RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by SimonMKWii, May 14, 2018 at 8:15 AM.

  1. SimonMKWii
    OP

    SimonMKWii GBAtemp Fan

    Member
    6
    Nov 18, 2017
    Australia
    Melbourne, Victoria
    Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
    Don't worry, I've got you covered!
    Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

    Usage:
    • First, make sure Python3 and both the asn1 and pycrypto modules are installed.
    • Next, copy your PRODINFO.bin partition into the folder
    • Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
    • Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it; that will decrypt your private key and extract your cert.
    • Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
    • Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
    • Voila! You can now find your generated certificate in the new folder named "Out"!
    How 2 get dem keyz???
    • The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
    • The second key is the original master key, you can extract it from your keyblobs using hactool.
    • The third and fourth keys are plaintext in the ssl sysmodule NSO.
    • Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)
    Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.
     

    Attached Files:
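    What scripts 02 and 03 boil down to, as an added example (my own code, not from CertNXtractionPack or its author): the DER-to-PFX packaging stage, with the one check the pack leaves to the user put in front of it, namely that the private key decrypted from PRODINFO really belongs to the certificate extracted next to it. It assumes the openssl command-line tool is installed; the file names, the export password, the friendly name and the Out/ folder are assumptions rather than the pack's conventions, and the key/cert pair built by make_test_pair is constructed test material standing in for the real one.

```shell
#!/bin/sh
# Added example (not part of CertNXtractionPack): DER key + DER cert -> PFX,
# refusing to package a key that does not match the certificate.
# Assumes the openssl CLI. File names, password and Out/ are assumptions.

set -eu

# Return 0 only if the RSA modulus in the DER private key equals the one in
# the DER certificate. A mismatched pair would still export to a PFX, just a
# useless one, so this is the check to run before packaging.
key_matches_cert() {
    key_mod=$(openssl rsa -inform DER -in "$1" -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -inform DER -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Bundle key + cert into a PKCS#12 file.
# Usage: make_pfx key.der cert.der Out/cert.pfx password
make_pfx() {
    key=$1 cert=$2 out=$3 pw=$4
    key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
    mkdir -p "$(dirname "$out")"
    # pkcs12 -export takes PEM, so convert the DER pair in a scratch directory.
    tmp=$(mktemp -d)
    openssl rsa -inform DER -in "$key" -out "$tmp/key.pem" 2>/dev/null
    openssl x509 -inform DER -in "$cert" -out "$tmp/cert.pem"
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -name "switch-client-cert" -out "$out" -passout "pass:$pw"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Read the PFX back: returns 0 if it parses (MAC verifies) with that password.
pfx_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Constructed test material: a throwaway key and self-signed cert standing in
# for the real PRODINFO pair, converted to DER the way script 02 would.
make_test_pair() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=constructed-test" -days 1 \
        -out "$1/cert.pem" 2>/dev/null
    openssl rsa -in "$1/key.pem" -outform DER -out "$1/key.der" 2>/dev/null
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
}

if [ "${1:-}" = "--selftest" ]; then
    d=$(mktemp -d)
    make_test_pair "$d"
    make_pfx "$d/key.der" "$d/cert.der" "$d/Out/cert.pfx" switch
    pfx_ok "$d/Out/cert.pfx" switch && echo "ok: $d/Out/cert.pfx"
fi
```

    Run it with `--selftest` to exercise the whole path on the constructed pair; for a real extraction, call `make_pfx` on the DER files script 02 wrote. The modulus comparison is the cheap way to catch a wrong ssl_kek or a mis-sliced PRODINFO before you spend time wondering why the CDN rejects the client certificate.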

  2. link42586

    link42586 Advanced Member

    Newcomer
    1
    May 9, 2018
    United States
    CDN meaning the game download servers?? Content Distribution Network?
     
    Last edited by link42586, May 14, 2018 at 8:20 AM
  3. SimonMKWii
    OP

    SimonMKWii GBAtemp Fan

    Member
    6
    Nov 18, 2017
    Australia
    Melbourne, Victoria
    Stay tuned ;)
     
  4. link42586

    link42586 Advanced Member

    Newcomer
    1
    May 9, 2018
    United States
    Don't do this to me right now... I'm tired. How important is this really, and is this something EVERYONE will need/do at some point in Switch hacking? This seems big. Didn't know they could do this on Switch already with 3.0.0.
     
  5. SimonMKWii
    OP

    SimonMKWii GBAtemp Fan

    Member
    6
    Nov 18, 2017
    Australia
    Melbourne, Victoria
    Well, finding and extracting games from your SD card to back them up or to datamine them (what I do) is a huge hassle!
    What if you could skip that, and an entire layer of encryption?
     
  6. link42586

    link42586 Advanced Member

    Newcomer
    1
    May 9, 2018
    United States
    This could be big for the scene if i'm understanding this correctly.
     
    Last edited by link42586, May 14, 2018 at 10:30 AM
  8. Ericthegreat

    Ericthegreat Not New Member

    Member
    5
    Nov 8, 2008
    United States
    Vana'diel
    Wait, can we share "legal backups" this way?
     
  10. link42586

    link42586 Advanced Member

    Newcomer
    1
    May 9, 2018
    United States
    That's what i'm wondering.
     
    Last edited by link42586, May 14, 2018 at 10:30 AM
  11. Muskusrat

    Muskusrat GBAtemp Regular

    Member
    4
    Jul 31, 2003
    Netherlands
    That was the missing piece for the recently created key site. Now to figure it all out and start downloading haha
     
  13. zoogie

    zoogie playing around in the dsiware

    Member
    19
    Nov 30, 2014
    Micronesia, Federated States of
    ( ͡° ͜ʖ ͡°)/━━━❚

    I can't believe you guys are seriously thinking about recreating freeshop on switch.
    Nintendo is so going to nuke every account from orbit that tries this, lol.
     
    Last edited by zoogie, May 14, 2018 at 8:46 AM
  14. SimonMKWii
    OP

    SimonMKWii GBAtemp Fan

    Member
    6
    Nov 18, 2017
    Australia
    Melbourne, Victoria
    This is clearly not for freeshop at all, lol, you wouldn't even need to extract your cert to do that, as it's already on the console...
     
  15. Ericthegreat

    Ericthegreat Not New Member

    Member
    5
    Nov 8, 2008
    United States
    Vana'diel
    This sounds very important for our legal needs.


    We all plan to be banned anyway, and EVERYONE who does ANY modification should.
     
  16. link42586

    link42586 Advanced Member

    Newcomer
    1
    May 9, 2018
    United States
    Very. The game carts are small. Would be nice to keep the put up.
     
    Last edited by link42586, May 14, 2018 at 10:19 AM
  17. SimonMKWii
    OP

    SimonMKWii GBAtemp Fan

    Member
    6
    Nov 18, 2017
    Australia
    Melbourne, Victoria
    You still need to own the game to extract the titlekey from your own Switch, so if you download games you don't own, you can't do anything with them unless you have the key...
     
  19. SimonMKWii
    OP

    SimonMKWii GBAtemp Fan

    Member
    6
    Nov 18, 2017
    Australia
    Melbourne, Victoria
    But, but... don't you want your games neatly organised into named folders?
     
  20. link42586

    link42586 Advanced Member

    Newcomer
    1
    May 9, 2018
    United States
    Tickets are always signed by Nintendo (RSA-2048 over a SHA-256 hash with PKCS#1 padding), meaning they cannot be forged. Finding the private key to the public key is currently considered computationally infeasible.
    So idk if freeshop is anytime soon.

    Much of the Switch's CDN/eShop design seems motivated to address some of the piracy problems faced by the 3DS/Wii U, and in particular users' ability to download games directly from Nintendo and retrieve their titlekeys from a communal keystore. "cetks" (tickets signed for every console) now only exist for game updates, preventing the "Legit" CIA sharing problem from previous consoles -- and, on top of that, tickets' titlekey data is now protected by console-unique keys that never leave TrustZone, making it much, much more difficult for users to dump and share their titlekeys.

    We have access to TrustZone with our hacks, I take it, but this sounds a little more involved.
     
    Last edited by link42586, May 14, 2018 at 10:19 AM
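    Added example (my own code, not from the thread and not Nintendo's implementation): what the RSA-2048 / SHA-256 / PKCS#1 v1.5 signature check described in the post above looks like, and why a modified ticket body, a modified signature, or a signature made with any other key fails it. The key is generated here, the ticket body is a constructed stand-in (the real ticket layout is not reproduced), and `demo()` defaults to 2048-bit keys as the post describes; the self-test under `__main__` passes 1024 only to keep pure-Python key generation quick. Beyond the post, `verify()` rebuilds and compares the whole encoded block rather than just looking for the hash at the end, which is the detail that keeps lenient-padding forgeries out.

```python
# Added example (not from the thread): RSASSA-PKCS1-v1_5 with SHA-256,
# the scheme the post above attributes to Switch tickets. Key, ticket body
# and sizes are constructed here; nothing below is Nintendo's key or format.
import hashlib
import hmac
import random

_RNG = random.SystemRandom()

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Odd primes below 2000, used to reject most candidates before Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test, with trial division by small primes first."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a witness: n is composite
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if is_probable_prime(cand):
            return cand


def generate_key(bits: int = 2048):
    """Return (n, e, d) for a fresh RSA key with a modulus of about `bits` bits."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def _mod_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017, 9.2) of SHA-256(message), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message: bytes, n: int, d: int) -> bytes:
    """The private-key operation only the holder of d can perform."""
    k = _mod_len(n)
    m = int.from_bytes(emsa_pkcs1_v15_sha256(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Recover the encoded block with the public key and compare ALL of it.

    Rebuilding the full expected EM and comparing it in constant time (rather
    than scanning for the hash at the end) is what blocks lenient-padding
    forgeries against small public exponents."""
    k = _mod_len(n)
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha256(message, k))


# Constructed stand-in for a ticket body; the real layout is not reproduced.
TICKET_BODY = b"constructed stand-in for a Switch ticket body"


def demo(bits: int = 2048) -> dict:
    """Sign the ticket with one key and show what the verifier accepts and rejects."""
    n, e, d = generate_key(bits)
    sig = sign(TICKET_BODY, n, d)
    tampered = bytearray(TICKET_BODY)
    tampered[0] ^= 0x01                      # one bit changed in the signed body
    n2, e2, d2 = generate_key(bits)          # a key the attacker does control
    return {
        "genuine": verify(TICKET_BODY, sig, n, e),
        "body_tampered": verify(bytes(tampered), sig, n, e),
        "sig_tampered": verify(TICKET_BODY, bytes([sig[0] ^ 1]) + sig[1:], n, e),
        "other_signer": verify(TICKET_BODY, sign(TICKET_BODY, n2, d2), n, e),
    }


if __name__ == "__main__":
    print(demo(1024))   # 1024 only for speed; tickets use 2048 per the post
```

    Only `genuine` comes back True; every other entry is False. That is the whole point the post makes: with only n and e in hand (which is all a dump of the public certificate chain gives you) there is no operation that produces a signature the check accepts for a ticket you wrote yourself.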