FIRM: Difference between revisions
| Line 75: | Line 75: | ||
* Hashes data from the region 0x10012000-0x10012090 using SHA2. | * Hashes data from the region 0x10012000-0x10012090 using SHA2. | ||
* Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively. | * Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively. | ||
* Crypts an unknown 0x10-byte block with keyslot 0x11, then uses the output block to set the normalkey for keyslot 0x11. | |||
* Decrypts arm9_bin_buf+0 using keyslot 0x11, and initialises keyX for keyslot 0x15 with it. | * Decrypts arm9_bin_buf+0 using keyslot 0x11, and initialises keyX for keyslot 0x15 with it. | ||
* Initialises KeyX for keyslots 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11. These are presumably New3DS-specific keys. | * Initialises KeyX for keyslots 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11. These are presumably New3DS-specific keys. | ||
It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the IV to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, it decrypts | It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the IV to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, it decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15 and makes sure it's all zeroes. It it is, it jumps to the decrypted addr. Otherwise it will just loop forever. | ||
Thus, the ARM9 binary has the following header: | Thus, the ARM9 binary has the following header: | ||
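Review bot: the revision drops the bullet "Crypts an unknown 0x10-byte block with keyslot 0x11, then uses the output block to set the normalkey for keyslot 0x11" without a replacement. The remaining bullets still decrypt arm9_bin_buf+0 and encrypt the binary sequence for keyslots 0x18-0x20 with keyslot 0x11. The text should say whether that step was wrong or is already implied by the keyX/keyY initialisation from the SHA2 hash, so the key actually used for those operations is unambiguous. In the rewritten paragraph, "It it is, it jumps to the decrypted addr" should read "If it is", and "an hardcoded keyY" should be "a hardcoded keyY". The new sentence about decrypting arm9_bin_buf+64 and checking for zeroes would also be clearer if it stated the size of the block being checked and which address "the decrypted addr" refers to.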