Homebrew The bootroms

[Aletron9000]

That should already be quite doable without any bootroms. Hell the "bigbluemenu" that everyone was using for so long is nothing but a dev "rom" with a banner and (maybe) encryption/signing swap.

But at first, it was a dev .cia, someone took it, put it into a dev unit and decrypted the cia, then reencrypted it on a retail system. I mean we would be able to decrypt dev roms on the computer without a dev unit.

Which would make things easier and cheaper

 

[Thee_BaBs]

-snip-

 

[sirocyl]

The "Dev bootrom" is identical to the master, production, retail bootrom. In fact, the only place the bootrom itself would vary, is in an engineering sample pre-release - likely one with a socketed SoC, too.

The only thing that differs, is the contents of the OTP area, and what bootrom does with them - the OTP holds secondary keys, system identification/registration numbers, and system configurations/provisioning.

The bootrom holds a key which is used to decrypt the OTP area, which is the same key in all configurations.

Also, the bootrom key may be responsible for "factory things", such as preinstall and the provision/registration process (which "burns" the OTP in the first place).
That way, if said "factory things" were to leak from the factory, they'd be useless without the bootrom secret.

 

[Poryhack]

But at first, it was a dev .cia, someone took it, put it into a dev unit and decrypted the cia, then reencrypted it on a retail system. I mean we would be able to decrypt dev roms on the computer without a dev unit.

That has also been possible for some time using nothing but ctrtool/makerom, provided the dev CIA is using the "fixed" dev NCCH keys. See for yourself (ctrl+F, "dev_fixed_ncch_key"). Spoiler alert: For non-system titles it's literally just zeros.

 

[Aletron9000]

That has also been possible for some time using nothing but ctrtool/makerom, provided the dev CIA is using the "fixed" dev NCCH keys. See for yourself (ctrl+F, "dev_fixed_ncch_key"). Spoiler alert: For non-system titles it's literally just zeros.

I have alot of work to catch up on now that i know this.

 

[dankzegriefer]

So if timing is that short, what about making a loop that increments the number of ms each time so we get the timing with brute force?

ms might be too fast.

--------------------- MERGED ---------------------------

That has also been possible for some time using nothing but ctrtool/makerom, provided the dev CIA is using the "fixed" dev NCCH keys. See for yourself (ctrl+F, "dev_fixed_ncch_key"). Spoiler alert: For non-system titles it's literally just zeros.

DevMenu is always encrypted as a system title.

 

[PabloMK7]

ms might be too fast.

I said ms, but I meant any time unit, I know it is much smaller time

 

[dankzegriefer]

I said ms, but I meant any time unit, I know it is much smaller time

The best device for the job might be an FPGA.

 

[dankzegriefer]

Is the actual timing known but not feasible to get?

The timing is unknown and infeasible unless you have a very fast device. I think an old estimation is you'd need a processor faster than the 3DS's to even attempt.

 

[Poryhack]

DevMenu is always encrypted as a system title.

Yes but the fixed crypto key for system titles is on that page as well, right next to the non-system key.

 

[dankzegriefer]

Yes but the fixed crypto key for system titles is on that page as well, right next to the non-system key.

New versions use new NCCH crypto.

 

[Poryhack]

New versions use new NCCH crypto.

Ah, well in that case yes. It would require keys from the bootrom (or at least keys that haven't been discovered yet) to decrypt on a computer. Should also be possible to decrypt with Decrypt9 on an updated dev system.

 

[dankzegriefer]

Ah, well in that case yes. It would require keys from the bootrom (or at least keys that haven't been discovered yet) to decrypt on a computer. Should also be possible to decrypt with Decrypt9 on an updated dev system.

And dev systems grow on trees.

 

[Swiftloke]

The timing is unknown and infeasible unless you have a very fast device. I think an old estimation is you'd need a processor faster than the 3DS's to even attempt.

That's not that hard these days xD

 

[dankzegriefer]

That's not that hard these days xD

True, but it would probably need a direct connection, so an FPGA is probably the only thing that COULD do it.

 

[Poryhack]

And dev systems grow on trees.

Not sure if sarcasm or not, but they've never been easier to acquire. Even without going the NDA route there is sure to be a fairly active secondhand market on ASSEMblergames. Hell, there's even a debugger unit for sale on eBay. Cost will always be an issue, but from what I hear the "panda" units can be had for surprisingly cheap.

 

[Suiginou]

New versions use new NCCH crypto.

New NCCH crypto (7.x crypto) does not use hardcoded bootrom keys. It's possible to write an a9lh tool to regenerate the keys.

 

[dankzegriefer]

New NCCH crypto (7.x crypto) does not use hardcoded bootrom keys. It's possible to write an a9lh tool to regenerate the keys.

Yeah, now you get a SNAKE devkit and install arm9loaderhax on it. If @Reisyukaku hasn't already done it, nobody will.

 

[Suiginou]

Yeah, now you get a SNAKE devkit and install arm9loaderhax on it. If @Reisyukaku hasn't already done it, nobody will.

But he has.

 

[Xenon Hacks]

But he has.

Please tell this is just a language gap and when you said "he" you meant "it"