4dsdev
Views: 578,522 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 06-26-17 08:15 PM
Guest:

0 users reading RSA Questions | 1 bot

Main - Reverse-engineering - RSA Questions New reply


nocash
Posted on 10-25-15 07:04 AM Link | #550
Some RSA questions...

1) Does somebody have some source code example for decrypting the RSA signatures in DSi cart headers?
I guess any open source RSA implementations could do that, when calling the correct functions with correct parameters.

2) The DSi BIOS has two different subfunctions for RSA decryption functions (either one of them used, depending on bit0 of the first byte of the RSA key).
Is that something common in RSA world? And what is it good for? Are that two different RSA variants, or is just some kind of optimization for faster processing of "even/odd" keys?

3) The DSi's encrypted RSA data is always 80h bytes in size. But the size of the decrypted output is variable (from what I've seen, it's always (?) 7Fh bytes; whereas those 7Fh bytes are usually mainly consisting of padding bytes).
What is that variable length good for? Are there cases where it could be bigger or smaller than 7Fh? And is it something that can be freely assigned at encryption time, or is it just some "dirt effect" where the compressor is "randomly" assigning different lengths depending on the input?

nocash
Posted on 05-10-16 12:10 PM Link | #1016
About the 3rd question: That stuff seems to be defined in RFC 2313:
A block type BT, a padding string PS, and the data D shall be
formatted into an octet string EB, the encryption block.
EB = 00 || BT || PS || 00 || D .
As far as I understand, the leading 00h is intended to avoid overflows on large interger maths, the BT block type is always 01h on DSi, the following PS padding consists of FFh's on DSi (as defined for BT=01h), padding does then end with the trailing 00h, then followed by the actual data (usually a 14h-byte SHA1 value on DSi).

The DSi BIOS decrypt function doesn't return the leading 00h, but internally RSA seems to work as if the 00h would be there. So, to make an unencrypted 80h-byte signature, one could just follow that notation (ie. adding a leading 00h to the 7Fh-byte signature).
Or am I missing something, and that wouldn't be the optimal format for unencrypted signatures?

Plans for next no$gba version are supporting unencrypted signatures in that fashion - so that people could create "authentic" DSi homebrew games or system files that are compatible with the original firmware.
One would still need Nintendo's private key to get that files working in real hardware, but in an emulator one could just hook the BIOS RSA functions (ie. detecting if the signature contains the unencrypted "00 || BT || PS || 00" values, and if so, just copy the signature as-is instead of trying to decrypt it).

nocash
Posted on 05-26-16 04:20 PM Link | #1038
About the 1st question: Somebody pointed me on this https://github.com/mborisov1/rsa_embedded - it's less than 200 lines of code - and it contains everything needed to decrypt RSA signatures!
That's about a million times simplier than trying to understand polarssl source code, or trying to disassemble the DSi bios functions.
I've ported it to ASM, and it's actually working for the DSi signatures. When changing two things:
The .h files defines MPI_NUMBER_SIZE=128, counted in 16bit units (ie. 256 bytes), for the DSi that must be changed to half of that size.
The source/dest/key values must be little-endian, whilst the DSi does have them stored in big-endian.
And the parameters for the "mpi_powm65537" function are then "m=source/dest buffer", and "n=key".


Main - Reverse-engineering - RSA Questions New reply

Page rendered in 0.031 seconds. (2048KB of memory used)
MySQL - queries: 27, rows: 66/66, time: 0.022 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2015-10-07)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.