More actions
Hactool | |
---|---|
File:Hactoolswitch.png | |
General | |
Author | SciresM |
Type | PC Utilities |
Version | 1.4.0 |
License | ISC |
Last Updated | 2020/06/02 |
Links | |
Download | |
Website | |
Source | |
Hactool is a software application that enables users to access information, decrypt, and extract popular file formats for the Nintendo Switch console, including Nintendo Content Archives. This tool draws significant inspiration from ctrtool.
Features
- Support for reading plaintext Package2 files was added.
- NPDM -> JSON conversion was added.
- KIP1 -> JSON conversion was added.
- Keygen can now be performed without passing a BOOT0 file.
- Support for newer XCIs with a logo partition was added.
- Support for pre-1.0.0 NCA0 files was added.
- Support for uncompressing NSO0 and KIP1 files was added via --uncompressed=
- Titlekeys can now be loaded from an external "title.keys" file, located in the same directory as prod.keys or dev.keys. -Titlekeys should be stored in the format hexadecimal_rights_id = hexadecimal_title_key.
- Various [WARN]s were added when odd behavior is detected.
- Added support for NAX0 (Nintendo Aes Xts File(system), SD Card content).
- Added support for key derivation using EKS (keyblobs) and sbk/tsec key.
- Support was added for pre-1.0.0 "NCA2" content.
The following Switch file formats are supported:
- NCA
- XCI
- HFS0
- PFS0
- RomFS
- NPDM
- Package1 (PK11)
- Package2 (PK21)
- INI1
- KIP1
- NAX0
- NSO0
- Save files
Usage
Usage: hactool [options...] <file> Options: -i, --info Show file info. This is the default action. -x, --extract Extract data from file. This is also the default action. -r, --raw Keep raw data, don't unpack. -y, --verify Verify hashes and signatures. -d, --dev Decrypt with development keys instead of retail. -k, --keyset Load keys from an external file. -t, --intype=type Specify input file type [nca, xci, pfs0, romfs, hfs0, npdm, pk11, pk21, ini1, kip1, nax0, save, keygen] --titlekey=key Set title key for Rights ID crypto titles. --contentkey=key Set raw key for NCA body decryption. --disablekeywarns Disables warning output when loading external keys. NCA options: --plaintext=file Specify file path for saving a decrypted copy of the NCA. --header=file Specify Header file path. --section0=file Specify Section 0 file path. --section1=file Specify Section 1 file path. --section2=file Specify Section 2 file path. --section3=file Specify Section 3 file path. --section0dir=dir Specify Section 0 directory path. --section1dir=dir Specify Section 1 directory path. --section2dir=dir Specify Section 2 directory path. --section3dir=dir Specify Section 3 directory path. --exefs=file Specify ExeFS file path. Overrides appropriate section file path. --exefsdir=dir Specify ExeFS directory path. Overrides appropriate section directory path. --romfs=file Specify RomFS file path. Overrides appropriate section file path. --romfsdir=dir Specify RomFS directory path. Overrides appropriate section directory path. --listromfs List files in RomFS. --baseromfs Set Base RomFS to use with update partitions. --basenca Set Base NCA to use with update partitions. --basefake Use a fake Base RomFS with update partitions (all reads will return 0xCC). --onlyupdated Ignore non-updated files in update partitions. NPDM options: --json=file Specify file path for saving JSON representation of program permissions to. KIP1 options: --json=file Specify file path for saving JSON representation of program permissions to. --uncompressed=f Specify file path for saving uncompressed KIP1. NSO0 options: --uncompressed=f Specify file path for saving uncompressed NSO0. PFS0 options: --pfs0dir=dir Specify PFS0 directory path. --outdir=dir Specify PFS0 directory path. Overrides previous path, if present. --exefsdir=dir Specify PFS0 directory path. Overrides previous paths, if present for ExeFS PFS0. RomFS options: --romfsdir=dir Specify RomFS directory path. --outdir=dir Specify RomFS directory path. Overrides previous path, if present. --listromfs List files in RomFS. HFS0 options: --hfs0dir=dir Specify HFS0 directory path. --outdir=dir Specify HFS0 directory path. Overrides previous path, if present. --exefsdir=dir Specify HFS0 directory path. Overrides previous paths, if present. XCI options: --rootdir=dir Specify XCI root HFS0 directory path. --updatedir=dir Specify XCI update HFS0 directory path. --normaldir=dir Specify XCI normal HFS0 directory path. --securedir=dir Specify XCI secure HFS0 directory path. --logodir=dir Specify XCI logo HFS0 directory path. --outdir=dir Specify XCI directory path. Overrides previous paths, if present. Package1 options: --package1dir=dir