How to get Switch Keys for Hactool/XCI Decrypting

Discussion in 'Switch - Tutorials' started by PRAGMA, Jun 10, 2018.

  1. PRAGMA
    OP

    PRAGMA GBAtemp Advanced Maniac

    Member
    9
    Dec 29, 2015
    Ireland
    127.0.0.1

    IMPORTANT:
    • DO NOT GIVE OUT ANY OF YOUR KEYS TO ANYONE! I CANNOT STRESS THAT ENOUGH!
    • DO NOT SHARE YOUR KEYS BETWEEN MULTIPLE SWITCHES THAT YOU DO/DONT OWN! THEY ARE UNIQUE
    • DO NOT ASK ME FOR KEYS


    NOTES:
    • This currently only results in 40 keys including SBK and TSEC while there are a total of 80 keys currently documented.
      While 40 will do for most decrypting, you MIGHT need more keys for some titles.
      Any tips to get the other 40 would be appreciated.
      Source
    • This does give you Master Key 0-4.


    Tutorial — RISEofProBB



      1. We need your SBK (Secure Boot Key) and TSEC (Tegra X1's Security Co-processor Keys) before we can get the main keys. These are 100% console unique.
      2. Download biskeydump from https://switchtools.sshnuke.net/
      3. Follow this tutorial but instead of using CTCaer's Hekate Mod .bin file, use the biskeydump.bin file.
      4. It will present you with a QR code. If the background of the QR code is red, it failed, re-boot and retry until its blue.
      5. Scan the QR code with your phone, laptop, e.t.c to easilly copy and paste it to your PC. You can just type it out onto your PC, but its faster and more efficient (you dont want to have an O when its actually a 0 or l when its an I, could you even tell which one was an I and which was an L here? :P).
      6. Save SBK and TSEC from biskeydump on your system somewhere. Make sure you remember which one is for SBK and TSEC.
      7. You now have SBK and TSEC. We now have the main keys to continue onwards! :D

      1. Follow this tutorial AGAIN but this time use CTCaer's Hekate Mod.
      2. Dumping BOOT0 - "Tools" -> "Dump eMMC BOOT". We now have BOOT0 and BOOT1
      3. Dumping BCPKG2-1-Normal-Main - "Tools" -> "Dump eMMC SYS". We now have BCPKG2-1-Normal-Main aswell as a couple other things we dont need. But it still spares us time from dumping the entire nand with regular hekate.
      4. We now have both required switch-nand based files we need to get and derive keys from.

      1. Go here and right-click > save as > save as type - All Files > Name keys.py > Save. (script by reswitched)
      2. NOTICE TO GBATEMP STAFF: The "keys" inside this file, are NOT keys, they are SHA digest hashes used to search through files to find text that matches, which would be the keys.
      3. Download and install Python 2.7.x - NOT Python 3.x.x (IMPORTANT: When installing, it will ask you what features you want installed, if you scroll to the bottom you should see a RED X where the rest are grey HDD icons. Click that red X and change it to "Entire feature installed to HDD". This sets Python in your environment path. I cannot stress how important this is. If you dont do this, you cannot continue)
      4. Download and extract hactool TO THE DESKTOP AND NAME THE FOLDER "hactool"
      5. Put the keys.py inside the folder for hactool, next to hactool.exe
      6. Copy the "BOOT0" file from Switch's SD card to the folder for hactool, next to hactool.exe and rename BOOT0 to BOOT0.bin to give it an extension of .bin
      7. Copy the "BCPKG2-1-Normal-Main" file from Switch's SD card to the folder for hactool, next to hactool.exe and rename BCPKG2-1-Normal-Main to BCPKG2-1-Normal-Main.bin to give it an extension of .bin

