How to obtain AES Keys
Users can provide some additional crypto keys to enable some advanced features in Citra. These keys are not officially provided by Citra due to legal considerations.
Automatically (Recommended)
In this method, you will create aes_keys.txt, and optionally seeddb.bin, files from your console using a GodMode9 script. This will dump all the keys and other secrets you need for game decryption, Miis, amiibo, etc. This requires your 3DS to be on firmware 11.16.0 or 11.17.0.
Note that the seeddb.bin reflects the seed encryption keys available on your console at the time of dumping. If you ever install and dump new games on your 3DS that use seed encryption, you may need to re-dump this file to acquire their seed keys for Citra.
The script may also not output a seeddb.bin, or it may display an error when trying to dumping it, which simply indicates that you do not have any seeds and thus should not need them. If this happens you can ignore it.
- Download the GodMode9 script here (Right Click -> Save Link As) and save it to the
gm9/scriptsdirectory on your SD card. - Launch GodMode9 on your 3DS and run the script by pressing HOME, selecting "Scripts", and selecting "DumpKeys". Wait for the script to finish and return you to the GodMode9 menu, then turn off your 3DS.
- On your SD card you will find
gm9/aes_keys.txt, and optionallygm9/seeddb.bin. Copy these files to thesysdatafolder in your Citra user directory.
If you see an error like line 7: read fail when dumping in GodMode9, your environment does not have access to the bootrom data and thus cannot dump the required keys. This can occur if you are using fastboot3DS; please launch GodMode9 through a different method.
Manually
As an alternative, instead of dumping a keys file using the script, you can create the file and provide all of the AES keys manually. The keys are supplied by filling the file sysdata/aes_keys.txt (located in the User Directory) in the following format:
slot0x0DKeyX=0123456789ABCDEF0123456789ABCDEF
slot0x0DKeyY=0123456789ABCDEF0123456789ABCDEF
slot0x0DKeyN=0123456789ABCDEF0123456789ABCDEF
slot0x18KeyX=0123456789ABCDEF0123456789ABCDEF
slot0x1BKeyX=0123456789ABCDEF0123456789ABCDEF
slot0x25KeyX=0123456789ABCDEF0123456789ABCDEF
slot0x2CKeyX=0123456789ABCDEF0123456789ABCDEF
slot0x2DKeyX=0123456789ABCDEF0123456789ABCDEF
slot0x2DKeyY=0123456789ABCDEF0123456789ABCDEF
slot0x2DKeyN=0123456789ABCDEF0123456789ABCDEF
slot0x31KeyX=0123456789ABCDEF0123456789ABCDEF
slot0x31KeyY=0123456789ABCDEF0123456789ABCDEF
slot0x31KeyN=0123456789ABCDEF0123456789ABCDEF
slot0x3DKeyX=0123456789ABCDEF0123456789ABCDEF
common0=0123456789ABCDEF0123456789ABCDEF
common1=0123456789ABCDEF0123456789ABCDEF
The strings 0123456789ABCDEF0123456789ABCDEF in the example above are all placeholder and should be replaced by correct 32-digit hex values of keys. Not all lines in the example are required at the same time. Please read the explanation below about which key enables which feature
Loading encrypted games
Required keys: slot0x25KeyX and slot0x2CKeyX.
If loading encrypted New 3DS games, slot0x18KeyX and slot0x1BKeyX are also required.
Games that use seed encryption also require their seed key to be present in your seeddb.bin file.
For those who are interested, here's a write-up about 3DS security, that also talks about the slot0x25KeyX.
Sharing Mii via QR code between Citra and 3DS
Required keys: single slot0x2DKeyN, OR slot0x2DKeyX, slot0x2DKeyY together.
Generating accurate UDS data frame
Required keys: single slot0x31KeyN, OR slot0x31KeyX, slot0x31KeyY together.
Using client cert dumped from 3DS
Required keys: single slot0x0DKeyN, OR slot0x0DKeyX, slot0x0DKeyY together.
Installing encrypted CIA
Required keys: slot0x3DKeyX and common0. common1~5are probably also required for some
unusual CIA.