Merge pull request #113 from jakcron/v1.9.0-release

Update NSTool to v1.9.0
jakcron · Jan 20, 2024 · 9056cf1 · 9056cf1
2 parents 5cf2ef9 + 5b2d17c
commit 9056cf1
Show file tree

Hide file tree

Showing 7 changed files with 145 additions and 35 deletions.
diff --git a/SWITCH_KEYS.md b/SWITCH_KEYS.md
@@ -203,4 +203,18 @@ nstool <32 char rightsid>.tik
 ##### Personalised Tickets
 If the ticket is personalised (encrypted with console unique RSA key), NSTool will not support it. You will need to use extract the title key with another tool and pass the encrypted title key directly with the `--titlekey` option.
 
-# Title
+# Title Keys (title.keys)
+In order for NSTool to decrypt NCA files that use external content keys, the ticket or key data be provided to NSTool. For convience NSTool supports the hactool `title.keys` format. This file can store a dictionary of title keys, so that specifying a ticket or key data manually is not required, provided it is present in `title.keys`. This file must be present in: ___$HOME/.switch/___ .
+
+## Format
+* This file is in the format of (rights_id = title_key) pairs, each on their own line. 
+* There is no limit on the number of pairs. 
+* The `;` is the comment indicator. When parsing a file, it is treated as a new line character.
+* The format is case insensitive
+
+
+### Example
+For example if rights id `010003000e1468000000000000000008` had a title key `8fa820b219781d331cca08968e6e5b52`, the row would look like this:
+```
+010003000e1468000000000000000008 = 8fa820b219781d331cca08968e6e5b52
+```
diff --git a/src/KeyBag.cpp b/src/KeyBag.cpp
@@ -12,19 +12,24 @@
 #include <pietendo/hac/es/CertificateBody.h>
 #include <pietendo/hac/es/TicketBody_V2.h>
 
-nstool::KeyBagInitializer::KeyBagInitializer(bool isDev, const tc::Optional<tc::io::Path>& keyfile_path, const tc::Optional<tc::io::Path>& tik_path, const tc::Optional<tc::io::Path>& cert_path)
+nstool::KeyBagInitializer::KeyBagInitializer(bool isDev, const tc::Optional<tc::io::Path>& keyfile_path, const tc::Optional<tc::io::Path>& titlekeyfile_path, const std::vector<tc::io::Path>& tik_path_list, const tc::Optional<tc::io::Path>& cert_path)
 {
 	if (keyfile_path.isSet())
 	{
 		importBaseKeyFile(keyfile_path.get(), isDev);
 	}
+	if (titlekeyfile_path.isSet())
+	{
+		importTitleKeyFile(titlekeyfile_path.get());
+	}
 	if (cert_path.isSet())
 	{
 		importCertificateChain(cert_path.get());
 	}
-	if (tik_path.isSet())
+	if (!tik_path_list.empty())
 	{
-		importTicket(tik_path.get());
+		for (auto itr = tik_path_list.begin(); itr != tik_path_list.end(); itr++)
+			importTicket(*itr);
 	}
 
 	// this will populate known keys if they aren't supplied by the user provided keyfiles.
@@ -447,7 +452,41 @@ void nstool::KeyBagInitializer::importBaseKeyFile(const tc::io::Path& keyfile_pa
 
 void nstool::KeyBagInitializer::importTitleKeyFile(const tc::io::Path& keyfile_path)
 {
+	std::shared_ptr<tc::io::FileStream> keyfile_stream = std::make_shared<tc::io::FileStream>(tc::io::FileStream(keyfile_path, tc::io::FileMode::Open, tc::io::FileAccess::Read));
+
+	// import keyfile into a dictionary
+	std::map<std::string, std::string> keyfile_dict;
+	processResFile(keyfile_stream, keyfile_dict);
+
+	// process title keys
+	tc::ByteData tmp;
+	KeyBag::rights_id_t rights_id_tmp;
+	KeyBag::aes128_key_t title_key_tmp;
+	for (auto itr = keyfile_dict.begin(); itr != keyfile_dict.end(); itr++)
+	{
+		//fmt::print("RightsID[{:s}] = TitleKey[{:s}]\n", itr->first, itr->second);
 
