Injecting other apps over Health & Safety?

d0k3
Posted on 11-01-15 12:13 PM (rev. 2 of 11-01-15 12:29 PM) Link | #645
... but I have trouble building the new ExeFS.bin via 3DStool. It simply doesn't work, I get garbled output:
ERROR: open file exefs/»“AÍMM W6Q–€‰Cˆ®ïd‰«Ç@™ž¹£Ðø/ røQ¹ÏìAPWë2œ©ü<ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed

ERROR: open file exefs/®ïd‰«Ç@™ž¹£Ðø/ røQ¹ÏìAPWë2œ©ü<ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed

ERROR: open file exefs/røQ¹ÏìAPWë2œ©ü<ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed

ERROR: open file exefs/ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed

ERROR: open file exefs/`-néJ_1ÔÄrsÉq&vn*}’.bin failed

ERROR: open file exefs/&vn*}’.bin failed

ERROR: open file exefs/í¾4Ë
S>a ·æ/;0.bin failed

ERROR: create file failed

Any ideas?

EDIT: Nevermind, got it! But, can you help me get the TMDfixer to work?

Syphurith
Posted on 11-01-15 11:20 PM Link | #647
Posted by d0k3
--Snip--

3dstool supports reading a decrypted file without xorpad, or reading an encrypted one with xorpad. When with xorpad, please remember to use those --XX-xor arguments.

Eh, the TMD fixer is written by myself. Since the zip file contains its source code, you might want to simply take a look at it. All it does is quite simple: it recalculates those SHA-256 hashes. Note: the previous post contains the link to its source. But not in the package when I harmed the rules.
I compiled it in MSYS2 - mingw64 mode, on my Win 8.1 x64 PC. If you really can't get it compiled, you may want to write one yourself. Below is all that it does.

1. Read original TMD file. To make it easier, it loads the whole file into memory.
2. Read repacked APP file. Yes, still loaded whole, indeed it could be done better with sha2_file. The file size and the hash are needed, and the size may be got from fstat calls. Notice in what order the size is stored.
3. Update TMD: 0x0B14 + 0x32 : app hash. 0x0B0C + 0x8 : app size. The third part of TMD is updated.
4. Sha2: 0x0B04 + 0x30.. Update TMD: 0x0208 + 0x32 : hash of this third part. Second part done.
5. Sha2: 0x0204 + 0x900.. Update TMD: 0x01e4 + 0x32 : the hash of the second part.
Still I don't know exactly why it can't compile. Could you show me your compilation log?

An updated version of FixTmd: Here it is. It would accept other APP and TMD names, see its output. Source included.

Syphurith
Posted on 11-02-15 04:13 AM (rev. 3 of 11-02-15 05:13 AM) Link | #648
I tried to decrypt then unpack all those H&S CIA fetched from CDN - all regions, both O3DS and N3DS.
Cause mine is an old 3ds, I can't decrypt all those successfully, the only one failed may be one from later New 3ds.
The encrypted CIA, generated using 3DNUS, contains the exactly same .TMD compared with the original installed one. The TMD from decrypted differs with hashes.
Its content, the CXI/APP file, is almost all the same, in their decrypted form.
NCCH padgen can be used to generate the xorpads from a decrypted CXI, and its result all the same with what from the encrypted.
For O3DS, all H&S contains only 1 CXI/APP.
For N3DS, that is two, the first one is the expected CXI/APP with CTR-N-HACJ, and the other is a manual.

So, as you could figure out from all those notes above. Yes, you can get those in a total legal way.

And, this tool with source could merge the two exheader for injectable one. Get it here!
I've already tested it with the original FBI 1.3.8 exheader, along with the old H&S 2050 one. It generated exactly a same file with what from fbi_inject 2050.

Last report: Tried to inject a devmenu. And failed as expected. May be due to me removing the romfs and plain binaries.

d0k3
Posted on 11-02-15 06:47 AM Link | #649
Using your stuff/3DStool/CTRtool I've built something that should work. See here:
http://wikisend.com/download/350650/UniversalInjectGen_v0.1.zip

Howto:
- Put H&S app & tmd into apptmd_hs/ folder (names do not matter)
- Put CIA of app to inject into cia_inject/ folder (name does not matter)
- Run go.bat

The only thing missing from this is encryption, but I'm sure we can handle this.

Syphurith
Posted on 11-02-15 06:58 AM (rev. 3 of 11-02-15 07:24 AM) Link | #650
Posted by d0k3
Using your stuff/3DStool/CTRtool I've built something that should work. See here:
http://wikisend.com/download/350650/UniversalInjectGen_v0.1.zip

Howto:
- Put H&S app & tmd into apptmd_hs/ folder (names do not matter)
- Put CIA of app to inject into cia_inject/ folder (name does not matter)
- Run go.bat

The only thing missing from this is encryption, but I'm sure we can handle this.

Thanks. I could test it with a newer release of FBI first.
Read its batch file it seems.. i should use a decrypted CXI of H&S to test it?
The fixtmd should take in a decrypted CXI as its APP.
Oh no, that only takes in Encrypted one, cause the original CXIs are all encrypted in NAND.
Well, i would execute all those commands manually..

d0k3
Posted on 11-02-15 07:01 AM (rev. 3 of 11-02-15 07:04 AM) Link | #651
... and one thing that popped into my mind right now... if there are multiple .app files, the TMD contains hashes for all .app files. So, not working for N3DS atm. You will need to adapt fixtmd for that.
Posted by Syphurith
Thanks. I could test it with a newer release of FBI first.

Great! Please check if the newly created .app has the same size as the H&S app. It should work regardless, but better be safe than sorry!

Also, for your source code, I inserted the compile parameters for static executables, just in case you wonder.

d0k3
Posted on 11-02-15 07:06 AM Link | #652
Posted by Syphurith
Thanks. I could test it with a newer release of FBI first.
Read its batch file it seems.. i should use a decrypted CXI of H&S to test it?
The fixtmd should take in a decrypted CXI as its APP.
Well, i would execute all those commands manually..

You need a decrypted H&S app. Forgot to say, sorry.

Syphurith
Posted on 11-02-15 07:20 AM (rev. 3 of 11-02-15 07:25 AM) Link | #654
Posted by d0k3
..Snip..

Eh.. Have you already tested it yet?
Since the ctrtool packaged won't run for me.. Could you get me a link to its source?
Yes, it might not work for N3DS now. However it should not be too hard to do so.
Anyway, please give me some time to let me test injection of newer FBI first..

EDIT:: NVM. i would try to do all those line by line.
EDIT:: I made a huge mistake, fixtmd needs an encrypted file.

d0k3
Posted on 11-02-15 07:36 AM (rev. 3 of 11-02-15 07:37 AM) Link | #655
Posted by Syphurith
Eh.. Have you already tested it yet?
Since the ctrtool packaged won't run for me.. Could you get me a link to its source?
Yes, it might not work for N3DS now. However it should not be too hard to do so.
Anyway, please give me some time to let me test injection of newer FBI first..

EDIT:: NVM. i would try to do all those line by line.
EDIT:: I made a huge mistake, fixtmd needs an encrypted file.

Correct, the file needs to be encrypted for fixTMD. Forgot about that, too :/. Anyways, you can get CTRtool from here:
https://github.com/profi200/Project_CTR/releases

If required, just compile it anew.

And I can't test, I only own a N3DS :).

Syphurith
Posted on 11-02-15 07:37 AM (rev. 3 of 11-02-15 07:38 AM) Link | #656
Posted by d0k3
... and one thing that popped into my mind right now... if there are multiple .app files, the TMD contains hashes for all .app files. So, not working for N3DS atm. You will need to adapt fixtmd for that.
Great! Please check if the newly created .app has the same size as the H&S app. It should work regardless, but better be safe than sorry!

Also, for your source code, I inserted the compile parameters for static executables, just in case you wonder.

Quite sorry, but the .app file size: H&S(O3DS,JPN,2050): 812KB, generated: 804KB.
I should have done it no harm.. Since the ctrtool in package won't run for me, I used mine, and replaced the "*" mark with the actual file name.
Note: Not all programs would recognize the "*" mark.

And for FixTmd, I highly doubt how to calculate the hashes for multiple contents. NVM.
Content Hash: 0xB04 + A*0x30 + 0x10. The SHA-256 hash of the whole content.
Stage2 Hash: 0x204. SHA-256 hash of 0xB04-EOF.
Stage3 Hash: 0x1E4. SHA-256 hash of 0x204+0x900.

In short current FixTmd would not break a N3DS content, when it only uses the content #0.
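
Added example, not part of the thread and not FixTmd's source: a Python version of the hash chain listed in this post and in the step list of post #647, using the thread's offsets with 32-byte hash fields at 0x1E4 and 0x0208 (the latter as in the FixTmd snippet posted later in the thread). It assumes the TMD ends right after the last content chunk record and that the size field is big-endian; all function names and the sample data are made up for the example.

```python
import hashlib
import struct
# Offsets as given in the thread; all names here are made up for the example.
HDR_HASH = 0x1E4                  # SHA-256 of the 0x900 bytes starting at 0x204
INFO_TABLE, INFO_LEN = 0x204, 0x900
INFO_HASH = 0x208                 # SHA-256 of the chunk records, 0xB04 to EOF
CHUNKS, CHUNK_LEN = 0xB04, 0x30   # one 0x30-byte record per content
SIZE_OFF, HASH_OFF = 0x08, 0x10   # 8-byte big-endian size, 32-byte SHA-256

def sha256_digest(data):
    return hashlib.sha256(data).digest()

def chunk_records(tmd, contents):
    # Assumption (as in the posted code): the TMD ends after the last record.
    if len(tmd) - CHUNKS != CHUNK_LEN * len(contents):
        raise ValueError("TMD does not hold one chunk record per content")
    return [(CHUNKS + i * CHUNK_LEN, app) for i, app in enumerate(contents)]

def rehash_tmd(tmd, contents):
    """Return a copy of tmd with sizes and hashes recomputed bottom-up."""
    out = bytearray(tmd)
    for rec, app in chunk_records(out, contents):  # contents in TMD index order
        out[rec + SIZE_OFF:rec + HASH_OFF] = struct.pack(">Q", len(app))
        out[rec + HASH_OFF:rec + CHUNK_LEN] = sha256_digest(app)
    out[INFO_HASH:INFO_HASH + 32] = sha256_digest(out[CHUNKS:])
    out[HDR_HASH:HDR_HASH + 32] = sha256_digest(out[INFO_TABLE:INFO_TABLE + INFO_LEN])
    return bytes(out)

def verify_tmd(tmd, contents):
    """Name every level whose stored value disagrees with the data below it."""
    bad = []
    for i, (rec, app) in enumerate(chunk_records(tmd, contents)):
        size, = struct.unpack_from(">Q", tmd, rec + SIZE_OFF)
        if size != len(app) or tmd[rec + HASH_OFF:rec + CHUNK_LEN] != sha256_digest(app):
            bad.append("content #%d" % i)
    if tmd[INFO_HASH:INFO_HASH + 32] != sha256_digest(tmd[CHUNKS:]):
        bad.append("chunk records")
    if tmd[HDR_HASH:HDR_HASH + 32] != sha256_digest(tmd[INFO_TABLE:INFO_TABLE + INFO_LEN]):
        bad.append("info table")
    return bad

# Constructed sample: an all-zero TMD with two chunk records and two fake contents.
SAMPLE_TMD = bytes(CHUNKS + 2 * CHUNK_LEN)
SAMPLE_APPS = [b"constructed content 0" * 4, b"constructed content 1"]

if __name__ == "__main__":
    fixed = rehash_tmd(SAMPLE_TMD, SAMPLE_APPS)
    print(verify_tmd(fixed, SAMPLE_APPS))        # chain is consistent
    print(verify_tmd(fixed, SAMPLE_APPS[::-1]))  # wrong content order
```

verify_tmd reports only the level that disagrees with the data directly below it, so a changed content, an edited chunk record and a wrong content order each show up differently.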

d0k3
Posted on 11-02-15 07:45 AM (rev. 2 of 11-02-15 07:50 AM) Link | #657
Posted by Syphurith
Quite sorry, but the .app file size: H&S(O3DS,JPN,2050): 812KB, generated: 804KB.
I should have done it no harm.. Since the ctrtool in package won't run for me, I used mine, and replaced the "*" mark with the actual file name.
Note: Not all programs would recognize the "*" mark.

And for FixTmd, I highly doubt how to calculate the hashes for multiple contents. NVM.
Content Hash: 0xB04 + A*0x30 + 0x10. The SHA-256 hash of the whole content.
Stage2 Hash: 0x204. SHA-256 hash of 0xB04-EOF.
Stage3 Hash: 0x1E4. SHA-256 hash of 0x204+0x900.

In short current FixTmd would not break a N3DS content, when it only uses the content #0.

Alright! I'm just looking into the size issue. The v2050 has a logo region, while the other one has not - that's the only problem I'm seeing so far. The actual problem, though, is that the RomFS created is too small by exactly 4kB.

Syphurith
Posted on 11-02-15 07:55 AM (rev. 3 of 11-02-15 08:00 AM) Link | #658
Posted by d0k3
Alright! I'm just looking into the size issue. The v2050 has a logo region, while the other one has not - that's the only problem I'm seeing so far. The actual problem, though, is that the RomFS created is too small by exactly 4kB.

You might want to use my dumped JPN APP to test if size matches..

For the HASH of the Content Table. You might want to just update this:
//Calculate Hash of third part of TMD.
printf("[INFO]Update hashes #2..");
sha2(fctmd + 0xB04, fltmd - 0xB04, fh, 0);
memset(fx,0,256);
sprint_sha256(fx, fh);
printf("0x0208:0x0B04-0x%04X:\n%s\n",fltmd,fx);
memcpy(fctmd+0x0208, fh, 32);
And i tried the tool again, it could generate a same TMD, using APP and TMD extracted from decrypted CIA of N3DS H&S.
However it still deserves a fix. Parameters order of it would be changed.

d0k3
Posted on 11-02-15 08:42 AM (rev. 2 of 11-02-15 08:43 AM) Link | #659
Posted by Syphurith
You might want to use my dumped JPN APP to test if size matches..

For the HASH of the Content Table. You might want to just update this:
//Calculate Hash of third part of TMD.
printf("[INFO]Update hashes #2..");
sha2(fctmd + 0xB04, fltmd - 0xB04, fh, 0);
memset(fx,0,256);
sprint_sha256(fx, fh);
printf("0x0208:0x0B04-0x%04X:\n%s\n",fltmd,fx);
memcpy(fctmd+0x0208, fh, 32);
And i tried the tool again, it could generate a same TMD, using APP and TMD extracted from decrypted CIA of N3DS H&S.
However it still deserves a fix. Parameters order of it would be changed.

I'll wait until you update fixtmd, alright?

in the meantime:
http://wikisend.com/download/715352/UniversalInjectGen_v0.2.zip

This should fix:
* the wildcard issue for CTRtools
* the size issue (output size should be correct now)
* processing the logo.bin for .apps that have it

From what I see this will generate an app identical to Riku's inject files, save for the RomFS. The difference in RomFS is only due to us using a different content for the dummy file, so no problem.

Syphurith
Posted on 11-02-15 08:57 AM (rev. 2 of 11-02-15 09:02 AM) Link | #660
Posted by d0k3
I'll wait until you update fixtmd, alright?

in the meantime:
http://wikisend.com/download/715352/UniversalInjectGen_v0.2.zip

This should fix:
* the wildcard issue for CTRtools
* the size issue (output size should be correct now)
* processing the logo.bin for .apps that have it

From what I see this will generate an app identical to Riku's inject files, save for the RomFS. The difference in RomFS is only due to us using a different content for the dummy file, so no problem.

FixTmd Update: Get it Here. Pure Source Code you would have to compile it yourself.
NOTE: You must follow the order of contents index in TMD to put multiple file to work, or else it would mess up.
Tested with N3DS content, and generated a good TMD.

Syphurith
Posted on 11-02-15 09:04 AM (rev. 2 of 11-02-15 09:06 AM) Link | #661
Well take a released version of ctrtool myself from profi200 github. It finally passed the wildcard issue for me.
And yes, the file size is correct.. Let me have a try to inject it.. Just wait me a while..
Orz.. I had to re-encrypt it first. Nearly forgot it..

Syphurith
Posted on 11-02-15 09:12 AM Link | #662
Good news for you.
Your generated app was finally injected into my emuNand (surely i re-encrypted it)
and it does load into FBI 1.4.14, over my old H&S 2050 JPN.

I would try another CIA, then.

d0k3
Posted on 11-02-15 09:31 AM Link | #663
Posted by Syphurith
Good news for you.
Your generated app was finally injected into my emuNand (surely i re-encrypted it)
and it does load into FBI 1.4.14, over my old H&S 2050 JPN.

I would try another CIA, then.

That's fantastic news! Will try on N3DS EmuNAND later, too. Also keep in mind that the CIA to inject needs to be deep decrypted (which typical homebrews are, anyways).

Syphurith
Posted on 11-02-15 09:37 AM (rev. 2 of 11-02-15 09:38 AM) Link | #664
Posted by d0k3
That's fantastic news! Will try on N3DS EmuNAND later, too. Also keep in mind that the CIA to inject needs to be deep decrypted (which typical homebrews are, anyways).

I had just figured out a faulty re-encryption script.
Just now I had injected the DevMenu620 which i tried many times before - just its first success.
Have you looked at some posts this page? You can even build a xorpad without the actual encrypted file.
Now the next step for this tool, maybe a porting to other script.. or maybe not.

And.. For the N3DS, you may have to use NAND dumps for that, cause it may have multiple APP files.
RxTools only handle the single app ones, so no injection for N3DS now.

Syphurith
Posted on 11-02-15 09:57 AM Link | #665
Let me take a note
1. The file size had better be the same.. (May be the cause of what the NAND recorded?)
2. You should have it decrypted first, and remember to reencrypt it.
3. FixTMD should be called to use the encrypted APP/CXI, and this is what this tool missed.
And yes, Batch script is dirty and quick. And much of those might be done in a better way (i mean, python/nodejs/..) At least batch is really a bad language.. You might know what i mean.

d0k3
Posted on 11-02-15 10:16 AM Link | #666
Posted by Syphurith
I had just figured out a faulty re-encryption script.
Just now I had injected the DevMenu620 which i tried many times before - just its first success.
Have you looked at some posts this page? You can even build a xorpad without the actual encrypted file.
Now the next step for this tool, maybe a porting to other script.. or maybe not.

And.. For the N3DS, you may have to use NAND dumps for that, cause it may have multiple APP files.
RxTools only handle the single app ones, so no injection for N3DS now.

Posted by Syphurith
Let me take a note
1. The file size had better be the same.. (May be the cause of what the NAND recorded?)
2. You should have it decrypted first, and remember to reencrypt it.
3. FixTMD should be called to use the encrypted APP/CXI, and this is what this tool missed.
And yes, Batch script is dirty and quick. And much of those might be done in a better way (i mean, python/nodejs/..) At least batch is really a bad language.. You might know what i mean.

Glad to hear it worked with DevMenu, too!

I will streamline a lot of that by adding a new feature to Decrypt9. Decrypt9 can handle the TMD update, decryption and reencryption.

And, of course we can generate xorpads for decrypted NCSD/NCCH, using the Python script and real hardware, of course. Or did you mean something else?