Keyshuffling Nintendo 3DS Secure Bootchain

grarpamp grarpamp at gmail.com
Fri Mar 31 21:59:21 PDT 2017


https://github.com/Plailect/keyshuffling
https://www.3dbrew.org/
https://media.ccc.de/v/32c3-7240-console_hacking

We demonstrate an attack on the secure bootchain of the Nintendo 3DS
in order to gain early code execution. The attack utilizes the block
shuffling vulnerability of the ECB cipher mode to rearrange keys in
the Nintendo 3DS's encrypted keystore. Because the shuffled keys will
deterministically decrypt the encrypted firmware binary to incorrect
plaintext data and execute it, and because the device's memory
contents are kept between hard reboots, it is possible to reliably
reach a branching instruction to a payload in memory. This payload,
due to its execution by a privileged processor and its early
execution, is able to extract the hash of hardware secrets necessary
to decrypt the device's encrypted keystore and set up a persistent
exploit of the system.
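The ECB block-shuffling property the abstract relies on, shown as an added example that is not from the paper or the linked repository: a constructed three-slot keystore encrypted under a constructed key-encryption key still decrypts cleanly after two ciphertext blocks are swapped, whereas the same swap on an AES-GCM keystore fails tag verification. The slot contents, key, nonce and 16-byte slot layout are assumptions; the real 3DS keystore format is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 16-byte key slots standing in for an ECB-encrypted keystore (not the real 3DS layout).
var keystore = []byte("SLOT00-FIRM-KEY!" + "SLOT01-OTHER-KEY" + "SLOT02-SPARE-KEY")
// ecbApply runs the block cipher on each 16-byte block independently: no chaining, no integrity.
func ecbApply(blk cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	for i := 0; i+16 <= len(in); i += 16 {
		if decrypt {
			blk.Decrypt(out[i:i+16], in[i:i+16])
		} else {
			blk.Encrypt(out[i:i+16], in[i:i+16])
		}
	}
	return out
}
// swapBlocks exchanges 16-byte blocks i and j in a copy of the ciphertext; no key is needed.
func swapBlocks(ct []byte, i, j int) []byte {
	out := append([]byte(nil), ct...)
	copy(out[i*16:(i+1)*16], ct[j*16:(j+1)*16])
	copy(out[j*16:(j+1)*16], ct[i*16:(i+1)*16])
	return out
}
// ShuffledECBDecrypts: a shuffled ECB keystore decrypts without error to reordered key slots.
func ShuffledECBDecrypts(kek []byte) bool {
	blk, _ := aes.NewCipher(kek)
	pt := ecbApply(blk, swapBlocks(ecbApply(blk, keystore, false), 0, 1), true)
	return bytes.Equal(pt[:16], keystore[16:32]) && bytes.Equal(pt[16:32], keystore[:16])
}
// GCMRejectsShuffle: the same swap on an AES-GCM keystore is caught by the authentication tag.
func GCMRejectsShuffle(kek []byte) bool {
	blk, _ := aes.NewCipher(kek)
	aead, _ := cipher.NewGCM(blk)
	nonce := make([]byte, aead.NonceSize()) // constructed zero nonce; never reuse a nonce with a real key
	ct := aead.Seal(nil, nonce, keystore, nil)
	_, err := aead.Open(nil, nonce, swapBlocks(ct, 0, 1), nil)
	return err != nil
}
func main() {
	kek := []byte("constructed-kek!") // constructed 16-byte key-encryption key
	fmt.Println("ECB decrypts shuffled keystore:", ShuffledECBDecrypts(kek), "| GCM rejects it:", GCMRejectsShuffle(kek))
}
```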


More information about the cypherpunks mailing list