Decrypt and Re-Encrypt NAND?

Discussion in '3DS - Flashcards & Custom Firmwares' started by drfsupercenter, Dec 3, 2014.

  1. drfsupercenter
    OP

    drfsupercenter Flash Cart Aficionado

    Member
    1,898
    234
    Mar 26, 2008
    United States
    So...

    With VoID's multi decryption tools, I noticed there is a function to decrypt your NAND. By itself that's probably not very useful, BUT

    Could we potentially overcome the whole "you can only restore NAND backups from *your own system*" hurdle? Think about it.

    Say you have one 3DS with the 4.x firmware on it. You have another one that's newer (maybe even a 2DS, who knows) and want to put DevMenu on there so you can install all the .cia files you want and be able to go online and everything too without needing a Gateway.

    If you get a NAND flash port installed, and dump your NAND, couldn't you use VoID's tools to decrypt *that* NAND dump?

    I'm not so sure how exactly the NAND is encrypted, but given that we can get xorpads now and decrypt the contents, couldn't we re-encrypt it using a different system's xorpads? In theory we could share a NAND image with friends and everybody just re-encrypt it with their own xorpads?

    (I'm also thinking, couldn't you essentially change your system's region with this too? take a US and EUR system, dump both, encrypt one to the other, etc)
     


  2. gudenau

    gudenau Never a unique idea

    Member
    3,257
    1,224
    Jul 7, 2010
    United States
    /dev/random
There are still checksums in place, so I do not think this would work.
     
  3. Ryanrocks462

    Ryanrocks462 Wii U/3DS Hacker.. Will test anything, A Pirate

    Banned
    566
    221
    Jun 18, 2014
    United States
    California
It wouldn't work since each console has its own unique key, and no one seems to know how to decrypt your console's key. Once we are able to modify the console key, of course, re-encrypting would be no problem.
     
  4. sgtkwol

    sgtkwol GBAtemp Regular

    Member
    222
    69
    Oct 29, 2008
    United States
    To confirm, xorpads are generated using the "everybody's 3DS" keys. Any way to write a similar program that will use a 4.x 3DS to sign with the "your 3DS" key?
     
  5. Ryanrocks462

    Ryanrocks462 Wii U/3DS Hacker.. Will test anything, A Pirate

    Banned
    566
    221
    Jun 18, 2014
    United States
    California
    We have to find how to dump/extract it from the and first ;3
     
  6. drfsupercenter
    OP

    drfsupercenter Flash Cart Aficionado

    Member
    1,898
    234
    Mar 26, 2008
    United States
    Yeah, this is what I was getting at.

    I'm no programmer and have no idea how you would do this, but I'm sure it's possible. Thanks for explaining why it won't work at the moment though. Someone get on this! :P
     
  7. Jayro

    Jayro MediCat DVD and Mini Windows 10 Developer

    Member
    GBAtemp Patron
    4,855
    2,587
    Jul 23, 2012
    United States
    Octo Canyon
Seems like there would be some way to JTAG and/or debug the memory in real time, or save a memory dump while a NAND encryption is taking place.
     
  8. williamcesar2

    williamcesar2 GBAtemp Advanced Fan

    Member
    673
    328
    Jun 21, 2013
    United States
    New York City

    interesting
     
  9. sgtkwol

    sgtkwol GBAtemp Regular

    Member
    222
    69
    Oct 29, 2008
    United States
    Please don't quote me as correct, unless someone more knowledgeable can confirm. I'm only stating what I think is correct based on what I've read/used.
     
  10. williamcesar2

    williamcesar2 GBAtemp Advanced Fan

    Member
    673
    328
    Jun 21, 2013
    United States
    New York City
I did not quote you as ''correct'' but as ''interesting'', nothing more.
     
  11. misterb98

    misterb98 Moral Gateway User. Wat.

    Member
    450
    142
    Aug 24, 2010
    United States
    Got it working! You apparently only need the larger file.

    Code:
     make_cia -o patch.cia --major=5 --minor=7 --micro=0 --content0=00000006.app.out --id_0 00000006 
    It installed fine. For whatever reason, I now need to accept the online agreement, but whenever I hit accept (all in Japanese, :P) it says Accepted, but then goes to a screen in smash saying I need to accept the agreement. This is probably an issue people have worked around, any tips?
     
  12. einstein95

    einstein95 GBAtemp Regular

    Member
    228
    138
    Aug 31, 2013
    New Zealand
    No, NAND xorpads are generated from the per-console key; and no, you can't simply xor NAND A with xorpad A to get the plain data then xor with xorpad B to run it on the console unless you copy certain files from console B (apparently).
     
  13. drfsupercenter
    OP

    drfsupercenter Flash Cart Aficionado

    Member
    1,898
    234
    Mar 26, 2008
    United States
    Yeah, I was saying *if* you have a NAND dump of both systems.

    You can install a NAND flasher to any system, even if it's >4.5
    And then you could take that image and decrypt it using a 4.5 system, no?

For the sake of testing, I now have multiple region 3DSes running 4.x firmware. So I can decrypt each system's NAND *on that system*.

    If anyone wants to give me some ideas to try, I can always see if I can flash it back to the other. Actually about to send the two systems out today to get NAND flashers installed so I don't have to worry about any permanent damage :P
     
  14. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,962
    3,231
    Nov 18, 2012
    United States
    Las Vegas
    I'm actually curious about what's different between the two NANDs in terms of region. I believe smea once posted a pic where he was exploring the NAND filesystem a bit, although I'm not sure what filesystem it even has.
     
  15. einstein95

    einstein95 GBAtemp Regular

    Member
    228
    138
    Aug 31, 2013
    New Zealand
    FAT16
     
  16. justinkb

    justinkb GBAtemp Advanced Fan

    Member
    619
    210
    Oct 7, 2012
    Netherlands
    Correctly implemented AES with console-unique (so they can't be "leaked") keys (of sufficient length) is unbreakable. Forget it.
     
  17. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,962
    3,231
    Nov 18, 2012
    United States
    Las Vegas
    We can already decrypt and (I believe) re-encrypt NAND partitions. The main issue is that there are some other console-specific bits in the firmware. Nintendo's System Transfer app itself literally copies stuff off the NAND to the other person's 3DS and then re-encrypts it under the new console's keys.
     
  18. gamesquest1

    gamesquest1 Nabnut

    Member
    14,119
    9,454
    Sep 23, 2013
The actual main issue is that the main use of this would be to downgrade... but unless you can re-encrypt to the updated console, you would need the xorpad for that specific console... which you can't get unless you're on 4.x... which pretty much leaves the only use for this as something like trying to make a US 3DS into a EU 3DS etc. Both systems would still need to be on 4.x, but I suppose *theoretically* you could make yourself a different region emuNAND, which may be handy for, say, people importing a Japanese N3DS but being able to boot into the EU firmware or something... but again, I have no idea if it's possible, but it sounds theoretically possible (more so than trying to modify the sysNAND, as at least if anything goes wrong with your emuNAND you can just wipe it without having to have a hardware mod).
     
  19. drfsupercenter
    OP

    drfsupercenter Flash Cart Aficionado

    Member
    1,898
    234
    Mar 26, 2008
    United States
    Yeah, you could downgrade [allthethings.png]

    Think about how many people have a 3DS that is newer than 4.5, you could basically get one "donor" NAND from someone here and just re-encrypt it to their specific console, profit! They'd just have to solder a flash port in, which is certainly cheaper than trying to track down a 4.x 3DS.
     
  20. gamesquest1

    gamesquest1 Nabnut

    Member
    14,119
    9,454
    Sep 23, 2013
I guess you're missing the point... to get the unique per-device encryption, the device would need to be hacked; if it's hacked, what's the point?
You can't just make a NAND from one console work on an updated console without having the target console hacked too, so you can re-encrypt the "donor NAND" using that 3DS's unique encryption.
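An added Python example (not from this thread or from any 3DS tool) of what einstein95, justinkb and gamesquest1 describe: a per-console key yields a per-console xorpad, so an image decrypted with console A's pad can only be re-encrypted for console B with B's own key, and a checksum plus a console-specific field rejects a mismatched image. HMAC-SHA256 stands in for AES-CTR keystream generation, and the key derivation, image layout and secrets are constructed for illustration, not the 3DS's own.

```python
import hashlib, hmac, zlib
BLOCK = 32  # keystream block size; HMAC-SHA256 stands in for AES-CTR's 16-byte blocks (assumption)

def console_key(otp_secret: bytes) -> bytes:
    """Per-console key. Constructed stand-in, not the real 3DS key derivation."""
    return hashlib.sha256(b"console-unique-key|" + otp_secret).digest()

def xorpad(key: bytes, length: int) -> bytes:
    """Keystream ("xorpad") for `length` bytes: block i = HMAC(key, counter i)."""
    out = bytearray()
    for ctr in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, ctr.to_bytes(16, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_image(console_id: bytes, payload: bytes) -> bytes:
    """Plain NAND-like image (constructed layout): 8-byte console id, payload, CRC32 trailer."""
    body = console_id.ljust(8, b"\0") + payload
    return body + zlib.crc32(body).to_bytes(4, "big")

def read_image(key: bytes, enc: bytes, expect_id: bytes):
    """What a console does at boot: strip its own xorpad, check the CRC and the console id."""
    plain = xor_bytes(enc, xorpad(key, len(enc)))
    body, crc = plain[:-4], int.from_bytes(plain[-4:], "big")
    if zlib.crc32(body) != crc or body[:8] != expect_id.ljust(8, b"\0"):
        return None  # checksum or console-specific field does not match
    return body[8:]

def transfer(enc_a: bytes, key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> bytes:
    """Re-encrypt A's image for B. Needs key_b, the target console's own key."""
    payload = read_image(key_a, enc_a, id_a)
    plain_b = build_image(id_b, payload)  # console-specific field rewritten for B
    return xor_bytes(plain_b, xorpad(key_b, len(plain_b)))

def demo() -> dict:
    key_a, key_b = console_key(b"otp-A"), console_key(b"otp-B")  # constructed secrets
    payload = b"firmware 4.5 contents"
    plain_a = build_image(b"CONS-A", payload)
    enc_a = xor_bytes(plain_a, xorpad(key_a, len(plain_a)))
    pad_a = xorpad(key_a, len(enc_a))  # what console A can produce for itself
    enc_for_b = transfer(enc_a, key_a, b"CONS-A", key_b, b"CONS-B")
    return {
        "own_pad_decrypts_own_nand": xor_bytes(enc_a, pad_a) == plain_a,
        "b_boots_transferred_image": read_image(key_b, enc_for_b, b"CONS-B") == payload,
        "b_boots_a_image_unchanged": read_image(key_b, enc_a, b"CONS-B") is not None,
        "pad_b_equals_pad_a": pad_a == xorpad(key_b, len(enc_a)),
    }
```

The last two entries come out False: B's xorpad cannot be produced from A's, and an unmodified A image fails B's checks, which is the point gamesquest1 makes.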