Nintendo Switch Digital Software Dumping Guide
Note: this guide is outdated - NSP processing steps should be ignored and this should be used instead: xml_dataset_generator_nsp.py
Dumping Methods
Homebrew-enabled Switch (Dump Contents From Console)
It's an open-source homebrew application capable of generating installable Nintendo Submission Package (NSP) dumps from installed digital titles.
Tools
- A Nintendo Switch console with a firmware version greater than or equal to 3.0.0. Must either be vulnerable to Fusée Gelée or have a firmware version compatible with Caffeine. The exact details on how to use these exploits to launch homebrew applications aren't covered in this guide.
- The latest NXDumpTool build saved to
sdmc:/switch/nxdumptool/nxdumptool.nro
. - Keys file generated using Lockpick_RCM, located at
sdmc:/switch/prod.keys
. Run the payload on your console in order to dump the keys. They're needed by NXDumpTool to decrypt contents while generating NSP dumps.
Note #1: if you use a SD card with a FAT32 partition and the game you wish to dump is bigger than 4 GiB, you can dump it in smaller parts, but you must reassemble them afterwards.
Note #2: you don't need to have enough free space in your SD card for a whole dump. Sequential (multi-session) dumping is available in NXDumpTool, and it's automatically triggered if there's not enough space for a whole dump - but there must be at least 1 GiB of free space. After each session, you'll have to transfer the generated part files to your PC before continuing the dump process in the next session.
Note #3: dump verification against No-Intro database is also available in the application, but it requires a working Internet connection at runtime.
Dumping
- Using either Fusée Gelée or Caffeine, boot into the CFW of your preference and load the Homebrew Launcher using title override (hold R while launching a game).
- Load NXDumpTool.
- Select
Dump SD card / eMMC (NANDUSER) content
, then select the game you wish to dump from the displayed list.- If you can't find your game on the list, or if the list is empty, it most likely means you're using a gamecard with updates/DLCs installed to the SD card and/or eMMC. These titles are internally referred to as "orphan content" in NXDumpTool. You can access the orphan content list by pressing the Y button in the SD/eMMC menu. For more information, see Dumping steps (orphan content).
- Select
Nintendo Submission Package (NSP) dump
.- If you have installed updates / DLCs for the selected title:
- If you want to dump the base game / application, select
Dump base application NSP
. - If you want to dump an installed update, select
Dump installed update NSP
. - If you want to dump an installed DLC, select
Dump installed DLC NSP
.
- If you want to dump the base game / application, select
- Otherwise, if you have no installed updates / DLCs for the selected title, go to the next step.
- If you have installed updates / DLCs for the selected title:
- Set the available options to the following values:
Split output dump (FAT32 support)
: set it to Yes if you're using a FAT32 partition in your SD card. Otherwise, set it to No.Verify dump using No-Intro database
: set it to Yes if you wish to verify your dump using the No-Intro database. This requires a working Internet connection.Remove console specific data
: Yes. This will remove console/account data from a personalized ticket and convert it to a common ticket if the title you wish to dump uses titlekey crypto. If the ticket is already a common one, it is left untouched.Generate ticket-less dump
: No.Change NPDM RSA key/sig in Program NCA
: No. This option only appears with base applications and updates.- If you chose to dump an installed update:
Dump delta fragments
: Yes. This will dump the delta fragments from the update (if available).Update to dump
: use the left/right buttons to cycle between the available updates and select the one you want to dump.
- If you chose to dump an installed DLC:
DLC to dump
: use the left/right buttons to cycle between the available DLCs and select the one you want to dump.
Output naming scheme
: optional. Just choose the naming scheme you'd like to use.
- Select
Start NSP dump process
, press A and wait for the process to finish. You'll be able to find the output file(s) insdmc:/switch/nxdumptool/NSP
. - If dump verification is enabled, after dumping, you should see the CRC32 checksum for the encrypted CNMT NCA in your NSP dump. If the application says that it found a matching database entry, then this is likely a good redump. However, we do need a little more information (see Extracting data from NSP).
- Copy the output dump to your PC. If you used the split method for FAT32, or if you used sequential (multi-session) dumping, you'll need to reassemble the part files into a single NSP dump. For more information, see Merge part files (FAT32 / multi-session dump only).
