gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

DS Flash Equipment > Cartridge Encryption and Legal Issues

#76030 - xproductions - Fri Mar 17, 2006 9:26 pm

Hello,

It is probably illegal to distribute the encryption key in the DS ARM7 ROM. However, here's a workaround. (I don't know a lot about crypto, so this may be incorrect). According to Martin Korth's docs, the BIOS loads the key into RAM, calculates a new key based on the cartridge's gamecode and a constant modulo value (called init_keycode in his docs), and then uses that to decrypt the commands. Would it be legal to distribute the re-calculated key for a certain code, say, NTR-BEER? I can't think of any technical catches here.

P.S. Martin's docs say that the key is recalculated three times, but this crypto is only applied to the "Secure Area Disable" and "Secure Area" which are ROM areas (look at his docs for info about that).

P.P.S. I suck at explaining so please try your best to understand and I can clarify anything you don't understand.
_________________
If you would not be forgotten
as soon as you are dead and rotten,
either write things worth reading
or do things worth writing.

-- Benjamin Franklin

#76036 - tepples - Fri Mar 17, 2006 9:59 pm

xproductions wrote:
It is probably illegal to distribute the encryption key in the DS ARM7 ROM.

O rly? Search this forum for keywords Accolade, Lexmark, or Chamberlain.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#76061 - swimgod - Sat Mar 18, 2006 12:21 am

or google lol
_________________

1x WII 2x remotes
2x NDS/L(FMv7-ORG:v4,FMv7-org:DSL)
1x GBAMP
2x 1gb (MicroDrive{typeII}&SanDisk{typeI})
1x SuperPass2
1x Supercard-CF

MoonShell skins

#76091 - HyperHacker - Sat Mar 18, 2006 4:07 am

As I asked before, but never got an answer... it's possible to just read the key out of the ARM7 BIOS. Shouldn't that be legal?

Also I heard something about some way you could get the cartridge to return an encrypted stream of zeros, which makes it really easy to determine the key.

#76092 - caitsith2 - Sat Mar 18, 2006 4:19 am

HyperHacker wrote:
As I asked before, but never got an answer... it's possible to just read the key out of the ARM7 BIOS. Shouldn't that be legal?


Yes, you could just read out the encryption key from the bios.

HyperHacker wrote:

Also I heard something about some way you could get the cartridge to return an encrypted stream of zeros, which makes it really easy to determine the key.


Blowfish encryption is not used for the separate encrypted stream of 0s. What is used for that is two hardware LFSRs, each seeded with 2 initial values. One of those initial values is constant, and the other is based on the RTC, a value looked up from a value contained in the DS card header, and one constant value. This LFSR encryption is not something you need to worry about for reading DS game cards inside the DS. You only need to worry about that encryption mode if you're making a DS flash card, or you're making a hardware standalone DS game card reader.

You do have to worry about the Blowfish encryption, however, for all of the possible applications, including the DS flash card or standalone DS game card reader, as there is a set of DS game card commands specifically encrypted with the Blowfish key, for reading out the secure area, then switching into the final DS game card read mode.
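
An added illustration of the two-LFSR stream described in the post above (not code from any poster or from Martin Korth's docs): a toy Python model showing that an encrypted stream of zeros is the raw keystream, and that this keystream only stays useful while the seeds repeat. The register widths, feedback masks and seed values are constructed for the example and are not the DS hardware's.

```python
# Toy model: the register widths, feedback masks and seeds below are
# constructed for illustration and are NOT the DS hardware's values.

class GaloisLFSR:
    def __init__(self, seed, mask, width):
        self.state = seed & ((1 << width) - 1)
        self.mask = mask
        if self.state == 0:
            raise ValueError("an all-zero LFSR state never changes")

    def next_byte(self):
        value = 0
        for i in range(8):
            bit = self.state & 1
            self.state >>= 1
            if bit:
                self.state ^= self.mask
            value |= bit << i
        return value


def keystream(const_seed, session_seed, n):
    """XOR the outputs of two LFSRs: one fixed seed, one per-session seed."""
    a = GaloisLFSR(const_seed, 0xB400, 16)
    b = GaloisLFSR(session_seed, 0x80200003, 32)
    return bytes(a.next_byte() ^ b.next_byte() for _ in range(n))


def xor_stream(data, const_seed, session_seed):
    """Encrypt or decrypt: the operation is its own inverse."""
    ks = keystream(const_seed, session_seed, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def demo():
    const_seed, session = 0xACE1, 0x1234ABCD       # constructed values
    payload = b"constructed data"
    # Zero plaintext: the ciphertext is the keystream itself.
    leaked = xor_stream(bytes(len(payload)), const_seed, session)
    # Same seeds reused: the leaked keystream decrypts other data.
    same = xor_stream(payload, const_seed, session)
    reused = bytes(c ^ k for c, k in zip(same, leaked)) == payload
    # Fresh session seed: the old keystream no longer applies.
    fresh = xor_stream(payload, const_seed, 0x0BADF00D)
    stale = bytes(c ^ k for c, k in zip(fresh, leaked)) == payload
    return leaked == keystream(const_seed, session, len(payload)), reused, stale


if __name__ == "__main__":
    print(demo())
```

The design lesson is the usual one for XOR stream ciphers: the per-session seed has to be unpredictable and never repeated, because any known plaintext exposes the keystream for that seed pair.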

#76810 - HyperHacker - Fri Mar 24, 2006 11:00 pm

OK, so if I wanted to write an app that can like read files from the DS card, run it, etc I'd only need to decrypt it using the Blowfish key in the BIOS, and doing so would be completely legal? 'Cause that'd be pretty convenient (boot the DS card without having to hold Select).

#77453 - zzo38computer - Fri Mar 31, 2006 9:56 pm

One thing, I don't think you can read anything from the BIOS unless the program-counter is in the BIOS, but maybe you can set the program-counter in the middle of a function and trick the BIOS code..

And apparently it is legal to distribute the private key; if someone finds it then the key is broken (oops...)

And, I wonder now if it is possible to write a document with instructions to build a DS game card that can have custom software loaded onto it, and maybe even a switch to enable writing mode, so you put it in the DS, enable the writing switch, put in a GBA card and copy the file
_________________
Important: Please send messages about FWNITRO to the public forum, not privately to me.

#77473 - caitsith2 - Sat Apr 01, 2006 4:34 am

zzo38computer wrote:
One thing, I don't think you can read anything from the BIOS unless the program-counter is in the BIOS, but maybe you can set the program-counter in the middle of a function and trick the BIOS code..


Look at http://phpfi.com/97977. There is code Nintendo accidentally put there as part of their randomly generated Blowfish key, that allows complete BIOS readout.