Uncleared OTP hash keydata in console-unique 0x11 key-generation
Kernel9Loader does not clear the SHA_HASH register after use. As a result, the data still held in this register when K9L hands over to Kernel9 is the hash of the OTP data used to seed the console-unique NAND keystore decryption key set on keyslot 0x11.
Retrieving this keydata and the NAND keystore of the same device allows calculating the decrypted New3DS NAND keystore (non-unique, common to all New3DS units). The keystore contains AES normal keys, also set on keyslot 0x11, which are then used to derive all current New3DS-only AES keyXs, including the newer batch introduced in 9.6.0-X. From there, it is trivial to perform the same key derivation in order to initialize those keys on any system version, and even on Old3DS.
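A simplified model of the handoff described above, added here as an example and not K9L or 3dbrew code: `ShaEngine`, `KeySlot`, both loader functions and the sample OTP bytes are hypothetical, and using the digest directly as the key seed is an assumption of the model. It shows why a write-only keyslot does not protect a seed that is left behind in a readable hash register, and the scrub that closes the gap.

```python
import hashlib


class ShaEngine:
    """Toy hash peripheral: the last digest stays readable in HASH."""
    def __init__(self):
        self.HASH = bytes(32)

    def digest(self, data):
        self.HASH = hashlib.sha256(data).digest()
        return self.HASH

    def scrub(self):
        self.HASH = bytes(32)  # overwrite the residual digest


class KeySlot:
    """Toy write-only keyslot: later code can use the key, never read it."""
    def __init__(self):
        self._seed = None

    def load(self, seed):
        self._seed = seed

    def was_seeded_with(self, candidate):
        return self._seed is not None and self._seed == candidate


def loader_vulnerable(otp, sha, slot):
    slot.load(sha.digest(otp))  # digest seeds the key (model assumption)...
    # ...and is still in sha.HASH when the next stage starts


def loader_hardened(otp, sha, slot):
    slot.load(sha.digest(otp))
    sha.scrub()                 # clear the register before handing over


def handoff_leaks_seed(loader, otp):
    """True if the next stage can read the key seed from the hash register."""
    sha, slot = ShaEngine(), KeySlot()
    loader(otp, sha, slot)
    return slot.was_seeded_with(sha.HASH)


CONSTRUCTED_OTP = bytes(range(64))  # constructed sample, not real OTP data

if __name__ == "__main__":
    print("vulnerable:", handoff_leaks_seed(loader_vulnerable, CONSTRUCTED_OTP))
    print("hardened:  ", handoff_leaks_seed(loader_hardened, CONSTRUCTED_OTP))
```

A check like `handoff_leaks_seed` can be run against every stage boundary in an emulated boot chain to catch secret-derived state left in shared peripherals.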
...