      1. Open Windows Search Bar and type "cmd" or "command prompt", right click and run as admin.
      2. Type the following:
        pip install lz4
      3. Once that finishes installing, Type the following:
        cd Desktop/hactool
      4. You should now be in the "hactool" folder.
      5. Once installed, type the following (Replace as it says):
        python keys.py ReplaceMeWithSBK ReplaceMeWithTSEC
      6. It will now execute the key extractor. In simple terms, what it's doing is extracting Package1 from BOOT0 -> Extracting keys from Package1 -> Using those keys to get other keys.
      7. It should say: "Now you can do hactool --keyset=keys.txt to use them!", if it does, and theres no warning messages, your good to go! :O
      If you get the following error on Part 5:
      Code:
      File "keys.py", line 259
      print message
      ^
      SyntaxError: Missing parentheses in call to 'print'. Did you mean print(message)?
      Then you typed: python keys.py ReplaceMeWithSBK ReplaceMeWithTSEC literally when your meant to replace ReplaceMeWithSBK and ReplaceMeWithTSEC with the keys you got.
      AND/OR your using Python 3.x.x when I told you to use 2.7.x, uninstall python, reboot (important) and install 2.7.x

      1. You now have a keys.txt file. Rename this to keys.ini to change it to an ini.
      2. Your done. You now have all the keys you need and your good to go.
        (do remember, that only 40 of the 80 total known keys are gotten via this tutorial, i'll try to improve the tutorial in the future to get all 80)
     
    Last edited by PRAGMA, Jun 16, 2018
  2. Haugh645

    Haugh645 Member

    Newcomer
    2
    Jul 12, 2011
    United States
    when you install python make sure to also pip install lz4 or it wont work.
     
  3. xXxSwagnemitexXx

    xXxSwagnemitexXx meme machine

    Member
    3
    Dec 7, 2016
    United Kingdom
    New Donk City
    nice use of tabs and information boxes

    i may use this turorial in the future
     
    Hoppy and PRAGMA like this.
  4. evans112682

    evans112682 Member

    Newcomer
    2
    Mar 30, 2009
    United States
    @RISEofProBB I followed the tutorial but your instructions on the keys.ini file are incomplete. Read over everything and it does not say what is supposed to be in the .ini file. Also when I tried to execute the command it gives me an error for LZ4. I see @Haugh645 mentions it needs installed but can you link the file and how to install it on Windows. Thanks
     
  5. PRAGMA
    OP

    PRAGMA GBAtemp Advanced Maniac

    Member
    9
    Dec 29, 2015
    Ireland
    127.0.0.1
    Forgot, updated, Thanks.

    — Posts automatically merged - Please don't double post! —

    I updated the tutorial and keys.ini you never have to mess with, the keys.py creates the keys.txt then u just change it to an .ini, done.
     
  6. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    20
    Oct 27, 2002
    France
    Engine room, learning
    Nice to see users start using tabs for better tutorials layout :)
    Tables have been added recently too.
     
    Last edited by Cyan, Jun 11, 2018
  7. evans112682

    evans112682 Member

    Newcomer
    2
    Mar 30, 2009
    United States
    @RISEofProBB I was referring to the keys.ini file you refer to in "Step 3 - File Preparation". Step 6 of that section says to put the keys.ini file next to hactool.exe. if we do not have that file until the final output than how are we supposed to add it in this step?

    Also how do we install LZ4 in Windows? What file do we need?
     
  8. PRAGMA
    OP

    PRAGMA GBAtemp Advanced Maniac

    Member
    9
    Dec 29, 2015
    Ireland
    127.0.0.1
    My bad, removed, skip that step.
     
    evans112682 likes this.
  9. Tommy084

    Tommy084 GBAtemp Regular

    Member
    2
    Feb 24, 2013
    Norway
    Type in «pip install lz4» in cmd

    i get this error tho
    Using BOOT0.bin to get keys from package1...
    Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!
    Windows 10 32 bit
    Switch 2.3.0

    Thanks for reply, but after dumping boot0 with ctchekate 2.3 and renameing it, still the same error.
    Gonna try with fat32 formated sd and dump again
     
