[Question] Would it be possible to sign our own friend code seed?

Discussion in '3DS - Homebrew Development and Emulators' started by ariankordi, Nov 21, 2016.

  1. ariankordi
    OP

    ariankordi GBATemp Greg Joswiak

    Member
    392
    243
    Oct 25, 2014
    United States
    /dev/null
    As I'm very sure many of you know, there was yet another 3DS ban wave. I wasn't banned from this ban wave; it was something completely separate, however I'd still like to see this happen.

    I might be wrong about either some or all of this, but when logging into the game servers, the entire LocalFriendCodeSeed_B file is sent. This file validates the user and bans are logged through here, hence why everyone needs them to unban themselves.

    Now, the file has an RSA2048 signature and the actual seed; the signature is the bigger part of this file. The actual seed is at the bottom.
    [​IMG][​IMG]
    (this file is a banned one if you happened to want to waste your time copying it)
    The signature is checked by both the firmware and the server. The firmware will hang if this isn't valid (or at least that will happen with SecureInfo_A which has the same type of signature), and more importantly, the server will return 002-0121 if this isn't valid, which means Nintendo has the RSA 2048 key for this and is rejecting your cert.
    However, when I was seeing that the 3DS could generate these signatures from a system format (it's somewhere in this thread), this led me to believe that the 3DS could actually SIGN these files. The firmware can validate the signatures and there isn't any server involvement when it generates a new movable.sed.

    Plus, there appears to be a lot of RSA stuff in ARM9 ITCM. I have no idea how anything RSA works, but I think we can get something out of this anyway.
    It would be AMAZING if someone could get us to the point of being able to sign these files ourselves and not requiring another console or using the other method (which didn't work for me)

    I might be wrong on a lot of stuff, and in fact I might be wrong on everything, but this is an idea. Correct me if I'm wrong on whatever.
    Please don't derail this thread with you being against ban circumvention, please. Discuss that elsewhere.
     
  2. KibaLight

    KibaLight Newbie

    Newcomer
    5
    0
    Sep 17, 2016
    Regarding this, while browsing 3DBrew I came across this.

    I know nothing about coding for 3DS (haven't had time to mess with it) but I guess it is some kind of syscall?

    "This deletes the NAND LocalFriendCodeSeed file, then recreates it using the LocalFriendCodeSeed data stored in memory."

    I am really curious about it right now; I've also seen on 3DBrew that LocalFriendCodeSeed is related to KeyY in ARM9 ITCM in some way. (Offset 0x3808)
     
  3. ariankordi
    OP

    ariankordi GBATemp Greg Joswiak

    I know, I've once blanked movable.sed & LocalFriendCodeSeed, and they regenerated themselves from the value in ITCM. If only there was an easy way to edit ITCM.
     
  4. Doodil

    Doodil Newbie

    Newcomer
    3
    2
    Nov 19, 2016
    Gambia, The
    Your 3ds can't sign a new movable.sed

    If you check https://www.3dbrew.org/wiki/Nand/private/movable.sed you'll see that the RSA signature is over the first 8 of 16 bytes of the keyY.

    If you do a system transfer or a system format it changes the remaining 8 bytes without having to generate a new RSA signature. The new movable.sed ends up with the same RSA signature.
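
The point made in the last post, as an added example that is not part of the original thread: a signature covering only the first 8 of 16 keyY bytes stays valid when the other 8 bytes change, and a party holding only the public key can verify but not sign. It assumes a toy textbook-RSA scheme with SHA-256 and a small constructed key; the real file uses RSA-2048 and its exact hashing and padding are not given on this page.

```python
import hashlib

# Toy textbook RSA from two known Mersenne primes (constructed for this
# example; far too small for real use, and real schemes add padding).
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537                      # public key: what a verifier holds
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: signer only

SIGNED_LEN = 8  # per the post above: only the first 8 keyY bytes are signed


def digest(key_y: bytes) -> int:
    """Hash only the signed prefix (SHA-256 is an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(key_y[:SIGNED_LEN]).digest(), "big")


def sign(key_y: bytes) -> int:
    """Requires the private exponent D."""
    return pow(digest(key_y), D, N)


def verify(key_y: bytes, sig: int) -> bool:
    """Requires only the public values (N, E)."""
    return pow(sig, E, N) == digest(key_y)


def demo() -> dict:
    original = bytes(range(16))                  # constructed 16-byte keyY
    sig = sign(original)
    tail_changed = original[:8] + b"\xaa" * 8    # unsigned half regenerated
    head_changed = b"\xbb" + original[1:]        # signed half altered
    # A verifier-only party has no D; exponentiating with E is not signing.
    public_only = pow(digest(head_changed), E, N)
    return {
        "original": verify(original, sig),
        "tail_changed_same_sig": verify(tail_changed, sig),
        "head_changed_same_sig": verify(head_changed, sig),
        "head_changed_public_only": verify(head_changed, public_only),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'rejected'}")
```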