Needs some help understanding Decrypted Title Keys and the encryption state of installed cia files

Discussion in '3DS - Flashcards & Custom Firmwares' started by apoptygma, Jul 6, 2016.

  1. apoptygma
    OP

    apoptygma GBAtemp Advanced Fan

    Member
    689
    145
    Mar 30, 2010
    I'm just trying to get my head around the existing database of Decrypted Title Keys -

    1) These keys are generated from a purchased/installed title using what tool?
    2) If a cia is installed from another source (be it 'clean' or otherwise) would the same key be able to be extracted from that working install?
    3) Does the initial state of a given cia when installed determine what its contents on the NAND will be? i.e. is decryption performed at the time of install, so a decrypted title, encrypted title (with keys available) and a title installed from say uncart all end up in the same 'state' once installed or is it possible to have a title installed which does not run due to encryption?
    4) Does the site validate keys against the CDN to prevent incorrect keys being submitted?
    5) Would (local) brute-forcing be possible given that there's afaik 1.2089258e+24 possible keys for a given title?
     
  2. Ricken

    Ricken So long, and goodnite / So long, not goodnite

    Member
    2,221
    2,417
    Jan 19, 2016
    United States
    Shibuya, The small one from Vegas
    1) The keys are generated by Ninty, and they use their private software
    2) Nope, because the key data isn't saved to the title. The eShop puts the keys in your NAND, hence why Decrypt9 can dump them
    3) I'm not fully getting this question... but I don't think so. Correct me if I'm wrong, but keys are for eShop games only
    4) Probably, as you can't enter names of games when submitting just a TID and DTK
    5) Not easily, as I don't see how you could get the TID without having it installed, and if you have it installed, then either A. someone has dumpshared it, or B. you can dump your DTK.bin and upload it
     
  3. apoptygma (OP)
    I think the answer to 1) might be Decrypt9 from the sound of your second answer? I meant (to phrase it differently) how are people getting these keys to put them into the main database on the site.

    Your answer to 5: I mean there's titles that are available elsewhere as .cia files that aren't listed in this database, so they've been dumped but the key wasn't submitted, so is there a way for me to get the keys from those dumps and then submit it (possibly using Decrypt9?)

    So my understanding is that there's either a title that's installed without encryption being present, i.e. the cia is decrypted - for those the key won't be present/installed in the NAND and then there's titles which have a key stored in the NAND, those can be extracted via Decrypt9.

    So my concept of grabbing a cia from another site, installing it and then using a tool to extract the key won't work because that title will have already been decrypted by the party that dumped it and the keys will have been discarded?
     
  4. Ricken
    d0k3 doesn't work for Ninty. lol

    Nope, unless you bought it off the eShop. Then you'd have keys to dump. Installing a .cia from a site like that Iso won't work as the keys aren't stored within the .cias

    Again with the eShop

    Yep, Discard
     
  5. apoptygma (OP)
    I meant how the keys got on the site , not what tool did nintendo generate them with but what tool was used to extract them, and It sounds like it was d0k3's tools.
     
  6. Ricken
    Oh yeah, Decrypt9. my bad :P
     
  7. c4388354

    c4388354 GBAtemp Regular

    Member
    102
    81
    Jan 23, 2015
    United States
    1) You buy a title/game from the eShop, then use Decrypt9's Dump Titlekeys option to get an EncTitleKeys.bin / DecTitleKeys.bin file, which you can then upload ;)

    2) If the CIA was an eShop release (not converted from a gamecart) and the CIA is NOT cryptofixed, then it might be possible that the keys are the same as the eShop.
    If you have the CIA then you can extract the title ID and encrypted key from the CIA file.
    If you don't have the CIA file, the encrypted key can be found in the 'ticket.db' file of your 3DS.

    It is a bit of a lengthy process to verify the CIA key is correct.

    3) Once the title is installed (and sig-checks patched) there is no functional difference,
    a game converted from a gamecard will run the same as an eshop game.

    4) Yes, the site does seem to check; this is why the site only accepts DECRYPTED keys.
    The site seems to download and decrypt one of the content files and check that the hashes match the TMD
    once this check is done and the hash matches then the decrypted key gets added to the site database.
    If the hash doesn't match then the key will be rejected.
    Once a day? / every few days? Those decrypted keys are 're-encrypted' and put on the site.

    5) no, not feasible to brute-force a key...
     
    Last edited by c4388354, Jul 6, 2016
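The check described in answer 4 above (decrypt one content file with the submitted key and compare its hash against the TMD), as an added worked example that is not code from this thread, from Decrypt9 or from the key site. It assumes the encrypted title key and the title ID have already been pulled out of a ticket or ticket.db, and that the SHA-256 recorded in the TMD for content index 0 is known; it does not parse CIA or ticket.db files. The common key, title key, title ID and content bytes are constructed placeholders, not real values, and the content is kept to 32 bytes so one TMD hash covers the whole file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Placeholder 16-byte common key (constructed for this example; NOT the real 3DS common key).
var commonKey = []byte("placeholder-ck16")

// ticketIV: the title key in a ticket is AES-128-CBC encrypted with the common key,
// IV = 8-byte big-endian title ID followed by 8 zero bytes.
func ticketIV(titleID uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], titleID)
	return iv
}

// contentIV: each CDN content file is AES-128-CBC encrypted with the decrypted
// title key, IV = 2-byte big-endian content index followed by 14 zero bytes.
func contentIV(index uint16) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint16(iv[:2], index)
	return iv
}

// cbc runs AES-128-CBC without padding in either direction.
func cbc(key, iv, data []byte, encrypt bool) ([]byte, error) {
	if len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	}
	return out, nil
}

// DecryptTitleKey turns the encrypted title key from a ticket into the decrypted one.
func DecryptTitleKey(encTitleKey []byte, titleID uint64) ([]byte, error) {
	return cbc(commonKey, ticketIV(titleID), encTitleKey, false)
}

// VerifyContent is the check the key site performs: decrypt one content file with
// the candidate title key and compare its SHA-256 with the TMD content record hash.
// A wrong key (or wrong content index, hence wrong IV) yields garbage whose hash will not match.
func VerifyContent(decTitleKey []byte, index uint16, encContent, tmdHash []byte) (bool, error) {
	plain, err := cbc(decTitleKey, contentIV(index), encContent, false)
	if err != nil {
		return false, err
	}
	sum := sha256.Sum256(plain)
	return bytes.Equal(sum[:], tmdHash), nil
}

// sample bundles constructed stand-ins for a ticket, a TMD record and a CDN content file.
type sample struct {
	titleID     uint64
	encTitleKey []byte
	encContent  []byte
	tmdHash     []byte
	realKey     []byte // kept only so a caller can confirm the decrypt round-trips
}

func buildSample() sample {
	titleID := uint64(0x0004000000000000)         // hypothetical title ID
	realKey := []byte("constructed-tk16")          // constructed 16-byte title key
	content := bytes.Repeat([]byte("NCCH"), 8)     // 32 bytes standing in for a content file
	sum := sha256.Sum256(content)                  // what the TMD content record would carry
	encKey, _ := cbc(commonKey, ticketIV(titleID), realKey, true)
	encContent, _ := cbc(realKey, contentIV(0), content, true)
	return sample{titleID, encKey, encContent, sum[:], realKey}
}

func main() {
	s := buildSample()
	key, err := DecryptTitleKey(s.encTitleKey, s.titleID)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("decrypted title key:", hex.EncodeToString(key))
	ok, _ := VerifyContent(key, 0, s.encContent, s.tmdHash)
	fmt.Println("submitted key matches TMD hash:", ok)
	bad, _ := VerifyContent(make([]byte, 16), 0, s.encContent, s.tmdHash)
	fmt.Println("all-zero key matches TMD hash:", bad)
}
```

The site only needs the decrypted key for this check because content files are encrypted directly under the title key; the common key is needed only to get from the ticket's encrypted key to the decrypted one. A key that decrypts the content to the TMD hash is therefore the key for that title, regardless of where the ticket came from.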
  8. apoptygma (OP)
    Wow amazing info! Why do you say brute-force isn't plausible? Modern GPUs could throw millions/billions of keys at a locally stored binary?
     
  9. c4388354
    It's a 128-bit key, so 2 ^ 128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys
    Number of seconds in one Year = 365 days x 24 hours x 60 minutes x 60 seconds = 31,536,000

    Let's say you can test 10 BILLION keys per second, every second for a year...
    (not exactly sure how many keys you could test per second, but let's say 10 billion per second)
    31,536,000 x 10,000,000,000 = 315,360,000,000,000,000 keys per year per computer.

    340,282,366,920,938,463,463,374,607,431,768,211,456 keys total (2 ^ 128)
    000,000,000,000,000,000,000,315,360,000,000,000,000 keys checked per computer per year
    (I've added leading zeros to show the huge difference between the numbers)

    Let's say you can find the key after trying 50% of them, that is still
    170,141,183,460,469,231,731,687,303,715,884,105,728 keys.

    edit: forgot a zero :P
     
  10. apoptygma (OP)
    well played sir, "r/TheyDidTheMath"
    My mistake was thinking it was a 32-bit key :)