Information about cert file
Hello,
I am developing a script using nut, which is itself using hactool, to automate the modification of NSPs in order to unlink the NCA from the TIK file and remove the fake ticket from the NSP. But I've been wondering if I should keep the CERT file in the process.
From your thread on a certain forum (well I guess it was you since it's the official CDNSP thread), I read the following sentence regarding the CERT file:
"for private content the CERT (non console nor game-unique) will be copied and renamed appropriately."
This is the ONLY information available on the internet that I could find about said CERT file and its purpose!!
Your statement leads me to believe that the CERT, being neither console-unique nor game-unique, is actually a "valid" CERT file for the game even in the case of a non-legit NSP, and should therefore be kept in the NSP even though the TIK is removed, as its absence might raise a flag somewhere.
But other people have been adamant in removing the CERT along with the TIK. That's why I'm reaching out to you to get information about the CERT file in order to have some semblance of certitude about how to proceed with this file.
Thank you very much in advance for your help in this matter and thanks a lot for the great tool you developed!!
There are a few different certificates that are used when installing titles to the Switch. The certificates are used to decrypt different kinds of tickets. The ones used in CDNSP are the certificates that belong to game updates and go along with the forged tickets (which are also done in the style of game updates, no additional encryption is used unlike with personal tickets which encrypt the Rights ID and have a different certificate to go along with it for decryption). If you're removing the ticket from the NSP then there's no reason to keep the cert that goes along with it. If you plan to inject your own personal tickets into the NSPs, you'd need a different cert to go along with that ticket anyway, so if you're not going to be using the forged tickets that come in the NSPs then there's really no use for the certificate. This applies only to game and DLC titles. Game updates don't use forged tickets; those tickets actually come right from the CDN.
Well, that's 10 times more information in that single message than what I managed to find with 2 hours of research, thanks a lot! Ok, so I'll delete the cert along with the ticket.
Interesting about the game update NSPs, as I was also "unticketing" them (zeroing the RightsID, deleting the TIK). But, if the update is installed on a non-legit game that was "unticketed", would there be a risk of being flagged for installing a "legit" update (legit tickets, at least) on a game that has no ticket? In this case, I'm guessing that if I "unticket" the game, might as well "unticket" the update to go along with it and keep the ticket blob clean for this title?
Although for NSP updates of XCI (cartridge) titles, that's interesting information because in this case, it would be better to keep the "legit ticket" for the update (as XCI titles can be updated through the Big-N official servers, unless you're not updated to the latest firmware, as is now the case with many people who don't want to go near 6.0).
One last thing, you say the forged tickets for games are done in the style of game updates. Does that mean they are no longer console-specific and/or account-specific? They seem to still be linked to the RightsID of the "main" NCA file, and this RightsID can't be valid for a console that's not the one that purchased the game, or does that no longer apply to a "game-update-style ticket"?
Thanks again for all this invaluable information!
Updates created with CDNSP are completely legit, they can even be used on OFW. Since updates are the same for both eShop titles and cartridge titles (eShop titles have tickets, cartridges don't) it would not be a good idea to remove tickets from updates or convert updates from title key encrypted to MasterKey encryption. Update tickets are not console or NNID specific which is why we use them as a base for forged tickets.
Legit game or DLC tickets still have a common Rights ID (as in my copy will have the same Rights ID as your copy of the same game) but the Rights ID isn't important, it's the title key. The title key is also common (my title key is the same as your title key for any given game) but is RSA-2048 encrypted using a console unique key and the ticket also contains your NNID info and console info which is why "personalized" tickets can't be shared. Other consoles wouldn't be able to decrypt the title key. They use a different certificate file to deal with this than updates do. But by using the certificate that updates use and mimicking update tickets we can create universal tickets just like what the updates use. If Nintendo wanted to they could make updates NNID and console specific too which would put a stop to that.
So in short, Rights IDs aren't personal, title keys aren't either, that's why we can even do what we do now, but in a real personalized ticket (games or DLC, not updates) it doesn't store the title key in plain hex like the forged tickets do, it instead stores a console unique encrypted version of the title key along with NNID and console info.
Well that was enlightening!! So much information that I hadn't been exposed to in such a concise manner before, even though I've tried researching the subject. Thank you so much for this crash course!!
Final thought, in your opinion, would it be better (telemetry-wise) for games (not updates) to be installed with forged tickets or be converted from TitleKey encryption to MasterKey encryption? There have been claims that installing NSPs with forged tickets leads to a ban (if telemetry is not blocked at least, either by DNS, firewall rules or creport), but from what you explained that shouldn't be the case. That's the one thing I'm having trouble wrapping my head around.
Either way, thanks again for all this information!!
Honestly, I approve of MasterKey encrypted games. It prevents an entry in your titles DB and if you decide to install the game legit you can without issues. I don't use them personally though as I use FreeShopNX (which can't convert the NCAs to MasterKey prior to installing). Eventually if Nintendo does query your tickets the forged ones will get flagged, but MasterKey installed content doesn't have tickets so...
Right this instant, there doesn't seem to be a difference as Nintendo doesn't verify your ticket server side yet, but it could help in the future.
Alright! Thank you very much for your input!!