Hacking Where is the OTP located?

[yacepi15]

The OTP is located on the NAND or in the Bootrom? Thanks.
(And... If it is located in NAND,why cant be extracted from a NAND dump?)

 

[mashers]

It's in the bootrom, which hasn't been decrypted yet afaik.

 

[Ryccardo]

It's a separate PROM inside the cpu, unlike the bootrom which is also there but a factory-stamped ROM!

 

[mashers]

Oh my mistake, I thought it was actually within the bootrom.

 

[yacepi15]

And... What locks reading from that region at boot? The Native_firm?

 

[daxtsu]

And... What locks reading from that region at boot? The Native_firm?

As far as I know, that's correct, since 3dbrew mentions that as of FIRM 3.0, the OTP became locked on boot. On a related note, the bootrom locks itself, if I'm not mitaken.

 

[ihaveahax]

And... What locks reading from that region at boot? The Native_firm?

yes; this is why we can go to versions before 3.0 to get the OTP.

 

[yacepi15]

And today,installing A9LH is safe?

 

[Bedel]

And today,installing A9LH is safe?

Yes, at least if you can follow a guide without skipping any step.

 

[daxtsu]

And today,installing A9LH is safe?

Unless we end up getting some kind of a bootrom exploit, or some other "miracle" hack comes about, downgrading to 2.1 will remain the only realistic option to get the OTP, and @d0k3's tools have proven time and again to be safe. As long as you can follow directions, the entire process is about as safe as it can possibly be, especially now since Hourglass9 is out, which should remove a lot of human error from the NAND restoration parts.

 

[Heran Bago]

http://fanlore.org/wiki/OTP

 

[dimmidice]

i've done two installs of A9LH in recent days. it's safe but read the guide thoroughly, follow the guide exactly, take it slow, and if you're unsure of anything ask for help somewhere. don't assume anything.

 

[Ryccardo]

Oh my mistake, I thought it was actually within the bootrom.

Oh, don't worry, it's a technical detail that won't affect common users/developers and most likely not even bootrom researchers; but when you make consoles by the tens of thousands, a fixed rom + a small prom is cheaper and more reliable than a larger prom!

 

[richardparker]

It's in the bootrom, which hasn't been decrypted yet afaik.

whats afaik??

 

[mashers]

whats afaik??

As far as I know.

 

[nl255]

Unless we end up getting some kind of a bootrom exploit, or some other "miracle" hack comes about, downgrading to 2.1 will remain the only realistic option to get the OTP, and @d0k3's tools have proven time and again to be safe. As long as you can follow directions, the entire process is about as safe as it can possibly be, especially now since Hourglass9 is out, which should remove a lot of human error from the NAND restoration parts.

Do you know if anyone has looked at applying Tempesthax to the 3DS? I know it already has to several different kinds of encryption software on both the iPhone and Android to extract ECDSA keys.

 

[mashers]

Do you know if anyone has looked at applying Tempesthax to the 3DS? I know it already has to several different kinds of encryption software on both the iPhone and Android to extract ECDSA keys.

I don't fully understand what they're doing there, but it says this:

fully extract decryption keys, by measuring the laptop's electromagnetic emanations during decryption of a chosen ciphertext

Wouldn't that mean we would need to know the encryption/decryption key used to protect OTP in order to have any hope of discovering it using the method? Also, the equipment needed is so specialised, whereas currently OTP can be captured using a relatively safe method.

 

[richardparker]

As far as I know.

oh right thanks!

 

[nl255]

I don't fully understand what they're doing there, but it says this:


Wouldn't that mean we would need to know the encryption/decryption key used to protect OTP in order to have any hope of discovering it using the method? Also, the equipment needed is so specialised, whereas currently OTP can be captured using a relatively safe method.

No, the whole point of what they did is to extract the keys. Known/chosen plaintext means that you know (or can control) what is being encrypted or decrypted. Also, the point of using something like that would be to get the Bootrom keys or other keys we don't have, not OTP. You know, like the ones that would be needed to install CIA files or system titles directly, which would allow downgrading to any firmware via hardmod. Or decrypting games without the need for a 3DS and decrypt9.

 

[mashers]

No, the whole point of what they did is to extract the keys. Known/chosen plaintext means that you know (or can control) what is being encrypted or decrypted. Also, the point of using something like that would be to get the Bootrom keys or other keys we don't have, not OTP. You know, like the ones that would be needed to install CIA files or system titles directly, which would allow downgrading to any firmware via hardmod. Or decrypting games without the need for a 3DS and decrypt9.

I see. But still, wouldn't those keys be per-console, and hence the same elaborate process would be needed to capture them each time?