6,264
edits
Changes
Jump to navigation
Jump to search
Line 75:
Line 75: + − +
→New_3DS FIRM
* Hashes data from the region 0x10012000-0x10012090 using SHA2.
* Hashes data from the region 0x10012000-0x10012090 using SHA2.
* Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively.
* Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively.
* Crypts an unknown 0x10-byte block with keyslot 0x11, then uses the output block to set the normalkey for keyslot 0x11.
* Decrypts arm9_bin_buf+0 using keyslot 0x11, and initialises keyX for keyslot 0x15 with it.
* Decrypts arm9_bin_buf+0 using keyslot 0x11, and initialises keyX for keyslot 0x15 with it.
* Initialises KeyX for keyslots 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11. These are presumably New3DS-specific keys.
* Initialises KeyX for keyslots 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11. These are presumably New3DS-specific keys.
It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the IV to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, it decrypts arm9_bit_buf+64 using an hardcoded keyY for keyslot 0x15 and makes sure it's all zeroes. It it is, it jumps to the decrypted addr. Otherwise it will just loop forever.
It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the IV to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, it decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15 and makes sure it's all zeroes. It it is, it jumps to the decrypted addr. Otherwise it will just loop forever.
Thus, the ARM9 binary has the following header:
Thus, the ARM9 binary has the following header: