Hacking Was NAND ever decrypted?

_V1qY

Using hardware modifications, you can dump and put back your NAND however since it is encrypted with a key specific to your 3DS unit, you cannot use the NAND of someone else from a lower firmware.

When Gateway exploit is used, the settings app changes the text of the firmware to be "GW 4.5" or something. So was Gateway able to decrypt the NAND format and make changes to it (the emuNAND) and encrypt it? Or was this just a temporary change in RAM?
 
Only a change in RAM and not a big one actually, they just replaced the 4 characters ("Ver.") with "GW3D".
But we should be able to get the keys to decrypt the NAND with that RAM dumper app that was released around Christmas afaik.
 
Only a change in RAM and not a big one actually, they just replaced the 4 characters ("Ver.") with "GW3D".
But we should be able to get the keys to decrypt the NAND with that RAM dumper app that was released around Christmas afaik.
What makes you so sure? If encryption and decryption mechanisms are isolated, like it was the case with the Wii, you won't be able to do jack before you're able to have a look at the activity in that particular, isolated sector.

Of course that being said, I have no idea how it's done on the 3DS - it remains to be seen. So far, smealum's done some progress with decrypting system titles - maybe he'll have a look at NAND once he's done playing with those.

EDIT: Scratch that, neimod did it, apparently.

http://gbatemp.net/threads/3ds-firmware-has-been-decrypted.332624/
 
If he'd just release it, we could get a dump of our current firmware, use a tool to get its key, then encrypt someone else's firmware with our key, and we would have a hardware downgrade.
 
It won't work like this, the key to decrypt anything is probably in an encrypted executable/bootrom/die somewhere.
Only unsigned code will most likely give you the slightest chance to get it. (I don't know about kernel and userland separation on the 3DS, but I'm pretty sure it's there)
 
The key cannot be extracted via software. Also, AES can't be broken, even if you know the entire plaintext.
 
The eMMC (why does everyone call it a NAND? Well, I guess it does use one anyway) is encrypted using a per-3DS key set by the bootrom to an AES hardware keyslot, these keyslots are write only and cannot be read.

Therefore the only way to decrypt the content of an eMMC chip is to use the AES hardware engine of the 3DS it came from. The whole process is rather slow and can only be done if you are running your own ARM9 code on the device (aka kernel mode).

Also, just to be sure we are on the same page here, you obviously can't write back the decrypted content to the eMMC pages, it needs to be encrypted with the right key.

You get the idea.
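The key-handling argument in the post above (per-console key loaded by the bootrom into a write-only keyslot, so a dump only decrypts through the engine of the unit it came from, and anything written back must be re-encrypted the same way) as an added model, not code from the thread or from any 3DS tool. The cipher is an HMAC-SHA256 counter-mode keystream standing in for the hardware AES, and the keys and image contents are constructed samples; only the key flow is being modelled.

```python
import hmac
import hashlib


class AesEngineModel:
    """Model of a console's crypto engine with write-only keyslots.

    HMAC-SHA256 in counter mode is a stand-in for the real hardware AES;
    the behaviour being modelled is the key handling, not the cipher.
    """

    def __init__(self):
        self._slots = {}  # keyslot index -> key bytes, never handed out

    def set_key(self, slot, key):
        """Bootrom-style write: the key goes in but cannot be read back."""
        self._slots[slot] = bytes(key)

    def get_key(self, slot):
        """Readback is not possible; this mirrors the write-only keyslots."""
        raise PermissionError("keyslots are write-only")

    def _keystream(self, slot, length):
        key = self._slots[slot]
        out, counter = bytearray(), 0
        while len(out) < length:
            out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def crypt(self, slot, data):
        """Encrypt and decrypt are the same XOR with the slot's keystream."""
        ks = self._keystream(slot, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))


def make_console(per_console_key):
    """Bootrom sets the per-console eMMC key into slot 0 before user code runs."""
    engine = AesEngineModel()
    engine.set_key(0, per_console_key)
    return engine


def transplant_demo():
    """Returns (decrypts on origin, decrypts on other unit, round-tripped writeback)."""
    nand_plain = b"CTR-NAND firmware 4.5 (constructed sample image)"
    console_a = make_console(hashlib.sha256(b"unit-A-otp").digest())  # constructed key
    console_b = make_console(hashlib.sha256(b"unit-B-otp").digest())  # constructed key
    emmc_a = console_a.crypt(0, nand_plain)  # what a hardware dump of unit A contains
    on_a = console_a.crypt(0, emmc_a)        # decrypting on the originating unit works
    on_b = console_b.crypt(0, emmc_a)        # the same dump is garbage on another unit
    writeback = console_a.crypt(0, b"older firmware image")  # must be re-encrypted by A
    return on_a == nand_plain, on_b == nand_plain, console_a.crypt(0, writeback)
```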
 
Wasn't this FW decrypting what led to the current state of the scene? IE the hack was sold to the Gateway gangstas resulting in a flash cart.
 
"
  1. Brandon Serpas@BJSerpas 28 Dec
    @smealum Just curious: what is currently keeping us from downgrading our firmwares? I know it's possible, but only with a prior NAND backup.
  2. smea@smealum 28 Dec
    @BJSerpas assuming you had flashing hardware and a way to decrypt/encrypt data for your 3DS, you could probably downgrade your console.
  3. Brandon Serpas@BJSerpas 28 Dec
    @smealum And that's where you come in to decrypt stuff, right? :3
  4. smea@smealum 28 Dec
    @BJSerpas but yeah i actually did decrypt my own nand; cf http://smealum.net/mount.png . unfortunately, there's no solution for the masses.
"
 
How boring, what does he mean "no solution for the masses"? If he means electronic intervention it's not a problem to a lot of people around here...
 
You'd be surprised.

Yeah well I know not everybody has the skills for soldering and unsoldering stuff or even the money to afford the appropriate tools to do so.
But come on, we need electronic intervention on the Xbox 360 to hack it and that's not a problem to anyone who's willing to, as he'll do it by himself or pay a guy to do it...
 
How boring, what does he mean "no solution for the masses"? If he means electronic intervention it's not a problem to a lot of people around here...

Well the main problem is that you'd have to find your console's encryption key, which could be fairly trivial if you've already updated to 6.x or 7.x.
 