[Relax]Question about NAND, more?

Discussion in '3DS - Console, Accessories and Hardware' started by Syphurith, Sep 6, 2015.

  1. Syphurith
    Well, I'm not one who comes for NAND backups. Orz
    And yes, I hope you can have fun reading this. Yep
    Know some details or not, I hope you enjoy it, really. Really..?

    As you may already know, NAND chips have a lifespan - a write cycle limit. I think you know it?
    Of course, the 3DS NAND is encrypted, and you have ways to dump it. Yes
    And surely I think they used some wear leveling or other techniques to extend the lifespan of the chip on the motherboard.
    Just like what I planned to do with that f**king chip on a board with an STM32 months ago - too hard for me now.
    When I simply thought someone just played the console too much.. I mean out of its lifespan
    The chip might become read-only, or even worse. And some new data may also be randomly lost.
    Randomly lost - almost with wear leveling only - if I only write 1 block then others may still be good for some time.

    And now the first question jumped out! What is a predictable lifespan of the console? Sounds ridiculous?
    I mean the maximum time you could play with it. Yes maximum, 8 hours a day or you can still use times to count it.
    For predictable, I mean like saying one just plays Mii Plaza every day and encounters 100. You can make your case.
    The chip may be 2GB, with the other part reserved for wear leveling or other uses. However you can think of it as just 1GB.
    You can guess, predict, or even calculate. For a specific 3DS revision or other you like.
    Then, what if you redirect most of that IO to the SD card. I mean EmuNAND. Horrible lifespan?

    Also I doubt very much about where the keys should be stored. The AES Engine could be in the ARM, or somewhere else.
    OTP stands for One-Time-Programmable. However GW wrote its key into the scrambler and so did Nintendo (for 7.x).
    So I thought it might not be in the OTP sections, or other chips we don't know. Maybe only bootrom there..?
    If that is packed into the core, it still should have an address at least when booting.

    As you can see in the 3DS motherboard picture, and on the 3dbrew hardware page, there is a customized chip.
    And Renesas, producer of the UC CTR/KTR, has secure cores with EEPROM. And different OP codes.
    Don't tell me UC just means User-Customed. I don't know what it may do. CTR on Old 3DS and KTR for New.


    Thanks for reading. If you want me to know your thoughts please tag me, like @Syphurith.
    If you think those above are ridiculous, and don't want to reply to me, leave it as it is now please, thanks.
     
  2. The Real Jdbye

    @Syphurith

    You can actually see what part of the system sets individual encryption keyslots right here: http://www.3dbrew.org/wiki/AES_Registers
    For the 7.0 key it is set by NATIVE_FIRM boot. Many of the keys (the permanent ones) are set by the ARM9 bootrom (which is OTP I think) as all encryption is handled by ARM9.

    The lifespan of an SD card should not be much worse than the 3DS' eMMC. They are both NAND type memory. Realistically, you will stop using the 3DS before the NAND wears out anyway (it will take many years under normal circumstances), but an SD card can always be replaced; the eMMC in the 3DS is not so easy to replace. So emuNAND is actually preferable for those who are worried about wearing out the NAND memory.
     
  3. Syphurith
    Much help, thanks. Oh.. So OTP for those factory only keys.. maybe set in bootrom.

    Then could you please think of this question? It is said that for New 3DS with 9.6+ booting, the NATIVE_FIRM has an additional layer.
    If there is a partially decrypted copy stored in NAND or elsewhere, it might be done during the update of NATIVE_FIRM.
    This is not so difficult to find out, if you dump emuNAND, update the package/CIA, and dump again, with xorpad compare? However I have no New 3DS.
    Or else, if it is the bootrom that loads the NATIVE_FIRM, how does it know the NATIVE_FIRM needs to be decrypted once more?
    If it does know, then it might not be in the OTP, or the NATIVE_FIRM isn't directly loaded by bootrom.

    And, as you see, there is no possibility for a New 3DS running EmuNAND 9.6+, CURRENTLY, yes. Just beyond our knowledge now.
    Indeed I'm quite interested in what happens when those updates are applied. Something must handle it somewhere. However this is not so related to its hardware.

    Eh.. What about the UC chip? Could it be something else? As seen in the front image of the motherboard it seems to have 48 pins. Quite similar to an MPU or MCU.
    I found some info about Renesas' secure core, which was released in 2011. However its IO interfaces are not as fast as what is needed to decrypt a stream..
    RS47X [http://www.ipa.go.jp/security/jisec/hardware/hw_certified_products/c0440/c0440_st.pdf] no OTP..

    Edit: Never mind. If you get no clue about this mystery chip.
     
    Last edited by Syphurith, Sep 6, 2015
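
The "dump, update, dump again, with xorpad compare" idea from the post above, as an added example that is not part of the thread: it finds which sectors changed between two same-size dumps and decrypts only those. Assumptions: 512-byte sectors, a xorpad that is the keystream for both dumps, hypothetical function names, and constructed sample data.

```python
import hashlib

SECTOR = 0x200  # assumed sector size for this example

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def changed_ranges(before, after, sector=SECTOR):
    """Return merged (start, end) byte ranges whose sectors differ."""
    if len(before) != len(after):
        raise ValueError("dumps must be the same size")
    ranges = []
    for off in range(0, len(before), sector):
        if before[off:off + sector] == after[off:off + sector]:
            continue
        if ranges and ranges[-1][1] == off:   # extend the previous run
            ranges[-1] = (ranges[-1][0], off + sector)
        else:
            ranges.append((off, off + sector))
    return ranges

def decrypt_range(dump, xorpad, start, end):
    """plaintext = dump XOR xorpad over [start, end)."""
    if end > len(xorpad) or end > len(dump):
        raise ValueError("range not covered by dump and xorpad")
    return xor_bytes(dump[start:end], xorpad[start:end])

def constructed_pad(n):
    """Stand-in keystream for the demo; not the console's real cipher."""
    blocks = (hashlib.sha256(b"constructed" + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def demo():
    pad = constructed_pad(8 * SECTOR)
    old = bytes(8 * SECTOR)                      # constructed "before" contents
    new = bytearray(old)
    new[2 * SECTOR:4 * SECTOR] = b"\xAA" * (2 * SECTOR)  # two rewritten sectors
    new[6 * SECTOR + 5] = 0x01                   # one flipped byte elsewhere
    dump_before = xor_bytes(old, pad)
    dump_after = xor_bytes(bytes(new), pad)
    # Same pad at the same offset in both dumps, so the encrypted sectors
    # differ exactly where the plaintext differs: the diff needs no pad.
    ranges = changed_ranges(dump_before, dump_after)
    return ranges, decrypt_range(dump_after, pad, *ranges[0])

if __name__ == "__main__":
    ranges, first = demo()
    print([(hex(s), hex(e)) for s, e in ranges], first[:4].hex())
```

The xorpad is only needed to read what the changed sectors contain, not to find them.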