Homebrew Decrypting the NAND title.db / import.db

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,896
Country
Germany
Normally, I'd ask highly specialised reverse engineering stuff such as this over on 4DSdev.org (which, in fact, I already did). Trying my luck here now, cause it has gotten fairly silent over there now.

Recently, I've been trying to write a working parser for title databases (title.db, import.db, maybe even ticket.db). There is an entry for those on 3Dbrew.org:
http://3dbrew.org/wiki/Title_Database

Parsing the title.db and import.db from my N3DS (9.0.0) NAND, I've noticed something strange: Although the files are obviously okay (otherwise my console would be bricked), they look like they are corrupted in several parts. Parsing (as described on 3Dbrew.org) works for some Title Entry and Title Info tables, but for others, I just get garbage.

Now, is it possible that just some parts of the files are encrypted? (I'm not talking about the standard CTRNAND encryption layer, of course). And, how to decrypt them, and how (if we'd rule out statistical analysis) to decide which parts are encrypted and which are not?

Any ideas?
 

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,896
Country
Germany
> Don't they use AES as part of the encryption for the databases? I'm out at the moment so I can't really check things such as the available modules that the 3DS is able to use.
Well, yes, the entire CTRNAND is AES-CTR encrypted, and we have already figured that out. There might be an additional layer of encryption on title.db which looks (emphasis on 'looks' not 'is') more like file corruption because it is not applied to the whole file.
 

Suiginou

(null)
Member
Joined
Jun 26, 2012
Messages
565
Trophies
0
Location
pc + 8
XP
738
Country
Gambia, The
> Don't they use AES as part of the encryption for the databases? I'm out at the moment so I can't really check things such as the available modules that the 3DS is able to use.
AES is the only encryption they use. RSA is only used for signatures and no other real cipher is to be found on the CTR.
 

Deleted member 373223

Pink = Best colour
Member
Joined
Oct 8, 2015
Messages
4,099
Trophies
1
XP
2,790
> Well, yes, the entire CTRNAND is AES-CTR encrypted, and we have already figured that out. There might be an additional layer of encryption on title.db which looks (emphasis on 'looks' not 'is') more like file corruption because it is not applied to the whole file.
Or maybe it is something like a special type of checksum to check that the file is not a fake. (I am not good at those things, I am just supposing a possibility!)
These are my files: https://mega.nz/#!z4cFHD6B!vW_TvrVMiQQHRSzeWA66pPx-ysPkcggfT2EvtpDsf_k
 
  • Like
Reactions: d0k3

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
So looking at the entry over on 3dbrew it says KeyX and KeyY are used but it doesn't say which slots are used and it says it uses AES-MAC (not sure what that is) so if we knew what parts were encrypted (there HAS to be a way to tell otherwise the 3ds wouldn't know what to do and would brick obviously) and what KeyY and X slots were used we could probably end up generating XORpads for the whole thing and spit out a decrypted file...
 

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,896
Country
Germany
> So looking at the entry over on 3dbrew it says KeyX and KeyY are used but it doesn't say which slots are used and it says it uses AES-MAC (not sure what that is) so if we knew what parts were encrypted (there HAS to be a way to tell otherwise the 3ds wouldn't know what to do and would brick obviously) and what KeyY and X slots were used we could probably end up generating XORpads for the whole thing and spit out a decrypted file...
We can find out which parts are encrypted with statistical analysis (i.e. check the entropy of that part). The seemingly corrupted parts also happen to be nicely aligned to certain 'round' (i.e. with zeros at the end) offsets. Statistical analysis is not a good solution of course, and there absolutely has to be some 'proper' way to determine the encrypted parts (if they are encrypted...). It seems there is just too little known about these files by now. It looks a whole lot like Nintendo is deliberately making things difficult for us for sure. I almost gave up on finding out by now.
 
Last edited by d0k3,
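The entropy scan d0k3 describes above, written out as an added example (it is not code from this thread or from any 3DS tool): it walks a file in aligned blocks, computes the Shannon entropy of each block, and merges consecutive high-entropy blocks into offset ranges. The 0x200 block size and the 7.0 bits/byte threshold are assumptions chosen for the demo, and the sample input is constructed inline (zero padding, a SHA-256 chain standing in for ciphertext, and a repetitive ASCII table); real databases would be read from disk with open(path, "rb").

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, at most 8.0."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def scan_blocks(data: bytes, block_size: int = 0x200, threshold: float = 7.0):
    """Yield (offset, entropy, suspicious) for every aligned block of the file.

    block_size and threshold are assumed values for this demo; a last, short
    block is scored on whatever bytes remain.
    """
    for off in range(0, len(data), block_size):
        h = shannon_entropy(data[off:off + block_size])
        yield off, h, h >= threshold


def high_entropy_regions(data: bytes, block_size: int = 0x200, threshold: float = 7.0):
    """Merge consecutive high-entropy blocks into [start, end) offset ranges."""
    regions = []
    for off, _h, flagged in scan_blocks(data, block_size, threshold):
        if not flagged:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + block_size)   # extend the run
        else:
            regions.append((off, off + block_size))            # start a new run
    return regions


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic SHA-256 chain; stands in for encrypted-looking data in the sample."""
    out = bytearray()
    cur = seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


# Constructed sample file: 0x200 bytes of zeros, 0x400 bytes of ciphertext-like
# data, then 0x200 bytes of a repetitive plaintext-like table.
SAMPLE = (
    bytes(0x200)
    + pseudo_random_bytes(0x400)
    + b"TITLE_INFO_0123\x00" * 32
)


def report(data: bytes, block_size: int = 0x200, threshold: float = 7.0) -> None:
    """Print a per-block table followed by the merged suspicious ranges."""
    print(f"{'offset':>8}  {'entropy':>7}  flag")
    for off, h, flagged in scan_blocks(data, block_size, threshold):
        print(f"{off:#08x}  {h:7.3f}  {'*' if flagged else ''}")
    for start, end in high_entropy_regions(data, block_size, threshold):
        print(f"high-entropy region: {start:#x}-{end:#x}")


if __name__ == "__main__":
    report(SAMPLE)
```

In the sample, only the middle 0x400 bytes are reported as a region; the zero padding scores 0.0 and the repetitive table scores about 3.6 bits/byte. On a real title.db the interesting check is whether the reported region boundaries line up with the 'round' offsets d0k3 mentions, since a genuine encrypted field would be expected to start and end on structure boundaries rather than at arbitrary block edges.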

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,896
Country
Germany
> May I ask what you are trying to achieve here?
> Trying to find the currently installed title version for GW downgraded consoles because gateway left everything a mess in their DG process
No editing, if that is what you're implying here. I know that is pretty dangerous (although I have currently a seemingly successful experiment with an edited import.db going on;)). GW leaves multiple TMDs and APPs in the NAND after their downgrade process, and for a clean app inject we need to determine which is the correct one.
 
  • Like
Reactions: dark_samus3
