1
edit
Changes
Jump to navigation
Jump to search
Line 11:
Line 11: + + + + + + + + − + Line 46:
Line 54: + + + Line 57:
Line 68: + + + + + + + + + + + + + + + + + + + + + + + + + + +
possibility of DPA attack
There's a common key used to generate output at compile time, when the cci/ctx files are made. Why do you say 128 bit AES CTR though? --[[User:Jl12|Jl12]]
There's a common key used to generate output at compile time, when the cci/ctx files are made. Why do you say 128 bit AES CTR though? --[[User:Jl12|Jl12]]
: Because 128-bit AES CTR is used to encrypt those formats. --[[User:Neimod|Neimod]] 15:40, 18 June 2011 (CEST)
: Because 128-bit AES CTR is used to encrypt those formats. --[[User:Neimod|Neimod]] 15:40, 18 June 2011 (CEST)
AES CTR is more difficult to attack via DPA or EM-DPA
I know *something* is used to encrypt but do we know it is 128 bit AES CTR? --[[User:Jl12|Jl12]]
I know *something* is used to encrypt but do we know it is 128 bit AES CTR? --[[User:Jl12|Jl12]]
do you know that the cipher text is xored at the end but not the exact algo or are you sure about AES also
Frankly I don't think it was AES. I think it's using RSA for encryption. Besides it already used it once for the 2048-bit signature as you said. Wouldn't it make way more sense to also use it for the encryption scheme. --[[User:Jl12|Jl12]]
Frankly I don't think it was AES. I think it's using RSA for encryption. Besides it already used it once for the 2048-bit signature as you said. Wouldn't it make way more sense to also use it for the encryption scheme. --[[User:Jl12|Jl12]]
: Lol. --[[User:Neimod|Neimod]] 16:06, 20 June 2011 (CEST)
: Lol. --[[User:Neimod|Neimod]] 16:06, 20 June 2011 (CEST)
agree the (LOL) RSA would not be of use to slow for an real time decryption or load of a game at runtime also the block size would not match and there would be no advantage using RSA as when console talks to the cartridge both keys are exposed to the end user and therefore could be potentially broken. RSA would
only make sense if they can keep a secret key at their place. which is the case for DSA to sight the firmware for example preventing anybody to load
unauthorized firmware into the device. and nobody could fake the signature as he does not have the private key. (fairly standard methods today for
all sorts of consumer electronics).
What's funny? So I guess it's just based purely on speculation? You should say so. That way nobody believes something that isn't right. --[[User:Jl12|Jl12]] 22:28, 20 June 2011 (CEST)
What's funny? So I guess it's just based purely on speculation? You should say so. That way nobody believes something that isn't right. --[[User:Jl12|Jl12]] 22:28, 20 June 2011 (CEST)
: RSA is only used for the signature. After that a symmetric block cipher called AES is used in CTR mode. --[[User:Neimod|Neimod]] 23:32, 20 June 2011 (CEST)
: RSA is only used for the signature. After that a symmetric block cipher called AES is used in CTR mode. --[[User:Neimod|Neimod]] 23:32, 20 June 2011 (CEST)
i guess if Neimod has the RAM simulator he could dump the firmware if not fire walled by a MMU. the PROC is ARM and there are nice IDA modules for it plus the Hexrays decompiler. Don't forget the RAM is executable and i don't think that neimod just read from it !
How did you get this data? Did you find some way to dump 3DS cartridges? --[[User:Popoffka|Popoffka]] 09:15, 1 June 2011 (CEST)
How did you get this data? Did you find some way to dump 3DS cartridges? --[[User:Popoffka|Popoffka]] 09:15, 1 June 2011 (CEST)
::::::This master decryption key, is it used for every game? For the 3ds homebrew format I will create a tool which includes a 3d model, an icon and the machine code in the file. However, before we should think about the structure for it. I know that's a bit early, but later (when we can run homebrew) we will be glad if we have it.--[[User:Lazymarek9614|Lazymarek9614]] 20:14, 9 September 2011 (CEST)
::::::This master decryption key, is it used for every game? For the 3ds homebrew format I will create a tool which includes a 3d model, an icon and the machine code in the file. However, before we should think about the structure for it. I know that's a bit early, but later (when we can run homebrew) we will be glad if we have it.--[[User:Lazymarek9614|Lazymarek9614]] 20:14, 9 September 2011 (CEST)
:::::::We can also use the elf Format for homebrew--[[User:ichfly|ichfly]]
:::::::We can also use the elf Format for homebrew--[[User:ichfly|ichfly]]
::::::::Yes, but it has not a banner.--[[User:Lazymarek9614|Lazymarek9614]] 16:54, 10 September 2011 (CEST)
:::::::::Shall I create a new talk about the homebrew format? We should discuss and plan it a bit.--[[User:Lazymarek9614|Lazymarek9614]] 11:08, 11 September 2011 (CEST)
::::::::::Yes, you shall.. --[[User:Elisherer|Elisherer]] 11:55, 11 September 2011 (CEST)
Hi Neimod, love your work! my question is: The extended header suppose to start right after the NCCH header so why there is twice the space? (extended header size is usually 1024 and plain region offset is usually 5*512 = 2560 -> 2048 after the end of the ncch) thanks. --[[User:Elisherer|Elisherer]] 11:46, 6 September 2011 (CEST)
