This might be out of scope, but could support for mounting files be added? So files can be accessed without taking up extra space on the hard drive).

I'm running this on windows 10

NAX0:
    Magic:                          NAX0
    Content Type:                   NCA
    Content Size:                   00035ec40000
    Header HMAC:                    B428EE167EAA94B83887462A805742652625E4D0D1EF47243ACA4EC0BF0CA96F
    Encrypted Keys:                 78D1653A79DC83FDE2E64112F26497785182DD2B8264A1E757E3FC9DFC5AE310
    Decrypted Keys:                 AC1285A13B72AE9BCF2E7E615AC7C8A60240E2C4BDFA992B799956EC5B30831F
Saving Decrypted NAX0 Content to game.nca...
Failed to read file!

The user should have some way of importing keys from a file, so that new keys don't need to be manually compiled in every time.

Add before 1.0 release.

The program can't open and just says:
Cannot convert "C:\Users\Čeněk" to UTF-16

Could the ability to extract data from a container within a container be added? E.g. extract romfsdir from XCI.

ncatool reads filedata directly into structs. This will fail on big endian systems. Needs fixing in the moderate-to-long term.

ASAN log: https://hastebin.com/fajijidacu.go
crashing sample: heapoverflownpdm.zip
found through afl-fuzz

I have already built the newest version using source code.

When I try to extract update romfs of Taiko no Tatsujin, I used the command:
hactool -k keys.txt taiko103.nca --titlekey=xxxxxxxx --baseromfs=baseromfs.bin --romfsdir=romfs
I'm sure titlekey and baseromfs have no problem.
Then it looks extracting the romfs files,but when it extracted about 98% files of romfs,the tool will give a massage'fail to open romfs' and stop extarting.
(I extracted the baseromfs,it has no problem,just extracted all files of romfs.)

I'm looking for a plug-in that can be used to open the kip1 to the IDA

==19624==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000b00 at pc 0x0001000020d3 bp 0x7ffeefbc6960 sp 0x7ffeefbc6958
READ of size 8 at 0x606000000b00 thread T0
    #0 0x1000020d2 in save_remap_init_segments save.c:91
    #1 0x100007f90 in save_process save.c:640
    #2 0x1000aae50 in main main.c:731

The logic in this function doesn't really make sense. It repeatedly sets seg->entries to newly allocated buffers of size sizeof(remap_entry_ctx_t) (i.e. only one element), then at the end tries to use it like an array (seg->entries[seg->entry_count - 1]).

When I try to use extract taiko no tatsujin v1.0.11 update file(nsp) with the command:
hactool -t pfs0 xxx.nsp --outdir=xxx
It shows 'Error:PFS0 is corrupt!'
Then I open the nsp file in UltraEdit,and cut the ncas manually.The ncas can be decrypted with no problem.
I compare v1.0.11 update file with v1.0.10's,the different is that in v1.0.11,cert and tik files are not first two files in nsp,they are last two files.So,is this the reason hactool can't read the nsp file?

when I run
Saschas-MBP:HACTOOL Sn0wden$ ./hactool -x mk8.xci -k keys.ini
Invalid NCA header! Are keys correct?
Done!
Saschas-MBP:HACTOOL Sn0wden$
when only trying to specify the keys file by running:
Saschas-MBP:HACTOOL Sn0wden$ ./hactool -k keys.ini
unable to open : No such file or directory
Saschas-MBP:HACTOOL Sn0wden$
the keys.ini file exists. proof:
Saschas-MBP:HACTOOL Sn0wden$ file keys.ini
keys.ini: ASCII text, with very long lines
Saschas-MBP:HACTOOL Sn0wden$

macos 10.13.6 (17G65)

Currently, ncatool doesn't give very good output when keys are wrong. Needs improvement.

