RELEASE: CertNXtractionPack - Get your Switch cert from a NAND dump!

SimonMKWii (OP)
Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:
  • First, make sure Python3 and both the asn1 and pycrypto modules are installed.
  • Next, copy your PRODINFO.bin partition into the folder.
  • Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
  • Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it; that will decrypt your private key and extract your cert.
  • Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
  • Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
  • Voila! You can now find your generated certificate in the new folder named "Out"!
How 2 get dem keyz???
  • The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
  • The second key is the original master key; you can extract it from your keyblobs using hactool.
  • The third and fourth keys are plaintext in the ssl sysmodule NSO.
  • Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)
Massive thanks to @SocraticBliss for helping me out with the Python stuff and @SciresM for the RSA calcs required in script 02.
 

Attachments
  • CertNXtractionPack.zip (763.3 KB)
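Script 02 is described above as doing the "RSA calcs" and the DER conversion. As an added example (not the pack's code), this shows how a PKCS#1 RSAPrivateKey is assembled in DER from a bare (n, e, d) using only the standard library; it assumes, as my reading of the steps, that the decrypted key material yields just those three values, so the CRT fields p, q, dP, dQ and qInv have to be recovered first.

```python
# Added example (not from the CertNXtractionPack scripts): build a PKCS#1 RSAPrivateKey
# (RFC 8017, A.1.2) in DER from (n, e, d) alone. Assumption: the decrypted key material
# yields only those three values, so the CRT fields p, q, dP, dQ, qInv must be recovered.
from math import gcd

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):  # non-negative INTEGER: minimal big-endian, sign bit clear
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body

def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def recover_factors(n, e, d):
    """Split n using e*d-1 = 2^t*r: any g^(r*2^j) that squares to 1 without
    being +-1 mod n is a non-trivial root of 1, and gcd(root-1, n) is a factor."""
    k, t = e * d - 1, 0
    while k % 2 == 0:
        k, t = k // 2, t + 1
    for g in range(2, n):  # deterministic base search; each base works w.p. >= 1/2
        y = pow(g, k, n)
        if y in (1, n - 1):
            continue
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1:
                p = gcd(y - 1, n)
                return p, n // p
            if x == n - 1:
                break
            y = x
    raise ValueError("no factors found; (n, e, d) is not a consistent RSA triple")

def rsa_private_key_der(n, e, d):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    p, q = recover_factors(n, e, d)
    return der_sequence(
        der_integer(0), der_integer(n), der_integer(e), der_integer(d),
        der_integer(p), der_integer(q),
        der_integer(d % (p - 1)), der_integer(d % (q - 1)),  # exponent1, exponent2
        der_integer(pow(q, -1, p)),                           # coefficient = q^-1 mod p
    )
```

The resulting bytes are what a PFX builder expects as the private-key half; with the toy triple (3233, 17, 2753) the output is a 31-byte SEQUENCE.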

link42586
CDN meaning the game download servers?? Content Distribution Network?
 

SimonMKWii (OP)
Don't do this to me right now... I'm tired. How important is this really, and is this something EVERYONE will need/do at some point in Switch hacking?
Well, finding and extracting games from your SD card to back them up or to datamine them (what I do) is a huge hassle!
What if you could skip that, and an entire layer of encryption?
 

SimonMKWii (OP)
I can't believe you guys are seriously thinking about recreating freeshop on switch.

Nintendo is so going to nuke every account from orbit that tries this, lol.
This is clearly not for freeshop at all, lol, you wouldn't even need to extract your cert to do that, as it's already on the console...
 

Ericthegreat
That's what I'm getting at. Straight downloads of games sent to system/SD. Install game/ticket and bam, you got the game... Or something more complicated than that, but I'm basic.
This sounds very important for our legal needs.

--------------------- MERGED ---------------------------

I can't believe you guys are seriously thinking about recreating freeshop on switch.

Nintendo is so going to nuke every account from orbit that tries this, lol.
We all plan to be banned anyway, and EVERYONE who does ANY modification should.
 

link42586
Tickets are always signed by Nintendo (RSA-2048 over a SHA-256 hash with PKCS#1 padding), meaning they cannot be forged. Finding the private key to the public key is currently considered computationally infeasible.
So idk if freeshop is anytime soon.

Much of the Switch's CDN/eShop design seems motivated to address some of the piracy problems faced by the 3DS/Wii U, and in particular users' ability to download games directly from Nintendo and retrieve their titlekeys from a communal keystore. "cetks" (tickets signed for every console) now only exist for game updates, preventing the "Legit" CIA sharing problem from previous consoles -- and, on top of that, tickets' titlekey data is now protected by console-unique keys that never leave TrustZone, making it much, much more difficult for users to dump and share their titlekeys.

We have access to the TrustZone with our hacks, I take it, but this sounds a little more involved.
 