Homebrew AES key scrambler

  • Thread starter: Suiginou
  • Views: 89,889
  • Replies: 455
  • Likes: 12
PSA: I don't think what we're doing has any real practical use whatsoever. This is just nerd science for the sake of knowledge for the time being.

Until we get bootrom dumps (if ever...), it will likely stay this way.
Like I said, you can make a Sky3DS clone with that currently. And sniff Download Play traffic.
 
This means Sky3DS has already got those keys?
Also, couldn't you use memchunkhax to gain ARM11 kernel access and dump the keys you need? Do you have to necessarily exploit ARM9?
 
This means Sky3DS has already got those keys?
Also, couldn't you use memchunkhax to gain ARM11 kernel access and dump the keys you need? Do you have to necessarily exploit ARM9?
Kernel exploits won't reveal the keys. Maybe a bootrom dump.
 
And how can you dump the bootrom?
If "using ntrhax" -> was enough information unveiled about that hax? Could someone (GW maybe?) do it?
 
What about the third guy (derrek, if I'm not wrong)? He explained something about keys and bootrom, wasn't there anything useful? What's the point of what he said, then?
 
Sorry, but I fail to find an answer to my question in your reply.
"wasn't there anything useful (in what derrek said)? What's the point of what he said, then?"
I remember it being mentioned, but can't remember in detail.
Maybe you should watch that part again.
 
Damn, I downloaded the German version, going to look for the English one. Thank you for your answers.
Just realised it's both German and English.
 
Last edited by Earth97,
Eh.. Could anyone tell me what the CTR with the KeyX/KeyY is for, then?
There isn't a place for it in the algorithm listed, and I fear no place for it in normal AES-CTR decryption with PC software.
If you can calculate two C out of the different keyslots, please tell me if they are the same.
Also, as you might already know, that CTR is set when you need the xorpads, see decrypt9.
 
Eh.. Could anyone tell me what the CTR with the KeyX/KeyY is for, then?
There isn't a place for it in the algorithm listed, and I fear no place for it in normal AES-CTR decryption with PC software.
If you can calculate two C out of the different keyslots, please tell me if they are the same.
Also, as you might already know, that CTR is set when you need the xorpads, see decrypt9.

The CTR has absolutely nothing to do with the key generator. The key generator is just an optional function that can be invoked that generates a normal AES key from two inputs. The AES hardware can be used without invoking it (and with normal keys themselves).

Edit: There are two key generator algorithms. One for DSi keyslots (which can also be optionally/temporarily enabled for 3DS keyslots) and has been known for some time. The other (3DS) can only be used on 3DS keyslots. Both have their own constant, but the constant does not change based on the keyslot.
 
Last edited by Dazzozo,
You can't solve for two unknowns. You don't have a normal key or a way to dump a normal key for a given keyY.
At the talk they showed how to do it, you can encrypt something with all 0's with a KeyY and unknown corresponding KeyX, then flip bits in KeyY and you can determine KeyX from that, then you only have one unknown which you can solve for
 
At the talk they showed how to do it, you can encrypt something with all 0's with a KeyY and unknown corresponding KeyX, then flip bits in KeyY and you can determine KeyX from that, then you only have one unknown which you can solve for

I know exactly what they showed everyone, because I have the constant.

You still can't solve with two unknowns...
 