4dsdev
Views: 1,611,767 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 12-03-24 05:15 PM
Guest:

0 users reading Injecting other apps over Health & Safety? | 3 bots

Main - Homebrew discussion - Injecting other apps over Health & Safety? Hide post layouts | New reply

Pages: 1 2 3
d0k3
Posted on 10-29-15 11:07 AM Link | #599
I'm currently thinking about adding a universal app injector (to Health & Safety) to Decrypt9, but I can't find a starting point.

There's the 3DS FBI NAND Inject Generator by Riku. It will not work for N3DS and source code is not available. I did some reverse engineering, though, and it looks like Riku's tool doesn't really generate a fitting FBI inject, but rather identifies the H&S version via the TMD and selects from a range of "precompiled" FBI injects to dump.

So, how to actually generate a fitting inject? This is how I think I'd have to go about it:
1. Have a .3DS or .CIA of the app to inject & a dump of the 3DS H&S .TMD and NCCH ready.
2. Fully decrypt and dump the ExeFS from the app to inject.
3. Replace the ExeFS in the H&S NCCH with the one just dumped. That means all files, code, banner & icon.
4. Encrypt the ExeFS in the same way as the ExeFS in the original H&S app was encrypted. Alternatively, leave it unencrypted and set the NCCH header accordingly (2. option would be easier).
5. Pad the new H&S NCCH with zeroes so it has the exact same size as the old one or use a dummy file in RomFS to reach the desired size (1. option would be easier).
6. Recalculate the SHA-256 hashes in the NCCH and the .TMD.
7. Done! (of course, the new H&S inject would only work when signatures are patched)

Maybe I missed something, any ideas? Also, this would of course not work when the app to inject has a bigger ExeFS than H&S.

Syphurith
Posted on 10-29-15 12:49 PM (rev. 4 of 10-29-15 12:56 PM) Link | #601
I wrote a tool to replace the encrypted parts of original file to decrypted one.
Comparison between original H&S, and FBI injection, with those decrypted NCCHs:
Romfs, Exheader, Exefs: Mismatch. Inside Exefs: code.bin is touched. It seems little was not changed..
Here you can get the tool: DecryptedReplacer. Source code included

DecryptedReplacer.exe 00000002.app exefs.bin decrypted_exefs.bin exheader.bin decrypted_exheader.bin romfs.bin decrypted_romfs.bin
It would produce a "00000002.app.decrypted" for this example. Just load it with ctrtool to extract the content.
Note this tool can also let you replace those decrypted parts to encrypted ones.
Hope this tool could help you.However i don't know how to generate a injectable version of anything yet.
Maybe you can inject one that Size just smaller than the xorpad? You see most contents are touched. Exactly, FBI's exefs is bigger than H&S.

Syphurith
Posted on 10-29-15 02:39 PM (rev. 11 of 10-29-15 04:20 PM) Link | #603
The .app content is indeed a CXI. Cause we would need to repack the exefs and CXI, i think 3dstool is better for it. However i don't know how to create a valid TMD file..
Here are some steps provided.. Note: Old method with DecryptedReplacer is now in spoiler.

1.Unpack Old CXI. NCSD Header is saved in this step.

3dstool -xvtf cxi 00000002.app.decrypted --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin
This decrypted CXI is needed, you can use DecryptedReplacer to replace the encrypted contents to decrypted ones.
Or Just try unpack the encrypted one with 3dstool.
3dstool -xvtf cxi 00000002.app --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin --exh-xor 0004001000020300.Main.exheader.xorpad --exefs-xor 0004001000020300.Main.exefs_norm.xorpad --romfs-xor 0004001000020300.Main.romfs.xorpad
EDIT: Figured out the logo.bcma.lz isn't actually needed when repacking.

2.Unpack Old Exefs. Indeed you might done this in the step above with a specified argument. Not for 3dstool.
3dstool -xvtfu exefs exefs.bin --header exefsheader.bin --exefs-dir exefs

3.Now overwrite the contents, including romfs.bin, code.bin, and exheader.bin.

4.Rebuild the Exefs. If you don't have the header, take it from original exefs.bin, 0x0-0x200 bytes.
3dstool -t exefs -c --exefs-dir exefs -f exefs.bin --header exefsheader.bin
Note: 3dstool need icon.icn, banner.bnr inside the exefs folder.


