Somebody updated the http://dsibrew.org/wiki/Bootloader article a few days ago, saying that the eMMC bootcode decryption would require an RSA key, and that the decrypted RSA data would contain an AES key for decrypting the actual bootcode. The article doesn't say if or how somebody has dumped that RSA key; but without knowing the RSA key, one can hardly know the details about the AES key - so it looks as if the RSA key was dumped.
Getting the bootcode decrypted would be great for working emulation & for actually understanding the DSi hardware and firmware. I wonder where that will lead. In the worst case it might take another 5-6 years until somebody figures out if or how the bootcode was decrypted.
Theoretically, the RSA key should reside in the DSi BIOS ROM, and it shouldn't be possible to dump it (except via chip decapping). Then, reading between the lines, the dsibrew article mentions something called "TWL_FIRM". Doing some research showed that "TWL_FIRM" is some 1.75Mbyte system file, used for running the 3DS in DSi mode. There doesn't seem to be much known about what is in those 1.75Mbyte, but it might contain a copy of the DSi BIOS ROM, or maybe more likely, activate an actual DSi BIOS ROM inside the 3DS hardware. Either way, it seems possible that the DSi RSA key was dumped on a 3DS (in case the 3DS should happen to contain the same key as the DSi for some weird reason).
This http://3dbrew.org/wiki/FIRM#TWL_FIRM_and_AGB_FIRM is also interesting: "Also note that this DSi-mode ARM7 runs code(stored in TWL_FIRM) which pokes some DSi-mode registers that on the DSi were used for disabling access to the DSi bootROMs, however these registers do not affect the 3DS DSi-mode ARM9/ARM7 "bootrom" region(exceptionvector region + 0x8000) at all."
That almost sounds as if the 3DS contains a 1:1 copy of the DSi BIOS - but without the read-protection? If that's true, then almost everybody with a 3DS console and the ability to run code in DSi mode could dump that DSi BIOS without problems.
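As an added example (not code from the post, from dsibrew, or from any Nintendo firmware), here is the generic two-stage structure the post describes: an RSA-protected header whose recovered plaintext carries the AES key, followed by a body decrypted with that key. Everything in it is an assumption: the 196-bit toy RSA modulus built from two Mersenne primes, the "16-byte key + 8-byte truncated hash" header layout, the constructed sample bootcode, and a SHA-256 keystream standing in for AES (the Python stdlib has none). The device side uses the public exponent, i.e. it assumes the key held in ROM is the public half; the post does not say which half the DSi ROM holds.

```python
"""Toy 'RSA-wrapped AES key' bootcode container (added example, not DSi code)."""
import hashlib
import hmac
import struct

# Demo RSA key. ASSUMPTION: two Mersenne primes give a ~196-bit modulus,
# enough to hold a 24-byte header block. This is NOT the DSi key.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python >= 3.8)
N_LEN = (N.bit_length() + 7) // 8    # 25 bytes per RSA block
KEY_LEN, TAG_LEN = 16, 8             # assumed header layout: key || hash[:8]
BLOCK_LEN = KEY_LEN + TAG_LEN        # 24 bytes < N, so textbook RSA is invertible


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: XOR data with SHA-256(key || counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def make_container(bootcode: bytes, aes_key: bytes) -> bytes:
    """Manufacturer side: RSA-private-transform (key || hash) and encrypt the body."""
    if len(aes_key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    tag = hashlib.sha256(bootcode).digest()[:TAG_LEN]
    header_int = pow(int.from_bytes(aes_key + tag, "big"), D, N)
    header = header_int.to_bytes(N_LEN, "big")
    return header + keystream_xor(aes_key, bootcode)


def unwrap_and_decrypt(container: bytes):
    """Device side: recover the AES key with the ROM (public) exponent, then
    decrypt and check the body. Rejects malformed headers and tampered bodies."""
    if len(container) < N_LEN:
        raise ValueError("container shorter than one RSA block")
    header, body = container[:N_LEN], container[N_LEN:]
    header_int = int.from_bytes(header, "big")
    if header_int >= N:
        raise ValueError("header is not a valid RSA block (>= N)")
    plain = pow(header_int, E, N)
    if plain >= (1 << (8 * BLOCK_LEN)):
        # A genuine header always decodes to < 2^192; anything larger is garbage.
        raise ValueError("header did not decode to a key block")
    block = plain.to_bytes(BLOCK_LEN, "big")
    aes_key, tag = block[:KEY_LEN], block[KEY_LEN:]
    bootcode = keystream_xor(aes_key, body)
    expect = hashlib.sha256(bootcode).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bootcode hash mismatch (body tampered or wrong key)")
    return aes_key, bootcode


# Constructed sample input: a few ARM NOP encodings plus filler; not real bootcode.
SAMPLE_BOOTCODE = b"\x00\x00\xa0\xe1" * 4 + b"constructed stand-in bootcode body"
SAMPLE_KEY = bytes(range(KEY_LEN))


def demo() -> bool:
    """Round-trip the sample and confirm key and bootcode come back intact."""
    container = make_container(SAMPLE_BOOTCODE, SAMPLE_KEY)
    key, code = unwrap_and_decrypt(container)
    return key == SAMPLE_KEY and code == SAMPLE_BOOTCODE


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The point worth keeping in mind when reading the post: in this layout the device only needs the public exponent to recover the AES key, so dumping that key from ROM lets you decrypt everything already shipped but not produce a new container that the ROM would accept; that would take the private half. Whether the DSi ROM holds a public or a private key is exactly what the post does not know, and the distinction decides what a dumped key is good for.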