Changes

298 bytes added, 19:14, 8 October 2014
Line 73: Line 73:     
If (u8*)0x10000000 bit 1 is clear (which means that this happens only on hard reboots), it does the following things:
 
If (u8*)0x10000000 bit 1 is clear (which means that this happens only on hard reboots), it does the following things:
* Hashes data from the region 0x10012000-0x10012090 using SHA2.
+
* Hashes data from the region [[IO|0x10012000-0x10012090]] using SHA256 via the [[SHA_Registers|SHA]] hardware.
 
* Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively.
 
* Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively.
* Crypts an unknown 0x10-byte block with keyslot 0x11, then uses the output block to set the normalkey for keyslot 0x11.
+
* Decrypts an unknown 0x10-byte block with keyslot 0x11 using AES-ECB. Then the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. Then it uses the output block to set the normalkey for keyslot 0x11.
* Decrypts arm9_bin_buf+0 using keyslot 0x11, and initialises keyX for keyslot 0x15 with it.
+
* Decrypts arm9_bin_buf+0 using keyslot 0x11 with AES-ECB, and initialises keyX for keyslot 0x15 with it.
* Initialises KeyX for keyslots 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11. These are presumably New3DS-specific keys.  
+
* Initialises KeyX for keyslots 0x18-0x20 with the output of decrypting a certain binary sequence with AES-ECB using keyslot 0x11. These are presumably New3DS-specific keys.
 +
* The normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero.
   −
It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the CTR to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, it decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15 and makes sure it's all zeroes. If it is, it jumps to the decrypted addr. Otherwise it will just loop forever.
+
It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the CTR to arm9_bin_buf+32. It then proceeds to decrypt the binary with AES-CTR. When done, it decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15 and makes sure it's all zeroes. If it is, it does some cleanup then it jumps to the entrypoint for the decrypted binary. Otherwise it will just loop forever.
    
Thus, the ARM9 binary has the following header:
 
Thus, the ARM9 binary has the following header:
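Review bot: the rewritten third bullet moves the zeroing of keyslot 0x11's normalkey, keyX and keyY to before the normalkey is set from the output block, and the old final bullet that cleared keyslot 0x11 after the 0x15 and 0x18-0x20 keys were derived is dropped entirely; if the loader also wipes keyslot 0x11 after its last use, that should still be stated, since whether a derived normalkey stays resident in a slot after use is exactly the kind of detail this page tracks. The 0x18-0x20 bullet also flips "encrypting" to "decrypting" with no note; worth confirming against the disassembly, since the ECB direction changes the derived value. Minor: "an hardcoded keyY" should read "a hardcoded keyY", and "does some cleanup" could name what is cleaned up if that is known.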