Posted by megazig

check that iTCM is enabled for access from your mode.

Posted by http://3dbrew.org/wiki/CIA

The contents (NCCH/SRL) are encrypted using 128-bit AES-CBC. The encryption uses the decrypted titlekey from the ticket, and the content index from the TMD padded with zeros as the IV.

Posted by Dazzozo

It can obviously only be a normal key, if this crypto can be performed on a PC.

Which keyslot you use is up to you, and how much you care depends on what you're doing. If you're not FIRM launching and just MCU-rebooting (on exit) it doesn't really matter outside of slots you want to use elsewhere.

Edit: 0x11 is a good slot for temporary work. Nintendo also uses it for this purpose.

Posted by Dazzozo

Yeah, you got it. Only the encryption of the title key uses a "special" key pair (hardware key generator). The title key itself is a normal key.

Posted by profi200

You can't do everything on the PC because the title key needs to be decrypted through the AES engine. If you have the decrypted title key however it's easy to decrypt the contents of titles.

Posted by profi200

https://github.com/mid-kid/CakesForeveryWan/blob/master/source/crypto.c#L265

No access from ARM11 usrland. This uses the SHA directly.

Posted by Syphurith

I'm glad to see you have already know how to build the TMD..
Do you mean that where to get precompiled and ready-for-use app and tmd files for injection? If so you can just take a look at rxTools release package, there is /tools/fbi_inject// app and tmd in it. Most of those should be correctly created.
But i wonder how exactly to build a valid .app file. I've tried to replace the exefs (so banner, icon, logo would be changed also), and repacked and re-encrypted it back. However once i tapped it in EmuNand, it just show a black screen and poped out an error. I should have some faults while creating the CXI..
Hope you can get a valid tool, either for Decrypt9, or for PC.

Posted by Syphurith

Oh now I understood. I would upload a H&S app from my decrypted NAND, from 9.8 and 4.1, JPN.
Could i post those links? I mean it might be illegal? Note that the xorpads for different versions are different - cause different names.

Spoiler! (click to reveal)

Oh yes, anyway, I've packaged it. 2050 (9.8) and 1024(4.1) included. Password for that zip file is its filename, NO extension, NO spaces.
Please tell me once you get this file, and let it purge it off. Banned from 3dsdev, i can not deliver you the link more secured.

I think you should read all those content of this single post carefully. Thanks. Hope it helps you, even a little.

Posted by profi200

Don't link or share copyrighted content here.

Posted by Syphurith

Well i was hoping for your getting the file, and now link is removed.
Wait a minute for me to inject it in.. Confirmed to be 1.3.8. However minor version isn't known. This inject app git version: 876adcfcadda127be7dc292c5f21c07bcb11cd48, 1.3.8 release on May 3rd, 2015. code.bin matches. Compared FBI.cia to fbi_inject.app.... And you're right, exheader is nearly same from fbi. code.bin the exactly same. banner.bin and icon.bin are same as original H&S, while romfs is empty.

The generated inject app and tmd for 2050 JPN O3DS, is exactly the same file from rxTools..
Wait WTF? the app file and rxtools one are the same, and xorpads are all the same, however those code.bin lengths mismatch!
Loaded the code.bin into ida, and it shows all data.. Confused.. However it works.. lol.
Problem solved, due to wrong behavior of ctrtool. Once used 3dstool to unpack the file, the code.bin matches the one from rxTools fbi_inject.app.
Anyway, forget about it.. Just use 3dstool when ctrtool goes wrong.

Eh.. Maybe the exe contains some interesting things too, cause it request a tmd.

Posted by Syphurith

Eh.. I get a purely legal way for you to get those .app file next time. You don't need to install them!

"Just follow these steps!" (click to reveal)

1. Get your Decrypt9 compiled and set up.
2. Get the packed cia version of the title via 3dnus.
3. Place those encrypted ones into your sdmc:/D9Decrypt.
4. Use decrypt9 to decrypt the cia! with a deep method.
5. Use ctrtool to extract those contents from the decrypted cia. You can extract the TMD too.
6. Note that the 0000 part of the contents might be a NCCH.
7. Now as you've get the decrypted NCCH, and TMD. Jobs done.

Yes so it could be done in this way.. Haven't check extracted ones against the decrypted normal ones..
I don't care about this any more. Since you can check it yourself if you wish.
You can get those EUR/USA/KOR/CHN ones. Well older title might be found in that ISO site.
Thanks for this guy in this post for this, i don't know that could before. Hope the progress goes smoothly.

Posted by Syphurith

--Snip--

Posted by Syphurith

For this purpose, you might try DecryptedReplacer (or dd?). Its theory is quite plain, and it only replace the same sized content from A to B. Just padding all those binaries size first, all parts should be smaller than original. You would still have to create a valid tmd and exheader and hashes.
I was thinking of using 3dstool/ctrtool/makerom to do its unpack/repack. And after that all we need to do might be to recreate the exheader and tmd.
Well indeed 3dstool is best for NCCH/CXI. However i didn't tested the other files it generated, that the ncchheader.bin. It could always generate a valid CXI if proper material is given, cause the tool is invented for tranlation purpose. Yes, not always the exefs.bin and romfs.bin could be the same for them..