Hacking NAND/emuNAND Encryption and Transfer Curiosity

drfsupercenter

Alright, so I was curious about something recently and haven't had it properly explained.

Scenario 1:
Person 1 and Person 2 both have a 3DS XL running 4.5.0-10U. They both use Gateway's launcher to back up their NAND. (And for the sake of discussion, let's say they also "format emuNAND" which copies the system NAND to the first part of the SD card)
If person 1 and 2 swap SD cards after creating emuNAND, it's my understanding that neither will work. Correct?

Scenario 2:
Person 1 has a fully updated 3DS (7.1), Person 2 has a 4.5 system with a hardware NAND flasher installed. Person 2 makes a backup of 4.5 using Gateway's launcher. They then update to 7.1. Person 1 does a system transfer to person 2's system. Person 2 then backs up the NAND using the hardware flasher, then restores 4.5 the same way.
Using the "NAND formatter" utility someone on gbatemp wrote, person 2 can now play person 1's games from an emuNAND.

I can confirm scenario 2, as I have two 3DS systems and did this exact thing myself. I even transferred it back after a week to system 1 (from the real NAND, not emulated), and can still use the backup.

Now, here's my question. Why doesn't scenario 1 work while scenario 2 does?

As far as I know, every 3DS has its own set of keys for decrypting the encrypted contents. See also: movable.sed.

The file also gets remade every time you format the NAND, which is why your SD card will no longer work and you have to redownload your programs.

And therefore, since movable.sed is part of the NAND, wouldn't it transfer over in scenario 1 as well? A similar scenario is formatting your real NAND while leaving the emuNAND untouched - the emuNAND still boots perfectly fine, I can confirm this as well.

From what I've heard from others, all the system transfers do is transfer NAND contents like pictures, settings and the like, as well as movable.sed - everything else is done via SD which is why DSiware gets moved to the SD and back, and all your games still work fine by just putting the SD in system 2 after a transfer.

So why exactly does scenario 2 work but scenario 1 doesn't? Hopefully someone can help me understand.
 

drfsupercenter

Hmm, I notice that the target system keeps its original profile (name, birthday, country, etc).
And I think the Wi-Fi settings are retained too.

Maybe it just intentionally doesn't transfer system settings.
 

untok

Hmm, if I understand option 2, ownership of the games moved to another system and then they worked on both the new and the old system. But if the old source system connects to the eShop with the same ID as the transferred ID, then the games disappear from the source backed-up system, because the tickets were moved to the new system.
 

drfsupercenter

The tickets might disappear, but I'm under the impression that having a different emuNAND simply *will not boot*, it has to be created from your own system.
So I just don't get why scenario 2 magically works but 1 doesn't. Is there some hidden piece of information I'm missing (like a separate hardware key, not movable.sed)?

I'm not really even fussed about downloaded games, I'm more interested in just getting it to boot. I haven't tried scenario 1 myself as I only have one 3DS on 4.5, but I'm going off of what I've read.
 

gamesquest1

drfsupercenter said:
> The tickets might disappear, but I'm under the impression that having a different emuNAND simply *will not boot*, it has to be created from your own system.
> So I just don't get why scenario 2 magically works but 1 doesn't. Is there some hidden piece of information I'm missing (like a separate hardware key, not movable.sed)?
>
> I'm not really even fussed about downloaded games, I'm more interested in just getting it to boot. I haven't tried scenario 1 myself as I only have one 3DS on 4.5, but I'm going off of what I've read.

Each NAND is uniquely encrypted; the console itself has its own unique encryption key. Switching the SD with emuNAND from console 1 to console 2 means console 2 is unable to decrypt the firmware stored on the emuNAND partition, as it was created using console 1's unique key. If it worked like what you are asking, downgrading consoles using someone else's NAND dump would work.
 

migles

It's been a while since I had this idea in my head: what happens when you have a NAND backup of a 4.5 console, move the games to a new system and restore the NAND? Game cloning?
 

gamesquest1

migles said:
> It's been a while since I had this idea in my head: what happens when you have a NAND backup of a 4.5 console, move the games to a new system and restore the NAND? Game cloning?

More of a temporary game clone: if the console with the restored NAND connects to the internet, its illegitimate games self-destruct; if you keep it offline it works, though.
 

migles

gamesquest1 said:
> More of a temporary game clone: if the console with the restored NAND connects to the internet, its illegitimate games self-destruct; if you keep it offline it works, though.

We need someone very rich who bought all the digital games, and clone his console; everyone gets all the games! And Nintendo will put down system transfer, like they did with Nikki :C
 

orochi115

drfsupercenter said:
> Alright, so I was curious about something recently and haven't had it properly explained.
>
> Scenario 1:
> Person 1 and Person 2 both have a 3DS XL running 4.5.0-10U. They both use Gateway's launcher to back up their NAND. (And for the sake of discussion, let's say they also "format emuNAND" which copies the system NAND to the first part of the SD card)
> If person 1 and 2 swap SD cards after creating emuNAND, it's my understanding that neither will work. Correct?
>
> Scenario 2:
> Person 1 has a fully updated 3DS (7.1), Person 2 has a 4.5 system with a hardware NAND flasher installed. Person 2 makes a backup of 4.5 using Gateway's launcher. They then update to 7.1. Person 1 does a system transfer to person 2's system. Person 2 then backs up the NAND using the hardware flasher, then restores 4.5 the same way.
> Using the "NAND formatter" utility someone on gbatemp wrote, person 2 can now play person 1's games from an emuNAND.
>
> I can confirm scenario 2, as I have two 3DS systems and did this exact thing myself. I even transferred it back after a week to system 1 (from the real NAND, not emulated), and can still use the backup.
>
> Now, here's my question. Why doesn't scenario 1 work while scenario 2 does?
>
> As far as I know, every 3DS has its own set of keys for decrypting the encrypted contents. See also: movable.sed.
>
> The file also gets remade every time you format the NAND, which is why your SD card will no longer work and you have to redownload your programs.
>
> And therefore, since movable.sed is part of the NAND, wouldn't it transfer over in scenario 1 as well? A similar scenario is formatting your real NAND while leaving the emuNAND untouched - the emuNAND still boots perfectly fine, I can confirm this as well.
>
> From what I've heard from others, all the system transfers do is transfer NAND contents like pictures, settings and the like, as well as movable.sed - everything else is done via SD which is why DSiware gets moved to the SD and back, and all your games still work fine by just putting the SD in system 2 after a transfer.
>
> So why exactly does scenario 2 work but scenario 1 doesn't? Hopefully someone can help me understand.


First, the NAND key is stored inside some secure area of the hardware. "System Transfer" doesn't transfer raw data directly. It involves re-encryption, I think.
The "movable.sed" you mentioned is only used to encrypt/decrypt title data on the SD card. It has nothing to do with NAND encryption.

Scenario 2 can be simplified. You can just update emuNAND to 7.1 and do sys transfer to emuNAND 7.1. That's almost the same. No hardware flasher is needed.
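
A toy model of the explanation given in the thread up to this point, added here as an illustration; it is not part of any post and not the 3DS's actual scheme. NAND contents are sealed under a per-console hardware key, SD title data uses a separate key stored inside the NAND, and a transfer re-encrypts for the target. The `Console` class, the SHA-256 keystream, the `TOYNAND1` header and every key are assumptions constructed for the example.

```python
import hashlib
import os

MAGIC = b"TOYNAND1"  # constructed header so a wrong-key decrypt is detectable

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream; a stdlib stand-in for a real cipher, toy only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Console:
    def __init__(self, serial: str):
        # Stands in for the key held in hardware; it never appears in any image.
        self._hw_key = hashlib.sha256(b"constructed:" + serial.encode()).digest()

    def seal_nand(self, movable_key: bytes) -> bytes:
        """Encrypt NAND contents (here just the SD key) under this console's key."""
        nonce = os.urandom(16)
        return nonce + _xor_stream(self._hw_key, nonce, MAGIC + movable_key)

    def boot(self, image: bytes):
        """Return the SD key if the image decrypts under this console, else None."""
        plain = _xor_stream(self._hw_key, image[:16], image[16:])
        return plain[len(MAGIC):] if plain.startswith(MAGIC) else None

def system_transfer(src: Console, dst: Console, src_image: bytes) -> bytes:
    """Source decrypts with its key, target re-encrypts with its own."""
    movable_key = src.boot(src_image)
    if movable_key is None:
        raise ValueError("source console cannot read this image")
    return dst.seal_nand(movable_key)

def sd_crypt(movable_key: bytes, title: bytes) -> bytes:
    """SD title data uses the movable key, not the hardware key (XOR: same call both ways)."""
    return _xor_stream(movable_key, b"sd-title", title)

def run_scenarios():
    c1, c2 = Console("console-1"), Console("console-2")
    key1 = hashlib.sha256(b"constructed movable.sed 1").digest()
    image1 = c1.seal_nand(key1)
    sd_title = sd_crypt(key1, b"constructed title data")
    swapped = c2.boot(image1)                          # scenario 1: raw SD swap
    moved = c2.boot(system_transfer(c1, c2, image1))   # scenario 2: transfer
    return swapped, moved, sd_crypt(moved, sd_title)
```

In this model the raw swap yields nothing bootable on console 2, while the re-encrypted image boots there and carries the SD key with it, so the SD title data still decrypts.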
 

orochi115

drfsupercenter said:
> Hmm, I notice that the target system keeps its original profile (name, birthday, country, etc).
> And I think the Wi-Fi settings are retained too.
>
> Maybe it just intentionally doesn't transfer system settings.

Some of the settings are not transferred on purpose. I think it's by design.
 

gamesquest1

migles said:
> We need someone very rich who bought all the digital games, and clone his console; everyone gets all the games! And Nintendo will put down system transfer, like they did with Nikki :C

That would still require the person to do the system transfer a whole lot of times, and if anyone connects online their games get deleted :hateit:
Not exactly a convenient or realistic thing, as you could be sure someone would just rob all the games and not transfer them to the next person... basically it's not really going to happen.
 

drfsupercenter

orochi115 said:
> First, the NAND key is stored inside some secure area of the hardware. "System Transfer" doesn't transfer raw data directly. It involves re-encryption, I think.
> The "movable.sed" you mentioned is only used to encrypt/decrypt title data on the SD card. It has nothing to do with NAND encryption.
>
> Scenario 2 can be simplified. You can just update emuNAND to 7.1 and do sys transfer to emuNAND 7.1. That's almost the same. No hardware flasher is needed.

So you're saying it re-encrypts the NAND contents to match the hardware key and then when you transfer it back does the same process again?

As for scenario 2, when I did it initially, Gateway 2.1 wasn't out yet and emuNAND still wasn't very stable :P
 
