
Main - Posts by Syphurith

Posted on 11-02-15 04:13 AM, in Injecting other apps over Health & Safety? (rev. 3 of 11-02-15 05:13 AM) Link | #648
I tried to decrypt and then unpack all the H&S CIAs fetched from the CDN - all regions, both O3DS and N3DS.
Because mine is an old 3DS, I couldn't decrypt all of them successfully; the only one that failed may be the one from a later New 3DS.
The encrypted CIA, generated using 3DNUS, contains exactly the same .TMD as the original installed one. The TMD from the decrypted one differs in its hashes.
Its content, the CXI/APP file, is almost entirely the same in decrypted form.
NCCH padgen can be used to generate the xorpads from a decrypted CXI, and its result is the same as what you get from the encrypted one.
For O3DS, every H&S contains only 1 CXI/APP.
For N3DS, there are two: the first is the expected CXI/APP with CTR-N-HACJ, and the other is a manual.

So, as you could figure out from all the notes above: yes, you can get those in a totally legal way.

And this tool, with source, can merge the two exheaders into an injectable one. Get it here!
I've already tested it with the original FBI 1.3.8 exheader, along with the old H&S 2050 one. It generated exactly the same file as the one from fbi_inject 2050.

Last report: tried to inject a devmenu, and it failed as expected. This may be because I removed the romfs and plain binaries.

Posted on 11-02-15 06:58 AM, in Injecting other apps over Health & Safety? (rev. 3 of 11-02-15 07:24 AM) Link | #650
Posted by d0k3
Using your stuff/3DStool/CTRtool I've built something that should work. See here:

- Put H&S app & tmd into apptmd_hs/ folder (names do not matter)
- Put CIA of app to inject into cia_inject/ folder (name does not matter)
- Run go.bat

The only thing missing from this is encryption, but I'm sure we can handle this.

Thanks. I could test it with a newer release of FBI first.
Reading its batch file, it seems.. I should use a decrypted CXI of H&S to test it?
The fixtmd should take in a decrypted CXI as its APP.
Oh no, that only takes in an encrypted one, because the original CXIs are all encrypted in NAND.
Well, I would execute all those commands manually..

Posted on 11-02-15 07:20 AM, in Injecting other apps over Health & Safety? (rev. 3 of 11-02-15 07:25 AM) Link | #654
Posted by d0k3

Eh.. Have you tested it yet?
Since the packaged ctrtool won't run for me.. could you get me a link to its source?
Yes, it might not work for N3DS now. However, it should not be too hard to do so.
Anyway, please give me some time to test injection of a newer FBI first..

EDIT: NVM, I would try to do all those line by line.
EDIT: I made a huge mistake, fixtmd needs an encrypted file.

Posted on 11-02-15 07:37 AM, in Injecting other apps over Health & Safety? (rev. 3 of 11-02-15 07:38 AM) Link | #656
Posted by d0k3
... and one thing that popped into my mind right now... if there are multiple .app files, the TMD contains hashes for all .app files. So, not working for N3DS atm. You will need to adapt fixtmd for that.
Great! Please check if the newly created .app has the same size as the H&S app. It should work regardless, but better be safe than sorry!

Also, for your source code, I inserted the compile parameters for static executables, just in case you wonder.

Quite sorry, but the .app file sizes: H&S (O3DS, JPN, 2050): 812KB, generated: 804KB.
I should have done it no harm.. Since the ctrtool in the package won't run for me, I used mine, and replaced the "*" mark with the actual file name.
Note: not all programs recognize the "*" mark.

And for FixTmd, I'm in serious doubt about how to calculate the hashes for multiple contents. NVM.
Content Hash: 0xB04 + A*0x30 + 0x10. The SHA-256 hash of the whole content.
Stage2 Hash: 0x204. SHA-256 hash of 0xB04-EOF.
Stage3 Hash: 0x1E4. SHA-256 hash of 0x204+0x900.

In short, the current FixTmd would not break an N3DS content, since it only uses content #0.
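As an added example (not code from the thread or from FixTmd), here is a Python checker that walks the TMD hash chain described above: content hashes at 0xB04 + A*0x30 + 0x10, the info-record hash at 0x204 covering the chunk records from 0xB04, and the header hash at 0x1E4 covering 0x204..0xB04. The minimal TMD builder is constructed only so the check has input; it zeroes the signature block and carries only the header fields the chain needs, and nothing here validates the RSA signature.

```python
import hashlib
import struct

# Offsets from the thread (RSA-2048 TMD): header at 0x140, 64 content info
# records of 0x24 bytes at 0x204, content chunk records of 0x30 bytes at 0xB04.
HEADER_OFF = 0x140
COUNT_OFF = 0x1DE      # u16 big-endian content count inside the header
INFO_HASH_OFF = 0x1E4  # SHA-256 over the info records (0x204..0xB04)
INFO_OFF = 0x204
CHUNK_OFF = 0xB04


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tmd(contents: list) -> bytes:
    """Constructed minimal TMD: zeroed signature block, a header carrying only
    the content count and the info-record hash, and one info record covering
    every chunk record (chunk records laid out in content-index order)."""
    chunks = b"".join(
        struct.pack(">IHHQ", i, i, 0, len(data)) + sha256(data)  # id, index, type, size, hash
        for i, data in enumerate(contents))
    info = struct.pack(">HH", 0, len(contents)) + sha256(chunks) + bytes(0x24 * 63)
    header = bytearray(INFO_OFF - HEADER_OFF)
    struct.pack_into(">H", header, COUNT_OFF - HEADER_OFF, len(contents))
    header[INFO_HASH_OFF - HEADER_OFF:] = sha256(info)
    return bytes(HEADER_OFF) + bytes(header) + info + chunks


def verify_tmd(tmd: bytes, contents: list) -> list:
    """Walk the three-stage hash chain; return a list of problems (empty = consistent)."""
    problems = []
    count = struct.unpack_from(">H", tmd, COUNT_OFF)[0]
    if count != len(contents):
        problems.append(f"content count {count} but {len(contents)} files supplied")
    info = tmd[INFO_OFF:CHUNK_OFF]
    if sha256(info) != tmd[INFO_HASH_OFF:INFO_HASH_OFF + 0x20]:
        problems.append("header hash at 0x1E4 does not match the info records")
    for r in range(64):  # each info record covers cmd_count chunk records from index_off
        rec = info[r * 0x24:(r + 1) * 0x24]
        index_off, cmd_count = struct.unpack_from(">HH", rec)
        if cmd_count == 0:
            continue
        start = CHUNK_OFF + index_off * 0x30
        if sha256(tmd[start:start + cmd_count * 0x30]) != rec[4:]:
            problems.append(f"info record {r} hash over chunk records mismatch")
    for i, data in enumerate(contents[:count]):
        rec = CHUNK_OFF + i * 0x30
        size = struct.unpack_from(">Q", tmd, rec + 8)[0]
        if size != len(data):
            problems.append(f"content #{i}: size {size} != {len(data)}")
        if sha256(data) != tmd[rec + 0x10:rec + 0x30]:
            problems.append(f"content #{i}: hash mismatch")
    return problems


# Constructed stand-in for the two N3DS contents (main CXI/APP and manual).
CONTENTS = [b"CXI/APP #0 (constructed)" * 40, b"manual content (constructed)" * 9]

if __name__ == "__main__":
    tmd = build_tmd(CONTENTS)
    print("intact:", verify_tmd(tmd, CONTENTS))
    damaged = bytearray(tmd)
    damaged[CHUNK_OFF + 0x10] ^= 0xFF  # flip one byte of content #0's hash
    print("damaged:", verify_tmd(bytes(damaged), CONTENTS))
```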

Posted on 11-02-15 07:55 AM, in Injecting other apps over Health & Safety? (rev. 3 of 11-02-15 08:00 AM) Link | #658
Posted by d0k3
Alright! I'm just looking into the size issue. The v2050 has a logo region, while the other one has not - that's the only problem I'm seeing so far. The actual problem, though, is that the RomFS created is too small by exactly 4kB.

You might want to use my dumped JPN APP to test whether the size matches..

For the hash of the content table, you might want to just update this:
//Calculate Hash of third part of TMD.
printf("[INFO]Update hashes #2..");
sha2(fctmd + 0xB04, fltmd - 0xB04, fh, 0);
sprint_sha256(fx, fh);
memcpy(fctmd+0x0208, fh, 32);
And I tried the tool again; it could generate the same TMD, using the APP and TMD extracted from the decrypted CIA of the N3DS H&S.
However, it still deserves a fix. Its parameter order would be changed.

Posted on 11-02-15 08:57 AM, in Injecting other apps over Health & Safety? (rev. 2 of 11-02-15 09:02 AM) Link | #660
Posted by d0k3
I'll wait until you update fixtmd, alright?

in the meantime:

This should fix:
* the wildcard issue for CTRtools
* the size issue (output size should be correct now)
* processing the logo.bin for .apps that have it

From what I see this will generate an app identical to Riku's inject files, save for the RomFS. The difference in RomFS is only due to us using a different content for the dummy file, so no problem.

FixTmd update: get it here. Pure source code; you would have to compile it yourself.
NOTE: you must follow the order of the content indexes in the TMD to put multiple files to work, or else it would mess up.
Tested with N3DS content, and it generated a good TMD.

Posted on 11-02-15 09:04 AM, in Injecting other apps over Health & Safety? (rev. 2 of 11-02-15 09:06 AM) Link | #661
Well, I took a released version of ctrtool myself from profi200's github. It finally passed the wildcard issue for me.
And yes, the file size is correct.. Let me have a try at injecting it.. Just wait for me a while..
Orz.. I had to re-encrypt it first. Nearly forgot..

Posted on 11-02-15 09:12 AM, in Injecting other apps over Health & Safety? Link | #662
Good news for you.
Your generated app was finally injected into my emuNAND (surely I re-encrypted it),
and it does load into FBI 1.4.14, over my old H&S 2050 JPN.

I would try another CIA, then.

Posted on 11-02-15 09:37 AM, in Injecting other apps over Health & Safety? (rev. 2 of 11-02-15 09:38 AM) Link | #664
Posted by d0k3
That's fantastic news! Will try on N3DS EmuNAND later, too. Also keep in mind that the CIA to inject needs to be deep decrypted (which typical homebrews are, anyways).

I had just figured out a faulty re-encryption script.
Just now I injected the DevMenu620 which I tried many times before - just its first success.
Have you looked at some posts on this page? You can even build a xorpad without the actual encrypted file.
Now the next step for this tool, maybe porting to another script.. or maybe not.

And.. for the N3DS, you may have to use NAND dumps for that, because it may have multiple APP files.
RxTools only handles the single-app ones, so no injection for N3DS now.

Posted on 11-02-15 09:57 AM, in Injecting other apps over Health & Safety? Link | #665
Let me take a note:
1. The file size had better be the same.. (May be because of what the NAND recorded?)
2. You should have it decrypted first, and remember to re-encrypt it.
3. FixTMD should be called on the encrypted APP/CXI, and this is what this tool missed.
And yes, batch script is quick and dirty. And much of that might be done in a better way (I mean, python/nodejs/..). At least batch is a really bad language.. You might know what I mean.

Posted on 11-02-15 10:26 AM, in Injecting other apps over Health & Safety? Link | #667
Posted by d0k3
Glad to hear it worked with DevMenu, too!

I will streamline a lot of that by adding a new feature to Decrypt9. Decrypt9 can handle the TMD update, decryption and reencryption.

And, of course we can generate xorpads for decrypted NCSD/NCCH, using the Python script and real hardware, of course. Or did you mean something else?

Eh.. Yes, if that is added to decrypt9 that could be super convenient.
However, I think releasing an easy-to-use PC edition with xorpad decryption/encryption may be a starter kit for guys.
At least 3dstool did quite a bulk of the dirty work.. Ha.
Still, I don't know if you have finally succeeded in the injection on your N3DS..
So I think use this PC edition as an alpha/beta, and the code could be taken to decrypt9.

Posted on 11-02-15 11:11 AM, in Injecting other apps over Health & Safety? (rev. 2 of 11-02-15 11:13 AM) Link | #669
Posted by d0k3
I'll try it this evening (my timezone, obviously) and will write about it afterwards.

Moving everything to Decrypt9 would be too much, but...
o I'll add one feature to extract & decrypt the H&S app from SysNAND
o Generating the .app to inject would have to be handled on PC, obviously
o And I'll add another feature to encrypt & inject the new app and also adapt the TMD in the process

Not super convenient, but convenient enough, I think. Because of the decryption / encryption / xorpad generation, this can't be done without real hardware and Decrypt9 or similar anyways. If you have some ideas how to streamline it differently, that would be very good, too, as I don't want to force people to use Decrypt9.

Thanks for your effort.. Really.
Do you remember how they convert those 3DS/CXI to CIA?
Just generate the xorpad, put the files in the correct location, and let the tools handle the work.
Also, you can get a file totally legally from the CDN. Its decrypted CXI content can generate a good xorpad.
What I expect is:
1. User reads the manual to know which .app and .tmd he should get from the decrypted NAND/Decrypt9/other.
2. User puts the files in a folder, and uses the xorpad generation tool. Then he uses decrypt9 or other for the xorpads.
3. User puts the xorpads in the xorpads folder, and starts the execution.
4. User gets the valid product from the tool. He then puts the files in the right location on the SD card, following the manual.
5. User then uses decrypt9/other to do the injection.
Or for decrypt9 users: they just put the files in the correct location, it would look for the app to overwrite, and backup, generate, inject. An all-in-one solution.

But still, why did I list all those above?
1. You can not expect such unsigned contents to work without the signature patched. Yes, I know those generated ones' NCCH signature - FAIL.
2. If the main part is done offline, they may have a better choice. Most of them already know "DO NOT UPDATE" - yup - so the APP and TMD version would be kept for a long time. They may want to try another APP for it if they like. Once an injection fails, they can re-generate another with ease.
3. We can not say the tools would always work. So once something goes wrong, a PC version might be quite easy to debug.
4. Yes, CIA and CXI can be decrypted in decrypt9 super easily. However, there are still guys used to using the xorpads.
5. Once the PC version is likely stable, you can get a better base for your decrypt9 feature, and offer decrypt9 users a better option. Like 'Premium'.

You don't have to. I've already set up decrypt9 to boot via MSET. Let them find out for themselves that this is better; they would spread the finding.

Posted on 11-02-15 06:57 PM, in Injecting other apps over Health & Safety? (rev. 3 of 11-03-15 07:50 AM) Link | #670
I've found a relationship to a common error.
As you know, sometimes after injecting the generated app, the H&S shows no banner.
This is actually caused by a wrong crypto mark. To be used there, you have to make the injection app encrypted. However, in the NCCH file, at 0x01BF, the mark should be cleared to "Crypto:Secure(0)" or else it would show "Crypto:None". This is due to the 3dstool implementation; it sometimes just throws this mark away. I know what you might think about it. Oh no. It wouldn't load with a wrong crypto mark, nor a decrypted one. And even without the romfs.bin it could still run - if the original injection app requires no romfs.bin. So a dummy romfs.bin is not really that needed.

Finally, I've got some correct injection apps. The tool is here: NodeJS version (link removed due to being out of date).

Posted on 11-03-15 06:36 AM, in Injecting other apps over Health & Safety? (rev. 7 of 11-03-15 09:47 PM) Link | #672
Posted by d0k3
Thanks a ton for pointing that out! But, at 0x1BF in the NCCH header, there is nothing ("reserved area", see here). Did you mean 0x18F?

As for the NodeJS version... does that require any additional stuff installed? To be pretty blunt, I'm hoping @Shadowtrance makes that GUI once we have that thing running stable enough :).

Yes, my mistake. It was 0x18F exactly.
The NodeJS version currently only works for stuff from a decrypted+unpacked CIA.
\ori\0004001000020300-2050.0000.00000002 # Extracted from decrypted 0004001000020300-2050.cia
\xor\0004001000020300.Main.exefs_norm.xorpad # Xorpads generated from \ori\0004001000020300-2050.0000.00000002
I am now fixing it to let it auto-rename those in ori so it would proceed as normal.

Now I have its v5 edition, get it here (link removed due to being out of date).
To run this package, you would need the Nodejs executable.
You can get one from nodejs.org/dist/latest/, i.e. for x64 Windows, get https://nodejs.org/dist/latest/win-x64/node.exe
Once you get it, place the executable alongside the extracted contents, with the do.js. And just run do.bat. For Linux, open a console there and run 'node do'.
Note: surely you would have to place the original H&S in ori (it doesn't matter whether that is encrypted or not, or even extracted from a CIA), the CIA to inject in cia, and the H&S xorpads in xor. It doesn't matter if there are more xorpads than the target H&S in the xor folder.
It would display what it actually called, and show the result.

Oh yes, most users love the GUI. Even RxTools is getting weird.

Posted on 11-03-15 10:01 PM, in Injecting other apps over Health & Safety? (rev. 2 of 11-03-15 10:02 PM) Link | #674
Oh man, I'm feeling shame when I upload those again and again to fix some stupid bugs.
The old ones messed up the names with multiple contents.
Newest here:
Multiple contents would be generated with good names. I mean with their original IDs in the TMD.
So you might want to have a try. It finally got to a stage. Whoa.

ShadowTrance has injected FBI successfully into N3DS, which isn't supported by the old rxTools and Riku packages.
Hope ShadowTrance can make a good UI for all these steps.

Posted on 11-04-15 04:12 AM, in Injecting other apps over Health & Safety? (rev. 11 of 11-04-15 04:41 AM) Link | #679
Posted by Shadowtrance
Yeah, I'm slowly (attempting) to write a GUI version; most of the node script makes no sense to me at all though. haha So kinda stalled a bit at the moment.
Someone want to translate it to something I can actually make sense of? :P yeah I don't get js at all...

Even the latest node script translated to batch would help to be honest. :)

Indeed you can just run it with something. Then, BEFORE it finishes and lets you close it, just take a look at all its output.

Posted by d0k3
@Syphurith, compared to my latest Windows .bat script - what is changed in your newest nodeJS script? Is it only the xorpad encryption, or is it more?

Not only the xorpad encryption.
1. It supports multiple contents. Yes, at least for N3DS users.
2. Maybe multi-platform support. Should work with linux, with "node do" and the proper tools prepared.
3. Auto-fixes the Crypto key to Secure (0).
4. Removed dummy romfs generation (commented out). Since I found it still works for me..

Also I have something to tell you all. Since you can generate xorpads from a decrypted CXI, and we can repack a valid decrypted CXI, then we may have no limit on its file size, actually. However, that leads to another routine, so it would be of much use with decrypt9 and a real console. Oh, or with a UI so the program can ask for xorpads if no good xorpad is given. Or, much simpler, just modify the ncchinfo_gen.py to get oversized (compared to H&S) xorpads. This could be a tool running against the decrypted CIA. Yes, there are only several bytes different between the ncchinfo.bin.
I can confirm the xorpad should be generated correctly. Now testing the injected Spider browser - 15MB must be bigger than H&S itself....
Oh, it finally found that is weird and stopped me, lol. So the original file size may be recorded already..

Posted on 11-04-15 10:28 AM, in Injecting other apps over Health & Safety? Link | #681
Posted by d0k3
I didn't think about the xorpad problem, either. You could make your script generate the ncchinfo.bin on its own, it's actually pretty easy.
Btw, you already saw it anyways, but everyone keeping an eye on this thread:

I've seen the post there. Let me show the updated version:

Posted on 11-05-15 05:51 AM, in Pre-patched: Rebuild a exefs as you like! Then HANS? (rev. 2 of 11-05-15 06:10 AM) Link | #686
Yeah, I've manipulated it and got a pre-patched version of Culdprit on my console minutes ago.
If you already know and can do these.. I would thank you for helping others, or simply leave.

To have an already-patched version of any app, you might need to replace the romfs and exefs contents.
Repacking a romfs is not hard; you can use 3dstool like this:
3dstool -cvtf romfs romfs.bin --romfs-dir romfs
Just similar to what you did to unpack it:
3dstool -xvtf romfs romfs.bin --romfs-dir romfs

The exefs pack/unpack is something similar, but a header is required to rebuild it. This header is indeed the 0x200 bytes from the exefs.bin, so you can even pass it as an argument. You can play with the packing safely without touching the files.
However, once you replace code.bin or something else in the folder, the hashes, offsets and sizes go wrong; even 3dstool itself could pack them into an exefs.bin but not be able to unpack it again. So to say, that invalidates the exefs.bin.

I've written a small tool just for this situation. It would calculate the sizes, offsets and hashes. However, the tool doesn't handle the LZ77 compression/decompression, so you would have to have the code.bin in compressed format to use this tool.
Unpack: 3dstool -xvtf exefs exefs.bin --exefs-dir exefs --header exefsheader.bin
The tool: FixExefsHdr exefsheader.x exefs
And you can rebuild it again:
3dstool -cvtf exefs exefs.bin --exefs-dir exefs --header exefsheader.x
And yes, you can unpack it with 3dstool or something else to get the uncompressed code.bin.

Then what could this be for HANS?
Any CXI unpacked using 3dstool has at most 6 parts: NCCH header, ExtHeader, Plain, Logo, Romfs and Exefs, and the first 4 of them contain almost no content of the game itself. I've heard HANS can redirect the reads of Romfs and Exefs to SD, thus some games get translated on a newer firmware than 9.2.
If that doesn't ask for the file size, a pre-patched romfs and exefs may be good news for HANS users. Anyway, it is not hard to rebuild a CXI or CIA.

To get a pre-patched CIA you would need more steps.
1. Decrypt both the main CIA and the patch you want to apply. Just use decrypt9 for this.
2. Unpack both. Use ctrtool: ctrtool -i -y --content=c --tmd=tmd TheCIA.cia.
3. Find which one the patch applies to, by checking the titleid, programid, jumpid with ctrtool and those contents.
4. Unpack the target CXI and the patch CXI, for example c.0000.00000000, to get all their stuff. Use 3dstool, not ctrtool.
5. Unpack both exefs.bin and romfs.bin. Then replace the original files with those from the patch.
6. Rebuild the exefs.bin and pack the romfs.bin back.
7. You would need to use my MergeExHeader to merge both exheaders in order to update the service table or more.
8. Since MergeExHeader was originally made for injection APPs, you would have to at least patch the SaveData Size (original), Jump ID (original), and remaster version (patch).
If you don't know what should be patched, and meet a failure, use ctrtool for the info and compare the output, pick what you like and see 3dbrew for tips on finding the offset inside the exheader.
9. Since the two CXIs have different content types, you would have to rebuild the CXI carefully. Do remember to use the original NCCH header extracted. You can decide the other parts in this order, for where to get the file from: Merged/Rebuilt part, Patch part, Original part.
10. You can then use makerom to create the CIA. Notice the order described in the TMD! So:
makerom -f cia -o a.cia -content 0000.cxi:0:0 -content ori\c.0001.00000002:1:2
Then? You've got the file; just test it out with your own console!

Thanks for reading my text. I'm not good at English at all.
The files needed by me in this thread: MergeExHeader/FixExefsHdr/savedatasizefix
You can freely modify/distribute; if someone would like to get those hosted on github and maintain them -- thanks so much!
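As an added example (not FixExefsHdr, 3dstool or any other code from the thread), here is a Python packer and consistency checker for the ExeFS header the post describes: 10 entries of name/offset/size, then the per-file SHA-256 hashes stored in reverse order, 0x200 bytes in total, with file data following the header. The layout is the publicly documented ExeFS format and is assumed here; like the post's tool, it does not touch LZ77 compression, so code.bin is handled as whatever bytes you hand it. `swap_file_keep_header` reproduces the "replaced code.bin behind a stale header" situation so the check can be seen failing.

```python
import hashlib
import struct

# ExeFS layout (assumed from the public format): 10 entries of 0x10 bytes
# (8-byte name, u32 LE offset, u32 LE size), 0x20 reserved, then 10 SHA-256
# hashes in reverse order (file 0 at 0x1E0); header total 0x200. Offsets are
# relative to the end of the header; each file is padded to 0x200 bytes.
HEADER_SIZE = 0x200
MAX_FILES = 10
ALIGN = 0x200


def build_exefs(files: list) -> bytes:
    """Pack (name, data) pairs into exefs.bin with a freshly computed header."""
    if len(files) > MAX_FILES:
        raise ValueError("ExeFS holds at most 10 files")
    entries = bytearray(0xA0)
    hashes = bytearray(0x140)
    body = bytearray()
    for i, (name, data) in enumerate(files):
        raw = name.encode("ascii")
        if len(raw) > 8:
            raise ValueError(f"name too long: {name}")
        struct.pack_into("<8sII", entries, i * 0x10, raw, len(body), len(data))
        slot = 0x140 - (i + 1) * 0x20           # reverse-order hash slot
        hashes[slot:slot + 0x20] = hashlib.sha256(data).digest()
        body += data + bytes(-len(data) % ALIGN)
    return bytes(entries) + bytes(0x20) + bytes(hashes) + bytes(body)


def check_exefs(exefs: bytes) -> dict:
    """For each populated entry: True if the stored SHA-256 matches the bytes
    found at the stored offset/size. A False here is the stale-header state
    the post describes after swapping code.bin without fixing the header."""
    result = {}
    for i in range(MAX_FILES):
        raw, offset, size = struct.unpack_from("<8sII", exefs, i * 0x10)
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        if not name and size == 0:
            continue
        data = exefs[HEADER_SIZE + offset:HEADER_SIZE + offset + size]
        slot = HEADER_SIZE - (i + 1) * 0x20
        result[name] = (len(data) == size and
                        hashlib.sha256(data).digest() == exefs[slot:slot + 0x20])
    return result


def swap_file_keep_header(exefs: bytes, index: int, new_data: bytes) -> bytes:
    """Overwrite file `index` in place and leave the header untouched."""
    _, offset, size = struct.unpack_from("<8sII", exefs, index * 0x10)
    if len(new_data) != size:
        raise ValueError("in-place swap must keep the recorded size")
    start = HEADER_SIZE + offset
    return exefs[:start] + new_data + exefs[start + size:]


# Constructed stand-ins for a compressed code.bin and a banner.
FILES = [("code", bytes(0x300) + b"ARM"), ("banner", b"banner (constructed)")]

if __name__ == "__main__":
    exefs = build_exefs(FILES)
    print("fresh header:", check_exefs(exefs))
    stale = swap_file_keep_header(exefs, 0, b"\x01" * 0x303)
    print("code.bin swapped, header stale:", check_exefs(stale))
    print("rebuilt:", check_exefs(build_exefs([("code", b"\x01" * 0x303), FILES[1]])))
```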

Posted on 11-05-15 08:33 AM, in Pre-patched: Rebuild a exefs as you like! Then HANS? Link | #688
Posted by Yoshi
Is this better than ctrtool? I'm unable to use ctrtool as it gave me a "not compatible" error, dunno why it happens.... plus no one has responded to my question on reddit yet.
Does it support 32-bit? Getting the same error won't help me get closer to modding 3ds games :S

You could compile it yourself if the executable could not run. BTW, 3dstool can be built with VS or CMake.
I like to compile those myself to get the edge version, with MSYS2.

ctrtool is designed to unpack/pack/modify the NCCH files. Especially for translation.
If what you need is to unpack/pack CIA, or list the file details, you still need to have ctrtool and makerom.

Incompatibility may be due to the toolchain used to build the tool. VS2013 is without XP support by default.

Posted on 11-05-15 03:20 PM, in Pre-patched: Rebuild a exefs as you like! Then HANS? Link | #689
Some notes about its limits: can be used to build a pre-patched game. Can't be used to embed DLC into the game.
Actually you can get the DLC CIA itself merged into the game, however it would not be recognized. You would need to keep the DLC itself installed standalone, since that is not the same type of content. So you can not use this to avoid the region lock with DLC CIAs. If you need that, you can get NTR with locale emulation. However, you could properly merge multiple DLC CIAs into one, which is actually much easier.

Eh.. Wait. I remembered something strange about DLCs.
A game merged with DLC could not recognize its included DLC, but if the DLC is installed standalone and in the region it would get recognized.
Thinking of the design of the NTR locale emulation plugin: it checks if the title has some plugins connected to trigger the emulation. All emulation plugins for regions differ only in a byte that shows which region it would be. Maybe there is a better solution for it, to get the region check itself removed so every time the game queries for its DLC, the system would ignore the region and return the values. However, this is not easy to do, and I am sure I myself can not do this in at least several years.

Well, a patched version is already enough for translated contents with HANS now.