Where is the OTP located?

Discussion in '3DS - Flashcards & Custom Firmwares' started by yacepi15, May 29, 2016.

  1. yacepi15
    OP

    yacepi15 GBAtemp Advanced Fan

    Is the OTP located on the NAND or in the bootrom? Thanks.
    (And... if it is located in NAND, why can't it be extracted from a NAND dump?)
     


  2. mashers

    mashers Stubborn ape

    It's in the bootrom, which hasn't been decrypted yet afaik.
     
  3. Ryccardo

    Ryccardo WiiUaboo

    It's a separate PROM inside the CPU, unlike the bootrom, which is also there but is a factory-stamped ROM!
     
  4. mashers

    mashers Stubborn ape

    Oh my mistake, I thought it was actually within the bootrom.
     
  5. yacepi15
    OP

    yacepi15 GBAtemp Advanced Fan

    And... What locks reading from that region at boot? The Native_firm?
     
  6. daxtsu

    daxtsu GBAtemp Guru

    As far as I know, that's correct, since 3dbrew mentions that as of FIRM 3.0, the OTP became locked on boot. On a related note, the bootrom locks itself, if I'm not mistaken.
     
  7. ihaveamac

    ihaveamac GBAtemp Guru

    Yes; this is why we can go to versions before 3.0 to get the OTP.
     
  8. yacepi15
    OP

    yacepi15 GBAtemp Advanced Fan

    And today, is installing A9LH safe?
     
  9. Bedel

    Bedel The key of the blade

    Yes, at least if you can follow a guide without skipping any step.
     
  10. daxtsu

    daxtsu GBAtemp Guru

    Unless we end up getting some kind of a bootrom exploit, or some other "miracle" hack comes about, downgrading to 2.1 will remain the only realistic option to get the OTP, and @d0k3's tools have proven time and again to be safe. As long as you can follow directions, the entire process is about as safe as it can possibly be, especially now since Hourglass9 is out, which should remove a lot of human error from the NAND restoration parts.
     
  11. Heran Bago

    Heran Bago Where do puyo come from?

  12. dimmidice

    dimmidice GBAtemp Advanced Maniac

    I've done two installs of A9LH in recent days. It's safe, but read the guide thoroughly, follow the guide exactly, take it slow, and if you're unsure of anything ask for help somewhere. Don't assume anything.
     
  13. Ryccardo

    Ryccardo WiiUaboo

    Oh, don't worry, it's a technical detail that won't affect common users/developers and most likely not even bootrom researchers; but when you make consoles by the tens of thousands, a fixed rom + a small prom is cheaper and more reliable than a larger prom!
     
  14. richardparker

    richardparker GBAtemp Advanced Fan

    What's afaik??
     
  15. mashers

    mashers Stubborn ape

    As far as I know.
     
  16. nl255

    nl255 GBAtemp Addict

    Do you know if anyone has looked at applying Tempesthax to the 3DS? I know it already has been applied to several different kinds of encryption software on both the iPhone and Android to extract ECDSA keys.
     
  17. mashers

    mashers Stubborn ape

    I don't fully understand what they're doing there, but it says this:

    Wouldn't that mean we would need to know the encryption/decryption key used to protect OTP in order to have any hope of discovering it using the method? Also, the equipment needed is so specialised, whereas currently OTP can be captured using a relatively safe method.
     
  18. richardparker

    richardparker GBAtemp Advanced Fan

    Oh right, thanks!
     
  19. nl255

    nl255 GBAtemp Addict

    No, the whole point of what they did is to extract the keys. Known/chosen plaintext means that you know (or can control) what is being encrypted or decrypted. Also, the point of using something like that would be to get the Bootrom keys or other keys we don't have, not OTP. You know, like the ones that would be needed to install CIA files or system titles directly, which would allow downgrading to any firmware via hardmod. Or decrypting games without the need for a 3DS and decrypt9.
     
  20. mashers

    mashers Stubborn ape

    I see. But still, wouldn't those keys be per-console, and hence the same elaborate process would be needed to capture them each time?