869
edits
Changes
→FIRM
For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader.
For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader.
If (u8*)0x10000000 bit 1 is clear, it hashes data from the region 0x10012000-0x10012090 using SHA2, and then sets AES keyslot 0x11 to the lower portion of that hash. It then initialises KeyX for keyslots 0x15, 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11.
If (u8*)0x10000000 bit 1 is clear (which means that this happens only on hard reboots), it does the following things:
* Hashes data from the region 0x10012000-0x10012090 using SHA2.
* Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively.
* Decrypts arm9_bin_buf+0 using keyslot 0x11, and initialises keyX for keyslot 0x15 with it.
* Initialises KeyX for keyslots 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11. These are presumably New3DS-specific keys.
It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the IV to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, the keys for keyslot 0x15 is cleared and it jumps to the decrypted addr.
It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the IV to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, it decrypts arm9_bit_buf+64 using a fixed key and makes sure it's all zeroes. It it is, it jumps to the decrypted addr. Otherwise it will just loop forever.
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 16
| Encrypted KeyX
|-
| 0x010
| 16
| KeyY
|-
| 0x020
| 16
| IV
|-
| 0x030
| 16
| ?
|-
| 0x040
| 16
| Control block
|}
=See Also=
=See Also=