Was NAND ever decrypted?

Discussion in '3DS - Flashcards & Custom Firmwares' started by _V1qY, Jan 9, 2014.

  1. _V1qY
    OP

    _V1qY GBAtemp Regular

    Member
    138
    36
    May 31, 2012
    Using hardware modifications, you can dump and put back your NAND; however, since it is encrypted with a key specific to your 3DS unit, you cannot use the NAND of someone else from a lower firmware.

    When the Gateway exploit is used, the settings app changes the text of the firmware to be "GW 4.5" or something. So was Gateway able to decrypt the NAND format and make changes to it (the emuNAND) and encrypt it? Or was this just a temporary change in RAM?
     
  2. iCEQB

    iCEQB GBAtemp Advanced Fan

    Member
    682
    447
    Nov 2, 2013
    United States
    Only a change in RAM, and not a big one actually; they just replaced the 4 characters ("Ver.") with "GW3D".
    But we should be able to get the keys to decrypt the NAND with that RAM dumper app that was released around Christmas afaik.
     
  3. Pong20302000

    Pong20302000 making notes on everything

    Member
    8,076
    1,932
    Sep 8, 2009
    One's inner self
    Yes, NAND images have been decrypted.
    Only recently though.
     
  4. iCEQB

    iCEQB GBAtemp Advanced Fan

    Member
    682
    447
    Nov 2, 2013
    United States
    Nice, where?
     
  5. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    GBAtemp Patron
    12,113
    5,181
    Mar 17, 2010
    Norway
    Alola
    smea figured it out.
     
  6. Foxi4

    Foxi4 On the hunt...

    Reporter
    23,558
    21,538
    Sep 13, 2009
    Poland
    Gaming Grotto
    What makes you so sure? If encryption and decryption mechanisms are isolated, as was the case with the Wii, you won't be able to do jack before you're able to have a look at the activity in that particular, isolated sector.

    Of course, that being said, I have no idea how it's done on the 3DS - it remains to be seen. So far, smealum's made some progress with decrypting system titles - maybe he'll have a look at NAND once he's done playing with those.

    EDIT: Scratch that, neimod did it, apparently.

    http://gbatemp.net/threads/3ds-firmware-has-been-decrypted.332624/
     
  7. _V1qY
    OP

    _V1qY GBAtemp Regular

    Member
    138
    36
    May 31, 2012
    If he'd just release it, we could get a dump of our current firmware, use a tool to get its key, then encrypt someone else's firmware with our key, and we would have a hardware downgrade.
     
  8. iCEQB

    iCEQB GBAtemp Advanced Fan

    Member
    682
    447
    Nov 2, 2013
    United States
    It won't work like this; the key to decrypt anything is probably in an encrypted executable/bootrom/die somewhere.
    Only unsigned code will most likely give you the slightest chance to get it. (I don't know about kernel and userland separation on the 3DS, but I'm pretty sure it's there.)
     
  9. justinkb

    justinkb GBAtemp Advanced Fan

    Member
    619
    210
    Oct 7, 2012
    Netherlands
    The key cannot be extracted via software. Also, AES can't be broken, even if you know the entire plaintext.
     
  10. mathieulh

    mathieulh GBAtemp Fan

    Member
    335
    394
    Feb 28, 2008
    France
    The eMMC (why does everyone call it a NAND? Well, I guess it does use one anyway) is encrypted using a per-3DS key set by the bootrom to an AES hardware keyslot; these keyslots are write-only and cannot be read.

    Therefore the only way to decrypt the content of an eMMC chip is to use the AES hardware engine of the 3DS it came from. The whole process is rather slow and can only be done if you are running your own ARM9 code on the device (aka kernel mode).

    Also, just to be sure we are on the same page here, you obviously can't write back the decrypted content to the eMMC pages, it needs to be encrypted with the right key.

    You get the idea.
     
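    The write-only keyslot that mathieulh describes, as an added Go model that is not code from the thread or from any 3DS tool: the slot type, its method names and the use of AES-CTR are assumptions made for the model, and the sample keys and sector are constructed. It shows both halves of the argument: a console's own engine can decrypt and re-encrypt an image without the key ever leaving the slot, while an image written with another console's key reads as garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// KeySlot models a write-only AES hardware keyslot as described in the thread:
// software can load a key and drive the engine, but nothing returns the key.
type KeySlot struct {
	block cipher.Block // unexported: no accessor exposes the key material
}

// SetKey loads a per-console key into the slot (the bootrom's job on the 3DS).
func (s *KeySlot) SetKey(key []byte) error {
	b, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	s.block = b
	return nil
}

// Crypt runs AES-CTR over one sector; CTR is a modeling assumption (the thread
// names no mode), so encrypt and decrypt are the same call and iv is the counter.
func (s *KeySlot) Crypt(iv, sector []byte) []byte {
	out := make([]byte, len(sector))
	cipher.NewCTR(s.block, iv).XORKeyStream(out, sector)
	return out
}

// Reencrypt moves a sector from the slot it was written with to another slot.
// Both keys stay inside the engine; only ciphertext and plaintext cross the API.
func Reencrypt(src, dst *KeySlot, iv, sector []byte) []byte {
	return dst.Crypt(iv, src.Crypt(iv, sector))
}

func main() {
	// Constructed keys and sector; real console keys are not knowable here.
	var a, b KeySlot
	_ = a.SetKey([]byte("console-A-key-16"))
	_ = b.SetKey([]byte("console-B-key-16"))
	iv := make([]byte, aes.BlockSize)
	plain := []byte("NAND sector: version 4.5 settings")
	imageA := a.Crypt(iv, plain)
	fmt.Println("B decrypts A's image as-is:", bytes.Equal(b.Crypt(iv, imageA), plain))
	fmt.Println("B decrypts re-encrypted image:", bytes.Equal(b.Crypt(iv, Reencrypt(&a, &b, iv, imageA)), plain))
}
```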
  11. Nismax

    Nismax GBAtemp Regular

    Member
    185
    60
    Sep 13, 2009
    United States
    Wasn't this FW decrypting what led to the current state of the scene? I.e. the hack was sold to the Gateway gangstas, resulting in a flash cart.
     
  12. Idaho

    Idaho GBAtemp Advanced Fan

    Member
    672
    402
    Oct 3, 2013
    France
    I'm curious, as it'd mean a major breakthrough. Do you have any more info? Can we re-encrypt those with other keys???
     
  13. _V1qY
    OP

    _V1qY GBAtemp Regular

    Member
    138
    36
    May 31, 2012
    "
    1. Brandon Serpas @BJSerpas 28 Dec
      @smealum Just curious: what is currently keeping us from downgrading our firmwares? I know it's possible, but only with a prior NAND backup.
    2. smea @smealum 28 Dec
      @BJSerpas assuming you had flashing hardware and a way to decrypt/encrypt data for your 3DS, you could probably downgrade your console.
    3. Brandon Serpas @BJSerpas 28 Dec
      @smealum And that's where you come in to decrypt stuff, right? :3
    4. smea @smealum 28 Dec
      @BJSerpas but yeah i actually did decrypt my own nand; cf http://smealum.net/mount.png . unfortunately, there's no solution for the masses.
    "
     
  14. Idaho

    Idaho GBAtemp Advanced Fan

    Member
    672
    402
    Oct 3, 2013
    France
    How boring. What does he mean, "no solution for the masses"? If he means electronic intervention, it's not a problem for a lot of people around here...
     
  15. KazoWAR

    KazoWAR GBAtemp Advanced Maniac

    Member
    1,800
    683
    Aug 12, 2008
    United States
    Winter Haven
    You'd be surprised.
     
  16. Idaho

    Idaho GBAtemp Advanced Fan

    Member
    672
    402
    Oct 3, 2013
    France
    Yeah well, I know not everybody has the skills for soldering and unsoldering stuff, or even the money to afford the appropriate tools to do so.
    But come on, we need electronic intervention on the Xbox 360 to hack it, and that's not a problem for anyone who's willing to, as he'll do it by himself or pay a guy to do it...
     
  17. DinohScene

    DinohScene Capture the Dino

    Member
    GBAtemp Patron
    16,087
    12,615
    Oct 11, 2011
    Antarctica
    В небо
    Probably ease of use.
    Or a familiar sounding word.
    Just like everyone calling a hack a "jailbreak".
     
  18. profi200

    profi200 Banned

    Banned
    330
    216
    Sep 3, 2011
    Gambia, The
    NAND flash + eMMC controller.

    And btw, just re-encrypting the other NAND image doesn't work. There are other things which need to be changed.
     
  20. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,964
    3,238
    Nov 18, 2012
    United States
    Las Vegas
    Well the main problem is that you'd have to find your console's encryption key, which could be fairly trivial if you've already updated to 6.x or 7.x.