Hacking 3DS Firmware has been decrypted


The Real Jdbye

Interesting. This is the first actual step towards homebrew, though we're far from being able to run homebrew yet; all the other work that has been done on the 3DS has led to nothing. This has the potential to be a way to discover an exploit allowing us to run homebrew. Though it may lead to nothing, that remains to be seen.
 

Pong20302000

So forgive me if this is a stupid question, but does this have any bearing on being able to decrypt the 3DS roms? Not to play them, but to inspect the file structure as, if I'm correct in my reading of this thread, you now could with the decrypted firmware?
I'm also curious about it.

I think the firmware was dumped encrypted as a .bin file, then decrypted with ctrtool using the keys found in it by analyzing the RAM (stop me if I'm wrong).

To decrypt a cartridge's content, I guess it would need either:
- Read its content directly on the console (RAM reading). But it would require a full read; there's no way we can command the console to read the game data like a dump tool. We see only the files while they are accessed while playing.

- Decrypt the dumped ROMs. The key should be in the firmware (not in the ROM itself, it would be too easy to hack).
If it's in the firmware, there's a good chance they can be decrypted now that they can check the firmware content.



The most likely hack with only the common key (decryption) is emulation, as said in the previous post.
But it still requires a lot of analysis to see how the ARM9 and ARM11, and the hardware, work.
No I don't think it would work like that. We need more information to clarify, to be sure. There are system titles which are exclusively titled firmware titles. Or Neimod could be referring to the contents of the NAND as the 'firmware'. It's all a bit vague at the moment for me. But I doubt that the NCCH encryption/decryption keys will be in those decrypted dumps. Also ctrtool can only decrypt the contents of NCCH (CXI/CFA) files and the contents of CIA files.

But IMO judging from the quoted IRC text, he's just decrypted the 'firmware' titles.

Would be nice to know what versions also.
We have nothing but him saying he's done it LOL.
Could be the old old old files for all we know.
 

Cyan

I thought he dumped and decrypted the full NAND content.
So there's something called "firmware" which is not all the files inside the console?

More like a BIOS? But it might not be one, or else it would be called a BIOS, not firmware.
 

3DSGuy

I thought he dumped and decrypted the full NAND content.
So there's something called "firmware" which is not all the files inside the console?

More like a BIOS? But it might not be one, or else it would be called a BIOS, not firmware.
Look here: http://3dbrew.org/wi...System_Firmware. Having the full decrypted NAND content would, on top of being able to dump a readable version of the NAND, require having the system fixed NCCH key to decrypt the system titles on the NAND.

Deleted member 194275

That's what I got from reading this topic:

Pessimist temper: Neimod got nothing, but at least now hackers have (maybe) a "window" to look at how things work on the 3DS.

Optimistic temper: The path to homebrew is now open.

Stupid temper: I'll play emulators this Sunday on my 3DS.

MarianoReggiardo

Let's look at the bright side.
The 3DS encrypts the savegame and also decrypts the games downloaded from the shop; they come encrypted by Nintendo, and the 3DS decrypts them and encrypts them again to store them on the SD card (that's why we can't share the games by copying the folder).

So that leaves us a small possibility to play any kind of software, stored on the SD card, re-encrypted by the 3DS :). That should go into the amazing hacking theories.

3DSGuy

Let's look at the bright side.
The 3DS encrypts the savegame and also decrypts the games downloaded from the shop; they come encrypted by Nintendo, and the 3DS decrypts them and encrypts them again to store them on the SD card (that's why we can't share the games by copying the folder).

So that leaves us a small possibility to play retail games, stored on the SD card, re-encrypted by the 3DS :). That should go into the amazing hacking theories.
http://3dbrew.org/wiki/SD_Filesystem: there is more to getting games to run off the SD card than per-console keys.
 

chris888222

Wow, why didn't I discover this thread sooner?

But what can a decrypted firmware do? Does it even do any good to the hacking scene?
I just want to get rid of that fking region lock.

LuigiBlood

Wow, why didn't I discover this thread sooner?

