Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

SocraticBliss

Hi guys,

I tried this and get the following error
Code:
PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory (via HacDiskMount)
-- A hactool format keys.txt (ie. key = 32 digit hex value) file with the following keys...
-- master_key_00
-- rsa_private_kek_generation_source
-- ssl_rsa_kek_source_x
-- ssl_rsa_kek_source_y

Checking python module dependencies...

Verifying keys...
Traceback (most recent call last):
  File "CertNXtractionPack.py", line 180, in <module>
    main()
  File "CertNXtractionPack.py", line 145, in main
    if 'master_key_00' in line:
TypeError: a bytes-like object is required, not 'str'

can someone help me?

Python 2 or Python 3?

Does your keys.txt file look like...
Code:
# Replace the FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF's with the proper key, case doesn't matter

master_key_00 = ABCDEF123456789ABCDEF123456789
rsa_private_kek_generation_source = ABCDEF123456789ABCDEF123456789
ssl_rsa_kek_source_x = ABCDEF123456789ABCDEF123456789
ssl_rsa_kek_source_y = ABCDEF123456789ABCDEF123456789

?
 

od1n89

Well if it's only because of Python 3 I will try it with 2.7. No need to rewrite the script just for me ;)

edit: well with Python 2.7 I can install pycrypto but it won't be recognized :( so I installed 3 again
 

Rikikoo

About those keys, using a dict would be much clearer imo.
Something like:
Code:
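# uhx is the script's hex helper; assumed here to be binascii.unhexlify
from binascii import unhexlify as uhx

keys = {}
with open('keys.txt', 'r') as f:  # text mode, so each line is a str on Python 3
    for l in f:
        l = l.strip()
        if not l or l.startswith('#'):  # skip blank lines and comments
            continue
        if '=' not in l:
            raise ValueError('Malformatted key file')
        n, k = l.split('=', 1)
        keys[n.strip()] = uhx(k.strip())

# Fail early if any key the script needs is absent
for n in ('master_key_00', 'rsa_private_kek_generation_source', 'ssl_rsa_kek_source_x', 'ssl_rsa_kek_source_y'):
    if n not in keys:
        raise KeyError('Missing key %s' % n)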
Then build a dict of hashes, etc.
Doing this makes it much clearer to know what key you're using in your script (keys['master_key_00'] instead of keys[0] for instance).

More generally, if you want to parse a hactool-like key file (prod.keys, dev.keys or title.keys), have a look at something I made:
https://github.com/Rikikooo/pyswitch/blob/master/NXKeys.py
 
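The traceback earlier in the thread and the dict-based parsing suggested above, as an added example (not code from CertNXtractionPack.py or pyswitch): a Python 3 parser for the `name = hex` key file that accepts bytes or str, followed by the "dict of hashes" check. `parse_keys`, `check_keys`, `expected_sha256` and the sample keys are hypothetical names and constructed values.

```python
import hashlib
from binascii import unhexlify

REQUIRED = ('master_key_00', 'rsa_private_kek_generation_source',
            'ssl_rsa_kek_source_x', 'ssl_rsa_kek_source_y')

def parse_keys(data):
    """Parse 'name = hex' lines; accepts bytes (file opened 'rb') or str."""
    if isinstance(data, bytes):
        # On Python 3, `'master_key_00' in line` raises TypeError for bytes lines
        data = data.decode('utf-8')
    keys = {}
    for lineno, raw in enumerate(data.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):   # blank line or comment
            continue
        name, sep, value = line.partition('=')
        name = name.strip()
        if not sep or not name:
            raise ValueError('line %d: expected "name = hex"' % lineno)
        if name in keys:
            raise ValueError('line %d: duplicate key %s' % (lineno, name))
        try:
            keys[name] = unhexlify(value.strip())
        except ValueError:   # binascii.Error subclasses ValueError
            # Name the key, never echo its value into logs or tracebacks
            raise ValueError('line %d: %s is not valid hex' % (lineno, name)) from None
    return keys

def check_keys(keys, expected_sha256=None):
    """Return a list of problems; expected_sha256 maps name -> hex digest (hypothetical)."""
    problems = []
    for name in REQUIRED:
        if name not in keys:
            problems.append('missing %s' % name)
        elif len(keys[name]) != 16:   # 32 hex digits = 16 bytes
            problems.append('%s is %d bytes, expected 16' % (name, len(keys[name])))
        elif expected_sha256 and name in expected_sha256 and \
                hashlib.sha256(keys[name]).hexdigest() != expected_sha256[name]:
            problems.append('%s does not match its expected SHA-256' % name)
    return problems

# Constructed sample, not real keys: x has only 30 hex digits, y is absent
SAMPLE = b"""# comment line
master_key_00 = 000102030405060708090A0B0C0D0E0F
rsa_private_kek_generation_source = 101112131415161718191a1b1c1d1e1f
ssl_rsa_kek_source_x = ABCDEF123456789ABCDEF123456789
"""
print(check_keys(parse_keys(SAMPLE)))
```

Comparing digests rather than raw keys lets a script confirm the user pasted the right value without shipping the keys themselves.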

SocraticBliss

Beautiful, I was up late re-working the script and by the time I got to the part where I messed with the keys I think I was half brain dead...

I'll go ahead and toss a modified version of that in there, if there are any additional suggestions let me know!
 

shchmue

that's how this did it https://gist.github.com/tesnos/531c3fdf68bb936aadd9add6d071558a
 

magico29

Stay tuned ;)
Hi there, what about if I have a 3.0.0 NAND backup? How do I use
Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:
  • First, make sure Python3 and both the asn1 and pycrypto modules are installed.
  • Next, copy your PRODINFO.bin partition into the folder
  • Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
  • Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it, that will decrypt your private key and extract your cert.
  • Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
  • Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
  • Voila! You can now find your generated certificate in the new folder named "Out"!
How 2 get dem keyz???
  • The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
  • The second key is the original master key, you can extract it from your keyblobs using hactool.
  • The third and fourth keys are plaintext in the ssl sysmodule NSO.
  • Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)
Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.
How do I run the PegaSwitch script on 3.0.0?
 

luk_pop

Which key is which?

Code:
rsa_private_kek_generation_source = uhx('EF2CXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
master_key_00 = uhx('C2CAAXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
key_x = uhx('7F5BXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
key_y = uhx('9A38XXXXXXXXXXXXXXXXXXXXXXXXXXXX')

rsa_private_kek_generation_source = aes_kek_generation_source ??
master_key_00 = master_key_00 ??
key_x = ??
key_y = ??

In file keys.txt by hekate_ctcaer_4.0

Code:
secure_boot_key =
tsec_key =
keyblob_mac_key_source =
keyblob_key_source_00 =
master_key_source =
keyblob_key_source_01 =
keyblob_key_source_02 =
keyblob_key_source_03 =
keyblob_key_source_04 =
keyblob_key_00 =
keyblob_key_01 =
keyblob_key_02 =
keyblob_key_03 =
keyblob_key_04 =
keyblob_mac_key_00 =
keyblob_mac_key_01 =
keyblob_mac_key_02 =
keyblob_mac_key_03 =
keyblob_mac_key_04 =
keyblob_00 =
keyblob_01 =
keyblob_02 =
keyblob_04 =
master_key_00 =
master_key_01 =
master_key_02 =
master_key_03 =
master_key_04 =
package1_key_00 =
package1_key_01 =
package1_key_02 =
package1_key_03 =
package1_key_04 =
package2_key_source =
aes_kek_generation_source = 
titlekek_source =
package2_key_00 =
package2_key_01 =
package2_key_02 =
package2_key_03 =
package2_key_04 =
titlekek_00 =
titlekek_01 =
titlekek_02 =
titlekek_03 =
titlekek_04 =
aes_key_generation_source =
key_area_key_application_source =
key_area_key_ocean_source =
key_area_key_system_source =
sd_card_kek_source =
sd_card_save_key_source =
sd_card_nca_key_source =
header_kek_source =
header_key_source =
encrypted_header_key =
header_key =
key_area_key_application_00 =
key_area_key_application_01 =
key_area_key_application_02 =
key_area_key_application_03 =
key_area_key_application_04 =
key_area_key_ocean_00 =
key_area_key_ocean_01 =
key_area_key_ocean_02 =
key_area_key_ocean_03 =
key_area_key_ocean_04 =
key_area_key_system_00 =
key_area_key_system_01 =
key_area_key_system_02 =
key_area_key_system_03 =
key_area_key_system_04 =
 