Difference between revisions of "Nand:/sys/dev.kp"

From DSiBrew
< Nand:‎ | sys
Jump to navigation Jump to search
m
m (fix link)
 
(14 intermediate revisions by 6 users not shown)
Line 3: Line 3:
 
Note that the console id itself is burned in an OTP area of the TWL CPU, and changing the contents of this file will not actually change the console id.
 
Note that the console id itself is burned in an OTP area of the TWL CPU, and changing the contents of this file will not actually change the console id.
  
 +
:[fixme: The DSi does have a unique per-console ID: The wifi MAC address, stored in the FLASH memory on the wifi daughterboard. Is there really another ID in an "OTP area of the TWL CPU", as stated above? And if yes: How is that OTP ID accessed by software?]
  
 
This file contains the unique per-console ECC private-public key pair, along with a certificate issued by Nintendo.
 
This file contains the unique per-console ECC private-public key pair, along with a certificate issued by Nintendo.
 +
 +
This file is created by the DSi Shop, with data from a SOAP reply. The SOAP request data includes the hw console id, and the 0x100-byte RSA signature stored in NAND file [[nand:/sys/HWID.sgn]]. Trying to send that request would require a NAND dump, but when you have a NAND dump already sending that request is pointless since you can grab dev.kp from NAND.
 +
 +
Sending that request is pointless anyway since the dev.kp data from the server is random. The returned dev.kp data from the server for the EC private/public keys are random, the ticket consoleID immediately following TW before - in the twcert keyid is random as well.
 +
DSi Shop and System Settings don't contain any code for deleting dev.kp. If you try to delete/rename dev.kp manually from NAND a new dev.kp will be generated by the shop, but then the server will return an error since the server account public dev.kp cert won't match.
 +
 +
Data management can't be accessed when dev.kp doesn't exist since you'd have no twcert to sign/verify [[Tad|tads]] with, like when you never connected the DSi Shop server.
 +
 
  Signature across rest of block -- type = 0x00010002, ECC
 
  Signature across rest of block -- type = 0x00010002, ECC
 
  0000000: 00 01 00 02 00 db da 21 3b e1 f1 bf bb 4d dc 1d
 
  0000000: 00 01 00 02 00 db da 21 3b e1 f1 bf bb 4d dc 1d
Line 25: Line 34:
 
  00000c0: 00 00 00 02 54 57 63 37 39 64 63 65 63 39 2d 30  ....TWc79dcec9-0
 
  00000c0: 00 00 00 02 54 57 63 37 39 64 63 65 63 39 2d 30  ....TWc79dcec9-0
 
  00000d0: 38 61 32 30 32 38 37 30 31 30 38 34 31 31 38 00  8a2028701084118.
 
  00000d0: 38 61 32 30 32 38 37 30 31 30 38 34 31 31 38 00  8a2028701084118.
  00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+
  00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
  00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0000100: 00 00 00 00 6f dd de 42 01 e0 34 a3 19 bc a9 af ....o..B..4.....
+
  0000110: 50 fe 8a ac 75 08 07 a9 3a 2c 21 51 93 ae 4a 90 P...u...:,!Q..J.
+
  Public ECC key (30 bytes, starting at 0x108)
  0000120: 6e 62 41 f1 a2 fe 00 00 3d 0a 13 97 da 53 17 98 nbA.....=....S..
+
  0000100: 00 00 00 00 6f dd de 42 01 e0 34 a3 19 bc a9 af
  0000130: 69 38 65 67 ca f4 9c 87 ec 44 b7 eb d0 ec b8 3d i8eg.....D.....=
+
  0000110: 50 fe 8a ac 75 08 07 a9 3a 2c 21 51 93 ae 4a 90
  0000140: 23 cf 7a 35 00 00 00 00 00 00 00 00 00 00 00 00 #.z5............
+
  0000120: 6e 62 41 f1 a2 fe 00 00 3d 0a 13 97 da 53 17 98
  0000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+
  0000130: 69 38 65 67 ca f4 9c 87 ec 44 b7 eb d0 ec b8 3d  
  0000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+
  0000140: 23 cf 7a 35 00 00 00 00 00 00 00 00 00 00 00 00
  0000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+
  0000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 +
  0000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 +
  0000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
   