Dumping steps (orphan content)
- Using either Fusée Gelée or Caffeine, boot into the CFW of your preference and load the Homebrew Launcher using title override (hold R while launching a game).
- Load NXDumpTool.
- Select
Dump SD card / eMMC (NANDUSER) content
, then press the Y button. - Look for the orphan update / DLC you wish to dump, then press A on it.
- Select
Nintendo Submission Package (NSP) dump
. - Set the available options to the following values:
Split output dump (FAT32 support)
: set it to Yes if you're using a FAT32 partition in your SD card. Otherwise, set it to No.Verify dump using No-Intro database
: set it to Yes if you wish to verify your dump using the No-Intro database. This requires a working Internet connection.Remove console specific data
: Yes. This will remove console/account data from a personalized ticket and convert it to a common ticket if the title you wish to dump uses titlekey crypto. If the ticket is already a common one, it is left untouched.Generate ticket-less dump
: No.- If you chose to dump an orphan update:
Change NPDM RSA key/sig in Program NCA
: No.Dump delta fragments
: Yes. This will dump the delta fragments from the orphan update (if available).
Output naming scheme
: optional. Just choose the naming scheme you'd like to use.
- Select
Start NSP dump process
, press A and wait for the process to finish. You'll be able to find the output file(s) insdmc:/switch/nxdumptool/NSP
. - If dump verification is enabled, after dumping, you should see the CRC32 checksum for the encrypted CNMT NCA in your NSP dump. If the application says that it found a matching database entry, then this is likely a good redump. However, we do need a little more information (see Extracting data from NSP).
- Copy the output dump to your PC. If you used the split method for FAT32, or if you used sequential (multi-session) dumping, you'll need to reassemble the part files into a single NSP dump. For more information, see Merge part files (FAT32 / multi-session dump only).
Merge part files (FAT32 / multi-session dump only)
- Copy all parts of your NSP dump to your PC.
- Merge your part files into a complete dump:
- On Windows:
- Open the command prompt and use
cd
to change the current working directory to the one that holds your split files (e.g.cd C:\switch_dumps
). - Type the following command according to your specific case, then press Enter:
- If you're dealing with a split NSP dump (non-sequential):
copy /b * game.nsp
. - If you're dealing with a split NSP dump (sequential):
copy /b *.nsp.hdr+*.nsp.0* game.nsp
.
- If you're dealing with a split NSP dump (non-sequential):
- Open the command prompt and use
- On Linux/Mac:
- Open your terminal emulator and use
cd
to change the current working directory to the one that holds your split files (e.g.cd /dev/sdb/switch_dumps
). - Type the following command according to your specific case, then press Enter:
- If you're dealing with a split NSP dump (non-sequential):
cat * > game.nsp
. - If you're dealing with a split NSP dump (sequential):
cat *.nsp.hdr *.nsp.0* > game.nsp
.
- If you're dealing with a split NSP dump (non-sequential):
- Open your terminal emulator and use
- On Windows:
- Your part files should be reassembled into a full
game.nsp
file. You can safely delete your part files afterwards.
Extracting data from NSP
[To do: some sort of batch script would be desirable for this section]
In order to gather relevant data from digital title dumps (like NCA information, ticket, titlekey, etc.), you'll need to use hactool and nstool. The following sections will assume:
- You have already downloaded both programs to a specific location in your PC.
- Moved the full NSP dump and copied the keys file generated by Lockpick_RCM (located at
sdmc:/switch/prod.keys
) to the same location. - Opened a command prompt / terminal emulator window.
- Used
cd
to change the current working directory accordingly.
Unpacking NSP dump
- Type
hactool -r -t pfs0 --outdir=unpacked_nsp [game.nsp]
and press Enter. You'll end up with aunpacked_nsp
directory, which holds the unpacked NSP data.- Note: replace
[game.nsp]
with the actual NSP filename. If it has any whitespaces, enclose it using double quotes (e.g.hactool -r -t pfs0 --outdir=unpacked_nsp "VA-11 HALL-A v65536 (0100A6700D66E800) (UPD).nsp"
).
