DSi internal memory question

Discussion in 'NDS - Flashcarts and Accessories' started by zbrahead91, Oct 30, 2009.

Oct 30, 2009
  1. zbrahead91
    OP

    Newcomer zbrahead91 Member

    Joined:
    Sep 14, 2009
    Messages:
    10
    Country:
    United Kingdom
    Just a quick question and depending on the answer I may have some ideas.

    Is the internal non-volatile memory encrypted?

    By internal non-volatile memory encryption, I mean if one were to hijack the pins of the internal memory chip and read it, would it make sense?
     
  2. zbrahead91
    OP

    Newcomer zbrahead91 Member

    Joined:
    Sep 14, 2009
    Messages:
    10
    Country:
    United Kingdom
    EDIT: According to Hack Mii the internal flash is easily accessible.

    My question is now thus:

    If, like the Wii, the DSiWare channels are stored on the internal flash unencrypted, could one not take this file and analyse it in a similar way to NDS ROMs (modified ndstool? I'm assuming due to the unavoidable similarities between the two this shouldn't be too hard)? Should this analysis be achieved, would it be a far stretch to suppose that we could insert unsigned code in (a la ARM7 Fix)?

    Additionally, if it is unencrypted, then we have a crib by which to attempt to locate the SD keys, and be able to use that DSi to run 'homebrew' DSiWare on that individual DSi?

    This is all about 'jailbreaking' an individual DSi (in a fairly destructive process too, for that matter). Would this achievement lead to an easier understanding of the security systems in place to achieve a softmod?


    EDIT2: I may be talking complete bullcrap here, but meh. This is what I have gleaned from other, not-dissimilar threads.

    EDIT3: I have no idea with DSi stuff, btw. I am, however an experienced Win32 cracker.
     
  3. zbrahead91
    OP

    Newcomer zbrahead91 Member

    Joined:
    Sep 14, 2009
    Messages:
    10
    Country:
    United Kingdom
    Further thoughts:

    Upon studying two encrypted files of the same game (WW:S) I think that maybe the encryption could be XORing of the file with the DSi's shopkey/something else with the unencrypted file.

    If it were possible to use a known-plaintext attack on this (maybe using the WarioWare : Smooth Moves title file/format/thing/header (see .NDS file breakdowns)) it may be possible to gain the system's shop channel key. IF and only IF the thing is XOR. (Let's face it, the DSi isn't really capable of encrypting multi-megabyte files that quickly unless the operation was simple and computationally inexpensive, HELLO XOR!!!) Problem is I have no idea how long the key is, (prolly 2^n or sth) so it would be quite hard to guarantee we got the right answer.

    Just had an idea whilst typing this, which needs to be confirmed... is any part of the (unencrypted) DS rom the same size throughout *every* DS rom, sort of a common feature? If so, this could be used to attempt a known-plaintext attack. Problem is the common feature has to be long enough in terms of bytes to allow differing possible sizes of key.

    Just some random disjointed thoughts, make with them what you will.

    EDIT: This is all based on assumptions and conjecture, just want to emphasise that. (I swear this is an educated guess.... Honest!)

    EDIT2: Just another thought, if we break it once and it is XOR, we have basically mauled the DSi's key for every DSi for that game, hopefully this key isn't salted according to the game, and can thus use the same key to decrypt/re-encrypt other games/homebrew.
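
    Added example, not part of the original posts: a check of the hypothesis raised above on constructed data, showing why the shared field (the crib) must cover at least two repeats of the key before a repeating-XOR key length can be confirmed, and how a keystream that does not repeat falsifies the XOR guess. The header, key, file contents and function names are all assumptions made up for this illustration.

```python
import hashlib
from itertools import cycle

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Scheme under test: XOR the data with the key repeated end to end."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def keystream_from_crib(ciphertext: bytes, crib: bytes) -> bytes:
    """Known plaintext at offset 0 exposes the keystream: C xor P = K."""
    return bytes(c ^ p for c, p in zip(ciphertext, crib))

def smallest_period(stream: bytes):
    """Smallest p for which the stream repeats with period p across at least
    two full repeats (so len(stream) >= 2*p); None if none is visible."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None

def recover_key(ciphertext: bytes, crib: bytes):
    """Return the repeating key only when the crib is long enough to confirm
    its length; otherwise None (hypothesis unconfirmed or wrong)."""
    ks = keystream_from_crib(ciphertext, crib)
    p = smallest_period(ks)
    return ks[:p] if p else None

# Constructed sample data: not a real ROM header, title file or console key.
HEADER = b"CONSTRUCTED-FIXED-HEADER-v1" + bytes(5)      # 32-byte shared field
FILE = HEADER + b"body bytes that differ from file to file"
KEY = bytes.fromhex("1f8a33c47be2905d")                 # 8-byte repeating key
CT = xor_repeating(FILE, KEY)

# Same header under a keystream that never repeats inside the crib, which is
# what a real block or stream cipher looks like from this vantage point.
NOREPEAT = hashlib.sha256(b"constructed keystream").digest()
CT_NOREPEAT = xor_repeating(HEADER, NOREPEAT)

if __name__ == "__main__":
    print("32-byte crib:", recover_key(CT, HEADER))        # key confirmed
    print("12-byte crib:", recover_key(CT, HEADER[:12]))   # too short: None
    print("non-repeating:", recover_key(CT_NOREPEAT, HEADER))  # None
```
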
     
  4. zbrahead91
    OP

    Newcomer zbrahead91 Member

    Joined:
    Sep 14, 2009
    Messages:
    10
    Country:
    United Kingdom
    In the meantime, just having a fiddle with a frequency analysis attack

    EDIT: Bah, I fail at this kind of thing. *googles for programs to do it for me*
     
  5. BlackDave

    Member BlackDave Official GBATemp "Cleanup Guy"

    Joined:
    Aug 27, 2009
    Messages:
    913
    Location:
    The Promised Land...
    Country:
    United States
  6. DeltaBurnt

    Member DeltaBurnt I'm bored

    Joined:
    Feb 21, 2009
    Messages:
    3,353
    Location:
    Where intellect matters
    Country:
    United States
    His ideas fail mwuhahahaha.

    Bushing shot em down

    Oh and nice quadruple post hah
     
  7. zbrahead91
    OP

    Newcomer zbrahead91 Member

    Joined:
    Sep 14, 2009
    Messages:
    10
    Country:
    United Kingdom
    This was my notepad!

    I applied logic! and bushing shot them down *politely* This constitutes a win
     
  8. rockstar99

    Member rockstar99 Hi

    Joined:
    Dec 3, 2008
    Messages:
    7,375
    Location:
    Toronto
    Country:
    Canada
    sorry pal just leave it to TT

    happy halloween
     
  9. zbrahead91
    OP

    Newcomer zbrahead91 Member

    Joined:
    Sep 14, 2009
    Messages:
    10
    Country:
    United Kingdom
    Leave it to TT?
    Why not try and help, I mean, *actually* help. (not bitching and bemoaning and telling them to do it faster helping)
     
  10. rockstar99

    Member rockstar99 Hi

    Joined:
    Dec 3, 2008
    Messages:
    7,375
    Location:
    Toronto
    Country:
    Canada
    so try messaging them how do you know they're reading what you're posting here

    happy halloween
     
  11. zbrahead91
    OP

    Newcomer zbrahead91 Member

    Joined:
    Sep 14, 2009
    Messages:
    10
    Country:
    United Kingdom
    I don't plus I am lurking in @dsidev
     