Changes

277 bytes added, 21:06, 9 December 2014
Line 36: Line 36:  
== NCCH Specs ==
 
== NCCH Specs ==
    +
=== Encryption ===
 
The extended header, the [[ExeFS]] and the [[RomFS]] are encrypted using 128-bit AES CTR. See here regarding the [https://github.com/3dshax/ctr/blob/master/ctrtool/ncch.c CTR].
 
The extended header, the [[ExeFS]] and the [[RomFS]] are encrypted using 128-bit AES CTR. See here regarding the [https://github.com/3dshax/ctr/blob/master/ctrtool/ncch.c CTR].
   −
By default encrypted regions are compressed with an LZ77 variant, then encrypted. The spec allows for both unencrypted and uncompressed regions to exist. Development units use a fixed system key for system titles. For the "Secure crypto" NCCH encryption mode(the encryption mode used for retail NCCH) the [[AES|keyY]] is the first 0x10-bytes of the NCCH signature, the AES engine internally generates the final-normal key(see [[AES|here]] for the keyslot).
+
By default encrypted regions are compressed(ExeFS:/.code only) with an LZ77 variant, then encrypted. The spec allows for both unencrypted and uncompressed regions to exist. Development units use a fixed system key for system titles. For the "Secure crypto" NCCH encryption mode(the encryption mode used for retail NCCH) the [[AES|keyY]] is the first 0x10-bytes of the NCCH signature, the AES engine internally generates the final-normal key(see [[AES|here]] for the keyslot).
    
As of [[7.0.0-13]] the system now supports a new encryption method for the secure-cryptotype, the CTR for this is the same as before. This is enabled when NCCH flag[3] is non-zero. When enabled, the [[RomFS]] and [[ExeFS]] files which don't have filenames "icon" or "banner"(that is, ".code") are crypted with a different keyslot. This keyslot is [[Savegames|initialized]] by the 6.0 gamecard savegame keyY init function during boot, using a different portion of the [[Savegames|final]] hash(this keyslot is separate from the one used for the 6.0 save crypto).
 
As of [[7.0.0-13]] the system now supports a new encryption method for the secure-cryptotype, the CTR for this is the same as before. This is enabled when NCCH flag[3] is non-zero. When enabled, the [[RomFS]] and [[ExeFS]] files which don't have filenames "icon" or "banner"(that is, ".code") are crypted with a different keyslot. This keyslot is [[Savegames|initialized]] by the 6.0 gamecard savegame keyY init function during boot, using a different portion of the [[Savegames|final]] hash(this keyslot is separate from the one used for the 6.0 save crypto).
 +
 +
With New3DS [[9.3.0-21]] new NCCH crypto support was added, enabled via ncchflag[3]=0x0A. This is almost identical to the v7.0 crypto except with a New3DS-only keyslot, however this also uses unknown encryption for RomFS.
 +
 +
=== Format ===
    
On retail for SD applications, exheader_systeminfoflags.flag bit1 must be set.
 
On retail for SD applications, exheader_systeminfoflags.flag bit1 must be set.
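Review bot: The added 9.3.0-21 paragraph says the New3DS mode is "enabled via ncchflag[3]=0x0A", but the unchanged 7.0.0-13 paragraph directly above it still says the 7.0 method is enabled whenever "NCCH flag[3] is non-zero", so the two statements overlap for the value 0x0A and a reader implementing a decryptor cannot tell which keyslot rule takes precedence. Suggest amending the 7.0 paragraph in the same edit to state how it relates to the 0x0A case, and using one spelling of the field ("NCCH flag[3]") in both paragraphs. In the same added paragraph, "uses unknown encryption for RomFS" would be clearer if it said what is unknown (the keyslot, the key, or the counter), since the sentence before it calls the scheme almost identical to v7.0. In the changed compression sentence, "compressed(ExeFS:/.code only)" is missing a space before the parenthesis, and the sentence still opens with "By default encrypted regions are compressed", which now contradicts the parenthetical; something like "By default only ExeFS:/.code is compressed with an LZ77 variant before encryption" would read unambiguously.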