rvtr/SafeNANDManager
1
Fork 0
mirror of https://github.com/rvtr/SafeNANDManager.git synced 2026-01-26 13:43:04 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

Read ConsoleID register, if available

Browse Source
This commit is contained in:
RocketRobz 2024-04-26 17:13:07 -06:00
parent d4e4b34c5e
commit f28b46b3c8
2 changed files with 35 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
arm7/source/arm7.c
View File

@ -120,25 +120,36 @@ int main() {
irqEnable( IRQ_VBLANK | IRQ_VCOUNT | IRQ_NETWORK); irqEnable( IRQ_VBLANK | IRQ_VCOUNT | IRQ_NETWORK);
//setPowerButtonCB(powerButtonCB); //setPowerButtonCB(powerButtonCB);
u8 base[16]={0};
u8 in[16]={0};
u8 iv[16]={0};
u8 *scratch=(u8*)0x02300200;
u8 *out=(u8*)0x02300000; u8 *out=(u8*)0x02300000;
u8 *key3=(u8*)0x40044D0; memset(out, 0, 16);
aes(in, base, iv, 2);
//write consecutive 0-255 values to any byte in key3 until we get the same aes output as "base" above - this reveals the hidden byte. this way we can uncover all 16 bytes of the key3 normalkey pretty easily. // first check whether we can read the console ID directly and it was not hidden by SCFG
//greets to Martin Korth for this trick https://problemkaputt.de/gbatek.htm#dsiaesioports (Reading Write-Only Values) if (((*(vu16*)0x04004000) & (1u << 10)) == 0 && ((*(vu8*)0x04004D08) & 0x1) == 0)
for(int i=0;i<16;i++){ {
for(int j=0;j<256;j++){ // The console id registers are readable, so use them!
*(key3+i)=j & 0xFF; memcpy(out, (u8*)0x04004D00, 8);
aes(in, scratch, iv, 2); }
if(!memcmp(scratch, base, 16)){ if(out[0] == 0 || out[1] == 0) {
out[i]=j; // For getting ConsoleID without reading from 0x4004D00...
//hit++; u8 base[16]={0};
break; u8 in[16]={0};
u8 iv[16]={0};
u8 *scratch=(u8*)0x02300200;
u8 *key3=(u8*)0x40044D0;
aes(in, base, iv, 2);
//write consecutive 0-255 values to any byte in key3 until we get the same aes output as "base" above - this reveals the hidden byte. this way we can uncover all 16 bytes of the key3 normalkey pretty easily.
//greets to Martin Korth for this trick https://problemkaputt.de/gbatek.htm#dsiaesioports (Reading Write-Only Values)
for(int i=0;i<16;i++){
for(int j=0;j<256;j++){
*(key3+i)=j & 0xFF;
aes(in, scratch, iv, 2);
if(!memcmp(scratch, base, 16)){
out[i]=j;
//hit++;
break;
}
} }
} }
} }

7
arm9/source/arm9.c
View File

@ -56,6 +56,13 @@ void getConsoleID(u8 *consoleID){
memcpy(key, fifo, 16); //receive the goods from arm7 memcpy(key, fifo, 16); //receive the goods from arm7
if(memcmp(key + 8, empty_buff, 8) == 0)
{
//we got the consoleid directly or nothing at all, don't treat this as key3 output
memcpy(consoleID, key, 8);
return;
}
F_XY_reverse((uint32_t*)key, (uint32_t*)key_xy); //work backwards from the normalkey to get key_x that has the consoleID F_XY_reverse((uint32_t*)key, (uint32_t*)key_xy); //work backwards from the normalkey to get key_x that has the consoleID
for(int i=0;i<16;i++){ for(int i=0;i<16;i++){