3DS 2-Time Pad Challenge

1. Here's some basic info on neimod's two-time pad challenge for the 3DS. Ask in #3dsdev on EFNet if you want more information.
2.  
3. <neimod> anyone up for a 3ds two-time pad challenge?
4. <mtheall> ?
5. <Brian117> uh
6. <Brian117> will there be snacks?
7. <neimod> if you bring some
8. <Brian117> will there be air conditioning?
9. <neimod> each update of the 3ds firmware is encrypted with the same xor stream, which is a security flaw known as the two-time pad (or multiple-time pad)
10. <neimod> the challenge is... given the different updated versions of the encrypted 3ds firmware, try to decrypt the firmware
11. <Brian117> i forfeit
12. <neimod> if you're serious about trying, i can provide some sample files
13. <X-Scale> I could try it, neimod
14. <X-Scale> So...the 1st sample will be F1 ^ P, the 2nd F2 ^ P, etc ?
15. <neimod> yes correct
16. <X-Scale> I see...any idea how long is that pad ?
17. <neimod> practically infinitely long
18. <X-Scale> hmm
19. <gruetzkop> aw
20. <gruetzkop> so is in sample n there is a section that is 0 in clear text, we can decrypt that section in every other sample
21. <crediar> aren't updates in encrypted containers?
22. <neimod> there are a couple sections which are filled with zeros, but that's maybe 0.1% of the entire file
23. <neimod> crediar: that is all stripped away
24. * psyduck_ is now known as psyduckg
25. * You are no longer marked as being away
26. <gruetzkop> isnt enc_a ^ enc_b == a ^ b
27. <neimod> yes
28. <neimod> it gives the xor of plaintexts
29. <crediar> nintendo already made that mistake with the GC IPL
30. <gruetzkop> yeah
31. <crediar> neimod what do I need to help you?
32. <neimod> well how would you solve the challenge?
33. * You have been marked as being away
34. * Yuuki has quit ()
35. * Yuuki (Yuuki@dslb-178-000-064-224.pools.arcor-ip.net) has joined #3dsdev
36. <crediar> first I would just xor the files and look at the output
37. <crediar> just gimme the files and I will give it a try
38. <mtheall> evidently the classical solution is to perform crib dragging. if i find time later maybe i will request to participate
39. * sepp256 (~sepp256@picasso.ee.psu.edu) has joined #3dsdev
40. * sepp256_ has quit (Read error: Operation timed out)
41. <neimod> crib dragging works best with actual word-based text, it's not quite that easy when dealing with pure binary files
42. <mtheall> there's bound to be blocks of text somewhere
43. <X-Scale> neimod: how can you be sure the same pad is used in all of those firmware files ?
44. <neimod> if it wasn't, you would not be able to read any strings of text from it by xoring
45. <neimod> it is the same pad, it is a fact
46. <mtheall> what does the ability of text being read by xoring have to do with it using the same xor pad?
47. <neimod> if it were different pads, the result would be complete gibberish
48. <mtheall> are you implying that you already have a non-gibberish result?
49. <neimod> very small parts
50. <mtheall> okay then now i believe it
51. <neimod> if you want to try
52. <neimod> generate an xorpad, and xor it with 10 low entropic data files, eg arm code
53. <neimod> then try to guess the xorpad
54. <mtheall> does figuring out one xor value in the stream give you the rest of the xor pad for a given block?
55. <neimod> no
56. <neimod> not directly
57. <neimod> you could think of the files being similar, and shifted around
58. <neimod> the kernel is not rewritten from scratch for each update i would imagine
59. <crediar> arm asm just pokes right into your eyes
60. <mtheall> so there's not a really good way to get the rest of the xor pad for a block when you figure out part of it
61. <neimod> pointers would probably change each update
62. <mtheall> other than randomly guessing or a genetic algorithm maybe
63. <neimod> there are many options to try
64. <mtheall> but at least the xor at one position is identical across all streams
65. <neimod> the ideal goal is to find an exploit in a small piece of revealed code, that would allow pwning of the arm9
66. <neimod> like a buffer overflow or similar
67. <crediar> is the 3ds little or big endian?
68. <mtheall> i need to get my eyes on more arm code
69. <mtheall> i'm assuming little endian
70. <neimod> little endian
71. <costis> leedle endian
72. <neimod> lets say you know that file 2 is shifted 200 bytes forward relative to file 1
73. <neimod> and lets say you know the xorpad for block 5
74. <neimod> so, you know the plain text for file 1 for block 5, and since file 2 is shifted relative to file 1, you then also know that this plaintext is the the plain text of file 2 shifted 200 bytes forward
75. <neimod> and so, you know the xorpad of block 5, shifted 200 bytes forward
76. <neimod> now repeat the same process, and you can expand your xorpad
77. <mtheall> at least until you get to a part where there's a shift *and* a change. but i guess having more than two streams helps mitigate that
78. * syslock has quit (Quit: tschüß...)
79. <Brian117> my head just exploded
80. <mtheall> that can't be good
81. * GeekShad1 is now known as GeekShado
82. <neimod> the key part is figuring out if a file has shifted (so the bytes are exactly the same), and by how many bytes
83. * lameboy2 (~lameboyad@122.150.47.211) has joined #3dsdev
84. <neimod> obviously this doesn't apply for the entire file, but for smaller blocks it probably does
85. <costis> someone write some code
86. <mtheall> you could xor file1^(file2 shifted x bytes)^file1 and maybe get some chunks
87. <costis> to do automated analysis
88. * lameboy has quit (Ping timeout: 306 seconds)
89. * lameboy2 is now known as lameboy
90. <mtheall> errrr
91. <neimod> that would be file2 shifted x bytes
92. <mtheall> file1^(file2 shifted) and look for chunks of 0s
93. <mtheall> nvm. i should not do xor math while driving
94. * You are no longer marked as being away
95. <mtheall> file1^(file2 shifted)^file2
96. <neimod> you cannot shift files yourself, because then the xorpads would differ, resulting in gibberish
97. <mtheall> that's true
98. <mtheall> i have to shift *after* xor and compare
99. <mtheall> (file1^pad)^((file2^pad) shifted) and look for chunks of 0s
100. <mtheall> that's my last guess
101. * You have been marked as being away
102. * You are no longer marked as being away
103. <Brian117> wrong
104. * You have been marked as being away
105. <paraz0an> you're typing on IRC while driving?
106. <mtheall> paraz0an: i was at the time
107. * zeromus has quit (Read error: Operation timed out)
108. * zeromus (~poople@cpe-66-69-203-119.austin.res.rr.com) has joined #3dsdev
109. * h4PPYC4T (~h4PPYC4T@p5DDF52F7.dip.t-dialin.net) has joined #3dsdev
110. * pXd has quit (Ping timeout: 245 seconds)
111. * Yuuki has quit ()
112. * Luigi__ has quit (Read error: Operation timed out)
113. * lameboy has quit (Read error: Connection reset by peer)
114. * lameboy (~lameboyad@122.150.47.211) has joined #3dsdev
115. * neimod has quit (Ping timeout: 630 seconds)
116. <phoenix_> eh, 3ds has an arm9?
117. <zeromus> well its got to, as part of the nds core
118. <phoenix_> dont see why that couldnt be pretty accurately emulated/handled with the arm11's
119. * ld16 (~jeff@pool-74-104-172-30.bstnma.fios.verizon.net) has joined #3dsdev
120. <zeromus> there are little difference between the arm versions