Hacking Decrypt and Re-Encrypt NAND?

[drfsupercenter]

So...

With VoID's multi decryption tools, I noticed there is a function to decrypt your NAND. By itself that's probably not very useful, BUT

Could we potentially overcome the whole "you can only restore NAND backups from *your own system*" hurdle? Think about it.

Say you have one 3DS with the 4.x firmware on it. You have another one that's newer (maybe even a 2DS, who knows) and want to put DevMenu on there so you can install all the .cia files you want and be able to go online and everything too without needing a Gateway.

If you get a NAND flash port installed, and dump your NAND, couldn't you use VoID's tools to decrypt *that* NAND dump?

I'm not so sure how exactly the NAND is encrypted, but given that we can get xorpads now and decrypt the contents, couldn't we re-encrypt it using a different system's xorpads? In theory we could share a NAND image with friends and everybody just re-encrypt it with their own xorpads?

(I'm also thinking, couldn't you essentially change your system's region with this too? take a US and EUR system, dump both, encrypt one to the other, etc)

 

[gudenau]

There are still chechsums in place, so I do not think this would work.

 

[Ryanrocks462]

it wouldn't work since each console has its own unique Key and no one seems to know how to decrypt your consoles key, so once we are able to modify the console key of course , re-encrypting would be no problem

 

[sgtkwol]

To confirm, xorpads are generated using the "everybody's 3DS" keys. Any way to write a similar program that will use a 4.x 3DS to sign with the "your 3DS" key?

 

[Ryanrocks462]

To confirm, xorpads are generated using the "everybody's 3DS" keys. Any way to write a similar program that will use a 4.x 3DS to sign with the "your 3DS" key?

We have to find how to dump/extract it from the and first ;3

 

[drfsupercenter]

To confirm, xorpads are generated using the "everybody's 3DS" keys. Any way to write a similar program that will use a 4.x 3DS to sign with the "your 3DS" key?

Yeah, this is what I was getting at.

I'm no programmer and have no idea how you would do this, but I'm sure it's possible. Thanks for explaining why it won't work at the moment though. Someone get on this!

 

[Jayro]

Seems like there would be some way to JTAG and/or debug the memory in real time, or save a memory dump while a nand encryption is taking place.

 

[williamcesar2]

To confirm, xorpads are generated using the "everybody's 3DS" keys. Any way to write a similar program that will use a 4.x 3DS to sign with the "your 3DS" key?

interesting

 

[sgtkwol]

Please don't quote me as correct, unless someone more knowledgeable can confirm. I'm only stating what I think is correct based on what I've read/used.

 

[williamcesar2]

I do not quoted you as ''correct'' but as ''interesting'' nothing more

 

[misterb98]

Got it working! You apparently only need the larger file.

 make_cia -o patch.cia --major=5 --minor=7 --micro=0 --content0=00000006.app.out --id_0 00000006

It installed fine. For whatever reason, I now need to accept the online agreement, but whenever I hit accept (all in Japanese, ) it says Accepted, but then goes to a screen in smash saying I need to accept the agreement. This is probably an issue people have worked around, any tips?

 

[einstein95]

No, NAND xorpads are generated from the per-console key; and no, you can't simply xor NAND A with xorpad A to get the plain data then xor with xorpad B to run it on the console unless you copy certain files from console B (apparently).

 

[drfsupercenter]

No, NAND xorpads are generated from the per-console key; and no, you can't simply xor NAND A with xorpad A to get the plain data then xor with xorpad B to run it on the console unless you copy certain files from console B (apparently).

Yeah, I was saying *if* you have a NAND dump of both systems.

You can install a NAND flasher to any system, even if it's >4.5
And then you could take that image and decrypt it using a 4.5 system, no?

For the sake of testing, I now have multiple region 3DSes running 4.x firmware. So I can decrypt each system's NAND *on that system*

If anyone wants to give me some ideas to try, I can always see if I can flash it back to the other. Actually about to send the two systems out today to get NAND flashers installed so I don't have to worry about any permanent damage

 

[shinyquagsire23]

Yeah, I was saying *if* you have a NAND dump of both systems.

