Hacking RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

[SocraticBliss]

Uninstalled 3.7.0, installed 2.7.15, but now pip or pip3 isn't recoginised as a command from cmd.exe

Pip should be, reinstall 2.7.15 and ensure you check the box that says add to path!

You can also do python pip install blah blah blah...

 

[snoofly]

fwiw i did everything on python 3.7

 

[SocraticBliss]

fwiw i did everything on python 3.7

Ok then it sounds like there was a problem with his PRODINFO.bin, it needs to be in the same directory with the same name as above... your encrypted version must be named something else (without the bin extension)

 

[jelbo]

Pip should be, reinstall 2.7.15 and ensure you check the box that says add to path!

I had to use the x86 version of Python, not the x64 build.

After a succesful pip install pycryptodome, pip install future and pip install asn1, and running your .cmd, I now get:

SocraticBliss and SimonMKWii (R)

PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory.
-- Insert the 4 required keys in the top of the CertNXtractionPack.py script.
-- Hint: lines 10, 11, 12, 13, replace only the 32 F's with the correct key.

Traceback (most recent call last):
  File "CertNXtractionPack.py", line 5, in <module>
    from pip._internal import main as pipmain
ImportError: No module named _internal

Press any key to continue . . .

 

[SocraticBliss]

I had to use the x86 version of Python, not the x64 build.

After a succesful pip install pycryptodome, pip install future and pip install asn1, and running your .cmd, I now get:

SocraticBliss and SimonMKWii (R)

PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory.
-- Insert the 4 required keys in the top of the CertNXtractionPack.py script.
-- Hint: lines 10, 11, 12, 13, replace only the 32 F's with the correct key.

Traceback (most recent call last):
  File "CertNXtractionPack.py", line 5, in <module>
    from pip._internal import main as pipmain
ImportError: No module named _internal

Press any key to continue . . .

I had x64 installed, this is weird...

 

[jelbo]

Changing

from pip._internal import main as pipmain

to

from pip import main as pipmain

in both .py scripts gets me further. But another error:

SocraticBliss and SimonMKWii (R)

PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory.
-- Insert the 4 required keys in the top of the CertNXtractionPack.py script.
-- Hint: lines 10, 11, 12, 13, replace only the 32 F's with the correct key.

Verifying keys...

ssl_rsa_kek = <snip>

Script #1 Completed Successfully!
Saved clcert.der and privk.bin to your working directory.

Checking Dependencies...

  Cache entry deserialization failed, entry ignored
enum34 successfully installed!
future successfully installed!
asn1 successfully installed!
Traceback (most recent call last):
  File "Convert_to_der.py", line 162, in <module>
    main()
  File "Convert_to_der.py", line 117, in main
    E, N = get_pubk(clcert)
  File "Convert_to_der.py", line 74, in get_pubk
    clcert_decoder = asn1.Decoder()
NameError: global name 'asn1' is not defined

Press any key to continue . . .

I do have both clcert.der (2,00 KB (2.048 bytes)) and privk.bin (256 bytes) now though.

/edit: got it to work, finally.

1. Revert my changes to the .py scripts (so it's from pip._internal import main as pipmain again)
2. Upgraded pip using python -m pip install --upgrade pip
3. Ran CertNXtractionPack.cmd

SocraticBliss and SimonMKWii (R)

PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory.
-- Insert the 4 required keys in the top of the CertNXtractionPack.py script.
-- Hint: lines 10, 11, 12, 13, replace only the 32 F's with the correct key.

Verifying keys...

ssl_rsa_kek = <snip>

Script #1 Completed Successfully!
Saved clcert.der and privk.bin to your working directory.

Script #2 Completed Successfully!
Saved privkey.der to your working directory.

Program Completed Successfully!
Saved nx_tls_client_cert.pfx to your working directory.
password = switch

 

[SocraticBliss]

snip

Updated the GIST to update pip + setuptools before installing modules

https://gist.github.com/SocraticBliss/4410790b6e5a27161f521c45d1eb2684

Guys let me know if this doesn't work so I can update it if needed!

 

[peteruk]

There is an automated bot on switch hacks Discord that does the whole process for you, just drop your prodinfo.bin with the command .cert and job done file dumped for you

 

[Kupie]

GCNBot#4388 on discord, if you message with ".cert" and your prodinfo attached, will send you your cert right away.

Just used it, confirmed it works with CDNSP. I think it's actually a bot made by @SimonMKWii himself, based on the name.

 

[t1op]

Want your cert to access Nintendo's CDN, but you're not on 3.0.0 anymore so you can't run the PegaSwitch script?
Don't worry, I've got you covered!
Included in the pack is everything you need to generate a pfx certificate file from a NAND dump!

