#153206 - Lick - Wed Mar 26, 2008 12:22 pm
Hey guys, I just came across this article.
Is it somehow applicable to the DS?
_________________
http://licklick.wordpress.com
#153207 - pepsiman - Wed Mar 26, 2008 12:30 pm
| Lick wrote: |
I just came across this article.
Is it somehow applicable to the DS? |
I asked sgstair, he agreed it was possible, but doesn't know either way.
I'd be surprised if the DS had this bug and firefly or loopy hadn't noticed.
#153208 - Lick - Wed Mar 26, 2008 12:40 pm
Well, I'm surprised that Nintendo's programmers missed this to begin with. ;)
If a test were to be written, how would it work?
_________________
http://licklick.wordpress.com
#153220 - pepsiman - Wed Mar 26, 2008 3:59 pm
| Lick wrote: |
Well, I'm surprised that Nintendo's programmers missed this to begin with. ;)
If a test were to be written, how would it work? |
You need to create an nds with a header with a "combined hash" that starts with 0x0 and also set the signature in the nds to all zeros.
ndstool can calculate and display the hashes for you:
| Code: |
// ndstool: report whether the Download Play / multiboot RSA signature verified,
// and on failure dump every SHA-1 digest (SHA1_DIGEST_SIZE = 20 bytes) as hex.
printf("DS Download Play(TM) / Wireless MultiBoot signature: %s\n", ok ? "OK" : "INVALID");
if (!ok)
{
	// sha_parts holds three consecutive digests: header, ARM9 binary, ARM7 binary
	printf("header hash: \t"); for (int i=0; i<SHA1_DIGEST_SIZE; i++) printf("%02X", (sha_parts + 0*SHA1_DIGEST_SIZE)[i]); printf("\n");
	printf("ARM9 hash: \t"); for (int i=0; i<SHA1_DIGEST_SIZE; i++) printf("%02X", (sha_parts + 1*SHA1_DIGEST_SIZE)[i]); printf("\n");
	printf("ARM7 hash: \t"); for (int i=0; i<SHA1_DIGEST_SIZE; i++) printf("%02X", (sha_parts + 2*SHA1_DIGEST_SIZE)[i]); printf("\n");
	// sha_final is the "combined hash" that the verifier checks against
	// sha1_from_sig, the digest recovered from the RSA signature
	printf("combined hash: \t"); for (int i=0; i<SHA1_DIGEST_SIZE; i++) printf("%02X", sha_final[i]); printf("\n");
	printf("signature hash: \t"); for (int i=0; i<SHA1_DIGEST_SIZE; i++) printf("%02X", sha1_from_sig[i]); printf("\n");
}
|
#153246 - yellowstar - Wed Mar 26, 2008 10:57 pm
You can try to make a test .nds with this too. You would edit the nds every iteration if needed, then use this tool to verify. Then you would keep repeating until you get a valid signature, then you would test it on hardware and hope it works. (Found the link off of DCEmu via Google)
But, before you use it, you need to modify the tool so it has the same bug that the DS might have. Change memcmp to strcmp on line 419 in the source code. (More changes might be needed, I'm not sure, I haven't tried anything yet with this)
(You'll need Dev-Cpp/GNU to compile, and OpenSSL too.)
#153421 - Sausage Boy - Sun Mar 30, 2008 3:41 am
I wrote a little test-app, and, as expected, it doesn't work. At least not on a DS lite, heh. In case anyone is curious, you can get it at http://blog.dev-scene.com/gaspcubed/files/2008/03/fakesign.zip
_________________
"no offense, but this is the gayest game ever"
#153463 - pepsiman - Mon Mar 31, 2008 11:23 am
The combined hash doesn't start with 0:
ndstool -v -i hello_fakesign.nds
Header information:
...
DS Download Play(TM) / Wireless MultiBoot signature: INVALID
header hash : 65174EC1BC5ECA4154338D3FC71B806B1AE49095
ARM9 hash : 3518BC6FF213AEE8FCE73F94DC20CE04C7F25846
ARM7 hash : ED1A03F88F33A42A90A1B9BBEB7F16147F83C1C2
combined hash : FB0857CC5A692514DCBD3ECFE3FB084C88574AE5
signature hash : 005DA96768DB813140DFEB6518F36DE6E9570860
#153475 - Sausage Boy - Mon Mar 31, 2008 3:09 pm
Hmm, I have to admit that I'm very unsure about this. The program yellowstar linked to, FireFly's ndsrsa, gives me this output:
$ ndsrsa verify nintendo hello_fakesign.nds
file = hello_fakesign.nds
hash 1 = 005DA96768DB813140DFEB6518F36DE6E9570860
hash 2 = 001F49D5D3EFAA9DD520765CBFA4FF8988C991F0
signature = wrong
Perhaps you know more than me about how all these hashes fit together?
_________________
"no offense, but this is the gayest game ever"
#153476 - pepsiman - Mon Mar 31, 2008 3:27 pm
| Sausage Boy wrote: |
| Perhaps you know more than me about how all these hashes fit together? |
Nope.
#153493 - Lick - Mon Mar 31, 2008 10:22 pm
Uhmm.. Not sure if this helps but '0' != '\0'.
The hash should not appear when outputted like a zero-terminated string.
_________________
http://licklick.wordpress.com
#153519 - pepsiman - Tue Apr 01, 2008 10:28 am
| Lick wrote: |
Uhmm.. Not sure if this helps but '0' != '\0'.
The hash should not appear when outputted like a zero-terminated string. |
This is the hexadecimal representation of the hash, it really does start with 8 0 bits.
#153530 - Lick - Tue Apr 01, 2008 12:56 pm
LOL. *ashamed* It was an early April fools joke, alright? XD
_________________
http://licklick.wordpress.com
#153579 - HyperHacker - Wed Apr 02, 2008 8:17 am
Does strcmp(SomeString, "") work, though? The way I understood it you set the second byte of the hash to zero, so the system only verifies the first byte, which is easy to brute-force.
_________________
I'm a PSP hacker now, but I still <3 DS.
#153582 - pepsiman - Wed Apr 02, 2008 9:40 am
| HyperHacker wrote: |
| Does strcmp(SomeString, "") work, though? The way I understood it you set the second byte of the hash to zero, so the system only verifies the first byte, which is easy to brute-force. |
strncmp("","",20) returns 0;
strncmp("a","",20) returns 1;
strncmp("a","a",20) returns 0;
You can set the second byte to 0, but you have to do the same to the signature. So you'd need to brute-force 16 bits instead of 8.
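As an added illustration of the test pepsiman describes earlier in the thread (a combined hash whose first byte is 0x00 checked against an all-zero signature hash) and of the strncmp cases in this post, here is a small C program. It is not code from ndstool, ndsrsa or the DS firmware; the digests in it are constructed sample values, `digests_match_strncmp` stands in for the suspected string-style comparison, `digests_match_memcmp` is the correct byte-wise one, and `bytes_checked_by_strncmp` counts how many digest bytes the string compare actually pins down (one byte for an all-zero signature hash, two when its second byte is zero, as stated above).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_DIGEST_SIZE 20

/* Suspected-buggy verifier: a string compare treats 0x00 as a terminator, so it
 * stops at the first zero byte and never looks at the rest of the digest. */
int digests_match_strncmp(const uint8_t *computed, const uint8_t *from_sig)
{
    return strncmp((const char *)computed, (const char *)from_sig,
                   SHA1_DIGEST_SIZE) == 0;
}

/* Correct verifier: all 20 bytes must be equal; 0x00 is just another value. */
int digests_match_memcmp(const uint8_t *computed, const uint8_t *from_sig)
{
    return memcmp(computed, from_sig, SHA1_DIGEST_SIZE) == 0;
}

/* Number of digest bytes the string compare actually constrains when the hash
 * recovered from the signature is the reference: every byte before its first
 * 0x00 must match, and the byte at that position must itself be 0x00.
 * All-zero signature hash -> 1 byte (8 bits); second byte zero -> 2 bytes
 * (16 bits); no zero byte at all -> the full 20 bytes. */
size_t bytes_checked_by_strncmp(const uint8_t *from_sig)
{
    size_t n = 0;
    while (n < SHA1_DIGEST_SIZE && from_sig[n] != 0)
        n++;
    return n < SHA1_DIGEST_SIZE ? n + 1 : SHA1_DIGEST_SIZE;
}

/* Constructed sample digests (not hashes of any real .nds file). */
static const uint8_t ZERO_SIG[SHA1_DIGEST_SIZE] = { 0 };
/* A "combined hash" whose first byte happens to be 0x00. */
static const uint8_t COMPUTED_LEADING_ZERO[SHA1_DIGEST_SIZE] = {
    0x00, 0xC3, 0x7A, 0x15, 0x9E, 0x42, 0xD8, 0x6B, 0x01, 0xF4,
    0x2C, 0x87, 0xB9, 0x3D, 0x60, 0xEA, 0x51, 0x1F, 0xA6, 0x73 };
/* A signature hash whose second byte is 0x00. */
static const uint8_t SIG_SECOND_BYTE_ZERO[SHA1_DIGEST_SIZE] = {
    0x5A, 0x00, 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA };
/* A digest with no zero byte at all: the string compare checks all 20 bytes. */
static const uint8_t SIG_NO_ZERO[SHA1_DIGEST_SIZE] = {
    0xFB, 0x08, 0x57, 0xCC, 0x5A, 0x69, 0x25, 0x14, 0xDC, 0xBD,
    0x3E, 0xCF, 0xE3, 0xFB, 0x08, 0x4C, 0x88, 0x57, 0x4A, 0xE5 };

static void print_hex(const char *label, const uint8_t *d)
{
    printf("%s", label);
    for (int i = 0; i < SHA1_DIGEST_SIZE; i++)
        printf("%02X", d[i]);
    printf("\n");
}

int main(void)
{
    print_hex("combined hash : ", COMPUTED_LEADING_ZERO);
    print_hex("signature hash: ", ZERO_SIG);
    printf("strncmp verdict: %s\n",
           digests_match_strncmp(COMPUTED_LEADING_ZERO, ZERO_SIG) ? "OK (wrongly)" : "INVALID");
    printf("memcmp verdict : %s\n",
           digests_match_memcmp(COMPUTED_LEADING_ZERO, ZERO_SIG) ? "OK" : "INVALID");
    printf("bytes pinned down by a string compare: all-zero sig=%zu, second byte zero=%zu, no zero=%zu\n",
           bytes_checked_by_strncmp(ZERO_SIG),
           bytes_checked_by_strncmp(SIG_SECOND_BYTE_ZERO),
           bytes_checked_by_strncmp(SIG_NO_ZERO));
    return 0;
}
```

Running it prints an "OK" verdict from the string compare and "INVALID" from memcmp for the same pair of digests, which is the whole point of the test described in the thread: a verifier built on memcmp is unaffected by zero bytes, and that is the check to look for when auditing the firmware disassembly.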
#153599 - Sausage Boy - Wed Apr 02, 2008 6:06 pm
According to my findings, hash2 and combined hash are supposed to be the same, and are indeed on the commercial multiboot demo I tried. It seems like ndsrsa and ndstool are doing something a little different, that leads to the same result most of the time. I wonder how the DS does it...
Edit:
Ok, I think I've sorted it out. Turns out ndstool calculates the arm9 hash differently depending on the romtype, and ndsrsa only calculates it the multiboot way. I tried fakesigning a commercial demo, and both ndstool and ndsrsa agreed that the hashes started with 0x00, unfortunately the DS refused it.
_________________
"no offense, but this is the gayest game ever"
#153689 - tepples - Thu Apr 03, 2008 11:54 pm
The people who made FlashMe have disassembled the part of the firmware responsible for RSA checks. Has anybody else disassembled it in order to check definitively whether this flaw is present?
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
#153751 - olimar - Sat Apr 05, 2008 5:22 am
Last edited by olimar on Wed Aug 20, 2008 10:55 pm; edited 1 time in total
#153754 - caitsith2 - Sat Apr 05, 2008 8:53 am
Had to have been a different programmer, one that doesn't know the difference between strcmp and memcmp, that did the Wii RSA verification then.
#153756 - TwentySeven - Sat Apr 05, 2008 10:21 am
Amusing that they bothered with a really nice SHA-1 algo and then strcmp'd the results..
Anyway, that's that then. No signing bug on the DS.
#153762 - HyperHacker - Sat Apr 05, 2008 2:59 pm
I wonder if it was the same guy responsible for the sprintf() name bug in MP:H? :-p
_________________
I'm a PSP hacker now, but I still <3 DS.