Hacking Question Deeper Understanding of Firmware

Would more users like to know more about the "hacking" process?


  • Total voters
    29

WayneWayne10

Member
OP
Newcomer
Joined
Dec 1, 2017
Messages
17
Trophies
0
Age
32
XP
217
Country
United States
This is a question in general regarding firmware. I always noticed that a firmware is typically "signed" by the devices parent company. For example the switches firmware is signed by Nintendo, the PSP's was signed by Sony and so forth. My question is what does that exactly mean and why is it so difficult to spoof a signature? I understand if no one wants to put forth the effort and answer but I've always wondered. I assume it has to do with encryption and what not.
 

marine5422

Well-Known Member
Newcomer
Joined
Feb 8, 2007
Messages
93
Trophies
0
XP
515
Country
United States
Google it Public key cryptography, or asymmetrical cryptography. Unless we can get a key directly from nintendo, all kind of method useless, especially Brute-forcing the key.
 

gte206w

New Member
Newbie
Joined
Jan 4, 2009
Messages
3
Trophies
0
XP
272
Country
United States
You can also start by reading this older thread and see if it satisfies your curiosity enough (won't let me post this if I make it a URL...):

gbatemp.net/threads/ps3-psp-private-keys-released.272700/
 

WayneWayne10

Member
OP
Newcomer
Joined
Dec 1, 2017
Messages
17
Trophies
0
Age
32
XP
217
Country
United States
You can also start by reading this older thread and see if it satisfies your curiosity enough (won't let me post this if I make it a URL...):

gbatemp.net/threads/ps3-psp-private-keys-released.272700/

This actually helps out a lot but I'm fairly new to encryption and have read a few rudimentary books over it. So if we had access to the encryption key is there a way to decrypt it to figure out its unlocking key, so to speak, or would that require a ton of computing power and time?
 

SirNapkin1334

Renound Aritst
Member
Joined
Aug 20, 2017
Messages
1,665
Trophies
1
XP
975
Country
United States
This actually helps out a lot but I'm fairly new to encryption and have read a few rudimentary books over it. So if we had access to the encryption key is there a way to decrypt it to figure out its unlocking key, so to speak, or would that require a ton of computing power and time?
The way a signature works, is that it is made with a special key, and is file specific. Unless you have the encryption key, it'll take a ton of brute forcing to sign a file or encrypt a file.
 

marine5422

Well-Known Member
Newcomer
Joined
Feb 8, 2007
Messages
93
Trophies
0
XP
515
Country
United States
This is a question in general regarding firmware. I always noticed that a firmware is typically "signed" by the devices parent company. For example the switches firmware is signed by Nintendo, the PSP's was signed by Sony and so forth. My question is what does that exactly mean and why is it so difficult to spoof a signature? I understand if no one wants to put forth the effort and answer but I've always wondered. I assume it has to do with encryption and what not.

You can also start by reading this older thread and see if it satisfies your curiosity enough (won't let me post this if I make it a URL...):

gbatemp.net/threads/ps3-psp-private-keys-released.272700/



It's good post to read, but it look like an ancient legacy. So I added talk more, and easier example with Ninty console.


[Wii era] - All kind of contents (Disc data, Firmware Update, other all wii shop download) encrypted/signatured with private-key that Ninty have, and can be decrypted with public-key that name as "common-key" which is inside of Wii hardware. and they discover the signature bug that called "Trucha Bug" that can sign the un-autherized contents. Once we get the key from hardware, It's easy to decrypt the contents. (but still you can't encrypt/sign the contents by your own unless you have a private key, and still we didn't know what the private key is until now) You just can download official contents(like firmware) from NUS* by your own (even if you don't have the console) and had a key, decrypt it, and understand it, and sign it. it's done.
I should say it SECURITY LEVEL 3. :D

NUS*: Nintendo Update Server

[3DS era] - Looks similar with wii era, but acutally there isn't 'common-key' that you could found inside of the console. Instead, they use the internal key function that called "key scrambler" when they needed. So if wants to decrypt the contents, you need console and to use the key scrambler previliage by take over the console kernel. Once you take over the console by using the exploit (usually savegame exploit), you can use the key function. And then you can decrypt the contents and signature feature patch. After few years later, someone found the BOOTROM bug, using an exploit now it looks everyone can easily take over their console. (Boot9strap/Firmhax). SECURITY LEVEL 2. :toot:

*: There is more complicate method when they update their security levels are going up other security still remain but I just say for easy one. So don't blame it.


[Switch era] - We maybe think this similar with other, BUT you even can't get contents directly from server. Because they need key/authentic to accept the download the from their server. (It's relate with TLS/SSL server protocol inside the console, and they change the server from 3DS era) So you can't get a firmware or digital content unless you have the console and previlige to use this feature. but we don't what is the key and we don't have previlage to use the console to take over. (basically Ninty block the savegame exploit method by using block to save share feature all of your switch game) So now you can't get decrypt the contentsor can't get anything unless you have the one of the above. And all cytography/security function is still unknown for now (few of them known but not all).
So you are now in here. SECURITY LEVEL 1. :(




EDIT: I'm not a expert in cytography/security and it can't be explaining all about their system, but that just easy explaining about Ninty console signature/cryptography. So don't blame it if it something wrong.
 
