Tutorial  Updated

How to get Switch Keys for Hactool/XCI Decrypting

This thread is deprecated
For a faster, easier and more up-to-date way of getting keys use Lockpick_RCM by shchmue
If you still want to follow this tutorial and end up with less keys, continue reading the Thread.


WARNING
  • DO NOT GIVE OUT ANY OF YOUR KEYS TO ANYONE! I CANNOT STRESS THAT ENOUGH!
  • DO NOT SHARE YOUR KEYS BETWEEN MULTIPLE SWITCHES THAT YOU DO/DON'T OWN! SOME ARE CONSOLE-UNIQUE
  • DO NOT ASK ME FOR KEYS


LEGEND
  • SBK
    SecureBootKey
  • TSEC
    Tegra Security Co-processor Key
  • eMMC
    Embedded MultiMediaCard (Switch's Onboard Storage)


GOAL
End up with 83+ keys including SBK and TSEC keys. Get Master Key's 0-5. (Master Keys 6 onwards is not done in this tutorial)
Reminder, if you want more up-to-date and much more convenient way to get your Switch's Keys, use Lockpick by shchmue (available in nx-appstore/homebrew store)


Tutorial — (Outdated for Switch's on firmware 6.x or newer)


#1 - Dumping System Keys (Biskeydump)#2 - Dumping Required Files#3 - Hactool Preparation#4 - Dumping KeysFinal WordsTroubleshooting


  1. We need to get your Secure Boot Key (SBK) and Tegra Security Co-processor Key (TSEC) before we can get the main keys.
    These are 100% console unique.

    1. Download and extract biskeydump.bin from biskeydumpvx.zip
      - Follow this tutorial but instead of using CTCaer's Hekate Mod .bin file, use the biskeydump.bin file
      - If the QR Code is Blue, Scan the QR Code with your Phone, Laptop e.t.c
      - If you cant find a device you can scan with, type them out into your PC/Laptop (Its highly recommended to scan the QR Code, as a lot of characters can look like another, O0, Il, rn can look like m, e.t.c)
    2. Once you have the biskeydump of your System, store all the keys you received somewhere safe, I recommend a secure cloud storage aswell as a USB Stick, perhaps even print it.
      - Don't give this to ANYONE, Seriously.

    If you get any errors please go to the Troubleshooting Tab.

    1. Follow this tutorial AGAIN but this time use CTCaer's Hekate Mod.
      - "Tools" -> "Backup..." -> "Backup eMMC BOOT0/1"
      - "Tools" -> "Backup..." -> "Backup eMMC SYS"
      - Back all the way to the first menu, and choose "Power off"
    2. Take the microSD Card out of your Switch and into your PC.
    3. Copy both "BOOT0" and "BCPKG2-1-Normal-Main" from "sd:/backup/xxxxxx/" (xxxxxx is different for everyone) to "hactool" on your Desktop (create the "hactool" folder)
      - Rename them with .bin at the end, "BOOT0.bin", "BCPKG2-1-Normal-Main.bin"

    1. Download and install Python 2.7.x - NOT Python 3.x.x
      When installing, it will ask you what features you want installed, scroll to the bottom and make sure "Add Python to Path" has "Entire Feature Installed to HDD" option chose (No Red X Icon), otherwise the scripts wont find Python and WILL fail
    2. Download and extract hactool TO THE DESKTOP AND NAME THE FOLDER "hactool"
      On Linux/MacOS: clone and build hactool manually
    3. Right-click this (script originally by tesnos6921, patched by shadowninja108, jakibaki and shchmue)
      - Click "Save link as" / "save as"
      - Set "Save as type" to "All Files"
      - Name it "keys.py"
      And finally save it to the hactool folder you placed in the Desktop.
      NOTICE TO GBATEMP STAFF: The "keys" inside this file, are NOT keys, they are SHA digest hashes used to search through files to find text that matches, which would be the keys.

