=== NATIVE_FIRM ===
For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader.

If bit 1 of (u8*)0x10000000 is clear, the loader hashes the data in the region 0x10012000-0x10012090 using SHA2, then sets AES keyslot 0x11 to the lower portion of that hash. It then initialises KeyX for keyslots 0x15 and 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11.

The loader sets KeyY for keyslot 0x15 to arm9_bin_buf+0 and the IV to arm9_bin_buf+32, then decrypts the binary. When done, it clears the keys for keyslot 0x15 and jumps to the decrypted address.