This guide assumes you have previous experience with hactool and messing with your NAND. You aren't supposed to blindly copy commands in this, so read before pasting!
Also, the Python sections require Python 2.7 and pycrypto.
- Open `sd:/Nintendo/contents/private` in a hex editor.
- Copy the hex representation of it and put it somewhere for later.
- Mount your NAND's SYSTEM partition.
- Open `/save/8000000000000043` in a hex editor.
- Search for the contents of `private`.
- Copy the 16 bytes after that. This is your SD seed. Don't lose it!
- Replace `put_eticket_rsa_kek_here` in get_titlekeys.py with the actual eticket_rsa_kek.
- Copy `/save/80000000000000e1` and `/save/80000000000000e2` to your computer.
- Run both files through get_ticketbins.py. This should give you a personal_ticketblob.bin and common_ticketblob.bin.

  ```
  python get_ticketbins.py 80000000000000e1
  python get_ticketbins.py 80000000000000e2
  ```
- Run get_titlekeys.py with the first argument being a raw backup of your PRODINFO.bin and the second being a ticketblob.

  ```
  python get_titlekeys.py /path/to/PRODINFO.bin personal_ticketblob.bin
  python get_titlekeys.py /path/to/PRODINFO.bin common_ticketblob.bin
  ```
- Save the outputs somewhere safe. These are your title keys! If you buy another title and want to dump it, you'll have to do these steps again.
- Open `sd:/Nintendo/Contents/registered`. There should be a lot of folders with hexadecimal names (e.g. 0000004C).
- Use a tool like WizTree to find the sizes of each folder. This can help pinpoint what title you should dump. Taking a look at the creation dates can help, too.
- Time for the part everyone messes up:

  Let's say the title you want to dump is at `F:/Nintendo/Contents/registered/00001337/cafebebecafebebecafebebecafebebe.nca/00`.

  The command you would write would look something like this:

  ```
  hactool -k path/to/your.keys -t nax0 --sdseed=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --sdpath="/registered/00001337/cafebebecafebebecafebebecafebebe.nca" --plaintext=game.nca "F:/Nintendo/Contents/registered/00001337/cafebebecafebebecafebebecafebebe.nca/00"
  ```

  If it works, great! If you get `Error: NAX0 key derivation failed. Check SD card seed and relative path?`, you probably messed up typing the command.

  On certain titles, hactool will complain about sectors as of version 1.1.0. A patch has been merged into the repo, but a release has yet to be made as of this guide.
- It's not over yet! The dumped NCA is still title key encrypted. Run `hactool -k path/to/your.keys your.nca`. Since it's encrypted, hactool will complain about it being corrupted.
- Check the output for the `Rights ID`. For example, Splatoon 2 USA would say `Rights ID: 01003BC0000A00000000000000000000`.
- Look for the corresponding title key in your title key dump.
- Finally, run this command:

  ```
  hactool -k path/to/your.keys game.nca --plaintext=game_decrypted.nca --titlekey=put_your_title_key_here
  ```
- You're done! Now you can do whatever you want with that decrypted NCA.
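The SD seed search and the NAX0 command from the steps above, as an added example that is not part of the original guide or of hactool. It is written for Python 3 with only the standard library; `find_sd_seed` and `nax0_argv` are hypothetical helper names, and the sample bytes are constructed. It derives `--sdpath` from the file's own path and rejects a malformed seed, the two things the key derivation error points at.

```python
import re
from pathlib import PurePosixPath

SEED_LEN = 16  # the guide: "Copy the 16 bytes after that"

def find_sd_seed(private: bytes, save: bytes) -> str:
    """Hex of the 16 bytes that follow the `private` contents inside the save."""
    if not private:
        raise ValueError("private file is empty")
    seeds, pos = set(), save.find(private)
    while pos != -1:
        end = pos + len(private)
        if end + SEED_LEN <= len(save):  # skip a match truncated by end of file
            seeds.add(save[end:end + SEED_LEN].hex().upper())
        pos = save.find(private, pos + 1)
    if len(seeds) != 1:  # zero or conflicting matches: do not guess
        raise ValueError(f"expected one seed candidate, found {len(seeds)}")
    return seeds.pop()

def nax0_argv(nax0_file: str, sd_seed: str, keys: str, out: str) -> list:
    """hactool argument list with --sdpath derived from the file's own path."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", sd_seed):
        raise ValueError("SD seed must be 32 hex characters (16 bytes)")
    parts = PurePosixPath(nax0_file.replace("\\", "/")).parts
    lowered = [p.lower() for p in parts]
    if "contents" not in lowered:
        raise ValueError("path has no Contents directory")
    rel = parts[lowered.index("contents") + 1:-1]  # drop the trailing "00" file
    if not rel or not rel[-1].lower().endswith(".nca"):
        raise ValueError("expected <...>/Contents/<...>/<name>.nca/00")
    return ["hactool", "-k", keys, "-t", "nax0", f"--sdseed={sd_seed}",
            "--sdpath=/" + "/".join(rel), f"--plaintext={out}", nax0_file]

if __name__ == "__main__":
    # Constructed sample data, not real console contents.
    private = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")
    save = b"\x00" * 32 + private + bytes(range(16)) + b"\x00" * 32
    seed = find_sd_seed(private, save)
    print(" ".join(nax0_argv(
        "F:/Nintendo/Contents/registered/00001337/"
        "cafebebecafebebecafebebecafebebe.nca/00", seed, "your.keys", "game.nca")))
```

The returned list can be passed directly to `subprocess.run`, which avoids shell quoting differences between platforms.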
Shoutouts to Simpleflips whoever writes those python scripts. You guys are the best!