Changes

The extended header, the [[ExeFS]] and the [[RomFS]] are encrypted using 128-bit AES CTR. See here regarding the [https://github.com/3dshax/ctr/blob/master/ctrtool/ncch.c CTR].

The extended header, the [[ExeFS]] and the [[RomFS]] are encrypted using 128-bit AES CTR. See here regarding the [https://github.com/3dshax/ctr/blob/master/ctrtool/ncch.c CTR].

The key is generated using the [[AES|AES Engine]] key generator, where the keyX is set by the bootrom (see below for the keyslots) and the keyY is the first 0x10 bytes of the NCCH signature. This method of key generation is referred to as "secure-crypto". Starting with [[9.6.0-24|9.6.0-X]] Process9 can now generate the NCCH keyY with the first 0x10-bytes from a SHA256 hash(when ncchflag[7] = 0x20). This new keyY generation can only be used with [[7.0.0-13|7.0.0-X]] NCCH encryption or above.

The key is generated using the [[AES|AES Engine]] key generator, where the keyX is set by the bootrom (see below for the keyslots) and the keyY is the first 0x10 bytes of the NCCH signature. This method of key generation is referred to as "secure-crypto".  

 

Starting with [[9.6.0-24|9.6.0-X]] Process9 can now generate the NCCH keyY with the first 0x10-bytes from a SHA256 hash(when ncchflag[7] = 0x20). This hash is generated with the data <0x10-long old-method keyY><last 0x10-bytes which gets hashed during keyY generation>. This new keyY generation can only be used with [[7.0.0-13|7.0.0-X]] NCCH encryption or above.  

If a certain NCCH flag is set, a fixed AES key is used. There are two fixed keys, one for titles which have the system category bit set (SystemFixedKey), and one for the rest ("zeros" key). These are debug keys, as they aren't nomally supported on retail systems.

If a certain NCCH flag is set, a fixed AES key is used. There are two fixed keys, one for titles which have the system category bit set (SystemFixedKey), and one for the rest ("zeros" key). These are debug keys, as they aren't nomally supported on retail systems.