5.Repack it as a CXI. If romfs=0KB, just remove that "--romfs romfs.bin".
3dstool -cvtf cxi 0.cxi --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin
From here to step 7, you can do so with only one command, with extra parameters. See step 5b
Well really you can take banner.bnr as banner.bin, icon.icn as icon.bin.

6.Now Xor your binaries to encrypt. Just use those xorpads with padxorer to encrypt. Don't mind that "decrypted_" prefix.

7.Since you have a decrypted CXI "0.cxi" now, you could use the DecryptedReplacer to replace those decrypted parts to encrypted ones. Yes see the post above.
DecryptedReplacer.exe 0.cxi exefs.bin decrypted_exefs.bin exh.bin decrypted_exh.bin romfs.bin decrypted_romfs.bin
Then you could have an encrypted CXI "0.cxi.decrypted". I said please don't mind the "decrypted" text.

5b.Repack it, also apply the xorpads.
3dstool -cvtf cxi 1.cxi --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin --exh-xor 0004001000020300.Main.exheader.xorpad --exefs-xor 0004001000020300.Main.exefs_norm.xorpad --romfs-xor 0004001000020300.Main.romfs.xorpad
Yes, note the CXI "1.cxi" is now encrypted. And that is actually the same file by DecryptedReplacer.

Now? what blocks me from going further is the TMD. I don't know how to generate it properly.
I've compared several TMDs, and tried to gain one from makerom then unpack, however still no success.

Syphurith
Posted on 10-29-15 07:15 PM (rev. 3 of 11-02-15 09:14 AM) Link | #611
Finally got the HASH update to work. However it seems I built a wrong APP file..
Working TMD Hash Updator Source code included. At least it could pass RxTools verification.
There is already an updated version of it on the next page, so this link is removed.
Calculation: URL from gbatemp.net
Of what is the TMD content info hash a hash? I presume they also need to be updated, not only the TMD content hash.
There are 3 hashs,
first (0xB14) hashes the content (app file),
second (0x208) hashes the content table (0xB04 - 0xB33)
third (0x1E4) hashes the content index table (0x204 - 0xB03)
All simple sha256.

And 0xB0C, the content length should be updated too. - If the length was touched.

d0k3
Posted on 10-29-15 10:17 PM Link | #612
Thanks! I'll take a deeper look tomorrow. Just a few remarks for now... I do think the CXI for the inject has to be the exact same size as the H&S app. No problem doing this, Rikus injects have a variable size dummy file inside the RomFS for this reason, I think... Also, almost all of the code for properly reencrypting the inject app (if that is required) and building the TMD is already in Decrypt9.

What would help me a lot would the H&S app files for various FW versions, so that I can compare them to Rikus FBI inject files. Any idea how I can get them?

Syphurith
Posted on 10-30-15 05:05 AM (rev. 2 of 10-30-15 05:07 AM) Link | #616
I'm glad to see you have already know how to build the TMD..
Posted by d0k3
What would help me a lot would the H&S app files for various FW versions, so that I can compare them to Rikus FBI inject files. Any idea how I can get them?

Do you mean that where to get precompiled and ready-for-use app and tmd files for injection? If so you can just take a look at rxTools release package, there is /tools/fbi_inject// app and tmd in it. Most of those should be correctly created.
But i wonder how exactly to build a valid .app file. I've tried to replace the exefs (so banner, icon, logo would be changed also), and repacked and re-encrypted it back. However once i tapped it in EmuNand, it just show a black screen and poped out an error. I should have some faults while creating the CXI..
Hope you can get a valid tool, either for Decrypt9, or for PC.

d0k3
Posted on 10-30-15 09:55 AM Link | #617
Posted by Syphurith
I'm glad to see you have already know how to build the TMD..
Do you mean that where to get precompiled and ready-for-use app and tmd files for injection? If so you can just take a look at rxTools release package, there is /tools/fbi_inject// app and tmd in it. Most of those should be correctly created.
But i wonder how exactly to build a valid .app file. I've tried to replace the exefs (so banner, icon, logo would be changed also), and repacked and re-encrypted it back. However once i tapped it in EmuNand, it just show a black screen and poped out an error. I should have some faults while creating the CXI..
Hope you can get a valid tool, either for Decrypt9, or for PC.

I'm pretty sure we'll get this to work :). I already knew about the valid inject files from the rxTools archive. What I'm searching for is the original, untouched H&S app & tmd, best for multiple regions/version. I can't get it from my own system, cause there are no valid injects available for N3DS.

Syphurith
Posted on 10-30-15 10:15 AM (rev. 9 of 10-31-15 04:14 AM) Link | #619
Posted by d0k3
I'm pretty sure we'll get this to work :). I already knew about the valid inject files from the rxTools archive. What I'm searching for is the original, untouched H&S app & tmd, best for multiple regions/version. I can't get it from my own system, cause there are no valid injects available for N3DS.

Oh now I understood. I would upload a H&S app from my decrypted NAND, from 9.8 and 4.1, JPN.
Could i post those links? I mean it might be illegal? Note that the xorpads for different versions are different - cause different names.

Oh yes, anyway, I've packaged it. 2050 (9.8) and 1024(4.1) included. Password for that zip file is its filename, NO extension, NO spaces. Here it goes! Link removed. Please tell me once you get this file, and let it purge it off. Banned from 3dsdev, i can not deliver you the link more secured.
I think you should read all those content of this single post carefully. Thanks. Hope it helps you, even a little.

d0k3
Posted on 10-30-15 07:47 PM (rev. 2 of 10-31-15 11:02 AM) Link | #625
Posted by Syphurith
Oh now I understood. I would upload a H&S app from my decrypted NAND, from 9.8 and 4.1, JPN.
Could i post those links? I mean it might be illegal? Note that the xorpads for different versions are different - cause different names.

Oh yes, anyway, I've packaged it. 2050 (9.8) and 1024(4.1) included. Password for that zip file is its filename, NO extension, NO spaces.
Please tell me once you get this file, and let it purge it off. Banned from 3dsdev, i can not deliver you the link more secured.
I think you should read all those content of this single post carefully. Thanks. Hope it helps you, even a little.

Alright, thanks a ton! Got it, so you can remove it. Which single post do you mean? I'll look over the files and will see what I can say about them later!

d0k3
Posted on 10-30-15 08:14 PM Link | #626
Alright, after a quick first look....

ExeFS in a proper inject only has the .code replaced (when compared to the original H&S app). RomFS just contains a dummy file to make sure that the inject app has the exact same size as the original one. Both easy to handle. Encryption of the .app and modification of the .tmd, we can handle, and adapting the NCCH header should not be a biggie either.

The ExHeader looks to be coming from FBI. The only think adapted between different proper injects is the remaster version (1 byte), which is easy to adapt ourselves.

Not completely sure now, but I think we can do this. What would help a lot, would be knowing which FBI version Riku's Converter uses. Finding this out ourselves would be as simple as injecting, running and looking for the version number. Can't do, though, as I only own a N3DS.

Syphurith
Posted on 10-31-15 04:41 AM (rev. 12 of 10-31-15 05:32 AM) Link | #628
Posted by d0k3
Alright, thanks a ton! Got it, so you can remove it. Which single post do you mean? I'll look over the files and will see what I can say about them later!

Well i was hoping for your getting the file, and now link is removed.
Posted by d0k3
--Snip--

Wait a minute for me to inject it in.. Confirmed to be 1.3.8. However minor version isn't known. This inject app git version: 876adcfcadda127be7dc292c5f21c07bcb11cd48, 1.3.8 release on May 3rd, 2015. code.bin matches. Compared FBI.cia to fbi_inject.app.... And you're right, exheader is nearly same from fbi. code.bin the exactly same. banner.bin and icon.bin are same as original H&S, while romfs is empty.

The generated inject app and tmd for 2050 JPN O3DS, is exactly the same file from rxTools..
Wait WTF? the app file and rxtools one are the same, and xorpads are all the same, however those code.bin lengths mismatch!
Loaded the code.bin into ida, and it shows all data.. Confused.. However it works.. lol.
Problem solved, due to wrong behavior of ctrtool. Once used 3dstool to unpack the file, the code.bin matches the one from rxTools fbi_inject.app.
Anyway, forget about it.. Just use 3dstool when ctrtool goes wrong.

Eh.. Maybe the exe contains some interesting things too, cause it request a tmd.

profi200
Posted on 10-31-15 11:07 AM Link | #629
Don't link or share copyrighted content here.

d0k3
Posted on 10-31-15 12:46 PM (rev. 4 of 10-31-15 12:49 PM) Link | #630
Posted by profi200
Don't link or share copyrighted content here.

