Hacking DSi internal memory question

zbrahead91

Member
OP
Newcomer
Joined
Sep 14, 2009
Messages
10
Trophies
0
XP
121
Country
Just a quick question and depending on the answer I may have some ideas.

Is the internal non-volatile memory encrypted?

By internal non-volatile memory encryption, I mean if one were to hijack the pins of the internal memory chip and read it, would it make sense?
 

zbrahead91

Member
OP
Newcomer
Joined
Sep 14, 2009
Messages
10
Trophies
0
XP
121
Country
EDIT: According to Hack Mii the internal flash is easily accessible.

My question is now thus:

If, like the Wii, the DSiWare channels are stored on the internal flash unencrypted, could one not take this file and analyse it in a similar way to NDS ROMs (modified ndstool? I'm assuming, due to the unavoidable similarities between the two, that this shouldn't be too hard)? Should this analysis be achieved, would it be a far stretch to suppose that we could insert unsigned code (a la ARM7 Fix)?

Additionally, if it is unencrypted, then we have a crib by which to attempt to locate the SD keys, and be able to use that DSi to run 'homebrew' DSiWare on that individual DSi?

This is all about 'jailbreaking' an individual DSi (in a fairly destructive process too, for that matter). Would this achievement lead to an easier understanding of the security systems in place, to achieve a softmod?


EDIT2: I may be talking complete bullcrap here, but meh. This is what I have gleaned from other, not-dissimilar threads.

EDIT3: I have no idea about DSi stuff, btw. I am, however, an experienced Win32 cracker.
 

zbrahead91

Member
OP
Newcomer
Joined
Sep 14, 2009
Messages
10
Trophies
0
XP
121
Country
Further thoughts:

Upon studying two encrypted files of the same game (WW:S), I think that maybe the encryption could be an XOR of the unencrypted file with the DSi's shop key or something else.

If it were possible to use a known-plaintext attack on this (maybe using the WarioWare: Smooth Moves title file/format/thing/header; see .NDS file breakdowns), it may be possible to gain the system's shop channel key, IF and only IF the thing is XOR. (Let's face it, the DSi isn't really capable of encrypting multi-megabyte files that quickly unless the operation was simple and computationally inexpensive. HELLO XOR!!!) Problem is I have no idea how long the key is (probably 2^n or something), so it would be quite hard to guarantee we got the right answer.

Just had an idea whilst typing this, which needs to be confirmed... is any part of the (unencrypted) DS ROM the same size throughout *every* DS ROM, sort of a common feature? If so, this could be used to attempt a known-plaintext attack. Problem is the common feature has to be long enough in terms of bytes to allow for differing possible sizes of key.

Just some random disjointed thoughts; make with them what you will.

EDIT: This is all based on assumptions and conjecture, just want to emphasise that. (I swear this is an educated guess.... Honest!)

EDIT2: Just another thought: if we break it once and it is XOR, we have basically mauled the DSi's key for every DSi for that game. Hopefully this key isn't salted according to the game, and we can thus use the same key to decrypt/re-encrypt other games/homebrew.
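
Added example (not from the thread, and not a description of what the DSi actually does): a worked version of the known-plaintext ("crib") attack the post above proposes, under the post's own hypothesis that the file is XORed with a short repeating key. Every input here is constructed: HEADER stands in for a header that every title file is assumed to share, KEY_A and KEY_B are made-up 16-byte keys, and CT_STREAM is the same plaintext under a non-repeating SHA-256 counter keystream so the failure case is visible too. The code recovers the key from a crib at any offset, needs the crib to be at least twice the key length to pin the period down (the post's "long enough" worry), shows that a per-title key would not carry over to another title, and shows that against a non-repeating keystream the crib yields only the keystream bytes it covers and no key.

```python
"""Known-plaintext attack on a repeating-key XOR 'cipher'.

Added example, not from the thread. All data is constructed here and
says nothing about the DSi's real scheme; it shows what a crib recovers
IF the encryption is XOR with a short repeating key, and what it does
not recover otherwise.
"""
import hashlib
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_from_crib(ciphertext: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Keystream bytes under the crib: k = c XOR p, one per known plaintext byte."""
    segment = ciphertext[offset:offset + len(crib)]
    return bytes(c ^ p for c, p in zip(segment, crib))


def find_period(keystream: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest period at which the recovered keystream repeats exactly.

    Only periods that fit at least twice into the crib are tried, so a
    longer crib is needed to rule out longer keys.
    """
    for period in range(1, max_period + 1):
        if 2 * period > len(keystream):
            break
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return period
    return None


def recover_key(ciphertext: bytes, crib: bytes, offset: int = 0,
                max_period: int = 64) -> Optional[bytes]:
    """Recover the full repeating key from a crib placed anywhere in the file.

    Keystream byte t covers ciphertext index offset+t, which was XORed with
    key[(offset+t) % period]; realign so key[0] is the byte used at offset 0.
    """
    ks = keystream_from_crib(ciphertext, crib, offset)
    period = find_period(ks, max_period)
    if period is None:
        return None
    return bytes(ks[(j - offset) % period] for j in range(period))


def counter_keystream(seed: bytes, length: int) -> bytes:
    """Non-repeating keystream (SHA-256 of seed||counter): the 'real cipher' case."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


# --- constructed sample data (hypothetical, not real title files) ----------
HEADER = b"WARIOWARE SM" + b"\x00" * 4 + b"AWMP01" + b"\x00" * 10 + bytes(range(16))  # 48 bytes
BODY = bytes((i * 73 + 29) & 0xFF for i in range(1000))
PLAINTEXT = HEADER + BODY
KEY_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # hypothetical 16-byte key
KEY_B = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # a different per-title key
CT_XOR_A = xor_bytes(PLAINTEXT, KEY_A)
CT_XOR_B = xor_bytes(PLAINTEXT, KEY_B)
CT_STREAM = bytes(p ^ k for p, k in zip(PLAINTEXT, counter_keystream(b"seed", len(PLAINTEXT))))


def main() -> None:
    # Crib = the 48-byte header that every sample file is assumed to share.
    key = recover_key(CT_XOR_A, HEADER)
    print("repeating-key XOR: key", key.hex(), "decrypts:", xor_bytes(CT_XOR_A, key) == PLAINTEXT)
    # A crib taken from the middle of the file works just as well.
    print("crib at offset 100 gives same key:", recover_key(CT_XOR_A, PLAINTEXT[100:148], offset=100) == KEY_A)
    # If keys are per-title ('salted'), title A's key does nothing for title B.
    print("key A decrypts title B:", xor_bytes(CT_XOR_B, KEY_A) == PLAINTEXT)
    # With a non-repeating keystream the crib reveals only the 48 bytes it covers.
    print("non-repeating keystream, period found:", find_period(keystream_from_crib(CT_STREAM, HEADER)))


if __name__ == "__main__":
    main()
```

Run it as a script to see the four cases; the exact-repeat check in find_period is deliberately strict, so a crib shorter than twice the key length returns no period rather than a guess.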
 

zbrahead91

Member
OP
Newcomer
Joined
Sep 14, 2009
Messages
10
Trophies
0
XP
121
Country
In the meantime, just having a fiddle with a frequency analysis attack.

EDIT: Bah, I fail at this kind of thing. *googles for programs to do it for me*
 

zbrahead91

Member
OP
Newcomer
Joined
Sep 14, 2009
Messages
10
Trophies
0
XP
121
Country
DeltaBurnt said:
His ideas fail mwuhahahaha.
Bushing shot 'em down.
Oh and nice quadruple post hah

This was my notepad!

I applied logic! and bushing shot them down *politely*. This constitutes a win.
 