- Note: replace
Collect ticket information
- Look for a
.tik
file inside theunpacked_nsp
directory and copy its full filename (e.g.0100a6700d66e8000000000000000008.tik
).- Note: if there's no
.tik
file available, it means the digital title you dumped uses standard crypto. Skip to Collect NCA information.
- Note: if there's no
- To collect data from the ticket:
- On Windows:
- Type
nstool -t tik unpacked_nsp\[file.tik] > tik_info.txt
and press Enter.
- Type
- On Linux/Mac:
- Type
nstool -t tik unpacked_nsp/[file.tik] > tik_info.txt
and press Enter.
- Type
- Note: replace
[file.tik]
with the actual ticket filename (e.g.nstool -t tik unpacked_nsp\0100a6700d66e8000000000000000008.tik > tik_info.txt
).
- On Windows:
- You'll end up with a
tik_info.txt
file, which contains info from the ticket file. Open it, copy theData
element (e.g.000102030405060708090A0B0C0D0E0F
). This is the encrypted titlekey for your dumped title - keep it in your clipboard or save it somewhere else.
Collect NCA information
You'll have to repeat the following steps for every .nca
file inside the unpacked_nsp
directory.
- To collect data from a NCA:
- On Windows:
- If your dumped title uses titlekey crypto, type
hactool -r -y -k prod.keys -t nca --titlekey=[stripped_titlekey] --disablekeywarns unpacked_nsp\[file.nca] > [nca_info.txt]
and press Enter. - Otherwise, if your dumped title uses standard crypto, type
hactool -r -y -k prod.keys -t nca --disablekeywarns unpacked_nsp\[file.nca] > [nca_info.txt]
and press Enter.
- If your dumped title uses titlekey crypto, type
- On Linux/Mac:
- If your dumped title uses titlekey crypto, type
hactool -r -y -k prod.keys -t nca --titlekey=[stripped_titlekey] --disablekeywarns unpacked_nsp/[file.nca] > [nca_info.txt]
and press Enter. - Otherwise, if your dumped title uses standard crypto, type
hactool -r -y -k prod.keys -t nca --disablekeywarns unpacked_nsp/[file.nca] > [nca_info.txt]
and press Enter.
- If your dumped title uses titlekey crypto, type
- Note: replace the following sections in the provided command(s):
[stripped_titlekey]
with the encrypted titlekey from the previous section, if applicable (e.g.000102030405060708090A0B0C0D0E0F
).[file.nca]
with the current NCA filename (e.g.e4239b7e79cc5a4b307413e5f34ea325.nca
).[nca_info.txt]
with a TXT filename that resembles the current NCA file (e.g.e4239b7e79cc5a4b307413e5f34ea325_info.txt
).
- Example command line:
hactool -r -y -k prod.keys -t nca --titlekey=000102030405060708090A0B0C0D0E0F --disablekeywarns unpacked_nsp\e4239b7e79cc5a4b307413e5f34ea325.nca > e4239b7e79cc5a4b307413e5f34ea325_info.txt
.
- On Windows:
- You'll end up with a TXT for each NCA file available in the
unpacked_nsp
directory, each one containing in-depth details about their corresponding NCA file.
Homebrew-enabled Switch (Dump Contents From Network Traffic)
todo: create script to streamline this process. also determine if it is risky to do this - maybe it would be better to dump ssl session keys or make the switch log the traffic itself.
You can use patches from here (disable_ca_verification and disable_browser_ca_verification - there is currently a pull request to add support for Switch system software v15.0.1 for the latter) and a network analysis tool (e.g. Charles, Fiddler, mitmproxy, Wireshark) to intercept the NCAs directly, which allows HTTP headers to be preserved (which contain info such as last-modified date (i.e. file upload date). Unique-per-dump headers should have their value blanked, i.e. X-LLID:
, Date:
.
Gathering Dump Info
- Digital serial:
- For CDN dumps, put the title ID that was requested from the CDN
atum
server, in lowercase. - For installed title dumps made with NXDumpTool (and dumps of unknown origin), put the title ID from the
Id
child element inContentMeta
, located in the thecnmt
file inside the cnmt nca. Remove the0x
prefix (e.g.0x0100a6700d66e800
->0100a6700d66e800
).
