[Hacking] 3DS Firmware has been decrypted

Status
Not open for further replies.

digipokemaster (Innocent Uke, Member, joined Aug 20, 2009)
So what exactly will this decrypted 3DS FW do? Is this the start of playing 3DS games like with a DS2 card?

*facepalm*
Well, I'm just asking. I'm trying to learn more about why this is a big deal; I don't know all about this area of knowledge. I have never tried to hack anything, so I have no clue about these things.

RodrigoDavy (Well-Known Member, Member, joined Feb 9, 2011)
So what exactly will this decrypted 3DS FW do? Is this the start of playing 3DS games like with a DS2 card?

*facepalm*

It does nothing.

It just allows us to look into the 3DS internal workings.
Nothing more, nothing less.

Still more promising than Crown3DS :yaynds: !


Now, seriously... Happy to see some advance, as the 3DS hacking scene seems stopped in time with just fake rumors. We really have to be grateful to Neimod; he seems to be the only one trying anything at all...

Mirby (BDFF Hype~ :3, Member, joined Feb 9, 2011)
So forgive me if this is a stupid question, but does this have any bearing on being able to decrypt the 3DS ROMs? Not to play them, but to inspect the file structure as, if I'm correct in my reading of this thread, you now could with the decrypted firmware?

I mainly want the music like in 3SF files or something like we can do with the DS and 2SF files.

And yes, I made 3SF up, but it sounds like a probable name for this currently hypothetical 3DS sound format.

RupeeClock (Colors 3D Snivy!, Member, joined May 15, 2008)
Well, good for neimod's research; no use to any of us for the time being.

Things like this can speed up the development of exploits or flashcarts, but neimod may not want any of that to happen.
It could lead to DSiWare and 3DS downloads actually being subject to piracy, and seriously, should that happen, it could spell doom for the eShop.

Sychophantom (I'm a plant., Member, joined Mar 7, 2008)
Well, good for neimod's research; no use to any of us for the time being.

Things like this can speed up the development of exploits or flashcarts, but neimod may not want any of that to happen.
It could lead to DSiWare and 3DS downloads actually being subject to piracy, and seriously, should that happen, it could spell doom for the eShop.

It would put a hurting on it, but doom? Probably not. As widespread as the piracy is on the DS, it's only a fraction of the userbase. I'd imagine that it's quite similar for the 3DS.

It may force Nintendo to update more often, and perhaps do a little better with weekly sales, but it won't kill the eShop.

Snailface (My frothing demand for 3ds homebrew is increasing, Member, joined Sep 20, 2010)
This practically confirms the firmware decryption:
https://github.com/neimod
[attached image]

Corresponds nicely with the timeline of the pastie. :)

And this, of course (firm.c):
Code:
fprintf(stdout, "Entrypoint ARM9: 0x%08X\n", entrypointarm9);
fprintf(stdout, "Entrypoint ARM11: 0x%08X\n", entrypointarm11);

How did this escape our attention for 7 days? :P

RupeeClock (Colors 3D Snivy!, Member, joined May 15, 2008)
Well, good for neimod's research; no use to any of us for the time being.

Things like this can speed up the development of exploits or flashcarts, but neimod may not want any of that to happen.
It could lead to DSiWare and 3DS downloads actually being subject to piracy, and seriously, should that happen, it could spell doom for the eShop.

It would put a hurting on it, but doom? Probably not. As widespread as the piracy is on the DS, it's only a fraction of the userbase. I'd imagine that it's quite similar for the 3DS.

It may force Nintendo to update more often, and perhaps do a little better with weekly sales, but it won't kill the eShop.
Think about how WiiWare ended up; WiiWare/eShop is not as large a market as retail.
Ocarina of Time 3D has over 10000 ratings on the eShop but has sold over a million copies.

Those who see the most benefit from the eShop may be the most likely to know how to pirate, should it happen.

Well, we'd see. I doubt Nintendo is as unsecured as it was on the DS and Wii.

Pong20302000 (making notes on everything, Member, joined Sep 8, 2009)
This practically confirms the firmware decryption:
https://github.com/neimod
[attached image]

Corresponds nicely with the timeline of the pastie. :)

And this, of course (firm.c):
Code:
fprintf(stdout, "Entrypoint ARM9: 0x%08X\n", entrypointarm9);
fprintf(stdout, "Entrypoint ARM11: 0x%08X\n", entrypointarm11);

How did this escape our attention for 7 days? :P

Pretty sure that was when he dumped the encrypted firmware, not when he decrypted it ;)

RodrigoDavy (Well-Known Member, Member, joined Feb 9, 2011)
Couldn't the firmware encryption/decryption be used to create custom firmware like the DS had with FlashMe?

EDIT: Maybe at least downgrade the original Nintendo firmware on the 3DS?

Pong20302000 (making notes on everything, Member, joined Sep 8, 2009)
Couldn't the firmware encryption/decryption be used to create custom firmware like the DS had with FlashMe?

How would you plan on installing this CFW with no way of installing any firmware,
and no 3DS-mode exploit to load a file as such either?

This allows us to see how it functions and if there are any loopholes,
hence why ARM9 needs a beating to check for possibilities.
Nothing else.

Cyan (GBATemp's lurking knight, Former Staff, joined Oct 27, 2002)
If I remember, the DS didn't have encryption. FlashMe patched the firmware to bypass the AES check to allow launching unsigned homebrew.

For the 3DS, if we can't bypass it, then we need the encryption key, which only Nintendo has (private key).
Decryption is done with the common key, which is included in the firmware.

Decrypting the firmware only allows browsing files and checking how it's working, but it doesn't allow encryption/custom firmware creation.

Analyzing how the console internals are working is the first step to allowing unsigned homebrew, but it doesn't mean it can be done.
It's possible if Nintendo made a mistake, but they can/will update the firmware to fix any flaw.

SifJar (Not a pirate, Member, joined Apr 4, 2009)
Couldn't the firmware encryption/decryption be used to create custom firmware like the DS had with FlashMe?

EDIT: Maybe at least downgrade the original Nintendo firmware on the 3DS?
No. It is just decryption (assuming this is true), not encryption. Therefore you can just inspect it. You can't modify it and re-encrypt & sign it, so the 3DS won't accept the modified version.

EDIT: Beaten.
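
The point made in the last few posts (the firm.c entrypoint output quoted earlier, and Cyan's and SifJar's point that a decrypted image can be read but not modified and re-accepted) can be shown concretely. The following is an added example written for this thread; it is not neimod's firm.c, not ctrtool, and not any code from the people posting here. It assumes the FIRM container layout as publicly documented on 3dbrew (magic "FIRM", boot priority, ARM11 and ARM9 entrypoints, four 0x30-byte section headers each carrying a SHA-256 of its section, an RSA-2048 signature over the first 0x100 bytes, header size 0x200). The sample image, its addresses and payloads are constructed for the example and are not a real dump. It parses the header, prints the two entrypoints the same way the quoted fprintf lines do, recomputes the per-section SHA-256 hashes, and then patches one byte of the ARM9 section to show the header hash check failing. The RSA signature itself is not verified: nobody outside Nintendo holds the private key, so a modified header cannot be re-signed, which is exactly why the hash mismatch cannot be "fixed" by editing the hash.

```python
"""Minimal 3DS FIRM container parser (added example, not neimod's firm.c or
ctrtool).  Layout assumed from the public 3dbrew documentation:

  0x000  magic "FIRM"
  0x004  boot priority (u32)
  0x008  ARM11 entrypoint (u32)
  0x00C  ARM9 entrypoint (u32)
  0x010  0x30 bytes reserved
  0x040  4 section headers, 0x30 bytes each:
           offset, load address, size, copy method (u32 each), SHA-256
  0x100  RSA-2048 signature over the first 0x100 bytes (not verified here)
  0x200  section data begins
"""
import hashlib
import struct
from dataclasses import dataclass

FIRM_MAGIC = b"FIRM"
HEADER_SIZE = 0x200
SECTION_HDR_OFFSET = 0x40
SECTION_HDR_SIZE = 0x30
NUM_SECTIONS = 4


@dataclass
class FirmSection:
    offset: int
    load_address: int
    size: int
    copy_method: int   # 0 = NDMA, 1 = XDMA, 2 = CPU memcpy (per 3dbrew)
    sha256: bytes


@dataclass
class FirmHeader:
    boot_priority: int
    entrypoint_arm11: int
    entrypoint_arm9: int
    sections: list
    signature: bytes


def parse_firm(image: bytes) -> FirmHeader:
    """Parse the 0x200-byte FIRM header; raises on a bad magic or short image."""
    if len(image) < HEADER_SIZE or image[:4] != FIRM_MAGIC:
        raise ValueError("not a FIRM image")
    boot_priority, ep11, ep9 = struct.unpack_from("<III", image, 4)
    sections = []
    for i in range(NUM_SECTIONS):
        base = SECTION_HDR_OFFSET + i * SECTION_HDR_SIZE
        off, load, size, method = struct.unpack_from("<IIII", image, base)
        digest = image[base + 0x10:base + 0x30]
        sections.append(FirmSection(off, load, size, method, digest))
    return FirmHeader(boot_priority, ep11, ep9, sections, image[0x100:0x200])


def verify_sections(image: bytes, hdr: FirmHeader) -> list:
    """Return (index, ok) for each non-empty section, recomputing the SHA-256
    over the section data and comparing it with the digest in the header."""
    results = []
    for i, s in enumerate(hdr.sections):
        if s.size == 0:
            continue
        data = image[s.offset:s.offset + s.size]
        ok = len(data) == s.size and hashlib.sha256(data).digest() == s.sha256
        results.append((i, ok))
    return results


def build_sample_firm() -> bytes:
    """Constructed sample image (not a real dump): two sections with made-up
    payloads, made-up load addresses/entrypoints and a zero-filled signature."""
    arm11 = b"\x00\x00\xa0\xe1" * 64   # 256 bytes of ARM 'mov r0, r0' (nop)
    arm9 = b"\xfe\xff\xff\xea" * 64    # 256 bytes of ARM 'b .' (branch to self)
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = FIRM_MAGIC
    struct.pack_into("<III", hdr, 4, 0, 0x1FF80000, 0x08006800)
    sections = [
        (HEADER_SIZE, 0x1FF80000, len(arm11), 2, arm11),
        (HEADER_SIZE + len(arm11), 0x08006800, len(arm9), 2, arm9),
    ]
    for i, (off, load, size, method, data) in enumerate(sections):
        base = SECTION_HDR_OFFSET + i * SECTION_HDR_SIZE
        struct.pack_into("<IIII", hdr, base, off, load, size, method)
        hdr[base + 0x10:base + 0x30] = hashlib.sha256(data).digest()
    return bytes(hdr) + arm11 + arm9


def patch_byte(image: bytes, offset: int, value: int) -> bytes:
    """Overwrite one byte of the image, leaving the header untouched."""
    buf = bytearray(image)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    firm = build_sample_firm()
    h = parse_firm(firm)
    print(f"Entrypoint ARM9: 0x{h.entrypoint_arm9:08X}")
    print(f"Entrypoint ARM11: 0x{h.entrypoint_arm11:08X}")
    print("section hashes:", verify_sections(firm, h))
    # Change one byte of the ARM9 payload: the digest in the (signed) header no
    # longer matches, which is why a decrypted image cannot simply be edited.
    tampered = patch_byte(firm, HEADER_SIZE + 256, 0x00)
    print("after patch:", verify_sections(tampered, parse_firm(tampered)))
```

Recomputing the hashes is the part of the check anyone can do; rewriting the digest in the header to match a patched section would then break the RSA signature over those 0x100 bytes, and without the private key there is no way to produce a new one. On a real dump the same parser applies once the image is decrypted, with the offsets and sizes taken from the header rather than constructed as they are here.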

Snailface (My frothing demand for 3ds homebrew is increasing, Member, joined Sep 20, 2010)
Couldn't the firmware encryption/decryption be used to create custom firmware like the DS had with FlashMe?

How would you plan on installing this CFW with no way of installing any firmware,
and no 3DS-mode exploit to load a file as such either?

This allows us to see how it functions and if there are any loopholes,
hence why ARM9 needs a beating to check for possibilities.
Nothing else.
What excites me is the possibility of an emulator. We have to be close to that breakthrough being feasible, right?

Pong, you are this thread's official tech guru. You must have an answer! :P

Cyan (GBATemp's lurking knight, Former Staff, joined Oct 27, 2002)
So forgive me if this is a stupid question, but does this have any bearing on being able to decrypt the 3DS ROMs? Not to play them, but to inspect the file structure as, if I'm correct in my reading of this thread, you now could with the decrypted firmware?
I'm also curious about it.

I think the firmware was dumped encrypted as a .bin file, then decrypted with ctrtool using the keys found in it by analyzing the RAM. (Stop me if I'm wrong.)

To decrypt a cartridge's content, I guess it would need either:
- Reading its content directly on the console (RAM reading). But it would require a full read; there's no way we can command the console to read the game data like a dump tool does. We see only the files while they are accessed during play.

- Decrypting the dumped ROMs. The key should be in the firmware (not in the ROM itself, that would be too easy to hack).
If it's in the firmware, there's a good chance they can be decrypted now that the firmware content can be checked.



The more feasible hack with only the common key (decryption) is emulation, as said in the previous post.
But it still requires a lot of analysis to see how the ARM9 and ARM11, and the hardware, are working.

3DSGuy (No longer in scene, Member, joined May 22, 2012)
So forgive me if this is a stupid question, but does this have any bearing on being able to decrypt the 3DS ROMs? Not to play them, but to inspect the file structure as, if I'm correct in my reading of this thread, you now could with the decrypted firmware?
I'm also curious about it.

I think the firmware was dumped encrypted as a .bin file, then decrypted with ctrtool using the keys found in it by analyzing the RAM. (Stop me if I'm wrong.)

To decrypt a cartridge's content, I guess it would need either:
- Reading its content directly on the console (RAM reading). But it would require a full read; there's no way we can command the console to read the game data like a dump tool does. We see only the files while they are accessed during play.

- Decrypting the dumped ROMs. The key should be in the firmware (not in the ROM itself, that would be too easy to hack).
If it's in the firmware, there's a good chance they can be decrypted now that the firmware content can be checked.



The more feasible hack with only the common key (decryption) is emulation, as said in the previous post.
But it still requires a lot of analysis to see how the ARM9 and ARM11, and the hardware, are working.
No, I don't think it would work like that. We need more information to clarify, to be sure. There are system titles which are exclusively titled firmware titles. Or Neimod could be referring to the contents of the NAND as the 'firmware'. It's all a bit vague at the moment for me. But I doubt that the NCCH encryption/decryption keys will be in those decrypted dumps. Also, ctrtool can only decrypt the contents of NCCH (CXI/CFA) files and the contents of CIA files. Currently it can only read and check the RSA signature of firmware dumps.

But IMO, judging from the quoted IRC text, he's just decrypted the 'firmware' titles.