    1. Press WIN(Btn)+R to open "Run", type "cmd" and press Ctrl+Shift then Enter to open Command Prompt as an Administrator
    2. Type (in order) or Copy the following and paste into Command Prompt (Some Windows Versions use Right Click to Paste, some use CTRL+C)
      python -m pip install --upgrade pip
      pip install lz4
      cd Desktop/hactool
      python keys.py SBK_Here_From_Biskeydump TSEC_Here_From_Biskeydump
    3. It should say: "Now you can do hactool --keyset=keys.txt to use them!", if it does, and there's no warning messages, you're good to go! :O
    If you get any errors please go to the Troubleshooting Tab.

  5. You now have a keys.txt file with your console-specific keys inside.
    Rename as needed by any software that requires a different name or file extension, it doesn't matter.
    Though I highly recommend renaming it to prod.keys as this filename for Key file's is becoming a popular choice with other software
    There may be more keys, as the Switch's lifecycle goes on, more and more keys will be needed as the firmwares grow and grow.
    • The Hactool warning:
      Code: 
      [WARN] prod.keys does not exist.
      can be safely ignored.
      - if you want to place your "keys.txt" file their, put "keys.txt" on your Desktop and run the following with Administrator Command Prompt (Step #4.1 for instructions):
      Code: 
      mkdir -p %USERPROFILE%\.switch
move "%USERPROFILE%\Desktop\keys.txt" "%USERPROFILE%\.switch\prod.keys"

  6. #1 ISSUES:
    • Code: 
      Red QR Code Outline
      - The reasons this can occur is quite a rarity, all I can say is to keep rebooting and trying again.
      - If there's a new version of biskeydump out, try using the newer biskeydump.bin
    • Code: 
      QR Code not being scanned by your Reader
      - Align your QR Code Readers alignment overlay with the Blue Square's Corners/Edges, NOT the QR Code's Corners/Edges.
      - Clean your camera lens
      - Be in a bright room

    #4 ISSUES:
    • Code: 
      File "keys.py", line ...
print message
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(message)?
      - You didn't place SBK and TSEC in the 4th line of the Command in Step #4.2
      - You installed Python 3.x.x when you must use 2.7.x, uninstall python, logout of windows (important it removes python from PATH) and follow Step #3.2 then move back to #4.1
    • Code: 
      import lz4.block
File "C:\Python27\lib\site-packages\lz4\__init__.py", line 17, in <module>
from ._version import ( # noqa: F401
ImportError: DLL load failed: The specified module could not be found.
      - The 2nd line of the Command in Step #4.2 failed without you noticing. Try running the 1st line to upgrade pip and if that goes successfully run the 2nd line to install lz4 and see if it successfully installs.
 
Last edited by shchmue,
  • Like
Reactions: Anonymous42456, fobins, GaaraPrime and 38 others
Click to expand...
bluedart

bluedart

Well-Known Member
Member
Level 10
Joined
Nov 13, 2016
Messages
270
Trophies
0
XP
2,221
Country
United States
Nice tutorial. I followed it twice, to the same result both times. There are no errors thrown, but as mentioned at least twice in this forum:
Haki said:
this only dumped Master keys 00 and 04 for me-
Click to expand...

Nemean said:
I have created my keys.txt however i only have master key 00 and 03 am i doing something wrong? I have found the other keys and want to add them to the file is there a specific way to do this or do i just add 01, 02 and 04 at the end?
Click to expand...

this doesn't seem to create all the master keys. In fact, I only got 0 and 4. I did not receive 1-3. I'm not sure what to do here. When I try to decrypt an xci all I get is a romfs.bin file. That doesn't seem right. I'm pretty sure there is supposed to be an exefs folder, but it never makes one whatever xci I decrypt. Posted below is a redacted screenshot I took of the process and key names given. Can anyone figure out what's going wrong here?

