Homebrew Cubic Ninja Blowfish

Vappy

Apparently you can get the processed key from a RAM dump. If someone gives a hash of the key, should be easy enough to find it with that.
 

zoogie

Funny the coincidence of this thread appearing. I think I found it today.

Dump your CN RAM around the time when it's doing QR stuff, go to file offset 0x200000 and copy 0x1048 worth of data to a separate file.
The checksums I have are,
Code:
  File: blowfish_processed.bin
CRC-32: 2bbc1e5c
   MD4: 549c79aa95a83d253ccd11aeb64cbff0
   MD5: 33f38ab6f0821bc64b6f6bf98c1494f0
SHA-1: 5b1c58e93827a1b440fa2d33524affc9822a2688
 

gudenau

> StapleButter says it's 0x1048 bytes, so that narrows it down at least a little. :P

I included that.

> If this could be brute force attempted, it might not be all that terrible to be honest.

That was an idea.

> Indeed. With a fast computer it should be a breeze.

Exactly.

> Funny the coincidence of this thread appearing. I think I found it today.
>
> Dump your CN RAM around the time when it's doing QR stuff, go to file offset 0x200000 and copy 0x1048 worth of data to a separate file.
> The checksums I have are,
> Code:
>   File: blowfish_processed.bin
> CRC-32: 2bbc1e5c
>    MD4: 549c79aa95a83d253ccd11aeb64cbff0
>    MD5: 33f38ab6f0821bc64b6f6bf98c1494f0
> SHA-1: 5b1c58e93827a1b440fa2d33524affc9822a2688

I will check that in a little while.
 

dubbz82

Since I'm apparently a little out of the loop and missing something here, what exactly are you trying to do with the blowfish key, anyways?
 

pseudov

Hey zoogie, which ram dumper are you using? I've used two different ones, and both of them contain just 00's (null) at offset 0x200000 and beyond. I timed my ramdumps while scanning a QR code.
 

zoogie

I'm using kazowar's memdumper (which one are you using?).
I've noticed the zeros problem too with some of my more recent dumps. This dump I used that worked is from a while back. I faintly remember actually activating the dump right before the ninjhax text screen comes up (while "loading" and the -> moving left to right).

The big break in finding the key was noticing the memory location is given away in the ninjhax repo right here:
https://github.com/smealum/ninjhax/...ial_loader/WEST/cn_initial/source/main.c#L243

I suspect though, that it's only there for an instant and my timing was lucky. My key is definitely legit because the QR's generated are valid and they install the payload. Tested with regionfour.
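
An added example, not code from the thread or from ninjhax: a Python check of a RAM dump against the offset, length and checksums zoogie posted, which also flags the all-zero region reported above and includes the hash-based search Vappy suggested. The length 0x1048 is the size of a standard Blowfish key schedule; the function names, the word-aligned scan step and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import zlib

KEY_OFFSET = 0x200000  # file offset given in the thread
KEY_SIZE = 0x1048      # 18 P-array words + 4 S-boxes x 256 words, 4 bytes each
# Checksums posted in the thread for blowfish_processed.bin (MD4 is left out:
# many hashlib builds no longer provide it).
EXPECTED = {
    "crc32": "2bbc1e5c",
    "md5": "33f38ab6f0821bc64b6f6bf98c1494f0",
    "sha1": "5b1c58e93827a1b440fa2d33524affc9822a2688",
}

def digests(blob):
    """Hex digests in the same form as the posted checksum listing."""
    return {
        "crc32": f"{zlib.crc32(blob) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(blob).hexdigest(),
        "sha1": hashlib.sha1(blob).hexdigest(),
    }

def check_dump(dump, expected=EXPECTED, offset=KEY_OFFSET, size=KEY_SIZE):
    """Return (status, blob); status is short, zeroed, mismatch or match."""
    blob = dump[offset:offset + size]
    if len(blob) < size:
        return "short", None    # dump ends before the region is complete
    if not any(blob):
        return "zeroed", None   # the all-00 case: region empty at dump time
    return ("match" if digests(blob) == expected else "mismatch"), blob

def find_by_sha1(dump, sha1_hex, size=KEY_SIZE, step=4):
    """Slide a size-byte window over the dump (word-aligned by assumption)
    and return the first offset whose SHA-1 matches, or None."""
    for off in range(0, len(dump) - size + 1, step):
        if hashlib.sha1(dump[off:off + size]).hexdigest() == sha1_hex:
            return off
    return None

if __name__ == "__main__":
    # Constructed stand-in data, not a real key schedule or RAM dump.
    fake = bytes((i * 7 + 3) % 256 for i in range(KEY_SIZE))
    good = bytes(KEY_OFFSET) + fake + bytes(64)
    print(check_dump(good, digests(fake))[0])             # match
    print(check_dump(bytes(KEY_OFFSET + KEY_SIZE))[0])    # zeroed
    small = bytes(40) + fake + bytes(8)
    print(find_by_sha1(small, digests(fake)["sha1"]))     # 40
```

A "zeroed" result separates a dump taken at the wrong moment from a "mismatch", where data was present at the offset but is not the expected blob.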
 

pseudov

I used kazowar's as well, and the one from projectpokemon. Okay, I'll try a few more dumps at different timings and report back.
 

gudenau

> I'm using kazowar's memdumper (which one are you using?).
> I've noticed the zeros problem too with some of my more recent dumps. This dump I used that worked is from a while back. I faintly remember actually activating the dump right before the ninjhax text screen comes up (while "loading" and the -> moving left to right).
>
> The big break in finding the key was noticing the memory location is given away in the ninjhax repo right here:
> https://github.com/smealum/ninjhax/...ial_loader/WEST/cn_initial/source/main.c#L243
>
> I suspect though, that it's only there for an instant and my timing was lucky. My key is definitely legit because the QR's generated are valid and they install the payload. Tested with regionfour.

I forgot about the browser exploit.

> I used kazowar's as well, and the one from projectpokemon. Okay, I'll try a few more dumps at different timings and report back.

Could I have a link?

Edit:
For now I am brute forcing it, just in case I get lucky.
 

pseudov

I tried around 8 ramdumps as close as possible before the ninjhax screen, but they resulted in all zeroes at 0x200000. Once "Loading ->" comes up, the home button doesn't respond anymore, and ninjhax loads all the way without a chance to dump.

Any luck, gudenaurock?
 

gudenau

Can not check at the moment, I deleted my save so I could start the QR code thing. My camera is busted so I was hoping that would help.
 
