Views: 623,092 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 01-22-18 02:58 AM

Main - Posts by d0k3

Pages: 1 2 3 4
Posted on 11-02-15 06:47 AM, in Injecting other apps over Health & Safety? Link | #649
Using your stuff/3DStool/CTRtool I've build something that should work. See here:

- Put H&S app & tmd into apptmd_hs/ folder (names do not matter)
- Put CIA of app to inject into cia_inject/ folder (name does not matter
- Run go.bat

The only thing missing from this is encryption, but I'm sure we can handle this.

Posted on 11-02-15 07:01 AM, in Injecting other apps over Health & Safety? (rev. 3 of 11-02-15 07:04 AM) Link | #651
... and one thing that popped into my mind right now... if there are multiple .app files, the TMD contains hashes for all .app files. So, not working for N3DS atm. You will need to adapt fixtmd for that.
Posted by Syphurith
Thanks. I could test it with a newer release of FBI first.

Great! Please check if the newly created .app has the same size as the H&S app. It should work regardless, but better be safe than sorry!

Also, for your source code, I inserted the compile parameters for static executables, just in case you wonder.

Posted on 11-02-15 07:06 AM, in Injecting other apps over Health & Safety? Link | #652
Posted by Syphurith
Thanks. I could test it with a newer release of FBI first.
Read its batch file it seems.. i should use a decrypted CXI of H&S to test it?
The fixtmd should take in a decrypted CXI as its APP.
Well, i would execute all those commands manually..

You need a decrypted H&S app. Forgot to say, sorry.

Posted on 11-02-15 07:36 AM, in Injecting other apps over Health & Safety? (rev. 3 of 11-02-15 07:37 AM) Link | #655
Posted by Syphurith
Eh.. Have you already tested it yet?
Since the ctrtool packaged won't run for me.. Could you get me a link to its source?
Yes, it might not work for N3DS now. However it should not be too hard to do so.
Anyway, please give me some time to let me test injection of newer FBI first..

EDIT:: NVM. i would try to do all those line by line.
EDIT:: I made a huge mistake, fixtmd needs an encrypted file.

Correct, the file needs to be encrypted for fixTMD. Forgot about that, too :/. Anyways, you can get CTRtool from here:

If required, just compile it anew.

And I can't test, I only own a N3DS :).

Posted on 11-02-15 07:45 AM, in Injecting other apps over Health & Safety? (rev. 2 of 11-02-15 07:50 AM) Link | #657
Posted by Syphurith
Quite sorry, but the .app file size: H&S(O3DS,JPN,2050): 812KB, generated: 804KB.
I should have done it no harm.. Since the ctrtool in package won't run for me, I used mine, and replaced the "*" mark with the actual file name.
Note: Not all programs would recognize the "*" mark.

And for FixTmd, I highly doubt how to calculate the hashes for multiple contents. NVM.
Content Hash: 0xB04 + A*0x30 + 0x10. The SHA-256 hash of the whole content.
Stage2 Hash: 0x204. SHA-256 hash of 0xB04-EOF.
Stage3 Hash: 0x1E4. SHA-256 hash of 0x204+0x900.

In short current FixTmd would not break a N3DS content, when it only uses the content #0.

Alright! I'm just looking into the size issue. The v2050 has a a logo region, while the other one has not - that's the only problem I'm seeing so far. The actual problem, though, is that the RomFS created is too small by exactly 4kB.

Posted on 11-02-15 08:42 AM, in Injecting other apps over Health & Safety? (rev. 2 of 11-02-15 08:43 AM) Link | #659
Posted by Syphurith
You might want to use my dumped JPN APP to test if size matches..

For the HASH of the Content Table. You might want to just update this:
//Calculate Hash of third part of TMD.
printf("[INFO]Update hashes #2..");
sha2(fctmd + 0xB04, fltmd - 0xB04, fh, 0);
sprint_sha256(fx, fh);
memcpy(fctmd+0x0208, fh, 32);
And i tried the tool again, it could generate a same TMD, using APP and TMD extracted from decrypted CIA of N3DS H&S.
However it still deserves a fix. Parameters order of it would be changed.

I'll wait until you update fixtmd, alright?

in the meantime:

This should fix:
* the wildcard issue for CTRtools
* the size issue (output size should be correct now)
* processing the logo.bin for .apps that have it

From what I see this will generate an app identical to Riku's inject files, save for the RomFS. The difference in RomFS is only due to us using a different content for the dummy file, so no problem.

