/FVI

Switch NAND dump firmware version inspector

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

Firmware Version Inspector License

Scans a Nintendo Switch NAND dump and identifies its firmware version and whether exFAT is present based on the names of the .nca files in SYSTEM:/Contents/registered.

Usage

Requires Python 3 with pycryptodome (pycrypto works too):

pip install pycryptodome

FVI uses BIS key 2 if the System partition is still encrypted (i.e. a backup made with Hekate). Get BIS keys with biskeydump and save the output to a text file to pass to FVI via the -b option.

Then run from command line:

python FVI.py [-b=/path/to/biskeyfile] <dumpfile>

 biskeyfile must contain the following lines:
   BIS Key 2 (crypt): <32-digit hex key>
   BIS Key 2 (tweak): <32-digit hex key>
  omit -b if System partition already decrypted (eg. dumped with HacDiskMount)

 dumpfile must be NAND dump (eg. Hekate rawnand.bin dump) or System partition

Tested under Windows 10 with Anaconda Python 3.6.5 and Ubuntu 16.04 LTS with Python 3.5.2.

Theory

Until now, this could only be done by manually checking the files in that folder after mounting with HacDiskMount or memloader then either comparing to an existing list or decrypting and inspecting each .nca file with hactool in search of the System Version Title.

This program consults a hard-coded file list obtained using these techniques. It will be updated as future firmware versions are released to keep it fast and low on dependencies.

Most recent boot time is determined by examining the modify date on the system save 8000000000000060 'SslSave' which my testing showed is modified on every boot.

Note: This script detects exFAT by looking for 010000000000081B which means that a 'hacked' exFAT implementation that only patches 0100000000000819 will not register as a dump containing exFAT. This is by design to keep the script fast and simple by avoiding decryption of system titles.

Credits

crypto.py module is from switchfs under MIT license - it was in turn ported to Python 3 from crypto.py gist by plutooo

Big thanks to the Wikipedia entry on FAT layout :) - being able to read the dump disjointly means FVI only needs to fetch and decrypt a small handful of clusters rather than the entire 2 or 32GB file!