How are 3ds games encrypted/ideas on how to decrypt them?

Discussion in '3DS - Flashcards & Custom Firmwares' started by ILOVEPIE, Sep 9, 2014.

  1. ILOVEPIE (OP), Advanced Member
    I understand that there is an encryption suite protecting 3DS games, but I'm interested in what kind, because certain forms of encryption are only useful so long as both ends remain uncracked. If the encryption on 3DS carts is AES, then I see no reason why we cannot extract the common key from the firmware of a 3DS; if everyone focused their efforts on one 3DS, we should be able to break its unique encryption keys and extract the common key from a disassembly of the OS. Another option might be to use emunand to do memory scanning for the common key. We can apply methods that have been proven for other heavily encrypted and/or obfuscated systems; it's no different than trying to reverse engineer a heavily obfuscated and encrypted PC program, or am I wrong?
     
  2. Kaphotics (badc0ded)
    The key is set by the bootrom, and is write-only.

    The bootrom has not been dumped, so no AES key, which is why the 3DS has to be used to generate xorpads.
     
  3. ILOVEPIE (OP), Advanced Member
    Do you mean it's in write-only memory, or do you mean you can only pass the key to the OS, not retrieve it? Because if it's the latter, you can memory-scan for it; if it's the former, then how does it fetch the key in order to decrypt the ROMs when it runs them?
     
  4. Relys (Master of Computer Science)

    [/thread]
     
  5. ILOVEPIE (OP), Advanced Member
    Relys, I understand what he said; I'm trying to clarify what he meant. If we have kernel-mode access (which I believe the current exploit gives us), we can memory-scan the whole system for the key, assuming that it's not in hardware WOM. If the key is in software-based write-only memory (i.e. like the flags Windows uses on sections of memory in programs to make them readable, writable, and/or executable), it can be bypassed. If it's hardware-based WOM, then we need to figure out how the OS accesses it to decrypt the games (we could potentially get the key by piggybacking on the game decryption), unless it's done using a hardware decryption chip, in which case we'd need someone to dissect that hardware.
     
  6. gamesquest1 (Nabnut)
    Imagine it's like a magic box: you put something in one side and it comes out the other side decrypted. The OS never does the decryption; it just passes it through the AES chip, which spits out the decrypted version... so the system never has access to the "key" itself.

    Well, that's how I would explain it anyway, with my limited knowledge from just reading up on 3dbrew and what devs have said about how it works.
     
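The engine that Kaphotics (key written by the bootrom, write-only, device used to generate xorpads) and gamesquest1 (data passed through the AES chip, OS never holds the key) describe is easier to reason about with a small model. The following is an added example written for this thread, not code from the thread or from any 3DS project. It assumes an HMAC-based keystream as a stand-in for AES-CTR, and the key, nonce and data are constructed; the class and function names are this example's own.

```python
import hashlib
import hmac


class WriteOnlyKeyslot:
    """Software model of a hardware AES keyslot (a constructed illustration, not the
    real 3DS engine). Boot code writes the key; no method ever returns it. Callers
    can only ask the engine for keystream (an "xorpad") or for data XORed with it."""

    BLOCK = 16  # keystream bytes per counter value, the AES block size

    def __init__(self) -> None:
        self._key = None

    def set_key(self, key: bytes) -> None:
        """Write-only: load a 128-bit key. There is deliberately no get_key()."""
        if len(key) != 16:
            raise ValueError("expected a 16-byte key")
        self._key = bytes(key)

    def _block(self, nonce: bytes, counter: int) -> bytes:
        # Stand-in for one AES-CTR keystream block (assumption for this model: a keyed
        # PRF over nonce || counter). The property it shares with a real engine is that
        # keystream depends only on key, nonce and counter, never on the data processed.
        if self._key is None:
            raise RuntimeError("keyslot is empty")
        msg = nonce + counter.to_bytes(4, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()[: self.BLOCK]

    def xorpad(self, nonce: bytes, length: int) -> bytes:
        """Return `length` bytes of keystream: this is what a 'xorpad' is."""
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += self._block(nonce, counter)
            counter += 1
        return bytes(out[:length])

    def crypt(self, nonce: bytes, data: bytes) -> bytes:
        """CTR-style pass-through: the same XOR encrypts and decrypts."""
        return xor_bytes(data, self.xorpad(nonce, len(data)))


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad of equal length, as software would apply a saved xorpad."""
    if len(pad) != len(data):
        raise ValueError("pad length must match data length")
    return bytes(a ^ b for a, b in zip(data, pad))


def public_api(slot: WriteOnlyKeyslot) -> list:
    """Names the engine exposes to software; the check a reviewer makes for a key-read path."""
    return sorted(n for n in dir(slot) if not n.startswith("_"))


def demo() -> dict:
    """Walk through the design: boot code loads the key, software decrypts without it."""
    slot = WriteOnlyKeyslot()
    slot.set_key(bytes(range(16)))  # constructed key, written once at "boot"
    nonce = b"\x00" * 12  # constructed per-content nonce
    plaintext = b"constructed sample of game content"
    ciphertext = slot.crypt(nonce, plaintext)
    # 1. Software recovers the plaintext by driving the engine, never by reading the key.
    via_engine = slot.crypt(nonce, ciphertext)
    # 2. A pad generated once for this nonce decrypts the same content offline.
    pad = slot.xorpad(nonce, len(ciphertext))
    via_pad = xor_bytes(ciphertext, pad)
    # 3. A pad for a different nonce is useless, so the key stays isolated, but whoever can
    #    drive the engine still gets the content the key was meant to protect.
    wrong_pad = slot.xorpad(b"\x01" * 12, len(ciphertext))
    return {
        "engine_decrypts": via_engine == plaintext,
        "pad_decrypts": via_pad == plaintext,
        "wrong_nonce_fails": xor_bytes(ciphertext, wrong_pad) != plaintext,
        "key_read_path_exposed": "get_key" in public_api(slot),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the two design points in the posts above concrete: the engine's public surface has a set path but no read path, so calling the engine cannot hand the key back; and the keystream depends only on key, nonce and counter, which is exactly why a pad generated by the engine decrypts content without the key ever leaving hardware. Key isolation protects the key, not the content, from anyone who can drive the engine, which is the threat a system designer has to plan for separately.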
  7. ILOVEPIE (OP), Advanced Member
    Oh... ok, that makes more sense... they're using a hardware chip to do decryption... anyone with a broken DS and a scanning/tunneling electron microscope willing to reverse engineer the chip for us? (I'm assuming here the AES key is built into the chip; if it's not, then reverse engineering the chip is pointless.)
     
  8. Abcdfv (What comes around goes around.)
    There are a couple people wanting to, one went as far as depackaging the chip, but no one has decapped it fully yet.
     
  9. ILOVEPIE (OP), Advanced Member
    I'm sure Datel is working on it :P
     
  10. Kakkoii (Old fart)
    There was a person willing to put up the money to decap it, but people on this forum told him it would be a waste of time -_-
     
  11. ILOVEPIE (OP), Advanced Member
    That's sad... if the chip has the key hardcoded, then it can be reversed if someone manages to make a schematic of the chip.