Changes

4,811 bytes added ,  06:00, 18 January 2023
System Settings svcBreak
Line 111: Line 111:     
When managing 3DS Software installed to the SD Card, the [[Title Database|title.db]] is read by the core receiving [[Application Manager Services PXI|AM]] commands. From the title.db file, AM gets a list of installed titles, title sizes and the name of the ".cmd" file for each title, which is used to check the authenticity of the title data(product code, title version, and if an electronic manaual is used, is also kept for each title, in the title.db, but won't be used by the Data Management Utility). For each title listed, it checks if the title is authentic(via the .cmd file). If the title passes authentication, Data Management decrypts/reads the ICN data from the executable NCCH([[CXI]]) and displays it along with the archived title size. If a title doesn't pass authentication, a placeholder icon(light grey with a '?' in the center), name ('????????') and a size of zero are used. Deleting titles removes the title data from the title.db and import.db, and deletes the directory of the content.
 
When managing 3DS Software installed to the SD Card, the [[Title Database|title.db]] is read by the core receiving [[Application Manager Services PXI|AM]] commands. From the title.db file, AM gets a list of installed titles, title sizes and the name of the ".cmd" file for each title, which is used to check the authenticity of the title data(product code, title version, and if an electronic manaual is used, is also kept for each title, in the title.db, but won't be used by the Data Management Utility). For each title listed, it checks if the title is authentic(via the .cmd file). If the title passes authentication, Data Management decrypts/reads the ICN data from the executable NCCH([[CXI]]) and displays it along with the archived title size. If a title doesn't pass authentication, a placeholder icon(light grey with a '?' in the center), name ('????????') and a size of zero are used. Deleting titles removes the title data from the title.db and import.db, and deletes the directory of the content.
 +
 +
Additionally, if a CTR-NAND or TWL-NAND installed title passes authentication, but has a fake-signed ticket, System Settings will call "[[SVC|svcBreak]]" upon entering Data Management -> 3DS | DSiWare. Barring patched RSA sig checks, this will prevent a user from viewing the 3DS and/or DSiWare Data Management menu depending on which NAND(s) the offending title(s) is installed. This phenomenon has been known to lock users out of executing widely used exploits like [https://github.com/zoogie/Bannerbomb3 Bannerbomb3], which need access to Data Management to trigger.
    
=== DSiWare ===
 
=== DSiWare ===
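Review bot: The added paragraph covers only "a CTR-NAND or TWL-NAND installed title", while the paragraph directly above it describes software installed to the SD Card, so a reader cannot tell whether a fake-signed ticket on an SD-installed title leads to the same svcBreak. State the SD case explicitly, or say it is untested. "Data Management -> 3DS | DSiWare" would read better written out as the two menu paths it stands for, and "Barring patched RSA sig checks" deserves one clause saying which checks are meant, since it is the only exception the paragraph names. The unchanged context still has "manaual", which could be fixed in the same edit.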
Line 118: Line 120:  
== System Format ==
 
== System Format ==
 
Most of the System Format is done with [[FS:InitializeCtrFileSystem]]. This command updates the high u64 of the keyY stored in [[Nand/private/movable.sed|movable.sed]]. Since this keyY was updated, the data stored on [[SD_Filesystem|SD]] card(sdmc/Nintendo 3DS/<ID0>/<ID1>) and the data under [[Flash_Filesystem|nand/data/<ID0>]] is rendered useless, since that data used the old keyY. Since that data is no longer usable, the system then deletes the two above SD/NAND directories.
 
Most of the System Format is done with [[FS:InitializeCtrFileSystem]]. This command updates the high u64 of the keyY stored in [[Nand/private/movable.sed|movable.sed]]. Since this keyY was updated, the data stored on [[SD_Filesystem|SD]] card(sdmc/Nintendo 3DS/<ID0>/<ID1>) and the data under [[Flash_Filesystem|nand/data/<ID0>]] is rendered useless, since that data used the old keyY. Since that data is no longer usable, the system then deletes the two above SD/NAND directories.
 +
 +
When you first enter the System Format menu, it will check if a NNID is linked. If there's a linked-NNID, it will then display: "Are you ready to connect to the Internet to check whether data can be formatted"? Continuing will only result in connecting to wifi for checking in with Nintendo's servers, which may fail if the console is banned. Once that's done it will continue with the usual system-format messages; proceeding will result in the NNID cookie, potentially still present on NAND backups or multiboot scenarios, being invalidated until the next sign-in (at which point even old sessions will be valid again).
    
== System Updater ==
 
== System Updater ==
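Review bot: The new paragraph says the server check "may fail if the console is banned" but does not document the outcome of that failure: whether the format is refused, or proceeds without the NNID cookie being invalidated. Add that branch, because the rest of the paragraph only describes the success path. The parenthetical "(at which point even old sessions will be valid again)" also needs a sentence on what counts as an old session, given that the cookie is described as surviving in NAND backups or multiboot setups. Style points: the question mark belongs inside the quoted prompt, "linked-NNID" should be "linked NNID", and "wifi" should be "Wi-Fi".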
Line 132: Line 136:  
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
!  System Version, for the mset title
+
!  System version, for the mset title
 
!  Parental controls reset functionality version
 
!  Parental controls reset functionality version
 +
!  Inquiry number length
 
!  Notes
 
!  Notes
 
|-
 
|-
| [[1.0.0-0]] - [[5.1.0-11]]
+
| [[1.0.0-0|1.0.0-X]] - [[6.3.0-12|6.3.0-X]]
 
| v0
 
| v0
|  
+
| 8
 +
| Mostly inherited from the Wii/DSi algorithm which used CRC-32 (0xEDB88320) with custom XOR-out (0xAAAA). 0x14C1 was added to produce the final result.
 +
 
 +
For the 3DS algorithm, only constants were changed: the polynomial was changed to 0xEDBA6320 and the addition constant became 0x1657.
 +
 
 +
The input to either function is an ASCII string of the format "%02u%02u%04u" where the parameters are month, day, and low 4 digits of the inquiry number. The low 5 decimal digits from the output u32 are then used for the master key.
 +
 
 +
Because of the date being used in the algorithm, this results in the master key only being valid on a particular day, though this is trivially defeated by setting the system time to the correct date that the key was generated on.
 +
 
 +
This had a minor refactor in [[6.0.0-11|6.0.0-X]] but is functionally identical.
 
|-
 
|-
| [[6.0.0-11|6.0]] - [[6.3.0-12]]
+
| [[7.0.0-13|7.0.0-X]] - [[7.1.0-16|7.1.0-X]]
 
| v1
 
| v1
|  
+
| 10
 +
| Introduced a new scheme using HMAC-SHA-256. The HMAC key is loaded from mset .rodata, and differs between regions.
 +
 
 +
The inquiry number was bumped from 8 digits to 10 digits, but the same function is used to generate the digits as in v0 (derived from MAC address).
 +
 
 +
All digits of the inquiry number are now actually used in the master key derivation function, as the string format is now "%02u%02u%010u" (month, day, inquiry number). This buffer is hashed (as above), and a little-endian word is read from the start of the output hash. The low 5 decimal digits of this word are used as the master key.
 
|-
 
|-
| [[7.0.0-13]] - [[7.2.0-17]]
+
| [[7.2.0-17|7.2.0-X]] - current
 
| v2
 
| v2
|  
+
| 10
 +
| Extension of v1 featuring a number of changes which serve to obscure the HMAC key used.
 +
 
 +
The HMAC key is now stored in a separate file stored in the CVer RomFS, called [[CVer#masterkey.bin|masterkey.bin]]. This is used to update the key independently of the mset title. In order to make this possible, a scheme was devised to encode the required key within the inquiry number - the first digit denotes region, and the next two digits represent the key version. These values match up with values stored in the masterkey.bin header. For compatibility with v1 (as inquiry number length did not change), the version values begin at 10 - when parsing an inquiry number, a "version" of less than 10 should be handled as algorithm v1.
 +
 
 +
The HMAC key is now also encrypted in masterkey.bin. This uses AES-128-CTR using a (normal) key in mset .rodata (which differs between regions), with the initial counter value also stored in masterkey.bin.
 +
 
 +
At some point, Nintendo chose to "abandon" the original JPN region ID (0), and moved to region ID 9 instead (which usually doesn't exist). It is unknown why they made this change, as the AES key used for both of these IDs is the same.
 
|}
 
|}
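Review bot: In the v2 row, the rule that "a 'version' of less than 10 should be handled as algorithm v1" relies on v1 inquiry numbers never having 10 or more in the second and third digits, yet the v1 row only says the digits come from "the same function ... as in v0 (derived from MAC address)". Document why v1 numbers are guaranteed to fall below 10 there, or note that the disambiguation is by system version rather than by the number itself. The v2 row also never restates how the master key is taken from the HMAC output; if it is unchanged from v1 (little-endian word, low 5 decimal digits), say so rather than leaving it implied by "Extension of v1". The new "Inquiry number length" header should carry its unit, for example "Inquiry number length (digits)", and the v0 note should make clear that only the low 4 of the 8 digits feed the "%02u%02u%04u" string, which the v1 row currently has to explain retroactively.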
   Line 238: Line 264:  
|  0x10
 
|  0x10
 
|  Reserved
 
|  Reserved
 +
|}
 +
 +
== Launch parameters ==
 +
System Settings can start at specific menus when certain parameters are given.
 +
 +
<nowiki>*</nowiki> - returns to settings menu instead of rebooting
 +
 +
{|  class="wikitable" border="1"
 +
|-
 +
! Value
 +
! Action
 +
|-
 +
| 0x01
 +
| Initial setup (system not actually formatted, music plays earlier)
 +
|-
 +
| 0x10
 +
| Internet Settings -> Connection Settings
 +
|-
 +
| 0x11
 +
| Internet Settings -> Other Information
 +
|-
 +
| 0x6e
 +
| Internet Settings -> Connection Settings
 +
|-
 +
| 0x6f
 +
| Parental Controls
 +
|-
 +
| 0x70
 +
| Parental Controls birthday entry
 +
|-
 +
| 0x71
 +
| Data Management
 +
|-
 +
| 0x72
 +
| 3DS Software Management
 +
|-
 +
| 0x73
 +
| 3DS Extra Data Management
 +
|-
 +
| 0x74
 +
| DSiWare Management
 +
|-
 +
| 0x75
 +
| StreetPass Management
 +
|-
 +
| 0x76
 +
| Internet Settings*
 +
|-
 +
| 0x77
 +
| Other Settings, second-to-last page*
 +
|-
 +
| 0x78
 +
| Touch Screen calibration
 +
|-
 +
| 0x79
 +
| Circle Pad calibration
 +
|-
 +
| 0x7a
 +
| System Update
 +
|-
 +
| 0x7b
 +
| System Update
 +
|-
 +
| 0x7c
 +
| Format System Memory*
 
|}
 
|}
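Review bot: The new "Launch parameters" section lists values but never says how they are passed to System Settings (which launch argument or field, and its size), so the table cannot be used as written. Add that above the table. Two pairs of values have identical actions with no distinguishing note: 0x10 and 0x6e are both "Internet Settings -> Connection Settings", and 0x7a and 0x7b are both "System Update"; either document the difference or mark them as observed duplicates. The footnote "returns to settings menu instead of rebooting" sits before the table it annotates and assumes the reader knows that the unmarked entries reboot on exit; state that default in the intro sentence and move the footnote below the table.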