@Shadowtrance, @dark_samus3, @Apache Thunder and everyone else dabbling around in the dark and dangerous art of OTP dumping, I made a little something that may help streamline the OTP dumping process in the future.
I did some basic testing, but without a hardmod and only a N3DS at my disposal I can't test everything of course.
This is what this can / should do:
- Dump the OTP.bin (0x100 or 0x108)
- On-the-fly switching of the CTRNAND crypto slot 0x4 -> 0x5 or slot 0x5 -> 0x4
- Dumping the NCSD NAND header
- Inject the NCSD NAND header
- Includes a basic set of Decrypt9WIP functionality, including...
- ... dumping / injecting the cryptoswitched CTRNAND partition!
This is what needs testing:
- Dumping the NAND header on O3DS (not dangerous!)
- OTP Dumping, cryptoswitching, injecting the NAND header
- Dumping / injecting the cryptoswitched CTRNAND partition
The code is rather simple, so I'm pretty sure we won't need a whole lot of testing, but I still need to refine some stuff until this can have a proper release.
If this could help, there are some steps that are checking things like WiFi for N3DS and things like that. I guess that the process could be done on Kernel9 like this (remove useless steps for O3DS/2DS):
- Make sure WiFi is enabled
- Dumping NAND (2 files: originalNAND, 2.1NAND)
- Extracting CTRNAND
- Generating 0x4 and 0x5 CTRNAND xorpads and FIRM0+FIRM1 xorpads
- Decrypting CTRNAND with 0x5 xorpad
- Installing CIAs to the CTRNAND, installing the older FIRMs
- Injecting browser configuration and default page into CTRNAND
- Encrypting CTRNAND with 0x4 xorpad into 2.1NAND
- Patching the NCSD header of 2.1NAND
- Reinjecting into 2.1NAND
- Preparing Spider 2.1 payloads on the SD
- Flashing NAND with 2.1NAND
- Rebooting
- User launches Spider 2.1 => Exploiting + RSA_VERIFY => dumping OTP + flashing back originalNAND
- Done