Hacking: Post your ideas regarding how to hack the 3DS, here

Rydian

Resident Furvert™
Member
Joined
Feb 4, 2010
Messages
27,880
Trophies
0
Age
36
Location
Cave Entrance, Watching Cyan Write Letters
Website
rydian.net
XP
9,111
Country
United States
Hi, I haven't really read through this thread, but I was wondering. Since the Nintendo eShop downloads demos and games onto the SD card, why can't we just take one of those downloaded demos and repackage a ROM into it? Or patch a ROM so that the eShop thinks it was downloaded from the eShop?
If you modify a program/game, the signatures will become invalid and the 3DS won't run it.
 

Syphurith

Beginner
Member
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
If you modify a program/game, the signatures will become invalid and the 3DS won't run it.
Morning Rydian. That must be boring, to explain to them why, again and again. Would you stick a FAQ then?
Also, please check my latest post above.. That guy shows that the private key may just be 16 bytes long and it may be bombed.
Now I'm wondering about how to fetch some Appdata.bin to try decryption then..
Eh.. Will we open another thread when this goes to 100 pages?
Wow, it's a pity that CDNScan seems useless to get those apps for dev units. Just got 401.
When a file doesn't exist on CDN it returns 401.. So we can not guess if it existed.
 

Rydian
Morning Rydian. That must be boring, to explain to them why, again and again. Would you stick a FAQ then?
Also, please check my latest post above.. That guy shows that the private key may just be 16 bytes long and it may be bombed.
Now I'm wondering about how to fetch some Appdata.bin to try decryption then..
Eh.. Will we open another thread when this goes to 100 pages?
Wow, it's a pity that CDNScan seems useless to get those apps for dev units. Just got 401.
When a file doesn't exist on CDN it returns 401.. So we can not guess if it existed.
Eh, this will do until any major progress is made. This thread was made to hold all the suggestions by people that don't know what's going on but will post anyways.
 

Syphurith
As we know there are two keys for RSA: one private key to identify the sender, one public key to decrypt.
Then, would that be possible >>
I get a usable private key for encryption. Then I check my backups and decrypt it with my console public key.
I got unsigned content, then I encrypt it with the private key. The resulting file can run, for it is signed.
Or will there be any other methods we need to inject into this story?
I think a 16-byte-long (128-bit) key is possible to be bombed if we know more about the encryption procedure.

If that is really 128 bits we can make a simple webpage with a REST JavaScript client and let all the users help the distributed key bombing. Also it helps when we get lots of signatures.
 

PsyBlade

Snake Charmer
Member
Joined
Jul 30, 2009
Messages
2,204
Trophies
0
Location
Sol III
XP
458
Country
Gambia, The
Nobody in their right mind would use a 128-bit RSA key.
Please post the source again, I can't find it.

Btw, IF that were the case then setting up that webpage would take WAY longer than factoring it on my crap phone.
 

Syphurith
Nobody in their right mind would use a 128-bit RSA key.
Please post the source again, I can't find it.
Btw, IF that were the case then setting up that webpage would take WAY longer than factoring it on my crap phone.
Here you go. In this repo [https://github.com/ps3hen/CTR-TOOLS],
head to [CTR-Keys\Decrypted TitleKeys] and look at the file length.
Yes, I'm also wondering why it assumes that is a 128-bit key..
Even using a key of less than 1024 bits is making danger for yourself..
Maybe they just thought that they used RSA and SHA so it would not be very easy to break?
Oh? The owner of that repo uses the same avatar as 3dsguy..
Let me look at the title id.. Well, I'll try to fetch the TMD that matches the id..
Generated: CDNScan sys 0010 00.. I'll add the file when I get it.
I got its TMD. Wondering what this title is.. Please check the TMD.
 


PsyBlade
Don't know about 3DS but on Wii the title key is a 128-bit AES key.
It was used to make the game data unreadable to:
-make hacking more complicated
-stop extraction of assets

Totally different beast compared to RSA.
128-bit AES is still good enough for uncritical things.
It's symmetric, meaning the same key is used for encryption and decryption.
It must be available on the device and thus can be leaked if it's hacked.

This is completely different from the signing stuff.
 

Syphurith
Don't know about 3DS but on Wii the title key is a 128-bit AES key.
It was used to make the game data unreadable to:
-make hacking more complicated
-stop extraction of assets

Totally different beast compared to RSA.
128-bit AES is still good enough for uncritical things.
It's symmetric, meaning the same key is used for encryption and decryption.
It must be available on the device and thus can be leaked if it's hacked.

This is completely different from the signing stuff.
Well, is there any clue to find some short text encrypted by that AES key then?
If it is only 128 bits it will be easier for somebody to bomb >>
Because you can generate the keys and try to check if the key is correct. With such a method it will certainly cost less time than bombing some key longer than 1024 bits. If that is used to sign those packages held on CDN it may help the analysing. Wow, we still have to find that key.. Device.. Orz.
 

PsyBlade
lol, no

assuming the best possible case by grossly overestimating everything

there are some attacks on AES-128 leaving a complexity >2^126 (2^2)
everyone (2^33)
has an 8-core (2^3)
4 GHz PC capable of testing 1 key every cycle (2^32/s)
running continuously

still leaves you with 2^58 s running time
hmm, no earth, probably bad news

let's say everyone does a yearly upgrade to a twice as good PC*
still 34a, well at least the second game will be decoded faster then

*:
Code:
# 2**58 seconds of work, expressed in years (60 s * 60 min * 24 h * 365 d)
n = 2**58/60/60/24/365
# count the yearly doublings needed: year a contributes 2**a "base years" of work
a = 0
while n > 0:
    n -= 2**a
    a += 1
print(a)
 

gokuguy

Well-Known Member
Member
Joined
Dec 5, 2008
Messages
424
Trophies
1
Age
30
XP
1,054
Country
United States
When the bootloader cannot load the firmware from the NAND and gives an error message, does it attempt to process anything afterward? If so, could that be exploited? Heh, I dunno. Just a question.
 

Syphurith
lol, no

assuming the best possible case by grossly overestimating everything

there are some attacks on AES-128 leaving a complexity >2^126 (2^2)
everyone (2^33)
has an 8-core (2^3)
4 GHz PC capable of testing 1 key every cycle (2^32/s)
running continuously

still leaves you with 2^58 s running time
hmm, no earth, probably bad news

let's say everyone does a yearly upgrade to a twice as good PC*
still 34a, well at least the second game will be decoded faster then

*:
Code:
# 2**58 seconds of work, expressed in years (60 s * 60 min * 24 h * 365 d)
n = 2**58/60/60/24/365
# count the yearly doublings needed: year a contributes 2**a "base years" of work
a = 0
while n > 0:
    n -= 2**a
    a += 1
print(a)
Well, I see. I tried to calculate its time, however I don't think such a method helps then, because there are many keys to explode. Well, maybe you can guess what it is of a 16-byte string in CETK; if you'd like to check you can get it here. [>>Skydrive: [CETK]<< 0x01cf + 0x10<<] Or take away the 'tmd' from the tmd link and end that with 'cetk'.
BTW. How many types of keys have been used in the 3DS, and where are they used? Got any idea?
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,175
Country
When the bootloader cannot load the firmware from the NAND and gives an error message, does it attempt to process anything afterward? If so, could that be exploited? Heh, I dunno. Just a question.
I see no reason why it would. It would simply be stupid for Nintendo to have it do anything more, as it is quite clear at that point that the console is not in a usable condition.
 

MegaBassBX

The Noble Sate User
Member
Joined
Nov 7, 2011
Messages
330
Trophies
1
Location
Abu Dhabi
XP
209
Country
Like any hard-to-hack game system it will need a flash to pass thru the AP measures, although I wish that it will be hacked using softmod instead of hardmod.
 

henn64

I don't know what I'm doing with my life.
Member
Joined
Dec 26, 2012
Messages
680
Trophies
0
Age
25
Location
The Great White South
XP
470
Country
Canada
Really doubt this, but what would happen if every member (assuming they are willing) was to run a program to brute force the keys for the 3DS? Would it really take less time?
 

Rydian
Really doubt this, but what would happen if every member (assuming they are willing) was to run a program to brute force the keys for the 3DS? Would it really take less time?
Here's my copy-paste on DSi encryption.

I present to you: "DSi Encryption Put In Perspective", also known as "I Love Crushing People's Dreams".

The DSi uses 128-bit encryption (IIRC).
How do you break it? You find the correct encryption key.

How many encryption keys are there? 2 (binary, a bit) to the 128th power (number of bits), divided by 8 (8 bits in a byte).
That's so many that the calculator that comes with Windows (at least XP) can't even display the number without reverting to scientific notation.

128-bits is...
340,282,366,920,938,463,463,374,607,431,768,211,456 possible values in binary.
However, Since there's 8 bits in a byte, you divide 128 by 8 and get 16. That's 16 bytes, 16 characters.
That's 18,446,744,073,709,552,000 possible values, ranging from 0x0000000000000000 to 0xFFFFFFFFFFFFFFFF. Eighteen quintillion possible keys.
The actual number is a bit less since a key will be a certain number of digits and be designed to not have repeating segments, but this puts it in perspective.

Let's say that you have a computer program which can try 50,000 unique keys a second.
That's 3,000,000 keys a minute.
180,000,000 keys in an hour.
4,320,000,000 keys a day.
1,576,800,000,000 keys in one year.

It would take 11,698,848 years to try all the keys at that speed.

And 3DS encryption is even worse.
 

PsyBlade
It would take 11,698,848 years to try all the keys at that speed.
at that speed, yes
but you have to account for the fact that computing power increases over time

let's assume that a weaker form of Moore's law holds and computing power doubles every two years
that's 5849424 two-year periods,
half that again because you will compute half the possibilities in the last period (geometric progression)
half again to get the half-life (50% chance of being cracked) of the key instead of the maximum (optionally)

then compute log_2 (because of doubling) of that
and you have 21.5 periods (or 20.5 for the half-life)
that means it would take more like 41 years to crack the first game
(but after you reached that point additional keys could be cracked much faster)

note that you can't simply halve that by using two such computers
(because they then have less time to "become better")
you would need to account for that before the log
(meaning that every doubling in number would only subtract one period)

someone needs to double check that but I'm reasonably certain it's ok
 
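As an added worked example (not code from the thread), here is the arithmetic behind the brute-force estimates in the posts above, generalised to any key size, search rate and doubling period; it counts 2**bits candidates for a bits-bit key (a 16-byte key still has 2**128 candidates), reproduces PsyBlade's loop, and shows why extra machines only subtract log2(n) periods under Moore's law. The 365-day year is an assumption.

```python
import math

# Assumed calendar year; PsyBlade's own loop used 356 days, which changes nothing.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(bits: int) -> int:
    """Number of candidate keys for a `bits`-bit key: 2**bits.
    A 16-byte key still has 2**128 candidates; counting bytes does not shrink it."""
    return 1 << bits


def years_constant_rate(bits: int, keys_per_second: float) -> float:
    """Years to exhaust the keyspace at a fixed search rate."""
    return keyspace(bits) / keys_per_second / SECONDS_PER_YEAR


def years_with_doubling(bits: int, keys_per_second: float,
                        doubling_years: float = 2.0,
                        fraction: float = 1.0) -> float:
    """Years to test `fraction` of the keyspace when throughput doubles every
    `doubling_years` (the 'weaker Moore's law').  Over k periods of length T
    starting at rate r the total work is r*T*(2**k - 1), so
    k = log2(work / (r*T) + 1) and the elapsed time is k*T.
    fraction=0.5 gives the 'half-life' (50% chance the key has been found)."""
    work = keyspace(bits) * fraction
    work_in_first_period = keys_per_second * doubling_years * SECONDS_PER_YEAR
    periods = math.log2(work / work_in_first_period + 1)
    return periods * doubling_years


def periods_by_summation(bits: int, keys_per_second: float,
                         doubling_years: float = 1.0) -> int:
    """Same answer as the thread's loop: subtract 2**a base-periods of work per
    period until the remaining work is gone; returns whole periods (a ceiling)."""
    remaining = keyspace(bits) / (keys_per_second * doubling_years * SECONDS_PER_YEAR)
    a = 0
    while remaining > 0:
        remaining -= 2 ** a
        a += 1
    return a


def extra_machines_saving(bits: int, keys_per_second: float, factor: float,
                          doubling_years: float = 2.0) -> float:
    """Years saved by multiplying the search rate by `factor` under doubling:
    about doubling_years * log2(factor), not a division of the total time."""
    return (years_with_doubling(bits, keys_per_second, doubling_years)
            - years_with_doubling(bits, keys_per_second * factor, doubling_years))


if __name__ == "__main__":
    # Rydian's 50,000 keys/s against 2**64 and against the full 2**128 candidates
    print(f"{years_constant_rate(64, 50_000):.3e} years vs "
          f"{years_constant_rate(128, 50_000):.3e} years")
    # PsyBlade's 2**68 keys/s against a 2**126-effort attack on AES-128
    print(f"{years_constant_rate(126, 2**68):.3e} years flat, "
          f"{years_with_doubling(126, 2**68, 1.0):.1f} years with yearly doubling, "
          f"loop says {periods_by_summation(126, 2**68)} years")
```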

Syphurith
WTF is that '3DS Common Key'? Where do you think that may be? It can never be easily changed due to its role in CDN title decryption, and some other things. I hope there is a magic number in runtime RAM or in some other storage on the board, but that may not be, for they can make that key solid in the chip (as a constant or even gates).
If you are interested enough please read some of this story to see if you can catch some inspiration.
You see, we can fetch the cetk (that holds the titlekey, which needs to be decrypted with that 'Common Key'; you can only find 3 cetk files, related to the 3DS/NDS/GBA firmware titles) and the firmwares. So if we get that key from somewhere (from hardware?) (or try to use some special exploits (i.e. one can check the timestamp and cause a timing attack, or as some have shown with other OSes [how can it be/Another/Scanner?/A Collection/AttackDevice])) and decrypt that content (3DS firmware update data) from CDN, we will be able to decode the firmware update and try to find out many exploits. Where there is a bug fix, there may be exploits for those not updated.
Then we check APIs and develop homebrews to reveal more of them. There is even a chance for us to flash some modified firmware directly to the system manually and gain the max power. I know it may encounter some problems with the law, however we do not use any part of its original code. We just take a reverse analysis of that F** firmware that we owned and backed up from our console. Then the era of homebrew will come.
What a good story I've made above. Good imagination.. well. Then how can we find the firmware location and access it? But the differences between firmware of different versions still mean a thing interesting. If you've tested all the ways to attack that RSA and only got failure, that's a pity.
If there has not been any record of finding such a key yet (in all normal storage on board), I must say where it is is clear to us now.
Well, how much possibility do you guys think there will be if someone modified his RAM chips (on board) to export that runtime for him? (If the main chip can not hold all the mem then, well.) Also you can try to find some newer methods by checking its authorized time. I remember the 3DS came out years ago, so the new methods after that may not be able to be fixed. If that is in fact solid I would, lol.
Not interested? Check something about a certificate inside the 3DS below.
Yep. I extracted those certificates (4 valid ones in total) from the SSL to the eShop and got one with the description "CTR Common Prod 1" (that is sent when the 3DS tries to connect to the remote). Would it ever have been related to that 3DS Common Key? I doubt it. (Because no matter how many times I tried to extract and install and compare, they are exactly the same, like something solid. I will try to have another guy test the extraction and compare the certificate with me to check if that is very common. If that is the one we need, will there be a chance of setting up a test server using HTTPS to connect and then attack?) If I misunderstood that name, sorry.
I used to think about how I can make use of it, and now I'll try to identify it first.
Well, if somebody knows where the firmware is (decrypted, I mean installed already) and how to access it (IO, but need to find out which chip holds that first), why don't they try to analyse it?
 

henn64
Here's my copy-paste on DSi encryption.
I present to you: "DSi Encryption Put In Perspective", also known as "I Love Crushing People's Dreams".
Well thanks a lot. :D
And 3DS encryption is even worse.
I'm both glad Nintendo is stepping up their game, and...well, not so glad that they're going total tryhard pro on this. Now, someone make a game with a bunch of security holes NOW (assuming N doesn't proofread the code (OF COURSE they do, genius!)). Then submit it as an indie dev, because it is just THAT easy.
 

Syphurith
I've checked those certs (named 'CTR Common Prod 1', that the 3DS uses to connect to the eShop with SSL) and found no difference between that of my Japanese one and that of my friend's USA one. Can we infer that they have exactly the same private key?
Why is such a certificate so common? Can it be stored with that '3DS Common Key' somewhere in chips on board? Or is its private key even just the '3DS Common Key'.. I highly doubt it, 'cause all those certs are signed by 'Nintendo CA - G3' of 'Nintendo of America Inc' in Washington, USA. (All the same, including the expiry date and serial, lol)
If you think you have a hint of where its private key is, please reply. If that won't help you hacking, please just ignore this.
 
