#161274 - thoduv - Thu Jul 31, 2008 5:49 pm
Hi!
I would like to boot a DS card, but in order to do so, I have to load/decrypt the secure area.
I grabbed code from ndstool in order to encrypt KEY1 commands, but have trouble when the card is in "KEY1" mode.
Here's what I do:
- dummy command (0x9f...)
- read header
- read ID (first): getting ID: 80 3F 00 80, which is correct.
- switch into KEY1 mode, and init the ndstool encrypter that way:
```c
// KEY1 key schedule from the gamecode, as ndstool does before decrypting the secure area
init1(gamecode);
// second key-schedule pass, with the ndstool global arg2 modified as in ndstool's decrypt_arm9()
arg2[1] <<= 1;
arg2[2] >>= 1;
init2(card_hash, arg2);
```
(all these functions are in encryption.cpp from the ndstool source)
All my following commands are then KEY1-encrypted with the "encrypt" function from the ndstool code.
- then, I switch KEY2 on (command 0x4) with all random parameters set to 0 (easier). I set up the seed registers, and then "commit" the seed changes with bit 15 of CARD_CR2.
```c
// information taken from GBATEK here...
// seed0: random field (bits 15 and up) left at 0, plus 0x6000, plus the header's encryption seed select (0..7)
u64 seed0 = (0 << 15) + 0x6000 + (card_header->encryption_seed & 7);
// seed1: fixed 39-bit constant from GBATEK
u64 seed1 = 0x5C879B9B05LL;
// low 32 bits of each seed, then the upper bits of each 39-bit seed
CARD_1B0 = (u32)(seed0 & 0xFFFFFFFF);
CARD_1B4 = (u32)(seed1 & 0xFFFFFFFF);
CARD_1B8 = (u16)(seed0 >> 32);
CARD_1BA = (u16)(seed1 >> 32);
```
- finally, I try to read the card ID again (2nd Get ROM Chip ID, command 0x1...), and then I only get FF FF FF FF (no matter how much data I ask for in CARD_CR2: I only get more FF's).
Is the ndstool code unusable for KEY1 (GBATEK states that KEY1 encryption is the same as secure area decryption, so it should be OK)? Is my initialisation of KEY2 wrong? Any other ideas?
Thanks !
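The KEY2 side of the procedure above, as an added example that is not the poster's code, nor ndstool's, nor anything from GBATEK verbatim: it builds seed0 the way the post does (random field 0, 0x6000, header seed select & 7), splits both 39-bit seeds into the four register halves, and then runs the two 39-bit LFSRs that GBATEK gives for KEY2 to produce the byte stream the cart controller XORs over the bus. Two things are assumptions of this example: that the seed registers are loaded into the LFSRs bit-reversed (this is how emulators model the hardware), and the constructed 16-byte test buffer, which is not real cart data. The KEY1 (Blowfish) side is not reproduced here because it needs the key table from the DS BIOS.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* KEY2 state is 39 bits wide (GBATEK). */
#define KEY2_MASK 0x7FFFFFFFFFULL

/* Seed0 as built in the post: random field (bits 15 and up) kept at 0,
 * 0x6000, plus header[0x13] (encryption seed select) & 7. */
static uint64_t key2_seed0(uint32_t random_field, uint8_t seed_select)
{
    return (((uint64_t)random_field << 15) + 0x6000u + (seed_select & 7u)) & KEY2_MASK;
}
/* Seed1 is the fixed constant the post takes from GBATEK. */
#define KEY2_SEED1 0x5C879B9B05ULL

/* Register image: low 32 bits of each seed (CARD_1B0/CARD_1B4 in the post)
 * and the upper 7 bits of each 39-bit seed (CARD_1B8/CARD_1BA). */
struct key2_regs { uint32_t seed0_lo, seed1_lo; uint16_t seed0_hi, seed1_hi; };

static struct key2_regs key2_split(uint64_t seed0, uint64_t seed1)
{
    struct key2_regs r;
    r.seed0_lo = (uint32_t)seed0;
    r.seed1_lo = (uint32_t)seed1;
    r.seed0_hi = (uint16_t)((seed0 >> 32) & 0x7Fu);
    r.seed1_hi = (uint16_t)((seed1 >> 32) & 0x7Fu);
    return r;
}

/* Reverse the bit order of a 39-bit value. Assumption of this example: the
 * controller feeds the seed registers into the LFSRs bit-reversed. */
static uint64_t bitrev39(uint64_t v)
{
    uint64_t out = 0;
    for (int i = 0; i < 39; i++)
        if (v & (1ULL << i)) out |= 1ULL << (38 - i);
    return out;
}

struct key2_state { uint64_t x, y; };

static void key2_init(struct key2_state *s, uint64_t seed0, uint64_t seed1)
{
    s->x = bitrev39(seed0 & KEY2_MASK);
    s->y = bitrev39(seed1 & KEY2_MASK);
}

/* One keystream byte: the two LFSR update rules from GBATEK, then the XOR
 * of the two states' low bytes (each low byte is the fresh feedback byte). */
static uint8_t key2_next(struct key2_state *s)
{
    s->x = ((((s->x >> 5) ^ (s->x >> 17) ^ (s->x >> 18) ^ (s->x >> 31)) & 0xFFu)
            + (s->x << 8)) & KEY2_MASK;
    s->y = ((((s->y >> 5) ^ (s->y >> 23) ^ (s->y >> 18) ^ (s->y >> 31)) & 0xFFu)
            + (s->y << 8)) & KEY2_MASK;
    return (uint8_t)(s->x ^ s->y);
}

/* KEY2 is a plain XOR stream: the same call encrypts and decrypts. */
static void key2_crypt(struct key2_state *s, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key2_next(s);
}

/* First keystream byte for the post's seeds (random field 0). */
static uint8_t key2_first_byte(uint8_t seed_select)
{
    struct key2_state s;
    key2_init(&s, key2_seed0(0, seed_select), KEY2_SEED1);
    return key2_next(&s);
}

/* Round trip over a constructed 16-byte buffer (not real cart data).
 * Returns 1 when a freshly seeded state restores the original bytes. */
static int key2_roundtrip_ok(uint8_t seed_select)
{
    static const uint8_t plain[16] = {0x80, 0x3F, 0x00, 0x80, 'K', 'E', 'Y', '2',
                                      0, 1, 2, 3, 0xFF, 0xFF, 0xFF, 0xFF};
    uint8_t buf[16];
    struct key2_state enc, dec;
    uint64_t seed0 = key2_seed0(0, seed_select);

    memcpy(buf, plain, sizeof buf);
    key2_init(&enc, seed0, KEY2_SEED1);
    key2_crypt(&enc, buf, sizeof buf);
    if (memcmp(buf, plain, sizeof buf) == 0) return 0; /* stream must not be all zero */
    key2_init(&dec, seed0, KEY2_SEED1);
    key2_crypt(&dec, buf, sizeof buf);
    return memcmp(buf, plain, sizeof buf) == 0;
}

int main(void)
{
    struct key2_regs r = key2_split(key2_seed0(0, 0), KEY2_SEED1);
    printf("CARD_1B0=%08X CARD_1B4=%08X CARD_1B8=%04X CARD_1BA=%04X\n",
           r.seed0_lo, r.seed1_lo, r.seed0_hi, r.seed1_hi);
    printf("first KEY2 byte=%02X round trip %s\n",
           key2_first_byte(0), key2_roundtrip_ok(0) ? "ok" : "FAILED");
    return 0;
}
```

With the post's seeds the register image is CARD_1B0=00006000, CARD_1B4=879B9B05, CARD_1B8=0000, CARD_1BA=005C, which is a quick way to check that the 32/7-bit split written to the registers matches what the cart will use; the generated stream can be compared against an emulator's KEY2 output if the bit-reversal assumption is in doubt.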