output.jpg


Names of keys dumped:
header_key_source
key_area_key_system_00
tsec_key
key_area_key_system_04
titlekek_04
aes_key_generation_source
sd_card_nca_key_source
titlekek_00
key_area_key_system_source
master_key_00
keyblob_mac_key_00
master_key_04
keyblob_mac_key_04
aes_kek_generation_source
encrypted_header_key
keyblob_mac_key_source
sd_card_kek_source
keyblob_04
key_area_key_ocean_00
keyblob_00
key_area_key_ocean_04
key_area_key_application_source
package1_key_00
package2_key_source
package1_key_04
key_area_key_application_04
key_area_key_ocean_source
key_area_key_application_00
sd_card_save_key_source
header_kek_source
secure_boot_key
header_key
titlekek_source
keyblob_key_04
keyblob_key_source_04
keyblob_key_00
keyblob_key_source_00
master_key_source
package2_key_00
package2_key_04
 
mcmrc1

mcmrc1

Well-Known Member
Newcomer
Level 2
Joined
Mar 11, 2018
Messages
49
Trophies
0
Age
41
XP
186
Country
Germany
Same here also just the 00 nd 04 files... Just google for a key file on the world wide web and add them to your key file...
 
bluedart

bluedart

Well-Known Member
Member
Level 10
Joined
Nov 13, 2016
Messages
270
Trophies
0
XP
2,221
Country
United States
mcmrc1 said:
Same here also just the 00 nd 04 files... Just google for a key file on the world wide web and add them to your key file...
Click to expand...

A novel idea. However after trying to find those keys for over 10 minutes and finding neither hide nor hair of them, I suppose I'm googled out. Also, since I have no idea where to put them in what exact format once I did find them, giving up at that point seemed prudent.
 
N

Nemean

Well-Known Member
Newcomer
Level 2
Joined
May 16, 2018
Messages
76
Trophies
0
Age
33
XP
183
Country
United Kingdom
bluedart said:
Nice tutorial. I followed it twice, to the same result both times. There are no errors thrown, but as mentioned at least twice in this forum:




this doesn't seem to create all the master keys. In fact, I only got 0 and 4. I did not receive 1-3. I'm not sure what to do here. When I try to decrypt an xci all I get is a romfs.bin file. That doesn't seem right. I'm pretty sure there is supposed to be an exefs folder, but it never makes one whatever xci I decrypt. Posted below is a redacted screenshot I took of the process and key names given. Can anyone figure out what's going wrong here?

View attachment 132484

Names of keys dumped:
header_key_source
key_area_key_system_00
tsec_key
key_area_key_system_04
titlekek_04
aes_key_generation_source
sd_card_nca_key_source
titlekek_00
key_area_key_system_source
master_key_00
keyblob_mac_key_00
master_key_04
keyblob_mac_key_04
aes_kek_generation_source
encrypted_header_key
keyblob_mac_key_source
sd_card_kek_source
keyblob_04
key_area_key_ocean_00
keyblob_00
key_area_key_ocean_04
key_area_key_application_source
package1_key_00
package2_key_source
package1_key_04
key_area_key_application_04
key_area_key_ocean_source
key_area_key_application_00
sd_card_save_key_source
header_kek_source
secure_boot_key
header_key
titlekek_source
keyblob_key_04
keyblob_key_source_04
keyblob_key_00
keyblob_key_source_00
master_key_source
package2_key_00
package2_key_04
Click to expand...

mcmrc1 said:
Same here also just the 00 nd 04 files... Just google for a key file on the world wide web and add them to your key file...
Click to expand...

Out of curiosity what firmware did you both receive your switch on and any idea about update history just wondering if this effects what we get as far as master keys.
 
bluedart

bluedart

Well-Known Member
Member
Level 10
Joined
Nov 13, 2016
Messages
270
Trophies
0
XP
2,221
Country
United States
Nemean said:
Out of curiosity what firmware did you both receive your switch on and any idea about update history just wondering if this effects what we get as far as master keys.
Click to expand...

