|
| ||
| Views: 1,391,548 | Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search | 04-16-24 12:54 PM |
| Guest: | ||
| Main - Posts by Syphurith |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 21/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
I tried to decrypt then unpack all those H&S CIA fetched from CDN - all regions, both O3DS and N3DS.
Cause mine is an old 3ds, I can't decrypt all those successfully, the only one failed may be one from later New 3ds. The encrypted CIA, generated using 3DNUS, contains the exactly same .TMD compared with the original installed one. The TMD from decrypted differs with hashes. Its content, the CXI/APP file, is almost all the same, in their decrypted form. NCCH padgen can be used to generate the xorpads from a decrypted CXI, and its result all the same with what from the encrypted. For O3DS, all H&S contains only 1 CXI/APP. For N3DS, that is two, the first one is the expected CXI/APP with CTR-N-HACJ, and the other is a manual. So, as you could figure out from all those notes above. Yes, you can get those in a total legal way. And, this tool with source could merge the two exheader for injectable one. Get it here! I've already tested it with the original FBI 1.3.8 exheader, along with the old H&S 2050 one. It generated exactly a same file with what from fbi_inject 2050. Last report: Tried to inject a devmenu. And failed as expected. May due to i removed the romfs and plain binaries. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 22/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 Thanks. I could test it with a newer release of FBI first. Read its batch file it seems.. i should use a decrypted CXI of H&S to test it? Oh no, that only takes in Encrypted one, cause the original CXIs are all encrypted in NAND. Well, i would execute all those commands manually.. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 23/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 Eh.. Have you already tested it yet? Since the ctrtool packaged won't run for me.. Could you get me a link to its source? Yes, it might not work for N3DS now. However it should not be too hard to do so. Anyway, please give me some time to let me test injection of newer FBI first.. EDIT:: NVM. i would try to do all those line by line. EDIT:: I made a huge mistake, fixtmd needs an encrypted file. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 24/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 Quite sorry, but the .app file size: H&S(O3DS,JPN,2050): 812KB, generated: 804KB. I should have done it no harm.. Since the ctrtool in package won't run for me, I used mine, and replaced the "*" mark with the actual file name. Note: Not all programs would recognize the "*" mark. Content Hash: 0xB04 + A*0x30 + 0x10. The SHA-256 hash of the whole content. Stage2 Hash: 0x204. SHA-256 hash of 0xB04-EOF. Stage3 Hash: 0x1E4. SHA-256 hash of 0x204+0x900. In short current FixTmd would not break a N3DS content, when it only uses the content #0. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 25/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 You might want to use my dumped JPN APP to test if size matches.. For the HASH of the Content Table. You might want to just update this: //Calculate Hash of third part of TMD.
And i tried the tool again, it could generate a same TMD, using APP and TMD extracted from decrypted CIA of N3DS H&S.
printf("[INFO]Update hashes #2.."); sha2(fctmd + 0xB04, fltmd - 0xB04, fh, 0); memset(fx,0,256); sprint_sha256(fx, fh); printf("0x0208:0x0B04-0x%04X:\n%s\n",fltmd,fx); memcpy(fctmd+0x0208, fh, 32); However it still deserves a fix. Parameters order of it would be changed. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 26/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 FixTmd Update: Get it Here. Pure Source Code you would have to compile it yourself. NOTE: You must follow the order of contents index in TMD to put multiple file to work, or else it would mess up. Tested with N3DS content, and generated a good TMD. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 27/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Well take a released version of ctrtool myself from profi200 github. It finally passed the wildcard issue for me.
And yes, the file size is correct.. Let me have a try to inject it.. Just wait me a while.. Orz.. I had to re-encrypt it first. Nearly forgot it.. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 28/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Good news for you.
