[Technical Question] Bypassing the need of a seed

Discussion in '3DS - Homebrew Development and Emulators' started by adrifcastr, Jun 8, 2017.

  1. adrifcastr

    Sep 12, 2016
    Idk, this was like around when *hax 2.8 beta was revealed by smea including the PASLR bypass, I imagine that there was also something said about bypassing the need for speed of a seed for preloads for example. I couldn't find any technical writeup on that (Or I'm too dumb to browse 3dbrew/other sites idk) and I'd like to have someone who has knowledge regarding this to answer it, I have no actual clue how the seed crypto works etc... So any good answers are appreciated.
  2. Arck

    Mar 13, 2016
    Is that even possible?

    If it is, then I guess more than one person will try some stuff to get Pokemon Ultra Sun/Moon early.
  3. Giodude

    May 17, 2015
    United States
    New York
    If I were to guess, it has the seed crypto built in, so anybody can launch any app that has a crypto for 9.6+ firmware. I remember before the paslr bypass you had to have a bunch of files on your sd card that would fill that role, but I haven't used hax legitimately since 2.7. I also can't test it anymore due to Rosalina doing away with hax payloads entirely.
  4. Ryccardo

    Feb 13, 2015
    Basically, a cia (also physical games, but they never use seed mode) is made up of different partitions, called Contents or NCCHs

    The whole cia (but not .3ds or the actually installed files) is protected by a titlekey, itself encrypted with key 0x3D
    (installed files have, at this layer, console-specific encryption coming from the movable.sed and other factors = key 0x34)
    (physical games use key 0x3B)

    Individual contents may or may not be encrypted by some keys (they actually refer to only one part of the final key, the other comes from the ncch itself anyway):
    - No encryption at all
    - Zerokey
    - System fixed key
    - Normal key (comes from the bootrom, that's why only as of 2 days ago we got the first PC title decryptor, Slot0x2CKeyX)
    - 7.0 key (better known as Slot0x25keyX)
    - Secure3 (slot0x18KeyX, N3DS exclusive, Xenoblade uses this)
    - Secure4 (slot0x1BKeyX, N3DS exclusive, 9.6+)

    Now, my phrase above "the other comes from the ncch itself anyway" is wrong if seed encryption is used (which adds complexity to one of the above, it's not an alternative)
    There simply is one more key, which anyone can freely download from the eShop servers (with FBI2, or even just visiting the game's page on the eShop), and is saved to internal storage in the FS driver's save...
    The trick, of course, is that Nintendo decides when and for which regions the key should be available (the second problem is easily bypassed, the first... nope) and is indeed the reason we could download big-name recent games days before launch, even install them because we had the titlekey, but not run them
    (The icon was still visible on Home, despite being part of the ExeFS which is inside the NCCH, because some parts of a content like the icon/header/exheader use old-style encryption so that they can be read on outdated consoles - or ones without seed! - and they select which key to use anyway)

    Seeds are exclusive to 9.6+ digital titles (not for technical reasons, but it would be stupid to force physical game owners to connect to the eShop)

    HBL/Payload updates never claimed to bypass seeds actually, rather they fixed running a .3dsx over a title which uses seed, but you must have that seed installed!
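A worked illustration of the layering described in the post above, added here as an example and not part of any post in this thread. The seed check and the seeded KeyY derivation follow 3dbrew's description of NCCH seed crypto as recalled from memory, so treat the exact formulas as an assumption; every key, seed and title ID below is a constructed placeholder, not real Nintendo data.

```python
import hashlib
import struct
from typing import Optional

# Constructed sample values; none of these are real Nintendo keys or title IDs.
PROGRAM_ID = 0x0004000000ABC100                        # hypothetical digital title ID
BASE_KEYY = bytes(range(0x10))                         # stands in for the first 16 bytes of the NCCH signature
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical eShop seed
SECONDARY_REGIONS = {"exefs_code", "romfs"}            # regions keyed with the 0x25/0x18/0x1B slot


def seed_check(seed: bytes, program_id: int) -> bytes:
    """Check value the FS driver compares against the NCCH header when a seed is installed:
    first 4 bytes of SHA-256(seed || programID as little-endian u64). Assumed formula."""
    return hashlib.sha256(seed + struct.pack("<Q", program_id)).digest()[:4]


def seeded_keyy(base_keyy: bytes, seed: bytes) -> bytes:
    """KeyY for the seeded (secondary) keyslot: SHA-256(KeyY || seed)[:16]. Assumed formula."""
    return hashlib.sha256(base_keyy + seed).digest()[:16]


def keyy_for_region(region: str, base_keyy: bytes, seed: Optional[bytes]) -> Optional[bytes]:
    """Which KeyY a region of a seed-crypto NCCH needs. Header, exheader and icon keep the plain
    KeyY (readable without a seed, which is why the icon shows on Home), while .code and RomFS
    need the seeded KeyY and stay unreadable until the seed is installed (None = no key)."""
    if region not in SECONDARY_REGIONS:
        return base_keyy
    return None if seed is None else seeded_keyy(base_keyy, seed)


def install_seed(candidate: bytes, header_seed_hash: bytes, program_id: int) -> Optional[bytes]:
    """Mimic the install-time check: a seed is accepted only if its check bytes match the header."""
    if seed_check(candidate, program_id) != header_seed_hash:
        return None
    return candidate


if __name__ == "__main__":
    header_hash = seed_check(SEED, PROGRAM_ID)           # what a real header would carry
    assert install_seed(bytes(16), header_hash, PROGRAM_ID) is None   # wrong seed is rejected
    installed = install_seed(SEED, header_hash, PROGRAM_ID)
    print("icon KeyY :", keyy_for_region("exefs_icon", BASE_KEYY, None).hex())
    print("romfs KeyY:", keyy_for_region("romfs", BASE_KEYY, installed).hex())
```

Without the seed the RomFS/.code KeyY simply cannot be derived, which is the point the replies below make: the eShop-served seed is a second key input, not something a payload can bypass.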
  5. Drakia

    Mar 15, 2008
    Literally impossible. The seed is an encryption key, different for every release, and only available on Nintendo's servers once a game has been officially released. You could try to brute force, but the game would be out, and the universe would have long since died before you managed to decrypt it.
  6. Mikemk

    Mar 26, 2015
    United States
    Without the seed, the game is garbage (random) data.
