Hacking Question Deeper Understanding of Firmware

Would more users like to know more about the "hacking" process?


  • Total voters
    29

WayneWayne10

Member
OP
Newcomer
Joined
Dec 1, 2017
Messages
17
Trophies
0
Age
30
XP
172
Country
United States
This is a question in general regarding firmware. I always noticed that a firmware is typically "signed" by the devices parent company. For example the switches firmware is signed by Nintendo, the PSP's was signed by Sony and so forth. My question is what does that exactly mean and why is it so difficult to spoof a signature? I understand if no one wants to put forth the effort and answer but I've always wondered. I assume it has to do with encryption and what not.
 

marine5422

Well-Known Member
Newcomer
Joined
Feb 8, 2007
Messages
93
Trophies
0
XP
515
Country
United States
Google it Public key cryptography, or asymmetrical cryptography. Unless we can get a key directly from nintendo, all kind of method useless, especially Brute-forcing the key.
 

gte206w

New Member
Newbie
Joined
Jan 4, 2009
Messages
3
Trophies
0
XP
272
Country
United States
You can also start by reading this older thread and see if it satisfies your curiosity enough (won't let me post this if I make it a URL...):

gbatemp.net/threads/ps3-psp-private-keys-released.272700/
 

WayneWayne10

Member
OP
Newcomer
Joined
Dec 1, 2017
Messages
17
Trophies
0
Age
30
XP
172
Country
United States
You can also start by reading this older thread and see if it satisfies your curiosity enough (won't let me post this if I make it a URL...):

gbatemp.net/threads/ps3-psp-private-keys-released.272700/

This actually helps out a lot but I'm fairly new to encryption and have read a few rudimentary books over it. So if we had access to the encryption key is there a way to decrypt it to figure out its unlocking key, so to speak, or would that require a ton of computing power and time?
 

SirNapkin1334

Renound Aritst
Member
Joined
Aug 20, 2017
Messages
1,665
Trophies
0
XP
964
Country
United States
This actually helps out a lot but I'm fairly new to encryption and have read a few rudimentary books over it. So if we had access to the encryption key is there a way to decrypt it to figure out its unlocking key, so to speak, or would that require a ton of computing power and time?
The way a signature works, is that it is made with a special key, and is file specific. Unless you have the encryption key, it'll take a ton of brute forcing to sign a file or encrypt a file.
 

marine5422

Well-Known Member
Newcomer
Joined
Feb 8, 2007
Messages
93
Trophies
0
XP
515
Country
United States
This is a question in general regarding firmware. I always noticed that a firmware is typically "signed" by the devices parent company. For example the switches firmware is signed by Nintendo, the PSP's was signed by Sony and so forth. My question is what does that exactly mean and why is it so difficult to spoof a signature? I understand if no one wants to put forth the effort and answer but I've always wondered. I assume it has to do with encryption and what not.

You can also start by reading this older thread and see if it satisfies your curiosity enough (won't let me post this if I make it a URL...):

gbatemp.net/threads/ps3-psp-private-keys-released.272700/



It's good post to read, but it look like an ancient legacy. So I added talk more, and easier example with Ninty console.


[Wii era] - All kind of contents (Disc data, Firmware Update, other all wii shop download) encrypted/signatured with private-key that Ninty have, and can be decrypted with public-key that name as "common-key" which is inside of Wii hardware. and they discover the signature bug that called "Trucha Bug" that can sign the un-autherized contents. Once we get the key from hardware, It's easy to decrypt the contents. (but still you can't encrypt/sign the contents by your own unless you have a private key, and still we didn't know what the private key is until now) You just can download official contents(like firmware) from NUS* by your own (even if you don't have the console) and had a key, decrypt it, and understand it, and sign it. it's done.
I should say it SECURITY LEVEL 3. :D

NUS*: Nintendo Update Server

[3DS era] - Looks similar with wii era, but acutally there isn't 'common-key' that you could found inside of the console. Instead, they use the internal key function that called "key scrambler" when they needed. So if wants to decrypt the contents, you need console and to use the key scrambler previliage by take over the console kernel. Once you take over the console by using the exploit (usually savegame exploit), you can use the key function. And then you can decrypt the contents and signature feature patch. After few years later, someone found the BOOTROM bug, using an exploit now it looks everyone can easily take over their console. (Boot9strap/Firmhax). SECURITY LEVEL 2. :toot:

*: There is more complicate method when they update their security levels are going up other security still remain but I just say for easy one. So don't blame it.


[Switch era] - We maybe think this similar with other, BUT you even can't get contents directly from server. Because they need key/authentic to accept the download the from their server. (It's relate with TLS/SSL server protocol inside the console, and they change the server from 3DS era) So you can't get a firmware or digital content unless you have the console and previlige to use this feature. but we don't what is the key and we don't have previlage to use the console to take over. (basically Ninty block the savegame exploit method by using block to save share feature all of your switch game) So now you can't get decrypt the contentsor can't get anything unless you have the one of the above. And all cytography/security function is still unknown for now (few of them known but not all).
So you are now in here. SECURITY LEVEL 1. :(




EDIT: I'm not a expert in cytography/security and it can't be explaining all about their system, but that just easy explaining about Ninty console signature/cryptography. So don't blame it if it something wrong.
 
Last edited by marine5422,

zoogie

playing around in the dsiware
Developer
Joined
Nov 30, 2014
Messages
8,433
Trophies
2
XP
13,900
Country
Micronesia, Federated States of
This actually helps out a lot but I'm fairly new to encryption and have read a few rudimentary books over it. So if we had access to the encryption key is there a way to decrypt it to figure out its unlocking key, so to speak, or would that require a ton of computing power and time?
That basically. Public/private key cryptography is based on the fact that it's mathematically easy to verify that the message (in our case, a game rom) is legit with the public key, but mathematically and computationally almost impossible to derive the private key (needed to sign our own data) from the public key and message. It's (rsa in this case) based on a "trapdoor function", aka easy to compute one way but difficult to get the inverse. In other words, it's easy to multiply two prime numbers together, but difficult to get a number's factors without guessing. And when we're talking about enormous numbers like with RSA 2048, it's computationally unfeasible to derive the factors since it would take centuries with our present technology.

My attempt at explaining this may be off a little bit off, but the basic gist of it is correct.
The wikipedia article on trapdoor functions is really good, give it a read:
https://en.wikipedia.org/wiki/Trapdoor_function
 
  • Like
Reactions: medoli900
General chit-chat
Help Users
  • No one is chatting at the moment.
    KenniesNewName @ KenniesNewName: +1