Question Deeper Understanding of Firmware

Discussion in 'Switch - Hacking & Homebrew' started by WayneWayne10, Dec 8, 2017.

  1. WayneWayne10
    OP

    WayneWayne10 Newbie

    Newcomer
    8
    5
    Dec 1, 2017
    United States
    This is a question in general regarding firmware. I always noticed that a firmware is typically "signed" by the devices parent company. For example the switches firmware is signed by Nintendo, the PSP's was signed by Sony and so forth. My question is what does that exactly mean and why is it so difficult to spoof a signature? I understand if no one wants to put forth the effort and answer but I've always wondered. I assume it has to do with encryption and what not.
     
  2. marine5422

    marine5422 Advanced Member

    Newcomer
    67
    4
    Feb 8, 2007
    United States
    Google it Public key cryptography, or asymmetrical cryptography. Unless we can get a key directly from nintendo, all kind of method useless, especially Brute-forcing the key.
     
  3. gte206w

    gte206w Newbie

    Newcomer
    1
    0
    Jan 4, 2009
    United States
    You can also start by reading this older thread and see if it satisfies your curiosity enough (won't let me post this if I make it a URL...):

    gbatemp.net/threads/ps3-psp-private-keys-released.272700/
     
  4. WayneWayne10
    OP

    WayneWayne10 Newbie

    Newcomer
    8
    5
    Dec 1, 2017
    United States
    This actually helps out a lot but I'm fairly new to encryption and have read a few rudimentary books over it. So if we had access to the encryption key is there a way to decrypt it to figure out its unlocking key, so to speak, or would that require a ton of computing power and time?
     
  5. SirNapkin1334

    SirNapkin1334 Renound Aritst

    Member
    1,219
    611
    Aug 20, 2017
    United States
    Crap Mountain
    The way a signature works, is that it is made with a special key, and is file specific. Unless you have the encryption key, it'll take a ton of brute forcing to sign a file or encrypt a file.
     
  6. marine5422

    marine5422 Advanced Member

    Newcomer
    67
    4
    Feb 8, 2007
    United States


    It's good post to read, but it look like an ancient legacy. So I added talk more, and easier example with Ninty console.


    [Wii era] - All kind of contents (Disc data, Firmware Update, other all wii shop download) encrypted/signatured with private-key that Ninty have, and can be decrypted with public-key that name as "common-key" which is inside of Wii hardware. and they discover the signature bug that called "Trucha Bug" that can sign the un-autherized contents. Once we get the key from hardware, It's easy to decrypt the contents. (but still you can't encrypt/sign the contents by your own unless you have a private key, and still we didn't know what the private key is until now) You just can download official contents(like firmware) from NUS* by your own (even if you don't have the console) and had a key, decrypt it, and understand it, and sign it. it's done.
    I should say it SECURITY LEVEL 3. :D

    NUS*: Nintendo Update Server

    [3DS era] - Looks similar with wii era, but acutally there isn't 'common-key' that you could found inside of the console. Instead, they use the internal key function that called "key scrambler" when they needed. So if wants to decrypt the contents, you need console and to use the key scrambler previliage by take over the console kernel. Once you take over the console by using the exploit (usually savegame exploit), you can use the key function. And then you can decrypt the contents and signature feature patch. After few years later, someone found the BOOTROM bug, using an exploit now it looks everyone can easily take over their console. (Boot9strap/Firmhax). SECURITY LEVEL 2. :toot:

    *: There is more complicate method when they update their security levels are going up other security still remain but I just say for easy one. So don't blame it.


    [Switch era] - We maybe think this similar with other, BUT you even can't get contents directly from server. Because they need key/authentic to accept the download the from their server. (It's relate with TLS/SSL server protocol inside the console, and they change the server from 3DS era) So you can't get a firmware or digital content unless you have the console and previlige to use this feature. but we don't what is the key and we don't have previlage to use the console to take over. (basically Ninty block the savegame exploit method by using block to save share feature all of your switch game) So now you can't get decrypt the contentsor can't get anything unless you have the one of the above. And all cytography/security function is still unknown for now (few of them known but not all).
    So you are now in here. SECURITY LEVEL 1. :(




    EDIT: I'm not a expert in cytography/security and it can't be explaining all about their system, but that just easy explaining about Ninty console signature/cryptography. So don't blame it if it something wrong.
     
    Last edited by marine5422, Dec 8, 2017
  7. zoogie

    zoogie playing around in the dsiware

    Member
    7,059
    9,097
    Nov 30, 2014
    Micronesia, Federated States of
    That basically. Public/private key cryptography is based on the fact that it's mathematically easy to verify that the message (in our case, a game rom) is legit with the public key, but mathematically and computationally almost impossible to derive the private key (needed to sign our own data) from the public key and message. It's (rsa in this case) based on a "trapdoor function", aka easy to compute one way but difficult to get the inverse. In other words, it's easy to multiply two prime numbers together, but difficult to get a number's factors without guessing. And when we're talking about enormous numbers like with RSA 2048, it's computationally unfeasible to derive the factors since it would take centuries with our present technology.

    My attempt at explaining this may be off a little bit off, but the basic gist of it is correct.
    The wikipedia article on trapdoor functions is really good, give it a read:
    https://en.wikipedia.org/wiki/Trapdoor_function
     
    medoli900 likes this.
Loading...