Homebrew AES key scrambler

  • Thread starter: Suiginou
  • Views: 89,907
  • Replies: 455
  • Likes: 12
OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?

here:

Reisyukaku (http://gbatemp.net/members/reisyukaku.344848/) said:
I dumped OTP registers on N3DS, which gave me access to 0x200 bytes of NAND keys, which let me generate all the keys from 0x15, 0x16 and all keyXs for 0x18, 0x19..0x1F so I can decrypt 9.6+. I honestly don't think Nintendo would be able to lock us out again. lol
Took me longer than I expected to get this done because my N3DS was acting weird from the downgrade. So SciresM was my beta tester.
OTP can't be dumped. Those registers (or whatever they are) are locked down before arm9 even loads. And if I understand correctly, the OTP would be a per-console thing... no?
OTP for O3DS can be dumped when your console is <3.0 and you have the correct payload for CN/SKY.
However, it seems you don't need the whole OTP dumped to get the 0x11 keyslot.
That's quite good. Even I don't know the clues about how that is done. Congrats to him/her.
:huh:
:O
:wtf:

Just... wow...

OTP for O3DS can be dumped when your console is <3.0 and you have the correct payload for CN/SKY.

Wait. He said he did this with an N3DS. No way he downgraded to 3.0. I guess I should just nod and pretend I understand what just happened :P.

Edit: ok... he had someone else help him do it because his N3DS was messing up. My eyes must be crossed.
Last edited by urherenow.
OTP for O3DS can be dumped when your console is <3.0 and you have the correct payload for CN/SKY.
However, it seems you don't need the whole OTP dumped to get the 0x11 keyslot.

That's quite good. Even I don't know the clues about how that is done. Congrats to him/her.
Glad it was Rei and not Wulf who figured it out.
OTP for O3DS can be dumped when your console is <3.0 and you have the correct payload for CN/SKY.
However, it seems you don't need the whole OTP dumped to get the 0x11 keyslot.

That's quite good. Even I don't know the clues about how that is done. Congrats to him/her.
Yessiree you can. Read up on it!
A little late on that one... :rolleyes:
Hey, how should I name the 0x11 keys after creating them with my key generator?
I would use something like slot0x11-9.6key.bin and slot0x11-9.3key.bin
Code:
julians-MacBook-Pro:~ julian$ openssl md2 /Users/julian/Documents/key_slot\ part.bin 
MD5(/Users/julian/Documents/key_slot part.bin)= 97eb0410ed2002a49ba221c0915d3f58
julians-MacBook-Pro:~ julian$ openssl md5 /Users/julian/Documents/key_slot\ part.bin 
MD5(/Users/julian/Documents/key_slot part.bin)= 97eb0410ed2002a49ba221c0915d3f58
julians-MacBook-Pro:~ julian$ openssl mdc2 /Users/julian/Documents/key_slot\ part.bin 
MDC2(/Users/julian/Documents/key_slot part.bin)= 1608e7783962dbac2d7a2803abd5bf71
julians-MacBook-Pro:~ julian$ openssl rmd160 /Users/julian/Documents/key_slot\ part.bin 
RIPEMD160(/Users/julian/Documents/key_slot part.bin)= a09afdd153b3f82889bfe613efd529af68e0159d
julians-MacBook-Pro:~ julian$ openssl sha /Users/julian/Documents/key_slot\ part.bin 
SHA(/Users/julian/Documents/key_slot part.bin)= 2ded8f66bfee9b764fec60516d9d26f3fc6f6537
julians-MacBook-Pro:~ julian$ openssl sha1 /Users/julian/Documents/key_slot\ part.bin 
SHA1(/Users/julian/Documents/key_slot part.bin)= b9cfa84916a930d272250130d67ceb822141177d
julians-MacBook-Pro:~ julian$ shasum -a 224 /Users/julian/Documents/key_slot\ part.bin 
b59ffab75b012ac520a1e065fa069668edd8fb493b1bdf893af1f4d7  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 256 /Users/julian/Documents/key_slot\ part.bin 
82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 384 /Users/julian/Documents/key_slot\ part.bin 
28c0d77a51ac757fcfdbdafeb6021bb7c1993cee6c5e69d9cd7f462550aca4c99964836450e7d7121f86f8475be6b0a2  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$ shasum -a 512 /Users/julian/Documents/key_slot\ part.bin 
87d0ab58e794b2d89101de40bee944a205cc48badb24c60e121ba9ac61a4eea68bed2bd2720fc74b5763ecc00b81f054892fb65ca19b0be27cbaeda1c442bd94  /Users/julian/Documents/key_slot part.bin
julians-MacBook-Pro:~ julian$
Why dump the OTP area when you can use the kernel9 loader hack to dump the content of the SHA_HASH register (which the kernel9 loader does not clear) to attain the same result?
Because that was literally publicly disclosed minutes ago.

Ok, I didn't know that. This seemed like an obvious thing to do: given that it's cleared by Kernel9, if you run code earlier you can just read the actual OTP hash used in the decryption of the NAND keystore.