I'm using this command line to use the update.nca with the base_game.nca to dump the full game:
hactool location\of\update.nca --romfsdir=C:\location\of\romfs --exefsdir=C:\location\of\exefs --basenca C:\location\of\base_game.nca
And I can -i the update or the base_game.nca separately and they'll show the correct titlekeys, because I have the titlekeys in the ~/.switch folder
however when used together with that command line, I get this: [WARN] Unable to match rights id to titlekey. Update title.keys?
but again, when I -i them separately, their correct titlekeys show up beneath the rightsID in the headers
And all that is output is:

Saving main.npdm to C:\Switch\Games\01007EF00011E000 - Breath of the Wild - Test\exefs\main.npdm...
Saving rtld to C:\Switch\Games\01007EF00011E000 - Breath of the Wild - Test\exefs\rtld...
Saving sdk to C:\Switch\Games\01007EF00011E000 - Breath of the Wild - Test\exefs\sdk...
Saving subsdk0 to C:\Switch\Games\01007EF00011E000 - Breath of the Wild - Test\exefs\subsdk0...

and it stops dumping, nothing in romfs

Failed to save romfs using section1dir=, section1=, romfs= and romfsdir= but works on 1.10 using these options.

aes.o: In function aes_calculate_cmac': aes.c:(.text+0x1c5): undefined reference to mbedtls_cipher_cmac_starts'
aes.c:(.text+0x1d7): undefined reference to mbedtls_cipher_cmac_update' aes.c:(.text+0x1e6): undefined reference to mbedtls_cipher_cmac_finish'
collect2: error: ld returned 1 exit status
Makefile:17: recipe for target 'hactool' failed
make[1]: *** [hactool] Error 1
make[1]: Leaving directory '/mnt/c/GITHUB/SWITCH/hactool'
Makefile:10: recipe for target 'all' failed
make: *** [all] Error 2

Currently, we use libgcrypt for cryptographic operations.

This is somewhat undesirable, because we'd like to have zero external dependencies -- however, libgcrypt provides an AES-XTS implementation that mbedTLS does not.

Consider switching anyway?

This will also necessitate removing the libiconv dependency, if we do so.

Hi @SciresM How are you? I want to open the game update and extract the contents.I get this error.

Note: cannot save BKTR section without base romfs.

Thanks.

Edit: I can extract game files without problems.

Please look.

Hi

need your help

I am trying to get a static build command using an Alpine OS, but always failed in error

omfs.o nca0_romfs.c nca0_romfs.c: In function 'nca0_romfs_print': nca0_romfs.c:140:41: warning: unused parameter 'ctx' [-Wunused-parameter] 140 | void nca0_romfs_print(nca0_romfs_ctx_t *ctx) { | ~~~~~~~~~~~~~~~~~~^~~ gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o romfs.o romfs.c gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o utils.o utils.c romfs.c: In function 'romfs_print': romfs.c:137:31: warning: unused parameter 'ctx' [-Wunused-parameter] 137 | void romfs_print(romfs_ctx_t *ctx) { | ~~~~~~~~~~~~~^~~ gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o nax0.o nax0.c gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o nso.o nso.c gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o lz4.o lz4.c gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o nca.o nca.c gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o xci.o xci.c gcc -I ./mbedtls/include -c -O2 -Wall -Wextra -pedantic -std=gnu11 -fPIC -D_BSD_SOURCE -D_POSIX_SOURCE -D_POSIX_C_SOURCE=200112L -D_DEFAULT_SOURCE -D__USE_MINGW_ANSI_STDIO=1 -D_FILE_OFFSET_BITS=64 -o main.o main.c main.c: In function 'usage': main.c:112:9: warning: string length '5102' is greater than the length '4095' ISO C99 compilers are required to support [-Woverlength-strings] 112 | "\n", __TIME__, __DATE__, prog_name); | ^~~~ main.c: In function 'main': main.c:372:44: error: increment of pointer to an incomplete type 'FILE' {aka 'struct _IO_FILE'} 372 | nca_ctx.tool_ctx->base_file++; /* Guarantees base_file != NULL. I'm so sorry. */ | ^~ make[1]: *** [Makefile:14: main.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: Leaving directory '/WARP/hactool' make: *** [Makefile:11: all] Error 2
gcc --version
gcc (Alpine 9.2.0) 9.2.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Command used :

git clone https://github.com/SciresM/hactool.git
cd hactool
mv config.mk.template config.mk
export CPPFLAGS="--static -static"
export CFLAGS="--static -static "
export LDFLAGS="--static -static -Wl,--no-as-needed -ldl -lpthread -pthread"
make -j$(nproc)

thanks for your help,

When I try to extrating data from update 1.0.5 of Taiko no Tatsujin,I find some data could not be decrypted.

