|Release date||August 13, 2018|
iQueCrypt is a tool for extracting information from a CMD file, from a console's ticket.sys file, or from a Virage2 dump; as well as for encrypting and decrypting apps and title keys. To obtain these files, a user will need a NAND dump of their iQue or already-extracted files. Some operations also require a Virage2 dump.
iQueCrypt has four modes: encrypt, decrypt, extract, and ecdh. See the usage manual for more in-depth instructions.
The main use for the encrypt mode is to create an "injection", where an app is encrypted with the recrypt key of another (legitimately-obtained) app on an iQue. When this encrypted app is run, the iQue treats it as the legitimate app, and decrypts and executes it normally. This can be used to run other, normal iQue games as well as hacks or homebrew.
To create an injection, follow these steps:
- Obtain the plaintext ROM of the game you want to inject
- Dump the console's NAND or otherwise obtain its recrypt.sys file.
- Dump the console's Virage2.
- Pick a game on your console to serve as the "host" for the injection and take note of its content ID (in hex). This must be a game that has already been launched and exists as a .rec on NAND. Some games are not as compatible with others. Try to have matching save types and matching or greater hardware access and SKC access.
- Extract the content iv of the host game from its CMD or ticket.
- Use the encrypt mode on the plaintext ROM, with the recrypt.sys file, Virage2 dump, content ID, and content iv obtained in the preceding steps.
- The output should be a .rec which is the plaintext ROM encrypted with the host's recrypt key and content iv.
- Rename the file to (hex content ID of host game).rec
- Backup the original .rec of the same name on your console, and then wrie the newly generated .rec back to the NAND.
This allows the user to obtain plaintext versions of title keys and apps (if given the appropriate keys and ivs).
Extract mode can extract keys, initialization vectors, and other information from CMDs, ticket.sys files, and V2 dumps. This makes it easy to obtain the files or information a user needs to encrypt or decrypt files.
iQueCrypt can compute the ECDH of a console's ECC private key and a ticket's ECC public key, in order to create the AES key used to re-encrypt the title key in a game's CMD. This allows the owner of an iQue to obtain the title key for each game that they own by following these steps:
- Dump the console's NAND or otherwise obtain its ticket.sys file.
- Dump the console's Virage2.
- Extract the iQue common key and ECC private key from the V2 dump.
- Extract the ticket of the desired game to obtain its (twice-encrypted) title key, title key iv, title key iv 2, and ECC public key
- Use the ecdh mode with the V2 ECC private key and the ticket's ECC public key to generate the file ecdh_key.bin.
- Decrypt the title key using ecdh_key.bin and title key iv 2.
- Decrypt the result of the previous step with the common key and title key iv.
- The result of the above step will be the plaintext title key of the game or app.