Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

[yyoossk]

NameError: name 'key_x_gak' is not defined

 

[Imancol]

pip install pycryptodome

--------------------- MERGED ---------------------------

Do you even know how to write Python code ???
I mean that code looks horrible... and btw what are rpk_key_y and key_x_gak ? both variables are undefined...

Thank you!. Now I get this xd

rpk_key = GenerateAesKek(rsa_private_kek_generation_source, key_x_gak, master_key)
NameError: name 'key_x_gak' is not defined

 

[Gnarmagon]

Thank you!. Now I get this xd

the last error is because the OP uploaded unfinished code, can't help you with that

Btw here is a slightly improved version: (still gives the error but it's now a lot more consistent...)

 

[yyoossk]

print("eticket_ssl_rpk = " + hx(rpk_key).upper())
TypeError: Can't convert 'bytes' object to str implicitly

 

[zizoux]

• "Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek."

Required keydata?

 

[SocraticBliss]

Here you go guys, you can use this instead of the 00 and 01 python scripts in you are having trouble, just put your decrypted PRODINFO.bin in the same folder as the script, fill in the keys and run...

python CertNXtractionPack.py

https://gist.github.com/socraticbliss/4410790b6e5a27161f521c45d1eb2684

 

[salamandrusker]

Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:

• First, make sure Python3 and both the asn1 and pycrypto modules are installed.
• Next, copy your PRODINFO.bin partition into the folder
• Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
• Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it, that will decrypt your private key and extract your cert.
• Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
• Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
• Voila! You can now find your generated certificate in the new folder named "Out"!

How 2 get dem keyz???

• The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
• The second key is the original master key, you can extract it from your keyblobs using hactool.
• The third and fourth keys are plaintext in the ssl sysmodule NSO.
• Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)

Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.

you have a magic power on your hands !!! congrats!! thanks!!

 

[NANASHI89]

Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:

• First, make sure Python3 and both the asn1 and pycrypto modules are installed.
• Next, copy your PRODINFO.bin partition into the folder
• Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
• Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it, that will decrypt your private key and extract your cert.
• Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
• Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
• Voila! You can now find your generated certificate in the new folder named "Out"!

How 2 get dem keyz???

• The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
• The second key is the original master key, you can extract it from your keyblobs using hactool.
• The third and fourth keys are plaintext in the ssl sysmodule NSO.
• Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)

Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.

But how do I dump the NAND? @SimonMKWii

 

[yyoossk]

how to decrypt PRODINFO?
dump from raw nand is decrypted?

 

[Gnarmagon]

how to decrypt PRODINFO?
dump from raw nand is decrypted?

hence the keys....

 

[ut0pia]

cat clcert.pem privkey.pem > nx_tls_client_cert.pem

.bat with cat command, that's why you end up with 0 filesize nx_tls_client_cert.pem

 

[SocraticBliss]

cat clcert.pem privkey.pem > nx_tls_client_cert.pem

.bat with cat command, that's why you end up with 0 filesize nx_tls_client_cert.pem

Could probably use type...

type clcert.pem privkey.pem > nx_tls_client_cert.pem

 

[yyoossk]

how to find rsa private kek generation source?

 

[Gnarmagon]

how to find rsa private kek generation source?

http://bfy.tw/I7jf

 

[zizoux]

nvm. got it

 

[Sonicbrawler]

Could probably use type...

type clcert.pem privkey.pem > nx_tls_client_cert.pem

changed his .bat file to have this change but still spits out an empty file.

 

[yyoossk]

http://bfy.tw/I7jf

--------------------- MERGED ---------------------------

lol

 

[zizoux]

yep. it still creates a 0kb pfx

 

[Mazamin]

print("eticket_ssl_rpk = " + hx(rpk_key).upper())
TypeError: Can't convert 'bytes' object to str implicitly

I fixed the code

import sys
from binascii import unhexlify as uhx, hexlify as hx
from Crypto.Cipher import AES

def decrypt(inputkey, iv):
    return AES.new(iv, AES.MODE_ECB).decrypt(inputkey)

def unwrap(wrappedkey, iv):
    return decrypt(wrappedkey, iv)

rsa_private_kek_generation_source = uhx('X')
master_key = uhx('X')
ssl_aes_key_x = uhx('X')
ssl_rsa_key_y = uhx('X')

def GenerateAesKek(rsa_private_kek_generation_source, ssl_aes_key_xk, master_key):
    unwrapped_kek = unwrap(rsa_private_kek_generation_source, master_key)
    unwrapped_kekek = unwrap(ssl_aes_key_x, unwrapped_kek)
    return unwrap(ssl_rsa_key_y, unwrapped_kekek)

rpk_key = GenerateAesKek(rsa_private_kek_generation_source, ssl_aes_key_x, master_key)
rpk_key_b = hx(rpk_key).upper()
print("eticket_ssl_rpk = " + "".join(map(chr, rpk_key_b)))

 

[SocraticBliss]

Thank you all. I was able to make the file Der. But when I want to create the "nx_tls_client_cert.pfx" with "03_save_as_pfx.bat" it does not build it and it creates a 0KB file...

--------------------- MERGED ---------------------------


ROLF

EDIT: Here, I made it easier for you, if you have a keys.txt file in the same directory (in the hactool format, ie. key = 32 digit hex value), it will automatically use the key, so you don't have to edit the script at all!

EDIT: I have added @JupiterJesus 's commit!

EDIT: Refer to latest post