Hardware CTR nand decrypt of broken old 3DS

Scipiox

Member
OP
Newcomer
Joined
Dec 10, 2014
Messages
10
Trophies
0
Age
42
XP
145
Country
My Old 3DS mainboard was damaged and the system does not boot now. But I did a full backup of the console's NAND via hardmod in the past. As the console had a firmware higher than 10.x and at that time it was not possible to simply unlock it, I have no XORpads or decrypted partition backups, just the NAND backup. I found out the NAND CID of the broken console via Arduino, and I am able to make a fresh NAND backup.
Is there any way to decrypt the CTR partition of the broken console when I have a full NAND backup and the NAND CID? I would like to extract my "profile" files from the NAND of this broken console.
 

Scipiox
There must be some way to decrypt it. The CTRNAND/TWL CTR is generated from the NAND CID (which I know).
What other component (IC) on the console mainboard stores unique data? (I would be able to resolder it onto another, working, mainboard.)
Another theoretical way is to try to bruteforce it. The CTR partition has a known "header". As I know part of the data unencrypted, I could try keys until this part of the data matches...
 

Scipiox
Another thing that I don't understand.
I am trying to debug XORpad generation from Decrypt9WIP. There is a procedure "CryptBuffer" that uses a "CryptBufferInfo" structure as input. I tried to manually set all variables of the structure (including ctr, KeyY + setKeyY = 1 to set it, etc.), but it generates different output on each console.
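Editor's note. The two points raised in the posts above, the NAND counter being derived from the NAND CID and CryptBuffer walking that counter one AES block at a time, as an added example in Python. This is not code from the thread or from Decrypt9; the hashing and the byte shuffle follow what Decrypt9/GodMode9's nand.c does, DEMO_CID is a constructed value, and the 0x0B100000 boundary between the TWL and CTR counter bases is my recollection of GetNandCtr and is marked as an assumption to check against the source you use. Deriving the counter is the easy half: the keyslot's KeyX is console-unique (the boot ROM loads it from OTP), so the same CID plus a manually set KeyY still produces different output on another console, and a 128-bit AES key is not recoverable by a known-plaintext search over candidate keys.

```python
"""Derive the 3DS NAND AES-CTR counters from the NAND CID (added example,
not code from the thread or from Decrypt9).

Only the counter is reproducible from the CID.  The key in keyslot 0x04/0x05
(CTRNAND) or 0x03 (TWL) is built from a console-unique KeyX that the boot ROM
loads from OTP, so setting KeyY alone does not reproduce another console's
stream.
"""
import hashlib

# Constructed 16-byte NAND CID for the demo; a real one is read from the eMMC
# (for example via the Arduino hardmod dump mentioned in the thread).
DEMO_CID = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumption: Decrypt9's GetNandCtr uses the TWL counter base below this NAND
# offset and the CTR base from it upward.  Verify against the nand.c you use.
CTR_REGION_START = 0x0B100000


def ctrnand_ctr(cid: bytes) -> bytes:
    """Base counter for the CTRNAND/FIRM/AGBSAVE regions: SHA-256(CID)[0:16]."""
    if len(cid) != 16:
        raise ValueError("NAND CID must be 16 bytes")
    return hashlib.sha256(cid).digest()[:16]


def _twl_permute(digest: bytes) -> bytes:
    """Byte shuffle Decrypt9 applies to SHA-1(CID): out[i] = h[15 - ((i + 8) & 0xF)].

    Equivalent to: take the first 16 bytes, reverse each 8-byte half, swap the halves.
    """
    return bytes(digest[15 - ((i + 8) & 0xF)] for i in range(16))


def twlnand_ctr(cid: bytes) -> bytes:
    """Base counter for the TWLN/TWLP regions."""
    if len(cid) != 16:
        raise ValueError("NAND CID must be 16 bytes")
    return _twl_permute(hashlib.sha1(cid).digest())


def add_ctr(ctr: bytes, blocks: int) -> bytes:
    """128-bit big-endian add with wrap, like Decrypt9's add_ctr(): advance by `blocks` AES blocks."""
    value = (int.from_bytes(ctr, "big") + blocks) & ((1 << 128) - 1)
    return value.to_bytes(16, "big")


def nand_ctr(cid: bytes, offset: int) -> bytes:
    """Counter for the AES block at absolute NAND byte offset `offset` (16-byte aligned)."""
    if offset % 16:
        raise ValueError("offset must be 16-byte aligned")
    base = ctrnand_ctr(cid) if offset >= CTR_REGION_START else twlnand_ctr(cid)
    return add_ctr(base, offset // 16)


def block_ctrs(cid: bytes, offset: int, size: int) -> list:
    """Per-block counters for a `size`-byte buffer at `offset`, in the order CryptBuffer
    consumes them (it leaves info->ctr advanced by size/16 when it returns)."""
    return [nand_ctr(cid, offset + 16 * i) for i in range((size + 15) // 16)]


if __name__ == "__main__":
    print("CTRNAND base:", ctrnand_ctr(DEMO_CID).hex())
    print("TWLNAND base:", twlnand_ctr(DEMO_CID).hex())
    # 0x0B95CA00 is the Old 3DS CTRNAND partition start.
    print("CTR at 0x0B95CA00:", nand_ctr(DEMO_CID, 0x0B95CA00).hex())
```

Feed the per-block counters into any AES-128-CTR implementation together with the slot's normal key and you get the same keystream CryptBuffer produces; without that console's KeyX the keystream, not the counter, is what you are missing.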
 

GerbilSoft

Well-Known Member
Member
Joined
Mar 8, 2012
Messages
2,395
Trophies
2
Age
34
XP
4,249
Country
United States
The NAND encryption KeyXs are generated using data stored in the OTP ROM. The OTP itself is encrypted using some key in the protected ARM9 BootROM.

Ergo, in order to decrypt the NAND offline, you'd need the console-specific OTP, the keys from BootROM, and some way to generate the console-unique keys from both of those data sources. The last step will probably happen fairly quickly once the BootROM is publicly released.
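Editor's note. How the console-unique keys are generated from those two data sources, as an added example in Python; this is not the thread's or any project's code. The formula and the constant are the 3DS keyscrambler as documented on 3dbrew; they became public after this thread was written, once the boot ROM was dumped. The KeyX and KeyY values in the block are constructed placeholders, not real console keys, and nothing here decrypts the OTP itself.

```python
"""3DS AES keyscrambler (added example; formula and constant as documented on 3dbrew).

A keyslot's normal key is never written directly.  The boot ROM loads a
console-unique KeyX (derived from the decrypted OTP) into the slot, firmware
or a tool later sets a KeyY, and the AES engine combines the two as

    NormalKey = ((rol128(KeyX, 2) ^ KeyY) + C) rol128 87

This is why setting only KeyY (Decrypt9's setKeyY = 1) reproduces nothing
across consoles: KeyX differs per console and is never stored in the NAND.
"""

MASK128 = (1 << 128) - 1
# Generator constant C as published on 3dbrew (AES Registers page).
SCRAMBLER_CONSTANT = 0x1FF9E9AAC5FE0408024591DC5D52768A

# Constructed placeholders: KeyX of two different consoles and one shared KeyY.
DEMO_KEYX_CONSOLE_A = bytes.fromhex("0123456789abcdef0123456789abcdef")
DEMO_KEYX_CONSOLE_B = bytes.fromhex("fedcba9876543210fedcba9876543210")
DEMO_KEYY = bytes.fromhex("00000000000000000000000000000001")


def rol128(x: int, n: int) -> int:
    """Rotate a 128-bit integer left by n bits."""
    n %= 128
    x &= MASK128
    return ((x << n) | (x >> (128 - n))) & MASK128


def scramble(keyx: bytes, keyy: bytes) -> bytes:
    """NormalKey = ((rol(KeyX, 2) ^ KeyY) + C) rol 87, all arithmetic mod 2^128, big-endian bytes."""
    if len(keyx) != 16 or len(keyy) != 16:
        raise ValueError("KeyX and KeyY must be 16 bytes")
    kx = int.from_bytes(keyx, "big")
    ky = int.from_bytes(keyy, "big")
    mixed = rol128(kx, 2) ^ ky
    normal = rol128((mixed + SCRAMBLER_CONSTANT) & MASK128, 87)
    return normal.to_bytes(16, "big")


def keyy_that_cancels(keyx: bytes) -> bytes:
    """The KeyY for which rol(KeyX, 2) ^ KeyY == 0, i.e. rol(KeyX, 2).

    Even with a freely chosen KeyY you need KeyX to steer the normal key.
    """
    return rol128(int.from_bytes(keyx, "big"), 2).to_bytes(16, "big")


def same_keyy_two_consoles(keyy: bytes = DEMO_KEYY):
    """Normal keys two consoles end up with when a tool sets the same KeyY on both."""
    return scramble(DEMO_KEYX_CONSOLE_A, keyy), scramble(DEMO_KEYX_CONSOLE_B, keyy)


if __name__ == "__main__":
    key_a, key_b = same_keyy_two_consoles()
    print("console A normal key:", key_a.hex())
    print("console B normal key:", key_b.hex())
```

Once the OTP-derived KeyX of a given console is known, this function plus the NAND counter derived from that console's CID is everything an offline decryptor needs; the thread's conclusion that the OTP is the missing piece follows directly from the formula.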
 

Scipiox
OK, I understand. So it is actually not possible to get all the needed keys "offline" from the NAND image and NAND CID, therefore it is not possible to decrypt it using another 3DS.

But somewhere on the 3DS mainboard there must be components that store unique data. One of them is the NAND memory chip, but it is probably not the only such component. Does somebody know which hardware components on the 3DS mainboard are unique? If all these components were located, it would theoretically be possible to take them and solder them onto another (working) mainboard to "clone" the console (I know, maybe some ICs will not be simple to resolder, but theoretically...).
 

GerbilSoft
The OTP ROM is stored within the SoC. It's practically impossible to extract it outside of booting to 2.1 and running a dumping tool.
 

Scipiox
The OTP ROM is stored within the SoC. It's practically impossible to extract it outside of booting to 2.1 and running a dumping tool.
Thank you for the answer, I understand.
Do you know where exactly this System-on-Chip (SoC) is located on the Old 3DS mainboard?
 

GerbilSoft
Thank you for the answer, I understand.
Do you know where exactly this System-on-Chip (SoC) is located on the Old 3DS mainboard?
It's CPU-CTR: https://www.3dbrew.org/wiki/Hardware#Images

You're not going to be able to extract the OTP ROM externally. The only way to do it if the system isn't usable is to decap the chip and manually extract the OTP using a microscope, which requires expensive equipment and is very time-consuming. (Incidentally, this method could also be used to extract the BootROM, but that's 32 KB, and I don't think you'd want to read 262,144 bits by hand.)
 

bennyman123abc

Well-Known Member
Member
Joined
Mar 21, 2013
Messages
920
Trophies
1
Age
22
Location
Alton, IL
XP
1,208
Country
United States
It's CPU-CTR: https://www.3dbrew.org/wiki/Hardware#Images

You're not going to be able to extract the OTP ROM externally. The only way to do it if the system isn't usable is to decap the chip and manually extract the OTP using a microscope, which requires expensive equipment and is very time-consuming. (Incidentally, this method could also be used to extract the BootROM, but that's 32 KB, and I don't think you'd want to read 262,144 bits by hand.)
Completely off-topic but, is the bootrom the same on each console or different? If not, then I could dump the bootrom manually and there we go. Every 3DS problem solved :P (Not really but some will be solved :D)
 

GerbilSoft
Completely off-topic but, is the bootrom the same on each console or different? If not, then I could dump the bootrom manually and there we go. Every 3DS problem solved :P (Not really but some will be solved :D)
It's the same for all systems and all models. Good luck trying to dump the ROM using a microscope, though. The DMG (Game Boy) boot ROM, which is 256 bytes (2048 bits), was dumped in 2003 using this method: http://dot-matrix-game.blogspot.se/2014/01/boot-roms.html
 

bennyman123abc
It's the same for all systems and all models. Good luck trying to dump the ROM using a microscope, though. The DMG (Game Boy) boot ROM, which is 256 bytes (2048 bits), was dumped in 2003 using this method: http://dot-matrix-game.blogspot.se/2014/01/boot-roms.html
I just need a broken 3DS with an intact chip that stores the BootROM (I will need to do a bit of research first, of course; I already have a microscope capable of this). Or, reading the article, I could try to overclock the 3DS and do the same thing the person who dumped the GBC BootROM did :P Idk how hard that would be though...
 

Ryccardo

Penguin accelerator
Member
Joined
Feb 13, 2015
Messages
7,689
Trophies
1
Age
28
Location
Imola
XP
6,904
Country
Italy
I could try to overclock the 3DS and do the same thing the person who dumped the GBC BootROM did :P Idk how hard that would be though...

That's basically what hedgeberg is trying and well-known others have done before: disturbing the CPU in just the right way so it skips the 1-2 instructions that lock bootrom until next reset - compared to GBC there's the significant issue of getting the actual dumper to run (since GB/C roms are unencrypted and their "signing" is just a fixed logo and checksum, while on 3DS the most realistic option is preloading the dumper in RAM and hoping to make it jump to that code)
 

bennyman123abc
That's basically what hedgeberg is trying and well-known others have done before: disturbing the CPU in just the right way so it skips the 1-2 instructions that lock bootrom until next reset - compared to GBC there's the significant issue of getting the actual dumper to run (since GB/C roms are unencrypted and their "signing" is just a fixed logo and checksum, while on 3DS the most realistic option is preloading the dumper in RAM and hoping to make it jump to that code)
Has it been done successfully on the 3DS however?
 

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
OK, I understand. So it is actually not possible to get all the needed keys "offline" from the NAND image and NAND CID, therefore it is not possible to decrypt it using another 3DS.

But somewhere on the 3DS mainboard there must be components that store unique data. One of them is the NAND memory chip, but it is probably not the only such component. Does somebody know which hardware components on the 3DS mainboard are unique? If all these components were located, it would theoretically be possible to take them and solder them onto another (working) mainboard to "clone" the console (I know, maybe some ICs will not be simple to resolder, but theoretically...).
You could probably transplant the CPU from one system to another (this has already been done once by someone to make a US small n3DS before the official release), but it's no simple feat and probably well beyond the capabilities of 99.9% of people.

What exactly happened to the system? As in most cases it would probably be easier to fix the console in question.
 

Scipiox

Member
OP
Newcomer
Joined
Dec 10, 2014
Messages
10
Trophies
0
Age
42
XP
145
Country
You could probably transplant the CPU from one system to another (this has already been done once by someone to make a US small n3DS before the official release), but it's no simple feat and probably well beyond the capabilities of 99.9% of people.

What exactly happened to the system? As in most cases it would probably be easier to fix the console in question.

This is the original Old 3DS mainboard (CTR-01) of my friend. I hardmodded it in the past. It was damaged later by somebody else who tried to fix the hardmod by soldering the "clock" wire under the game slot (it was not absolutely needed, because it was possible to simply resolder the wire to the opposite side of the MB; I did that now and the hardmod is still working). The damaged area is near the CPU and I am not able to fix it (so tiny, and probably some connection on the PCB is damaged too).
 

Attachments

  • mb.png (236 KB)
