Decrypting the NAND title.db / import.db

Discussion in '3DS - Homebrew Development and Emulators' started by d0k3, Nov 23, 2015.

  1. d0k3
    OP
    Normally, I'd ask highly specialised reverse engineering stuff such as this over on 4DSdev.org (which, in fact, I already did). Trying my luck here now, because it has gotten fairly silent over there.

    Recently, I've been trying to write a working parser for title databases (title.db, import.db, maybe even ticket.db). There is an entry for those on 3Dbrew.org:
    http://3dbrew.org/wiki/Title_Database

    Parsing the title.db and import.db from my N3DS (9.0.0) NAND, I've noticed something strange: Although the files are obviously okay (otherwise my console would be bricked), they look like they are corrupted in several parts. Parsing (as described on 3Dbrew.org) works for some Title Entry and Title Info tables, but for others, I just get garbage.

    Now, is it possible that just some parts of the files are encrypted? (I'm not talking about the standard CTRNAND encryption layer, of course). And, how to decrypt them, and how (if we'd rule out statistical analysis) to decide which parts are encrypted and which are not?

    Any ideas?
  2. Filo97
    This is not an answer, but I think that you are a genius for thinking of such a thing.
  3. RainCode
    Don't they use AES as part of the encryption for the databases? I'm out at the moment so I can't really check things such as the available modules that the 3DS is able to use.
  4. d0k3
    OP
    Well, yes, the entire CTRNAND is AES-CTR encrypted, and we have already figured that out. There might be an additional layer of encryption on title.db which looks (emphasis on 'looks' not 'is') more like file corruption because it is not applied to the whole file.
  5. Suiginou
    AES is the only encryption they use. RSA is only used for signatures and no other real cipher is to be found on the CTR.
  6. Filo97
    Or maybe it is something like a special type of checksum to check that the file is not a fake. (I am not good at those things, I am just supposing a possibility!)
    These are my files: https://mega.nz/#!z4cFHD6B!vW_TvrVMiQQHRSzeWA66pPx-ysPkcggfT2EvtpDsf_k
  7. dark_samus3
    So looking at the entry over on 3dbrew, it says KeyX and KeyY are used but it doesn't say which slots are used, and it says it uses AES-MAC (not sure what that is). So if we knew what parts were encrypted (there HAS to be a way to tell, otherwise the 3DS wouldn't know what to do and would brick, obviously) and what KeyY and KeyX slots were used, we could probably end up generating XORpads for the whole thing and spit out a decrypted file...
  8. d0k3
    OP
    We can find out which parts are encrypted with statistical analysis (i.e. check the entropy of that part). The seemingly corrupted parts also happen to be nicely aligned to certain 'round' (i.e. with zeros at the end) offsets. Statistical analysis is not a good solution of course, and there absolutely has to be some 'proper' way to determine the encrypted parts (if they are encrypted...). It seems there is just too little known about these files by now. It looks a whole lot like Nintendo is deliberately making things difficult for us, for sure. I have almost given up on finding out by now.
    Last edited by d0k3, Nov 24, 2015
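An added example (not code from d0k3 or anyone else in the thread) of the entropy check described above: it slices a file image into aligned blocks, scores each block with Shannon entropy, and merges the high-scoring blocks into offset ranges that are candidates for being ciphertext rather than parsable plaintext. The 4 KiB block size, the 7.0 bits/byte threshold and the sample layout are assumptions; the real title.db structure is not modelled.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_high_entropy_blocks(data: bytes, block_size: int = 0x1000, threshold: float = 7.0):
    """Return (offset, entropy) for every aligned, full-size block at or above threshold.

    AES output is indistinguishable from uniform bytes, so a full 4 KiB block of it scores
    close to 8.0; sparse little-endian structures with zero padding score far lower.
    A short trailing block is skipped because too few samples bias the estimate downward.
    """
    hits = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        if len(block) < block_size:
            continue
        ent = shannon_entropy(block)
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits

def merge_runs(hits, block_size: int = 0x1000):
    """Collapse adjacent flagged blocks into half-open (start, end) byte ranges."""
    ranges = []
    for off, _ in hits:
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + block_size)
        else:
            ranges.append((off, off + block_size))
    return ranges

def build_sample() -> bytes:
    """Constructed stand-in for a database image: plaintext tables interleaved with ciphertext.
    The 'encrypted' regions are seeded pseudo-random bytes, not real AES output."""
    rng = random.Random(0x3D5)
    plain = (b"\x01\x00\x00\x00" + b"\x00" * 12) * 256          # 4 KiB of sparse 16-byte records
    cipher = bytes(rng.getrandbits(8) for _ in range(0x1000))  # 4 KiB of uniform bytes
    return plain + cipher + plain + cipher + cipher

if __name__ == "__main__":
    image = build_sample()
    for start, end in merge_runs(find_high_entropy_blocks(image)):
        print(f"probable ciphertext: 0x{start:06X}-0x{end:06X}")
```

On a real dump, replace build_sample() with the file contents and lower the block size if the flagged boundaries look coarser than the table alignment you observe.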
  9. V3NUS_M1NER
    May I ask what you are trying to achieve here?
  10. dark_samus3
    Trying to find the currently installed title version for GW-downgraded consoles, because Gateway left everything a mess in their DG process.
  11. d0k3
    OP
    No editing, if that is what you're implying here. I know that is pretty dangerous (although I currently have a seemingly successful experiment with an edited import.db going on ;)). GW leaves multiple TMDs and APPs in the NAND after their downgrade process, and for a clean app inject we need to determine which is the correct one.