    Last edited by Tommy084, Jun 11, 2018
  10. PRAGMA
    OP

    PRAGMA GBAtemp Advanced Maniac

    Member
    9
    Dec 29, 2015
    Ireland
    127.0.0.1
    Your boot0 is probably corrupt in some way or you didnt rename it to .bin
     
    Tommy084 likes this.
  11. Davelo

    Davelo Member

    Newcomer
    1
    Feb 10, 2018
    Bahrain
    I have a problem where i did "pip install lz4" but still get the lz4 error message

    Traceback (most recent call last):
    File "keys.py", line 25, in <module>
    import lz4.block
    ModuleNotFoundError: No module named 'lz4'

    any solution?
     
  12. SirNapkin1334

    SirNapkin1334 Renound Aritst

    Member
    5
    Aug 20, 2017
    United States
    Crap Mountain
    Are there any console-unique keys besides TSEC and SBK? If so, does this dump them?

    — Posts automatically merged - Please don't double post! —

    Try sudo pip install lz4
    Also try (can’t sure if this is correct, might be off) py -mpip instal lz4
    I haven’t used pip in a long time but if i remember correctly that might work.
     
    Endlessclouds likes this.
  13. Davelo

    Davelo Member

    Newcomer
    1
    Feb 10, 2018
    Bahrain
    It worked somehow but now i get these errors

    Using BOOT0.bin to get keys from package1...
    Deriving keys...
    Traceback (most recent call last):
    File "keys.py", line 374, in <module>
    stage0_results = subprocess.check_output([HACTOOL_PATH, "--keyset=keys.txt", "--intype=keygen", "BOOT0.bin"])
    File "/usr/lib/python2.7/subprocess.py", line 212, in check_output
    process = Popen(stdout=PIPE, *popenargs, **kwargs)
    File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
    File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
    OSError: [Errno 2] No such file or directory
     
  14. Clydefrosch

    Clydefrosch GBAtemp Psycho!

    Member
    9
    Jan 2, 2009
    Germany
    just to be sure, the keys this generates, are they unique in any way, or are they the same ones you can find with a google search?
     
  15. PRAGMA
    OP

    PRAGMA GBAtemp Advanced Maniac

    Member
    9
    Dec 29, 2015
    Ireland
    127.0.0.1
    Then you didnt install lz4 properly.

    — Posts automatically merged - Please don't double post! —

    Realistically all the keys are derived from the SBK, TSEC and Master Key 0-4, so realistically all of them are, but arent.

    — Posts automatically merged - Please don't double post! —

    There are no keys on google. Those are SHA digests used to find the keys in files. They are NOT keys.
     
  16. kevandkkim

    kevandkkim Member

    Newcomer
    1
    Nov 22, 2016
    United States
    Im not sure how else to install lz4? requirements say it is good for 2.7.

    Traceback (most recent call last):
    File "keys.py", line 25, in <module>
    import lz4.block
    File "C:\Python27\lib\site-packages\lz4\__init__.py", line 11, in <module>
    from ._version import ( # noqa: F401
    ImportError: DLL load failed: The specified module could not be found.
     
  17. LordVe

    LordVe Member

    Newcomer
    1
    May 28, 2018
    United States
    Question: Does this derive the SDSeed key for NAX0 decrypting? That is the only key I haven't a clue how to get...
     
  18. strangequark

    strangequark Newbie

    Newcomer
    1
    May 15, 2018
    United States
    I also got this problem, can someone help?
     
  19. SirNapkin1334

    SirNapkin1334 Renound Aritst

    Member
    5
    Aug 20, 2017
    United States
    Crap Mountain
    Actually, they are on Google, you just know what to search for (found a file containing every single key, not the SHAs).
     
  20. dfsfds2

    dfsfds2 Member

    Newcomer
    1
    Apr 7, 2018
    China
    The following error occurred while using the "python keys.py <SBKSecureBootKey> <TSEC>" command
     

    Attached Files:

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice