Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

SocraticBliss · Sep 12, 2018

Hi guys,

i tried this and get the following error

Code:

PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory (via HacDiskMount)
-- A hactool format keys.txt (ie. key = 32 digit hex value) file with the following keys...
-- master_key_00
-- rsa_private_kek_generation_source
-- ssl_rsa_kek_source_x
-- ssl_rsa_kek_source_y

Checking python module dependencies...

Verifying keys...
Traceback (most recent call last):
  File "CertNXtractionPack.py", line 180, in <module>
    main()
  File "CertNXtractionPack.py", line 145, in main
    if 'master_key_00' in line:
TypeError: a bytes-like object is required, not 'str'

can someone help me?

Python 2 or Python 3?

Does your keys.txt file look like...

Code:

# Replace the FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF's with the proper key, case doesn't matter

master_key_00 = ABCDEF123456789ABCDEF123456789
rsa_private_kek_generation_source = ABCDEF123456789ABCDEF123456789
ssl_rsa_kek_source_x = ABCDEF123456789ABCDEF123456789
ssl_rsa_kek_source_y = ABCDEF123456789ABCDEF123456789

?

od1n89 · Sep 12, 2018

Python 3 and Windows 10 and yes i just replaced the F´s with the keys

SocraticBliss · Sep 12, 2018

od1n89 said:
Python 3 and Windows 10 and yes i just replaced the F´s with the keys

Crap okay, then it's python 3 related issue, I'll try and make it more compatible really quick...

od1n89 · Sep 12, 2018

Well if its only because of Python 3 i will try it with 2.7. No need to rewrite the script just for me

edit: well with Python 2.7 i can install pycrypto but it wont be recognized

so i installed 3 again

SocraticBliss · Sep 12, 2018

od1n89 said:
Well if its only because of Python 3 i will try it with 2.7. No need to rewrite the script just for me

edit: well with Python 2.7 i can install pycrypto but it wont be recognized so i installed 3 again

I'll change the cmd script to use pycryptodome... bah

Here ya go, use the scripts here...

https://gist.github.com/SocraticBliss/4410790b6e5a27161f521c45d1eb2684

od1n89 · Sep 12, 2018

now its working with python 2.7. Thank you

SocraticBliss · Sep 12, 2018

od1n89 said:
now its working with python 2.7. Thank you

Should work for both

od1n89 · Sep 12, 2018

I did it with python 3 first and got the same message. With 2.7 no problem

SocraticBliss · Sep 12, 2018

od1n89 said:
I did it with python 3 first and got the same message. With 2.7 no problem

Maybe you don't have the latest scripts? I updated them pretty recently... doesn't seem to have problems on my end...

od1n89 · Sep 12, 2018

Hmm i dont know. I havent installed python before. So it should be the actual scripts. But maybe im wrong.

SocraticBliss · Sep 12, 2018

od1n89 said:
Hmm i dont know. I havent installed python before. So it should be the actual scripts. But maybe im wrong.

Sorry, I meant the latest scripts that I uploaded to my gist...

https://gist.github.com/SocraticBliss/4410790b6e5a27161f521c45d1eb2684

I also updated the zip file in the previous post based on your feedback/testing

od1n89 · Sep 12, 2018

Ah ok sry i missunderstood that. I had only the new CMD File.

Rikikoo · Sep 12, 2018

About those keys, using a dict would be much clearer imo.
Something like:

Code:

keys = {}
with open('keys.txt', 'r') as f:
    for l in f:
        if '=' not in l:
            raise ValueError('Malformatted key file')
        n, k = l.replace('\n', '').split('=')
        keys[n.strip()] = uhx(k.strip())

for n in ('master_key_00', 'rsa_private_kek_generation_source', 'ssl_rsa_kek_source_x', 'ssl_rsa_kek_source_y'):
    if n not in keys:
        raise KeyError('Missing key %s' % n)

Then build a dict of hashes, etc.
Doing this makes it much clearer to know what key you're using in your script (keys['master_key_00'] instead of keys[0] for instance).

More generally, if you want to parse a hactool-like key file (prod.keys, dev.keys or title.keys), have a look at something I made:
https://github.com/Rikikooo/pyswitch/blob/master/NXKeys.py

SocraticBliss · Sep 12, 2018

Rikikoo said:
About those keys, using a dict would be much clearer imo.
Something like:

Code:

keys = {} with open('keys.txt', 'r') as f: for l in f: if '=' not in l: raise ValueError('Malformatted key file') n, k = l.replace('\n', '').split('=') keys[n.strip()] = uhx(k.strip()) for n in ('master_key_00', 'rsa_private_kek_generation_source', 'ssl_rsa_kek_source_x', 'ssl_rsa_kek_source_y'): if n not in keys: raise KeyError('Missing key %s' % n)

Then build a dict of hashes, etc.
Doing this makes it much clearer to know what key you're using in your script (keys['master_key_00'] instead of keys[0] for instance).

More generally, if you want to parse a hactool-like key file (prod.keys, dev.keys or title.keys), have a look at something I made:
https://github.com/Rikikooo/pyswitch/blob/master/NXKeys.py

Beautiful, I was up late re-working the script and by the time I got to the part where I messed with the keys I think I was was half brain dead...