+		// parse the rights id
+		tmp = tc::cli::FormatUtil::hexStringToBytes(itr->first);
+		if (tmp.size() != rights_id_tmp.size())
+		{
+			fmt::print("[nstool::KeyBagInitializer WARNING] RightsID: \"{}\" has incorrect length. Skipping...\n", itr->first);
+			continue;
+		}
+		memcpy(rights_id_tmp.data(), tmp.data(), rights_id_tmp.size());
+
+		// parse the title key
+		tmp = tc::cli::FormatUtil::hexStringToBytes(itr->second);
+		if (tmp.size() != title_key_tmp.size())
+		{
+			fmt::print("[nstool::KeyBagInitializer WARNING] TitleKey for \"{}\": \"{}\" has incorrect length. Skipping...\n", itr->first, itr->second);
+			continue;
+		}
+		memcpy(title_key_tmp.data(), tmp.data(), title_key_tmp.size());
+
+		// save to encrypted key dict
+		external_enc_content_keys[rights_id_tmp] = title_key_tmp;
+	}
 }
 
 void nstool::KeyBagInitializer::importCertificateChain(const tc::io::Path& cert_path)
@@ -551,10 +590,7 @@ void nstool::KeyBagInitializer::importTicket(const tc::io::Path& tik_path)
 		memcpy(enc_title_key.data(), tik.getBody().getEncTitleKey(), enc_title_key.size());
 
 		// save the encrypted title key as the fallback enc content key incase the ticket was malformed and workarounds to decrypt it in isolation fail
-		if (fallback_enc_content_key.isNull())
-		{
-			fallback_enc_content_key = enc_title_key;
-		}
+		external_enc_content_keys[rights_id] = enc_title_key;
 
 		// determine key to decrypt title key
 		byte_t common_key_index = tik.getBody().getCommonKeyId();
@@ -581,7 +617,7 @@ void nstool::KeyBagInitializer::importTicket(const tc::io::Path& tik_path)
 		aes128_key_t dec_title_key;
 		tc::crypto::DecryptAes128Ecb(dec_title_key.data(), enc_title_key.data(), sizeof(aes128_key_t), etik_common_key[common_key_index].data(), sizeof(aes128_key_t));
 
-		// add to key dict
+		// add to decrypted key dict
 		external_content_keys[rights_id] = dec_title_key;
 
 	}

diff --git a/src/KeyBag.h b/src/KeyBag.h
@@ -39,6 +39,7 @@ struct KeyBag
 
 	// external content keys (nca<->ticket)
 	std::map<rights_id_t, aes128_key_t> external_content_keys;
+	std::map<rights_id_t, aes128_key_t> external_enc_content_keys; // encrypted content key list to be used when external_content_keys does not have the required content key (usually taken raw from ticket)
 	tc::Optional<aes128_key_t> fallback_enc_content_key; // encrypted content key to be used when external_content_keys does not have the required content key (usually taken raw from ticket)
 	tc::Optional<aes128_key_t> fallback_content_key; // content key to be used when external_content_keys does not have the required content key (usually already decrypted from ticket)
 
@@ -70,7 +71,7 @@ struct KeyBag
 class KeyBagInitializer : public KeyBag
 {
 public:
-	KeyBagInitializer(bool isDev, const tc::Optional<tc::io::Path>& keyfile_path, const tc::Optional<tc::io::Path>& tik_path, const tc::Optional<tc::io::Path>& cert_path);
+	KeyBagInitializer(bool isDev, const tc::Optional<tc::io::Path>& keyfile_path, const tc::Optional<tc::io::Path>& titlekeyfile_path, const std::vector<tc::io::Path>& tik_path_list, const tc::Optional<tc::io::Path>& cert_path);
 private:
 	KeyBagInitializer();
 

