Skip to content

@eliboa eliboa released this Aug 13, 2019 · 5 commits to master since this release

NAND decryption/encryption (AES-XTS)

NxNandManager can now decrypt or encrypt NAND file/drive (rawnand or encrypted partition file "PRODINFO", "SAFE", "SYSTEM", etc).
A keyset file containing biskeys must be provided.

CLI Usage :

Use -d argument to decrypt, -e to encrypt.

Keys can be provided by the -keyset argument to the keyset filename.
The program can parse keyset files made with biskeydump or lockpick :

   BIS Key 0 (crypt): <16-byte hex key>
   BIS Key 0 (tweak): <16-byte hex key>


   bis_key_00 = <32-byte hex key>
   bis_key_01 = <32-byte hex key>


Decrypt full rawnand :
NxNandManager.exe -i rawnand.bin -o rawnand.dec -d -keyset keys.dat

Decrypt single partition file :
NxNandManager.exe -i PRODINFO -o PRODINFO.dec -d -keyset keys.dat

Encrypt single partition file :
NxNandManager.exe -i PRODINFO.dec -o PRODINFO.enc -e -keyset keys.dat

Decrypt & restore single partition file to physical drive
NxNandManager.exe -i PRODINFO.dec -o \\.\PhysicalDrive3 -part=PRODINFO -e -keyset keys.dat

Encrypt & restore full rawnand
NxNandManager.exe -i rawnand.dec -o \\.\PhysicalDrive3 -e -keyset keys.dat


GUI has been updated to support crypto operations.
Keys can be added through 'Configure keyset' entry in 'Options' menu


An "incognito" option has been implemented. As blawar's incognito does, it will wipe out all console unique id's and certificates from CAL0. It can be useful since Atmosphere prevents writing to CAL0.

The program will need bis keys to apply incognito on encrypted file/drive

CLI usage : To apply incognito, use --incognito argument (applies to input -i type : RAWNAND or PRODINFO). For example : NxNandManager.exe --incognito -i rawnand.bin -d -keyset keys.dat

GUI : Use appropriate entry in "Options" menu


  • When keys are provided or if content is already decrypted, the program can retrieve additional information (CLI :--info, GUI : File > Properties)
    • Firmware version & ExFat driver (based on .nca filenames is SYSTEM, the exact same way FVI does it, or from journal/play reports in SYSTEM)
    • Serial Number (from PRODINFO or journal in SYSTEM)
    • Last boot time (from SYSTEM/save/8000000000000060, same way FVI does it)
  • Bootloader version is now retrieved from BOOT0
  • The program prevents the system from entering sleep mode when copy is is progress.


MCMrARM for switch_decrypt
blawar for incognito
shchmue for FVI

Assets 4
You can’t perform that action at this time.