From 3dbrew
Revision as of 12:42, 6 July 2013 by Neimod (talk | contribs)

There has been a lot of tinkering with the 3DS since launch, and although there have been leaps and bounds due to the combined efforts of many contributors, much of what we're doing would be expedited by extracting the boot code and other proprietary information (secrets) from the custom Nintendo SoC (System-on-a-Chip) of a retail 3DS.

UPDATE 06/07/2013

The fundraiser will remain open until it raises approximately 2,300 in order to pay for the decapping and the applicable taxes. Thus the fundraiser is still running.

What is chip decapping?

For those who are unfamiliar: the CPU, GPU and DSP all exist on one proprietary SoC design used in the 3DS. Part of the secure information is stored there, most likely burned onto the SoC during manufacturing, and it is not readable by any normal means or from outside the SoC, so that the secure information always stays on the chip. In a good design it will never reach the main memory of the 3DS, and so sensitive data (like encryption keys or algorithms) stays secure.

Extracting data from a proprietary chip to reverse-engineer it is typically done by decapping it, which is risky business and involves removing the epoxy, delayering the chip and taking high-resolution pictures of every layer to reconstruct the logic from the images. Special equipment is used (SEM, a scanning electron microscope), and it is rarely done outside of a professional context because it is very costly for an average enthusiast ("hacker") and access to the equipment and the expertise is hard to obtain.

Chip decapping has been used by the "emulation" community to reverse-engineer and recover data from special proprietary chips, such as those in SNES cartridges. It has also been used to reverse-engineer other hardware to create emulators for other platforms besides the SNES.

Is this legal?

Decapping a chip and reverse engineering it is in fact legal in the US, and most likely in other countries too. Check out the Semiconductor Chip Protection Act of 1984, which states reverse engineering a chip is not prohibited.

However, we do not endorse piracy, and any information revealed by the chip decapping will be used to advance progress for homebrew applications and games on 3DS, not piracy.

How much?

We have gotten a price quote from a professional lab for the whole job (removal, decap, delayer, SEM imaging), and it came out to $400 per layer of the chip, which they estimate will come to "about $2000 total", plus the cost of the 3DS we will be donating for the hardware sample(s).

The number of layers is approximate because they likely won't know how many layers are in the SoC until they actually decap it. In the worst case we estimate between 8 and 10 layers. For now we're trying to reach their initial quote of $2000 USD and send in the 3DS to get it started. Later on we can still decide to have the remaining layers imaged.

Why should I help?

Kicking it around with other contributors on this site, we all agreed it would be interesting or valuable to us, but $2000+ is simply a lot to ask anyone to drop suddenly on a hobby project. At the same time, $2000+, while a lot for an individual, is a very achievable goal for a fundraiser.

We created this page here to raise awareness of the fundraiser for this purpose. Now is the chance for you, the viewers of this site, to contribute. You will have the noble honor of helping the 3DS community progress forward. We're also considering giving contributors a copy of the images produced as thanks.

To reiterate, what we're trying to do is initially send one 3DS to a professional lab to get it delayered and imaged (covering the costs of doing so). The resulting SEM images will be reconstructed and used towards discovering more of the hardware secrets inside the 3DS.

How likely is this going to help progress?

It is not possible to give a clear answer on this until the 3DS SoC chip has been decapped. But consider the success story about the SNES decapping here. There is no 100% guarantee that we will have the same success story, since the technology is different and there might be more technological limitations. But we won't know until we try. We have a team of proven experts, anxious to have a very thorough look inside the SoC of the 3DS.

The most likely focus points will be:

  • the boot ROM, possibly containing flaws which allow us to take control of the system
  • secret keys, hidden in hardware, used in cryptographic operations
  • secret algorithms, implemented in hardware to obscure information
  • and possibly much more

How can I help?

If you'd like to donate and help contribute to this cause you can do so by donating here.

Contact information

User Jl12 is in charge of collecting the donations, and will deliver the final samples to the professional lab for the chip decapping at the end of the fundraiser. Any further questions can be directed to him at his email address gspeer012 (at) gmail (dot) com.