Changes

303 bytes added, 23:41, 20 April 2015
Line 21: Line 21:     
::Yes, those two RSA pubks are stored in the TWL_FIRM Process9 binary itself. When one has TWL_FIRM decrypted one can just extract those keys from there. There's public exploit(s)+tools for that, including arm9hax which is required for dumping the DSi keys from 3DS ARM9 ITCM. The common tad-keyX is written to the AES engine keyslot for it by bootrom, AFAIK it doesn't get copied elsewhere (the keyY for it is copied to the keystorage area near the end of ARM7 memory, but of course that area gets cleared when games are booted). --[[User:Yellows8|Yellows8]] 20:34, 18 April 2015 (CEST)
 
 +
 +
Thanks! Found the RSA key. And now I do also understand what you meant about reversing Tad key X (the DSi does only relocate Tad key Y to RAM/TCM). My emu is now throwing that "Error: 1-2435-8325" message. That should be a good place to start with. --[[User:Nocash|Nocash]] 23:41, 20 April 2015 (CEST)
    
== Bootloader Error Photos ==
 