 
   
 
  Private per-console ECC key, used for signing files on SD
 
  Private per-console ECC key, used for signing files on SD
Line 40: Line 51:
 
  0000190: c9 ab 8e a1 f9 b5 c8 14 3c 74 74 f8 19 3a
 
  0000190: c9 ab 8e a1 f9 b5 c8 14 3c 74 74 f8 19 3a
  
See also [http://www.wiibrew.org/wiki/Certificate_chain Certificate Chain]
+
See also [http://www.wiibrew.org/wiki/Certificate_chain Certificate Chain], [[nand:/sys/cert.sys]]
 +
 
 +
{{Navbox filebrowser}}

Latest revision as of 05:22, 20 December 2022

The dev.kp file is encrypted with ES block encryption, and the contents of an example dev.kp file after decryption is shown below.

Note that the console id itself is burned in an OTP area of the TWL CPU, and changing the contents of this file will not actually change the console id.

[fixme: The DSi does have a unique per-console ID: The wifi MAC address, stored in the FLASH memory on the wifi daughterboard. Is there really another ID in an "OTP area of the TWL CPU", as stated above? And if yes: How is that OTP ID accessed by software?]

This file contains the unique per-console ECC private-public key pair, along with a certificate issued by Nintendo.

This file is created by the DSi Shop, with data from a SOAP reply. The SOAP request data includes the hw console id, and the 0x100-byte RSA signature stored in NAND file nand:/sys/HWID.sgn. Trying to send that request would require a NAND dump, but when you have a NAND dump already sending that request is pointless since you can grab dev.kp from NAND.

Sending that request is pointless anyway since the dev.kp data from the server is random. The returned dev.kp data from the server for the EC private/public keys are random, the ticket consoleID immediately following TW before - in the twcert keyid is random as well. DSi Shop and System Settings don't contain any code for deleting dev.kp. If you try to delete/rename dev.kp manually from NAND a new dev.kp will be generated by the shop, but then the server will return an error since the server account public dev.kp cert won't match.

Data management can't be accessed when dev.kp doesn't exist since you'd have no twcert to sign/verify tads with, like when you never connected the DSi Shop server.

Signature across rest of block -- type = 0x00010002, ECC
0000000: 00 01 00 02 00 db da 21 3b e1 f1 bf bb 4d dc 1d
0000010: 60 29 da 19 42 1e 66 4f a8 e5 27 a1 d4 ea 46 7d
0000020: 9b b4 00 95 c5 0d e8 fa ef a7 8d e9 bc 54 da c1
0000030: 24 94 0b 7c ad a8 61 d5 05 97 c2 64 38 ad 18 f9

0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Key used to sign this cert (Root-CA00000001-MS00000008)
0000080: 52 6f 6f 74 2d 43 41 30 30 30 30 30 30 30 31 2d  Root-CA00000001-
0000090: 4d 53 30 30 30 30 30 30 30 38 00 00 00 00 00 00  MS00000008
00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Console ID string
00000c0: 00 00 00 02 54 57 63 37 39 64 63 65 63 39 2d 30  ....TWc79dcec9-0
00000d0: 38 61 32 30 32 38 37 30 31 30 38 34 31 31 38 00  8a2028701084118.
00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Public ECC key (30 bytes, starting at 0x108)
0000100: 00 00 00 00 6f dd de 42 01 e0 34 a3 19 bc a9 af
0000110: 50 fe 8a ac 75 08 07 a9 3a 2c 21 51 93 ae 4a 90
0000120: 6e 62 41 f1 a2 fe 00 00 3d 0a 13 97 da 53 17 98
0000130: 69 38 65 67 ca f4 9c 87 ec 44 b7 eb d0 ec b8 3d 
0000140: 23 cf 7a 35 00 00 00 00 00 00 00 00 00 00 00 00
0000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Private per-console ECC key, used for signing files on SD
0000180: 01 12 9d e0 77 82 44 d3 ee 99 ad ce e5 fa fa ed
0000190: c9 ab 8e a1 f9 b5 c8 14 3c 74 74 f8 19 3a

See also Certificate Chain, nand:/sys/cert.sys