@Shadowtrance, @dark_samus3, @Apache Thunder and everyone else dabbling around in the dark and dangerous art of OTP dumping, I made a little something that may help streamline the OTP dumping process in the future.
I did some basic testing, but without a hardmod and only a N3DS at my disposal I can't test everything of course.
This is what this can / should do:
- Dump the OTP.bin (0x100 or 0x108)
- On-the-fly switching of the CTRNAND crypto slot 0x4 -> 0x5 or slot 0x5 -> 0x4
- Dumping the NCSD NAND header
- Inject the NCSD NAND header
- Includes a basic set of Decrypt9WIP functionality, including...
- ... dumping / injecting the cryptoswitched CTRNAND partition!
The code is rather simple, so I'm pretty sure we won't need a whole lot of testing, but I still need to refine some stuff until this can have a proper release.
This is what needs testing:
- Dumping the NAND header on O3DS (not dangerous!)
- OTP dumping, cryptoswitching, injecting the NAND header
- Dumping / injecting the cryptoswitched CTRNAND partition
If this could help, I guess that the process could be done on Kernel9 like this (remove useless steps for O3DS/2DS):
- Make sure WiFi is enabled
- Dumping NAND (2 files: originalNAND, 2.1NAND)
- Extracting CTRNAND
- Generating 0x4 and 0x5 CTRNAND xorpads and FIRM0+FIRM1 xorpads
- Decrypting CTRNAND with 0x5 xorpad
- Installing CIAs to the CTRNAND, installing the older FIRMs
- Injecting browser configuration and default page into CTRNAND
- Encrypting CTRNAND with 0x4 xorpad into 2.1NAND
- Patching the NCSD header of 2.1NAND
- Reinjecting into 2.1NAND
- Preparing Spider 2.1 payloads on the SD
- Flashing NAND with 2.1NAND
- Rebooting
- User launches Spider 2.1 => Exploiting + RSA_VERIFY => dumping OTP + flashing back originalNAND
- Done
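The "cryptoswitching" step above (decrypt CTRNAND with the 0x5 xorpad, re-encrypt with the 0x4 xorpad, flash, then flash the original NAND back) comes down to one property of CTR-mode crypto: the xorpad depends only on the keyslot and the counter, never on the data, so switching a partition from one slot to the other is a single XOR with the two pads combined, and the result can be checked against the original before anything is written to NAND. The following is an added example, not code from the tool announced in this thread or from Decrypt9WIP. It assumes a stand-in keystream built from SHA-256 (hypothetical; the console uses AES-CTR with per-keyslot keys, which the stdlib cannot reproduce here), and all keys, nonces and the sample "partition" are constructed values. The OTP size check mirrors the 0x100 / 0x108 sizes mentioned in the post.

```python
import hashlib
from itertools import count

# Constructed sample values (not real console keys or data).
KEY_SLOT4 = b"constructed-keyslot-0x4"
KEY_SLOT5 = b"constructed-keyslot-0x5"
NONCE = b"constructed-ctrnand-ctr"
SAMPLE_PARTITION = bytes(range(256)) * 4  # 1 KiB stand-in for a CTRNAND image


def keystream(slot_key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a keyslot's CTR xorpad (hypothetical, stdlib only).

    Block i of the pad is SHA-256(key || nonce || i). The real console pad is
    AES-CTR output, but the property this example relies on is the same:
    the pad is a function of key and counter only, never of the data.
    """
    out = bytearray()
    for i in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(slot_key + nonce + i.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole of CTR encrypt/decrypt)."""
    if len(a) != len(b):
        raise ValueError("xorpad length must match the data length")
    return bytes(x ^ y for x, y in zip(a, b))


def cryptoswitch(ciphertext: bytes, pad_from: bytes, pad_to: bytes) -> bytes:
    """Re-encrypt CTR data from one keyslot's pad to another's in one pass.

    ciphertext = plaintext XOR pad_from, so
    ciphertext XOR pad_from XOR pad_to = plaintext XOR pad_to.
    The plaintext is never materialised; the combined pad does the switch.
    """
    return xor_bytes(ciphertext, xor_bytes(pad_from, pad_to))


def verify_switch(original_ct: bytes, switched_ct: bytes,
                  pad_from: bytes, pad_to: bytes) -> bool:
    """Pre-flash check: the switched image must decrypt under the target pad
    to exactly what the original decrypts to under the source pad."""
    before = hashlib.sha256(xor_bytes(original_ct, pad_from)).digest()
    after = hashlib.sha256(xor_bytes(switched_ct, pad_to)).digest()
    return before == after


def otp_size_ok(otp: bytes) -> bool:
    """A dumped OTP is expected to be 0x100 bytes, or 0x108 with its trailer."""
    return len(otp) in (0x100, 0x108)


def demo() -> dict:
    """Encrypt the sample partition under slot 0x4, switch it to 0x5, check it,
    and switch it back; returns the intermediate results for inspection."""
    n = len(SAMPLE_PARTITION)
    pad4 = keystream(KEY_SLOT4, NONCE, n)
    pad5 = keystream(KEY_SLOT5, NONCE, n)
    ct_slot4 = xor_bytes(SAMPLE_PARTITION, pad4)   # "dumped" CTRNAND, slot 0x4
    ct_slot5 = cryptoswitch(ct_slot4, pad4, pad5)   # same data, slot 0x5
    return {
        "switch_verified": verify_switch(ct_slot4, ct_slot5, pad4, pad5),
        "decrypts_under_0x5": xor_bytes(ct_slot5, pad5) == SAMPLE_PARTITION,
        # switching back must reproduce the original dump byte for byte
        "round_trip_ok": cryptoswitch(ct_slot5, pad5, pad4) == ct_slot4,
        # a wrong target pad must fail the pre-flash check
        "wrong_pad_detected": not verify_switch(ct_slot4, ct_slot5, pad4, pad4),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of `verify_switch` is that it needs only the two xorpads and hashes of the decrypted views, so the same check can be run over a real dump before the "Flashing NAND with 2.1NAND" step; a mismatch there is far cheaper than a brick.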