I'll go ahead and toss a modified version of that in there, if there are any additional suggestions let me know!

shchmue · Sep 13, 2018

Rikikoo said:
About those keys, using a dict would be much clearer imo.
Something like:

Code:

keys = {} with open('keys.txt', 'r') as f: for l in f: if '=' not in l: raise ValueError('Malformatted key file') n, k = l.replace('\n', '').split('=') keys[n.strip()] = uhx(k.strip()) for n in ('master_key_00', 'rsa_private_kek_generation_source', 'ssl_rsa_kek_source_x', 'ssl_rsa_kek_source_y'): if n not in keys: raise KeyError('Missing key %s' % n)

Then build a dict of hashes, etc.
Doing this makes it much clearer to know what key you're using in your script (keys['master_key_00'] instead of keys[0] for instance).

More generally, if you want to parse a hactool-like key file (prod.keys, dev.keys or title.keys), have a look at something I made:
https://github.com/Rikikooo/pyswitch/blob/master/NXKeys.py

that's how this did it https://gist.github.com/tesnos/531c3fdf68bb936aadd9add6d071558a

magico29 · Sep 13, 2018

SimonMKWii said:
Stay tuned

Hi there, what about if i have a 3.0.0 nand backup? How i do use

SimonMKWii said:
Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:

First, make sure Python3 and both the asn1 and pycrypto modules are installed.

Next, copy your PRODINFO.bin partition into the folder

Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.

Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it, that will decrypt your private key and extract your cert.

Then, run "02_convert_to_der.py", which will convert the extracted files into DER.

Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!

Voila! You can now find your generated certificate in the new folder named "Out"!

How 2 get dem keyz???

The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).

The second key is the original master key, you can extract it from your keyblobs using hactool.

The third and fourth keys are plaintext in the ssl sysmodule NSO.

Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)

Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.

how i do run the pegaswitch script on 3.0.0?

shchmue · Sep 13, 2018

magico29 said:
Hi there, what about if i have a 3.0.0 nand backup? How i do use

how i do run the pegaswitch script on 3.0.0?

that was before the RCM exploit was out. you can follow switch.hacks.guide I suppose.

magico29 · Sep 13, 2018

shchmue said:
that was before the RCM exploit was out. you can follow switch.hacks.guide I suppose.

Ummmm sounds good!!
Thanks for reply!!

Rikikoo · Sep 14, 2018

shchmue said:
that's how this did it https://gist.github.com/tesnos/531c3fdf68bb936aadd9add6d071558a

Well I assume inputted keys are correct, so I don't need to check hashes.
Although come to think of it, one could probably use the built-in INI-file parser.

luk_pop · Sep 14, 2018

Which key is which?

Code:

rsa_private_kek_generation_source = uhx('EF2CXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
master_key_00 = uhx('C2CAAXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
key_x = uhx('7F5BXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
key_y = uhx('9A38XXXXXXXXXXXXXXXXXXXXXXXXXXXX')

rsa_private_kek_generation_source = aes_kek_generation_source ??
master_key_00 = master_key_00 ??
key_x = ??
key_y = ??

In file keys.txt by hekate_ctcaer_4.0

Code:

secure_boot_key =
tsec_key =
keyblob_mac_key_source =
keyblob_key_source_00 =
master_key_source =
keyblob_key_source_01 =
keyblob_key_source_02 =
keyblob_key_source_03 =
keyblob_key_source_04 =
keyblob_key_00 =
keyblob_key_01 =
keyblob_key_02 =
keyblob_key_03 =
keyblob_key_04 =
keyblob_mac_key_00 =
keyblob_mac_key_01 =
keyblob_mac_key_02 =
keyblob_mac_key_03 =
keyblob_mac_key_04 =
keyblob_00 =
keyblob_01 =
keyblob_02 =
keyblob_04 =
master_key_00 =
master_key_01 =
master_key_02 =
master_key_03 =
master_key_04 =
package1_key_00 =
package1_key_01 =
package1_key_02 =
package1_key_03 =
package1_key_04 =
package2_key_source =
aes_kek_generation_source = 
titlekek_source =
package2_key_00 =
package2_key_01 =
package2_key_02 =
package2_key_03 =
package2_key_04 =
titlekek_00 =
titlekek_01 =
titlekek_02 =
titlekek_03 =
titlekek_04 =
aes_key_generation_source =
key_area_key_application_source =
key_area_key_ocean_source =
key_area_key_system_source =
sd_card_kek_source =
sd_card_save_key_source =
sd_card_nca_key_source =
header_kek_source =
header_key_source =
encrypted_header_key =
header_key =
key_area_key_application_00 =
key_area_key_application_01 =
key_area_key_application_02 =
key_area_key_application_03 =
key_area_key_application_04 =
key_area_key_ocean_00 =
key_area_key_ocean_01 =
key_area_key_ocean_02 =
key_area_key_ocean_03 =
key_area_key_ocean_04 =
key_area_key_system_00 =
key_area_key_system_01 =
key_area_key_system_02 =
key_area_key_system_03 =
key_area_key_system_04 =

Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Member

Well-Known Member

Developer

Well-Known Member

Developer

Well-Known Member

Member

Well-Known Member

Similar threads

Popular threads in this forum