Homebrew AES key scrambler

perkel · Jan 13, 2016

urherenow said:
OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?

here:

[URL='http://gbatemp.net/members/reisyukaku.344848/' said:
Reisyukaku[/URL]]
I dumped OTP registers on N3DS, which gave me access to 0x200 bytes of NAND keys , which let me generate all the keys from 0x15, 0x16 and all keyXs for 0x18, 0x19..0x1F so i can decrypt 9.6+. I honestly dont think nintendo would be able to lock us out again. lol
Took me longer than I expected to get this done because my n3ds was acting weird from downgrade. So SciresM was my beta tester

Syphurith · Jan 13, 2016

urherenow said:
OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?

OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.
However it seems you don't need the whole OTP dumped to get 0x11 keyslot.

perkel said:
here:

That's quite good. Even i don't know about the clues about how that is done. Congrats to him/her.

urherenow · Jan 13, 2016

perkel said:
here:

Just... wow...

Syphurith said:
OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.

Wait. He said he did this with an N3DS. No way he downgraded to 3.0. I guess I should just nod and pretend I understand what just happened

.

Edit: ok... he had someone else help him do it because his N3DS was messing up. My eyes must be crossed.

Xenon Hacks · Jan 13, 2016

Syphurith said:
OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.
However it seems you don't need the whole OTP dumped to get 0x11 keyslot.

That's quite good. Even i don't know about the clues about how that is done. Congrats to him/her.

Glad it was Rei and not Wulf who figured it out.

perkel · Jan 13, 2016

urherenow said:
Just... wow...

Even better is that he plans to release it tomorrow (if he gets time to finish it) which means that from tommorow on 9.6+ emunand on n3ds is possible. RXtools dude/chick also said they plan to release 9.6+ before march.

OctopusRift · Jan 13, 2016

urherenow said:
OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?

Yessiree you can. Read up on it!

urherenow · Jan 13, 2016

Syphurith said:
OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.
However it seems you don't need the whole OTP dumped to get 0x11 keyslot.

That's quite good. Even i don't know about the clues about how that is done. Congrats to him/her.

OctopusRift said:
Yessiree you can. Read up on it!

A little late on that one... :rolleyes:

OctopusRift · Jan 13, 2016

urherenow said:
A little late on that one...

Well. Considering I've been working on dumping N3DS OTP for like 3 months. Nah.

Rosselman · Jan 13, 2016

Xenon Hacks said:
Glad it was Rei and not Wulf who figured it out.

Pretty sure Wulf already figured it out.

Xenon Hacks · Jan 13, 2016

Rosselman said:
Pretty sure Wulf already figured it out.

Dont care what the cuck squad claims to know

Rosselman · Jan 13, 2016

Xenon Hacks said:
Dont care what the cuck squad claims to know

They did have a video.

Xenon Hacks · Jan 13, 2016

Rosselman said:
They did have a video.

could be CVER who knows, dont care.

Rosselman · Jan 13, 2016

Xenon Hacks said:
could be CVER who knows, dont care.

Nope, it was legit, they even tried the official updater and it was up to date. To be fair, SALT contributes a lot to 3dbrew, so I don't have hate for them.

ketal · Jan 13, 2016

If you can find Process9 {1.0} file-writing code, have fun dumping the keys

Shadowtrance · Jan 13, 2016

ketal said:
If you can find Process9 {1.0} file-writing code, have fun dumping the keys

My googlefu is failing me. lol

RednaxelaNnamtra · Jan 13, 2016

Hey, how should I name the 0x11 keys after creating them with my key generator?
I would use something like slot0x11-9.6key.bin and slotx11-9.3key.bin

uyjulian · Jan 13, 2016

Code:

julians-MacBook-Pro:~ julian$ openssl md2 /Users/julian/Documents/key_slot\ part.bin 
MD5(/Users/julian/Documents/key_slot part.bin)= 97eb0410ed2002a49ba221c0915d3f58
julians-MacBook-Pro:~ julian$ openssl md5 /Users/julian/Documents/key_slot\ part.bin 
MD5(/Users/julian/Documents/key_slot part.bin)= 97eb0410ed2002a49ba221c0915d3f58
julians-MacBook-Pro:~ julian$ openssl mdc2 /Users/julian/Documents/key_slot\ part.bin 
MDC2(/Users/julian/Documents/key_slot part.bin)= 1608e7783962dbac2d7a2803abd5bf71
julians-MacBook-Pro:~ julian$ openssl rmd160 /Users/julian/Documents/key_slot\ part.bin 
RIPEMD160(/Users/julian/Documents/key_slot part.bin)= a09afdd153b3f82889bfe613efd529af68e0159d
julians-MacBook-Pro:~ julian$ openssl sha /Users/julian/Documents/key_slot\ part.bin 
SHA(/Users/julian/Documents/key_slot part.bin)= 2ded8f66bfee9b764fec60516d9d26f3fc6f6537
julians-MacBook-Pro:~ julian$ openssl sha1 /Users/julian/Documents/key_slot\ part.bin 
SHA1(/Users/julian/Documents/key_slot part.bin)= b9cfa84916a930d272250130d67ceb822141177d
julians-MacBook-Pro:~ julian$ shasum -a 224 /Users/julian/Documents/key_slot\ part.bin 
b59ffab75b012ac520a1e065fa069668edd8fb493b1bdf893af1f4d7  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 256 /Users/julian/Documents/key_slot\ part.bin 
82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 384 /Users/julian/Documents/key_slot\ part.bin 
28c0d77a51ac757fcfdbdafeb6021bb7c1993cee6c5e69d9cd7f462550aca4c99964836450e7d7121f86f8475be6b0a2  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 512 /Users/julian/Documents/key_slot\ part.bin 
87d0ab58e794b2d89101de40bee944a205cc48badb24c60e121ba9ac61a4eea68bed2bd2720fc74b5763ecc00b81f054892fb65ca19b0be27cbaeda1c442bd94  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$

mathieulh · Jan 13, 2016

Why dump the OTP area when you can use the kernel9 loader hack to dump the content of the SHA_HASH register (which the kernel9 loader does not clear) to attain the same result ?

Dazzozo · Jan 13, 2016

mathieulh said:
Why dump the OTP area when you can use the kernel9 loader hack to dump the content of the SHA_HASH register (which the kernel9 loader does not clear) to attain the same result ?

Because that was literally publicly disclosed minutes ago.

mathieulh · Jan 13, 2016

Dazzozo said:
Because that was literally publicly disclosed minutes ago.

Ok, I didn't know that, this seemed like an obvious thing to do, given that it's cleared by Kernel9, as you run code earlier, you can just read the actual OTP hash used in the decryption of the nand keystore.

Homebrew AES key scrambler

Well-Known Member

Beginner

Well-Known Member

Well-Known Member

Well-Known Member

GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

Well-Known Member

GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

Spooky Skeleton

Well-Known Member

Spooky Skeleton

Well-Known Member

Spooky Skeleton

aiueo

Well-Known Member

Well-Known Member

Homebrewer

Well-Known Member

KRAZOA PALACE

Well-Known Member

Similar threads

Popular threads in this forum