Specify Package1 directory path. --outdir=dir Specify Package1 directory path. Overrides previous path, if present. Package2 options: --package2dir=dir Specify Package2 directory path. --outdir=dir Specify Package2 directory path. Overrides previous path, if present. --extractini1 Enable INI1 extraction to default directory (redundant with --ini1dir set). --ini1dir=dir Specify INI1 directory path. Overrides default path, if present. INI1 options: --ini1dir=dir Specify INI1 directory path. --outdir=dir Specify INI1 directory path. Overrides previous path, if present. --saveini1json Enable generation of JSON descriptors for all INI1 members. NAX0 options: --sdseed=seed Set console unique seed for SD card NAX0 encryption. --sdpath=path Set relative path for NAX0 key derivation (ex: /registered/000000FF/cafebabecafebabecafebabecafebabe.nca). Save data options: --outdir=dir Specify save directory path. --listfiles List files in save file. Key Derivation options: --sbk=key Set console unique Secure Boot Key for key derivation. --tseckey=key Set console unique TSEC Key for key derivation.```
Usage of External Keys
To provide external keys, one can use the -k/--keyset argument followed by the filename of the keyset. These keysets are text files that contain keys written in the format "key_name = HEXADECIMALKEY". The case of the keys and the presence of whitespace doesn't matter.
Alternatively, if the -k/--keyset option is not set, hactool will search for a keyset file named prod.keys in $HOME/.switch/ directory (or dev.keys if -d/--dev is set) and automatically load it, if available.
Media
Decrypting Switch Firmwares with hactool: a tutorial - ((C)ode e(X)ecute)
Screenshots
Changelog
(v.1.4.0)
- Support was fixed for parsing save files (thanks @shchmue)!
- Support was fixed for extracting package1 binaries newer than 4.0.0.
- Support was added for performing mariko-specific key derivation.
- Support was added for decrypting and extracting mariko package1 binaries.
(v.1.3.3)
- Support was added for parsing Chinese game cards, which use a new hashing algorithm to validate HFS0 partitions.
(v.1.3.2)
- Support was added for validating new NCA header fixed-keys (9.x+)
- Romfs is now parsed via an iterative loop instead of recursion to prevent possible stack exhaustion.
(v.1.3.1)
- Output was fixed for displaying certain SDK versions.
- Support was added for validating new ACID keys (9.x+)
(v.1.3.0)
- Support was fixed for new (8.0.0+) key generation.
- Support was added for extracting 8.0.0+ Package2 binaries.
- SVC and key generation names were updated to latest definitions.
- Support was added for parsing and extracting save files (thanks @shchmue!)
- Support was added for decrypting and parsing the encrypted XCI header area (thanks @jakcron!).
- NPDM output was corrected when parsing the version field.
- Support was added for suppressing output of sensitive/decrypted keys.
- Support was added for only extracting NCAs if the content type is one specified.
- Support was added for automatically appending the NCA section type to extracted section content paths if an option is specified.
- Key derivation was fixed when deriving master keks from keyblobs.
- title.keys content restrictions were made looser (non-key lines are now allowed).
- Support was added for skipping output of invalid key warnings.
- A bug was fixed that caused PFS0 file entry calculations to fail.
(v.1.2.2)
- Support was added for 6.2.0+ new key derivation using tsec_root_key and master_kek_source_##.
- 6.2.0 keydata will no longer be called "Unknown".
- A bug was fixed involving argument violation to mbed_tls aes routines.
(v.1.2.1)
- Update extraction support should no longer cause errors.
- NPDM JSON output has been switched over to the new format.
- 6.x keydata will no longer be called "Unknown".
(v.1.2.0)
- NAX0 decryption failed when reading at unaligned offsets.
- NCAs making use of AES-XTS crypto are no longer completely broken
- Support for pre-1.0.0 NCA2 files was fixed, and now works properly
- Getopt is no longer broken on arm-linux (thanks @jakibaki!)
- Too many small ones to count :)
- "encrypted_header_key" was changed in keyset loading to "header_key_source", in order to be consistent with other key names.
(v.1.1.0)
- BKTR did not support the non-single bucket case, affecting games with huge patches (Splatoon 2, maybe others)
- Too many small ones to count :)
(v.1.0.1)
- Memory corruption when parsing some NPDMs
- Invalid AES mode used for titlekey decryption
- BKTR section validity unchecked before accessing decrypted data
- Edge case in BKTR subsection layout would cause infinite recursion
(v.1.0)
- First Release.