Talk:Bootloader

From DSiBrew

Jump to: navigation, search

RSA and Bootsector decryption?

Where is that RSA info from? Is it possible to decrypt the RSA block on DSi, or on 3DS, or both? Any hints how to do that? Are DSi and 3DS using the same RSA key?

The notice about keyX being same as for "Tad" sounds good... until one figures out that the "srl extract" utility contains only a normal "key" (not a keyX/Y pair), so decrypting isn't possible even when knowing keyY. Of course, whomever has found the normal key, should be also able to find the keyX/Y values, but I've no idea how that could be done (it will certainly not work with cooking coach which has all keyslots erased, so it might require main ram hacks in worst case).

The part about "binblk->binblocksize" is the actual binary size is confusing. If binblk->binblocksize is known, then what is binblksize in the formula? Or is that a typo, and it means same as binblk->binblocksize?Nocash 14:27, 27 March 2015 (CET)

  • 1/3) See last page edit.
  • 2) One can easily obtain the keyX^keyY key with F_XY_reverse(<any normalkey>) from that tool, but of course that's rather pointless without a keyX/keyY to XOR with that. Besides ramhaxx, the only other way to obtain the keyX/keyY for that yourself is to just get it from the 3DS DSi-key-stash @ 0x01FFD000(essentially *all* DSi keys are stored in there + TWL_FIRM Process9).

--Yellows8 06:00, 7 April 2015 (CEST)

4.1) Okay, decrypting the RSA stuff is possible, and it's just me not knowing how to. Are you saying that the RSA key is contained in the TWL_FIRM executable? So one could simply "copy/paste" it from the TWL_FIRM files? Or is the key elsewhere, and TWL_FIRM is just using it during boot? So one would need some exploit to hack TWL_FIRM during boot-up? Sorry, but I don't have a 3DS, and know absolutely nothing about that console.
4.3) I've edited it myself (see last page edit). I hope that wasn't wrong.
5) Yeah, reversing KeyX without KeyY won't work (I can confirm that). If that Tad KeyX is one of the "known" DSi keys (those relocated from DSi BIOS ROM to TCM/WRAM during booting), then everything would be fine. And otherwise, one would need some 3DS exploit to get that DSi-key-stash... supposedly some special kernel exploit which isn't available to normal 3DS programmers?
PS. I've added some contact info on my wiki/user page (just in case) --Nocash 22:56, 14 April 2015 (CEST)
Yes, those two RSA pubks are stored in the TWL_FIRM Process9 binary itself. When one has TWL_FIRM decrypted one can just extract those keys from there. There's public exploit(s)+tools for that, including arm9hax which is required for dumping the DSi keys from 3DS ARM9 ITCM. The common tad-keyX is written to the AES engine keyslot for it by bootrom, AFAIK it doesn't get copied elsewhere(the keyY for it is copied to the keystorage area near the end of ARM7 memory, but of course that area gets cleared when games are booted). --Yellows8 20:34, 18 April 2015 (CEST)

Thanks! Found the RSA key. And now I do also understand what you meant about reversing Tad key X (the DSi does only relocate Tad key Y to RAM/TCM). My emu is now throwing that "Error: 1-2435-8325" message. That should be a good place to start with. --Nocash 23:41, 20 April 2015 (CEST)

Bootloader Error Photos

1124101052.jpg
1124101051.jpg
1124101051a.jpg

Here are some shots of my DSi with what I think is a bootloader error. --The2Banned2One 17:25, 24 November 2010 (CET)


Discuss here:

Personal tools