Hacking 3DS Hack: "We hacked it"

Status
Not open for further replies.

Foxi4

"most of the time, they are" - no they aren't. That would completely defeat the point of asymmetric encryption. The only time private keys were stored on a console was some of the PSP keys being stored on the PS3.
I don't think he's asking whether or not the keys are ever in Main Memory, I think he's asking if they are on the device, and they are - on the encryption chip which is separate from the rest of the hardware and deals with encryption and encryption alone. If the console did not have a key to decrypt content, it wouldn't play the content. If it didn't have a key to sign content, eShop wouldn't work. You technically can sign content on the 3DS itself and for your own use - the console does it natively.

The problem lies in the key only, as it is pretty much unreadable and blanks out upon decapping attempts as far as I know - it has its own embedded memory, so you can't "jack into it" from the outside either.
 

RupeeClock

What about DSaveManager ? I have a 3ds with a flash card, can i use this software to restore a savegame to a 3ds cartridge?
Unfortunately not. This method requires that you load DSaveManager on your DS Lite or DS system, and then swap the cartridge so it can read/write that cart's save data via WLAN.

DSi and 3DS systems took measures to prevent cart swapping.
 

SifJar

I don't think he's asking whether or not the keys are ever in Main Memory, I think he's asking if they are on the device, and they are - on the encryption chip which is separate from the rest of the hardware and deals with encryption and encryption alone. If the console did not have a key to decrypt content, it wouldn't play the content. If it didn't have a key to sign content, eShop wouldn't work. You technically can sign content on the 3DS itself and for your own use - the console does it natively.

The problem lies in the key only, as it is pretty much unreadable and blanks out upon decapping attempts as far as I know - it has its own embedded memory, so you can't "jack into it" from the outside either.
No, the private key is not on the console in any way. Unless someone screwed up big time. A console specific key is there, but that is not enough to sign executable content.
 

Foxi4

No, the private key is not on the console in any way. Unless someone screwed up big time. A console specific key is there, but that is not enough to sign executable content.
Then how, pray tell, is the 3DS "signing" content downloaded from the eShop in such a fashion that it is bootable only on one specific 3DS, when I am pretty certain that it does not download pre-signed? I'm not saying you're wrong, I'd just like an explanation - the way I see it, the console has to sign the content in some fashion.
 
Deleted-185407

Then how, pray tell, is the 3DS "signing" content downloaded from the eShop in such a fashion that it is bootable only on one specific 3DS, when I am pretty certain that it does not download pre-signed? I'm not saying you're wrong, I'd just like an explanation - the way I see it, the console has to sign the content in some fashion.

Why would it not download pre-signed? Makes more sense to download content pre-signed.
 

metroid maniac

An idiot with an opinion
Member
Joined
May 16, 2009
Messages
2,068
Trophies
2
XP
2,575
Country
Then how, pray tell, is the 3DS "signing" content downloaded from the eShop in such a fashion that it is bootable only on one specific 3DS, when I am pretty certain that it does not download pre-signed? I'm not saying you're wrong, I'd just like an explaination - the way I see it, the console has to sign the content in some fashion.

The content is signed by Nintendo and then encrypted with a 3DS specific key, I think. Then it is put on the SD card.
Exchanging SD cards between 3DSs should not work if that is true.
 

Foxi4

Endless Trash
Global Moderator
Joined
Sep 13, 2009
Messages
30,818
Trophies
3
Location
Gaming Grotto
XP
29,789
Country
Poland
Why would it not download pre-signed? Makes more sense to download content pre-signed.
The content is signed by Nintendo and then encrypted with a 3DS specific key, I think. Then it is put on the SD card.
Exchanging SD cards between 3DSs should not work if that is true.
Because that would require the 3DS to actually send the 3DS-specific key each time via the Internet, and that can be intercepted. It actually makes MORE sense to me to use an on-board chip with memory on the silicon instead.
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,175
Country
Then how, pray tell, is the 3DS "signing" content downloaded from the eShop in such a fashion that it is bootable only on one specific 3DS, when I am pretty certain that it does not download pre-signed? I'm not saying you're wrong, I'd just like an explanation - the way I see it, the console has to sign the content in some fashion.
The content that is downloaded is signed with Nintendo's private key, prior to being made available for download. The signature is verified and the content will be re-encrypted using the per-console key as part of the process of installing it to NAND. (I may have over simplified slightly or whatever, but this is the gist; content that is downloaded is already signed. It is just encrypted again with a per console key, not signed). It does download pre-signed. It would be a foolish security system to have signing done on the client system.

So now you may be wondering what the point of the decapping project is? Well, it could reveal other keys e.g. common key (which is on each console), useful for decrypting content. In addition, it would allow inspection of the bootROM. If there is some vulnerability there, it could be exploited for running custom code very early in the boot process (see BootMii due to the Trucha Bug in old version of boot1). It also couldn't be fixed for already existing consoles, only for newly produced ones.

Because that would require the 3DS to actually send the 3DS-specific key each time via the Internet, and that can be intercepted. It actually makes MORE sense to me to use an on-board chip with memory on the silicon instead.
To clarify, this does not happen. The downloaded version will be signed with the 3DS private key (universal to all 3DS systems due to the corresponding common key present on all units), then the client 3DS will do the per-console crypto to stop it being copied to another 3DS unit. The 3DS private key (should) never be present on any 3DS, or indeed anywhere outside of some isolated computer at Nintendo HQ (that's a postulation, but it's probably not far fetched; they don't want to risk it leaking at all).
 

metroid maniac

An idiot with an opinion
Member
Joined
May 16, 2009
Messages
2,068
Trophies
2
XP
2,575
Country
Because that would require the 3DS to actually send the 3DS-specific key each time via the Internet, and that can be intercepted. It actually makes MORE sense to me to use an on-board chip with memory on the silicone instead.

No it doesnt. The 3DS specific key doesn't matter for Nintendo at large, and it stays entirely in a single 3DS unit. The only purpose is to stop the interchanging of SD cards, I think.
What is downloaded from the eShop is encrypted and signed by Nintendo and then encrypted by the 3DS-specific key on the 3DS before it is saved.
 
Deleted-185407

Because that would require the 3DS to actually send the 3DS-specific key each time via the Internet, and that can be intercepted. It actually makes MORE sense to me to use an on-board chip with memory on the silicon instead.

And there's nothing wrong with sending information about the 3DS to Nintendo's servers as to Nintendo it's classified as public information anyways. Not to mention, even if it was secure information, they can just use SSL connections to ensure safe transfer of data.

If Nintendo was to put their private keys anywhere on the console, then there's no point for them to implement any sort of security system.
 

metroid maniac

An idiot with an opinion
Member
Joined
May 16, 2009
Messages
2,068
Trophies
2
XP
2,575
Country
I must've confused the common key with the private key - private sort-of implies that it's private to every console, common is the one that's common with all. :unsure: Nomenclature, nomenclature.

Private keys and public (common) keys refer to asymmetric encryption... Basically, one key to encrypt and a different one to decrypt.
Nintendo has the private to encrypt but every 3DS needs the public to decrypt.
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,175
Country
I must've confused the common key with the private key - private sort-of implies that it's private to every console, common is the one that's common with all. :unsure: Nomenclature, nomenclature.
Common key (aka public key) is indeed common to all. It is also "public" in the sense that it is "known" by consumer 3DS units.

The private key is also universal to all units, but none of them "know" the key. This is how asymmetric encryption works; a private key is used to sign, a different key (the public key) is used to decrypt and verify. And there is no way to calculate one key from the other without knowing a randomly generated number (which changes for every single signature, unless you're Sony and fail at crypto implementation), making it impossible to calculate one from the other.
 
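The per-signature random number SifJar mentions is the ECDSA nonce k, and the "unless you're Sony" aside refers to reusing it. As an added example, not from anyone in this thread, here is what reuse costs: two signatures under the same key and the same k on different messages hand over the private key with two modular equations. The signing routine below is deliberately textbook ECDSA that lets the caller pick k (a real signer must draw a fresh secret k per signature); the curve (P-256), hash (SHA-256) and the two "firmware image" messages are assumptions for illustration, not a statement about what any console vendor used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Curve and its group order n; every scalar operation below is mod n.
var (
	curve = elliptic.P256()
	n     = curve.Params().N
)

// hashToInt turns SHA-256(msg) into the integer e that ECDSA signs.
func hashToInt(msg []byte) *big.Int {
	h := sha256.Sum256(msg)
	return new(big.Int).SetBytes(h[:])
}

// signWithNonce is textbook ECDSA with a caller-chosen nonce k. A correct
// signer draws a fresh, secret, uniformly random k for every signature;
// this version exists only to reproduce the reuse mistake.
func signWithNonce(d, k *big.Int, msg []byte) (r, s *big.Int) {
	x, _ := curve.ScalarBaseMult(k.Bytes()) // R = k*G, r = R.x mod n
	r = new(big.Int).Mod(x, n)
	s = new(big.Int).Mul(r, d) // s = k^-1 * (e + r*d) mod n
	s.Add(s, hashToInt(msg))
	s.Mul(s, new(big.Int).ModInverse(k, n))
	s.Mod(s, n)
	return r, s
}

// recoverPrivateKey takes two signatures on different messages that share r
// (and therefore k) and solves the two linear equations for k, then d.
func recoverPrivateKey(msg1, msg2 []byte, r, s1, s2 *big.Int) *big.Int {
	e1, e2 := hashToInt(msg1), hashToInt(msg2)
	k := new(big.Int).Sub(e1, e2) // k = (e1 - e2) / (s1 - s2) mod n
	k.Mul(k, new(big.Int).ModInverse(new(big.Int).Sub(s1, s2), n))
	k.Mod(k, n)
	d := new(big.Int).Mul(s1, k) // d = (s1*k - e1) / r mod n
	d.Sub(d, e1)
	d.Mul(d, new(big.Int).ModInverse(r, n))
	return d.Mod(d, n)
}

// demoNonceReuse signs two constructed messages under one key with the same k,
// confirms both signatures verify as genuine, and recovers the private key.
func demoNonceReuse() (bothVerify, keyRecovered bool, err error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, false, err
	}
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1)))
	if err != nil {
		return false, false, err
	}
	k.Add(k, big.NewInt(1)) // k in [1, n-1]
	msg1 := []byte("constructed firmware image A") // constructed sample input
	msg2 := []byte("constructed firmware image B") // constructed sample input
	r1, s1 := signWithNonce(priv.D, k, msg1)
	r2, s2 := signWithNonce(priv.D, k, msg2)
	h1, h2 := sha256.Sum256(msg1), sha256.Sum256(msg2)
	bothVerify = r1.Cmp(r2) == 0 &&
		ecdsa.Verify(&priv.PublicKey, h1[:], r1, s1) &&
		ecdsa.Verify(&priv.PublicKey, h2[:], r2, s2)
	keyRecovered = recoverPrivateKey(msg1, msg2, r1, s1, s2).Cmp(priv.D) == 0
	return bothVerify, keyRecovered, nil
}

func main() { fmt.Println(demoNonceReuse()) }
```

Both signatures pass the standard library's verifier, so nothing on the verifying side can tell they were produced carelessly; the only defence is on the signer. The tell-tale for an auditor is two signatures from the same key with an identical r value, which is exactly the check recoverPrivateKey's precondition describes.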

Arras

Well-Known Member
Member
Joined
Sep 14, 2010
Messages
6,317
Trophies
2
XP
5,382
Country
Netherlands
I must've confused the common key with the private key - private sort-of implies that it's private to every console, common is the one that's common with all. :unsure: Nomenclature, nomenclature.
The common key IS the same for each and every console, so that part is right. The private key is private because only Nintendo has it. From what I understand the things probably happen sort of like this:
-Ninty signs game with private key
-3DS downloads signed game, it's checked using the common key
-3DS encrypts/signs the game again with a console unique key during install
-When you want to play the game, it's checked/decrypted by the 3DS unique key again and you can play. If you were to try the data of another 3DS, this step would fail as it was encrypted/signed using a different key.

Honestly I'm not sure if encryption or signing is used for each step (it makes sense to me for Nintendo to upload encrypted data, not just signed, to prevent hackers from easily reading and analyzing the files) but I think this is about it.
 
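The sign-then-wrap flow that SifJar and Arras describe above (publisher signs with a private key; the console verifies with the public/common key and then re-encrypts under a console-unique key at install; a blob moved to another console fails to open), as an added example that is not from the original thread and not Nintendo's code. An RSA key pair stands in for the publisher's signing key and the console-resident public key, a random 32-byte AES key per console stands in for the console-unique key, and PKCS#1 v1.5 over SHA-256 plus AES-256-GCM are this example's choices, not a description of the 3DS's real algorithms or file formats.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// randBytes draws n bytes from the CSPRNG (per-console key, GCM nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// Publisher side: the private key never leaves here. Only the public half
// ships on every console (the thread's "common key").
func signContent(priv *rsa.PrivateKey, content []byte) ([]byte, error) {
	digest := sha256.Sum256(content)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Console side: the public key can check a signature but cannot make one.
func verifyContent(pub *rsa.PublicKey, content, sig []byte) error {
	digest := sha256.Sum256(content)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// aeadFor builds AES-256-GCM under a 32-byte per-console key (assumed model).
func aeadFor(consoleKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(consoleKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// installContent: refuse anything the publisher did not sign, then wrap the
// verified content under this console's key. The blob is what lands on SD/NAND.
func installContent(pub *rsa.PublicKey, consoleKey, content, sig []byte) ([]byte, error) {
	if err := verifyContent(pub, content, sig); err != nil {
		return nil, fmt.Errorf("refusing to install: %w", err)
	}
	gcm, err := aeadFor(consoleKey)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, content, nil), nil // nonce || ciphertext || tag
}

// loadContent: unwrap with this console's key. Another console's key, or a
// modified blob, fails the GCM tag check instead of yielding garbage.
func loadContent(consoleKey, blob []byte) ([]byte, error) {
	gcm, err := aeadFor(consoleKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// runDemo plays out the scenario: signed content installs on console A, A loads
// it back, console B cannot (SD card swap), and altered content is refused.
func runDemo() (installs, sameLoads, otherFails, tamperFails bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	keyA, keyB := randBytes(32), randBytes(32) // two different consoles
	content := []byte("constructed sample title data") // constructed input
	sig, err := signContent(priv, content)
	if err != nil {
		return
	}
	blob, err := installContent(&priv.PublicKey, keyA, content, sig)
	if err != nil {
		return
	}
	installs = true
	got, e := loadContent(keyA, blob)
	sameLoads = e == nil && bytes.Equal(got, content)
	_, e = loadContent(keyB, blob)
	otherFails = e != nil
	_, e = installContent(&priv.PublicKey, keyA, append([]byte("patched "), content...), sig)
	tamperFails = e != nil
	return
}

func main() { fmt.Println(runDemo()) }
```

Two points the thread circles around fall out of the code. First, nothing on the console can produce a signature: verifyContent only ever holds the public key, so "signing on the device" is not a capability the design needs or grants. Second, the per-console step is authenticated encryption, not a signature; using an AEAD means a blob copied from console A to console B fails with an authentication error rather than decrypting to garbage that the loader then has to reject some other way.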

Foxi4

Endless Trash
Global Moderator
Joined
Sep 13, 2009
Messages
30,818
Trophies
3
Location
Gaming Grotto
XP
29,789
Country
Poland
I think I'm getting the gist of it - I simply called "encryption on the device itself" signing, nevermind. Arras's description checks out with what I had in mind, I just thought that it's not pre-signed.
 

Arras

Well-Known Member
Member
Joined
Sep 14, 2010
Messages
6,317
Trophies
2
XP
5,382
Country
Netherlands
I think I'm getting the gist of it - I simply called "encryption on the device itself" signing, nevermind. Arras's description checks out with what I had in mind, I just thought that it's not pre-signed.
Yeah, the signing vs encrypting is kind of confusing to me too. I mean, for the end user, the result is the same (not being able to launch content on a different system), so it's hard to tell the difference, but the implementation, security and speed are different. It doesn't help that encrypting stuff is one of the steps in signing something.
 

spett

Member
Newcomer
Joined
Apr 9, 2012
Messages
8
Trophies
0
XP
283
Country
Norway
So, with the console key(found in movable.sed?) we can re-encrypt eShop games to be played on every 3DS..
 

Arras

Well-Known Member
Member
Joined
Sep 14, 2010
Messages
6,317
Trophies
2
XP
5,382
Country
Netherlands
So, with the console key(found in movable.sed?) we can re-encrypt eShop games to be played on every 3DS..
While that may be possible, you'll need to figure out how the actual encrypting/signing is done as well and you need to grab the key which is probably pretty much impossible without a hacked or heavily hardware modded (like neimod's RAM setup) 3DS. There might also be more stuff that prevents such a thing. You may need to register that game as installed in the 3DS's internal memory somewhere, for example.
 

BloodShed

Gamer
Newcomer
Joined
Dec 14, 2009
Messages
41
Trophies
0
Age
44
Location
Virginia, USA
XP
168
Country
United States
Guys, as a courtesy, please stop "educating" everyone else with your ignorance.

There's a rare few people in here that actually have the right idea and probably know what they're talking about. Unfortunately, most of you are posting nonsense and presenting it like fact. It's okay if you don't know. At least preface your information with, "I think" or "this is how I understand it" or "someone told me". At least try to read up on the subject from a reliable source before making wild accusations about topics that you know little to nothing about.

To clarify, reading a news article or a forum post about hacking a game console does not make you an expert. In fact, what you read is probably far too simplified or not even correct to begin with.

Hell, I'm a software developer that's written secure data services and custom authentication engines for the payroll industry (previously for the financial institution industry) for 8 years now and I wouldn't consider myself an expert either! But I have enough knowledge and experience with asymmetric key cryptography to cringe at the uninformed information spread around in here.

Not trying to be a dick, I just don't like seeing misinformation passed around.
 