Hacking How are 3ds games encrypted/ideas on how to decrypt them?

ILOVEPIE

Well-Known Member
OP
Newcomer
Joined
Jan 30, 2012
Messages
50
Trophies
0
Website
rohan.sdsu.edu
XP
200
Country
United States
I understand that there is an encryption suite protecting 3DS games, but I'm interested in what kind, because certain forms of encryption are only useful so long as both ends remain uncracked. If the encryption on 3DS carts is AES then I see no reason why we cannot extract the common key from the firmware of a 3DS. If everyone focused their efforts on one 3DS we should be able to break its unique encryption keys and extract the common key from a disassembly of the OS. Another option might be to use emunand to do memory scanning for the common key. We can apply methods that have been proven for other heavily encrypted and/or obfuscated systems; it's no different than trying to reverse engineer a heavily obfuscated and encrypted PC program, or am I wrong?
 

Kaphotics

badc0ded
Member
Joined
Sep 10, 2010
Messages
612
Trophies
0
XP
626
Country
United States
The key is set by the bootrom, and is write-only.

The bootrom has not been dumped, so no AES key, which is why the 3DS has to be used to generate xorpads.
 

ILOVEPIE

Well-Known Member
OP
Newcomer
Joined
Jan 30, 2012
Messages
50
Trophies
0
Website
rohan.sdsu.edu
XP
200
Country
United States
Do you mean it's in write-only memory, or do you mean you can only pass the key to the OS, not retrieve it? Because if it's the latter you can memory scan for it; if it's the former, then how does it fetch the key in order to decrypt the ROMs when it runs them?
 

ILOVEPIE

Well-Known Member
OP
Newcomer
Joined
Jan 30, 2012
Messages
50
Trophies
0
Website
rohan.sdsu.edu
XP
200
Country
United States
Relys, I understand what he said; I'm trying to clarify what he meant. If we have kernel-mode access (which I believe the current exploit gives us) we can memory scan the whole system for the key, assuming that it's not in hardware WOM. If the key is in software-based Write Only Memory (i.e. like the flags Windows uses on sections of memory in programs to make them readable, writable, and/or executable) it can be bypassed. If it's hardware-based WOM then we need to figure out how the OS accesses it to decrypt the games (we could potentially get the key by piggybacking on the game decryption), unless it's done using a hardware decryption chip, in which case we'd need someone to dissect that hardware.
 

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
Imagine it's like a magic box: you put something in one side and it comes out the other side decrypted. The OS never does the decryption; it just passes it through the AES chip, which spits out the decrypted version... so the system never has access to the "key" itself.

Well, that's how I would explain it anyway, with my limited knowledge from just reading up on 3ds brew and what devs have said about how it works.
 
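The "magic box" above, and Kaphotics' point that the key is write-only and the console has to be used to generate xorpads, can be modelled in a few lines. The model below is an added illustration written for this thread, not 3DS code or anything from 3dbrew: the engine, the slot number, the key, the counter and the "cartridge" bytes are all constructed, and the block function is an HMAC-SHA256 stand-in rather than real AES so it runs on the standard library alone. It shows the two halves of the argument: a kernel-mode scan of the RAM image never finds the key, because the bootrom wrote it only into the engine's registers, yet the engine still decrypts anything it is asked to process, which is exactly why encrypting zeros yields a usable xorpad. The design lesson for anyone building on a hardware key engine is that write-only keyslots protect the key, not the data; the engine is a decryption oracle for whoever can drive it, so access to it has to be gated just as carefully.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

# Constructed sample values for the model (not real 3DS keys, slots or data).
BOOTROM_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KEYSLOT = 0x2C  # hypothetical slot number
CART_CTR = bytes.fromhex("0123456789abcdef0123456789abcdef")
PLAINTEXT = b"game code: hello 3DS world, this is a toy cartridge image!!"


class AesEngineModel:
    """Model of a hardware AES engine whose keyslots are write-only.

    Software can write a key into a slot and ask the engine to process data
    with that slot, but there is no read path for the key.  The block
    function is a stand-in (HMAC-SHA256 truncated to one block), not AES.
    """

    def __init__(self, slots=64):
        self._keys = [None] * slots  # engine-internal registers, not system RAM

    def write_key(self, slot, key):
        if len(key) != BLOCK:
            raise ValueError("key must be one block long")
        self._keys[slot] = bytes(key)

    def _block(self, slot, counter_block):
        key = self._keys[slot]
        if key is None:
            raise RuntimeError("keyslot is empty")
        return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]

    def ctr_crypt(self, slot, ctr, data):
        """CTR mode: XOR data with E_K(ctr + i); encrypt and decrypt are the same op."""
        start = int.from_bytes(ctr, "big")
        out = bytearray()
        for i, off in enumerate(range(0, len(data), BLOCK)):
            counter_block = ((start + i) % (1 << 128)).to_bytes(BLOCK, "big")
            keystream = self._block(slot, counter_block)
            out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], keystream))
        return bytes(out)


def build_system_ram(engine):
    """Constructed RAM image as kernel-mode code would see it: filler, stand-in
    firmware bytes and the encrypted cartridge image.  The bootrom path loads
    the key straight into the engine and leaves no copy in RAM."""
    engine.write_key(KEYSLOT, BOOTROM_KEY)  # key goes only to the engine registers
    ciphertext = engine.ctr_crypt(KEYSLOT, CART_CTR, PLAINTEXT)
    ram = bytearray(b"\x00" * 64)
    ram += b"FIRM\x00\x01" * 8  # stand-in firmware bytes
    ram += ciphertext
    ram += b"\xff" * 64
    return ram, ciphertext


def scan_ram_for_key(ram, key):
    """Kernel-mode memory scan: offset of the key in RAM, or -1 if it is absent."""
    return bytes(ram).find(key)


def make_xorpad(engine, slot, ctr, length):
    """Running all-zero data through the engine returns the raw keystream (xorpad)."""
    return engine.ctr_crypt(slot, ctr, b"\x00" * length)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def demo():
    engine = AesEngineModel()
    ram, ciphertext = build_system_ram(engine)
    key_offset = scan_ram_for_key(ram, BOOTROM_KEY)  # -1: the key never touches RAM
    xorpad = make_xorpad(engine, KEYSLOT, CART_CTR, len(ciphertext))
    recovered = xor_bytes(ciphertext, xorpad)  # plaintext back, key still unknown
    return {"key_offset": key_offset, "recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print("key offset in RAM:", result["key_offset"])
    print("recovered matches plaintext:", result["recovered"] == PLAINTEXT)
```

`demo()` reports the key offset as -1 while still returning the original plaintext, which is the whole of the thread's point in one run: scanning memory is the wrong tool against a write-only keyslot, and the engine's willingness to process arbitrary input is the property a defender has to constrain.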

ILOVEPIE

Well-Known Member
OP
Newcomer
Joined
Jan 30, 2012
Messages
50
Trophies
0
Website
rohan.sdsu.edu
XP
200
Country
United States
Oh... ok, that makes more sense... they're using a hardware chip to do decryption... anyone with a broken DS and a scanning/tunneling electron microscope willing to reverse engineer the chip for us? (I'm assuming here the AES key is built into the chip; if it's not, then reverse engineering the chip is pointless.)
 

Abcdfv

What comes around goes around.
Member
Joined
Dec 24, 2013
Messages
1,455
Trophies
0
XP
827
Country
United States
Oh... ok, that makes more sense... they're using a hardware chip to do decryption... anyone with a broken DS and a scanning/tunneling electron microscope willing to reverse engineer the chip for us? (I'm assuming here the AES key is built into the chip)
There are a couple people wanting to, one went as far as depackaging the chip, but no one has decapped it fully yet.
 

Kakkoii

Old fart
Member
Joined
Sep 14, 2007
Messages
631
Trophies
0
XP
586
Country
Canada
Oh... ok, that makes more sense... they're using a hardware chip to do decryption... anyone with a broken DS and a scanning/tunneling electron microscope willing to reverse engineer the chip for us? (I'm assuming here the AES key is built into the chip; if it's not, then reverse engineering the chip is pointless.)

There was a person willing to put up the money to decap it, but people on this forum told him it would be a waste of time -_-
 