diff --git a/src/NcaProcess.cpp b/src/NcaProcess.cpp
@@ -176,6 +176,15 @@ void nstool::NcaProcess::generateNcaBodyEncryptionKeys()
 		{
 			mContentKey.aes_ctr = mKeyCfg.fallback_content_key.get();
 		}
+		else if (mKeyCfg.external_enc_content_keys.find(mHdr.getRightsId()) != mKeyCfg.external_enc_content_keys.end())
+		{
+			tmp_key = mKeyCfg.external_enc_content_keys[mHdr.getRightsId()];
+			if (mKeyCfg.etik_common_key.find(masterkey_rev) != mKeyCfg.etik_common_key.end())
+			{
+				pie::hac::AesKeygen::generateKey(tmp_key.data(), tmp_key.data(), mKeyCfg.etik_common_key[masterkey_rev].data());
+				mContentKey.aes_ctr = tmp_key;
+			}
+		}
 		else if (mKeyCfg.fallback_enc_content_key.isSet())
 		{
 			tmp_key = mKeyCfg.fallback_enc_content_key.get();

diff --git a/src/Settings.cpp b/src/Settings.cpp
@@ -260,6 +260,40 @@ class SingleParamAesKeyOptionHandler : public tc::cli::OptionParser::IOptionHand
 	std::vector<std::string> mOptRegex;
 };
 
+class SingleParamPathArrayOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	SingleParamPathArrayOptionHandler(std::vector<tc::io::Path>& param, const std::vector<std::string>& opts) : 
+		mParam(param),
+		mOptStrings(opts),
+		mOptRegex()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegex;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		if (params.size() != 1)
+		{
+			throw tc::ArgumentOutOfRangeException(fmt::format("Option \"{:s}\" requires a parameter.", option));
+		}
+
+		mParam.push_back(params[0]);
+	}
+private:
+	std::vector<tc::io::Path>& mParam;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegex;
+};
+
 class FileTypeOptionHandler : public tc::cli::OptionParser::IOptionHandler
 {
 public:
@@ -504,7 +538,7 @@ nstool::SettingsInitializer::SettingsInitializer(const std::vector<std::string>&
 	mVerbose(false),
 	mNcaEncryptedContentKey(),
 	mNcaContentKey(),
-	mTikPath(),
+	mTikPathList(),
 	mCertPath()
 {
 	// parse input arguments
@@ -532,29 +566,16 @@ nstool::SettingsInitializer::SettingsInitializer(const std::vector<std::string>&
 	// locate key file, if not specfied
 	if (mKeysetPath.isNull())
 	{
-		std::string home_path_str;
-		if (tc::os::getEnvVar("HOME", home_path_str) || tc::os::getEnvVar("USERPROFILE", home_path_str))
-		{
-			tc::io::Path keyfile_path = tc::io::Path(home_path_str);
-			keyfile_path.push_back(".switch");
-			keyfile_path.push_back(opt.is_dev ? "dev.keys" : "prod.keys");
-
-			try {
-				tc::io::FileStream test = tc::io::FileStream(keyfile_path, tc::io::FileMode::Open, tc::io::FileAccess::Read);
-
-				mKeysetPath = keyfile_path;
-			}
-			catch (tc::io::FileNotFoundException&) {
-				fmt::print("[WARNING] Failed to load \"{}\" keyfile. Maybe specify it with \"-k <path>\"?\n", opt.is_dev ? "dev.keys" : "prod.keys");
-			}
-		}
-		else {
-			fmt::print("[WARNING] Failed to located \"{}\" keyfile. Maybe specify it with \"-k <path>\"?\n", opt.is_dev ? "dev.keys" : "prod.keys");
-		}
+		loadKeyFile(mKeysetPath, opt.is_dev ? "dev.keys" : "prod.keys", "Maybe specify it with \"-k <path>\"?\n");
+	}
+	// locate title key file, if not specfied
+	if (mTitleKeysetPath.isNull())
+	{
+		loadKeyFile(mTitleKeysetPath, "title.keys", "");
 	}
 
