Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Undi

1) Interesting, try this file and see what dependency you are "missing"

https://gist.github.com/SocraticBliss/ee41a7fabe35230ed54b9e1b1e2080b5

2) Can't run it like that in python 3...
Code:
Microsoft Windows [version 10.0.17134.81]
(c) 2018 Microsoft Corporation. Tous droits réservés.

C:\Users\Undi>cd C:\Users\Undi\Desktop\CertNXtraction

C:\Users\Undi\Desktop\CertNXtraction>python Convert_to_der.py
Traceback (most recent call last):
  File "Convert_to_der.py", line 143, in <module>
    main()
  File "Convert_to_der.py", line 106, in main
    E, N = get_pubk(clcert)
  File "Convert_to_der.py", line 65, in get_pubk
    clcert_decoder.enter() # Seq, 3 elem
  File "C:\Python27\lib\site-packages\asn1.py", line 448, in enter
    raise Error('Cannot enter a non-constructed tag.')
asn1.Error: Cannot enter a non-constructed tag.
 

SocraticBliss

K, out of curiosity, remove the import asn1 from the top of the script and let's see if there is anything failing before that/blocking something...
 

Undi

Code:
Traceback (most recent call last):
  File "Convert_to_der.py", line 142, in <module>
    main()
  File "Convert_to_der.py", line 105, in main
    E, N = get_pubk(clcert)
  File "Convert_to_der.py", line 62, in get_pubk
    clcert_decoder = asn1.Decoder()
NameError: global name 'asn1' is not defined

Can I PM you my PRODINFO.bin for you to extract my CERT?
I don't really have the time to do that and my PC is slowly dying, not really fun to work on it.
Thanks in advance!
 

SocraticBliss

Yup :)
 

seanzscreams

Go for it, here to help :)
I'm having the hardest time decrypting the prodinfo.

I have fully dumped the NAND twice just to ensure a good dump.

I use hac disk
mount NAND backup
extract prodinfo (inputting correct biskeys)

No errors

just your prod info is still encrypted

I have Python 3.6 on top of 2.7.

I have pip installed future, asn1, enum34, pycrypto and pycryptodome.

I'm using the latest pull you posted with the cmd line CertNXtractionPack.cmd

Inserted the 4 keys into the CertNXtractionPack.py

Nothing

I have my keys, biskey dumped
got my keys.py

Any help would be appreciated.

Can I PM you my prod info to decrypt, please? I'm pulling my hair out.
 
Last edited by seanzscreams,

SocraticBliss

Go for it, as a FYI, I am currently using Python 2.7...

If you open your PRODINFO.bin file, does it start with CAL0? If not, then it isn't decrypted. Remember, in HacDiskMount you have to Save to file the PRODINFO.bin.
 

seanzscreams

Yeah, I have done that step to no avail.

I originally tried all of this on 2.7 but I couldn't get any of the modules to install.

Here's my p info, please let me know when you have it and can delete this ... I forgot I can't send DMs.

Just trying to get my cert, please.

Lost my old account zman and can't remember the email login :hateit:
 

SocraticBliss

Got it, next time just send a PM :P
 

Killoso32

I have a problem with 03_save_as_pfx.bat:

Code:
C:\Users\Killoso\Desktop\Xci>03_save_as_pfx.bat

C:\Users\Killoso\Desktop\Xci>openssl x509 -inform DER -in clcert.der -outform PEM -out clcert.pem
C:\Users\Killoso\Desktop\Xci>openssl rsa -inform DER -in privkey.der -outform PEM -out privkey.pem
writing RSA key
C:\Users\Killoso\Desktop\Xci>cat clcert.pem privkey.pem  1>nx_tls_client_cert.pem
"cat" is not recognized as an internal or external command
C:\Users\Killoso\Desktop\Xci>openssl pkcs12 -export -in nx_tls_client_cert.pem -out nx_tls_client_cert.pfx -passout pass:switch
Loading 'screen' into random state - done
unable to load private key

?

EDIT: I got it. I renamed the "cat" in 03_save_as_pfx.bat to "type."
 
Last edited by Killoso32,
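
Added example, not part of the original posts or of CertNXtractionPack: in the output above the `cat` step failed, so the redirect left an empty nx_tls_client_cert.pem and the pkcs12 export could not find a key in it. This pre-flight check (function names and the sample PEM bodies are constructed for illustration) reports what a cert+key bundle is missing before it is handed to `openssl pkcs12 -export`.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Labels of every well-formed PEM block whose body is valid base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        labels.append(label)
    return labels

def bundle_problems(text):
    """Reasons a cert+key bundle is unfit as input to a PKCS#12 export."""
    labels = pem_labels(text)
    problems = []
    if not text.strip():
        problems.append("bundle is empty (the concatenation step produced nothing)")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    return problems

# Constructed sample data: placeholder base64 bodies, not real certificate or key material.
CLCERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
PRIVKEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nU0FNUExF\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(bundle_problems(""))                        # what the failed `cat` left behind
    print(bundle_problems(CLCERT_PEM + PRIVKEY_PEM))  # what `type` produces
```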

Shajk00

Hi everyone, I tried hactool and kezplez in order to obtain rsa_private_kek_generation_source, key_x and key_y but with no success. How am I supposed to dump this key?
EDIT: never mind, did not pay enough attention to the OP, my fault.
 
Last edited by Shajk00,

jelbo

Ok, for the last hour I've been trying this.
  • Python 3.7.0 is all set up in Windows, with pip, pycryptodome, future and asn1.
  • I've dumped my 5.0.1 Switch's rawnand.bin using Hekate CTCaer mod and TegraRcmGUI.
  • I've extracted some keys using Rajkosto's biskeydumpv6.
  • Using those keys (BIS KEY 0 (crypt) and BIS KEY 0 (tweak)) and Rajkosto's HacDiskMount, I've dumped a PRODINFO.bin, that has CAL0 as the first string.
  • I'm using @SocraticBliss' scripts, with the 4 needed keys entered in CertNXtractionPack.py.
  • I've extracted openssl.exe and other files from this OpenSSL Windows build in the scripts dir.
  • I put PRODINFO.bin in the scripts dir.
Running CertNXtractionPack.cmd I get:

Code:
E:\Switch\>CertNXtractionPack.cmd
SocraticBliss and SimonMKWii (R)

PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory.
-- Insert the 4 required keys in the top of the CertNXtractionPack.py script.
-- Hint: lines 10, 11, 12, 13, replace only the 32 F's with the correct key.


Error: Your PRODINFO.bin is still encrypted!

0) Get your BIS Keys (via biskeydump)
1) Save your SYSNAND backup (via hekate)
2) Decrypt your PRODINFO (via HacDiskMount) with BIS Key 0
3) Save to file -> PRODINFO.bin (to your working directory)
4) Run the CertNXtractionPack.cmd script again!

Press any key to continue . . .
 
Last edited by jelbo,

SocraticBliss

Crap, sorry about that dude, can you try with Python 2.7?

Another idea: it is currently looking at the first four bytes for the CAL0 text. You can simply comment out the raise exception line if you really know that the PRODINFO.bin you have in the directory of the Python script is decrypted :)

Again, my bad!
 
Last edited by SocraticBliss,
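
Added example, not code from CertNXtractionPack: a first-four-bytes CAL0 check written so that it gives the same answer on Python 2.7 and 3.x. The `text_literal_check` form is an assumption about how such a check can misfire on Python 3, where bytes read from a file never compare equal to a text string; the script's own source is not shown in this thread, and all function names and sample bytes here are constructed.

```python
import binascii
import io
import sys

CAL0_MAGIC = b"CAL0"  # bytes literal, so the comparison means the same on 2.7 and 3.x

def text_literal_check(stream):
    """Assumed (hypothetical) form of the check: compares the bytes read to a text literal."""
    return stream.read(4) == "CAL0"

def bytes_literal_check(stream):
    """Version-independent form: compares bytes to bytes."""
    return stream.read(4) == CAL0_MAGIC

def describe_header(stream):
    """Say what the first four bytes indicate, instead of a bare pass/fail."""
    head = stream.read(4)
    if head == CAL0_MAGIC:
        return "decrypted: CAL0 magic present"
    if len(head) < 4:
        return "file too short: %d byte(s)" % len(head)
    return "no CAL0 magic, first bytes are %s" % binascii.hexlify(head).decode("ascii")

# Constructed samples: a header that starts with CAL0, and arbitrary non-matching bytes.
DECRYPTED = b"CAL0" + b"\x00" * 28
ENCRYPTED = bytes(bytearray([0x9c, 0x1f, 0xe3, 0x47] * 8))

if __name__ == "__main__":
    # On Python 3 the first line prints False even though the data starts with CAL0.
    print(sys.version_info[0], text_literal_check(io.BytesIO(DECRYPTED)))
    print(bytes_literal_check(io.BytesIO(DECRYPTED)))
    print(describe_header(io.BytesIO(ENCRYPTED)))
```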

snoofly

Got my nand off my 1.0 and cert files as well now, thx again.
I had that problem above doing it first time but can’t remember how I fixed it, sorry.
I think I just reextracted prodinfo (although I’d already done it before) and tried it again.
 
