RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by SimonMKWii, May 14, 2018.

  1. Dudamax

    Dudamax GBAtemp Regular

    Member
    2
    May 30, 2017
    United States
    Alright thanks
     
  2. yyoossk

    yyoossk Advanced Member

    Newcomer
    3
    Oct 18, 2017
    Japan
    import binascii, sys, random, asn1
    File "C:\Python33\lib\site-packages\
    from enum import IntEnum
    ImportError: No module named 'enum'
     
  3. SocraticBliss

    SocraticBliss GBAtemp Regular

    Member
    2
    Jun 3, 2017
    United States
    Crap yet another pre-req I forgot....

    pip install enum34
     
  4. yyoossk

    yyoossk Advanced Member

    Newcomer
    3
    Oct 18, 2017
    Japan
    ok
    thx!
     
  5. SocraticBliss

    SocraticBliss GBAtemp Regular

    Member
    2
    Jun 3, 2017
    United States
    EDIT: Here, I made it easier for you, if you have a keys.txt file in the same directory (in the hactool format, i.e. key = 32 digit hex value), it will automatically use the key, so you don't have to edit the script at all! :)

    EDIT: I have added @JupiterJesus's commit!

    EDIT: Refer to latest post
     
    Last edited by SocraticBliss, Sep 12, 2018
    jelbo likes this.
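
The keys.txt layout mentioned in the post above ("key = 32 digit hex value") can be validated before any script consumes it. The parser below is an added example, not code from the thread or from CertNXtractionPack; the key names and values in the sample are constructed placeholders, and tolerating missing spaces around "=" is an assumption.

```python
import binascii
import re

# One "name = hexvalue" entry per line, as described in the post.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)\s*$")

def parse_keys(text, expected_hex_len=32):
    """Return (keys, problems): keys maps name -> raw bytes, problems lists
    (line_number, reason) for every line that was rejected."""
    keys, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines are skipped silently
        m = LINE_RE.match(raw)
        if m is None:
            problems.append((lineno, "not in 'name = hex' form"))
            continue
        name, value = m.group(1), m.group(2)
        if len(value) != expected_hex_len:
            problems.append((lineno, "%s: %d hex digits, expected %d"
                             % (name, len(value), expected_hex_len)))
            continue
        if name in keys:
            problems.append((lineno, "%s: duplicate entry ignored" % name))
            continue
        keys[name] = binascii.unhexlify(value)
    return keys, problems

# Constructed sample: hypothetical key names, dummy values.
SAMPLE = """\
example_key_a = 000102030405060708090a0b0c0d0e0f
example_key_b = 00112233
example_key_a = ffffffffffffffffffffffffffffffff
this line has no equals sign
example_key_c=0F0E0D0C0B0A09080706050403020100
"""

if __name__ == "__main__":
    keys, problems = parse_keys(SAMPLE)
    # Report names and lengths only; key material is never printed.
    for name in sorted(keys):
        print("loaded %s (%d bytes)" % (name, len(keys[name])))
    for lineno, reason in problems:
        print("line %d rejected: %s" % (lineno, reason))
```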
  6. scottgl

    scottgl Advanced Member

    Newcomer
    1
    Jan 4, 2016
    United States
    Has anyone tried using their pfx cert with CDNX (https://github.com/Reisyukaku/CDNX) to attempt to download game updates or demos? I'm not sure if CDNX just doesn't work correctly, but I'm not able to download anything. Also something interesting I noticed is that PRODINFO from 4.1.0 and PRODINFO from 5.0.2 are identical, also BIS keys don't seem to change from the software update.
     
  7. SocraticBliss

    SocraticBliss GBAtemp Regular

    Member
    2
    Jun 3, 2017
    United States
    PRODINFO (Calibrations) are burned in at the factory, it shouldn't change...
     
  8. scottgl

    scottgl Advanced Member

    Newcomer
    1
    Jan 4, 2016
    United States
    Ok, good to know. Wasn't sure if it was because I was using the pfx cert created from older firmware.
     
  9. aslk

    aslk Member

    Newcomer
    3
    Oct 30, 2013
    Canada
    getting the same problem?
     
  10. Miqote

    Miqote GBAtemp Regular

    Member
    4
    May 2, 2018
    Macedonia, The Former Yugoslav Republic of
    @SimonMKWii Please upload this code to a repo so people can submit PRs for the fixed versions.
     
  11. Dudamax

    Dudamax GBAtemp Regular

    Member
    2
    May 30, 2017
    United States
    How do I decrypt the BIS key? And I don't get the PRODINFO after dumping using biskeydump v6, I get a pkg_decr.bin, and the BIS keys, but it's just text
     
    Last edited by Dudamax, May 16, 2018
  12. Ghost92

    Ghost92 GBAtemp Fan

    Member
    4
    Jun 29, 2017
    Colombia
    All the CDNs fell
     
  13. SocraticBliss

    SocraticBliss GBAtemp Regular

    Member
    2
    Jun 3, 2017
    United States
    You should have gotten your BIS keys with the biskeydump payload, you need to dump the SYSNAND with something like hekate... then open the 31GB binary into HacDiskMount.
     
    Last edited by SocraticBliss, May 16, 2018
  14. Dudamax

    Dudamax GBAtemp Regular

    Member
    2
    May 30, 2017
    United States
    What do you mean I didn't dump the sysnand? There was no option to do that it only showed me the keys, a smiley face, and a qr code that just copied the keys
    I uploaded a picture of what it looks like (blurry for reasons)
     


    Last edited by Dudamax, May 16, 2018
  15. SocraticBliss

    SocraticBliss GBAtemp Regular

    Member
    2
    Jun 3, 2017
    United States
    Yea, I'm an idiot on this one, use Hekate, I prefer rajkosto's, I got by with using v3, I see there is a v5 now...

    https://github.com/rajkosto/hekate/releases
     
  16. Dudamax

    Dudamax GBAtemp Regular

    Member
    2
    May 30, 2017
    United States
    1. The one that I tried is similar to rajkosto's because it dumped it in parts, how do I get it into 1 rawnand.bin?
     
  17. SimonMKWii
    OP

    SimonMKWii GBAtemp Advanced Fan

    Member
    9
    Nov 18, 2017
    Australia
    Melbourne, Victoria
  18. Ptrk25

    Ptrk25 GBAtemp Advanced Fan

    Member
    6
    Sep 6, 2015
    Germany
    ::1
    Can someone help me? If I try to run the scripts, I get the following error:
    Code:
    Traceback (most recent call last):
      File "Convert_to_der.py", line 150, in <module>
        main()
      File "Convert_to_der.py", line 106, in main
        E, N = get_pubk(clcert)
      File "Convert_to_der.py", line 65, in get_pubk
        clcert_decoder.enter() # Seq, 3 elem
      File "/usr/lib/python3.6/site-packages/asn1.py", line 448, in enter
        raise Error('Cannot enter a non-constructed tag.')
    asn1.Error: Cannot enter a non-constructed tag.
    
    
    I have asn1, pycrypto, future, enum34 installed.
     
  19. SocraticBliss

    SocraticBliss GBAtemp Regular

    Member
    2
    Jun 3, 2017
    United States
    Ensure you are using a decrypted version of your PRODINFO.bin, can't be the encrypted version...
     
    Ptrk25 likes this.
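
The asn1 error above is what parsing ciphertext as DER looks like, so it helps to check the file before running the scripts. The check below is an added example, not part of CertNXtractionPack or the thread; it assumes a decrypted PRODINFO starts with the ASCII magic "CAL0" (not stated in the thread) and falls back to byte entropy to recognise data that is still encrypted. All sample data is constructed.

```python
import hashlib
import math
from collections import Counter

CAL0_MAGIC = b"CAL0"   # assumption: header magic at offset 0 of a decrypted PRODINFO
SAMPLE_SIZE = 0x4000   # only the start of the file is inspected

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, much lower for structured data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_prodinfo(blob):
    """Return 'decrypted', 'encrypted' or 'unknown' for the start of a PRODINFO dump."""
    head = blob[:SAMPLE_SIZE]
    if head[:4] == CAL0_MAGIC:
        return "decrypted"
    # No magic and near-random bytes: almost certainly still encrypted.
    if len(head) >= 4096 and shannon_entropy(head) > 7.5:
        return "encrypted"
    return "unknown"  # e.g. truncated, zero-filled or the wrong partition

def _pseudo_random(n):
    """Constructed stand-in for ciphertext: a SHA-256 counter stream."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples, not real console data.
SAMPLE_DECRYPTED = CAL0_MAGIC + bytes(SAMPLE_SIZE - 4)
SAMPLE_ENCRYPTED = _pseudo_random(SAMPLE_SIZE)
SAMPLE_BLANK = bytes(SAMPLE_SIZE)

if __name__ == "__main__":
    samples = (("decrypted", SAMPLE_DECRYPTED),
               ("encrypted", SAMPLE_ENCRYPTED),
               ("blank", SAMPLE_BLANK))
    for label, blob in samples:
        print("%-9s -> %-9s entropy %.2f"
              % (label, classify_prodinfo(blob), shannon_entropy(blob)))
```

To use it on a real file, read the first 0x4000 bytes of PRODINFO.bin in binary mode and pass them to `classify_prodinfo`.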
  20. aslk

    aslk Member

    Newcomer
    3
    Oct 30, 2013
    Canada
    Since the whole process is aids to figure out without any prior experience, I'll provide steps:

    step 1: Download TegraRcmSmash https://gbatemp.net/threads/tegrarcmsmash-a-fusee-launcher-for-windows.502334/

    step 2: Get payload https://gbatemp.net/threads/rcm-payload-hekate-mod-raw-full-nand-backup.502604/

    step 3: Put an empty microSD card on exFAT with at least 32GB of space into your switch

    step 4: Plug the switch into your comp, get into RCM

    step 5: Boot hekate 1.3 and select rawNAND backup (something like that) and wait for it.

    step 6: Get next payload (biskey) https://switchtools.sshnuke.net

    step 7: Open the folder with TegraRcmSmash and place biskeydump.bin next to it

    step 8: While in the TegraRcmSmash folder, Shift + Right Click in an empty space and press "Open command window here"

    step 9: Plug the switch into your comp, get into RCM (microsd card not required)

    step 10: Back where you opened the command window, type TegraRcmSmash.exe -w out/biskeydump.bin BOOT:0x0

    step 11: biskeydump will now show your keys on the console AND on your computer in the command window

    step 12: Open hacdiskmount https://switchtools.sshnuke.net

    step 13: file > open > rawnand.bin (extracted from your switch)

    step 14: select PRODINFO

    step 15: put the keys in that it asks you for from the command window earlier.

    step 16: You now have PRODINFO

    step 17: download op's CertNXtractionPack

    step 18: open up the pack and edit 00_generate_ssl_kek.py

    step 19: insert the keys within the quotations

    *EDIT: there's also a key in 01_decrypt_privk_extract_cert.py that you have to insert

    step 20: replace "ssl_aes_key_x" with "key_x_gak", and replace "ssl_rsa_key_y" with "rpk_key_y"

    EDIT: the rest you'll need to figure out for now lul. I was wrong the first time
     
    Last edited by aslk, May 17, 2018