How to solve the AES key scrambler

Discussion in '3DS - Homebrew Development and Emulators' started by julialy, Dec 29, 2015.

  1. julialy
    OP

    julialy Homebrewer

    I hope this information helps some people who have trouble figuring out the AES key scrambler.

    k = normal key
    x = keyX
    y = keyY
    C = constant

    let's algebra !!!!

    let's start with
    Code:
    k = (((x <<< 2) ^ y) + C) <<< 87
    Solve for k

    Code:
    k = (((x <<< 2) ^ y) + C) <<< 87
    Solve for x

    Code:
    k        = (((x <<< 2) ^ y) + C) <<< 87
      >>> 87                         >>> 87
    (k >>> 87)     = ((x <<< 2) ^ y) + C
               - C                   - C
    ((k >>> 87) - C)     = (x <<< 2) ^ y
                     ^ y             ^ y
    (((k >>> 87) - C) ^ y)      = x <<< 2
                          >>> 2     >>> 2
    x = (((k >>> 87) - C) ^ y) >>> 2
    Solve for y

    Code:
    k        = (((x <<< 2) ^ y) + C) <<< 87
      >>> 87                         >>> 87
    (k >>> 87)     = ((x <<< 2) ^ y) + C
               - C                   - C
    ((k >>> 87) - C)              = (x <<< 2) ^ y
                     ^ (x <<< 2)  ^ (x <<< 2)
    y = ((k >>> 87) - C) ^ (x <<< 2)
    Solve for C

    Code:
    k        = (((x <<< 2) ^ y) + C) <<< 87
      >>> 87                         >>> 87
    (k >>> 87)                   = ((x <<< 2) ^ y) + C
               - ((x <<< 2) ^ y) - ((x <<< 2) ^ y)
    C = (k >>> 87) - ((x <<< 2) ^ y)
    Easy, right? You just need three variables to get one of them!
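    The algebra above carried out in code, as an added example that is not part of the original post. `<<<` and `>>>` are 128-bit rotates, and the `+` is taken modulo 2**128, which is what makes the `- C` step in the derivation valid. The key values used are random stand-ins, not real console keys or the real constant C.

```python
"""Worked example of the 3DS AES key-scrambler algebra.

Added example, not code from the original post.  All arithmetic is on
128-bit values: <<< / >>> are 128-bit rotates and + / - wrap modulo 2**128.
Key material below is random filler, not a real console key or the real C.
"""
import secrets

MASK = (1 << 128) - 1


def rotl(v, n):
    """128-bit rotate left (the post's <<<)."""
    n %= 128
    return ((v << n) | (v >> (128 - n))) & MASK


def rotr(v, n):
    """128-bit rotate right (the post's >>>)."""
    return rotl(v, 128 - (n % 128))


def scramble(x, y, c):
    """k = (((x <<< 2) ^ y) + C) <<< 87, with + taken modulo 2**128."""
    return rotl(((rotl(x, 2) ^ y) + c) & MASK, 87)


def solve_x(k, y, c):
    """x = (((k >>> 87) - C) ^ y) >>> 2"""
    return rotr(((rotr(k, 87) - c) & MASK) ^ y, 2)


def solve_y(k, x, c):
    """y = ((k >>> 87) - C) ^ (x <<< 2)"""
    return ((rotr(k, 87) - c) & MASK) ^ rotl(x, 2)


def solve_c(k, x, y):
    """C = (k >>> 87) - ((x <<< 2) ^ y)"""
    return (rotr(k, 87) - (rotl(x, 2) ^ y)) & MASK


def round_trip(x, y, c):
    """Scramble, then recover each of x, y and C from the other three values."""
    k = scramble(x, y, c)
    return solve_x(k, y, c) == x and solve_y(k, x, c) == y and solve_c(k, x, y) == c


if __name__ == "__main__":
    # Randomised self-check of the three inverse formulas (assumed inputs).
    for _ in range(1000):
        x, y, c = (int.from_bytes(secrets.token_bytes(16), "big") for _ in range(3))
        assert round_trip(x, y, c)
    print("all three inverse formulas agree with the forward scrambler")
```

    One caveat a practitioner will hit immediately: the 16 key bytes have to be turned into a 128-bit integer the same way on both sides (this example assumes the big-endian interpretation), and the subtraction only inverts the addition because both are done modulo 2**128; a plain bignum `+` without the mask breaks `solve_x` and `solve_y`.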
     
  2. Syphurith

    Syphurith Beginner

    Well, good if the implemented algorithm is that easy. But I've forgotten the older one with the function wrapper.
    Now an implementation to just calculate the normal key with a given KeyX or KeyY is needed, and I don't know how to do so.
    There was a pair of KeyX/KeyY/CTR for N3DS 9.5 leaked, but totally useless before; hope with its normal key we can use it to test out our recovery solution.
    Wish the algorithm implemented in hardware is itself simple, or we may need to generate a lot of normal keys to get the curve of the function.
    So steps: 1. calculate the normal key. 2. recover the algorithm, and constant C. 3. Use it to recover the KeyX/KeyY with any slot whose counterpart is known.
    Hope the solution is right... wait, we can check it using the leaked keys.
     
  3. Suiginou

    Suiginou (null)

    If you watch plutoo's presentation again, you need a normalkey and a keyY or keyX to actually make things happen, though. The 9.5 keyX/keyY is useless. Besides, we have a set of keyX/keyY already (7.x exefs/romfs crypto).

    See also: The entirety of https://gbatemp.net/threads/aes-key-scrambler.406951/

    The problem here is that normalkeys are very hard to come by. There was the example of the NFC normalkey in N3DS firmware 8.1/9.0 that got changed to a keyY in NATIVE_FIRM 9.3, but N3DSes seem to be fairly rare.
     
    Last edited by Suiginou, Dec 29, 2015
  4. Syphurith

    Syphurith Beginner

    I don't know if we can use the pair of keyX and keyY to calculate the normal one and get it out of the keyscrambler.
    The 9.5 slot0x16 was useless before, and if it cannot be used to check the recovery then it's useless afterwards (orz).
    Still, thanks for every effort made toward the recovery.

    UPDATE: Seen your post. So you can't read that out.
     
    Last edited by Syphurith, Dec 29, 2015 - Reason: Well I know that now.
  5. Suiginou

    Suiginou (null)

    You can use keyX/keyY to calculate the normalkey once you have the constant C. The public doesn't have C yet, however. Figuring the key scrambler out has, at this point, nearly no practical applications. If you're here for usable hax, you're looking in the wrong place.

    The current method presented by plutoo is to get a normalkey and a keyY and apply some bitwise logic to derive keyX and from there get C. The public, me included, is currently still stuck at the "find a normalkey" part.
     
  6. Syphurith

    Syphurith Beginner

    Not for the hax. I just want to know the progress on the calculations. Well I'm happy with my coldboot rx old 9.2.
    So the normalkey is still blocking us. I'm quite sad but cannot help with it then.

    @Suiginou Eh... oh wait, then why did they say in the talk that bit-flipping the KeyY can be used to recover the KeyX (sharing the same bit of the produced normal key)? If their calculation is right, but there's no way to get the normal one out? How did they figure this out... That's weird.
     
    Last edited by Syphurith, Dec 29, 2015 - Reason: WTF.
  7. dark_samus3

    dark_samus3 GBAtemp Addict

    I haven't gotten anything done with it, but I think the step most people missed is: encrypt something on the 3DS, a file with all zeros. Then look at the result, flip a bit, repeat the above process, look at what changed, record the change, rinse and repeat for all 128 bits of KeyY. Then once KeyX is known (not sure, but I think it is somehow derived from the results of the all-zero file that was encrypted), all you need is C.
     
  8. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    The problem though is that you can't find C itself without all three keys (keyX, keyY and normal), which is the tough part since you have to find keyX indirectly from a normal key and keyX without C. Doing it indirectly requires using the hardware keyscrambler for comparison so that's why it's actually difficult, you have to brute force finding the keyX somewhat.
     
    Last edited by shinyquagsire23, Dec 29, 2015
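    The bit-flip recovery that posts 6 to 8 are circling around, worked through as an added example (not code from this thread, and not plutoo's own tooling). It models the hardware as a key slot with hidden keyX and C that accepts any keyY and encrypts a chosen block; the attacker knows one (keyY, normalkey) pair for that slot and can run the same cipher in software on candidate keys. Since the normal key is `(((keyX <<< 2) ^ keyY) + C) <<< 87`, flipping bit i of keyY flips bit i of the value going into the addition, so the new sum is the old one plus or minus 2**i depending on that hidden bit; encrypting under the modified slot and comparing with the two software candidates reveals it. AES itself is replaced by a keyed hash so the block runs on the standard library; the attack only needs a deterministic function computable on both sides. All key values are random stand-ins.

```python
"""Recovering keyX and C from one known normalkey plus a keyY-write oracle.

Added example, not from the original thread.  Assumptions:
 * attacker knows one (keyY, normalkey) pair for a slot, cannot read keyX,
   C or the normal key, but can write any keyY and encrypt a chosen block;
 * the block cipher is replaced by SHA-256(key || block) as a stand-in for
   AES-ECB on one block, so everything runs on the standard library.
Keys and constant are random filler, not real console values.
"""
import hashlib
import secrets

MASK = (1 << 128) - 1
TOP = 1 << 127


def rotl(v, n):
    n %= 128
    return ((v << n) | (v >> (128 - n))) & MASK


def rotr(v, n):
    return rotl(v, 128 - (n % 128))


def scramble(x, y, c):
    """normalkey = (((keyX <<< 2) ^ keyY) + C) <<< 87  (mod 2**128)."""
    return rotl(((rotl(x, 2) ^ y) + c) & MASK, 87)


def block_encrypt(key, block):
    """Stand-in for AES on one block; the attacker can evaluate this too."""
    return hashlib.sha256(key.to_bytes(16, "big") + block).digest()


class ScramblerSlot:
    """Simulated AES key slot: keyX and C are internal, only keyY is writable."""

    def __init__(self, key_x, const):
        self._x = key_x
        self._c = const

    def encrypt(self, key_y, block):
        return block_encrypt(scramble(self._x, key_y, self._c), block)


def recover_keyx_and_c(slot, key_y, normal_key):
    """Recover (keyX, C) using 127 keyY writes and one chosen block.

    s = normalkey >>> 87 = v + C with v = (keyX <<< 2) ^ keyY.  Flipping bit i
    of keyY flips bit i of v, so the new sum is s + 2**i if v_i == 0 and
    s - 2**i if v_i == 1; the hardware's output tells us which.
    """
    probe = bytes(16)                       # any fixed plaintext block
    s = rotr(normal_key, 87)
    v = 0
    for i in range(127):                    # bit 127 is handled below
        observed = slot.encrypt(key_y ^ (1 << i), probe)
        plus = rotl((s + (1 << i)) & MASK, 87)
        minus = rotl((s - (1 << i)) & MASK, 87)
        if observed == block_encrypt(plus, probe):
            pass                            # v_i == 0
        elif observed == block_encrypt(minus, probe):
            v |= 1 << i                     # v_i == 1
        else:
            raise ValueError("oracle output matches neither candidate")
    # Bit 127: s + 2**127 == s - 2**127 (mod 2**128), so that flip is silent.
    # (keyX, C) and (keyX ^ 2**125, C ^ 2**127) scramble every keyY to the
    # same normal key, so v_127 = 0 is chosen; the other solution is
    # functionally identical.
    key_x = rotr(v ^ key_y, 2)
    const = (s - v) & MASK
    return key_x, const


def demo():
    """Random hidden keyX/C; returns True if the recovered pair reproduces them."""
    x, c, y, y2 = (int.from_bytes(secrets.token_bytes(16), "big") for _ in range(4))
    slot = ScramblerSlot(x, c)
    k = scramble(x, y, c)                   # the one known normal key
    x_rec, c_rec = recover_keyx_and_c(slot, y, k)
    return scramble(x_rec, y2, c_rec) == scramble(x, y2, c)


if __name__ == "__main__":
    print("recovered keyX/C reproduce the scrambler for a fresh keyY:", demo())
```

    Two things worth noting. The method needs exactly the inputs the replies above list: one usable normal key for the slot, its keyY, and the ability to re-key the slot and encrypt, which is why "find a normalkey" is the blocking step. And the scrambler cannot distinguish the top bit of the pre-rotate sum: adding or subtracting 2**127 modulo 2**128 is the same operation, so keyX and C are only recovered up to a paired flip of keyX bit 125 and C bit 127, and either answer computes correct normal keys for every keyY.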
  9. Psi-hate

    Psi-hate GBATemp's Official Psi-Hater

    Rei says she just got the keyscrambler figured out and has it out of the way, apparently.
     
  10. dankzegriefer

    dankzegriefer GBAtemp Advanced Fan

    Please, don't use maths in a text field. Use something made for maths.
     
  11. doctorgoat

    doctorgoat GBAtemp Advanced Fan

    That's valid code in a text field.
     
  12. dankzegriefer

    dankzegriefer GBAtemp Advanced Fan

    It's valid math in a code field. And hard to read.