RELEASE CertNXtractionPack - Get your Switch cert from a NAND dump!

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by SimonMKWii, May 14, 2018.

  1. scottgl

    scottgl Member

    Newcomer
    1
    Jan 4, 2016
    United States
    Awesome, finally got my nx_tls_client_cert.pfx. Note that if you are able to get your public certificate but the private key seems invalid, make sure you run 02_convert_to_der.py! So can I only use this to download content that I have access to? Perhaps we could set up some kind of web server to have something similar to eshop.
     
  2. PatrickJr

    PatrickJr GBAtemp Regular

    Member
    2
    Jan 5, 2017
    Bridgwater
    I seem to be getting "Error: rsa_private_kek_generation_source is incorrect (hash mismatch detected)". I filled out all the information, but I still get that issue.
     
  3. MeteK

    MeteK GBAtemp Regular

    Member
    2
    Dec 31, 2012
    France
    Hello!

    Must the final generated files be "clcert.der" and "privk.bin"?
     
    Last edited by MeteK, May 15, 2018
  4. SocraticBliss

    SocraticBliss Advanced Member

    Newcomer
    1
    Jun 3, 2017
    United States
    Well, I guess you could change them to output in whatever name you want, but the scripts generate those files if you provide the keys and the decrypted PRODINFO.bin...
     
  5. MeteK

    MeteK GBAtemp Regular

    Member
    2
    Dec 31, 2012
    France
    OK, I think I have made it ... around 4Ko for the correct pfx?

     
    Last edited by MeteK, May 15, 2018
  6. SocraticBliss

    SocraticBliss Advanced Member

    Newcomer
    1
    Jun 3, 2017
    United States
    yep :)
     
  7. MeteK

    MeteK GBAtemp Regular

    Member
    2
    Dec 31, 2012
    France
    Ok, thanks a lot ;)
     
  8. mooglazer

    mooglazer GBAtemp Regular

    Member
    3
    Jun 24, 2007
    United States
    Same error as @ehnoah - tried this both under Windows and Linux.

    edit: extracted PRODINFO.bin using hactool. Under Linux, I tried using both python2 and python3. On Windows, only python3.

    The gist posted by SocraticBliss does generate privk.bin and clcert.der from PRODINFO.bin.

    $ python3 02_convert_to_der.py
    Traceback (most recent call last):
      File "02_convert_to_der.py", line 144, in <module>
        main()
      File "02_convert_to_der.py", line 100, in main
        E, N = get_pubk(clcert)
      File "02_convert_to_der.py", line 58, in get_pubk
        clcert_decoder.enter() # Seq, 3 elem
      File "/usr/lib/python3.4/site-packages/asn1.py", line 448, in enter
        raise Error('Cannot enter a non-constructed tag.')
    asn1.Error: Cannot enter a non-constructed tag.

    $ python2 02_convert_to_der.py
    Traceback (most recent call last):
      File "02_convert_to_der.py", line 144, in <module>
        main()
      File "02_convert_to_der.py", line 100, in main
        E, N = get_pubk(clcert)
      File "02_convert_to_der.py", line 58, in get_pubk
        clcert_decoder.enter() # Seq, 3 elem
      File "/usr/lib/python2.7/site-packages/asn1.py", line 448, in enter
        raise Error('Cannot enter a non-constructed tag.')
    asn1.Error: Cannot enter a non-constructed tag.

     
    Last edited by mooglazer, May 15, 2018
  9. SocraticBliss

    SocraticBliss Advanced Member

    Newcomer
    1
    Jun 3, 2017
    United States
    Yeah, I am currently tweaking the scripts a bit more to give a little help; now, when you run the file from my gist, it will at least tell you if you are missing the pycrypto dependency...

    http://gist.github.com/socraticbliss/4410790b6e5a27161f521c45d1eb2684

    Let me know if you guys have issues with this... either comment in the gist or comment here...
     
    SimonMKWii likes this.
  10. SimonMKWii
    OP

    SimonMKWii GBAtemp Fan

    Member
    7
    Nov 18, 2017
    Australia
    Melbourne, Victoria
    Thanks so much for this!
    Hopefully this should solve the issues people were having...
     
  11. mooglazer

    mooglazer GBAtemp Regular

    Member
    3
    Jun 24, 2007
    United States
    So could the issue I'm running into be caused by invalid output from CertNXtractionPack.py?

    $ openssl x509 -in clcert.der -inform der -text
    unable to load certificate
    139976002414480:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:

    I believe I'm getting the right ssl_kek, but perhaps it's something specific to the output of clcert.der?

    edit: The system is 4.1.0, if it matters
     
    Last edited by mooglazer, May 15, 2018
  12. scottgl

    scottgl Member

    Newcomer
    1
    Jan 4, 2016
    United States
    Now that we have the pfx cert, are there any tools available for downloading from CDN and possibly unpacking content from CDN? It seems very doable, I'd like to know what is currently blocking us from unpacking content from CDN to SD and loading onto the NSW.
     
  13. SocraticBliss

    SocraticBliss Advanced Member

    Newcomer
    1
    Jun 3, 2017
    United States
    Ensure that you are using a valid/good PRODINFO.bin, I have noticed that there are quite a few people who have been using the encrypted version of the file without first using their BIS 0 key to decrypt it...

    I have also put all the scripts in my gist (http://gist.github.com/socraticbliss/4410790b6e5a27161f521c45d1eb2684), download all the files, toss them in a folder with the PRODINFO.bin, and double click/run the CertNXtractionPack.cmd
     
    Last edited by SocraticBliss, May 15, 2018
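
Added example, not part of any post above and not code from the CertNXtractionPack scripts or the gist: a check of the outer DER header, illustrating why "Cannot enter a non-constructed tag" and "header too long" both indicate that clcert.der is not DER at all (as when PRODINFO.bin is still encrypted). The function names, the 4-octet length limit and the sample bytes are assumptions made for this illustration.

```python
def read_der_header(buf):
    """Parse the first tag/length pair; return (tag, header_len, content_len)."""
    if len(buf) < 2:
        raise ValueError("truncated input")
    tag, first = buf[0], buf[1]
    if first < 0x80:                  # short form: length fits in 7 bits
        return tag, 2, first
    n = first & 0x7F                  # long form: n length octets follow
    if n == 0:
        raise ValueError("indefinite length is not allowed in DER")
    # Assumed limit: no certificate needs more than 4 length octets.
    if n > 4 or len(buf) < 2 + n:
        raise ValueError("length header too long")
    return tag, 2 + n, int.from_bytes(buf[2:2 + n], "big")


def check_der_certificate(buf):
    """Return (ok, reason) for a blob that is supposed to be a DER certificate."""
    try:
        tag, hlen, clen = read_der_header(buf)
    except ValueError as exc:
        return False, str(exc)
    if not tag & 0x20:                # bit 6 clear: primitive, cannot be entered
        return False, "tag 0x%02x is not constructed" % tag
    if tag != 0x30:                   # a certificate is an outer SEQUENCE
        return False, "outer tag 0x%02x is not a SEQUENCE" % tag
    if hlen + clen > len(buf):
        return False, "declared length %d exceeds the %d bytes present" % (
            clen, len(buf) - hlen)
    return True, "SEQUENCE of %d bytes" % clen


# Constructed sample inputs (not taken from any real device or dump).
SAMPLES = {
    "minimal valid DER": bytes.fromhex("3003020101"),
    "random-looking bytes": b"\x8e\x41\x07\xd2",
    "oversized length field": b"\x30\x89" + bytes(16),
    "truncated certificate": b"\x30\x82\x04\x00" + bytes(10),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-24s %s" % (name, check_der_certificate(blob)))
```
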
  14. mooglazer

    mooglazer GBAtemp Regular

    Member
    3
    Jun 24, 2007
    United States
    That was my issue, thanks for the pointer.
     
  15. Dudamax

    Dudamax Advanced Member

    Newcomer
    1
    May 30, 2017
    United States
    Can't get ssl_kek to generate, command prompt just closes quickly
     
  16. SocraticBliss

    SocraticBliss Advanced Member

    Newcomer
    1
    Jun 3, 2017
    United States
    Try the scripts from my gist, it has a pause in them so it doesn't close the window automatically...
     
  17. Dudamax

    Dudamax Advanced Member

    Newcomer
    1
    May 30, 2017
    United States
    And how do I get prodinfo.bin btw
     
  18. SocraticBliss

    SocraticBliss Advanced Member

    Newcomer
    1
    Jun 3, 2017
    United States
    Gotta dump your SYSNAND, it will be part of that, easiest way is with a 64 GB MicroSD card (can use 32 possibly...)
     
  19. Dudamax

    Dudamax Advanced Member

    Newcomer
    1
    May 30, 2017
    United States
    Sorry for the repetitiveness of questions, but how do I dump the sysnand?
     
  20. SocraticBliss

    SocraticBliss Advanced Member

    Newcomer
    1
    Jun 3, 2017
    United States
    C'mon dude, searching the forum is a bit faster than answering questions back and forth. Gotta boot your switch into RCM, then load a payload to your switch and dump your SYSNAND; can use something like TegraRcmSmash, biskeydumpv6 and hekate... http://switchtools.sshnuke.net/
     
    Last edited by SocraticBliss, May 16, 2018