#30913 - tonofsteel - Mon Dec 06, 2004 3:37 am
I am fairly new to this, but would like to learn as things progress along figuring out the encryption used on the carts.
So far it seems to be clear that:
1. The encryption is a cipher stream of some sort
2. Upon booting, the DS sends some unencrypted data to the ROM to check if it is ready to use, and get the ID of the chip, as well it sends a command to start encryption.
3. The DS reads data in blocks, apparantly 512byte blocks, with 8 bytes of instructions sent just before reading, to set up the transfer.
Now I have a few questions/requests. I am waiting for my DS, but I have access to a cart. I was going to use a FPGA or some type of system to try and probe a cart. Is it possible for the people out there to list exactly what they know about the required logic signals sent to and from the ROM?
As well there was some speculation about what that 8 byte setup before the block transfer is. Could it be the page to transfer as well as a key to use for that particular transfer?
I only have some LA captures for the block transferring but not the initial startup of the DS, can somone post these?
I am considering trying to probe the cart without a DS at hand, but am wondering if this is a futile thing to do? Since we know what the DS does to access and set up the cart, it may be possible to simulate being the DS and trying to access the cart using the same key every time, so we may be able to work on that from there. We will then know the key, and the cipher text, with only to figure out the algorithm.
But shouldnt that be easy since if we try all realistically possible algorithms it will yield us ARM code?
Anyways just some thoughts, i would like to contribute to breaking the encryption, and just need a little more info on the startup logic transfers between the DS and the cart if someone could post them.
#30922 - tepples - Mon Dec 06, 2004 5:10 am
| tonofsteel wrote: |
it may be possible to simulate being the DS and trying to access the cart using the same key every time, so we may be able to work on that from there. We will then know the key, and the cipher text, with only to figure out the algorithm.
But shouldnt that be easy since if we try all realistically possible algorithms it will yield us ARM code? |
"Realistically possible" means implementable in as many gates as will fit in the sections of the circuitry in the DS and in the ROM dedicated to crypto. More algorithms are theoretically "realistically possible" than you will have time to check in your lifetime. In addition, it could be that the key presumably stored in the header is encrypted, and another circuit inside the ROM chip decrypts that key.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
#30942 - tonofsteel - Mon Dec 06, 2004 2:55 pm
Alright. I know that cryptanalysis is a bitch at the best of times, but hey, at least I was looking into it, and trying some ideas. But as I have mentioned previously I am fairly new to cryptanalysis.
There are a few people here that seem to know what they are doing, but they seem very reluctant to share any info they have, or if they do, they are even more reluctant to tell you what they see in it. No, I am not going to steal credit from you.....
Only person: DarkFader, has taken some time out of his busy life to explain what is known so far.
Mabye there is a closed group of people that are working on it and want any newcomers to stay out, since all I get in replies are criticism, which is fine at times, but is getting a little tired already, but I know that it may be way more complicated than I am currently thinking, and I also know that it may be alot easier. Whats better? Start off trying to figure it out thinking its the most impossible encryption method available. OR looking at it from a point of view that there are speed and cost considerations (as well as technical) that have to be taken into account, and there may be a certain limitation on what encryption is being used. Even if your wrong, chances are that while your messing around with the data you will find something that leads to a more conclusive observation.
Thus leads to the first assumption to BEGIN to figure out some more: Cipher stream.
And I can go on to other points, and mabye some are wrong, but i was asking for what is the best way to spend my time right now since i am stupidly optimistic and energetic to get started. I could pretty much just sit here and read hex if it might help....
And tepples, wtf man? Its a guess right now, all just speculation on whats happening. If someone gets far enough to be pretty sure its a type of encryption, then what are we going to do come to you for discouragement hour? And no tepples, its not going to just fall into your hands, unless Ampz or someone hands it to you.....
I was just looking to see if anyone on here was looking at this from a technical point of view, and had some ideas that could be tested out but trying to read the cart. We have the control to send the same key again and again, thus if we can keep getting constant data out then that may help us to understand more.....
mabye instead of arguing with "TheDaddy" and pipe warp and whoever else was on those million posts, we should start doing some "dev" work.
#30973 - josath - Mon Dec 06, 2004 7:27 pm
| Quote: |
| "Realistically possible" means implementable in as many gates as will fit in the sections of the circuitry in the DS and in the ROM dedicated to crypto. More algorithms are theoretically "realistically possible" than you will have time to check in your lifetime. In addition, it could be that the key presumably stored in the header is encrypted, and another circuit inside the ROM chip decrypts that key. |
I don't see anything wrong with this. Just looks like some constructive criticism, is all. I'm sure he didn't mean any offense.
#30980 - tonofsteel - Mon Dec 06, 2004 8:58 pm
Well if its just meant as constructive critisism then I must apologize a bit. So far I have only recieved constructive critisism, and thats about it. I would like to have a good conversation about figuring out some technical aspects with someone, mabye someday. Once I get organized I plan to post all that I know, and have found out from other people, of which have helped out, DarkFader's website and information, sgstair's captures, joat's wide knowledge of everything, as well as a few others in #dsdev.
But there is lots of knowledge but it does not seem to be coming together, many people have not heard of somone elses work. There isnt much up to this point but there is no use for me to figure out how to get a header off a cart when it has already been done, and the person who did it has a good understanding of how to do it. I just want this information to be a little more accessable, not only for me, but for the other people out there who are much smarter than me, and might look at it and say, oh thats how it works.... So please can people post what they know, if you know how to do something with the cart, please post it.
#30991 - tepples - Mon Dec 06, 2004 10:28 pm
| tonofsteel wrote: |
| And tepples, wtf man? Its a guess right now, all just speculation on whats happening. If someone gets far enough to be pretty sure its a type of encryption, then what are we going to do come to you for discouragement hour? |
I intended my devil's advocacy only to temper some people's irrational exuberance. I guess I was just tired of people on Pocket Heaven demanding that Loopy and FluBBa port PocketNES and SNES Advance to the DS using DS features, so I set this as my sig:
| In his sig on boards.pocketheaven.com, tepples wrote: |
| No, you can't always assume that somebody will sell copiers for the Nintendo DS to the public. |
Soon afterward, the demands slowed down significantly.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.