For example(I have already used --onlyupdated to gnore non-updated files in update partitions),
From 1.0.1-1.0.4,I can use gzip to unzip the file 'Data/NX/datatable/wordlist.bin' (this file is updated in every patch)after I extracted the update patch with baseromfs_raw/basenca.
But in 1.0.5,I can't unzip it(The header of the file is not 1F 8B 08).It looks like be encrypted.
In the same time,the file 'Data/NX/datatable/shougou.bin' is all right.I can unzip it in both 1.0.4 and 1.0.5(it is different in 1.0.4 and 1.0.5).

I don't know whether it's a bug of hactool or just the format of wordlist.bin is changed in 1.0.5.

The NCAID of update 1.0.5 is bd352fb419fb6ce22a670b1d1bacaed1
The NCAID of basegame is 1adf729f7da40d33b068997adbac355c

hactool rejects pfs0 files and says they're corrupt if the first file's offset isn't 0, but the switch OS has no problem opening these same files. The same probably applies if there's unused space between files but I have not tested it.

I'm trying to extract a nca update file from a .nca folder with a single 00 file inside (it is Pokémon Sword update). I downloaded last hactool.exe release and used this command:

hactool -k foldername/prod.keys -t nax0 --sdseed=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --sdpath="/foldername/folder.nca" --plaintext=game.nca "D:/foldername/folder.nca/00"

prod.keys file is inside the correct folder, i extracted it using Lockpick_RCM. Changed the Xs with sd_seed found inside prod.keys file. I'm getting this (i removed the values between the ""):

[WARN] prod.keys does not exist.
[WARN]: Failed to match key "bis_kek_source", (value "")
[WARN]: Failed to match key "bis_key_00", (value "")
[WARN]: Failed to match key "bis_key_01", (value "")
[WARN]: Failed to match key "bis_key_02", (value "")
[WARN]: Failed to match key "bis_key_03", (value "")
[WARN]: Failed to match key "bis_key_source_00", (value "")
[WARN]: Failed to match key "bis_key_source_01", (value "")
[WARN]: Failed to match key "bis_key_source_02", (value "")
[WARN]: Failed to match key "device_key", (value "")
[WARN]: Failed to match key "device_key_4x", (value "")
[WARN]: Failed to match key "eticket_rsa_kek", (value "")
[WARN]: Failed to match key "eticket_rsa_kek_source", (value "")
[WARN]: Failed to match key "eticket_rsa_kekek_source", (value "")
[WARN]: Failed to match key "retail_specific_aes_key_source", (value "")
[WARN]: Failed to match key "rsa_oaep_kek_generation_source", (value "")
[WARN]: Failed to match key "rsa_private_kek_generation_source", (value "")
[WARN]: Failed to match key "save_mac_key", (value "")
[WARN]: Failed to match key "save_mac_sd_card_kek_source", (value "")
[WARN]: Failed to match key "save_mac_sd_card_key_source", (value "")
[WARN]: Failed to match key "sd_card_custom_storage_key_source", (value "")
[WARN]: Failed to match key "sd_seed", (value "")
[WARN]: Failed to match key "ssl_rsa_kek", (value "")
[WARN]: Failed to match key "ssl_rsa_kek_source_x", (value "")
[WARN]: Failed to match key "ssl_rsa_kek_source_y", (value "")
Error: File has invalid NAX0 magic!
Done!

What is the problem?

I've been trying to dump a full game by combining an update.nca and the base_game.nca both taken from the SD card for a bit now, and I want to get someone's knowledgeable take on what I could be doing wrong.

I can correctly dump the base_game.nca, as seen by this image. I have the prod.keys and the title.keys in the correct ~/.switch folder, so that when running the the -i command, there is no error about any title key issues. The same can be seen in this image for the update.nca

Here is an image of an .szs file when created by just the base_game.nca: image. The header is clearly marked by the compression algorithm, along with the file type.

And here is the same file after being created by dumping the base_game.nca with the update.nca: image. Nothing is recognizable, just pure corruption.

Here is an image of the command line passed to get these files: image. There's a [warn] about titlekeys that wasn't present before, but aside from that you wouldn't be able to tell anything was wrong without looking at the files.

If there's a correct way to do this, then I would just love to learn it.

I've previously been successful in combining an update.nca and a base_game.nca if they came from the rawnand.bin and the sd card respectively.

Hello there,

I was trying to use this on my mac running firmware version 10.11.6 but there is just a .exe file in the folder of the unpacked release 1.1.0, I know you just provided a hactool version for windows user, it is not supposed to have a .dmg (or any format supported by Mac) file in the folder. That is why I tried to open the .exe file with wineBottler (running windows based programs on Mac) but somehow wineBottler wont react if I open zhe .exe file.

