Changes

369 bytes added ,  20:22, 7 February 2015
Line 186: Line 186:  
!  Keyslot
 
!  Keyslot
 
!  Description
 
!  Description
 +
!  Key-data initialized by ARM9 bootrom
 +
!  Key-data initialized by Process9
 
|-
 
|-
 
| 0x00-0x03
 
| 0x00-0x03
 
| These are the TWL keyslots, the key-data for these can be set via the REG_AESKEY0-REG_AESKEY3 registers. These keyslots are initialized by NATIVE_FIRM. The console-unique portion of two of these keyslots are only [[CONFIG|initialized]] by NATIVE_FIRM during initial hard-boot.
 
| These are the TWL keyslots, the key-data for these can be set via the REG_AESKEY0-REG_AESKEY3 registers. These keyslots are initialized by NATIVE_FIRM. The console-unique portion of two of these keyslots are only [[CONFIG|initialized]] by NATIVE_FIRM during initial hard-boot.
 +
|
 +
| Yes
 
|-
 
|-
 
| 0x0D
 
| 0x0D
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler.
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler.
 +
| Yes
 +
| No
 
|-
 
|-
 
| 0x11
 
| 0x11
 
| This is used for general normal-key crypto, where the normal-key is set by FIRM. This keyslot is also used by the New3DS [[FIRM]] arm9 binary loader.
 
| This is used for general normal-key crypto, where the normal-key is set by FIRM. This keyslot is also used by the New3DS [[FIRM]] arm9 binary loader.
 +
| No
 +
| Yes, when using this keyslot
 +
|-
 +
| 0x12
 +
| Unused?
 +
| No
 +
| No
 
|-
 
|-
 
| 0x14
 
| 0x14
 
| Starting with [[5.0.0-11]], NATIVE_FIRM Process9 now sets the keyY for this to the same one it uses for initializing 3 of the keyslots' keyYs from [[PSPXI:EncryptDecryptAes|here]].
 
| Starting with [[5.0.0-11]], NATIVE_FIRM Process9 now sets the keyY for this to the same one it uses for initializing 3 of the keyslots' keyYs from [[PSPXI:EncryptDecryptAes|here]].
 +
| Yes
 +
| See description
 
|-
 
|-
 
| 0x20..0x23
 
| 0x20..0x23
 
| All of these keyslots(initialized by bootrom) are set to the same key-data. These seem to be set to a regular normal-key?
 
| All of these keyslots(initialized by bootrom) are set to the same key-data. These seem to be set to a regular normal-key?
 +
| Yes
 +
| No
 
|-
 
|-
 
| 0x25
 
| 0x25
 
| The keyX and keyY initialized by bootrom for this keyslot are console-unique. This keyslot is used for the [[7.0.0-13|v7.0]] [[NCCH]] encryption, the keyX is initialized during NATIVE_FIRM [[Savegames#6.0.0-11_Savegame_keyY|boot]]. The keyY/CTR used for this keyslot is the same as keyslot 0x2C.
 
| The keyX and keyY initialized by bootrom for this keyslot are console-unique. This keyslot is used for the [[7.0.0-13|v7.0]] [[NCCH]] encryption, the keyX is initialized during NATIVE_FIRM [[Savegames#6.0.0-11_Savegame_keyY|boot]]. The keyY/CTR used for this keyslot is the same as keyslot 0x2C.
 +
|
 +
| See description
 +
|-
 +
| 0x26
 +
| Unused?
 +
| No
 +
| No
 
|-
 
|-
 
| 0x2C
 
| 0x2C
 
| Used to decrypt [[NCCH|NCCH]], the keyY is set by Process9(see [[NCCH|here]] regarding the keyY). Keyslots 0x2C..0x2F all use the same keyX, set by bootrom.
 
| Used to decrypt [[NCCH|NCCH]], the keyY is set by Process9(see [[NCCH|here]] regarding the keyY). Keyslots 0x2C..0x2F all use the same keyX, set by bootrom.
 +
| Yes
 +
| Yes
 
|-
 
|-
 
| 0x2D
 
| 0x2D
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler.
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler.
 +
| Yes
 +
| No
 
|-
 
|-
 
| 0x2E
 
| 0x2E
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]]. This keyY is set by NATIVE_FIRM.
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]]. This keyY is set by NATIVE_FIRM.
 +
| Yes
 +
| Yes
 
|-
 
|-
 
| 0x2F
 
| 0x2F
 
| Initially this keyslot has the same keyY as keyslot 0x2D, initialized by bootrom. This keyY is initialized during NATIVE_FIRM [[Savegames#6.0.0-11_Savegame_keyY|boot]]. This is the keyslot used for calculating v6.0 gamecard savegames' keyYs.
 
