Topic: Tutorial: Region Unlock iQue Switch

Offline CarlTrek

Tutorial: Region Unlock iQue Switch
« on: July 18, 2020, 02:32:26 PM »
P. S. If you want to know more about iQue Switches, read my other articles in the same section as this.
First things first, I am not responsible for any damage dealt to your Switch in this operation process, even if you have followed my steps exactly!
The reply I made on GBATemp, saying this is impossible, is wrong! The reason I failed was injecting the modified Prodinfo with Incognito itself, which doesn't really work. Dunno why, but it seems the SX Core chip is getting in the way.
A. Before We Start
• You cannot go online multiplayer or use the eShop with this unless you want an insta ban, even if you don't use any kind of unlicensed or pirated software. Actually, this will even increase the banning possibility, since there will be things that cannot match up in your device identification after such an operation; for example, your device serial will still begin with XKC, which is iQue specific. Wiping out or modifying the serial and other console-specific data may help out a little, but we don't suggest doing such an operation, since using the wrong tools and/or wrong methods while manipulating the Prodinfo partition could result in an irreversible brick (e.g. the incognito module in Tinfoil).
• It's NOT recommended to do this operation on your sysNand, since this operation involves dangerous procedures like manipulating the Prodinfo partition. Only try it on emuNand.
• You can actually region lock an international version Switch in the same manner, but it seems that doesn't make much sense.
• You will lose all your NSP games, updates, DLCs, and game saves in this operation. Please back them up if they are still needed.
• Currently I'm not sure if you will gain/lose the ability to run iQue eShop games and iQue cartridges after this operation, for I'm not sure if some kind of key derivation process is done in the factory reset process, and I have no iQue cartridges, let alone my iQue Switch is banned. :-[ If you find you have lost such ability and there is a necessity for you to run iQue eShop games and iQue cartridges, you can still boot to your unmodified sysNand and enjoy them. Also, if that does happen, contact me to let me know.

B. How it works
There is a partition called Prodinfo in the Switch NAND, and there is a part called CAL0 inside, which contains some device identification information, including the region code. Here is a link for you to know more: https://switchbrew.org/wiki/Calibration

Despite so many weird features and behaviors in the iQue Switch OS, what's under the hood is surprisingly simple: on the first boot, it only checks the region code in Prodinfo. If it's "CN" (0x04), then it activates iQue Switch features; otherwise, it activates international features. This is quite different compared to its ancestors like the iQue 3DS, which had major differences in software, and sometimes even in hardware, compared to their equivalent international models.

So, we just modify Prodinfo and then get back to first-boot status, and then we will be able to change the region lock status.

0. Software Needed
• Lockpick.nro (not LockpickRCM; that one won't work since there is no way to push a payload on Mariko units.)
• Incognito.nro (again, not its RCM version.)
• GoldLeaf.nro
• CheckPoint.nro/JKSV.nro (this is not required, but definitely useful, since you will lose everything)
• NxNandManager
• HxD
These tools should be easy to get just by Googling their names, so download links are not given out here to keep it tidy.

1. Pick The Keys

Firstly, get your tools prepared. After you have downloaded all those tools, put NxNandManager and HxD on your PC, and everything else goes into the root of the SD card of your Switch.

And then, launch LockPick. It's a homebrew; just click the album, choose "HOMEBREW" in the CFW menu and then click on LockPick.

When you see this, the process is done. Press + to exit. Now you have got the key which we need to decrypt the Prodinfo later.

2. Dump Decrypted Prodinfo

Launch Incognito. When you see this menu, press "B" to get prodinfo.bin. When it tells you success (usually in less than 1 second), it's done. Press + to exit.

3. Modify Prodinfo

Eject the SD card from your Switch, put it in a reader and hook it up to your PC. You will find a prodinfo.bin file in sdcard:/backup. Copy that file to somewhere safe in case something goes wrong later on. Open HxD, and open that prodinfo.bin. Press Ctrl+G, type in "3510", and then Enter, since what we are going to modify is at offset 0x3510 (and also 0x351E). Notice these two values shown in the picture:

The left one is at offset (you can think of offset as just a fancy name for "location") 0x3510, and the right one is at offset 0x351E. That "03 00" is the region code, while "63 3B" is the checksum. You can change them to these values:

    0x3510   0x351E   Region
    00 00    66 FF    JP
    01 00    66 3E    US
    ------------------------------
    04 00    63 3B    iQue

For those who have never used a hex editor: click directly on the number you want to modify and then key in the number. Don't type anything in that "dotty" area. The content in the "dotty" area may change when you are keying in numbers on the left; no need to worry.

Actually, which region code you choose doesn't really matter. It only cares whether it's iQue or not. Notice that 0x3510 and 0x351E must match up or you will get a brick!

After you are done, press "save" and then exit HxD.

4. Inject Modified Prodinfo Into Emunand

Notice: this assumes you save your Emunand as files. If you save your Emunand as a hidden partition, you may have to take extra steps to unhide the partition and assign it a drive letter before continuing. This is kinda complex and off topic, so I don't want to talk about it too much; Google is your friend.

Open NxNandMgr, and click Options - Configure Keyset, since we need to set up our keys first. Click "import keys from file", then select your prod.keys file. It's under sdcard:/switch. Then those empty boxes will be filled in automatically, and you can close that window. If it tells you that it failed to parse the key file, close NxNandMgr, right click on its icon, select "run as administrator", then try again.

Click File - Open File, then select your Emunand part 0, which is in sdcard:/sxos/emunand/full.00.bin (if your emunand is saved as a partition, then you should click File - Open drive and select your emunand partition), then click "PRODINFO". Click "Restore from file", and then select your modified prodinfo.bin, which is under sdcard:/backup/prodinfo.bin. Click OK in the pop-up window and, when it's done, close NxNandManager.



5. Send Switch Back to First Boot

You will lose all your game saves by doing this! Back them up with Checkpoint/JKSV first!

Put the SD card back into the Switch and turn it on. Run Goldleaf and select "Explore Content - Console Memory(System)", and then move the cursor to the "save" folder. Press the Y button and then select "Delete". Then do the same with the "savemeta" folder. You may find that the "save" folder is still there, but all the contents inside are gone. This is as expected.

And then, exit GoldLeaf by pressing +, go to system settings and do a factory reset. You may find your Switch suddenly turns off very shortly after it begins to factory reset: this is as expected. Just turn it back on, and you have got a region unlocked iQue Switch.

Z. Thanks
• zestiva, for proposing such a procedure as an idea on GBATemp.
• HenryMin, for confirming such a procedure is possible, and pointing out why my first few attempts failed.
• CBPS, for running the forum I post this tutorial on.
• TX, I mean both TXs, for creating weird and fun hardware for us to research on.

We are free, We are free!


« Last Edit: July 18, 2020, 02:42:06 PM by CarlTrek »
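Step 3 of the post above gives three (0x3510, 0x351E) pairs and warns that the two offsets must match or the console bricks; step 4 then injects the file without any check. The script below is an added example, not code from the post or from Incognito, NxNandManager or any other tool named in it. It assumes (my assumption, chosen because it reproduces all three pairs in the post's table) that the 0x10-byte region block at 0x3510 ends with a little-endian CRC-16 over its first 14 bytes, computed with the reflected 0x8005 polynomial (nibble table 0xA001) and initial value 0x55AA. The sample buffer is constructed, not a real dump, and the check covers only this block, nothing else in the file.

```python
import struct

# CAL0 region block layout (assumed; consistent with the post's table)
REGION_BLOCK_OFFSET = 0x3510
REGION_BLOCK_SIZE = 0x10
CRC_OFFSET = REGION_BLOCK_OFFSET + REGION_BLOCK_SIZE - 2   # 0x351E, the "right one"

# The three region codes listed in step 3 of the post
REGION_CODES = {"JP": 0x00, "US": 0x01, "iQue": 0x04}

# Nibble-at-a-time table for the reflected CRC-16 polynomial 0xA001 (assumed algorithm)
_CRC_TABLE = (0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
              0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400)


def cal0_crc16(data: bytes) -> int:
    """CRC-16 over `data` with initial value 0x55AA (assumed CAL0 block checksum)."""
    crc = 0x55AA
    for b in data:
        crc = (crc >> 4) ^ _CRC_TABLE[crc & 0xF] ^ _CRC_TABLE[b & 0xF]
        crc = (crc >> 4) ^ _CRC_TABLE[crc & 0xF] ^ _CRC_TABLE[b >> 4]
    return crc


def table_crc(region_code: int) -> int:
    """Checksum of a region block holding `region_code` followed by zero padding."""
    payload = struct.pack("<I", region_code) + bytes(REGION_BLOCK_SIZE - 6)
    return cal0_crc16(payload)


def block_payload(prodinfo: bytes) -> bytes:
    """The 14 checksummed bytes of the region block as they appear in the file."""
    return bytes(prodinfo[REGION_BLOCK_OFFSET:CRC_OFFSET])


def stored_crc(prodinfo: bytes) -> int:
    return struct.unpack_from("<H", prodinfo, CRC_OFFSET)[0]


def region_block_is_consistent(prodinfo: bytes) -> bool:
    """True when the bytes at 0x351E match the checksum of the bytes at 0x3510."""
    return stored_crc(prodinfo) == cal0_crc16(block_payload(prodinfo))


def set_region(prodinfo: bytes, region_code: int) -> bytes:
    """Return a copy with the region code and its checksum rewritten together."""
    buf = bytearray(prodinfo)
    struct.pack_into("<I", buf, REGION_BLOCK_OFFSET, region_code)
    struct.pack_into("<H", buf, CRC_OFFSET, cal0_crc16(block_payload(buf)))
    return bytes(buf)


def check_before_restore(prodinfo: bytes) -> list:
    """Pre-flight check for step 4: list the problems that would justify aborting."""
    problems = []
    if len(prodinfo) < REGION_BLOCK_OFFSET + REGION_BLOCK_SIZE:
        problems.append("file too short to contain the region block")
        return problems
    region = struct.unpack_from("<I", prodinfo, REGION_BLOCK_OFFSET)[0]
    if region not in REGION_CODES.values():
        problems.append(f"region code 0x{region:02X} is not in the post's table")
    if not region_block_is_consistent(prodinfo):
        problems.append(f"checksum mismatch: stored 0x{stored_crc(prodinfo):04X}, "
                        f"expected 0x{cal0_crc16(block_payload(prodinfo)):04X}")
    return problems


def make_sample_prodinfo(region_code: int) -> bytes:
    """Constructed stand-in for a dump: zeros up to the end of the region block."""
    return set_region(bytes(REGION_BLOCK_OFFSET + REGION_BLOCK_SIZE), region_code)


if __name__ == "__main__":
    # Reproduce the post's table: the two CRC bytes are stored little-endian
    for name, code in REGION_CODES.items():
        crc = table_crc(code)
        print(f"{name:4s} {code:02X} 00 -> {crc & 0xFF:02X} {crc >> 8:02X}")
    dump = make_sample_prodinfo(REGION_CODES["iQue"])
    print("iQue sample consistent:", region_block_is_consistent(dump))
    half_edited = bytearray(dump)
    half_edited[REGION_BLOCK_OFFSET] = REGION_CODES["US"]   # region changed, CRC not
    print("half-edited problems:", check_before_restore(bytes(half_edited)))
```

Run `check_before_restore` on the edited prodinfo.bin before clicking "Restore from file"; an empty list means the two offsets agree. The half-edited case in the script is exactly the mistake the post warns about (region byte changed, checksum left at the old value), and it is reported as a mismatch rather than written to the NAND.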

Offline cai_miao

Re: Tutorial: Region Unlock iQue Switch
« Reply #1 on: July 20, 2020, 05:05:16 PM »
I have to point out that the system title saves are already initialized during the factory setup stage, meaning the bit that controls the Tencent feature (assumed to be the region code according to my research) included in the savegames is already written to the NAND before the customer's first boot. So this method of modification is not by any means legal.

I own a Tencent Switch and dumped the factory clean NAND before my first boot, and finished my research on region changing around 10th July.

Also I have the dump of the stock NSMBUDX demo game. The one bundled is not encrypted.
Yeah, the eShop downloaded titles (base and probably DLCs) do use the new personalized ticket format (uses console specific keys), but this not only applies to the Tencent Switch but also to all Mariko products. But I can tell you update titles are confirmed to use common tickets. (The Neon Abyss demo includes an update title.)
« Last Edit: July 20, 2020, 05:16:55 PM by cai_miao »

Offline CarlTrek

Re: Tutorial: Region Unlock iQue Switch
« Reply #2 on: July 21, 2020, 02:17:47 AM »
Quote
So this method of modification is not by any means legal.
I don't really understand what you are trying to argue by using the word "not legal".

If you mean "it breaks the law to do this", no, this is totally legal, since the Switch I own is my private property and it's definitely legal for me to choose how I deal with it, unless the Switch was acquired illegally (stolen, robbed), illegal procedures were involved in hacking it (using Nintendo confidential data), or the Switch is being used for illegal activities after being hacked (piracy). None of those are involved in this hacking tutorial.

If you mean "it has violated the Nintendo EULA", yes. But remember, from the very moment you disassembled the Switch to install SX Core, you had already violated the Nintendo EULA. That is why I need to warn all of you not to go online with such a modified console, since Nintendo won't take chances on behaviours that violate the EULA.

If you mean "your theory/procedure makes no sense", why don't you try it first before drawing a conclusion? The worst result you can get is losing every game and save and probably bricking the emunand; just recreate one and it will be okay.

Offline cai_miao

Re: Tutorial: Region Unlock iQue Switch
« Reply #3 on: July 21, 2020, 02:54:32 AM »
I don't really understand what you are trying to argue by using the word "not legal".

Well... I did forget to add the quote mark. Keep calm. I would define "archiving something without manually overwriting things that are not read-only material" as "legal" (delete is treated as writing massive zeroes), a.k.a. clean. PRODINFO is read-only while savegames are not. And because your Tencent feature flag is already active before your (customer) first boot, you have to remove (write zeroes to) some savegames, causing your "legal" (clean) status to be gone, as a potentially illegal log that will be sent via the telemetry service is generated.

The reason why I don't use the "clean" term is that writing some data to known blocks of rw files is still clean IMO; your legal logs are retained and you are mostly safe to go online with this kind of modification (like "legal Pokemons").

Plus, there's already a homebrew forked from blawar's incognito and modded by a user from the infamous 91wii forum, dedicated to region changing Horizon (Tencent feature to global feature and vice versa). The method behind the tool is the same, but it terminates more system processes so more savegames can be deleted.
I have uploaded this to the Temp; source code is included.
https://gbatemp.net/threads/switch-region.569965/#post-9133316

And I had been researching the region change method from around 6th July; a guy solved this first so I just gave up and turned to verifying the "legality" of the method, and concluded illegal with the help of my factory savegames.
« Last Edit: July 21, 2020, 03:03:59 AM by cai_miao »

Offline CarlTrek

Re: Tutorial: Region Unlock iQue Switch
« Reply #4 on: July 21, 2020, 03:54:21 AM »
Quote
there's already a homebrew forked from blawar's incognito and modded by a user from the infamous 91wii forum, dedicated to region changing Horizon (Tencent feature to global feature and vice versa).
Wow, that's way faster than I expected. I have thought about making an automatic region changing tool, but I don't have any knowledge of console programming.

Quote
And because your Tencent feature flag is already active before your (customer) first boot...
I guess it's possible to do it "legally", but that would require another NAND chip.
• Dump the NAND inside the Switch (named NAND1) before its first boot.
• Recover the spare NAND (named NAND2) with that dump externally (by a flash ROM burner etc.)
• Boot up the Switch with NAND1 and run lockpick to pick the key.
• Decrypt NAND2 with the key picked, modify its Prodinfo and those saves.
• Replace the NAND on the Switch motherboard from NAND1 to NAND2.
And furthermore, I think it's possible to design some kind of Xbox 360 styled multi-NAND circuit to swap between NAND1 and NAND2, so you can use both the iQue and international eShop.

And probably you don't need 2 NAND chips. Making an emunand before your first boot and modifying it may also do the trick?
« Last Edit: July 21, 2020, 04:09:17 AM by CarlTrek »

Offline cai_miao

Re: Tutorial: Region Unlock iQue Switch
« Reply #5 on: July 21, 2020, 10:30:27 AM »
Quote
Decrypt NAND2 with the key picked, modify its Prodinfo and those saves.

Now the only problem is how to modify it: I don't know which bit is responsible for this, nor the way to fix the CMAC verification manually (I assume there's more verification).
Not enough information on switchbrew or in other homebrews; no one has bothered to write system save games yet.

The only thing I can confirm now is that the bit exists in the saves for system settings (8xx50~8xx54). I don't have time to further inspect it.
« Last Edit: July 21, 2020, 10:34:13 AM by cai_miao »

Offline CarlTrek

Re: Tutorial: Region Unlock iQue Switch
« Reply #6 on: July 21, 2020, 11:02:28 AM »
Quote
I don't know which bit is responsible for this, nor the way to fix the CMAC verification manually
Probably no need, since NxNandMgr can get it done by itself. You won't have any problem modifying PRODINFO or any partition and injecting it back.
Also, NAND2 hasn't been booted yet at this step. You don't even need to edit the save precisely; just by removing/modding those saves to what they should look like on an international Switch, it should notice no problem. There are no things like a security processor or hypervisor in the Switch, so besides the NAND there is nowhere for it to hide information.

Offline cai_miao

Re: Tutorial: Region Unlock iQue Switch
« Reply #7 on: July 21, 2020, 06:15:07 PM »
Quote
Probably no need, since NxNandMgr can get it done by itself. You won't have any problem modifying PRODINFO or any partition and injecting it back.

I was mentioning the savegames. Prodinfo validation is relatively simple. As I said, deleting (writing zeroes) is not known to be safe, and I can't just port another console's save because the validation is console specific.

Offline CarlTrek

Re: Tutorial: Region Unlock iQue Switch
« Reply #8 on: July 22, 2020, 04:56:21 AM »
Quote
I can't just port another console's save because the validation is console specific.

So, even international models also have those savefiles?