Hacking 6.x crypto save files on emunand

lambstone

No. Nyet. 不. Non. Nein.
OP
Banned
Joined
Aug 14, 2011
In recent weeks there have been fantastic developments in the 3DS hacking and modding scene.

However, it seems that emuNAND still uses the 4.x crypto keys for save games in NAND-based titles like Pokémon X/Y. This means that when you create a save file on a 6.x sysNAND and then try to run it on emuNAND, it shows up as incorrect.

I'm almost ready to jump ship and get a 4.5 3DS, but if I have to sacrifice my Pokémon Y game save...

Is there any workaround?
 

hashcheck1

Well-Known Member
Member
Joined
Aug 5, 2013
I don't understand this issue! I have done a manual system transfer (NAND backup and the emuNAND Windows tool) with eShop Zelda & Animal Crossing, and my saves work perfectly. They were created on a legit 7.3 3DS XL.

How come I didn't see this issue? Because eShop games are not physical?
 

Huntereb

Well-Known Member
Member
Joined
Sep 1, 2013
How come I didn't see this issue? Because eShop games are not physical?


Only physical carts do this.

I'm just running a corrupted save on emuNAND now. When it's fixed I'll just use Pokebank to transfer my good Pokémon (if there isn't an issue with my save file, that is). I was in it for the story anyway, and it was a good one.
 

lambstone

No. Nyet. 不. Non. Nein.
OP
Banned
Joined
Aug 14, 2011
Only physical carts do this.

I'm just running a corrupted save on emuNAND now. When it's fixed I'll just

Yeah, I wonder if this issue can ever be fixed. It's really strange, because if emuNAND is still using 4.x crypto for the save file like many have reported, Pokémon X used 6.x crypto. Trying to load the Pokémon save on emuNAND wouldn't work because of the different save-file crypto.

Assuming that this is true, by all accounts a 7.x official system NAND should be using 7.x crypto and should not be able to load Pokémon X save files due to the different crypto.
 

Huntereb

Well-Known Member
Member
Joined
Sep 1, 2013
Yeah, I wonder if this issue can ever be fixed. It's really strange, because if emuNAND is still using 4.x crypto for the save file like many have reported, Pokémon X used 6.x crypto. Trying to load the Pokémon save on emuNAND wouldn't work because of the different save-file crypto.

Assuming that this is true, by all accounts a 7.x official system NAND should be using 7.x crypto and should not be able to load Pokémon X save files due to the different crypto.


Dunno how it works, it just expects something that isn't there. Ask Nintendo, I'm sure they'd be glad to share. :rofl2:
 

profi200

Banned!
Banned
Joined
Sep 3, 2011
How often? It can't be fixed. It's pointless, whatever some ($$$) company promises; this will never be fixed until the bootrom is dumped.
 

nervx

Well-Known Member
Member
Joined
May 29, 2006
Someone should ask the Gateway team about this and whether they'll be able to fix it, then post the response on the forum.
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
In order to generate 6.0.0+ savedata, a KeyY initialized by NATIVE_FIRM version 10833 or newer is used. That key is initialized using an RSA keyslot, itself initialized by the bootrom.
The RSA keyslot is cleared when a CXI is loaded. This means that on a system where an older revision of NATIVE_FIRM was loaded by the bootrom, the KeyY keyslot isn't loaded, and the key required to generate the final KeyY, stored in the RSA keyslot, has been cleared long before your own code is running (therefore, long before 6.0.0+ NATIVE_FIRM is running from emuNAND).

This means the KeyY used by 6.0.0 NATIVE_FIRM on emuNAND to generate the new 6.0.0+ savedata will always be different from the one used by 6.0.0 NATIVE_FIRM run from sysNAND. There is nothing, short of running code on a live 6.0.0 system BEFORE a CXI is loaded (that is, early in the boot process), that can get you the real key.

I am studying some ventures, such as performing a reboot of the ARM9 core while keeping the ARM11 cores running, but I have serious doubts as to whether this would bear any fruit whatsoever.
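To make the boot-order argument in the post above concrete, here is an added toy model in Python (not code from this thread and not real 3DS crypto): a bootrom-filled RSA keyslot, a NATIVE_FIRM that derives KeyY from it only when it is new enough, and a CXI load that clears the slot. The slot contents, the derivation function, the old-firmware version number and the save MAC are all constructed stand-ins.

```python
import hashlib
import hmac

# Constructed model of the key lifecycle described in the post; none of these
# values or functions correspond to real 3DS hardware or key material.
KEYY_FIRM_THRESHOLD = 10833        # NATIVE_FIRM version that starts deriving the new KeyY
OLD_FIRM_VERSION = 1               # placeholder: any value below the threshold (a "4.x" firm)
CLEARED_SLOT = bytes(16)           # what a cleared hardware keyslot reads as in this model


class Console:
    def __init__(self, bootrom_secret: bytes):
        self.rsa_slot = bootrom_secret   # bootrom fills the RSA keyslot at power-on
        self.keyy = None                 # savedata KeyY, not yet derived

    def run_native_firm(self, version: int) -> None:
        """Boot a NATIVE_FIRM: new firms derive KeyY from the slot, then any CXI load clears it."""
        if version >= KEYY_FIRM_THRESHOLD:
            self.keyy = hmac.new(self.rsa_slot, b"savedata-keyY", hashlib.sha256).digest()[:16]
        self.load_cxi()

    def load_cxi(self) -> None:
        self.rsa_slot = CLEARED_SLOT     # the slot is gone before any user code can run


def seal_save(keyy: bytes, data: bytes) -> bytes:
    """Stand-in for savedata protection: data followed by a MAC under KeyY."""
    return data + hmac.new(keyy, data, hashlib.sha256).digest()


def verify_save(keyy: bytes, blob: bytes) -> bool:
    data, mac = blob[:-32], blob[-32:]
    return hmac.compare_digest(mac, hmac.new(keyy, data, hashlib.sha256).digest())


def boot_sysnand_6x(bootrom_secret: bytes) -> bytes:
    """sysNAND path: the 6.x firm is the first thing the bootrom loads, slot still intact."""
    c = Console(bootrom_secret)
    c.run_native_firm(KEYY_FIRM_THRESHOLD)
    return c.keyy


def boot_emunand_6x_via_4x(bootrom_secret: bytes) -> bytes:
    """emuNAND path: an old firm boots first (clearing the slot), then 6.x firm runs from emuNAND."""
    c = Console(bootrom_secret)
    c.run_native_firm(OLD_FIRM_VERSION)
    c.run_native_firm(KEYY_FIRM_THRESHOLD)
    return c.keyy
```

The emuNAND KeyY is derived from the cleared slot, so it no longer depends on the bootrom secret at all, which is why a 6.x save made on sysNAND fails to verify under emuNAND and vice versa.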
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
Do I smell converting broken saves, maybe?

Oh! I don't care so much about the new savedata crypto (although I wouldn't mind dumping the RSA keyslots and any registers I can at boot time).

I am much more interested in dumping the actual bootrom, if that's even possible. It seems very well protected, as it's unmapped and cleared by the time we get to run anything on the system.
 

Huntereb

Well-Known Member
Member
Joined
Sep 1, 2013
Oh! I don't care so much about the new savedata crypto (although I wouldn't mind dumping the RSA keyslots and any registers I can at boot time).

I am much more interested in dumping the actual bootrom, if that's even possible. It seems very well protected, as it's unmapped and cleared by the time we get to run anything on the system.


But maaaaybeeee...?
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
But maaaaybeeee...?

At this point dumping the RSA keyslot and/or generating the proper KeyY for 6.0.0 games seems very far-fetched. I doubt that the Gateway engineers managed to get this key either, or are anywhere close to getting it, so I wouldn't count on it.

In fact, as it stands, Nintendo could use a very similar security scheme to prevent newer ROMs from running, such as encrypting the games' ExeFS with a new key that cannot be dumped through the rsa_verify request vulnerability used by Gateway and that isn't set/initialized by 4.5.0 NATIVE_FIRM.

Possibly the only reason they haven't done that already is because they do not care.
 

Huntereb

Well-Known Member
Member
Joined
Sep 1, 2013
At this point dumping the RSA keyslot and/or generating the proper KeyY for 6.0.0 games seems very far-fetched. I doubt that the Gateway engineers managed to get this key either, or are anywhere close to getting it, so I wouldn't count on it.


Alright then, I guess I'll just use Pokebank to store my Pokémon before my game is useless in the future (if that works, like I've been saying).
 

profi200

Banned!
Banned
Joined
Sep 3, 2011
Like I said, without dumping the bootrom, it is impossible.

@mathieulh:
You can't dump the bootrom. Not even neimod with his RAM dumping setup can. The bootrom is unmapped before you can even do anything, and it cannot be remapped. That is permanently disabled until you power off the system.
 

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Like I said, without dumping the bootrom, it is impossible.

@mathieulh:
You can't dump the bootrom. Not even neimod with his RAM dumping setup can. The bootrom is unmapped before you can even do anything, and it cannot be remapped. That is permanently disabled until you power off the system.

And how many times have we heard "you can't" and "you won't" down the years? Pretty sure we "couldn't" run homebrew on the 3DS... People always forget the "yet". It might seem "impossible", but often the impossible is achieved by trying.
 

profi200

Banned!
Banned
Joined
Sep 3, 2011
This has nothing to do with trying. It's a fact. If the info on how Nintendo does it is ever made publicly available, you will understand why. I won't go into details here. It's 100% not possible without decapping.
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
Like I said, without dumping the bootrom, it is impossible.

@mathieulh:
You can't dump the bootrom. Not even neimod with his RAM dumping setup can. The bootrom is unmapped before you can even do anything, and it cannot be remapped. That is permanently disabled until you power off the system.

I know it's unmapped and long gone before anyone can run code. I even said so in my very posts, so you are repeating what I just wrote. (Did you read my posts?)

As to why a hardware RAM dump setup cannot read this, it's because the bootrom never leaves the (ARM9, presumably) CPU cache.

Why do you think I mentioned resetting the ARM9 core while having a loop running on the ARM11 cores?

I never mentioned a high probability of success in this attempt, did I?

There are also other avenues I'd like to explore. For instance, it's fairly safe to say the bootrom is decrypted through the AES hardware engine; maybe Nintendo weren't smart enough to clear the slots after the bootrom was gone. It's unlikely, but it's worth looking into.
 