You can install a NAND flasher to any system, even if it's >4.5
And then you could take that image and decrypt it using a 4.5 system, no?

For the sake of testing, I now have multiple region 3DSes running 4.x firmware. So I can decrypt each system's NAND *on that system*

If anyone wants to give me some ideas to try, I can always see if I can flash it back to the other. Actually about to send the two systems out today to get NAND flashers installed so I don't have to worry about any permanent damage

I'm actually curious about what's different between the two NANDs in terms of region. I believe smea once posted a pic where he was exploring the NAND filesystem a bit, although I'm not sure what filesystem it even has.

 

[einstein95]

I'm actually curious about what's different between the two NANDs in terms of region. I believe smea once posted a pic where he was exploring the NAND filesystem a bit, although I'm not sure what filesystem it even has.

FAT16

 

[justinkb]

Correctly implemented AES with console-unique (so they can't be "leaked") keys (of sufficient length) is unbreakable. Forget it.

 

[shinyquagsire23]

Correctly implemented AES with console-unique (so they can't be "leaked") keys (of sufficient length) is unbreakable. Forget it.

We can already decrypt and (I believe) re-encrypt NAND partitions. The main issue is that there are some other console-specific bits in the firmware. Nintendo's System Transfer app itself literally copies stuff off the NAND to the other person's 3DS and then re-encrypts it under the new console's keys.

 

[gamesquest1]

We can already decrypt and (I believe) re-encrypt NAND partitions. The main issue is that there are some other console-specific bits in the firmware. Nintendo's System Transfer app itself literally copies stuff off the NAND to the other person's 3DS and then re-encrypts it under the new console's keys.

the actual main issue is that the main use of this would be to downgrade....but unless you can re-encrypt to the updated console you would need the xorpad for that specifc console.....which you cant get unless your on 4.x..........which pretty much leaves the only use for this as something like trying to make a US 3ds into a EU 3ds etc......both systems would still need to be on 4.x, but i suupose *theoretically* you could make yourself a different region emunand, which may be handy for say people importing a japanese N3ds but being able to boot into the EU firmware or something......but again i have no idea if its possible, but it sounds theoretically possible (more so than trying to modify the sysnand as at least if anything goes wrong with your emunand you can just wipe it without having to have a hardware mod

 

[drfsupercenter]

the actual main issue is that the main use of this would be to downgrade....but unless you can re-encrypt to the updated console you would need the xorpad for that specifc console.....which you cant get unless your on 4.x..........which pretty much leaves the only use for this as something like trying to make a US 3ds into a EU 3ds etc......both systems would still need to be on 4.x, but i suupose *theoretically* you could make yourself a different region emunand, which may be handy for say people importing a japanese N3ds but being able to boot into the EU firmware or something......but again i have no idea if its possible, but it sounds theoretically possible (more so than trying to modify the sysnand as at least if anything goes wrong with your emunand you can just wipe it without having to have a hardware mod

Yeah, you could downgrade [allthethings.png]

Think about how many people have a 3DS that is newer than 4.5, you could basically get one "donor" NAND from someone here and just re-encrypt it to their specific console, profit! They'd just have to solder a flash port in, which is certainly cheaper than trying to track down a 4.x 3DS.

 

[gamesquest1]

Yeah, you could downgrade [allthethings.png]

Think about how many people have a 3DS that is newer than 4.5, you could basically get one "donor" NAND from someone here and just re-encrypt it to their specific console, profit! They'd just have to solder a flash port in, which is certainly cheaper than trying to track down a 4.x 3DS.

i guess your missing the point....to get the unique per device encryption...the device would need to be hacked, if its hacked, whats the point?
you cant just make a nand work from one console one a updated console without having the target console hacked too so you can re-encrypt the "donor nand" using that 3ds's unique encryption