Hacking Decrypt and Re-Encrypt NAND?

drfsupercenter (OP)

So...

With VoID's multi decryption tools, I noticed there is a function to decrypt your NAND. By itself that's probably not very useful, BUT

Could we potentially overcome the whole "you can only restore NAND backups from *your own system*" hurdle? Think about it.

Say you have one 3DS with the 4.x firmware on it. You have another one that's newer (maybe even a 2DS, who knows) and want to put DevMenu on there so you can install all the .cia files you want and be able to go online and everything too without needing a Gateway.

If you get a NAND flash port installed, and dump your NAND, couldn't you use VoID's tools to decrypt *that* NAND dump?

I'm not so sure how exactly the NAND is encrypted, but given that we can get xorpads now and decrypt the contents, couldn't we re-encrypt it using a different system's xorpads? In theory we could share a NAND image with friends and everybody just re-encrypt it with their own xorpads?

(I'm also thinking, couldn't you essentially change your system's region with this too? take a US and EUR system, dump both, encrypt one to the other, etc)
 

Ryanrocks462

It wouldn't work, since each console has its own unique key and no one seems to know how to decrypt your console's key. Once we are able to modify the console key, of course, re-encrypting would be no problem.
 

sgtkwol

To confirm, xorpads are generated using the "everybody's 3DS" keys. Any way to write a similar program that will use a 4.x 3DS to sign with the "your 3DS" key?
 

drfsupercenter (OP)

sgtkwol said:
To confirm, xorpads are generated using the "everybody's 3DS" keys. Any way to write a similar program that will use a 4.x 3DS to sign with the "your 3DS" key?

Yeah, this is what I was getting at.

I'm no programmer and have no idea how you would do this, but I'm sure it's possible. Thanks for explaining why it won't work at the moment though. Someone get on this! :P
 

Jayro

Seems like there would be some way to JTAG and/or debug the memory in real time, or save a memory dump while a NAND encryption is taking place.
 

sgtkwol

Please don't quote me as correct, unless someone more knowledgeable can confirm. I'm only stating what I think is correct based on what I've read/used.
 

misterb98

Got it working! You apparently only need the larger file.

Code:
 make_cia -o patch.cia --major=5 --minor=7 --micro=0 --content0=00000006.app.out --id_0 00000006

It installed fine. For whatever reason, I now need to accept the online agreement, but whenever I hit accept (all in Japanese, :P) it says Accepted, but then goes to a screen in smash saying I need to accept the agreement. This is probably an issue people have worked around, any tips?
 

einstein95

No, NAND xorpads are generated from the per-console key; and no, you can't simply xor NAND A with xorpad A to get the plain data then xor with xorpad B to run it on the console unless you copy certain files from console B (apparently).
 
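The XOR algebra einstein95 is describing, as an added illustration that is not code from this thread, from VoID's tools, or from the console: the model below treats the NAND cipher as a stream cipher whose xorpad depends on a console-unique key and on the byte offset (the way a counter-mode keystream does), with HMAC-SHA256 in counter mode standing in for the real keystream so the file runs with the Python standard library only. The two console keys are constructed sample values; on real hardware the pad is only obtainable by running code on that console, which is exactly the obstacle the thread keeps running into.

```python
"""Model of the decrypt-with-pad-A / re-encrypt-with-pad-B idea from the thread.

Added illustration; not code from the thread, from VoID's tools, or from the
3DS itself. Assumptions, stated as such:
  * The NAND cipher is modelled as a stream cipher whose keystream (the
    "xorpad") depends on a console-unique key AND on the byte offset, like a
    counter-mode keystream. HMAC-SHA256 in counter mode is a stand-in so the
    file has no third-party dependency; the XOR algebra is the same for any
    stream cipher.
  * The per-console keys below are constructed sample values.
"""
import hashlib
import hmac

BLOCK = 16  # keystream is produced in 16-byte blocks, like AES-CTR


def xorpad(console_key: bytes, offset: int, length: int) -> bytes:
    """Keystream covering NAND bytes [offset, offset + length)."""
    first = offset // BLOCK
    last = (offset + length - 1) // BLOCK
    stream = bytearray()
    for counter in range(first, last + 1):
        block = hmac.new(console_key, counter.to_bytes(16, "big"),
                         hashlib.sha256).digest()[:BLOCK]
        stream += block
    start = offset - first * BLOCK
    return bytes(stream[start:start + length])


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and data must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def nand_encrypt(console_key: bytes, plain: bytes, offset: int = 0) -> bytes:
    """What the console does when it writes NAND (decrypting is the same op)."""
    return xor(plain, xorpad(console_key, offset, len(plain)))


nand_decrypt = nand_encrypt


def reencrypt(dump_a: bytes, pad_a: bytes, pad_b: bytes) -> bytes:
    """The OP's proposal: strip console A's pad, apply console B's pad.

    This only works if pad_b really is console B's pad for the same offsets,
    and nothing about console A lets you compute it.
    """
    plain = xor(dump_a, pad_a)
    return xor(plain, pad_b)


def demo() -> dict:
    key_a = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    key_b = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    plain = b"CTRNAND sample contents (constructed, not a real partition image)"

    dump_a = nand_encrypt(key_a, plain)       # console A's raw NAND dump
    pad_a = xorpad(key_a, 0, len(plain))      # needs code running on A
    pad_b = xorpad(key_b, 0, len(plain))      # needs code running on B

    image_for_b = reencrypt(dump_a, pad_a, pad_b)
    return {
        # the re-encrypted image decrypts correctly on console B
        "b_reads_reencrypted_image": nand_decrypt(key_b, image_for_b) == plain,
        # flashing A's dump onto B as-is yields garbage
        "b_reads_raw_dump_a": nand_decrypt(key_b, dump_a) == plain,
        # a pad taken for one offset does not decrypt data at another offset
        "pad_a_shifted_works":
            xor(dump_a, xorpad(key_a, BLOCK, len(plain))) == plain,
        # pads slice consistently: bytes 8..24 of the pad for 0..32 equal the
        # pad requested directly for 8..24
        "pad_slices_consistently":
            xorpad(key_a, 8, 16) == xorpad(key_a, 0, 32)[8:24],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the checks make: the re-encryption step itself is trivial XOR, so the whole difficulty is obtaining `pad_b`, and a pad from the wrong console or the wrong offset is useless.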

drfsupercenter

Flash Cart Aficionado
OP
Member
Joined
Mar 26, 2008
Messages
1,909
Trophies
1
XP
1,163
Country
United States
einstein95 said:
No, NAND xorpads are generated from the per-console key; and no, you can't simply xor NAND A with xorpad A to get the plain data then xor with xorpad B to run it on the console unless you copy certain files from console B (apparently).

Yeah, I was saying *if* you have a NAND dump of both systems.

You can install a NAND flasher to any system, even if it's >4.5
And then you could take that image and decrypt it using a 4.5 system, no?

For the sake of testing, I now have multiple region 3DSes running 4.x firmware. So I can decrypt each system's NAND *on that system*

If anyone wants to give me some ideas to try, I can always see if I can flash it back to the other. Actually about to send the two systems out today to get NAND flashers installed so I don't have to worry about any permanent damage :P
 

shinyquagsire23

drfsupercenter said:
Yeah, I was saying *if* you have a NAND dump of both systems.

You can install a NAND flasher to any system, even if it's >4.5
And then you could take that image and decrypt it using a 4.5 system, no?

For the sake of testing, I now have multiple region 3DSes running 4.x firmware. So I can decrypt each system's NAND *on that system*

If anyone wants to give me some ideas to try, I can always see if I can flash it back to the other. Actually about to send the two systems out today to get NAND flashers installed so I don't have to worry about any permanent damage :P

I'm actually curious about what's different between the two NANDs in terms of region. I believe smea once posted a pic where he was exploring the NAND filesystem a bit, although I'm not sure what filesystem it even has.
 

justinkb

Correctly implemented AES with console-unique (so they can't be "leaked") keys (of sufficient length) is unbreakable. Forget it.
 

shinyquagsire23

justinkb said:
Correctly implemented AES with console-unique (so they can't be "leaked") keys (of sufficient length) is unbreakable. Forget it.

We can already decrypt and (I believe) re-encrypt NAND partitions. The main issue is that there are some other console-specific bits in the firmware. Nintendo's System Transfer app itself literally copies stuff off the NAND to the other person's 3DS and then re-encrypts it under the new console's keys.
 

gamesquest1

shinyquagsire23 said:
We can already decrypt and (I believe) re-encrypt NAND partitions. The main issue is that there are some other console-specific bits in the firmware. Nintendo's System Transfer app itself literally copies stuff off the NAND to the other person's 3DS and then re-encrypts it under the new console's keys.
The actual main issue is that the main use of this would be to downgrade. But unless you can re-encrypt to the updated console, you would need the xorpad for that specific console, which you can't get unless you're on 4.x. That pretty much leaves the only use for this as something like trying to make a US 3DS into a EU 3DS, etc. Both systems would still need to be on 4.x, but I suppose *theoretically* you could make yourself a different-region emuNAND, which may be handy for, say, people importing a Japanese N3DS but being able to boot into the EU firmware or something. But again, I have no idea if it's possible, but it sounds theoretically possible (more so than trying to modify the sysNAND, as at least if anything goes wrong with your emuNAND you can just wipe it without having to have a hardware mod).
 

drfsupercenter (OP)

gamesquest1 said:
The actual main issue is that the main use of this would be to downgrade. But unless you can re-encrypt to the updated console, you would need the xorpad for that specific console, which you can't get unless you're on 4.x. That pretty much leaves the only use for this as something like trying to make a US 3DS into a EU 3DS, etc. Both systems would still need to be on 4.x, but I suppose *theoretically* you could make yourself a different-region emuNAND, which may be handy for, say, people importing a Japanese N3DS but being able to boot into the EU firmware or something. But again, I have no idea if it's possible, but it sounds theoretically possible (more so than trying to modify the sysNAND, as at least if anything goes wrong with your emuNAND you can just wipe it without having to have a hardware mod).

Yeah, you could downgrade [allthethings.png]

Think about how many people have a 3DS that is newer than 4.5, you could basically get one "donor" NAND from someone here and just re-encrypt it to their specific console, profit! They'd just have to solder a flash port in, which is certainly cheaper than trying to track down a 4.x 3DS.
 

gamesquest1

drfsupercenter said:
Yeah, you could downgrade [allthethings.png]

Think about how many people have a 3DS that is newer than 4.5, you could basically get one "donor" NAND from someone here and just re-encrypt it to their specific console, profit! They'd just have to solder a flash port in, which is certainly cheaper than trying to track down a 4.x 3DS.
I guess you're missing the point. To get the unique per-device encryption, the device would need to be hacked, and if it's hacked, what's the point?
You can't just make a NAND from one console work on an updated console without having the target console hacked too, so you can re-encrypt the "donor NAND" using that 3DS's unique encryption.
 