 	// generate keybag
-	opt.keybag = KeyBagInitializer(opt.is_dev, mKeysetPath, mTikPath, mCertPath);
+	opt.keybag = KeyBagInitializer(opt.is_dev, mKeysetPath, mTitleKeysetPath, mTikPathList, mCertPath);
 	opt.keybag.fallback_enc_content_key = mNcaEncryptedContentKey;
 	opt.keybag.fallback_content_key = mNcaContentKey;
 
@@ -618,9 +639,10 @@ void nstool::SettingsInitializer::parse_args(const std::vector<std::string>& arg
 
 	// get user-provided keydata
 	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(mKeysetPath, {"-k", "--keyset"})));
+	//opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(mTitleKeysetPath, {"--titlekeyset"})));
 	opts.registerOptionHandler(std::shared_ptr<SingleParamAesKeyOptionHandler>(new SingleParamAesKeyOptionHandler(mNcaEncryptedContentKey, {"--titlekey"})));
 	opts.registerOptionHandler(std::shared_ptr<SingleParamAesKeyOptionHandler>(new SingleParamAesKeyOptionHandler(mNcaContentKey, {"--contentkey", "--bodykey"})));
-	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(mTikPath, {"--tik"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathArrayOptionHandler>(new SingleParamPathArrayOptionHandler(mTikPathList, {"--tik"})));
 	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(mCertPath, {"--cert"})));
 
 	// code options
@@ -967,6 +989,30 @@ void nstool::SettingsInitializer::dump_rsa_key(const KeyBag::rsa_key_t& key, con
 	}
 }
 
+void nstool::SettingsInitializer::loadKeyFile(tc::Optional<tc::io::Path>& keyfile_path, const std::string& keyfile_name, const std::string& cli_hint)
+{
+	std::string home_path_str;
+	if (tc::os::getEnvVar("HOME", home_path_str) || tc::os::getEnvVar("USERPROFILE", home_path_str))
+	{
+		tc::io::Path tmp_path = tc::io::Path(home_path_str);
+		tmp_path.push_back(".switch");
+		tmp_path.push_back(keyfile_name);
+
+		try {
+			tc::io::FileStream test = tc::io::FileStream(tmp_path, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			keyfile_path = tmp_path;
+		}
+		catch (tc::io::FileNotFoundException&) {
+			fmt::print("[WARNING] Failed to load \"{}\" keyfile.{}\n", keyfile_name, cli_hint);
+		}
+	}
+	else {
+		fmt::print("[WARNING] Failed to locate \"{}\" keyfile.{}\n", keyfile_name, cli_hint);
+	}
+
+}
+
 
 bool nstool::SettingsInitializer::determineValidNcaFromSample(const tc::ByteData& sample) const
 {

diff --git a/src/Settings.h b/src/Settings.h
@@ -136,11 +136,15 @@ class SettingsInitializer : public Settings
 	bool mVerbose;
 
 	tc::Optional<tc::io::Path> mKeysetPath;
+	tc::Optional<tc::io::Path> mTitleKeysetPath;
 	tc::Optional<KeyBag::aes128_key_t> mNcaEncryptedContentKey;
 	tc::Optional<KeyBag::aes128_key_t> mNcaContentKey;
-	tc::Optional<tc::io::Path> mTikPath;
+	std::vector<tc::io::Path> mTikPathList;
+	//tc::Optional<tc::io::Path> mTikPath;
 	tc::Optional<tc::io::Path> mCertPath;
 
+	void loadKeyFile(tc::Optional<tc::io::Path>& keyfile_path, const std::string& keyfile_name, const std::string& cli_hint);
+
 	bool determineValidNcaFromSample(const tc::ByteData& raw_data) const;
 	bool determineValidEsCertFromSample(const tc::ByteData& raw_data) const;
 	bool determineValidEsTikFromSample(const tc::ByteData& raw_data) const;

diff --git a/src/version.h b/src/version.h
@@ -2,6 +2,6 @@
 #define APP_NAME	"NSTool"
 #define BIN_NAME	"nstool"
 #define VER_MAJOR	1
-#define VER_MINOR	8
-#define VER_PATCH   1
+#define VER_MINOR	9
+#define VER_PATCH   0
 #define AUTHORS		"jakcron"