Usage:

• First, make sure Python3 and both the asn1 and pycrypto modules are installed.
• Next, copy your PRODINFO.bin partition into the folder.

...
How 2 get dem keyz???

• The first key is generated by XORing the AES_KEK (kek_mask 0) with the CryptoUsecase_RsaPrivate seed (kek_seed 1).
• The second key is the original master key, you can extract it from your keyblobs using hactool.
• The third and fourth keys are plaintext in the ssl sysmodule NSO.
• Or alternatively, you can skip this entire step by finding the ssl_kek online, not giving links for obvious reasons... (Trust me, it's out there!

I want to run CDNSP. I have a NAND backup.
I have installed Python 3.7. I don't understand the "modules" part.
How do I get PRODINFO.bin? I put in "the folder" with the scripts?
I don't understand any of the above key stuff, nor do I know what I am supposed to do with them .

 

[CorrellRoy]

I've been doing this for 4hours, got my BIS Keys and PRODINFO.bin and so lost on what all to do so I can get the nx_tls_client_cert.pem

 

[CorrellRoy]

Ok heres what all I did so far

Downloaded and extract CertNXtractionPack
Downloaded CertNXtractionPack.py
Used biskeydump and gotten all BIS keys, HWI, SBK, TSEC Keys, eMMC Id key, and Device key
Ran HacDiskMount, Opened PRODINFO, Tested the keys and saved PRODINFO.bin
Ran CMD on "01_decrypt_privk_extract_cert " and Failed to open PRODINFO.bin

 

[valyndaslayer]

Does anyone really want to tell how are we gonna get this key:

rsa_private_kek_generation_source
ssl_rsa_kek_source_x
ssl_rsa_kek_source_y

I saw this included in full 80 keys list on other forum, but I cannot find any tutorial that is able to generate all 80 keys.. (or at least tutorial written with human language, not crypto geeks )

 

[Mario119]

I followed the instructions in post #160 (can't post a link to it because I'm new) and I'm receiving the following error upon running 00_generate_ssl_kek.py.

00_generate_ssl_kek.py", line 21, in <module>
    rpk_key = GenerateAesKek(rsa_private_kek_generation_source, key_x_gak, key_x_gak)
NameError: name 'key_x_gak' is not defined

 

[shchmue]

Does anyone really want to tell how are we gonna get this key:

rsa_private_kek_generation_source
ssl_rsa_kek_source_x
ssl_rsa_kek_source_y

I saw this included in full 80 keys list on other forum, but I cannot find any tutorial that is able to generate all 80 keys.. (or at least tutorial written with human language, not crypto geeks )

not sure about the first, the last two are hard coded in the ES title along with some others

 

[andybarrn]

I've been working on trying to get my certs for 2 days. Using Windows 10
Uninstalled python 3.6, installed 2.7.8
Used get-pip.py to install pip
Verified PRODINFO.bin is decrypted - it's showing CAL0 at the start of the file
Have copied the correct keys into CertNXtractionPack.py
I have CertNXtractionPack.py, CertNXtractionPack.cmd, openssl.exe, PRODINFO.bin, & Convert_to_der.py in python folder
Have verified python is installed to my PATH

When running CertNXtraction.cmd from powershell in C:\Python27\ folder still getting the following error:

PRE-REQUISITES:
-- Get your BIS Keys (via biskeydump)
-- Dump your SYSNAND (via hekate)
-- Decrypt your PRODINFO (BIS 0 Key) and Save to file - PRODINFO.bin to your working directory.
-- Insert the 4 required keys in the top of the CertNXtractionPack.py script.
-- Hint: lines 10, 11, 12, 13, replace only the 32 F's with the correct key.

Press any key to continue . . .
Error: Install Python to your path then run again!

Any help would be greatly appreciated.

 

[andybarrn]

So I changed pycrypto to cryptodome in CertNXtractionPack.py, and have gotten slightly farther.

I now believe the CertNXtranctionPack.py finishes completely, but am getting stuck with Script #2.

I now get the attached output.

I changed some of the directory information to xxx, as I wasn't sure if the information was good to put out.

 

[andybarrn]

Nevermind, I appear to have resolved my issue. Ended up having to do manual pip install for ans1 and future, but then I was able to get the script to run properly.

 

[Mario119]

So I was able to progress pass the error I had prior, but now I'm running into a new problem upon running '02_convert_to_der.py'

  File "C:\Users\username\AppData\Local\Programs\Python\Python37-32\lib\site-packages\asn1.py", line 541, in _read_bytes
    raise Error('Premature end of input.')
asn1.Error: Premature end of input.

Help would be appreciated!

 

[TheExpertNoob]

yes @SimonMKWii these need help please. I also have premature input error.