Homebrew AES key scrambler

[perkel]

OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?

here:

Reisyukaku[/URL]]
I dumped OTP registers on N3DS, which gave me access to 0x200 bytes of NAND keys , which let me generate all the keys from 0x15, 0x16 and all keyXs for 0x18, 0x19..0x1F so i can decrypt 9.6+. I honestly dont think nintendo would be able to lock us out again. lol
Took me longer than I expected to get this done because my n3ds was acting weird from downgrade. So SciresM was my beta tester

 

[Syphurith]

OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?

OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.
However it seems you don't need the whole OTP dumped to get 0x11 keyslot.

here:

That's quite good. Even i don't know about the clues about how that is done. Congrats to him/her.

 

[urherenow]

here:

Just... wow...

OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.

Wait. He said he did this with an N3DS. No way he downgraded to 3.0. I guess I should just nod and pretend I understand what just happened .

Edit: ok... he had someone else help him do it because his N3DS was messing up. My eyes must be crossed.

 

[Xenon Hacks]

OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.
However it seems you don't need the whole OTP dumped to get 0x11 keyslot.

That's quite good. Even i don't know about the clues about how that is done. Congrats to him/her.

Glad it was Rei and not Wulf who figured it out.

 

[perkel]

Just... wow...

Even better is that he plans to release it tomorrow (if he gets time to finish it) which means that from tommorow on 9.6+ emunand on n3ds is possible. RXtools dude/chick also said they plan to release 9.6+ before march.

 

[OctopusRift]

OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?

Yessiree you can. Read up on it!

 

[urherenow]

OTP for O3DS can be dumped, when your console is <3.0, and have the correct payload for CN/SKY.
However it seems you don't need the whole OTP dumped to get 0x11 keyslot.

That's quite good. Even i don't know about the clues about how that is done. Congrats to him/her.

Yessiree you can. Read up on it!

A little late on that one...

 

[OctopusRift]

A little late on that one...

Well. Considering I've been working on dumping N3DS OTP for like 3 months. Nah.

 

[Rosselman]

Glad it was Rei and not Wulf who figured it out.

Pretty sure Wulf already figured it out.

 

[Xenon Hacks]

Pretty sure Wulf already figured it out.

Dont care what the cuck squad claims to know

 

[Rosselman]

Dont care what the cuck squad claims to know

They did have a video.

 

[Xenon Hacks]

They did have a video.

could be CVER who knows, dont care.

 

[Rosselman]

could be CVER who knows, dont care.

Nope, it was legit, they even tried the official updater and it was up to date. To be fair, SALT contributes a lot to 3dbrew, so I don't have hate for them.

 

[ketal]

If you can find Process9 {1.0} file-writing code, have fun dumping the keys

 

[Shadowtrance]

If you can find Process9 {1.0} file-writing code, have fun dumping the keys

My googlefu is failing me. lol

 

[RednaxelaNnamtra]

Hey, how should I name the 0x11 keys after creating them with my key generator?
I would use something like slot0x11-9.6key.bin and slotx11-9.3key.bin

 

[uyjulian]

julians-MacBook-Pro:~ julian$ openssl md2 /Users/julian/Documents/key_slot\ part.bin 
MD5(/Users/julian/Documents/key_slot part.bin)= 97eb0410ed2002a49ba221c0915d3f58
julians-MacBook-Pro:~ julian$ openssl md5 /Users/julian/Documents/key_slot\ part.bin 
MD5(/Users/julian/Documents/key_slot part.bin)= 97eb0410ed2002a49ba221c0915d3f58
julians-MacBook-Pro:~ julian$ openssl mdc2 /Users/julian/Documents/key_slot\ part.bin 
MDC2(/Users/julian/Documents/key_slot part.bin)= 1608e7783962dbac2d7a2803abd5bf71
julians-MacBook-Pro:~ julian$ openssl rmd160 /Users/julian/Documents/key_slot\ part.bin 
RIPEMD160(/Users/julian/Documents/key_slot part.bin)= a09afdd153b3f82889bfe613efd529af68e0159d
julians-MacBook-Pro:~ julian$ openssl sha /Users/julian/Documents/key_slot\ part.bin 
SHA(/Users/julian/Documents/key_slot part.bin)= 2ded8f66bfee9b764fec60516d9d26f3fc6f6537
julians-MacBook-Pro:~ julian$ openssl sha1 /Users/julian/Documents/key_slot\ part.bin 
SHA1(/Users/julian/Documents/key_slot part.bin)= b9cfa84916a930d272250130d67ceb822141177d
julians-MacBook-Pro:~ julian$ shasum -a 224 /Users/julian/Documents/key_slot\ part.bin 
b59ffab75b012ac520a1e065fa069668edd8fb493b1bdf893af1f4d7  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 256 /Users/julian/Documents/key_slot\ part.bin 
82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 384 /Users/julian/Documents/key_slot\ part.bin 
28c0d77a51ac757fcfdbdafeb6021bb7c1993cee6c5e69d9cd7f462550aca4c99964836450e7d7121f86f8475be6b0a2  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 512 /Users/julian/Documents/key_slot\ part.bin 
87d0ab58e794b2d89101de40bee944a205cc48badb24c60e121ba9ac61a4eea68bed2bd2720fc74b5763ecc00b81f054892fb65ca19b0be27cbaeda1c442bd94  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$

 

[mathieulh]

Why dump the OTP area when you can use the kernel9 loader hack to dump the content of the SHA_HASH register (which the kernel9 loader does not clear) to attain the same result ?

 

[Dazzozo]

Why dump the OTP area when you can use the kernel9 loader hack to dump the content of the SHA_HASH register (which the kernel9 loader does not clear) to attain the same result ?

Because that was literally publicly disclosed minutes ago.

 

[mathieulh]

Because that was literally publicly disclosed minutes ago.

Ok, I didn't know that, this seemed like an obvious thing to do, given that it's cleared by Kernel9, as you run code earlier, you can just read the actual OTP hash used in the decryption of the nand keystore.