# How to solve the AES key scrambler


1. ### OP uyjulian Homebrewer Member Level 12

Joined:
Nov 26, 2012
Messages:
2,552

I hope this information helps some people who have trouble figuring out the AES key scrambler.

k = normal key
x = keyX
y = keyY
C = constant

let's algebra !!!!

Code:
```
k = (((x <<< 2) ^ y) + C) <<< 87
```
Solve for k

Code:
```
k = (((x <<< 2) ^ y) + C) <<< 87
```
Solve for x

Code:
```
k                       = (((x <<< 2) ^ y) + C) <<< 87
       >>> 87                                       >>> 87
(k >>> 87)              = ((x <<< 2) ^ y) + C
       - C                                          - C
((k >>> 87) - C)        = (x <<< 2) ^ y
       ^ y                                          ^ y
(((k >>> 87) - C) ^ y)  = x <<< 2
       >>> 2                                        >>> 2
x = (((k >>> 87) - C) ^ y) >>> 2
```
Solve for y

Code:
```
k                       = (((x <<< 2) ^ y) + C) <<< 87
       >>> 87                                       >>> 87
(k >>> 87)              = ((x <<< 2) ^ y) + C
       - C                                          - C
((k >>> 87) - C)        = (x <<< 2) ^ y
       ^ (x <<< 2)                                  ^ (x <<< 2)
y = ((k >>> 87) - C) ^ (x <<< 2)
```
Solve for C

Code:
```
k                       = (((x <<< 2) ^ y) + C) <<< 87
       >>> 87                                       >>> 87
(k >>> 87)              = ((x <<< 2) ^ y) + C
       - ((x <<< 2) ^ y)                            - ((x <<< 2) ^ y)
C = (k >>> 87) - ((x <<< 2) ^ y)
```
easy, right? You just need three variables to get one of them!
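
A worked version of the formula and the three inversions above, as an added example that is not code from the original post: every operation runs on 128-bit words (`<<<` and `>>>` are 128-bit rotates, `+` and `-` are modulo 2^128), and each solved form is checked by recovering its variable from the other three. The keyX, keyY and constant values in it are constructed for the demonstration, not real console keys or the real constant.

```python
# Added example (not from the thread): the scrambler k = (((x <<< 2) ^ y) + C) <<< 87
# on 128-bit words, plus the inversions for x, y and C derived in the post above.
# All sample values below are constructed; they are not real keys or the real C.

MASK128 = (1 << 128) - 1


def rol128(v: int, n: int) -> int:
    """Rotate a 128-bit word left by n bits (the post's <<< operator)."""
    n %= 128
    return ((v << n) | (v >> (128 - n))) & MASK128


def ror128(v: int, n: int) -> int:
    """Rotate a 128-bit word right by n bits (the post's >>> operator)."""
    return rol128(v, (128 - (n % 128)) % 128)


def scramble(x: int, y: int, c: int) -> int:
    """Normal key from keyX, keyY and C; the addition wraps modulo 2^128."""
    return rol128(((rol128(x, 2) ^ y) + c) & MASK128, 87)


def solve_x(k: int, y: int, c: int) -> int:
    """x = (((k >>> 87) - C) ^ y) >>> 2  (undo each step of scramble in reverse)."""
    return ror128(((ror128(k, 87) - c) & MASK128) ^ y, 2)


def solve_y(k: int, x: int, c: int) -> int:
    """y = ((k >>> 87) - C) ^ (x <<< 2)"""
    return ((ror128(k, 87) - c) & MASK128) ^ rol128(x, 2)


def solve_c(k: int, x: int, y: int) -> int:
    """C = (k >>> 87) - ((x <<< 2) ^ y)  (subtraction wraps modulo 2^128)."""
    return (ror128(k, 87) - (rol128(x, 2) ^ y)) & MASK128


def round_trip(x: int, y: int, c: int) -> bool:
    """True when each inversion recovers its input from the other three values."""
    k = scramble(x, y, c)
    return (solve_x(k, y, c) == x
            and solve_y(k, x, c) == y
            and solve_c(k, x, y) == c)


if __name__ == "__main__":
    # Constructed sample values (not real keys, not the real constant).
    X = 0x0123456789ABCDEF0123456789ABCDEF
    Y = 0xFEDCBA9876543210FEDCBA9876543210
    C = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0
    k = scramble(X, Y, C)
    print(f"normal key: {k:032x}")
    print("round trip ok:", round_trip(X, Y, C))
```

The `& MASK128` after each subtraction is what makes the algebra hold on real hardware: a negative Python integer masked to 128 bits is exactly the two's-complement wraparound the scrambler's adder produces, so `solve_c` returns the same C the forward direction used even when `(k >>> 87)` is numerically smaller than `(x <<< 2) ^ y`.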

2. ### Syphurith Beginner Member Level 3

Well, good if the implemented algorithm is that easy. But I've forgotten the older one with the function wrapper.
Now an implementation to just calculate the normal key with a given KeyX or KeyY is needed, and I don't know how to do so.
There was a pair of KeyX/KeyY/CTR for N3DS 9.5 leaked but totally useless before; hope with its normal key we can use it to test out our recovery solution.
Wish the algorithm implemented in hardware is itself simple, or we may need to generate a lot of normal keys to get the curve of the function.
So steps: 1. calculate normalkey. 2. recover the algorithm, and constant C. 3. Use it to recover the KeyX/KeyY with any slot whose counterpart is known.
Hope the solution is right.. wait, we can check it using the keys leaked.

3. ### Suiginou (null) Member Level 6

If you watch plutoo's presentation again, you need a normalkey and a keyY or keyX to actually make things happen, though. The 9.5 keyX/keyY is useless. Besides, we have a set of keyX/keyY already (7.x exefs/romfs crypto).

The problem here is that normalkeys are very hard to come by. There was the example of the NFC normalkey in N3DS firmware 8.1/9.0 that got changed to a keyY in NATIVE_FIRM 9.3, but N3DSes seem to be fairly rare.

Last edited by Suiginou, Dec 29, 2015

4. ### Syphurith Beginner Member Level 3

I don't know if we can use the pair of keyX and keyY to calculate the normal one and get it out of the keyscrambler.
The 9.5 slot0x16 is useless before, and if it can not be used to check the recovery then that's useless afterwards (orz).
Still thanks for every effort made to the recovery..

Last edited by Syphurith, Dec 29, 2015 - Reason: Well I know that now.

5. ### Suiginou (null) Member Level 6

You can use keyX/keyY to calculate the normalkey once you have the constant C. The public doesn't have C yet, however. Figuring the key scrambler out has, at this point, nearly no practical applications. If you're here for usable hax, you're looking in the wrong place.

The current method presented by plutoo is to get a normalkey and a keyY and apply some bitwise logic to derive keyX and from there get C. The public, me included, is currently still stuck at the "find a normalkey" part.

6. ### Syphurith Beginner Member Level 3

Not for the hax. I just want to know the progress on the calculations. Well, I'm happy with my coldboot rx old 9.2.
So the normalkey is still blocking us. I'm quite sad but cannot help with it then.

@Suiginou Eh.. Oh wait, then why did they say in the talk that bit-flipping the KeyY can be used to recover the KeyX (the one sharing the same bit of the produced normal key)? If their calculation is right but there's no way to get the normal one out, how do they figure this out.. That's weird.

Last edited by Syphurith, Dec 29, 2015 - Reason: WTF.

7. ### dark_samus3 GBAtemp Addict Member Level 10

I haven't gotten anything done with it, but I think the step most people missed is to encrypt something on the 3DS, a file with all zeros... Then look at the result, flip a bit, repeat the above process, look at what changed, record the change, rinse and repeat for all 128 bits of KeyY; then once KeyX is known (not sure, but I think it is somehow derived from the results of the all-zero file that was encrypted) all you need is C.

8. ### shinyquagsire23 SALT/Sm4sh Leak Guy Member Level 13

The problem though is that you can't find C itself without all three keys (keyX, keyY and normal), which is the tough part since you have to find keyX indirectly from a normal key and keyX without C. Doing it indirectly requires using the hardware keyscrambler for comparison so that's why it's actually difficult, you have to brute force finding the keyX somewhat.

Last edited by shinyquagsire23, Dec 29, 2015

9. ### Psi-hate GBATemp's Official Psi-Hater Member Level 11

Rei says she just got the keyscrambler figured out and has it out of the way, apparently.


10. ### dankzegriefer Banned Banned Level 5

Please, don't use maths in a text field. Use something made for maths.

11. ### doctorgoat GBAtemp Advanced Fan Member Level 4

That's valid code in a text field.

12. ### dankzegriefer Banned Banned Level 5

It's valid math in a code field. And hard to read.