Hi Neimod, love your work! my question is: The extended header suppose to start right after the NCCH header so why there is twice the space? (extended header size is usually 1024 and plain region offset is usually 5*512 = 2560 -> 2048 after the end of the ncch) thanks. --[[User:Elisherer|Elisherer]] 11:46, 6 September 2011 (CEST)
:Because they just are. --[[User:Neimod|Neimod]] 17:40, 6 September 2011 (CEST)
:Because they just are. --[[User:Neimod|Neimod]] 17:40, 6 September 2011 (CEST)
:Game editors want to fit their game in the smallest ROM chip size possible, to reduce manufacturing costs. Also, encrypting blocks of zeros/FF is bad practices, compression avoids it. --[[User:Luigi2us|Luigi2us]] 18:17, 6 September 2011 (CEST)
:Game editors want to fit their game in the smallest ROM chip size possible, to reduce manufacturing costs. Also, encrypting blocks of zeros/FF is bad practices, compression avoids it. --[[User:Luigi2us|Luigi2us]] 18:17, 6 September 2011 (CEST)
I've found something in my Chronicles Samurai Warriors savegame:
18 A1 72 6F 6D 3A 2F 53 00 6F 75 6E 64 2F 73 74 .¡rom:/S.ound/st
72 00 65 61 6D 2F 53 54 52 4D 00 5F 53 59 53 5F MES.SAGE_GOO.D.b
63 73 74 6D F9 D7 9A 2F 95 90 8D 0A 93 00 03 B0 cstmùך/•...“..°
Looks like a path in the ROM filesystem in a LZ77 compression. Maybe it can help to find the master decryption key (if we would have
a dumped Samurai Warriors).--[[User:Lazymarek9614|Lazymarek9614]] 21:12, 16 September 2011 (CEST)
:I'm by no means an expert on de/encryption, signing code and what not, but the master decryption key is probably stored in internal RAM/ROM (in other words, inside the CPU die), that way it can't be sniffed or easily obtained. I doubt Nintendo would store a key as important as that in external RAM/ROM/SRAM, or in a some form of a filesystem. If they did, their programmers are dumber than Sony's. But again, system security is not the sort of thing I am good at, so take this with a grain of salt. --[[User:CHR15x94|CHR15x94]] 21:35, 16 September 2011 (CEST)
The key is stored in every 3DS and it's always the same key...! I wonder that no one sniffed the 3DS' RAM yet. This should be done now!
Has anyone experience in RAM sniffing?--[[User:Lazymarek9614|Lazymarek9614]] 22:01, 16 September 2011 (CEST)
:Someone will eventually. It's not an easy thing to do, and FPGAs (the device you'd use to access RAM) are quite expensive ($500 - $700+USD for a decent one). People did it with the DSi, I'm sure it won't be _too_ long for the 3DS. Might find [http://hackmii.com/2009/09/dsi-ram-hax/ this] interesting as well. --[[User:CHR15x94|CHR15x94]] 22:55, 16 September 2011 (CEST)
FPGAs are very expensive, that is true. The cheapest one I've ever seen was about $199 (it's the Development board which was used to dump ROMs by Legacy). I know about the DSi RAM haxx, but I don't have an FPGA. If I had one, I would try it.--[[User:Lazymarek9614|Lazymarek9614]] 10:17, 17 September 2011 (CEST)
:The cheapes I saw was 52 $ but if you realy buy one get the one for 69 $ (becaus I think it is much better) http://www.altera.com/products/devkits/max-index.jsp or one with a cyclon. I recommend boards with an Embedded USB-Blaster.--[[User:ichfly|ichfly]]
That, and the pinout of the 3DS RAM chip is completely unknown. --[[User:Luigi2us|Luigi2us]] 17:52, 17 September 2011 (CEST)
"Non-Executable CXI file examples(Includes Decrypted RomFS): DLPChild" Why are you calling dlpchild non-exec NCCH when that would have an ExeFS like any other "normal" CXI?(AFAIK dlpchild is exactly the same as other exec CXIs besides being temporarily installed to NAND from wlan for running) --[[User:Yellows8|Yellows8]] 16:44, 23 June 2012 (CEST)
:Bad wording, I mean DLPChild Container NCCH, the same DLPChild containers used in CCIs and installed titles, to hold the DLPChild CIA files--[[User:3dsguy|3dsguy]] 00:36, 24 June 2012 (CEST)
I've been thinking, you know how we have executable specialisations of NCCH, which are officially called .CXI (CTR Executable Image). And we also have non-executable specialisations of NCCH, which I've assumed uses the extention .CXI. But perhaps officially, non-executable specialisations of NCCH have a different file extention all together, like the case CCI and CSU (both NCSD format).--[[User:3dsguy|3dsguy]] 18:09, 7 July 2012 (CEST)
:actually after looking more closely at the scarse details on the CFA (CTR File Archive), the details closely follow the non-executable specialisation of NCCH which is the dlpChild container. So are the non-executable NCCH called CFA files?--[[User:3dsguy|3dsguy]] 18:20, 7 July 2012 (CEST)
Question: from what you know today (i assume you have at lead partially disassembly) what of the mechanism is HW implemented ? and what software ?
the random seeding function for example ? could you force the seeding to be constant or better at your choice ? i think if you can influence the seed and if the use AES CRT plus the cipher text cleartext info as you must have as it corresponds RAM / ROM extern intern it should be possible to launch a DPA attack on it and get the key. assuming that there are not some hidden custom functions in it.