
Nsp Install Key Generation Mismatch Error



Proper support for firmware 9.0.1: the console's supported key generation is now read from BOOT0 rather than being hardcoded. Thanks to this, Goldleaf need not be updated for every firmware release when the only issue is a key mismatch. The updater has also been fixed; it was broken in version 0.7.2 and probably in older versions. For an Elliptic Curve key and the question of importing an existing X.509 certificate and private key into a Java keystore, see also the thread "How to read EC Private key in java", which covers the .pem file format.


If you encounter errors with the NPS extension for Azure Multi-Factor Authentication, use this article to reach a resolution faster. NPS extension logs are found in Event Viewer under Custom Views > Server Roles > Network Policy and Access Services on the server where the NPS Extension is installed.

Troubleshooting steps for common errors

Error code, followed by troubleshooting steps:

CONTACT_SUPPORT
    Contact support, and mention the list of steps for collecting logs. Provide as much information as you can about what happened before the error, including the tenant ID and user principal name (UPN).

CLIENT_CERT_INSTALL_ERROR
    There may be an issue with how the client certificate was installed or associated with your tenant. Follow the instructions in Troubleshooting the MFA NPS extension to investigate client cert problems.

ESTS_TOKEN_ERROR
    Follow the instructions in Troubleshooting the MFA NPS extension to investigate client cert and ADAL token problems.

HTTPS_COMMUNICATION_ERROR
    The NPS server is unable to receive responses from Azure MFA. Verify that your firewalls are open bidirectionally for traffic to and from https://adnotifications.windowsazure.com.

HTTP_CONNECT_ERROR
    On the server that runs the NPS extension, verify that you can reach https://adnotifications.windowsazure.com and https://login.microsoftonline.com/. If those sites don't load, troubleshoot connectivity on that server.

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessReject, ignoring request.
    This error usually reflects an authentication failure in AD, or that the NPS server is unable to receive responses from Azure AD. Verify that your firewalls are open bidirectionally for traffic to and from https://adnotifications.windowsazure.com and https://login.microsoftonline.com using ports 80 and 443. It is also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to 'control access through NPS Network Policy'. This error can also trigger if the user is not assigned a license.

REGISTRY_CONFIG_ERROR
    A key is missing in the registry for the application, which may be because the PowerShell script wasn't run after installation. The error message should include the missing key. Make sure you have the key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.

REQUEST_FORMAT_ERROR (error message: Radius Request missing mandatory Radius userNameIdentifier attribute.)
    Verify that NPS is receiving RADIUS requests. This error usually reflects an installation issue. The NPS extension must be installed on NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive RADIUS requests. The NPS extension does not work when installed over such installations and errors out, since it cannot read the details from the authentication request.

REQUEST_MISSING_CODE
    Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. CHAPV2 and EAP support phone call and mobile app notification.

USERNAME_CANONICALIZATION_ERROR
    Verify that the user is present in your on-premises Active Directory instance, and that the NPS service has permissions to access the directory. If you are using cross-forest trusts, contact support for further help.

Alternate login ID errors

Error code and error message, followed by troubleshooting steps:

ALTERNATE_LOGIN_ID_ERROR (Error: userObjectSid lookup failed)
    Verify that the user exists in your on-premises Active Directory instance. If you are using cross-forest trusts, contact support for further help.

ALTERNATE_LOGIN_ID_ERROR (Error: Alternate LoginId lookup failed)
    Verify that LDAP_ALTERNATE_LOGINID_ATTRIBUTE is set to a valid Active Directory attribute.
    If LDAP_FORCE_GLOBAL_CATALOG is set to True, or LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that you have configured a Global Catalog and that the AlternateLoginId attribute is added to it.
    If LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that the value is correct. If there is more than one forest name, the names must be separated with semicolons, not spaces.
    If these steps don't fix the problem, contact support for more help.

ALTERNATE_LOGIN_ID_ERROR (Error: Alternate LoginId value is empty)
    Verify that the AlternateLoginId attribute is configured for the user.

Errors your users may encounter

Error code, followed by the error message and troubleshooting steps:

AccessDenied
    Message: Caller tenant does not have access permissions to do authentication for the user
    Steps: Check whether the tenant domain and the domain of the user principal name (UPN) are the same. For example, make sure that user@contoso.com is trying to authenticate to the Contoso tenant. The UPN represents a valid user for the tenant in Azure.

AuthenticationMethodNotConfigured
    Message: The specified authentication method was not configured for the user
    Steps: Have the user add or verify their verification methods according to the instructions in Manage your settings for two-step verification.

AuthenticationMethodNotSupported
    Message: Specified authentication method is not supported.
    Steps: Collect all your logs that include this error, and contact support. When you contact support, provide the username and the secondary verification method that triggered the error.

BecAccessDenied
    Message: MSODS Bec call returned access denied, probably the username is not defined in the tenant
    Steps: The user is present in Active Directory on-premises but is not synced into Azure AD by AD Connect. Or, the user is missing for the tenant. Add the user to Azure AD and have them add their verification methods according to the instructions in Manage your settings for two-step verification.

InvalidFormat or StrongAuthenticationServiceInvalidParameter
    Message: The phone number is in an unrecognizable format
    Steps: Have the user correct their verification phone numbers.

InvalidSession
    Message: The specified session is invalid or may have expired
    Steps: The session has taken more than three minutes to complete. Verify that the user is entering the verification code, or responding to the app notification, within three minutes of initiating the authentication request. If that doesn't fix the problem, check that there are no network latencies between client, NAS server, NPS server, and the Azure MFA endpoint.

NoDefaultAuthenticationMethodIsConfigured
    Message: No default authentication method was configured for the user
    Steps: Have the user add or verify their verification methods according to the instructions in Manage your settings for two-step verification. Verify that the user has chosen a default authentication method, and configured that method for their account.

OathCodePinIncorrect
    Message: Wrong code and pin entered.
    Steps: This error is not expected in the NPS extension. If your user encounters this, contact support for troubleshooting help.

ProofDataNotFound
    Message: Proof data was not configured for the specified authentication method.
    Steps: Have the user try a different verification method, or add a new verification method according to the instructions in Manage your settings for two-step verification. If the user continues to see this error after you have confirmed that their verification method is set up correctly, contact support.

SMSAuthFailedWrongCodePinEntered
    Message: Wrong code and pin entered. (OneWaySMS)
    Steps: This error is not expected in the NPS extension. If your user encounters this, contact support for troubleshooting help.

TenantIsBlocked
    Message: Tenant is blocked
    Steps: Contact support with the Directory ID from the Azure AD properties page in the Azure portal.

UserNotFound
    Message: The specified user was not found
    Steps: The tenant is no longer visible as active in Azure AD. Check that your subscription is active and you have the required first party apps. Also make sure the tenant in the certificate subject is as expected and the cert is still valid and registered under the service principal.


Messages your users may encounter that aren't errors

Sometimes, your users may get messages from Multi-Factor Authentication because their authentication request failed. These aren't errors in the product or configuration, but are intentional warnings explaining why an authentication request was denied.

Error code, followed by the error message and recommended steps:

OathCodeIncorrect
    Message: Wrong code entered / OATH Code Incorrect
    Steps: The user entered the wrong code. Have them try again by requesting a new code or signing in again.

SMSAuthFailedMaxAllowedCodeRetryReached
    Message: Maximum allowed code retry reached
    Steps: The user failed the verification challenge too many times. Depending on your settings, they may need to be unblocked by an admin now.

SMSAuthFailedWrongCodeEntered
    Message: Wrong code entered / Text Message OTP Incorrect
    Steps: The user entered the wrong code. Have them try again by requesting a new code or signing in again.

Errors that require support


If you encounter one of these errors, we recommend that you contact support for diagnostic help. There's no standard set of steps that can address these errors. When you do contact support, be sure to include as much information as possible about the steps that led to an error, and your tenant information.

Error code, followed by the error message (where one is shown):

InvalidParameter
    Request must not be null
InvalidParameter
    ObjectId must not be null or empty for ReplicationScope:{0}
InvalidParameter
    The length of CompanyName {0} is longer than the maximum allowed length {1}
InvalidParameter
    UserPrincipalName must not be null or empty
InvalidParameter
    The provided TenantId is not in correct format
InvalidParameter
    SessionId must not be null or empty
InvalidParameter
    Could not resolve any ProofData from request or Msods. The ProofData is unKnown
InternalError
OathCodePinIncorrect
VersionNotSupported
MFAPinNotSetup

Next steps

Troubleshoot user accounts

If your users are having trouble with two-step verification, help them self-diagnose problems.

Health check script

The Azure MFA NPS Extension health check script performs a basic health check when troubleshooting the NPS extension. Run the script and choose option 3.

Contact Microsoft support


If you need additional help, contact a support professional through Azure Multi-Factor Authentication Server support. When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.

To collect debug logs for support diagnostics, use the following steps on the NPS server:


  1. Open Registry Editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa and set VERBOSE_LOG to TRUE.

  2. Open an Administrator command prompt and run these commands:

  3. Reproduce the issue.

  4. Stop the tracing with these commands:

  5. Open Registry Editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa and set VERBOSE_LOG to FALSE.

  6. Zip the contents of the C:\NPS folder and attach the zipped file to the support case.

Item description:
Goldleaf
Easy-to-use title installer & manager for Nintendo Switch
If you are looking for Tinfoil, this is Tinfoil's safer and way more extended evolution.
Brief description
Goldleaf is a multipurpose tool, specialized on title installing from NSP packages, but with other utilities, such as NAND/SD browsing,
You can easily manage title-related stuff, like install titles via NSP packages or uninstall already installed titles.
If you know what FBI is (related to 3DS homebrew), this is a similar project for Nintendo Switch.
Disclaimer
Installing NSP packages can be dangerous.
Keep in mind that there will always be a ban risk, and that NSPs with tickets are specially dangerous.
If you want to be safe, avoid connecting to the internet via airplane mode, or block Nintendo's services via special tools such as 90DNS.
Goldleaf simply provides support for a normal NSP and/or ticket installation. The way you use them or the risks you are taking are your problem.
Goldleaf gives the user the possibility to modify NAND files, by deleting them or allowing to copy new files there.
This can be dangerous, as deleting NCAs from the NAND contents can lead to unfixable errors. Imagine deleting all the EXE and DLL files from the System32 folder; the result would be similar.
Removing tickets from installed contents will make the system unable to recognise them as 'legit' purchased, so it will refuse to launch them (in many cases, but NOT all cases).
Main features
SD card and NAND browser
A very simple but, in my opinion, one of the most useful features in Goldleaf. Just a file browser for the SD card or for NAND partitions, providing special support for some file formats:
NSP (Nintendo Submission Package)
It's the official format used by Nintendo to provide installable content from their CDN servers.
Technically, it's a PFS0 (a simple file format containing several files) with NCA contents, sometimes XML and/or icon metadata (exported by official packaging tools), and a ticket and a cert in case they are signed with a titlekey (games are, system contents aren't).
Goldleaf can install NSPs same way other official apps would, like DevMenu.
As a warning, I do not recommend installing NSPs in case you plan to go online. Installing content from unofficial tools (such as Goldleaf or the old Tinfoil) can lead to permanent bans from online services, and in severe cases, from every Nintendo service, even from updating the console or games. Install NSPs at your own risk.
NRO (Nintendo Relocatable Object)
Officially, an NRO is treated as a dynamic library object, similar to DLLs on Windows; these are loaded dynamically by applications at runtime.
Homebrew uses them as executable binaries because, as they can contain multiple data sections, they can carry extra information such as a NACP (title, author and version), an icon, or even RomFs data to access at runtime.
Goldleaf can launch NROs located on the SD card. Keep in mind that this feature can often cause undefined behaviour, due to some difficulties cleaning up graphics so quickly.
NCA (Nintendo Content Archive)
This format is the base format used by Horizon OS to store content.
While the previously mentioned formats don't require any kind of cryptography to be extracted or used, NCAs have to be decrypted, so the user is required to provide the required keys to extract the content.
NCAs have different sections, as well as other information. The two main sections are the ExeFs and RomFs: the ExeFs filesystem contains the code NSO binaries and a NPDM metadata file, while the RomFs contains different files to be accessed from the title.
Some NCAs can also contain a special section, section 0, which holds the PNG and GIF logos displayed at the top-left and bottom-right of the screen when launching a title.
NCAs don't necessarily have both of those sections. The program NCA, the base of any application or applet, will contain an ExeFs, and usually a RomFs if it's a game or a system title with resources such as settings or Home Menu.
Apart from program NCAs there are other NCA types: control NCA (NACP and icons), legalinfo NCA (HTML manuals and information), offline NCA (HTML documents, in case the title wants to load them) and content meta (CNMT) NCA (with title-specific information).
Goldleaf has hactool embedded in its code, so it can extract those partitions from NCAs if the keys are provided.
NXTheme (Home Menu theme)
This format, developed by the Qcean team, handles Home Menu layout modding.
Goldleaf can install them, but it needs Home Menu's RomFs at sd:/goldleaf/qlaunch. If the keys used with other formats are provided, Goldleaf itself will locate the console's qlaunch and extract it to that directory.
You will have to reboot with CFW after installing a theme to see any changes.
NACP (Nintendo Application Control Property)
This is the format used by Nintendo to store a title's name, version, author name and other information, such as whether the title supports screenshots or video captures.
Goldleaf can parse a NACP file and display some of its information.
Tickets and certificates
Tickets (.tik) and certificates (.cert) are the format used by Nintendo to provide encryption data for titlekey-signed titles (almost every game).
NSPs usually contain them, and Goldleaf can install them if they are located in the SD card.
To install a ticket you will have to provide a certificate, both with the same name and in the same directory, with their extensions (for example sd:/game.tik and sd:/game.cert).
The NAND browser has almost the same support, but it's recommended to use it only to export files by copying them to the SD card, to avoid any trouble. Goldleaf should warn when doing dangerous operations anyway.
USB installer and Goldtree
You can install NSPs via USB using Goldtree, a C# PC client that handles these installations.
Keep in mind that USB installations are a bit unstable, and might bug sometimes.
Title manager
Goldleaf's title manager will display all the titles installed in the system, both SD, NAND and the one in the gamecart if inserted.
You can view these titles' information, icon, install location and Application Id.
Titles can also be completely uninstalled here. Keep in mind that deleting a title won't delete its savedata, that should stay on the system.
Ticket manager
Goldleaf can get all the tickets installed on the console. While some of them will contain the name of the title they belong to, some could belong to DLC or other types of content despite not belonging directly to a title.
You can view the Application Id and the key generation of a ticket by selecting it.
Tickets can also be removed from the console. Removing tickets can be dangerous, as without them titlekey-signed titles won't be allowed to boot by Home Menu.
CFW configuration
This is mostly a useful menu for checking which CFWs are on the SD card and which of them have any Home Menu modifications, meaning that a theme is probably installed there.
You can delete any Home Menu modifications of a certain CFW after selecting a CFW.
Console information
On this option, you can check the used size of the SD card, the entire NAND, and on the different NAND partitions.
It also displays the firmware version the console is currently running.
About
Displays Goldleaf's logo and whether Goldleaf is running as a NRO from hbmenu or as a normal title.
As some other miscellaneous options, you can easily reboot or shut down your console from Goldleaf, by pressing ZL or ZR in any moment.
Providing keys
If you provide a file with several Switch keys (commonly named prod.keys or keys.dat) you will be able to do some extra things with Goldleaf (remember that you have to place it at sd:/goldleaf/keys.dat):
Unless you have already dumped qlaunch's (aka Home Menu) RomFs (or at least the files within the lyt folder) to the sd:/goldleaf/qlaunch directory, you will need to provide the previously mentioned key file, so that Goldleaf can extract the RomFs of the console's qlaunch contents directly and use it.
You have the option to extract NCA contents (ExeFs, RomFs or section 0), but you will need the previously mentioned keys too.
Installation
You have two options to use Goldleaf: load it as regular homebrew via hbmenu as an NRO binary, or install the NSP as a regular title. Ironically, you would need to install Goldleaf's NSP via Goldleaf running as an NRO (or older installers like the original Tinfoil).
For both options, you will have to get the latest release of the NRO/NSP from here.
Getting ready for USB installations
USB installations require a few extra things to be available:
Download Zadig tool from here
Open Goldleaf and select the USB install option, with the Switch connected to the PC via a USB-C cable.
Open Zadig, and select the device of your Nintendo Switch, and install libusbK there.
Nothing else is required. No external files, or extra configuration are required for Goldleaf but the NRO/NSP.
NRO binary
Simply place the NRO anywhere on the SD card (people usually place NROs in the switch folder) and launch it!
NSP (installable title)
Goldleaf's NSP title has application ID / title ID 050032A5CF12E000. (as an extra piece of information)
You need a homebrew to install the NSP. The best solution would be to download both the NRO and the NSP, and install the NSP via the NRO. (ironically)
Having it installed, you should be able to launch Goldleaf as a normal title.
Goldtree and USB installs
USB communication is slightly different from Tinfoil's, so Tinfoil's old Python script, AluminumFoil and other tools won't work properly.
Goldtree will ask you to choose a NSP after establishing connection with Goldleaf, and it will be received and installed by Goldleaf.
Keep in mind that USB support is a bit unstable, and sometimes it might fail. Anyway, it should work most of the times.
Basic controls
The controls are quite intuitive in Goldleaf, but here you have a brief explanation of them:
Press A to select options from menus, browse folders, or in case it's a file, to browse a menu with file options (copy, delete..)
Press B to cancel a dialog or to go back to the previous page / menu.
Press X to paste the path of the clipboard. Obviously, this option is only available on file browsers. (SD or NAND)
Press Y to browse a menu with directory options, similar to the one used with files, instead of browsing the directory. Obviously, this option is only available on file browsers. (SD or NAND)
Press ZL or ZR anywhere to browse a menu with reboot / shut down options, in case you want to reboot or shut down the console.
Press Plus (+) or Minus (-) to exit Goldleaf and return to hbmenu. This option is only available if Goldleaf is loaded as a NRO binary. (more special cases like this one below)
Movement is quite obvious. Using the L-stick, the R-stick or the D-pad you can move through menu or dialog options. On menus (like the file browsers or the main menu) the R-stick provides a way faster scrolling.
Special features
Goldleaf differs in some features depending on whether it is loaded as an NRO or as an installed title:
Goldleaf can be exited via the Plus (+) or Minus (-) buttons if it's loaded as an NRO, but since regular titles have to be exited from the Home Menu, this feature is not available as a title.
Goldleaf disables the Home button while installing an NSP if it's loaded as a title, but this feature isn't available as an NRO binary for technical reasons related to applets.
Goldleaf cannot launch NRO binaries if it's loaded as a title, for technical reasons. They can only be launched from another NRO binary.
Issues and support
In case you find a bug or you need help with Goldleaf, you have several places to ask.
Many errors are very common and easily misunderstood; read up a bit on them before reporting them as issues:
It's a common issue for some NSPs, although they are completely valid, to be detected as wrong NSPs. While they can really be wrong NSPs, this is usually caused by a firmware mismatch. For instance, if you are trying to install a title which requires at least version 5.1.0 (which uses key generation 4) on a lower firmware version, it won't be recognised as a valid NSP for cryptographic reasons: the console cannot decrypt the NSP because it is encrypted with keys it does not have, which ship with the 5.1.0 update.
The USB installation can sometimes freeze in the middle of the install. If that happens, try closing Goldleaf and Goldtree, uninstalling the wrongly-installed title and retrying.
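The key generation mismatch above can be predicted before an install attempt by reading the ticket inside the NSP. The following Python is an added example, not Goldleaf's code: it parses the NSP's PFS0 container (header, file entries, string table), reads the key generation from the last byte of the ticket's rights ID at offset 0x2A0 of an RSA-2048-signed ticket, and compares it with the key generation the console supports. The sample NSP, its title ID and the stub .cert/.nca files are constructed here.

```python
import struct

# Ticket layout assumed here: an RSA-2048-SHA256 signed ticket has a 0x140-byte
# signature block, then the body. The 16-byte rights ID is at body+0x160, i.e.
# absolute offset 0x2A0, and its last byte is the key generation the title needs.
TIK_RIGHTS_ID_OFFSET = 0x2A0
TIK_SIZE = 0x2C0


def parse_pfs0(data: bytes) -> dict:
    """Return {name: bytes} for every file inside a PFS0 container (an NSP)."""
    magic, count, str_table_size, _reserved = struct.unpack_from("<4sIII", data, 0)
    if magic != b"PFS0":
        raise ValueError("not a PFS0 container")
    entries_off = 0x10                         # entries follow the 16-byte header
    str_table_off = entries_off + count * 0x18  # each entry is 0x18 bytes
    data_off = str_table_off + str_table_size   # file data follows the string table
    string_table = data[str_table_off:data_off]
    files = {}
    for i in range(count):
        off, size, name_off, _pad = struct.unpack_from("<QQII", data, entries_off + i * 0x18)
        name = string_table[name_off:string_table.index(b"\0", name_off)].decode()
        files[name] = data[data_off + off:data_off + off + size]
    return files


def build_pfs0(files: dict) -> bytes:
    """Pack {name: bytes} into a PFS0; used only to construct the sample NSP."""
    names = list(files)
    string_table = b"".join(n.encode() + b"\0" for n in names)
    string_table += b"\0" * (-len(string_table) % 0x10)  # pad so data starts aligned
    header = struct.pack("<4sIII", b"PFS0", len(names), len(string_table), 0)
    entries, body, off, name_off = b"", b"", 0, 0
    for n in names:
        blob = files[n]
        entries += struct.pack("<QQII", off, len(blob), name_off, 0)
        body += blob
        off += len(blob)
        name_off += len(n) + 1
    return header + entries + string_table + body


def ticket_key_generation(tik: bytes) -> int:
    """Key generation required by a ticket: last byte of its rights ID."""
    rights_id = tik[TIK_RIGHTS_ID_OFFSET:TIK_RIGHTS_ID_OFFSET + 0x10]
    return rights_id[-1]


def check_nsp(nsp: bytes, console_key_generation: int) -> dict:
    """Report whether the console's supported key generation covers the NSP's ticket."""
    files = parse_pfs0(nsp)
    tiks = sorted(n for n in files if n.endswith(".tik"))
    if not tiks:  # no ticket: not titlekey-signed, nothing to compare here
        return {"ticket": None, "required": None, "installable": True}
    required = ticket_key_generation(files[tiks[0]])
    return {"ticket": tiks[0], "required": required,
            "installable": required <= console_key_generation}


def make_ticket(title_id: int, key_generation: int) -> bytes:
    """Construct a minimal ticket carrying only the fields this check reads."""
    tik = bytearray(TIK_SIZE)
    struct.pack_into(">I", tik, 0, 0x10004)  # signature type RSA-2048-SHA256 (big-endian)
    rights_id = title_id.to_bytes(8, "big") + bytes(7) + bytes([key_generation])
    tik[TIK_RIGHTS_ID_OFFSET:TIK_RIGHTS_ID_OFFSET + 0x10] = rights_id
    return bytes(tik)


SAMPLE_TITLE_ID = 0x0100000000010000  # constructed, not a real title
# Constructed NSP whose ticket needs key generation 4 (the page's 5.1.0 example).
SAMPLE_NSP = build_pfs0({
    "sample.tik": make_ticket(SAMPLE_TITLE_ID, 4),
    "sample.cert": bytes(0x700),   # placeholder certificate chain
    "sample.nca": b"\0" * 0x400,   # placeholder content archive
})

if __name__ == "__main__":
    for supported in (3, 4):  # a console below 5.1.0 vs. one on it
        print(supported, check_nsp(SAMPLE_NSP, supported))
```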
Screenshots
Goldleaf
Goldtree
Possible future features
Savedata mounting and browsing (and hopefully exporting)
Key derivation, the process to obtain the required keys from the console itself
Support more extraction formats (PFS0 (aka NSP) or XCI), same way GodMode9 does with the 3DS system
As GodMode9 does, implement a more simple way to mount contents instead of static menus
Credits
The main concepts of Goldleaf are and have been developed by XorTroll, but without the effort and support of many others, this project wouldn't be what it is now:
(Of all the people listed below, special thanks to Adubbz, exelix, C4Phoenix, The-4n and SciresM, for their huge support in their respective areas of homebrew.)
Adubbz and all the (old) Tinfoil contributors, for their huge work with title installing.
exelix and Qcean team, for all their huge support with Home Menu themes. Goldleaf uses (adapted) SwitchThemesCommon libraries to handle theme installs.
C4Phoenix, for his awesome work doing this project's logo, and the GIF displayed when launching the installed version.
All the icons except Goldleaf's one (see credit above) were grabbed from Icons8.
The-4n, for hacBrewPack, to make completely legal NSPs.
SciresM for hactool, which was ported as a library to make NCA extraction a thing in Goldleaf.
Thealexbarney, for his C# libraries for various Nintendo Switch formats: LibHac, used by Goldtree.
Simon for his libusbK implementation for C#, which has made Goldtree client possible.
All the testers, for reporting bugs and helping with the project's development.
Support
If you would like to be more informed about my projects' status and support, you should check H&H, my Discord server. It's a simple server for Homebrew and Hacking, focused on my projects. If you would like to be a beta-tester, you might be interested in the nightly building system we have there for testers.
If you like my work, you should take a look at my Patreon page. For those who support me, you will be credited on my projects, and you'll gain some nice extras on H&H!
Enjoy using this tool, and Happy New Year!
Change log:
First version, with lots of cool features!