- For CDN dumps, put the title ID that was requested from the CDN
- Dump tool: e.g. "NXDumpTool vX.Y.Z".
- Files:
- Set Format to CDN.
- For filenames, use only the Native filename field.
- For CDN dumps, a
.txt
file containing the HTTP response headers should optionally be attached to each NCA. Each.txt
should only contain the response headers for that exact NCA download request (e.g. not one from downloading it again / getting a HEAD request afterwards, etc.). - Dat following files:
- The NCAs, using the
[lowercase_nca_id].nca
/[lowercase_nca_id].cnmt.nca
naming scheme (add the.nca
/.cnmt.nca
if it isn't present - e.g. if dumped straight from CDN). - Optional, if dealing with a title that uses titlekey crypto (ticket file):
- First, dat the ticket file according to the dump method you used:
- For CDN dumps: check the value for the titlekey type field (1 byte @ 0x281) in the ticket file:
- If it's set to
0x01
, you're dealing with a personalized ticket that should be stripped like this (the way NXDumpTool does, as of 2019-11-25). Afterwards, use[lowercase_rights_id]-stripped.tik
as the ticket filename (e.g.0100a6700d66e8000000000000000008-stripped.tik
). - Otherwise, if it's set to
0x00
, it's a common ticket that doesn't need to be modified. Use[lowercase_rights_id]-cetk.tik
as the ticket filename (e.g.0100a6700d66e8000000000000000008-cetk.tik
).
- If it's set to
- For installed title dumps made with NXDumpTool: check if the ticket file has already been stripped by looking at the 0x100 bytes area @ 0x004:
- If it's filled with
0xFF
, you're dealing with a stripped personalized ticket. - Otherwise, it's an untouched common ticket.
- If it's filled with
- For CDN dumps: check the value for the titlekey type field (1 byte @ 0x281) in the ticket file:
- Grab the 16 bytes @ 0x180 in the stripped/common ticket and save them to a
[lowercase_rights_id].enctitlekey.bin
file (e.g.0100a6700d66e8000000000000000008.enctitlekey.bin
). This is the encrypted titlekey - dat this new file. - Now you'll need to decrypt the titlekey. Run hactool on the
Program
type NCA from your dump using this command:hactool -r -y -k [keys_file] -t nca --titlekey=[encrypted_titlekey] --disablekeywarns [file.nca]
.- Note: replace the following sections in the provided command:
[keys_file]
with the filename from a keys file that contains previously dumped keys from a Switch console.[encrypted_titlekey]
with the encrypted titlekey from the previous step (e.g.000102030405060708090A0B0C0D0E0F
).[file.nca]
with the filename from the biggest NCA from your dump (e.g.e4239b7e79cc5a4b307413e5f34ea325.nca
).
- Example command line:
hactool -r -y -k prod.keys -t nca --titlekey=000102030405060708090A0B0C0D0E0F --disablekeywarns e4239b7e79cc5a4b307413e5f34ea325.nca
.
- Note: replace the following sections in the provided command:
- Look for the
Titlekey (Decrypted) (From CLI)
element in the console output from hactool and copy its value - this is the decrypted titlekey. Save these 16 bytes to a[lowercase_rights_id].dectitlekey.bin
file (e.g.0100a6700d66e8000000000000000008.dectitlekey.bin
) and dat it.
- First, dat the ticket file according to the dump method you used:
- The NCAs, using the
- Dump origin:
- Console SD card: dumped from installed title data on console SD card.
- Dev console: dumped from installed title data on console.
- CDN: title data retrieved straight from CDN to PC, via PC downloading tool (that emulates the Switch download process) or network sniffer.
Submitting Dump Info
Register on the forum (if you aren't already registered) and once your account has been activated, post the info in the "New Dumps & Redumps" sub-forum. Or if this is a one-off submission, you can use one of the other contact methods listed on the main page.
Or if you have a login for it, you can submit the dump info directly to the DAT-o-MATIC database.
Note: DAT-o-MATIC supports importing XMLs in this format directly: https://datomatic.no-intro.org/stuff/example_upload_custom.xml, although there isn't a proper specification (or tool to generate this format from folder(s)/file(s)) yet