Hacking Where is the OTP located?

yacepi15 · May 29, 2016

The OTP is located on the NAND or in the Bootrom? Thanks.
(And... If it is located in NAND,why cant be extracted from a NAND dump?)

mashers · May 29, 2016

It's in the bootrom, which hasn't been decrypted yet afaik.

Ryccardo · May 29, 2016

It's a separate PROM inside the cpu, unlike the bootrom which is also there but a factory-stamped ROM!

mashers · May 29, 2016

Oh my mistake, I thought it was actually within the bootrom.

yacepi15 · May 29, 2016

And... What locks reading from that region at boot? The Native_firm?

daxtsu · May 29, 2016

yacepi15 said:
And... What locks reading from that region at boot? The Native_firm?

As far as I know, that's correct, since 3dbrew mentions that as of FIRM 3.0, the OTP became locked on boot. On a related note, the bootrom locks itself, if I'm not mitaken.

ihaveahax · May 29, 2016

yacepi15 said:
And... What locks reading from that region at boot? The Native_firm?

yes; this is why we can go to versions before 3.0 to get the OTP.

yacepi15 · May 29, 2016

And today,installing A9LH is safe?

Bedel · May 29, 2016

yacepi15 said:
And today,installing A9LH is safe?

Yes, at least if you can follow a guide without skipping any step.

daxtsu · May 29, 2016

yacepi15 said:
And today,installing A9LH is safe?

Unless we end up getting some kind of a bootrom exploit, or some other "miracle" hack comes about, downgrading to 2.1 will remain the only realistic option to get the OTP, and @d0k3's tools have proven time and again to be safe. As long as you can follow directions, the entire process is about as safe as it can possibly be, especially now since Hourglass9 is out, which should remove a lot of human error from the NAND restoration parts.

Heran Bago · May 29, 2016

http://fanlore.org/wiki/OTP

dimmidice · May 29, 2016

i've done two installs of A9LH in recent days. it's safe but read the guide thoroughly, follow the guide exactly, take it slow, and if you're unsure of anything ask for help somewhere. don't assume anything.

Ryccardo · May 29, 2016

mashers said:
Oh my mistake, I thought it was actually within the bootrom.

Oh, don't worry, it's a technical detail that won't affect common users/developers and most likely not even bootrom researchers; but when you make consoles by the tens of thousands, a fixed rom + a small prom is cheaper and more reliable than a larger prom!

richardparker · May 29, 2016

mashers said:
It's in the bootrom, which hasn't been decrypted yet afaik.

whats afaik??

mashers · May 29, 2016

richardparker said:
whats afaik??

As far as I know.

nl255 · May 29, 2016

daxtsu said:
Unless we end up getting some kind of a bootrom exploit, or some other "miracle" hack comes about, downgrading to 2.1 will remain the only realistic option to get the OTP, and @d0k3's tools have proven time and again to be safe. As long as you can follow directions, the entire process is about as safe as it can possibly be, especially now since Hourglass9 is out, which should remove a lot of human error from the NAND restoration parts.

Do you know if anyone has looked at applying Tempesthax to the 3DS? I know it already has to several different kinds of encryption software on both the iPhone and Android to extract ECDSA keys.

mashers · May 29, 2016

nl255 said:
Do you know if anyone has looked at applying Tempesthax to the 3DS? I know it already has to several different kinds of encryption software on both the iPhone and Android to extract ECDSA keys.

I don't fully understand what they're doing there, but it says this:

fully extract decryption keys, by measuring the laptop's electromagnetic emanations during decryption of a chosen ciphertext

Wouldn't that mean we would need to know the encryption/decryption key used to protect OTP in order to have any hope of discovering it using the method? Also, the equipment needed is so specialised, whereas currently OTP can be captured using a relatively safe method.

richardparker · May 29, 2016

mashers said:
As far as I know.

oh right thanks!

nl255 · May 29, 2016

mashers said:
I don't fully understand what they're doing there, but it says this:

Wouldn't that mean we would need to know the encryption/decryption key used to protect OTP in order to have any hope of discovering it using the method? Also, the equipment needed is so specialised, whereas currently OTP can be captured using a relatively safe method.

No, the whole point of what they did is to extract the keys. Known/chosen plaintext means that you know (or can control) what is being encrypted or decrypted. Also, the point of using something like that would be to get the Bootrom keys or other keys we don't have, not OTP. You know, like the ones that would be needed to install CIA files or system titles directly, which would allow downgrading to any firmware via hardmod. Or decrypting games without the need for a 3DS and decrypt9.

mashers · May 29, 2016

nl255 said:
No, the whole point of what they did is to extract the keys. Known/chosen plaintext means that you know (or can control) what is being encrypted or decrypted. Also, the point of using something like that would be to get the Bootrom keys or other keys we don't have, not OTP. You know, like the ones that would be needed to install CIA files or system titles directly, which would allow downgrading to any firmware via hardmod. Or decrypting games without the need for a 3DS and decrypt9.

I see. But still, wouldn't those keys be per-console, and hence the same elaborate process would be needed to capture them each time?

Hacking Where is the OTP located?

Well-Known Member

Stubborn ape

Penguin accelerator

Stubborn ape

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

The key of the blade

Well-Known Member

Where do puyo come from?

Well-Known Member

Penguin accelerator

Well-Known Member

Stubborn ape

Well-Known Member

Stubborn ape

Well-Known Member

Well-Known Member

Stubborn ape

Similar threads

Popular threads in this forum