Posted on 11-02-15 09:31 AM, in Injecting other apps over Health & Safety? Link | #663
Posted by Syphurith
Good news for you.
Your generated app was finally injected into my emuNand (surely i re-encrypted it)
and it does load into FBI 1.4.14, over my old H&S 2050 JPN.

I would try another CIA, then.

That's fantastic news! Will try on N3DS EmuNAND later, too. Also keep in mind that the CIA to inject needs to be deep decrypted (which typical homwbrews are, anyways).

Posted on 11-02-15 10:16 AM, in Injecting other apps over Health & Safety? Link | #666
Posted by Syphurith
I had just figured out a faulty re-encryption script.
Just now I had injected the DevMenu620 which i tried many times before - just its first success.
Have you looked at some posts this page? You can even build a xorpad without the actual encrypted file.
Now the next step for this tool, maybe a porting to other script.. or maybe not.

And.. For the N3DS, you may have to use NAND dumps for that, cause it may have multiple APP files.
RxTools only handle the single app ones, so no injection for N3DS now.

Posted by Syphurith
Let me take a note
1.The file size had better be the same.. (May be the cause of what the NAND recorded?)
2.You should have it decrypted first, and remember to reencrypt it.
3.FixTMD should be called to use the encrypted APP/CXI, and this is what this tool missed.
And yes, Batch script is dirty and quick. And much of those might be done in a better way (i mean, python/nodejs/..) At least batch is really a bad language.. You might know what i mean.

Glad to hear it worked with DevMenu, too!

I will streamline a lot of that by adding a new feature to Decrypt9. Decrypt9 can handle the TMD update, decryption and reencryption.

And, of course we can generate xorpads for decrypted NCSD/NCCH, using the Python script and real hardware, of course. Or did you mean something else?

Posted on 11-02-15 10:46 AM, in Injecting other apps over Health & Safety? Link | #668
Posted by Syphurith
Eh.. Yes if that is added to decrypt9 that could be super convinient.
However i think release a easy-to-use PC edition with xorpad decryption/encryption may be a starter kit for guys.
At least 3dstool did quite a bulk of dirty work.. Ha.
Still, i don't know if you have finally succeeded in the injection to your N3DS..
So i think using this PC edition to be a alpha/beta, and the code could be taken to decrypt9.

I'll try it this evening (my timezone, obviously) and will write about it afterwards.

Moving everything to Decrypt9 would be too much, but...
o I'll add one feature to extract & decrypt the H&S app from SysNAND
o Generating the .app to inject would have to be handled on PC, obviously
o And I'll add another feature to encrypt & inject the new app and also adapt the TMD in the process

Not super convenient, but convenient enough, I think. Because of the decryption / encryption / xorpad generation, this can't be done without real hardware and Decrypt9 or similar anyways. If you have some ideas how to streamline it differently, that would be very good, too, as I don't want to force people to use Decrypt9.

Posted on 11-03-15 05:04 AM, in Injecting other apps over Health & Safety? Link | #671
Posted by Syphurith
I've found a relationship to a common error.
As you know sometimes injected the generated app, the H&S shows no banner.
This is actually caused by a wrong crypto mark. To be used there, you have to made the injection app Encrypted. However, in NCCH file, 0x01BF. The mark should be cleared to "Crypto:Secure(0)" or else it would show "Crypto:None". This is due to 3dstool implementation, it sometimes just throws this mark away. I know how you might think about it. Oh no. It wouldn't load a wrong crypto, nor a decrypted one. And, even it is without the romfs.bin it could still run - if the original injection app requires no romfs.bin. So dummy romfs.bin is not really that needed.

Finally I've got some correct injection apps. The tool is here: NodeJS version

Thanks a ton for pointing that out! But, at 0x1BF in the NCCH header, there is nothing ("reserved area", see here). Did you mean 0x18F?

As for the NodeJS version... does that require any additional stuff installed? To be pretty blunt, I'm hoping @Shadowtrance makes that GUI once we have that thing running stable enough :).

Posted on 11-04-15 03:27 AM, in Injecting other apps over Health & Safety? Link | #678
@Syphurith, compared to my latest Windows .bat script - what is changed in your newest nodeJS script? Is it only the xorpad encryption, or is it more?