Last edited by marine5422,

zoogie

playing around in the end of life
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
14,998
Country
Micronesia, Federated States of
This actually helps out a lot but I'm fairly new to encryption and have read a few rudimentary books over it. So if we had access to the encryption key is there a way to decrypt it to figure out its unlocking key, so to speak, or would that require a ton of computing power and time?
That basically. Public/private key cryptography is based on the fact that it's mathematically easy to verify that the message (in our case, a game rom) is legit with the public key, but mathematically and computationally almost impossible to derive the private key (needed to sign our own data) from the public key and message. It's (rsa in this case) based on a "trapdoor function", aka easy to compute one way but difficult to get the inverse. In other words, it's easy to multiply two prime numbers together, but difficult to get a number's factors without guessing. And when we're talking about enormous numbers like with RSA 2048, it's computationally unfeasible to derive the factors since it would take centuries with our present technology.

My attempt at explaining this may be off a little bit off, but the basic gist of it is correct.
The wikipedia article on trapdoor functions is really good, give it a read:
https://en.wikipedia.org/wiki/Trapdoor_function
 
  • Like
Reactions: medoli900

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • No one is chatting at the moment.
  • Sicklyboy @ Sicklyboy:
    Leave
  • Sicklyboy @ Sicklyboy:
    I'm fortunate to have had some managers over the years who I've straight up told to go fuck themselves, and not get in trouble for it. Help that I've been on the receiving end of that as well lmao
  • BigOnYa @ BigOnYa:
    Agreed, you can tell him you quit when you see him in court, (For defecation on property, charges)
  • K3Nv2 @ K3Nv2:
    There's a difference in a abusive management rather than one drilling into you for messing up
  • Sicklyboy @ Sicklyboy:
    Told my last boss that I was resigning and he was confused and asked if I was serious 😭🤣
  • K3Nv2 @ K3Nv2:
    My last boss got investigated for racial slurs and guess what happened to him
  • BigOnYa @ BigOnYa:
    I luckily haven't had a boss in over 20 years, (independent contractor) but the people I do work for, it's pretty much like they my bosses, and yea some can be assholes. But there has been many jobs I've walked off and mailed they're checks back to them.
  • K3Nv2 @ K3Nv2:
    Bosses should yell at workers for mess ups they just need to know the difference in abuse and punishment
  • BigOnYa @ BigOnYa:
    I don't abuse or curse at my employess, I feel like waving the gun around gets the point across just fine.
  • K3Nv2 @ K3Nv2:
    A boss is basically a glorified baby sitter
    +1
  • K3Nv2 @ K3Nv2:
    I respect one's that tells someone what to do clearly, warn them when they mess up and actually put work in with a crew
    +1
  • Sicklyboy @ Sicklyboy:
    That's how all of my last managers have been in this job and my last one. Last time I had a manager where I was being micromanaged to hell and back was over a decade ago when I worked retail
  • Sicklyboy @ Sicklyboy:
    My managers nowadays are perfectly fine assigning me a project and just checking in once every week or two
  • K3Nv2 @ K3Nv2:
    I had to micromanage the managers
  • Sicklyboy @ Sicklyboy:
    At my last job I (as an individual contributor, not a manager or supervisor or anything) used to be the one to tell my manager when I was traveling for work "hey I'm gonna be out of office between x and y dates, I got something on the other side of the country I'm gonna go work on"
  • Sicklyboy @ Sicklyboy:
    Which was not the normal dynamic for that role lmao
  • Sicklyboy @ Sicklyboy:
    Don't get to travel for my current job :(
  • K3Nv2 @ K3Nv2:
    Had me started working 10 days in a row with different days off after that I was like no
  • Sicklyboy @ Sicklyboy:
    On the bright side, I also don't even have to leave my house for my current job, so... could be worse
  • K3Nv2 @ K3Nv2:
    Some of the shift workers were so bad it held us up from 10pm to 10am
  • wolffangalchemist @ wolffangalchemist:
    coming to the painful realization backing up my ps2's hdd to swap in a sata ssd, i need a faster more modern way to interface with old ide hard drives than using hdlgmanclient or ftp over network.
  • Sicklyboy @ Sicklyboy:
    NIC is only 10/100 right?
  • wolffangalchemist @ wolffangalchemist:
    that was fast in they year 2000
    +1
  • wolffangalchemist @ wolffangalchemist:
    i have three network adapters 2 standard us ones with the ethernet and phone jack and one slimmer Japanese one with just a ethernet port. not sure if one would be faster than the other. i installed a sata adapter thing i got off temu for 3 dollars in the Japanese one thought, was surprised it actually works. but considering i got 18 games to go, gonna be a two day endeavor at this point.
    wolffangalchemist @ wolffangalchemist: i have three network adapters 2 standard us ones with the ethernet and phone jack and one...