Good question. I'm actually using a launch switch I pre-ordered months in advance. So 1.0.0. It's currently on 5.1.0, the most current firmware.
 
xXxSwagnemitexXx

xXxSwagnemitexXx

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Member
Level 7
Joined
Dec 7, 2016
Messages
674
Trophies
0
Age
27
Location
New Donk City
XP
1,003
Country
United Kingdom
kevandkkim said:
Im not sure how else to install lz4? requirements say it is good for 2.7.

Traceback (most recent call last):
File "keys.py", line 25, in <module>
import lz4.block
File "C:\Python27\lib\site-packages\lz4\__init__.py", line 11, in <module>
from ._version import ( # noqa: F401
ImportError: DLL load failed: The specified module could not be found.
Click to expand...
yes, im having this same problem

--------------------- MERGED ---------------------------

Phenj said:
anyone with the "ImportError" after doing "python keys.py"?
Click to expand...
i have this tooooo
 
N

Nemean

Well-Known Member
Newcomer
Level 2
Joined
May 16, 2018
Messages
76
Trophies
0
Age
33
XP
183
Country
United Kingdom
So I got 00 and 03 seems to me and it’s just a guess that the program grabs 00 and most recent master key so 03 on my 4.1 system and 04 on a 5.1 system?
Anybody know better than me able to refute or confirm?
 
mcmrc1

mcmrc1

Well-Known Member
Newcomer
Level 2
Joined
Mar 11, 2018
Messages
49
Trophies
0
Age
41
XP
186
Country
Germany
Nemean said:
So I got 00 and 03 seems to me and it’s just a guess that the program grabs 00 and most recent master key so 03 on my 4.1 system and 04 on a 5.1 system?
Anybody know better than me able to refute or confirm?
Click to expand...

So after long time testing i have found something who is nice to now...
-> h ttps://gist.github.com/roblabla/d8358ab058bbe3b00614740dcba4f208 -> There is also a test.ini who you see what keys are relevant and also what order they shout be.

*
Here's why the order is important:
  • keyblob_key_source, keyblob_mac_key_source and master_key_source gives package1_key
  • package1_key is used to decrypt package1, which contains Secure_Monitor.bin, in which you'll find some key sources and package2_key_source.
  • package2_key_source and master_key are then used to decrypt package2, which contains everything else....
This tutorial is written that we can obtain all the keys by our own... But you see that you need first some keys to decrypt another file, who contains again another key who generates another key in another file and so one... And that is that what doesnt work if you have not the right keys and maybe the script doesnt work to 100% as well so it fails...

I have now managed to use the PRAGMAsLayeredFSKit-v1.2.exe without problems...

Just dont hustle with all the keys there is google where all of them are there and you just need to use them...Because

OUR Switches have just 2 keys who you need to get by yourself. This is via the biskeydump.bin for your CONSOLE UNIQUE 2 keys SBK and TSEC . Put them ontop of the key file and add the other mentioned in the test.ini via google search v201805.14r2 and dont forget the Order because it seems relevant...

TheKeys.ini can you easaly open with notepad++ <-(better for editing then txt editor ^^ ) and save as txt and bin if you need it :)

not relevant but also good to know...
*Note that all the seeds (the keys that end with _source) are used along with the master_key_## to derive an actual key. If you have somehow obtained the key without the seed, you can rename xxx_source to xxx_## (where ## is the master key number) and put your key there.
*
-> Again source key generate with master key another key and so on... ^^ -> BUT who cares !! just use your 2 Console Unique keys and the others are floating around in the deep deep web ^^

After i had all keys in the right i had no problems with any app or false key....
 