Posted on 11-04-15 09:07 AM, in Injecting other apps over Health & Safety? Link | #680
I didn't think about the xorpad problem, either. You could make your script generate the ncchinfo.bin on it's own, it's actually pretty easy.

Btw, you already saw it anyways, but everyone keeping an eye on this thread:
Posted by d0k3 on GBAtemp.org

Decrypt9 now includes two new features, one for dumping the H&S app, the other for injecting it. You need to compile from source, there's no binary release yet. And I suggest you use my last batch script to generate the inject .app (yup, .tmd / .xorpads not required), because the .app to inject needs to be the exact same size as the original H&S app (that requirement will most likely be removed later), and I'm not sure if @Syphurith's script makes sure of that.

I will most likely refine some of how this works now. And, btw, we can easily inject to other system apps, too, but I'm unsure if that would be a good idea.

Now, although the Decrypt9 way might be the more noob friendly in the long run, we still need @Syphurith's script - because only with Syphuriths method, the .app to inject can be bigger than the original H&S app (that would never work in Decrypt9). If @Shadowtrance makes that GUI, it best includes both ways (with / without D9).

Advantages of the Decrypt9 method:

Faster, needs only 3 steps (dump hs.app via D9, create inject app on PC, inject hs.app via D9).
You only need to handle the .app file, no .tmd or .xorpads.
Less room for error, much more noob friendly.
Also, safer. Injecting files into FAT images using tools like OSFmount might lead to fragmentation, which in turn might lead to unexpected results. With Decrypt9 that will never happen, as it will leave everything untouched but the actual files space.

@Syphurith, could you add the Decrypt9 method to your nodeJS script (as an alternative). It is the same as the other one, just with an already decrypted hs.app, no .tmd and no xorpads.

Posted on 11-04-15 03:12 PM, in Is the I2C register PowerOff() function dangerous? (rev. 3 of 11-04-15 03:13 PM) Link | #682
I mean this one:
void PowerOff()
i2cWriteRegister(I2C_DEV_MCU, 0x20, 1 << 0);
while (true);

On Github, @idgrepthat wrote:
Posted by idgrepthat on Github
Don't recommend. Power functions are unstable and can potentially brick.

Posted by idgrepthat on Github
Reboot has never caused problems for me, but homebrew and Gw's power-off functions can cause 3ds's to behave strangely. Like return 0 causing a full power-off in dsi mode instead of the homemenu grey screen that's expected. Yellows8 bricked his 3ds while researching these registers.

Maybe it's something you still feel is worth it, but I think it's an unnecessary risk given the small reward. I'm not that concerned about it because I never use homebrew power off any more. Your call.

I think the shutdown functions of CTR Boot Manager and Quick Shutdown are different, because they don't operate on ARM9. Anyways, is there any more infos on the subject? A shutdown function would be pretty convenient, but it is of course not worth the price of messing up your 3DS.

Posted on 11-10-15 05:43 AM, in What is special about homebrew zero key encryption? (rev. 2 of 11-10-15 05:45 AM) Link | #700
As some of you might already know, my own fork of Decrypt9 has options to decrypt NCCH/NCSD and CIAs. The NCCH/NCSD decryptor works fine with commercial CCIs and system apps, however I noticed just yesterday, that this isn't the case for homebrew .3DS files. If I try to decrypt them the same way, I just get broken output. So, what is different about the encryption in those (this is zero key encryption, right?), and how can I detect it? CTRtool and Makerom seem to handle that encryption just fine, but I haven't found the correct place in their source codes yet.

On another, slightly related note... I can decrypt homebrew CIAs just fine, but the content hashes in there seem to be all wrong. Again, there never was any trouble with verifying the hashes for commercial stuff (legit CIAs / custom CIAs from Riku's converter / CIAs built from CDN). Any ideas about that?

If you need an example, btw, just check my own CTRXplorer or FBI.

Posted on 11-10-15 05:55 AM, in Is the I2C register PowerOff() function dangerous? Link | #702
Posted by plutoo
I'm pretty sure it's safe. There are two things that can cause a brick with MCU pokes (afaik). They are as follows:

1. Power cycle from ARM11 when ARM9 has things left that it hasn't yet written to NAND. This could corrupt the file-system, internal files could become out-of-sync, and whatnot.
2. Poking around with LED pattern registers (this was how Yellows8 bricked his 3DS).

In this case neither applies so I'd say go for it.

