Homebrew AES key scrambler

motezazer:
KeyX is set by Arm9Loader and KeyY is set by NATIVE_FIRM, so I guess you are right, since KeyX is probably already cleared by the time arm9loaderhax runs. If we could get the normal key somehow it would be possible, but that's probably not going to happen any time soon.
These keys are generated with Key #2, and you overwrite Key #2 with a garbage key to exploit this. So, while the keys are still set in the keyslots, you can't use them, because they are garbage.
If you use memchunkhax2+ntrcardhax on sysNAND 9.6+, you will be able to use the keys (as they are set in keyslots), but not to know their values. Plus Nintendo will probably change the keys soon.
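As an added illustration of what the post above means by KeyX, KeyY and the "normal key" (this is example code written for this page, not code from any poster, from Arm9Loader or from NATIVE_FIRM): the 3DS CTR keyslot scrambler, which is what turns the KeyX/KeyY halves loaded into a keyslot into the AES key the engine actually uses. The formula and the constant are taken from the public 3dbrew documentation of the AES registers and are assumed correct here; the sample KeyX/KeyY values are constructed and are not real console keys.

```python
# Added example (not from the thread): the 3DS CTR AES keyslot scrambler as
# publicly documented on 3dbrew. It derives the normal key from a KeyX (set by
# Arm9Loader) and a KeyY (set by NATIVE_FIRM), and shows that knowing the
# normal key plus either half is enough to recover the other half.

MASK128 = (1 << 128) - 1
# Scrambler constant from the public documentation (assumed correct here).
C_CTR = 0x1FF9E9AAC5FE0408024591DC5D52768A


def rol128(x: int, n: int) -> int:
    """Rotate a 128-bit integer left by n bits."""
    n %= 128
    return ((x << n) | (x >> (128 - n))) & MASK128


def ror128(x: int, n: int) -> int:
    """Rotate a 128-bit integer right by n bits."""
    return rol128(x, (128 - n) % 128)


def ctr_normal_key(key_x: int, key_y: int) -> int:
    """NormalKey = (((KeyX <<< 2) ^ KeyY) + C) <<< 87, all mod 2^128."""
    return rol128(((rol128(key_x, 2) ^ key_y) + C_CTR) & MASK128, 87)


def recover_key_y(key_x: int, normal_key: int) -> int:
    """Invert the scrambler for KeyY when KeyX and the normal key are known."""
    return ((ror128(normal_key, 87) - C_CTR) & MASK128) ^ rol128(key_x, 2)


def recover_key_x(key_y: int, normal_key: int) -> int:
    """Invert the scrambler for KeyX when KeyY and the normal key are known."""
    t = ((ror128(normal_key, 87) - C_CTR) & MASK128) ^ key_y
    return ror128(t, 2)


# Constructed sample halves for illustration only (not real console keys).
SAMPLE_KEY_X = 0x00112233445566778899AABBCCDDEEFF
SAMPLE_KEY_Y = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0

if __name__ == "__main__":
    nk = ctr_normal_key(SAMPLE_KEY_X, SAMPLE_KEY_Y)
    print(f"NormalKey          = {nk:032X}")
    # Changing even one bit of KeyY yields a different normal key, so a keyslot
    # whose KeyY was replaced cannot decrypt data meant for the original key.
    other = ctr_normal_key(SAMPLE_KEY_X, SAMPLE_KEY_Y ^ 1)
    print(f"With KeyY ^ 1      = {other:032X}")
    # With the normal key and one half in hand, the other half falls out.
    print(f"Recovered KeyY     = {recover_key_y(SAMPLE_KEY_X, nk):032X}")
    print(f"Recovered KeyX     = {recover_key_x(SAMPLE_KEY_Y, nk):032X}")
```

The two inverse functions are the point of the "if we could get the normal key somehow" remark: the scrambler is just a rotate, an XOR, an add and another rotate, so it hides nothing once its output is known. What protects the keys in practice is that the normal key only ever exists inside the AES engine, which is why having a keyslot populated (as with memchunkhax2+ntrcardhax on 9.6+) lets you use a key without learning its value.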
 

cearp (Developer):
> Plus Nintendo will probably change the keys soon.
And when Nintendo changes the keys, will we have to wait and do all of this stuff again? Would it be harder, or just the same amount of work? I mean... if whatever made N3DS emuNAND 9.5+ so difficult, can't they just do that again, but... better/more?

-- Stuff like cryptofix for new N3DS games, will that get worse/more complex?
 
motezazer:
> And when Nintendo changes the keys, will we have to wait and do all of this stuff again? Would it be harder, or just the same amount of work? I mean... if whatever made N3DS emuNAND 9.5+ so difficult, can't they just do that again, but... better/more?
Currently, to use emuNAND 9.6+ you have to have sysNAND 9.6+ and exploit memchunkhax2+ntrcardhax (to USE it).
They fix ntrcardhax and change the keys: you can't have emuNAND 10.4+.
 
DjoeN:
> Currently, to use emuNAND 9.6+ you have to have sysNAND 9.6+ and exploit memchunkhax2+ntrcardhax (to USE it).
> They fix ntrcardhax and change the keys: you can't have emuNAND 10.4+.
But that's for N3DS, since O3DS can use emuNAND 10.3 (atm) on sysNAND 9.2? (Not saying that 10.4 will work on O3DS if they fix ntrcardhax and change the keys; for now, we all know Nintendo, sometimes they think in a very weird way!)
 

Suiginou (OP):
> Currently, to use emuNAND 9.6+ you have to have sysNAND 9.6+ and exploit memchunkhax2+ntrcardhax (to USE it).
> They fix ntrcardhax and change the keys: you can't have emuNAND 10.4+.
Couldn't someone just dump the NAND 0x12c00 sector, firmlaunch into a modified 9.6 NATIVE_FIRM that doesn't do the keyslot cleanup, generate a xorpad from there to decrypt the 0x12c00 sector, and thus be able to decrypt 9.6+ firmwares?

I'm not too hot into N3DS stuff.
 

motezazer:
> But that's for N3DS, since O3DS can use emuNAND 10.3 (atm) on sysNAND 9.2? (Not saying that 10.4 will work on O3DS if they fix ntrcardhax and change the keys (for now, we all know Nintendo))
Of course that's for N3DS; I'm not sure that Nintendo could ever block emuNAND on O3DS.


> Couldn't someone just dump the NAND 0x12c00 sector, firmlaunch into a modified 9.6 NATIVE_FIRM that doesn't do the keyslot cleanup, generate a xorpad from there to decrypt the 0x12c00 sector, and thus be able to decrypt 9.6+ firmwares?
>
> I'm not too hot into N3DS stuff.
No, the OTP is locked. :P
 

froggestspirit:
How come Nintendo only put the extra encryption on N3DS? It's successfully locked us out of 9.6 emuNAND so far, so it'd make sense to do it on O3DS, unless it requires new hardware that is N3DS-exclusive?
 

motezazer:
> How come Nintendo only put the extra encryption on N3DS? It's successfully locked us out of 9.6 emuNAND so far, so it'd make sense to do it on O3DS, unless it requires new hardware that is N3DS-exclusive?
It requires installing a special per-console sector on NAND.
Plus, on O3DS a vulnerability could allow us to break it in a few minutes.
 
OctopusRift:
> Soooooo couldn't someone run Sysupdater on an O3DS and downgrade to abuse the flaw? Or is there no complete 3.0 backup anywhere?
Not on THAT ISO site. The issue was you couldn't run a browser or Cubic before 4.5 (afaik), so no dumps exist yet.

But, in theory, someone with a 3DS hardmodded on 2.x could do a NAND dump on 2.x, then upgrade to 4.5 and decrypt their 2.x NAND dump.
 

Reisyukaku (Developer):
> Not on THAT ISO site. The issue was you couldn't run a browser or Cubic before 4.5 (afaik), so no dumps exist yet.
>
> But, in theory, someone with a 3DS hardmodded on 2.x could do a NAND dump on 2.x, then upgrade to 4.5 and decrypt their 2.x NAND dump.
ROP for 1.0 Cubic Ninja exists, but I digress. Also, OTP is per-console, so you'd need to half-boot your N3DS somehow into 3.x and obtain the OTP. Or try the various other seemingly unlikely methods.
 

motezazer:
> ROP for 1.0 Cubic Ninja exists, but I digress. Also, OTP is per-console, so you'd need to half-boot your N3DS somehow into 3.x and obtain the OTP. Or try the various other seemingly unlikely methods.
2.x, not 3.x.
And the O3DS ARM11 kernel would panic because of the new hardware.
 
