4dsdev
Main - Homebrew discussion - Decrypting CIA contents directly?


d0k3
Posted on 09-22-15 07:19 PM (rev. 3 of 09-22-15 07:22 PM) Link | #423
I know, CIAs can be decrypted via just installing them and then decrypting the extracted contents. However, this is not what I want to do... What I want to do is to decrypt CIA files (such as stuff downloaded from CDN) directly.

3DBrew has this information:
Posted by http://3dbrew.org/wiki/CIA
The contents (NCCH/SRL) are encrypted using 128-bit AES-CBC. The encryption uses the decrypted titlekey from the ticket, and the content index from the TMD padded with zeros as the IV.

The ctr (or iv) is pretty simple, and it seems the titlekey has to be used as key. But which? NormalKey, KeyX or KeyY? And what keyslot to use? Maybe 0x3F because that seems to be unused for anything else?

profi200's GitHub repo of makerom has some code showing the decryption of a CIA:
https://github.com/profi200/Project_CTR/blob/master/makerom/cia.c#L669

However, that doesn't help me much in understanding how to do it on 3DS, because there seems to be only one key in that code (which is based on polarssl).

Can anyone help?


Dazzozo
Posted on 09-22-15 07:41 PM (rev. 2 of 09-22-15 07:44 PM) Link | #424
It can obviously only be a normal key, if this crypto can be performed on a PC.

Which keyslot you use is up to you, and how much you care depends on what you're doing. If you're not FIRM launching and just MCU-rebooting (on exit) it doesn't really matter outside of slots you want to use elsewhere.

Edit: 0x11 is a good slot for temporary work. Nintendo also uses it for this purpose.

d0k3
Posted on 09-23-15 04:19 AM (rev. 2 of 09-23-15 04:23 AM) Link | #425
Posted by Dazzozo
It can obviously only be a normal key, if this crypto can be performed on a PC.

Which keyslot you use is up to you, and how much you care depends on what you're doing. If you're not FIRM launching and just MCU-rebooting (on exit) it doesn't really matter outside of slots you want to use elsewhere.

Edit: 0x11 is a good slot for temporary work. Nintendo also uses it for this purpose.

Thank you! I forgot to say, makerom from Project CTR cannot decrypt untouched CIAs (from CDN), so there must be more to it. If the decryption could really be done on PC in all cases, this would already be in makerom. It might still be possible the 3DS hardware is only needed to decrypt the titlekey, though, which would make things a lot easier.

Dazzozo
Posted on 09-23-15 04:35 AM Link | #426
Yeah, you got it. Only the encryption of the title key uses a "special" key pair (hardware key generator). The title key itself is a normal key.

profi200
Posted on 09-23-15 07:33 PM Link | #429
You can't do everything on the PC because the title key needs to be decrypted through the AES engine. If you have the decrypted title key however it's easy to decrypt the contents of titles.
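To make the PC side of what Dazzozo and profi200 describe concrete, here is an added example (not from the thread, and not makerom's or Decrypt9's code): given an already decrypted title key, one CIA content section is decrypted with AES-128-CBC using the TMD content index, padded with zeros, as the IV. Decrypting the title key itself is the step that needs the 3DS AES engine and its key generator, so it is deliberately left out and the plain key is just an input. The big-endian placement of the 2-byte index at the start of the IV follows 3DBrew and makerom; the title key and content bytes are constructed for the example, and EncryptContent exists only to build that test input.

```go
// Added example: AES-128-CBC decryption of one CIA content section on a PC,
// given the already decrypted title key (a plain "normal key"). The title key
// decryption, which needs the 3DS hardware key generator, is out of scope.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// ContentIV builds the IV for one CIA content section: the 2-byte content
// index from the TMD (big endian, as 3DBrew and makerom use it) followed by
// 14 zero bytes.
func ContentIV(contentIndex uint16) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint16(iv, contentIndex)
	return iv
}

// titleKeyCipher returns the AES block cipher for the decrypted title key,
// rejecting anything that is not exactly 16 bytes. No keyX/keyY is involved.
func titleKeyCipher(titleKey []byte) (cipher.Block, error) {
	if len(titleKey) != 16 {
		return nil, errors.New("decrypted title key must be 16 bytes")
	}
	return aes.NewCipher(titleKey)
}

// DecryptContent decrypts one content section under the decrypted title key.
// Content data is always whole AES blocks, so any other length is an error
// rather than being silently truncated.
func DecryptContent(titleKey []byte, contentIndex uint16, ciphertext []byte) ([]byte, error) {
	block, err := titleKeyCipher(titleKey)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("content length %d is not a multiple of %d", len(ciphertext), aes.BlockSize)
	}
	plaintext := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, ContentIV(contentIndex)).CryptBlocks(plaintext, ciphertext)
	return plaintext, nil
}

// EncryptContent is the inverse. It exists only to construct test input that
// looks like an encrypted content section; a CDN CIA already arrives encrypted.
func EncryptContent(titleKey []byte, contentIndex uint16, plaintext []byte) ([]byte, error) {
	block, err := titleKeyCipher(titleKey)
	if err != nil {
		return nil, err
	}
	if len(plaintext) == 0 || len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("content length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	ciphertext := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, ContentIV(contentIndex)).CryptBlocks(ciphertext, plaintext)
	return ciphertext, nil
}

// LooksLikeNCCH is the quick sanity check on a decrypted content: an NCCH
// carries the ASCII magic "NCCH" at offset 0x100, right after the RSA
// signature. Passing it proves the key was right but says nothing about the
// IV, because with CBC a wrong content index only garbles the first 16 bytes.
func LooksLikeNCCH(content []byte) bool {
	return len(content) >= 0x104 && bytes.Equal(content[0x100:0x104], []byte("NCCH"))
}

func main() {
	// Constructed input: a made-up decrypted title key and a made-up
	// 0x200-byte content with the NCCH magic in place. Not real title data.
	titleKey := []byte("0123456789abcdef")
	content := make([]byte, 0x200)
	copy(content[0x100:], "NCCH")

	enc, err := EncryptContent(titleKey, 0, content)
	if err != nil {
		panic(err)
	}
	dec, err := DecryptContent(titleKey, 0, enc)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(dec, content), "NCCH magic:", LooksLikeNCCH(dec))

	// Wrong content index: still "looks like" an NCCH, but block 0 is garbage.
	wrong, _ := DecryptContent(titleKey, 1, enc)
	fmt.Println("wrong index, magic still present:", LooksLikeNCCH(wrong),
		"first block intact:", bytes.Equal(wrong[:16], content[:16]))
}
```

The wrong-index case is the caveat worth remembering when debugging a CIA decryptor: the NCCH magic at 0x100 confirms the title key but not the IV, so a mistake in the content index shows up only in the first 16 bytes of the output.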

d0k3
Posted on 10-01-15 09:27 PM Link | #441
Posted by Dazzozo
Yeah, you got it. Only the encryption of the title key uses a "special" key pair (hardware key generator). The title key itself is a normal key.

Posted by profi200
You can't do everything on the PC because the title key needs to be decrypted through the AES engine. If you have the decrypted title key however it's easy to decrypt the contents of titles.

Thanks a ton, both of you! After some fiddling around (and noticing my crypto lib is even more broken than I thought it was :/), I finally managed to properly implement full CIA decryption in my WIP version of Decrypt9.