Thanks for your reply! Well, I tried it, and in fact it is now included as a hidden option in Decrypt9. I still find it suspicious, though. With that option, the console turns of so fast and also a big difference to the reboot function, which takes it's time. Don't know if I will keep that in. I'd prefer to do it the same way as f.e. Quick Reboot does it, but I also have no access to CTRUlib functions from Decrypt9.

Posted on 11-10-15 06:09 AM, in What is special about homebrew zero key encryption? Link | #703
Posted by Dazzozo
Yes. The FixedCryptoKey bit is set. See http://3dbrew.org/wiki/NCCH#NCCH_Flags

The key used (fixed / zero) depends on whether its a system title. This is all explained at http://3dbrew.org/wiki/NCCH#Encryption

Alright, so with that flag set, a fixed key is used as AES NormalKey for encryption and everything else works as normal? I assume the zero key is all zeroes, and the systemkey is unknown. Because of the all-zeroes key, no actual hardware is needed for de-/encryption, but actual hardware would be required for decrypting with the fixed systemkey. Also, does this work with 7x / seed crypto? (might only make sense in theory)

Plus, the thing about the hashes in homebrew CIAs... any ideas?

Posted on 11-10-15 06:43 AM, in How to use start parameters in HB launcher? (rev. 4 of 11-10-15 06:46 AM) Link | #704
Well, in theory, it should be pretty simple, but take a look at this code (from my Brahma fork):
s32 main (int argc, char **argv) {
// Initialize services

consoleInit(GFX_BOTTOM, NULL);
if (brahma_init()) {
if ((argc > 1) && (argc <= 4)) {
char* payload = argv[1];
u32 offset = 0;
u32 psize = 0;

if (argc > 2) sscanf(argv[2], "%X", &offset);
if (argc > 3) sscanf(argv[3], "%X", &psize);

printf("[+] Loading %s@%X (size %X)\n", payload, offset, psize);
load_arm9_payload(payload, offset, psize);
printf("[!] Loading failed\n");
The above doesn't work, all that is found in the start parameters is a few correct symbols for the first parameter (the payload), and then garbled stuff. I'm loading it via .XMLs, the same way HANS shortcuts are loaded. I'd just take a look into the HANS source code, but well, that isn't released yet. Any ideas?

Posted on 11-10-15 11:40 AM, in What is special about homebrew zero key encryption? Link | #706
Posted by Dazzozo
-- Snip --

Got it, and both of it. For the CIAs the problem was that I did not recognize that Metadata comes at the end of the file structure. Thanks a ton!

Posted on 11-14-15 02:23 PM, in How to use start parameters in HB launcher? Link | #715
Posted by Syphurith
Indeed there are more homebrews using the XML and perhaps with arguements..
Such as CHMM2, ftbrony, installer, menuhax_manager, qtm.. For example?
However i do suggest you to ask smea or others on #3dsdev for help on this.
BTW, what you suppose to do with the arguements? RxTools just loads a static payload and it's fine.
Yes if this could be loaded using CN or other *hax, those 8.1 users may have a way for xorpads..

I alreay got behind this, just check my Brahma2Loader source code :).

Posted on 11-14-15 03:11 PM, in Rebuilding a (fully decrypted) CCI with already available tools? Link | #717
This may sound like somewhat of a noob question, but I haven't found any way to do this yet, without coding it myself. From looking at the source code, I'm pretty sure Makerom would be capable of it, but there is just no method implemented to actually do it.

So, here's what I want to do:
o Start with a fully decrypted CCI (made from a comercial cartridge, then decrypted via Decrypt9). Signatures are all bad at this point, of course.
o Reencrypt everything (= all contents) with zerokey crypto (already have figured that out, no problem).
o Now, also fix the signatures (target "development keys & certs" in makerom) for each and every content. That's the difficult step.
=> have a fully working (as in manual and all) zerokey encrypted rom for GW

I don't even own a Gateway, just doing this for scientific purposes. In essence, what I'd need is a "zerokey signature fixer". Haven't found anything like that yet, though. The fact that this would only be of any use for GW makes it even less probable something like that exists, too.

Any ideas?

Pages: 1 2 3 4

Main - Posts by d0k3

Page rendered in 0.020 seconds. (2048KB of memory used)
MySQL - queries: 22, rows: 99/99, time: 0.011 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2017-11-20)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.