Further thoughts:
Upon studying two encrypted files of the same game (WW:S) I think that maybe the encryption could be XORing of the file with the DSi's shopkey/something else with the unencrypted file.
If it were possible to use a known-plaintext attack on this (maybe using the WarioWare : Smooth Moves title file/format/thing/header (see .NDS file breakdowns) it may be possible to gain the system's shop channel key. IF and only IF the thing is XOR. (Lets face it, the DSi isn't really capable of encrypting multi-megabyte files that quickly unless the operation was simple and computationally inexpensive, HELLO XOR!!!
) Problem is I have no idea how long the key is, (prolly 2^n or sth) so it would be quite hard to guarantee we got the right answer.
Just had an idea whilst typing this, which needs to be confirmed... is any part of the (unencrypted) DS rom the same size throughout *every* DS rom, sort of a common feature? If so, this could be used to attempt a known-plaintext attack
. Problem is the common feature has to be long enough in terms of bytes to allow differing possible sizes of key.
Just some random disjointed thoughts
make with them what you will.
EDIT: This is all based on assumptions and conjecture, just want to emphasise that. (I swear this is an educated guess.... Honest!)
EDIT2: Just another thought, if we break it once and it is XOR, we have basically mauled the DSi's key for every DSi for that game, hopefully this key isn't salted according to the game, and can thus use the same key to decrypt/re-encrypt othergames /homebrew.
