If you take the URLs on your github page for the 11.0 NATIVE_FIRM and replace the last part of the url with cetk, you get an encrypted titlekey (I think) for the firmware. Run it though dump_ticket_keys.py, then Decrypt9, then chop off all but the last 16 bytes of the result.That makes sense, I suppose, considering they're just title keys.
I was able to check my process by comparing with an O3DS key I still had from an old version of the hack.
Edit: I found how it all works from the Cakes instructions thread.
Last edited by Kirtai,