Tencent product, it's still named "Nintendo Switch" on its back.
    The model number is HAC-001(-01), which means it's a Mariko. Since the iQue Switch hit the market so late (probably at least Dec. 2019), all of them are Marikos.


    It has a serial number beginning with "XKC". For this, I had to post a pull request for the Nintendo Homebrew Discord server's KurisuBot, since its serial number checker didn't even think "XKC" was a valid serial number back then.


    Software

    It's quite long, so I will separate it into different sections.
    Before you ask: no, it's not hacked for now. But sooner or later. If kept unhacked it's literally garbage; you will know why soon.

    1. First-time-setup

    Boot screen is the same as regular Switch.


    The very beginning of the setup is kinda different: you won't get the screen to set up the language, and you jump directly to the EULA. The iQue Switch doesn't support any language except Chinese. And when you begin to set up an account, things get interesting:



    It doesn't even support Nintendo Accounts. All it supports is WeChat accounts. When you choose that, a QR code pops up and you need to scan it with WeChat on your cellphone.



    After scanning:



    It says the Nintendo Switch has been successfully registered.
    After that it recommends you subscribe to Tencent's official Switch WeChat channel. You can just skip it.



    And after a few steps just like on a regular Switch, it's finally done.
    The main menu is the same as on a regular Switch, so no point in showing it here.

    2. eShop
    The iQue Switch has a crippled eShop, or rather "e商店", which still means "eShop". They even made a new logo for it.



    There are only 5 games in the eShop due to the strict game censorship rules in China. Stop complaining. Better than nothing, isn't it?
    Also, for anyone who has an international Switch, tell me if Shio and Rainbow Fallen (the 1st tile shown in the image) are iQue-exclusive games.



    You can't directly buy games on the iQue Switch, since you cannot bind any payment method (credit cards, PayPal, Alipay, whatever) to your account. You have to buy them on your cellphone. When you choose to buy a game it shows this QR code:



    You scan this QR code on your phone with WeChat to pay for it. I don't know what happens after payment, though; I don't want to buy games crippled by censorship (yeah, they even managed to get Mario Kart crippled: the "pirate hat" has been removed).

    3. Channels

    It's really surprising that even though there are only 5 games in the eShop, Tencent is still posting shitpost news in the channels. The iQue Switch has only a few channels, though, just like its eShop.



    4. System Settings

    I will only show the differences and interesting spots.

    The webpage for customer support has been changed. It uses an independent website (nintendoswitch.com.cn) rather than Nintendo's main website.



    Surprisingly, the parental control settings are still there. There is no point to this in China, since the regulations require all games to be rated at most equivalent to ESRB T to be sold legally. I feel I am missing some settings here. If you have an international Switch, tell me what this page should look like.



    Cannot change language or region. Are you trying to betray your glorious Soviet motherland?



    5. Conclusion

    As AVGN said, "this game sucks." Nope, this console sucks. But remember one thing: it's relatively hard for commies to get smuggled consoles here, and even if you do, you're going to pay almost double the price for it. And now the Xec guys are able to hack Mariko... Yeah, maybe this thing is okay. :yarrthink: No. We never care about intellectual property. That's what capitalist dogs do.

    My Switch friend code is SW-3314-4020-8061. Make sure you add it from another iQue Switch: iQue friend codes cannot be added on regular Switches and vice versa.

    N GBA / Some iQue GBA Prototype games
    « on: February 05, 2020, 09:56:24 AM »
    Shhh... Let's not leak our hard work!!
    These are some iQue GBA game prototypes that were never released. Most of them are in a playable state on both real GBAs and emulators, since the iQue GBA has no differences from regular ones.
    https://mega.nz/#!rxVBSKQS!aYYEc9fYmWpW_wIY8oVl1_yDZ-sofyE6Vl6S1mDOobQ

    Advance_Wars  陆海空大战  高级战争
    Densetsu_no_Stafy  斯塔非传说  传说的斯塔非
    Densetsu_no_Stafy2  斯塔非传说2  传说的斯塔非2
    DK_King_of_Swing  摇摆森喜钢  大金刚摇摆之王
    Famicom_Mini_Collection  红白机合集
    Fire_Emblem  火纹战记封印之剑  火焰之纹章封印之剑
    Kuru_Kuru_Kuruin  转转棒  咕噜咕噜滚滚棒
    Kuruin_Paradise  转转棒天堂
    Mario_Kart_Super_Circuit  马力欧卡丁车超级赛道 马里奥赛车超级巡回赛
    Mario_Luigi_Super_Star_Saga  马力欧与路易吉RPG
    Polarium_Advance  通勤一笔
    Tomato_Adventure  番茄大冒险  西红柿王国大冒险
