1. Kirito-kun

    OP Kirito-kun Disciple of GabeN
    Banned

    Joined:
    Jul 23, 2013
    Messages:
    290
    Country:
    Canada
    Has anyone thought about uncovering the system encryption's private key by performing a memory dump? The private key has to exist in the system's memory at some point, if it's being used. A memdump will allow the privkey to be accessed while encrypted.


    The original RAM chip can be removed and a reverse-engineered version of the chip that allows interfacing with a PC can be attached in its place. After connecting the modified RAM chip to a PC, we can scan system memory until we find the key.

    Once you have the key, you'll be able to run any code you want on the system. The storage NAND is a separate chip on the PCB, so replacing the RAM shouldn't affect it. This seems like a possible method to hack the system.

    Anyone thought about trying?
     
    Margen67 likes this.
  2. ZhangYang

    ZhangYang Newbie
    Newcomer

    Joined:
    Jun 7, 2012
    Messages:
    9
  3. Kirito-kun

    OP Kirito-kun Disciple of GabeN
    Banned

    Joined:
    Jul 23, 2013
    Messages:
    290
    Country:
    Canada
    So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?
     
    Margen67 likes this.
  4. ZhangYang

    ZhangYang Newbie
    Newcomer

    Joined:
    Jun 7, 2012
    Messages:
    9
    *I am not sure about this but I'll answer this using stuff I read*
    Basically, it's somewhere in the RAM but we don't know where it is. The RAM is encrypted, and we need something to decrypt that.
    EDIT:
    You shouldn't use logic with hacking, because it doesn't usually work out.
     
  5. evandixon

    evandixon PMD Researcher
    Developer

    Joined:
    May 29, 2009
    Messages:
    1,725
    Country:
    United States
    Only the common key would be in memory, and if I remember correctly, it's only there for an instant, making it super hard to find (there's probably some other obstacle too).

    [edit] Ninja'd by ZhangYang. I don't get this kind of thing at my usual forum... Oh well, this is bigger.
     
  6. mercluke

    mercluke ‮҉
    Member

    Joined:
    Dec 2, 2007
    Messages:
    3,163
    Country:
    There is a different key used to sign content than there is to confirm that it is correctly signed.
    The 3DS would not have the signing key stored anywhere because it doesn't need it.
     
    pelago likes this.
  7. RachelB

    RachelB GBAtemp Regular
    Member

    Joined:
    Jul 16, 2013
    Messages:
    151
    Country:
    United States
    Not necessarily. Keys can be stored solely in the CPU, and nowhere else. See TRESOR.
     
    Margen67 and McHaggis like this.
  8. Kirito-kun

    OP Kirito-kun Disciple of GabeN
    Banned

    Joined:
    Jul 23, 2013
    Messages:
    290
    Country:
    Canada

    We don't need the signing key right now. As long as you crack the FS encryption private key, you'll have access to the FS. This will make it much easier to run code on the system, including code which removes the need to sign games.
     
    Margen67 likes this.
  9. Coto

    Coto -
    Member

    Joined:
    Jun 4, 2010
    Messages:
    2,768
    Country:
    Chile
    But ARM11 features an XN (execute never) bit, which will throw an exception if code jumps to an area with XN set to 1 (and it cannot be set to 0 without kernel access; see user mode vs. privileged mode, but some guys have already reached that point).
     
  10. xblackdemonx

    xblackdemonx Member
    Newcomer

    Joined:
    Nov 4, 2011
    Messages:
    36
    Country:
    Canada
    Please do it for us then
     
    Margen67 likes this.
  11. Kirito-kun

    OP Kirito-kun Disciple of GabeN
    Banned

    Joined:
    Jul 23, 2013
    Messages:
    290
    Country:
    Canada
    Would you like to provide me with a 3DS to tear down? The method I am describing requires the destruction of the system.
     
  12. RedCoreZero

    RedCoreZero Creativity is Power
    Banned

    Joined:
    Nov 12, 2012
    Messages:
    526
    Country:
    United States
    Smells like lock bait!
     
  13. Snailface

    Snailface My frothing demand for 3ds homebrew is increasing
    Member

    Joined:
    Sep 20, 2010
    Messages:
    4,324
    Country:
    3DS homebrew is not at a primitive stage for yellows8 and neimod. They have full kernel control on firmware 4.5.

    It really seems like you have missed the last 2.5 years of 3DS hacking and are now just waking up to make useless and simplistic generalizations about 3DS security.
     
  14. WhiteMaze

    WhiteMaze GBAtemp Maniac
    Member

    Joined:
    Jun 16, 2013
    Messages:
    1,084
    Country:
    Portugal
    Wow. Easy there.

    I think we all understood what he meant by that.
     
    Celice likes this.
  15. Ericthegreat

    Ericthegreat Not New Member
    Member

    Joined:
    Nov 8, 2008
    Messages:
    3,395
    Country:
    United States
    The real question is what happened to the pics that people donated 2k for. I would think they would make them public if they had them... Not nice to get people to donate for them and not share...

    Edit: So this hasn't been done due to $300...
     
    Margen67 likes this.
  16. 3DSGuy

    3DSGuy No longer in scene
    Member

    Joined:
    May 22, 2012
    Messages:
    345
    Country:
    United States
    The keys are never actually in the RAM. All AES keys except decrypted title keys are never stored in their "final" form; instead the key is descrambled by a hardware AES engine embedded in the SoC when it is required for decrypting something.
    Signature checks are done by the bootloader to verify the FW stored in the NAND. So yes, you do need the signing key.
     
    Dartz150 and pelago like this.
  17. 13ds
    This message by 13ds has been removed from public view by raulpica, Sep 20, 2013.
    Jul 24, 2013
  18. muskieratboi

    muskieratboi Rydian's got some competition!
    Member

    Joined:
    Sep 19, 2012
    Messages:
    423
    Country:

    Getting Data? Very Easy!

    DECRYPTING that Data? Nigh-Impossible, without some kind of exploit, which is exactly what we've been looking for all these years.

    RE-ENCRYPTING It to actually execute the data (barring unsigned code execution which could require another exploit entirely) without access to the private key? Nope.
     
  19. WhiteMaze

    WhiteMaze GBAtemp Maniac
    Member

    Joined:
    Jun 16, 2013
    Messages:
    1,084
    Country:
    Portugal
    Not that I want to cause any flaming, and neither am I trying to offend anyone here. I know these things can be quite complicated and very hard to achieve.

    But that is exactly the kind of "thinking" that, if the Gateway team had done it, we would not have a cart that can play 3DS roms today.
     
  20. muskieratboi

    muskieratboi Rydian's got some competition!
    Member

    Joined:
    Sep 19, 2012
    Messages:
    423
    Country:

    The difference is that the Gateway team (apparently, since we STILL have yet to see the physical cartridge itself in the wild) know what the heck they are doing, and thus found said unsigned code execution exploit.

    In other words, read Rydian's thread, namely this:

    "Why not look into the 3DS and find the key?"
    • The key to sign things is not in the 3DS. The 3DS has a "common/public" key which is used to decrypt things and check signatures. Only Nintendo has the "secret/private" key/data needed to sign things. See here or here for the basic idea of how asymmetric encryption works.
     
    WhiteMaze likes this.
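As an added illustration of the point in Rydian's quoted FAQ (this is example code, not anything posted in the thread or used by the 3DS): a toy textbook-RSA model in which the "console" holds only the public half (n, e) and can verify a firmware image, while only the "vendor" holding d can produce a signature. The primes, the firmware bytes, and the hash-then-reduce step are constructed for readability; a real scheme uses large keys and padding.

```python
# Added example: asymmetric signing vs. verification. The console side never
# holds d, so a full dump of its memory yields nothing that can sign a patched image.
# Textbook RSA with small constructed primes and no padding: illustration only.
import hashlib


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def make_keypair(p, q, e=65537):
    """Vendor-side key generation. Only (n, e) is ever shipped to the console."""
    n = p * q
    d = modinv(e, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest_int(data, n):
    """Hash the image and reduce into Z_n (toy step; real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def vendor_sign(private_key, image):
    n, d = private_key
    return pow(digest_int(image, n), d, n)


def console_verify(public_key, image, signature):
    """What a bootloader does: needs only (n, e), never d."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(image, n)


# Constructed demo primes (far too small for real use).
P, Q = 1000000007, 998244353
PUBLIC_KEY, PRIVATE_KEY = make_keypair(P, Q)


def demo():
    firmware = b"constructed firmware image v1"
    sig = vendor_sign(PRIVATE_KEY, firmware)
    genuine = console_verify(PUBLIC_KEY, firmware, sig)
    # Patch one byte: the old signature no longer matches, and re-signing needs d.
    tampered = console_verify(PUBLIC_KEY, firmware.replace(b"v1", b"v2"), sig)
    return genuine, tampered
```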
  21. muskieratboi

    muskieratboi Rydian's got some competition!
    Member

    Joined:
    Sep 19, 2012
    Messages:
    423
    Country:
    Posts merged.
     