Your generated app was finally injected into my emuNand (surely i re-encrypted it) and it does load into FBI 1.4.14, over my old H&S 2050 JPN. I would try another CIA, then. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 29/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 I had just figured out a faulty re-encryption script. Just now I had injected the DevMenu620 which i tried many times before - just its first success. Have you looked at some posts this page? You can even build a xorpad without the actual encrypted file. Now the next step for this tool, maybe a porting to other script.. or maybe not. And.. For the N3DS, you may have to use NAND dumps for that, cause it may have multiple APP files. RxTools only handle the single app ones, so no injection for N3DS now. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 30/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Let me take a note
1.The file size had better be the same.. (May be the cause of what the NAND recorded?) 2.You should have it decrypted first, and remember to reencrypt it. 3.FixTMD should be called to use the encrypted APP/CXI, and this is what this tool missed. And yes, Batch script is dirty and quick. And much of those might be done in a better way (i mean, python/nodejs/..) At least batch is really a bad language.. You might know what i mean. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 31/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 Eh.. Yes if that is added to decrypt9 that could be super convinient. However i think release a easy-to-use PC edition with xorpad decryption/encryption may be a starter kit for guys. At least 3dstool did quite a bulk of dirty work.. Ha. Still, i don't know if you have finally succeeded in the injection to your N3DS.. So i think using this PC edition to be a alpha/beta, and the code could be taken to decrypt9. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 32/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 Thanks for your effort.. Really. Do you remember how they convert those 3DS/CXI to CIA? Just generate the xorpad, and put the files in correct location, and let tools handle the work. Also, you can get a file totally legal from CDN. Its decrypted CXI content can generate a good xorpad. What i expected is: 1.User reads the manual to know what .app and .tmd he should get from the decrypted NAND/Decrypt9/other. 2.User puts the files in folder, and use generation xorpad tool. Then he uses decrypt9 or other for the xorpads. 3.User puts the xorpads in xorpads folder, and start the execution. 4.User gets the valid product from tool. He then puts the files to good location of SD card, following manual. 5.User then uses the decrypt9/other to done the injection. Or for decrypt9 users: they just put the files in correct location, it would look for the overwritten app, and backup, generate, inject. All-In-One solution. But still, why i listed all those as above? 1.You can not expect such unsigned contents without signature patched to work. Yes i know those generated ones NCCH signature - FAIL. 2.If the main part is done offline, they may have a better choice. Most of them already know "NOT UPDATE" - yup - so the APP and TMD version would be kept for a long time. They may want to try another APP for it if they like. Once injected failed, they can re-generate another with ease. 3.We can not say the tools would always work. So once something wrong happens a PC version might be quite easy to debug. 4.Yes CIA, CXI can be decrypted in decrypt9 super easily. However there are still guys used to use the xorpads. 5.Once the PC is likely stable, you can get a better base for your decrypt9 feature, and offer decrypt9 users a better option. Like 'Premium'. You don't have to. I've already set up decrypt9 to boot via MSET. Let theirselves find this is better, they would spread the finding. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 33/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
I've found a relationship to a common error.
As you know sometimes injected the generated app, the H&S shows no banner. This is actually caused by a wrong crypto mark. To be used there, you have to made the injection app Encrypted. However, in NCCH file, 0x01BF. The mark should be cleared to "Crypto:Secure(0)" or else it would show "Crypto:None". This is due to 3dstool implementation, it sometimes just throws this mark away. I know how you might think about it. Oh no. It wouldn't load a wrong crypto, nor a decrypted one. And, even it is without the romfs.bin it could still run - if the original injection app requires no romfs.bin. So dummy romfs.bin is not really that needed. Finally I've got some correct injection apps. The tool is here: |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 34/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 Yes my mistake. It was 0x18F exactly. \cia\FBI.cia
I am now fixing it to let it auto rename those in ori so it would proceed as normal.
\ori\0004001000020300-2050.0000.00000002 # Extracted from decrypted 0004001000020300-2050.cia \ori\tmd \xor\0004001000020300.Main.exefs_norm.xorpad # Xorpads generated from \ori\0004001000020300-2050.0000.00000002 \xor\0004001000020300.Main.exheader.xorpad \xor\0004001000020300.Main.romfs.xorpad Now, I have its v5 edition, To run this package, you would need Nodejs executable. You can get one from nodejs.org/dist/latest/. ie. x64 windows, get https://nodejs.org/dist/latest/win-x64/node.exe Once you get it, place the executable along side with the extracted contents, with the do.js. And just do.bat. For Linux, open a console there and 'node do'. Note: surely you would have to place the original H&S to ori (doesn't matter whether that is encrypted or not or even extracted from CIA), inject CIA to cia, and H&S xorpads to xor. It doesn't matter if there are more xorpads than the target H&S in the xor folder. It would display what it actually called, and shows the result. Oh yes, most users love the GUI. Even RxTools is getting weird. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 35/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Oh man i'm feeling shame when i upload those again and again to fix some stupid bugs.
The old ones messed up the names with multiple contents. Newest here: Multiple contents would be generated in good names. I mean in their original IDs in the TMD. So you might want to have a try. It finally get to a stage. Whoa. ShadowTrance have injected FBI successfully into N3DS, which isn't supported by old rxTools and Riku packages. Hope ShadowTrance can make a good UI for all these steps. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 36/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by Shadowtrance Indeed you can just run it with something. Then BEFORE it finishes and let you close it, just take a look at all its output. Posted by d0k3 Not only the xorpad encryption. 1. It supports multiple contents. Yes, at least for N3DS users. 2. Maybe multiple platform supports. Should work with linux, when "node do" and proper tools prepared. 3. Auto fix the Crypto keys to Secure (0). 4. Removed dummy romfs generation (commented). Since i found it still works for me.. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 37/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by d0k3 I've seen the post there. Let me show the update version: http://pan.baidu.com/s/1hqEsBWw |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 38/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Yeah i've manipulated it and got pre-patched version of Culdprit on my console minutes ago.