Can someone please say mehow we can use this on Mac?

I appreciate every answer/possible solution

Trying to extract an NCA from Nintendo's servers, af428a1 broke (some) decryption, one NCA works, another doesn't, both verified with the SHA-256. 1.1.0 works (both pre-built and compiled), straight from repo does not. Bisected(?) it, everything up to that commit works fine. Not sure why one works and another doesn't.

The seed and the path are valid. Was attempting to dump Minecraft: Nintendo Switch Edition until I got this.

The NAND dump I got this from is a Switch running on latest FW (5.0.2)

I have compiled hactool on Raspberry Pi (raspbian) and command-line parsing is not working.
Hactool always prints usage information and exits with error code with any command line flags supplied.

Everything seems to work fine if variable type for getopt_long call is changed form char to int:

Everytime i click on it the cmd opens and closes immediatly(i have Python 2.7 and i have tried admin mode too) please help

Why do I get these errors? How do I fix them?

[WARN]: Failed to match key "per_console_key_source", (value "4F025F0EB66D110EDC327D4186C2F478")
[WARN]: Failed to match key "rsa_oaep_kek_generation_source", (value "A8CA938434127FDA82CC1AA5E807B112")
[WARN]: Failed to match key "rsa_private_kek_generation_source", (value "EF2CB61A56729B9157C38B9316784DDD")
[WARN]: Failed to match key "eticket_rsa_kek_source", (value "DBA451124CA0A9836814F5ED95E3125B")
[WARN]: Failed to match key "eticket_rsa_kekek_source", (value "466E57B74A447F02F321CDE58F2F5535")
[WARN]: Failed to match key "eticket_rsa_kek", (value "19C8B441D318802BAD63A5BEDA283A84")
[WARN]: Failed to match key "ssl_rsa_kek", (value "B011100660D1DCCBAD1B1B733AFA9F95")
[WARN]: Failed to match key "ssl_rsa_key_source_x", (value "7F5BB0847B25AA67FAC84BE23D7B6903")
[WARN]: Failed to match key "ssl_rsa_key_source_y", (value "9A383BF431D0BD8132534BA964397DE3")
[WARN]: Failed to match key "sd_card_save_key", (value "8F696AEED967F492041CD7DACE7BAFB2F20A25AD13108ED9BAB662A09C28CC86")
[WARN]: Failed to match key "sd_card_nca_key", (value "2A34D7A63F1F6C87EA8068E8A67DD66F9637EAFF943686D74F5AB43FCBCEC6DA")
[WARN]: Failed to match key "capsrv_hmac_key", (value "287AABF9FED34D4E995CC7BE0D914A3221B9822A45524649B0A2CBCDD4B98E4A")
Invalid NCA header! Are keys correct?

In order for it to build needed to change :
extern int fseeko64 (FILE *__stream, _off64_t __off, int __whence);

to :
extern int fseeko64 (FILE *__stream, off64_t __off, int __whence);

I don't know why, but Windows Defender for some reason thinks newest hactool (1.3.3) release has a virus.

ZIP: https://www.virustotal.com/gui/file/563327399cddabf5313f2058ac176b81a7587ff9b4b5244205d4163771652f25/detection
EXE: https://www.virustotal.com/gui/file/ba2c8267b85a7285ee736b92c4907b050d508b99c2d111603cb1cbec6baf7dfd/detection

Just to show that this is only MS thing. :P

Any older release is not flagged by Windows Defender.

It looks like latest release is now not compatible with newest games from cartridges. So it's not useful anymore for newest releases from eshop and cartridges. But last build from here works correctly with both formats. So maybe it's time to share next release for windows?

Basically, I'm trying to extract the romfs from a NSP, but the tool says that section 0 and 1 are corrupted, the only thing worth noting is that the Master Key Revision field says 7 (Unknown)

So I have Hactool, I've been trying for the past 2 hours to get my SSBU modded and I run into this:
Failed to match key errors running down my cmd

I'm trying my hardest to know whats going on... I've put prod.keys into a .switch folder and i have my gamedump in my Hactool directory. Please someone help!

Rajkosto's biskeydump displays it in little-endian byte order, but since Kate's sample payload is more easily accessible, more people would have dumped their SBK using it.
A good solution would be to attempt derivation once again with endianness reversal if the keyblob MAC is detected as invalid, then if that fails, display the "check SBK/TSEC" error.

