3DS System Flaws: Difference between revisions

No edit summary
cache fail
Line 125: Line 125:
!  Public disclosure timeframe
!  Public disclosure timeframe
!  Discovered by
!  Discovered by
|-
| Leak of normal-key matching a key-scrambler key
| Firmware versions [[8.1.0-18|8.1.0]] through [[9.2.0-20|9.2.0]] set the encryption key for [[Amiibo]] data using a hardcoded normal-key in Process9.  In firmware [[9.3.0-21|9.3.0]], Nintendo "fixed" this by using the key scrambler instead, by calculating the keyY value for keyslot 0x39 that results in the same normal-key, then hardcoding that keyY into Process9.
Nintendo's fix is actually the problem: Nintendo revealed the normal-key matching an unknown keyX and a known keyY.  Combined with the key scrambler using an insecure scrambling algorithm (see "Hardware" above), the key scrambler function could be deduced.
| Deducing the keyX for keyslot 0x39 and the key scrambler algorithm
| [[9.3.0-21|9.3.0-X]], sort of
| [[10.0.0-27|10.0.0-X]]
| January 2015
|
| [[User:Yellows8|Yellows8]]
|-
|-
| Title downgrading via [[Application_Manager_Services|AM]]([[Application_Manager_Services_PXI|PXI]])
| Title downgrading via [[Application_Manager_Services|AM]]([[Application_Manager_Services_PXI|PXI]])
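Review bot: the cell reading `[[9.3.0-21|9.3.0-X]], sort of` in the new row is too vague to act on, especially since the description says the 9.3.0 change is what revealed the normal-key. Spell out what "sort of" means in that cell, or move the qualifier into the description. The pointer `(see "Hardware" above)` would also hold up better as a section link than as a relative position, and the cell between `January 2015` and the discoverer is left empty; if there was no public disclosure date, say so explicitly.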
Line 253: Line 264:
| March 2015, original timeframe if any unknown
| March 2015, original timeframe if any unknown
|  
|  
| plutoo/[[User:Yellows8|Yellows8]]/maybe others(?)
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)
|-
|-
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])
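Review bot: the new link `[[User:Plutooo|plutoo]]` points at a target spelled with three o's while the display text has two. Confirm `User:Plutooo` is the existing user page so the link resolves; the same link is added again in the row changed at line 294.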
Line 283: Line 294:
| March 2015, originally 2012 for the first issue at least
| March 2015, originally 2012 for the first issue at least
|  
|  
| plutoo, [[User:Yellows8|Yellows8]], maybe others(?)
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]], maybe others(?)
|}
|}