Decryption of Switch eShop titles: mark 2! by simonmkwii at 7:46 AM EDT on April 30, 2018
As I'm sure you're aware, there was a massive exploit that was discovered for Switch that allows you to do basically anything.

You can now dump your NAND, and it is possible to extract tickets, which contain title keys, from saves in your NAND.

Game update tickets have the title key stored in plaintext, so I can retrieve those easily.

Unfortunately, game data and DLC tickets are encrypted with a console-unique RSA-2048 key.

Luckily, this key is easy to retrieve, but unfortunately, it's stored encrypted, and it requires an RSA_KEK (key encryption key, which is common, not console-unique) to decrypt the RSA key.

The KEK source is stored in the es system applet binary, but requires a GenerateAesKek() function to derive the actual KEK.

I have no idea how to do this, so if anyone knows about the Switch's cryptosystem, please help!

I have an insane number of games to rip; I bought over 200 Switch games from the eShop, so the sooner, the better!
by simonmkwii at 7:49 AM EDT on April 30, 2018
By the way, these are the keys that I extracted from the binary:


I have no idea what any of them do, or which one is which; all I know is that one of them is the RSA_KEK source.
by furrybob at 11:07 AM EDT on April 30, 2018
The SHA256 of the key you're looking for is 46CCCF288286E31C931379DE9EFA288C95C9A15E40B00A4C563A8BE244ECE515
by simonmkwii at 11:43 AM EDT on April 30, 2018
@furrybob - I'm very well aware!
It's in SciresM's Python script.
The issue is, it only hashes to that value after being generated by GenerateAesKek.
by simonmkwii at 11:39 AM EDT on May 1, 2018
I have been racking my brain over this shit, anyone have any leads?
by simonmkwii at 12:09 AM EDT on May 2, 2018
No need for this thread anymore ;)
by simonmkwii at 12:14 AM EDT on May 2, 2018
So yeah, the generation chain is as follows:

master_key_00 > usecase3_key > eticket_rsa_kekek_source > eticket_rsa_kek_source
by simonmkwii at 8:39 AM EDT on May 2, 2018
Made a Python script and posted the key sources to RS; I kindly request that nobody posts the rsa_kek in full yet.