RSA Registers

Overview

The RSA module is essentially a hardware-accelerated modular exponentiation engine. It is specially optimized for RSA applications, so its behavior can be incoherent when RSA’s invariants are broken.

Observed edge cases

  • If 2 divides the modulus (mod is even), the output is 0.

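Registers

| Old3DS | Name | Address | Width | Used by |
|---|---|---|---|---|
| Yes | RSA_CNT | 0x1000B000 | 0x04 | |
| Yes | RSA_? | 0x1000B0F0 | 0x04 | |
| Yes | RSA_SLOT0 | 0x1000B100 | 0x10 | |
| Yes | RSA_SLOT1 | 0x1000B110 | 0x10 | |
| Yes | RSA_SLOT2 | 0x1000B120 | 0x10 | |
| Yes | RSA_SLOT3 | 0x1000B130 | 0x10 | |
| Yes | RSA_EXPFIFO | 0x1000B200 | 0x100 (can handle u32 writes to any aligned position in the FIFO) | |
| Yes | RSA_MOD | 0x1000B400 | 0x100 | |
| Yes | RSA_TXT | 0x1000B800 | 0x100 | |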

RSA_CNT

| Bit | Description |
|---|---|
| 0 | Start (1=Enable/Busy, 0=Idle) |
| 1 | Interrupt enable (1=enable, 0=disable) |
| 4-7 | Keyslot (Bit6-7 don’t actually affect the keyslot) |
| 8 | Endianness (1=Little endian, 0=Big endian). Affects RSA_EXPFIFO, RSA_MOD, and RSA_TXT. |
| 9 | Word order (1=Normal order, 0=Reversed order). Affects RSA_MOD and RSA_TXT. |

RSA_SLOT

| Name | Offset | Width |
|---|---|---|
| RSA_SLOTCNT | 0x0 | 0x4 |
| RSA_SLOTSIZE | 0x4 | 0x4 |
| ? | 0x8 | 0x4 |
| ? | 0xC | 0x4 |

RSA_SLOTCNT

| Bits | Description |
|---|---|
| 0 | Key status (1=Key has been set, 0=Key has not been set yet) |
| 1 | Key write-protect, this bit is RW. (0 = no protection, 1 = protected) |
| 2 | Key read-protect, this bit is RW. (0 = no protection, 1 = protected) |
| 30-3 | ? |
| 31 | Key slot protect. Makes all other bits in this reg read-only until reset |

Before writing RSA_EXPFIFO/RSA_MOD, bit0 here should be cleared when bit31 is already clear. Otherwise, the ARM9 will hang when attempting to write to RSA_EXPFIFO.

RSA_SLOTSIZE

This contains the RSA size for this slot, in words. Normally this is 0x40 for RSA-2048.

RSA_EXPFIFO

The 0x100-byte private or public exponent is written to this write-only FIFO.

RSA_MOD

The RSA key modulus for the selected keyslot can be written here. When writing the RSA modulus, the modulus must align with the end of the register area.

Writing to RSA_MOD does not change the exponent written with RSA_EXPFIFO. An attack based on the Pohlig-Hellman algorithm exists to “read” the contents of RSA_EXPFIFO as a result (see 3DS System Flaws).

RSA_TXT

The RSA signature can be written here, and the data read from here is the message. When writing the RSA signature, the signature must be prepended with zeroes until it is a multiple of 8 bytes, and the end of the signature must align with the end of the register area.

The PKCS message padding must be manually checked by software, as hardware will only do raw RSA operations.
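One way to do that software-side check, as an added example that is not code from the original page or from any firmware: a strict PKCS #1 v1.5 verification that rebuilds the single acceptable 0x100-byte block and compares it with the raw RSA output. Assumptions: SHA-256 as the digest, and the bytes read from RSA_TXT already arranged as a big-endian byte string; all function and macro names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define RSA_BYTES  0x100 /* RSA-2048 block, the size of RSA_TXT */
#define HASH_BYTES 32    /* assumption: SHA-256 digest */

/* DER DigestInfo prefix for SHA-256, as listed in RFC 8017 section 9.2. */
static const uint8_t DIGESTINFO_SHA256[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

/* Build the only acceptable block: 00 01 FF..FF 00 DigestInfo hash. */
static void pkcs1_v15_encode(uint8_t em[RSA_BYTES], const uint8_t hash[HASH_BYTES])
{
    size_t ps_len = RSA_BYTES - 3 - sizeof(DIGESTINFO_SHA256) - HASH_BYTES;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, ps_len);            /* 202 bytes of 0xFF padding */
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, DIGESTINFO_SHA256, sizeof(DIGESTINFO_SHA256));
    memcpy(em + RSA_BYTES - HASH_BYTES, hash, HASH_BYTES);
}

/* Returns 1 only if msg (the raw RSA output) equals the expected block byte
 * for byte. Nothing in msg is parsed, so no embedded length is trusted. */
int pkcs1_v15_check(const uint8_t msg[RSA_BYTES], const uint8_t hash[HASH_BYTES])
{
    uint8_t expected[RSA_BYTES], diff = 0;
    pkcs1_v15_encode(expected, hash);
    for (size_t i = 0; i < RSA_BYTES; i++)
        diff |= (uint8_t)(msg[i] ^ expected[i]);
    return diff == 0;
}

/* Constructed cases; each bit is set when the check behaves correctly. */
int demo_results(void)
{
    uint8_t hash[HASH_BYTES], em[RSA_BYTES];
    int ok = 0;
    memset(hash, 0xA5, sizeof(hash));            /* constructed digest */
    pkcs1_v15_encode(em, hash);
    ok |= pkcs1_v15_check(em, hash) << 0;        /* well-formed block accepted */
    em[100] = 0x00;                              /* zero byte inside the padding */
    ok |= (!pkcs1_v15_check(em, hash)) << 1;     /* must be rejected */
    em[100] = 0xFF; hash[0] ^= 1;                /* digest no longer matches */
    ok |= (!pkcs1_v15_check(em, hash)) << 2;     /* must be rejected */
    return ok;
}

int main(void) { return demo_results() == 7 ? 0 : 1; }
```

Comparing against a rebuilt block, rather than scanning for the 0x00 separator and parsing what follows, rejects short padding and trailing data without any extra checks.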

Keyslots usage

| Keyslot | Description |
|---|---|
| 0 | Arbitrary |
| 1 | CXI access desc (following the exheader) |
| 2-3 | Initialized by the ARM9 bootrom, but not used by any of the FIRMs. It’s unknown what the ARM9 bootrom uses these for, if anything. |