Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Dudamax

Is the fact that my SD is not exFAT (I don't remember what it is) the reason why rawnand gets dumped in parts?
 

JaRocker

Hey, I'm having some problems getting everything set up with Python on Windows. Is there any other easier way of getting the cert from my NAND dump? I already got my PRODINFO.
 

Leonidas87

There are a lot of steps involved in this portion of everything to get the main app/downloader up and running.

It's at least a 20 step process.

Must be some way this can be streamlined or made into an app or executable on a PC.

It's hard to explain but I'm sure you get what direction I am going in. There must be a way to cut this 20 step process down to a 5 step process.

Every step has a chance for mistake and I'm sure one mistake along the process and you will fail.

Just an idea but should be considered.

Once we have the nand backup for example copy it to the computer and run a program that does most of the steps in one.
you'll still need this if you plan on downloading games from nintendo's cdn in the near future 0.o

It's so difficult to do I'm having trouble following this tutorial the way it is described.
 

Imancol

since the whole process is aids to figure out without any prior experience, I'll provide steps:

step 1: Download TegraRcmSmash https://gbatemp.net/threads/tegrarcmsmash-a-fusee-launcher-for-windows.502334/

step 2: Get payload https://gbatemp.net/threads/rcm-payload-hekate-mod-raw-full-nand-backup.502604/

step 3: Put an empty microSD card on exFAT with at least 32GB of space into your switch

step 4: Plug the switch into your comp, get into RCM

step 5: Boot hekate 1.3 and select rawNAND backup (something like that) and wait for it.

step 6: Get next payload (biskey) https://switchtools.sshnuke.net

step 7: Open the folder with TegraRcmSmash and place biskeydump.bin next to it

step 8: While in the TegraRcmSmash folder, Shift + Right Click in an empty space and press "Open command window here"

step 9: Plug the switch into your comp, get into RCM (microsd card not required)

step 10: Back where you opened the command window, type TegraRcmSmash.exe -w out/biskeydump.bin BOOT:0x0

step 11: biskeydump will now show your keys on the console AND on your computer in the command window

step 12: Open hacdiskmount https://switchtools.sshnuke.net

step 13: file > open > rawnand.bin (extracted from your switch)

step 14: select PRODINFO

step 15: put the keys in that it asks you for from the command window earlier.

step 16: You now have PRODINFO

step 17: download op's CertNXtractionPack

step 18: open up the pack and edit 00_generate_ssl_kek.py

step 19: insert the keys within the quotations

step 20: replace "ssl_aes_key_x" with "key_x_gak", and replace "ssl_rsa_key_y" with "rpk_key_y"

step 21: save it and drag your PRODINFO onto the 03_save_pft.bat

step 22: your cert is in the "Out" folder. gratz
How to obtain the PRODINFO.bin file, please?
I should add it in a new thread. So avoid that the last messages like this are not read and keep asking how to do it.
 

Kafluke

In step 20 you say to replace the "ssl_aes_key_x" with "key_x_gak", and replace "ssl_rsa_key_y" with "rpk_key_y". The output from the BIS payload gives me these keys. Which ones go where in the certnxtractionpack?

HWI: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SBK: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TSEC KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DEVICE KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 0 (crypt): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 0 (tweak): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 1 (crypt): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 1 (tweak): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 2 (crypt): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 2 (tweak): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 3 (crypt): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 3 (tweak): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 

aslk

BIS KEY 0 (crypt): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BIS KEY 0 (tweak): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 

Kafluke

So just to be clear, are you telling me to replace the words "ssl_aes_key_x" with "key_x_gak"? Or are you just saying put those keys inside the parentheses? Also, what about the rsa_private_kek_generation_source and master_key? Do I need to change those lines or insert something?

Last question for more clarity. When I insert my BIS KEY 0 (crypt) and BIS KEY (tweak) keys do I leave the single apostrophe or just delete everything between ( and ) and replace with key?
 

SimonMKWii

OP
No, no, no!!!
That's completely incorrect.
Assuming you're on 5.0.2, find "F5D06292E093C651E67AA7C1A93B3880.nca" then decrypt and extract it in hactool.
Open the main file in a hex editor, then search for the hint bytes I gave in the script. Both are 16 bytes (32 characters) long.
 

Kafluke

I'm on 4.1

How do I find that .nca file on 4.1? I followed the 20 steps by @aslk and I don't have that file
 

aslk

o shit, so I did it wrong? rip
 

SimonMKWii

OP
If you're on 4.1.0, find "1FD444259440E23722CC0E0D0D8D0F0B.nca" in the system partition, and extract the exefs in hactool.
Then, put the main file in a hex editor, and search for the leading bytes.
 

Kafluke

Not sure how to find that .nca in the system partition. Do I use hacdiskmount to extract system first to a bin file and then hactool to find that .nca file? I'm not sure how to use hactool
 

SimonMKWii

OP
It's a bit annoying to keep messaging back and forth, do you have a Discord account?
If so, hop onto my Switch Hacking / general gaming server! Anyone is welcome.
We'll help you out, (unless you ask how to get free games.)
Invite link: https://discord.gg/K5nyTyj
 

chronoss

I have the file but it....
2e5f9fcdcd731ab0726987dc6c7b8f06.png
 

bgbrendan

Is there a method to install the files you download from the CDN to the Switch yet? Wouldn't mind using this to get the Mario Tennis demo if so.
 