If you already know and can do these.. I would thank you for helping others or a simple leave. To have an already patched version of any app, you might need to replace romfs and exefs contents. To repack a romfs is not hard; you can use 3dstool like this: 3dstool -cvtf romfs romfs.bin --romfs-dir romfs Just similar as what you did to it for unpacking:3dstool -xvtf romfs romfs.bin --romfs-dir romfs
The exefs pack/unpack is something similar, but a header is required to rebuild it. This header is indeed the 0x200 bytes from the exefs.bin, so you can ever pass it as arguement. You can play with the packing safely without touching the files. However once you replaced code.bin or something else in the folder, the hashes, offsets and sizes go wrong, even 3dstool itself could pack them into a exefs.bin but not be able to unpack it again. So says, that invalids the exefs.bin. I've written a small tool just for this situation. It would calculate the size and offset and hashes. However the tool doesn't handle the LZ77 compression/decompression, so you would have the code.bin in compressed format to use this tool. Unpack:3dstool -xvtf exefs exefs.bin --exefs-dir exefs --header exefsheader.bin The tool:FixExefsHdr exefsheader.x exefs And you can rebuild it again: 3dstool -cvtf exefs exefs.bin --exefs-dir exefs --header exefsheader.x
And yes you can unpack it with 3dstool or something else to get the uncompressed code.bin.
Then what this could be to HANS? Any CXI unpacked using 3dstool have at the most 6 parts, NCCH Header, ExtHeader, Plain, Logo, Romfs and Exefs, and the first 4 of them is almost contain no content of the game itself. I've heard HANS can redirect the flows of reading Romfs and Exefs to SD, thus some Games get Tranlasted on a newer firmware than 9.2. If that doesn't ask for file size, a pre-patched romfs and exefs may be good news for HANS users. Anyway, that is not hard to rebuild a CXI or CIA. To get a pre-patched CIA you would need more steps. 1.Decrypt both the main CIA and its patch you wanna apply. Just use decrypt9 for this. 2.Unpack all both stuffs. Use ctrtool: ctrtool -i -y --content=c --tmd=tmd TheCIA.cia. 3.Find which the patch would apply on, by checking the titleid, programid, jumpid with ctrtool and those contents. 4.Unpack the target CXI and patch CXI, for example c.0000.00000000, to get all its stuffs. Use 3dstool, not ctrtool. 5.Unpack both exefs.bin, romfs.bin. Then replace the original files using what from patch. 6.Rebuild the exefs.bin and pack romfs.bin back. 7.You would need to Use my MergeExHeader to merge both exheaders in order to update the service table or more. 8.Since the MergeExHeader is original made for injection APP, you would have to at least patch the SaveData Size (original), Jump id(Original), and remaster version(Patch). If you don't know what should patch, and meet a fail, use ctrtool for the info and compare the output, pick what you like and see 3dbrew for tips of finding the offset inside the exheader. 9.Since two CXI have different content types you would have to rebuild the CXI carefully. Do remember use the original NCCH header extracted. You can decide other parts in a order, From where to get the file: Merged/Rebuilt part, Patch part, Original part. 10.You can then use makerom to create the CIA. Notice the order described in TMD! So: makerom -f cia -o a.cia -content 0000.cxi:0:0 -content ori\c.0001.00000002:1:2
Then? You've get the file, and just test it out with your own console!
Thanks for reading my text. I'm not good at english at all. The needed files by me in this thread: MergeExHeader/FixExefsHdr/savedatasizefix You can freely modify/distribute, if someone would like to get those hosted on github and maintain -- Thanks so much! |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 39/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Posted by Yoshi You could compile it yourself if the executable could not run. BTW 3dstool can be built with VS or CMake. I like to compile those myself to get the edge version, with MSYS2. ctrtool is designed to unpack/pack/modify the NCCH files. Especially for translation. If what you need is unpack/pack CIA, or list the file details you still need to have ctrtool and makerom. Incompatible may due to the toolchain it used to build the tool. VS2013 is without XP support by default. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 40/59 EXP: 25211 Next: 4686 Since: 10-26-15 Last post: 3015 days ago Last view: 2965 days ago |
Some notes about its limit: Can be used to build a pre-patched game. Can't used to embed DLC into the game.
Actually you can get the DLC CIA itself merged into the game, however it would not be recognized. You would need to keep DLC itself be installed standalone, since that is not in a same type of contents. So you can not use this to avoid the region lock with DLC CIAs. If you need so you can get NTR with locale emulation. However you could properly merge multiple DLC CIAs into one what is exactly much easier. Eh.. Wait. I'm remembered something strange about DLCs. A game merged with DLC could not recognize its included DLC, but if DLC is installed standalone and in the region it would get recognized. Thought of the design of NTR locale emulation plugin. It checks if Title has some plugins connected to trigger the emulation. All emulation plugin for regions differs only in a byte that shows which region it would be. Maybe there is better solution for it to get the region check itself removed so every time game query for its DLC, the system would ignore the region and return the values. However this is not easy to be done, and i am sure myself can not do this in at least several years. Well a patched version is already enough for translated contents with HANS now. |
| Main - Posts by Syphurith |
|
Page rendered in 0.050 seconds. (2048KB of memory used) MySQL - queries: 22, rows: 99/99, time: 0.007 seconds. ![[powered by Acmlm]](img/poweredbyacmlm.png "powering nostalgia")
Acmlmboard 2.064 (2018-07-20)© 2005-2008 Acmlm, Xkeeper, blackhole89 et al. |
.
yeah i don't get js at all...
