CTR nand decrypt of broken old 3DS

Discussion in '3DS - Console, Accessories and Hardware' started by Scipiox, Apr 12, 2017.

  1. Scipiox
    OP

    My Old 3DS mainboard was damaged and the system is not booting now. But I did a full backup of the console's NAND via hardmod in the past. As the console had firmware higher than 10.x and at the time it was not possible to simply unlock it, I have no XORpads or decrypted partition backups, just the NAND backup. I found out the NAND CID of the broken console via Arduino, and I am able to make a fresh NAND backup.
    Is there any way to decrypt the CTR partition of the broken console, when I have a full NAND backup and the NAND CID? I would like to extract my "profile" files from the NAND of this broken console.
     
  2. proflayton123

    Without XORs you're SOL.
     
  3. PabloMK7

    Wait until someone dumps the bootrom.
     
  4. Scipiox
    OP

    There must be some way to decrypt it. The CTRNAND/TWL CTR is generated from the NAND CID (that I know).
    What other component (IC) on the console mainboard stores unique data (I would be able to resolder it onto another, working, mainboard)?
    Another theoretical way is to try to bruteforce it. The CTR partition has a known "header". As I know part of the data unencrypted, I could try keys until this part of the data is equal...
     
  5. Scipiox
    OP

    Another thing that I don't understand.
    I am trying to debug XORpad generation from Decrypt9WIP. There is a procedure "CryptBuffer" that uses the "CryptBufferInfo" structure as input. I tried manually setting all variables of the structure (including ctr, KeyY + setKeyY = 1 to set it, etc...), but it generates different output on each console.
     
  6. proflayton123

    Is there not a program to use to extract from the NAND?
     
  7. GerbilSoft

    The NAND encryption KeyXs are generated using data stored in the OTP ROM. The OTP itself is encrypted using some key in the protected ARM9 BootROM.

    Ergo, in order to decrypt the NAND offline, you'd need the console-specific OTP, the keys from BootROM, and some way to generate the console-unique keys from both of those data sources. The last step will probably happen fairly quickly once the BootROM is publicly released.
     
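    An added illustration (not code from this thread, Decrypt9 or any other project) of the two ingredients discussed in posts 5 and 7: the NAND counter really is derivable from the NAND CID alone, but the AES key that "CryptBuffer" ends up using is the hardware scrambler's combination of the KeyY you set and a KeyX that boot9 loads per console from OTP-derived data, so the same KeyY yields a different XORpad on every console. The scrambler formula and constant are the publicly documented ones (3dbrew); the SHA-256 / SHA-1 counter derivation follows Decrypt9's GetNandCtr, and all CID and key values below are constructed samples, not real console data.

    ```python
    import hashlib

    MASK128 = (1 << 128) - 1
    # Public 3DS AES key-scrambler constant (documented on 3dbrew); not a secret.
    SCRAMBLER_C = 0x1FF9E9AAC5FE0408024591DC5D52768A


    def rol128(value, bits):
        """Rotate a 128-bit integer left by `bits` (mod 128)."""
        bits %= 128
        return ((value << bits) | (value >> (128 - bits))) & MASK128


    def normal_key(key_x, key_y):
        """Hardware key scrambler: NormalKey = (((KeyX <<< 2) ^ KeyY) + C) <<< 87.

        KeyX for the NAND keyslots is console-unique (set by boot9 from OTP-derived
        data), so even with an identical KeyY every console produces a different key.
        """
        return rol128(((rol128(key_x, 2) ^ key_y) + SCRAMBLER_C) & MASK128, 87)


    def ctrnand_ctr(nand_cid, byte_offset=0):
        """CTRNAND counter: first 16 bytes of SHA-256(NAND CID), +1 per 16-byte block."""
        base = int.from_bytes(hashlib.sha256(nand_cid).digest()[:16], "big")
        return (base + byte_offset // 16) & MASK128


    def twlnand_ctr(nand_cid, byte_offset=0):
        """TWLNAND counter: first 16 bytes of SHA-1(NAND CID), byte-reversed."""
        base = int.from_bytes(hashlib.sha1(nand_cid).digest()[:16][::-1], "big")
        return (base + byte_offset // 16) & MASK128


    if __name__ == "__main__":
        cid = bytes(range(16))                      # constructed sample CID
        key_y = 0x0123456789ABCDEF0123456789ABCDEF  # constructed sample KeyY
        key_x_a = 0x11111111111111111111111111111111  # constructed "console A" KeyX
        key_x_b = 0x22222222222222222222222222222222  # constructed "console B" KeyX
        # Same CID -> same counter on any console that knows the CID.
        print("CTRNAND ctr @0x0:", hex(ctrnand_ctr(cid)))
        print("CTRNAND ctr @0x200:", hex(ctrnand_ctr(cid, 0x200)))
        # Same KeyY, different OTP-derived KeyX -> different normal key -> different XORpad.
        print("normal key, console A:", hex(normal_key(key_x_a, key_y)))
        print("normal key, console B:", hex(normal_key(key_x_b, key_y)))
    ```

    The missing piece for offline decryption is therefore the console's KeyX (equivalently its OTP plus the boot9 derivation), not the counter.
    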
  8. Scipiox
    OP

    OK, I understand. Actually it is not possible to get all the needed keys "offline" from the NAND image and NAND CID, therefore it is not possible to decrypt it using another 3DS.

    But somewhere on the 3DS mainboard there must be components that store unique data. One of them is the NAND memory chip, but it is probably not the only such component. Does somebody know which hardware components on the 3DS mainboard are unique? If all these components can be located, it would theoretically be possible to take them and solder them onto another (working) mainboard to "clone" the console (I know, maybe some ICs can't simply be resoldered, but theoretically..).
     
  9. GerbilSoft

    The OTP ROM is stored within the SoC. It's practically impossible to extract it outside of booting to 2.1 and running a dumping tool.
     
  10. Scipiox
    OP

    Thank you for the answer, I understand.
    Do you know where exactly this System-on-Chip (SoC) is located on the Old 3DS mainboard?
     
  11. GerbilSoft

    It's CPU-CTR: https://www.3dbrew.org/wiki/Hardware#Images

    You're not going to be able to extract the OTP ROM externally. The only way to do it if the system isn't usable is to decap the chip and manually extract the OTP using a microscope, which requires expensive equipment and is very time-consuming. (Incidentally, this method could also be used to extract the BootROM, but that's 32 KB, and I don't think you'd want to read 262,144 bits by hand.)
     
  12. bennyman123abc

    Completely off-topic but, is the bootrom the same on each console or different? If not, then I could dump the bootrom manually and there we go. Every 3DS problem solved :P (Not really but some will be solved :D)
     
  13. GerbilSoft

    It's the same for all systems and all models. Good luck trying to dump the ROM using a microscope, though. The DMG (Game Boy) boot ROM, which is 256 bytes (2048 bits), was dumped in 2003 using this method: http://dot-matrix-game.blogspot.se/2014/01/boot-roms.html
     
  14. bennyman123abc

    I just need a broken 3DS with an intact chip that stores the BootROM (I will need to do a bit of research first of course; I already have a microscope capable of this). Or, reading the article, I could try to overclock the 3DS and do the same thing the person who dumped the GBC BootROM did :P Idk how hard that would be though...
     
  15. Ryccardo

    That's basically what hedgeberg is trying and well-known others have done before: disturbing the CPU in just the right way so it skips the 1-2 instructions that lock bootrom until next reset - compared to GBC there's the significant issue of getting the actual dumper to run (since GB/C roms are unencrypted and their "signing" is just a fixed logo and checksum, while on 3DS the most realistic option is preloading the dumper in RAM and hoping to make it jump to that code)
     
  16. bennyman123abc

    Has it been done successfully on the 3DS however?
     
  17. Ryccardo

    Soon (by hedgeberg)
    Years ago by the others who aren't interested in sharing
     
  18. bennyman123abc

    I would be a noob and ask how soon, but I am in a good mood today, so I won't purposely piss anyone off :P
     
  19. gamesquest1

    You could probably transplant the CPU from one system to another (this has already been done once by someone to make a US small n3DS before the official release), but it's no simple feat and probably well beyond the capabilities of 99.9% of people.

    What exactly happened to the system? As in most cases it would probably be easier to fix the console in question.
     
  20. Scipiox
    OP

    This is an old 3DS original mainboard (CTR-01) of my friend. I hardmodded it in the past. It was damaged later by somebody else, who tried to fix the hardmod by soldering the "clock" wire under the game slot (it was not absolutely needed, because it was possible to simply fix it by resoldering the wire to the opposite side of the MB; I did that now and the hardmod is still working). The damaged area is near the CPU and I am not able to fix it (so tiny, and probably some connection on the PCB is damaged too).
     
    Attached file: mb.png