
Main - Posts by Syphurith

Pages: 1 2 3
Posted on 11-12-15 01:03 PM, in How to use start parameters in HB launcher? (rev. 3 of 11-12-15 01:04 PM) Link | #714
Posted by d0k3

Indeed there are more homebrews using the XML and perhaps with arguments..
Such as CHMM2, ftbrony, installer, menuhax_manager, qtm.. For example?
However, I do suggest you ask smea or others on #3dsdev for help on this.
BTW, what are you supposed to do with the arguments? RxTools just loads a static payload and it's fine.
Yes, if this could be loaded using CN or other *hax, those 8.1 users may have a way to get xorpads..

Posted on 11-14-15 02:37 PM, in How to use start parameters in HB launcher? Link | #716
Posted by d0k3
I already got behind this, just check my Brahma2Loader source code :).

Quite good news to hear. So it would load successfully from HBL then? Yup.

Posted on 11-14-15 03:53 PM, in Rebuilding a (fully decrypted) CCI with already available tools? (rev. 2 of 11-14-15 04:00 PM) Link | #718
Why would you use a zero key? For the re-encryption: you can just generate the correct xorpads from decrypted contents.
Just get the xorpad of a small file, rebuild it to enlarge its romfs/exefs, and compare this to the one for the new file. The beginning would be the same.
Also there is the Zero Key fix; I used that to fix the sh*tty ZeroCrypto that stops usage on CFWs. -- produces no valid signatures either.

And, since ZeroKey is now only supported by GW or its fakes.. Unless ZeroKey adjustments are done for CFW, you can have the possibility to run..
However, even if the signature is valid for a dev unit, it is still invalid for a retail one. So you still need to patch the signature check.

Why do you need this? Note: there are leaked dev unit keys and certs..

Posted on 11-15-15 12:56 AM, in how do I add libs to 3ds devkit? Link | #723
Eh.. I wanna try the question of lib installation.
Posted by Inside My DevKitPro Folder
Programmers Notepad
You can easily see what I installed by comparing the list above with your own.

You can: make INSTALL it to the DevKitPro root, and include that as -lctru or something else.
Or simply merge some into existing libraries, such as copying all of include/lib/tools/data/share/bin to devkitARM..

I don't know how to load cgfx, nor GL or C++. And I can not ensure the installation tips are always correct..

Posted on 11-24-15 02:09 PM, in Decrypting the NAND title.db / import.db Link | #772
Posted by d0k3

1. There is an "extdata_tool" somewhere. A compiled binary can be found somewhere.
extdata_tool -m IMG -x -i -t -l title.db.out
This can parse the file, but can not manipulate it. So no offline installation..
2. To make things easier, I suggest you do these steps.
A. Dump the xorpad for those DBs (import, title) on the SD card.
B. Back up the DBs; let's say, "clean".
C. Install a title, and back up the DBs as "installed".
D. Remove the title you just installed, say "removed".
Then XOR those DBs from SD with the xorpad. Get all of them decrypted and compare with WinMerge2011.
Soon you would see what is modified. Yes, this is not for NAND, but that is quite similar.
Well, I know now that if you've ever installed a title, there is a record inside import.db, orz.

That's all I wanna say. Good luck.
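The XOR-and-compare procedure in steps A-D above, as an added example that is not part of the original post and not any of the tools named in it. It decrypts two dumps of the same DB with one xorpad, reports the changed byte ranges the way a visual diff would, and shows a side effect worth knowing: because both dumps share the same keystream, the ciphertexts already differ at exactly the offsets where the plaintexts do. The DB layout, the record bytes and the xorpad are all constructed in-memory so the script runs offline.

```python
import hashlib


def xor_with_pad(data: bytes, pad: bytes) -> bytes:
    """XOR a file image with its xorpad. The pad is the AES-CTR keystream for
    that file, so the same operation both decrypts an SD dump and re-encrypts
    a modified plaintext; it must be at least as long as the file."""
    if len(pad) < len(data):
        raise ValueError("xorpad shorter than file")
    return bytes(a ^ b for a, b in zip(data, pad))


def diff_ranges(a: bytes, b: bytes, gap: int = 16) -> list:
    """Return [(start, end), ...] half-open byte ranges where a and b differ.
    Differences closer together than `gap` bytes are merged into one range,
    roughly what WinMerge shows as a single changed block."""
    if len(a) != len(b):
        raise ValueError("images have different sizes")
    ranges = []
    start = last = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if start is not None and i - last > gap:
            ranges.append((start, last + 1))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        ranges.append((start, last + 1))
    return ranges


def compare_dumps(before_enc: bytes, after_enc: bytes, pad: bytes) -> dict:
    """Decrypt two dumps of the same DB taken with the same xorpad (e.g. the
    "clean" and "installed" copies) and report the changed ranges with the
    decrypted bytes on each side. Both dumps share one keystream, so the
    ciphertexts differ at the same offsets as the plaintexts: the changed
    offsets are visible even before decryption, the pad is only needed to
    read what changed."""
    before = xor_with_pad(before_enc, pad)
    after = xor_with_pad(after_enc, pad)
    ranges = diff_ranges(before, after)
    return {
        "ranges": ranges,
        "before": [before[s:e] for s, e in ranges],
        "after": [after[s:e] for s, e in ranges],
        "same_offsets_encrypted": diff_ranges(before_enc, after_enc) == ranges,
    }


# --- constructed sample data: stands in for title.db dumps and their xorpad ---
SIZE = 0x400
PAD = hashlib.sha256(b"constructed-xorpad").digest() * (SIZE // 32)  # fake 1 KiB keystream
clean_plain = bytearray(SIZE)
clean_plain[0:4] = b"CDB\x00"                        # constructed magic, not the real DB layout
installed_plain = bytearray(clean_plain)
installed_plain[0x10] = 1                            # constructed "entry count" bump
installed_plain[0x200:0x210] = b"installed-title!"   # constructed 16-byte record
CLEAN_ENC = xor_with_pad(clean_plain, PAD)           # what you would copy off the SD card
INSTALLED_ENC = xor_with_pad(installed_plain, PAD)

if __name__ == "__main__":
    result = compare_dumps(CLEAN_ENC, INSTALLED_ENC, PAD)
    for (s, e), b, a in zip(result["ranges"], result["before"], result["after"]):
        print(f"0x{s:04X}-0x{e:04X}: {b.hex()} -> {a.hex()}")
    print("ciphertext diff at same offsets:", result["same_offsets_encrypted"])
```

To use it on real dumps, replace the constructed CLEAN_ENC/INSTALLED_ENC/PAD with the bytes of the two SD-card copies and the xorpad file; the "removed" copy from step D is compared the same way against "installed".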

Posted on 11-27-15 01:05 PM, in Get ARM11 code execution from FIRM_LAUNCH ARM9? Link | #784
Posted by gudenau

You could contact 173210 and others on GitHub, from the repos of CFWs under active development.
And I would say good for this too.

Posted on 11-29-15 08:06 PM, in Questions? and Private Update Server (rev. 4 of 11-30-15 12:52 PM) Link | #799
I built a private update server yesterday and released its source (surely without Ninty files). To my surprise, the TitleHash and FsSize inside the GetSystemUpdate SOAP reply aren't actually verified. And there is no way for me to make a really good GetSystemUpdate reply...
Also, to note, there is a defect inside the TMD structure and therefore the CIA, so version spoofing works. I even used the server with a spoofed MSET to cheat the emuNAND, and orz.. Unfortunately I can not get those totally downgraded even on my emuNAND; maybe that's just too greedy.

Now I have two questions, looking for someone to answer. So would you mind thinking for a while?
1. Is there any way to patch the NIM module for those update URLs on 9.3+? I do know that eshop.3dsx does something similar but I am not sure about those. Maybe HANS could do this? Yeah, I have a method to pack exefs and romfs..
2. How much could it benefit from a lower MSET or Spider on 9.3+?

The server can still easily go wrong. Hope someone would like it. Original link is in strikethrough.
Server Tool: http://pan.baidu.com/s/1qW3UQza, Curl Test: http://pan.baidu.com/s/1sj6ADdV
Alternative link. Server Tool: https://dropfile.to/cvHd1, access: FqdU1Rt. Curl Test: https://dropfile.to/ekeJG, access: KEnFOxs.
The former package contains the files to construct the server, written in PHP 7.x and Node.js. The latter one is the test scripts with curl to test the server output.
I haven't used it to play with sysNAND - mine isn't hardmodded. But since the signature isn't broken I think that doesn't matter. A spoofed CIA would break the signature.

@d0k3 It is released. Found out you haven't seen the conversation there, so I just post its links here.

Posted on 11-29-15 10:39 PM, in Questions? and Private Update Server (rev. 3 of 11-29-15 10:51 PM) Link | #801
Posted by Opposing Force
Is it possible to rehost those files? Probably not many here can read Chinese.

Well OK. Indeed using Google Translate isn't hard, but I would update the main post to add attachments.
Eh.. this forum doesn't support attachments. I would have to find a free file hosting website first..
EDIT: OK, now it is on dropfile.io; I hope you can download it more easily then.

Posted on 11-30-15 11:29 AM, in Questions? and Private Update Server (rev. 6 of 11-30-15 11:49 AM) Link | #804
Posted by profi200
1. No.
2. Not going to work because 1. Besides that we still have gamecard titles which can be used as entrypoint.

There is no defect in tmd. Nintendo simply fucked it up and does not check the version after installing again. For this to work however it must pass installation time checks which a modified tmd will not so it requires disabled signature checks. If installed however it will run even on sysNAND. This way you can theoretically make a 3DS system Nintendo can never update again.

Btw: Why do people use some random upload sites instead of something like Dropbox?

Thanks much for your reply. Heat down.
I played with my 9.8 emuNAND yesterday; my console was first updated directly from 4.1 to 9.2 with your sysupdater. Well, and I used the version-spoofed MSET from 9.0 and it got installed. So it still needs the signature checks disabled.. It would surprise me much if they did not actually check those spoofed ones.
Posted by Shared Result
And mind if I share some results with you? EmuNAND: 9.8.0 JPN.
0. Complete official pack of 9.9.0, official SOAP TitleList. Success.
1. Complete official pack of 9.9.0, SOAP crafted. Success. Confirm: It doesn't actually read FsSize, maybe.
2. Complete official pack of 9.9.0, SOAP crafted, and wrong TitleHash. Confirm: It doesn't actually calculate the hash but stores it instead.
3. Incomplete pack of 9.9.0, SOAP crafted. Success. Confirm: So it really doesn't know if a pack is really complete.
4. A version-spoofed MSET/CVer/NVer from 9.0. Success, NNID settings removed. Confirm: WTF, I can not believe it.
5. A generated spoofed pack of 9.0/4.5. FAIL; at that time I just thought there were some checks. It failed on a title whose ID ends with 20F00.

There are only hashes in the TMD, and the CXI/CFA (encrypted) is signed; the cert is no different.
Still, it is not hard to just partially decrypt the CIA with the console to get the correct hashes. There is already a tool to reproduce a valid TMD file.
If it checks by the CXI/CFA content ID (00000002.app) it is still easy to an extent; the original hash of the contents doesn't need to change.

But now, I think there should be some checks other than the TMD reading itself. If it were that easy to downgrade I think they would just knock their heads with $. (orz)

I developed this myself after ronhero on GBAtemp stated he had done that and could provide a paid service for n00bs. Since this is quite risky I didn't post the server there. Even if you told them, there would always be some careless guys (lol).

Random upload sites: well, because I can not normally access those famous upload sites easily from my country.
I thought of a 3dsx version of sysupdater, and now it sounds of not much use then (I mean the server here). Have a good day.

Posted on 11-30-15 12:51 PM, in Questions? and Private Update Server (rev. 2 of 11-30-15 12:52 PM) Link | #805
Posted by profi200

My mistake. I've checked the signature at the beginning of the TMDs of different titles, and the whole TMD is protected by the signature, thus it needs a signature patch to install a spoofed CIA. So the hope to downgrade the sysNAND on a firmware without a sig-patch isn't real. Thanks for leading me off the wrong path.
Then this can only be useful to play with emuNAND, or to update the sysNAND, with untouched CIAs.
EDIT: I would update the posts above to strikethrough the wrong statements.

Posted on 12-01-15 12:45 PM, in Questions? and Private Update Server Link | #806
@profi200 Sorry to disturb you but.. I'd like to hear your opinion about "where the TitleHash is".
I could not find the TitleHash inside all those modules' RAM dumped using NTR, nor in the extracted contents from the decrypted emuNAND.
It checks if the TitleHash is different from maybe a "stored" one, and also the hash inside the GetSystemUpdate reply and GetTitleHash must match.
Once you enter MSET or other special apps, the Wi-Fi is not kept functional, thus NTR loses its connection. So I can not dump the MSET ones.
It should be in NAND or RAM. But I don't know where it might be stored. Orz.
Dreaming of this getting stored in a title and the TMD changing. Yes, the TMD should not change. It doesn't check the TMD of installed ones much. Oh, why dreaming? lol

Have a good time with your research and life!

Also here is a way to generate the TitleHash so that it is different every minute.
<?php
// Create a 16-byte pseudo-random TitleHash (32 hex chars) to easily issue an update. Or else comment this off and use the line below to give it a fixed value.
// This is generated from the server hostname (gethostname()) and a date-time string with minute resolution, thus it changes per minute.
$TitleHash = md5(gethostname() . date('YmdHi'));
//$TitleHash = '14C4B935FCB69959B88B7003A5326D2B'; // Wrong TitleHash; this is actually the one of 9.8.0-25J

Posted on 12-04-15 03:42 AM, in Alternative NAND Connection? (rev. 4 of 12-04-15 04:33 AM) Link | #808
I've heard that the 1.21GB one isn't restorable via NAND dumps. Even I don't know if that's real or not..
This is just a question and a concept, so if I've said something wrong, please point it out, thanks.
If the "not restorable" is totally a hoax, thanks very much for informing me of that. (Very glad to hear)
UPDATE: I've heard from someone that the 1.21GB NAND can be restored; it's just that most shops don't want to help them. (Feeling good)

All I know about the NAND chip in the 3DS:
1. The pinout connection for dumping and restoring the NAND dump accesses it like an SD/MMC. A normal NAND connection would be at least 8+3 pins, counting its I/O pins.
2. The size of the NAND dump is much smaller than the NAND chip size itself, especially for N3DS.
3. A bare NAND can not be accessed (W) via FAT filesystems without data loss unless an FTL is implemented, because FAT is designed for block devices, not NAND.
4. An FTL implementation consumes page OOBs or pages outside the mounted size for its algorithm's usage.
5. The dump and the xorpad are not generated at the same time, but it can be decrypted correctly. Yes, maybe just for most dumps (at least my O3DS can be restored with the GW method, and yes, it should be restorable via hardmod).

And my notes:
1. There is a NAND FTL implementation at the 3DS hardware level (Oops. Or bootrom.), and the current pinout connections R/W the NAND through it.
2. The NAND chip must contain its page translations, or block/hybrid ones, in the chip. For N3DS, not all the space is used/translated.
But if the pages inside the dump are in the same order (such as those of O3DS, where all pages in the dump are translated) as that in which they are read or written, then the restoration would not break the translation; otherwise (i.e., a dump of an incomplete read/write where pages are not translated) it would result in a brick.
3. If the NAND chip is connected without an FTL and accessed as a bare NAND chip, the dump size should be exactly the size of the chip, counting all bad blocks inside.

So the conclusion:
The image we can get from the 3DS may be incomplete (including GW dumps) and contains no translation tables.
If the NAND dump isn't a translated result, this would cause it to not be restorable with those incomplete dumps.

If a direct connection to the NAND pinouts could be made, the chips should always be restorable (except damaged ones or ones with huge bad blocks).
However it might have to be done in a more complex way (needs a special device to R/W the bare chip).

Posted on 12-07-15 12:06 AM, in What is this file's format? (rev. 2 of 12-07-15 12:17 AM) Link | #821
Posted by Mikle0x
I believe there is too few zeroes for it to be bytecode. Moreover, I think signature-like data is located just after "PROCESS" (compare UiT.plugin with UiT (1).plugin; the encrypted data is EXACTLY the same between the two files, but the signature is totally different due to a modification in the header)

1. Most of the content of the file should be encrypted. Just try loading it into IDA (you can find 6.6).
2. No, those dev cert marks such as "CP00000004" or "XS0000000A" are not involved. Oh, this is only for those NCCHs.
3. There are dev keys leaked very long ago, including AES and RSA types. The number of those is finite.
4. This file isn't found in NW4C:NW4F, or the leaked 4.2.8 SDK.
Since I can't find any clue about where this file comes from, I don't know what it belongs to.
You may just want to write a tiny program to try all those keys for you, but this may not be enough.
If you have a dev console, write a program to let it try all its keyslots.
Even if I do want the SDK to generate new versions of libraries' signatures, I won't ask for it publicly.
Let me guess. If a file is designed to be used inside a system with many keys, it may at least tell the system which key should be used.
Otherwise it could not be decrypted properly. I don't know if the 0x31=49 is a slot number.

Good luck. Hope you could eventually play with it.

Posted on 12-14-15 10:45 AM, in Get BOOTROM/Key Scrambler? (rev. 2 of 12-14-15 10:46 AM) Link | #827
1. The decapping fundraiser that was started by Jl12 was later proven to be fake. So no fundraiser now.
2. OTP dumping is not possible at the current research level. Well, and I don't know more info about it.
3. Key scrambler? Oh, this is totally left to the research on the hardware.
BTW I'm not the guy certified to show any proofs - I'm not REing it. Nor do I have hardware skills.
And this kind of development is not as fashionable as exploit finding, and I don't think you can get some guys to raise the money.
Yes, I do doubt whether anyone has tried that in private. And those pirates don't really care about homebrew or even RE it - well, they're just gamers.
That's all I know about your question. Yes.

Posted on 01-05-16 10:44 AM, in How Does Version Spoofing Work? Link | #853
Posted by gudenau
How does version spoofing work on the 3DS? I would like to attempt to implement a version spoofer so n3DS emuNAND users can get into the eShop.

Quite sorry for replying this late.
1. Version spoofing itself is not hard, just edit the Version inside the TMD.
However this would break the TMD signature, so you would need a sig-patch environment - except for an injected APP that isn't checked for the signature tightly.
2. The main reason you can not access the eShop is that the service URL changed. Thanks to Smea, there is already a homebrew based on HANS that can give you access.
Hope you could find something interesting next time.

Posted on 01-06-16 09:33 AM, in How Does Version Spoofing Work? (rev. 4 of 01-06-16 09:36 AM) Link | #855
Posted by gudenau
That does not explain how it is done on the console though.

Okay.. First, the eShop changed their server URLs, so the eShop spoofing is done by HANS.
In my own understanding, the Version itself is only a number that is mostly checked, marked in the TMD of the title, to say it is a certain version - not really meaning that version if modified - yes, that is it, so you can disable some update notices for certain modified games.
If you patch a game to make its Version the same as its update's, the system would think it is updated - well, I've done that when I bundled an update into a game and it didn't pop an update notice for that game.
Without other checks, a title would be regarded as an "update" by the system if the version is simply higher than the current one. But this won't always work - I tried to downgrade the emuNAND with spoofed TMDs for the whole system's titles and yes, it failed.
Changing a version is easy, but remaking a valid signature isn't. And I don't think Ninty would enable fake-signing (as on the Wii) again.
Even if you can fake the signature, when the application is so complex that it is tightly related to other services of the newer system version, or to a newly updated web server, that would not work. And the eShop is just this type, so modification of exefs/romfs is needed for it - and that's the reason why it's HANS-enhanced.

Most of the time, for a not-that-important title, the system would just check whether it is updated, comparing the currently installed version to the latest version.
For system titles, this isn't handled this way; the console would only accept a higher version unless removed first, and there are more checks.
And for the eShop, this is quite important and web-related. The actual obstacle for them is the changed service URLs.

I think the main purpose of dealing with the eShop has already come to an end. Hope my poor speaking can deal with your question this time.
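The "edit the Version inside the TMD, which breaks the signature" point from the two replies above, as an added example that is not from the original thread or from any tool named in it. It parses the signature block to find the TMD header, reads and rewrites the 16-bit title version, and then compares the SHA-256 of the signed region before and after, which is the digest an RSA-2048/SHA-256 signature would have been computed over: any version edit changes it, so the existing signature can no longer verify. Field offsets follow the publicly documented 3dbrew TMD layout; the sample TMD, its issuer string, title ID and all-zero signature are constructed so the script runs offline.

```python
import hashlib
import struct

# Signature type (big-endian uint32 at offset 0) -> (signature size, padding after it)
SIG_TYPES = {
    0x010003: (0x100, 0x3C),  # RSA-2048 / SHA-256, the type used by retail 3DS TMDs
    0x010004: (0x200, 0x3C),  # RSA-4096 / SHA-256
    0x010005: (0x3C, 0x40),   # ECDSA / SHA-256
}
# Offsets inside the TMD header (all header fields are big-endian)
HDR_TITLE_ID = 0x4C
HDR_TITLE_VERSION = 0x9C
HDR_CONTENT_COUNT = 0x9E
HDR_SIZE = 0xC4 + 0x900      # fixed header plus 64 content info records
CONTENT_CHUNK_SIZE = 0x30    # one content chunk record


def header_offset(tmd: bytes) -> int:
    """Where the signed header starts: after sig type, signature and padding."""
    sig_type = struct.unpack_from(">I", tmd, 0)[0]
    if sig_type not in SIG_TYPES:
        raise ValueError(f"unknown signature type 0x{sig_type:06X}")
    sig_size, pad = SIG_TYPES[sig_type]
    return 4 + sig_size + pad


def signed_region(tmd: bytes) -> bytes:
    """The signature covers everything from the header to the end of the TMD."""
    return tmd[header_offset(tmd):]


def get_title_version(tmd: bytes) -> int:
    return struct.unpack_from(">H", tmd, header_offset(tmd) + HDR_TITLE_VERSION)[0]


def decode_version(v: int) -> tuple:
    """Title versions pack major.minor.micro as 6/6/4 bits, so v1024 is 1.0.0."""
    return v >> 10, (v >> 4) & 0x3F, v & 0xF


def spoof_title_version(tmd: bytes, new_version: int) -> bytes:
    """Rewrite only the version field; the signature bytes are left untouched."""
    if not 0 <= new_version <= 0xFFFF:
        raise ValueError("version must fit in 16 bits")
    out = bytearray(tmd)
    struct.pack_into(">H", out, header_offset(tmd) + HDR_TITLE_VERSION, new_version)
    return bytes(out)


def signature_still_matches(original: bytes, modified: bytes) -> bool:
    """True only if the digest the signature was computed over is unchanged.
    A version edit always changes it, which is why a spoofed TMD only installs
    where signature checks are patched."""
    return (hashlib.sha256(signed_region(original)).digest()
            == hashlib.sha256(signed_region(modified)).digest())


def build_sample_tmd(title_id: int, version: int, content_count: int = 1) -> bytes:
    """Constructed RSA-2048-type TMD with an all-zero (invalid) signature and
    zeroed content records: enough structure for the parsing above."""
    sig_size, pad = SIG_TYPES[0x010003]
    hdr = bytearray(HDR_SIZE)
    hdr[0:0x40] = b"Root-CA00000003-CP0000000b".ljust(0x40, b"\x00")  # retail-style issuer (example)
    hdr[0x40] = 1                                                      # TMD format version
    struct.pack_into(">Q", hdr, HDR_TITLE_ID, title_id)
    struct.pack_into(">H", hdr, HDR_TITLE_VERSION, version)
    struct.pack_into(">H", hdr, HDR_CONTENT_COUNT, content_count)
    return (struct.pack(">I", 0x010003) + bytes(sig_size + pad)
            + bytes(hdr) + bytes(CONTENT_CHUNK_SIZE * content_count))


if __name__ == "__main__":
    tmd = build_sample_tmd(0x0004001000021000, 1024)   # constructed system-title-style ID, v1.0.0
    spoofed = spoof_title_version(tmd, 1040)           # claim v1.1.0 instead
    print("original v%d.%d.%d, spoofed v%d.%d.%d"
          % (*decode_version(get_title_version(tmd)), *decode_version(get_title_version(spoofed))))
    print("signature still matches signed region:", signature_still_matches(tmd, spoofed))
```

Reading a real TMD only needs `get_title_version`/`decode_version` on the file bytes; the constructed builder exists so the digest comparison can be shown without shipping any Nintendo-signed data.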

Posted on 01-08-16 03:29 PM, in How Does Version Spoofing Work? Link | #867
Posted by gudenau
I would like to know about the firmware version part, not the title version. But that is a good post nonetheless.

The firmware version? This version is inside the exheader of the CXI of the CIA/CCI, telling what minimum version of firmware is needed to run it.
See this page: http://3dbrew.org/wiki/NCCH/Extended_Header#ARM11_Kernel_Capabilities
Posted by Masks
0b1111110xxxxx Kernel release version Bits 8-15: Major version; Bits 0-7: Minor version

This is actually the kernel release version. The version spoof for those 9.5+ titles changed this value and the system just ran those.
Because till now there have been many FIRM updates that are just for "stability" and don't affect the functionality much, this spoofing likely works for games.
However for the eShop and other titles on 10.3, the firmware set up a bitmask and the apps ask for it - just check those titles decrypted with ctrtool.
If you just modify the kernel version it wouldn't work (tried). But I haven't tried removing this mark; you can test it alone if you have Decrypt9.
You might know already that GW can partially update some titles and get eShop access without HANS; thinking of those GW patches, it might have patched the kernel to produce the false bitmask for those. I've heard that GW heavily patched the system and even has a running thread in ARM11, but I don't really know about that.
This is just like region-free for games: the era of just modifying the exheader is what's left to us after Ninty introduced a new mechanism to check the region, so only GW/NTR locale emulation could work. I'm quite a noob at RE so I can not reveal how that is done, nor this for the kernel release version.
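The kernel release version descriptor discussed in the last two replies, as an added example that is not from the original thread or from ctrtool/Decrypt9. It decodes the descriptor out of the ARM11 kernel capabilities block of an NCCH exheader and rewrites it, i.e. the "just modify the kernel version" edit the reply above reports as not sufficient on 10.3. Layout assumptions, per the public 3dbrew exheader page: 28 little-endian uint32 descriptors at exheader offset 0x370 (ACI at 0x200, kernel capabilities at ACI+0x170), 0xFFFFFFFF marking an unused slot, and the 0b1111110 prefix from the quoted table with major in bits 8-15 and minor in bits 0-7. The exheader bytes and the descriptor's position (index 5) are constructed.

```python
import struct

EXHEADER_SIZE = 0x400               # the SCI+ACI half; the signed access descriptor follows it
KERNEL_CAPS_OFF = 0x200 + 0x170     # ACI at 0x200, ARM11 kernel capabilities at ACI+0x170
KERNEL_CAPS_COUNT = 28              # 0x70 bytes of uint32 descriptors
UNUSED_DESC = 0xFFFFFFFF
KREL_PREFIX = 0b1111110 << 25       # 0xFC000000: the top 7 bits mark the kernel release version
KREL_MASK = 0xFE000000              # the 7 prefix bits


def descriptor_at(exheader: bytes, index: int) -> int:
    return struct.unpack_from("<I", exheader, KERNEL_CAPS_OFF + 4 * index)[0]


def is_kernel_release_desc(d: int) -> bool:
    return (d & KREL_MASK) == KREL_PREFIX


def find_kernel_release(exheader: bytes):
    """Return (descriptor index, major, minor), or None when the title sets none."""
    descs = struct.unpack_from("<%dI" % KERNEL_CAPS_COUNT, exheader, KERNEL_CAPS_OFF)
    for i, d in enumerate(descs):
        if is_kernel_release_desc(d):
            return i, (d >> 8) & 0xFF, d & 0xFF
    return None


def set_kernel_release(exheader: bytes, major: int, minor: int) -> bytes:
    """Rewrite the descriptor in place, or put one in the first unused slot.
    This is only the exheader edit: as with a TMD version edit, the modified
    title still needs an environment where signature checks are patched, and
    the reply above reports this alone did not get the eShop running on 10.3."""
    if not (0 <= major <= 0xFF and 0 <= minor <= 0xFF):
        raise ValueError("major and minor must each fit in 8 bits")
    found = find_kernel_release(exheader)
    if found is not None:
        index = found[0]
    else:
        descs = struct.unpack_from("<%dI" % KERNEL_CAPS_COUNT, exheader, KERNEL_CAPS_OFF)
        if UNUSED_DESC not in descs:
            raise ValueError("no free kernel capability slot")
        index = descs.index(UNUSED_DESC)
    out = bytearray(exheader)
    struct.pack_into("<I", out, KERNEL_CAPS_OFF + 4 * index, KREL_PREFIX | (major << 8) | minor)
    return bytes(out)


def build_sample_exheader(major=None, minor=None) -> bytes:
    """Constructed exheader: all zero except the kernel caps block, which is
    filled with unused descriptors plus, optionally, one kernel release
    version descriptor at index 5 (a constructed placement)."""
    ex = bytearray(EXHEADER_SIZE)
    struct.pack_into("<%dI" % KERNEL_CAPS_COUNT, ex, KERNEL_CAPS_OFF,
                     *([UNUSED_DESC] * KERNEL_CAPS_COUNT))
    if major is not None:
        struct.pack_into("<I", ex, KERNEL_CAPS_OFF + 4 * 5, KREL_PREFIX | (major << 8) | minor)
    return bytes(ex)


if __name__ == "__main__":
    ex = build_sample_exheader(2, 44)          # constructed: a title asking for kernel 2.44
    print("found:", find_kernel_release(ex))
    patched = set_kernel_release(ex, 2, 46)
    print("patched:", find_kernel_release(patched), hex(descriptor_at(patched, 5)))
```

On a decrypted exheader from Decrypt9 or ctrtool, `find_kernel_release(open(path, "rb").read())` is enough to see what a title asks for; the builder only exists so the script has input to run on.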

Posted on 01-08-16 03:33 PM, in How to find version of installed title on 9.3 3DS? Link | #868
What type of title do you want to check?
1. System titles: just look at yellows8's server records: http://yls8.mtheall.com/ninupdates/reports.php
2. SD applications: sorry, you have to use AM to get the titles that are installed, and this needs am service access.
No FAT16 xorpad generation.. unless you are sure that is a preinstalled system title that's not on the CDN.

Posted on 01-13-16 05:43 PM, in [Request] Homebrew&CFW Updater Link | #880
I'm sorry, but there seems to be InstallMii already.
BTW this could be possible, once you can persuade a guy into developing it.
Good luck! (Sorry, I won't anticipate this..)