Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Imancol

pip install pycryptodome

--------------------- MERGED ---------------------------

Do you even know how to write Python code ???
I mean that code looks horrible... and btw what are rpk_key_y and key_x_gak ? both variables are undefined...

Thank you!. Now I get this xd

rpk_key = GenerateAesKek(rsa_private_kek_generation_source, key_x_gak, master_key)
NameError: name 'key_x_gak' is not defined
 

Gnarmagon

Thank you!. Now I get this xd
the last error is because the OP uploaded unfinished code, can't help you with that :(

Btw here is a slightly improved version: (still gives the error but it's now a lot more consistent...)
 

Attachments

  • CertNXtractionPack.zip
    732.5 KB · Views: 727

zizoux

  • "Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek."
Required keydata?
 

salamandrusker

Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:
  • First, make sure Python3 and both the asn1 and pycrypto modules are installed.
  • Next, copy your PRODINFO.bin partition into the folder
  • Now, add the required keydata into "00_generate_ssl_kek.py", then run it; this will output the ssl_kek.
  • Add the generated ssl_kek into "01_decrypt_privk_extract_cert.py", then run it, that will decrypt your private key and extract your cert.
  • Then, run "02_convert_to_der.py", which will convert the extracted files into DER.
  • Lastly, run "03_save_as_pfx.bat" to save it as an installable PFX certificate!
  • Voila! You can now find your generated certificate in the new folder named "Out"!
How 2 get dem keyz???
  • The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
  • The second key is the original master key, you can extract it from your keyblobs using hactool.
  • The third and fourth keys are plaintext in the ssl sysmodule NSO.
  • Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!)
Massive thanks to @SocraticBliss for helping me out with the python stuff and @SciresM for the RSA calcs required in script 02.


you have a magic power on your hands !!! congrats!! thanks!!
 

NANASHI89

But how do I dump the NAND? @SimonMKWii
 
Last edited by NANASHI89,

ut0pia

cat clcert.pem privkey.pem > nx_tls_client_cert.pem

.bat with cat command, that's why you end up with 0 filesize nx_tls_client_cert.pem
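
An added example, not part of the original pack or of any post in this thread: on Windows the `cat` line above finds no such command, while the `>` redirection has already created the output file, which is how a 0-byte nx_tls_client_cert.pem comes about. A portable Python equivalent that checks both inputs before writing anything; the function name build_pem_bundle is hypothetical, and the file names are the ones from the quoted command.

```python
import os
import tempfile

def build_pem_bundle(cert_path, key_path, out_path):
    """Concatenate a PEM certificate and a PEM private key; return bytes written."""
    parts = []
    for path, marker in ((cert_path, b"CERTIFICATE-----"),
                         (key_path, b"PRIVATE KEY-----")):
        with open(path, "rb") as fh:
            data = fh.read()
        # Refuse empty or wrong input instead of emitting a broken bundle
        if b"-----BEGIN " not in data or marker not in data:
            raise ValueError(f"{path}: no PEM header ending in {marker.decode()}")
        parts.append(data if data.endswith(b"\n") else data + b"\n")
    bundle = b"".join(parts)
    # Write to a temp file (created owner-only by mkstemp) and rename it,
    # so a failure never leaves a 0-byte out_path behind
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(out_path)))
    with os.fdopen(fd, "wb") as fh:
        fh.write(bundle)
    os.replace(tmp, out_path)
    return len(bundle)

if __name__ == "__main__":
    # Constructed placeholder PEM files (not real key material)
    work = tempfile.mkdtemp()
    cert = os.path.join(work, "clcert.pem")
    key = os.path.join(work, "privkey.pem")
    with open(cert, "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n")
    with open(key, "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nREVG\n-----END RSA PRIVATE KEY-----\n")
    out = os.path.join(work, "nx_tls_client_cert.pem")
    print(build_pem_bundle(cert, key, out), "bytes written to", out)
```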
 

Mazamin

print("eticket_ssl_rpk = " + hx(rpk_key).upper())
TypeError: Can't convert 'bytes' object to str implicitly
I fixed the code
Code:
from binascii import unhexlify as uhx, hexlify as hx
from Crypto.Cipher import AES

def decrypt(data, key):
    # AES-ECB decrypt of a single wrapped block under the given key
    return AES.new(key, AES.MODE_ECB).decrypt(data)

def unwrap(wrappedkey, kek):
    # Unwrap a wrapped key with its key-encryption key
    return decrypt(wrappedkey, kek)

# Placeholders: replace each 'X' with the hex value of the corresponding key
rsa_private_kek_generation_source = uhx('X')
master_key = uhx('X')
ssl_aes_key_x = uhx('X')
ssl_rsa_key_y = uhx('X')

def GenerateAesKek(rsa_private_kek_generation_source, ssl_aes_key_x, master_key):
    # Three chained unwraps: the kek source under the master key, then
    # ssl_aes_key_x, then ssl_rsa_key_y (read from the module-level variable)
    unwrapped_kek = unwrap(rsa_private_kek_generation_source, master_key)
    unwrapped_kekek = unwrap(ssl_aes_key_x, unwrapped_kek)
    return unwrap(ssl_rsa_key_y, unwrapped_kekek)

rpk_key = GenerateAesKek(rsa_private_kek_generation_source, ssl_aes_key_x, master_key)
# hexlify returns bytes; decode it before concatenating with a str
print("eticket_ssl_rpk = " + hx(rpk_key).upper().decode())
 

SocraticBliss

Thank you all. I was able to make the file Der. But when I want to create the "nx_tls_client_cert.pfx" with "03_save_as_pfx.bat" it does not build it and it creates a 0KB file...

--------------------- MERGED ---------------------------


ROLF

EDIT: Here, I made it easier for you, if you have a keys.txt file in the same directory (in the hactool format, ie. key = 32 digit hex value), it will automatically use the key, so you don't have to edit the script at all! :)

EDIT: I have added @JupiterJesus 's commit!

EDIT: Refer to latest post
 
Last edited by SocraticBliss,
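
An added example, not the script from the pack or from any poster: one way to read a keys.txt in the "key = 32 digit hex value" form described above and fail before any crypto runs if an entry is missing, duplicated or the wrong length. The key names are the variable names from the script posted earlier in the thread; that keys.txt uses the same names is an assumption, and load_keys is a hypothetical helper.

```python
import re

# Names taken from the variables in the script posted in this thread; that
# keys.txt uses the same names is an assumption of this example.
REQUIRED = ("rsa_private_kek_generation_source", "master_key",
            "ssl_aes_key_x", "ssl_rsa_key_y")
LINE = re.compile(r"^\s*(\w+)\s*=\s*([0-9A-Fa-f]+)\s*$")

def load_keys(text, required=REQUIRED, hex_digits=32):
    """Return {name: bytes} for the required keys, or raise listing every problem."""
    keys, seen, problems = {}, set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if m is None:
            # Report only the line number so key material never reaches logs
            problems.append(f"line {lineno}: not in 'name = hex' form")
            continue
        name, value = m.groups()
        if name not in required:
            continue  # unrelated entries may have other lengths
        if name in seen:
            problems.append(f"line {lineno}: {name} defined more than once")
        elif len(value) != hex_digits:
            problems.append(f"line {lineno}: {name} has {len(value)} hex digits, "
                            f"expected {hex_digits}")
        else:
            keys[name] = bytes.fromhex(value)
        seen.add(name)
    problems += [f"missing key: {n}" for n in required if n not in seen]
    if problems:
        raise ValueError("; ".join(problems))
    return keys

# Constructed sample values, not real keys
SAMPLE = "\n".join([
    "master_key = 000102030405060708090a0b0c0d0e0f",
    "rsa_private_kek_generation_source = 101112131415161718191A1B1C1D1E1F",
    "ssl_aes_key_x = 202122232425262728292a2b2c2d2e2f",
    "ssl_rsa_key_y = 303132333435363738393a3b3c3d3e3f",
    "unrelated_key = " + "ab" * 32,
])

if __name__ == "__main__":
    for name, value in load_keys(SAMPLE).items():
        print(name, len(value), "bytes")
```

The error text names the offending line and key but never echoes the value, so a pasted traceback does not disclose key material.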