| Initially this keyslot has the same keyY as keyslot 0x2D, initialized by bootrom. This keyY is initialized during NATIVE_FIRM [[Savegames#6.0.0-11_Savegame_keyY|boot]]. This is the keyslot used for calculating v6.0 gamecard savegames' keyYs.
 +
| Yes
 +
| See description
 
|-
 
|-
 
| 0x31
 
| 0x31
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler. NATIVE_FIRM sets this keyY to the same one used for keyslot 0x2E.
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler. NATIVE_FIRM sets this keyY to the same one used for keyslot 0x2E.
 +
| Yes
 +
| Yes
 
|-
 
|-
 
| 0x32
 
| 0x32
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]]. This keyslot keyX is the same keyX used for keyslot 0x31.
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]]. This keyslot keyX is the same keyX used for keyslot 0x31.
 +
| Yes
 +
| No
 
|-
 
|-
 
| 0x34-0x37
 
| 0x34-0x37
 
| All four of these keyslots use the same keyX. Keyslots 0x35/0x36 use the same keyY, see [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]] for keyslot 0x36.
 
| All four of these keyslots use the same keyX. Keyslots 0x35/0x36 use the same keyY, see [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]] for keyslot 0x36.
 +
| Yes
 +
| Only for keyslot 0x37
 
|-
 
|-
 
| 0x38
 
| 0x38
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler.
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]], this uses the hardware key-scrambler.
 +
| Yes
 +
| No
 
|-
 
|-
 
| 0x39
 
| 0x39
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]]. This keyslot keyX is the same keyX used for keyslot 0x38. NATIVE_FIRM sets this keyY to the same one used for keyslot 0x2E.
 
| See [[PSPXI:EncryptDecryptAes|EncryptDecryptAes]]. This keyslot keyX is the same keyX used for keyslot 0x38. NATIVE_FIRM sets this keyY to the same one used for keyslot 0x2E.
 +
| Yes
 +
| Yes
 
|-
 
|-
 
| 0x3D
 
| 0x3D
 
| This keyslot uses keyY. Used to decrypt title keys in [[Ticket]]. Used by Gateway.
 
| This keyslot uses keyY. Used to decrypt title keys in [[Ticket]]. Used by Gateway.
 +
| Yes
 +
| Yes
 
|-
 
|-
 
| 0x3E
 
| 0x3E
 
| This keyslot uses an unique keyX/keyY.
 
| This keyslot uses an unique keyX/keyY.
 +
|
 +
| No
 
|-
 
|-
 
| 0x3F
 
| 0x3F
 
| This keyslot uses an unique keyX/keyY.
 
| This keyslot uses an unique keyX/keyY.
 +
|
 +
| No
 
|}
 
|}
   Line 252: Line 300:     
=== keyX ===
 
=== keyX ===
The ARM9 bootrom initializes the keyX for each 3DS keyslot, the ARM9 bootrom also initializes the keyY for the keyslots where NATIVE_FIRM doesn't set the keyY. In certain cases Process9 may also set the keyX.
+
The ARM9 bootrom initializes the keyX for certain 3DS keyslots, the ARM9 bootrom may also initialize the keyY for certain keyslots. In certain cases Process9 may also set the keyX.
    
=== Hardware key generator ===
 
=== Hardware key generator ===
Line 260: Line 308:     
=== FIRM-launch key clearing ===
 
=== FIRM-launch key clearing ===
Starting with [[9.0.0-20]] the Process9 FIRM-launch code now "clears" the following AES keyslots, with certain keydata by writing the normal-key: 0x15 and 0x18-0x20. These are the keyslots used by the New3DS [[FIRM]] arm9bin loader(minus keyslot 0x11), so the New3DS Process9 presumably does this too.
+
Starting with [[9.0.0-20]] the Process9 FIRM-launch code now "clears" the following AES keyslots, with certain keydata by writing the normal-key: 0x15 and 0x18-0x20. These are the keyslots used by the New3DS [[FIRM]] arm9bin loader(minus keyslot 0x11), the New3DS Process9 does this too.