  • Like
Reactions: guliver
M

Mario497

Member
Newcomer
Level 1
Joined
Jun 20, 2018
Messages
5
Trophies
0
Age
24
XP
92
Country
Canada
In step 4 when I type in admin cmd cd Desktop/hactool it says something like "System cannot find specified" I have the folder on the desktop.
 
mcmrc1

mcmrc1

Well-Known Member
Newcomer
Level 2
Joined
Mar 11, 2018
Messages
49
Trophies
0
Age
41
XP
186
Country
Germany
Mario497 said:
In step 4 when I type in admin cmd cd Desktop/hactool it says something like "System cannot find specified" I have the folder on the desktop.
Click to expand...

type -> that one what @shchmue ^ wrote ^^

c: / -> ENTER/RETURN
now type cd user
cd YOURUSERNAME
-> cd desktop -
> cd hactool
 
M

Mario497

Member
Newcomer
Level 1
Joined
Jun 20, 2018
Messages
5
Trophies
0
Age
24
XP
92
Country
Canada
shchmue said:
yes. mcmrc1's instructions also work but it should be "cd users" instead of "cd user" or you can just do all at once
Code: 
cd\users\USERNAME\desktop\hactool
either way means the same thing
Click to expand...
Oh... Alrighty, thanks

--------------------- MERGED ---------------------------

mcmrc1 said:
type -> that one what @shchmue ^ wrote ^^

c: / -> ENTER/RETURN
now type cd user
cd YOURUSERNAME
-> cd desktop -
> cd hactool
Click to expand...
Thanks!

--------------------- MERGED ---------------------------

Was I suppose to put the code where it says SBK and TSEC?
 

Attachments

  • Screenshot_27.png
    Screenshot_27.png
    17.6 KB · Views: 222
  • Like
Reactions: mcmrc1
shchmue

shchmue

Developer
Developer
Level 11
Joined
Dec 23, 2013
Messages
791
Trophies
1
XP
2,367
Country
United States
Mario497 said:
Oh... Alrighty, thanks

--------------------- MERGED ---------------------------


Thanks!

--------------------- MERGED ---------------------------

Was I suppose to put the code where it says SBK and TSEC?
Click to expand...
yep ReplaceMeWithSBK and the other needs to be replaced with your actual SBK and TSEC
 
  • Like
Reactions: Mario497
M

Mario497

Member
Newcomer
Level 1
Joined
Jun 20, 2018
Messages
5
Trophies
0
Age
24
XP
92
Country
Canada
shchmue said:
yep ReplaceMeWithSBK and the other needs to be replaced with your actual SBK and TSEC
Click to expand...
Thanks

--------------------- MERGED ---------------------------

shchmue said:
yep ReplaceMeWithSBK and the other needs to be replaced with your actual SBK and TSEC
Click to expand...
I replaced it with the keys but in cmd it says index error in some lines. But it still gave me the keys.txt file. and saying that I could use it with hactool
 
C

Cyberevan

Well-Known Member
Newcomer
Level 7
Joined
Oct 16, 2014
Messages
89
Trophies
0
Age
36
Location
Manila, Philippines
XP
1,041
Country
Can someone help, getting this error when "pip install lz4"
Traceback (most recent call last):
File "C:\Python27\lib\runpy.py", line 174, in _run_module_as_main
"__main__", fname, loader, pkg_name)
File "C:\Python27\lib\runpy.py", line 72, in _run_code
exec code in run_globals
File "C:\Python27\Scripts\pip.exe\__main__.py", line 5, in <module>
File "C:\Python27\lib\site-packages\pip\__init__.py", line 4, in <module>
import logging
File "C:\Python27\lib\logging\__init__.py", line 26, in <module>
import sys, os, time, cStringIO, traceback, warnings, weakref, collections
File "C:\Python27\lib\weakref.py", line 14, in <module>
from _weakref import (
ImportError: cannot import name _remove_dead_weakref
Click to expand...
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

Emulation Homebrew  duckstation for Switch

Can you trade in a banned switch for an unbanned one?

Why is Atmosphere so dominant?

Crosscode Hacking thread

Hacking  Weird findings from that DQ trilogy switch port

Migswitch backups without certificate files

switch change sd card, but android start fail

General chit-chat
Help Users
    SylverReZ @ SylverReZ: https://www.youtube.com/watch?v=8ptLqnNMcQk