NAND decryption/encryption (AES-XTS)
NxNandManager can now decrypt or encrypt NAND file/drive (rawnand or encrypted partition file "PRODINFO", "SAFE", "SYSTEM", etc).
A keyset file containing biskeys must be provided.
CLI Usage :
-d argument to decrypt,
-e to encrypt.
Keys can be provided by the
-keyset argument to the keyset filename.
The program can parse keyset files made with biskeydump or lockpick :
BIS Key 0 (crypt): <16-byte hex key> BIS Key 0 (tweak): <16-byte hex key> ...
bis_key_00 = <32-byte hex key> bis_key_01 = <32-byte hex key> ...
Decrypt full rawnand :
NxNandManager.exe -i rawnand.bin -o rawnand.dec -d -keyset keys.dat
Decrypt single partition file :
NxNandManager.exe -i PRODINFO -o PRODINFO.dec -d -keyset keys.dat
Encrypt single partition file :
NxNandManager.exe -i PRODINFO.dec -o PRODINFO.enc -e -keyset keys.dat
Decrypt & restore single partition file to physical drive
NxNandManager.exe -i PRODINFO.dec -o \\.\PhysicalDrive3 -part=PRODINFO -e -keyset keys.dat
Encrypt & restore full rawnand
NxNandManager.exe -i rawnand.dec -o \\.\PhysicalDrive3 -e -keyset keys.dat
GUI has been updated to support crypto operations.
Keys can be added through 'Configure keyset' entry in 'Options' menu
An "incognito" option has been implemented. As blawar's incognito does, it will wipe out all console unique id's and certificates from CAL0. It can be useful since Atmosphere prevents writing to CAL0.
The program will need bis keys to apply incognito on encrypted file/drive
CLI usage : To apply incognito, use
--incognito argument (applies to input
-i type : RAWNAND or PRODINFO). For example :
NxNandManager.exe --incognito -i rawnand.bin -d -keyset keys.dat
GUI : Use appropriate entry in "Options" menu
- When keys are provided or if content is already decrypted, the program can retrieve additional information (CLI :
--info, GUI : File > Properties)
- Firmware version & ExFat driver (based on .nca filenames is SYSTEM, the exact same way FVI does it, or from journal/play reports in SYSTEM)
- Serial Number (from PRODINFO or journal in SYSTEM)
- Last boot time (from
SYSTEM/save/8000000000000060, same way FVI does it)
- Bootloader version is now retrieved from BOOT0
- The program prevents the system from entering sleep mode when copy is is progress.