Hi, I was wondering if you could release a version of this tool that was already built? I have no idea on how to compile it manually.

If not possible, could you maybe create a video on how to do it?

Currently, ncatool does not support BKTR partitions (update RomFS).

Implementing this will be complicated, but is necessary. Currently the highest priority item.

The --romfs option is completely ignored when extracting an update section.
Extracting to a directory (--romfsdir) works fine so I assume this is an oversight.

We'd like to have no external dependencies, but we're dependent on libiconv. What's the best way to convert utf-8 to utf-16le without it?

Having an issue with hactool, stating that Section 0 and Section 1 are corrupted. This only happens on some, not all. I've checked and verified that some NCAs verify correctly.

I have all keys up to 05, and it is pulling them. I can successfully use nut to convert the NSX to NSP with the supplied titlekey, so I am not sure where the disconnect is.

Not sure where the issue lies.

Hi,

is it possible to use the script on macOS?
Because in releases tab there is only a windows one if i understood correctly.

Another question: Could you please add an example which parameters are necessary to decrypt and extract an xci file?
Would be great because couldn't find a tutorial for that and the GUI's are all only for windows.

Would be really nice if it would work :)

Hello. Have some problem with HACTOOL and Onimusha Warlords. Want unpack romfs for translation purpose. But there is a problem. XCI (NTSC-J) unpacked normally, but when it's time for unpack NCA... Well, GUI-version just can't unpack, scripts from GBATemp get this:

SDK version - 4. How i can solve this problem?

Code in package.h dont seem to follow the proper layout per firmware version. Also seems the offsets might be messed up too since the output files are all messed up.

Could be really cool to return non zero code when something went wrong ^^

(Thanks for this incredible tool).

The game: Cube Creator X (JPN), xci contains 4 partitions: update, logo, normal, secure.
hactool exit with: "Error: Invalid XCI partition!"

package1_key is derived here but this code is never reached if key revision >= 6
https://github.com/SciresM/hactool/blob/master/pki.c#L1121

ncatool currently only supports NCAs.

In the moderate-to-long term:
-XCI support (gamecart image -> partitions/ncas, this will include HFS0)
-add "-t" argument, support for "nca", "pfs0", "romfs", etc.
-Add support for Package1/Package2 archives?

Loading a DLC NCA (e.g. Octo Expansion) shows up with an unknown type. The RomFS can be dumped and extracted, but there might be a lot more information than that.

I ported your code to Visual Studio and found a critical bug in aes_decrypt() code (AES decryption worked in a wrong way).
It's forbidden to pass same buffers as input and output to mbedtls_cipher_update.

Quote from mbedtls_cipher_update description:

param output: buffer for the output data. Should be able to hold at least ilen + block_size. Cannot be the same buffer as input!

Possible fix (with extra buffer allocation):

void aes_decrypt(aes_ctx_t *ctx, void *dst, const void *src, size_t l) 
{
    int bExtraBuff = 0; 

    if (src == dst)
    {
        bExtraBuff = 1;

        dst = malloc(l);
        assert(dst);
    }

    size_t out_len = 0;
    
    /* Prepare context */
    mbedtls_cipher_reset(&ctx->cipher_dec);
    
    /* XTS doesn't need per-block updating */
    if (mbedtls_cipher_get_cipher_mode(&ctx->cipher_dec) == MBEDTLS_MODE_XTS)
        mbedtls_cipher_update(&ctx->cipher_dec, (const unsigned char * )src, l, (unsigned char *)dst, &out_len);
    else
    {
        unsigned int blk_size = mbedtls_cipher_get_block_size(&ctx->cipher_dec);
        
        /* Do per-block updating */
        for (int offset = 0; (unsigned int)offset < l; offset += blk_size)
        {
            int len = ((unsigned int)(l - offset) > blk_size) ? blk_size : (unsigned int) (l - offset);
            mbedtls_cipher_update(&ctx->cipher_dec, (const unsigned char * )src + offset, len, (unsigned char *)dst + offset, &out_len);
        }
    }
    
    /* Flush all data */
    mbedtls_cipher_finish(&ctx->cipher_dec, NULL, NULL);

    if (bExtraBuff)
    {
        memcpy( (void*)src, dst, l );
        free(dst);
    }
}

Since a few things were broken in 1.2.0, including update extraction, I think it'd be best if a new release was issued soon:tm: