Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Imancol

Imancol

Otak Productions
Member
Level 11
Joined
Jun 29, 2017
Messages
1,376
Trophies
0
XP
2,766
Country
Colombia
Gnarmagon said:
pip install pycryptodome

--------------------- MERGED ---------------------------

Do you even know how to write Python code ???
I mean that code looks horrible... and btw what are rpk_key_y and key_x_gak ? both variables are undefined...
Click to expand...

Thank you!. Now I get this xd

rpk_key = GenerateAesKek(rsa_private_kek_generation_source, key_x_gak, master_key)
NameError: name 'key_x_gak' is not defined
Click to expand...
 
Gnarmagon

Gnarmagon

Noob <3
Member
Level 6
Joined
Dec 12, 2016
Messages
647
Trophies
0
Age
22
XP
794
Country
Germany
Ghost92 said:
Thank you!. Now I get this xd
Click to expand...
the last error is because the OP uploaded unfinished code, can't help you with that :(

Btw here is a slightly improved version: (still gives the error but it's now a lot more consistent...)
 

Attachments

  • CertNXtractionPack.zip
    732.5 KB · Views: 724
Z

zizoux

Member
Newcomer
Level 1
Joined
May 7, 2010
Messages
23
Trophies
0
XP
55
Country
United States
  • "Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek."
Required keydata?
 
salamandrusker

salamandrusker

Well-Known Member
Member
Level 2
Joined
Mar 12, 2018
Messages
100
Trophies
0
Age
34
XP
225
Country
Spain
SimonMKWii said:
Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:
  • First, make sure Python3 and both the asn1 and pycrypto modules are installed.
  • Next, copy your PRODINFO.bin partition into the folder
  • Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
  • Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it, that will decrypt your private key and extract your cert.
  • Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
  • Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
  • Voila! You can now find your generated certificate in the new folder named "Out"!
How 2 get dem keyz???
  • The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
  • The second key is the original master key, you can extract it from your keyblobs using hactool.
  • The third and fourth keys are plaintext in the ssl sysmodule NSO.
  • Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)
Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.
Click to expand...


you have a magic power on your hands !!! congrats!! thanks!!
 
NANASHI89

NANASHI89

Well-Known Member
Member
Level 15
Joined
May 3, 2012
Messages
2,473
Trophies
1
XP
5,358
Country
United States
SimonMKWii said:
Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:
  • First, make sure Python3 and both the asn1 and pycrypto modules are installed.
  • Next, copy your PRODINFO.bin partition into the folder
  • Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
  • Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it, that will decrypt your private key and extract your cert.
  • Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
  • Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
  • Voila! You can now find your generated certificate in the new folder named "Out"!
How 2 get dem keyz???
  • The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
  • The second key is the original master key, you can extract it from your keyblobs using hactool.
  • The third and fourth keys are plaintext in the ssl sysmodule NSO.
  • Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)
Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.
Click to expand...
But how do I dump the NAND? @SimonMKWii
 
Last edited by NANASHI89,
ut0pia

ut0pia

Member
Newcomer
Level 2
Joined
Apr 30, 2018
Messages
17
Trophies
0
Age
42
XP
216
Country
France
cat clcert.pem privkey.pem > nx_tls_client_cert.pem

.bat with cat command, that's why you end up with 0 filesize nx_tls_client_cert.pem
 
Mazamin

Mazamin

Well-Known Member
Member
Level 12
Joined
Sep 4, 2014
Messages
1,895
Trophies
0
XP
3,094
Country
Italy
yyoossk said:
print("eticket_ssl_rpk = " + hx(rpk_key).upper())
TypeError: Can't convert 'bytes' object to str implicitly
Click to expand...
I fixed the code
Code: 
import sys
from binascii import unhexlify as uhx, hexlify as hx
from Crypto.Cipher import AES

def decrypt(inputkey, iv):
    return AES.new(iv, AES.MODE_ECB).decrypt(inputkey)

def unwrap(wrappedkey, iv):
    return decrypt(wrappedkey, iv)

rsa_private_kek_generation_source = uhx('X')
master_key = uhx('X')
ssl_aes_key_x = uhx('X')
ssl_rsa_key_y = uhx('X')

def GenerateAesKek(rsa_private_kek_generation_source, ssl_aes_key_xk, master_key):
    unwrapped_kek = unwrap(rsa_private_kek_generation_source, master_key)
    unwrapped_kekek = unwrap(ssl_aes_key_x, unwrapped_kek)
    return unwrap(ssl_rsa_key_y, unwrapped_kekek)

rpk_key = GenerateAesKek(rsa_private_kek_generation_source, ssl_aes_key_x, master_key)
rpk_key_b = hx(rpk_key).upper()
print("eticket_ssl_rpk = " + "".join(map(chr, rpk_key_b)))
 
  • Like
Reactions: ExAqua
SocraticBliss

SocraticBliss

Well-Known Member
Member
Level 3
Joined
Jun 3, 2017
Messages
130
Trophies
0
Age
36
XP
273
Country
United States
Ghost92 said:
Thank you all. I was able to make the file Der. But when I want to create the "nx_tls_client_cert.pfx" with "03_save_as_pfx.bat" it does not build it and it creates a 0KB file...

--------------------- MERGED ---------------------------


ROLF
Click to expand...

EDIT: Here, I made it easier for you, if you have a keys.txt file in the same directory (in the hactool format, ie. key = 32 digit hex value), it will automatically use the key, so you don't have to edit the script at all! :)

EDIT: I have added @JupiterJesus 's commit!

EDIT: Refer to latest post
 
Last edited by SocraticBliss,

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

DBI language error

Emulation Homebrew  duckstation for Switch

Can you trade in a banned switch for an unbanned one?

Why is Atmosphere so dominant?

Last switch firmware blocking MIG SWITCH?

Crosscode Hacking thread

Hacking  Loader.kip for AMS 1.7.0 with FW 17.0.1 - sys-clk error ??

General chit-chat
Help Users
  • TwoSpikedHands @ TwoSpikedHands:
    Do I restart now using what i've learned on the EU version since it's a better overall experience? or do I continue with the US version since that is what ive been using, and if someone decides to play my hack, it would most likely be that version?
  • Sicklyboy @ Sicklyboy:
    @TwoSpikedHands, I'll preface this with the fact that I know nothing about the game, but, I think it depends on what your goals are. Are you trying to make a definitive version of the game? You may want to refocus your efforts on the EU version then. Or, are you trying to make a better US version? In which case, the only way to make a better US version is to keep on plugging away at that one ;)
  • Sicklyboy @ Sicklyboy:
    I'm not familiar with the technicalities of the differences between the two versions, but I'm wondering if at least some of those differences are things that you could port over to the US version in your patch without having to include copyrighted assets from the EU version
  • TwoSpikedHands @ TwoSpikedHands:
    @Sicklyboy I am wanting to fully change the game and bend it to my will lol. I would like to eventually have the ability to add more characters, enemies, even have a completely different story if i wanted. I already have the ability to change the tilemaps in the US version, so I can basically make my own map and warp to it in game - so I'm pretty far into it!
  • TwoSpikedHands @ TwoSpikedHands:
    I really would like to make a hack that I would enjoy playing, and maybe other people would too. swapping to the EU version would also mean my US friends could not legally play it
  • TwoSpikedHands @ TwoSpikedHands:
    I am definitely considering porting over some of the EU features without using the actual ROM itself, tbh that would probably be the best way to go about it... but i'm sad that the voice acting is so.... not good on the US version. May not be a way around that though
  • TwoSpikedHands @ TwoSpikedHands:
    I appreciate the insight!
  • The Real Jdbye @ The Real Jdbye:
    @TwoSpikedHands just switch, all the knowledge you learned still applies and most of the code and assets should be the same anyway
  • The Real Jdbye @ The Real Jdbye:
    and realistically they wouldn't

    be able to play it legally anyway since they need a ROM and they probably don't have the means to dump it themselves
  • The Real Jdbye @ The Real Jdbye:
    why the shit does the shitbox randomly insert newlines in my messages
  • Veho @ Veho:
    It does that when I edit a post.
  • Veho @ Veho:
    It inserts a newline in a random spot.
  • The Real Jdbye @ The Real Jdbye:
    never had that i don't think
  • Karma177 @ Karma177:
    do y'all think having an sd card that has a write speed of 700kb/s is a bad idea?
    trying to restore emunand rn but it's taking ages... (also when I finished the first time hekate decided to delete all my fucking files :wacko:)
  • The Real Jdbye @ The Real Jdbye:
    @Karma177 that sd card is 100% faulty so yes, its a bad idea
  • The Real Jdbye @ The Real Jdbye:
    even the slowest non-sdhc sd cards are a few MB/s
  • Psionic Roshambo @ Psionic Roshambo:
    https://www.youtube.com/watch?v=SjCivnt5t50
  • Karma177 @ Karma177:
    @The Real Jdbye it hasn't given me any error trying to write things on it so I don't really think it's faulty (pasted 40/50gb+ folders and no write errors)
  • DinohScene @ DinohScene:
    run h2testw on it
     +1
  • DinohScene @ DinohScene:
    when SD cards/microSD write speeds drop below a meg a sec, they're usually on the verge of dying
     +1
  • Psionic Roshambo @ Psionic Roshambo:
    Samsung SD format can sometimes fix them too
  • Purple_Heart @ Purple_Heart:
    yes looks like an faulty sd
  • Purple_Heart @ Purple_Heart:
    @Psionic Roshambo i may try that with my dead sd cards
     +1
  • Psionic Roshambo @ Psionic Roshambo:
    It's always worth a shot
  • TwoSpikedHands @ TwoSpikedHands:
    @The Real Jdbye, I considered that, but i'll have to wait until i can get the eu version in the mail lol
    TwoSpikedHands @ TwoSpikedHands: @The Real Jdbye, I considered that, but i'll have to wait until i can get the eu version in the...