But what can a decrypted firmware do? Does it even do any good to the hacking scene?
I just want to get rid of that fking region lock.
The only thing good it does is being able to actually look at it.
After all, before hacking you need to know what you are dealing with; it's like knowing where you are to do your job as a postman ^^'
 

SifJar

What about decrypting ROMs? I admit I'm interested in that.
Assuming the same key is used for firmware and game cards, they should be decryptable by my understanding. However, 3DSWare and other eShop downloads will NOT be decryptable without dumping the ticket from an actual console that has the game installed (the games themselves can be downloaded from Nintendo's servers directly by my understanding, similar to how NUSD works for Wii titles).

If a different key is used for game cards than firmware, the firmware will have to contain the (public) key for the cards so it can decrypt them, and therefore once someone finds that key within the decrypted firmware, ROMs could be decrypted (but not re-encrypted; i.e. to make modifications to ROMs, a method of playing unencrypted games would have to be devised, which may be more difficult than running encrypted ROMs)


Wow, why didn't I discover this thread sooner?

But what can a decrypted firmware do? Does it even do any good to the hacking scene?
I just want to get rid of that fking region lock.
To the end user, it does no good. It's really only useful to people like neimod who know what they're looking at in a decrypted firmware dump. For them, it allows understanding how the firmware works far more, which in turn allows looking for exploits and figuring out the more intricate details of the 3DS's inner workings. Eventually, maybe it'll lead to something. But it may well not lead to anything, ever.
 

Lucifer666

I hope that by inspecting the decrypted firmware, we can perhaps find some exploitable part of the OS, without the need to modify the firmware, seeing as we can't encrypt. (Remember Bannerbomb?)

I'm looking forward to the possibility of homebrew in the (near?) future, but to be honest I don't think it's time for emulators and flashcarts just yet (or if we manage to get HBC, running roms through that). The 3DS is still in one of its early stages and still does not have a decent library of games. I wouldn't want the 3DS game industry to be seriously hurt by this.
 

3DSGuy

What about decrypting ROMs? I admit I'm interested in that.
Assuming the same key is used for firmware and game cards, they should be decryptable by my understanding. However, 3DSWare and other eShop downloads will NOT be decryptable without dumping the ticket from an actual console that has the game installed (the games themselves can be downloaded from Nintendo's servers directly by my understanding, similar to how NUSD works for Wii titles).

If a different key is used for game cards than firmware, the firmware will have to contain the (public) key for the cards so it can decrypt them, and therefore once someone finds that key within the decrypted firmware, ROMs could be decrypted (but not re-encrypted; i.e. to make modifications to ROMs, a method of playing unencrypted games would have to be devised, which may be more difficult than running encrypted ROMs)


Wow, why didn't I discover this thread sooner?

But what can a decrypted firmware do? Does it even do any good to the hacking scene?
I just want to get rid of that fking region lock.
To the end user, it does no good. It's really only useful to people like neimod who know what they're looking at in a decrypted firmware dump. For them, it allows understanding how the firmware works far more, which in turn allows looking for exploits and figuring out the more intricate details of the 3DS's inner workings. Eventually, maybe it'll lead to something. But it may well not lead to anything, ever.
System (NAND) and Application (eShop downloads) titles use different NCCH encryption keys (BTW the key for encryption is the same for decryption). eShop downloads are just Application NCCH files encrypted again. If you got a 3DS's per-console keys, you could dump an eShop game's NCCH files, which the user downloaded, without the need for a ticket (I think). Nintendo's CDN hosts an entirely encrypted form of NCCH files (which is on top of the encryption of the NCCH contents with the Application NCCH key), which requires a ticket for decryption (along with the common key).
 

chrisrlink

Now we're moving in the right direction. I hope to see 3DS flashcarts, or better yet 3DS CFW, in the near future :lol: but if that was Sony, lawyers would be knocking at his door as we speak.
 

BrunoAlvesMontei

I would not get my hopes up; Nintendo can easily fix this through an update.

But anyway, it's great progress. Amazing job!
 

Chaosruler

What? Firmware already decrypted? I wonder what's hidden there... what "locked" functions are you keeping from us, Ninty? Also, does it hint at more details about the 3DS hardware?