Sorry, won't happen again. To be honest, I've been unsure wthere this falls under the copyrighted category. We both removed the links (even from quotes) now.
Posted by Syphurith
Well i was hoping for your getting the file, and now link is removed.
Wait a minute for me to inject it in.. Confirmed to be 1.3.8. However minor version isn't known. This inject app git version: 876adcfcadda127be7dc292c5f21c07bcb11cd48, 1.3.8 release on May 3rd, 2015. code.bin matches. Compared FBI.cia to fbi_inject.app.... And you're right, exheader is nearly same from fbi. code.bin the exactly same. banner.bin and icon.bin are same as original H&S, while romfs is empty.

The generated inject app and tmd for 2050 JPN O3DS, is exactly the same file from rxTools..
Wait WTF? the app file and rxtools one are the same, and xorpads are all the same, however those code.bin lengths mismatch!
Loaded the code.bin into ida, and it shows all data.. Confused.. However it works.. lol.
Problem solved, due to wrong behavior of ctrtool. Once used 3dstool to unpack the file, the code.bin matches the one from rxTools fbi_inject.app.
Anyway, forget about it.. Just use 3dstool when ctrtool goes wrong.

Eh.. Maybe the exe contains some interesting things too, cause it request a tmd.

Well, I can explain why it is identical with the one from rxTools - that's because rxTools uses Riku's inject files :). Also, RomFS is not empty - it contains a dummy file to reach the desired file size (same size as H&S).

The remaining mystery now is the ExHeader - when comparing the proper inject ExHeader with the one gained from the FBI 1.3.8 CIA content 0 ExHeader, this is what is different:
0x000 - Application title ("safe" instead of "FBI", from H&S)
0x00E - Remaster version (has to be same as .app/.tmd number)
0x1C8 - Jump ID (has to be same as ACI program id, see below)
0x200 - Access control info (ACI) program id (taken from H&S)
0x248 - ACI file system access info (FBI + H&S permissions combined)
0x600 - ACI2 program id (taken from H&S)
0x648 - ACI2 file system access info (FBI + H&S permissions combined)

Info taken from here. Mystery solved? I think so! We need to try this, though, and coding this won't be simple.



Syphurith
Posted on 10-31-15 03:41 PM (rev. 3 of 10-31-15 03:43 PM) Link | #631
Posted by profi200
Don't link or share copyrighted content here.

Sorry and won't happen again.
Extra: It seems i am blocked/banned on 3dsdev, might be the cause of supporting rxTools. However this stops me from sending it to him more easily/securely..
Posted by d0k3
--Snip--

Quite happy to see you figured out the details. Eh let me check it myself again..
Compared material : the decrypted exheader of FBI.app and fbi_inject/Riku-Generated-edition, and H&S. fbi_inject.app from rxTools and the Riku generated one are exactly the same (hashed). FBI.app is extracted from the FBI.cia with ctrtool, from FBI 1.3.8 release.
To be short, I would just show you what is modified from normal FBI exheader, that is adjusted to H&S one. Style: Addr + Length.
Note: This might be a minimum requirement..
0x000 + 0x8 , 0x00C + 0x4 , 0x1C8 + 0x4 , 0x1CC + 0x4 , 0x200 + 0x8 , 0x248 + 0x1 , 0x600 + 0x8 , 0x648 + 0x1
So, i could overwrite inject app exheader, by 0x0 + 0x16, 0x1C8 + 0x8, 0x200 + 0x8, 0x248 + 0x1, 0x600 + 0x8, 0x648 + 0x1 in short.
Extra: Well i would recommend for a binary comparison by some script next time for such jobs..
And, yes we should try combined system access first..

Syphurith
Posted on 10-31-15 03:58 PM (rev. 2 of 10-31-15 03:59 PM) Link | #632
Posted by d0k3
--Snip--

Eh.. I get a purely legal way for you to get those .app file next time. You don't need to install them!

1. Get your Decrypt9 compiled and set up.
2. Get the packed cia version of the title via 3dnus.
3. Place those encrypted ones into your sdmc:/D9Decrypt.
4. Use decrypt9 to decrypt the cia! with a deep method.
5. Use ctrtool to extract those contents from the decrypted cia. You can extract the TMD too.
6. Note that the 0000 part of the contents might be a NCCH.
7. Now as you've get the decrypted NCCH, and TMD. Jobs done.
Yes so it could be done in this way.. Haven't check extracted ones against the decrypted normal ones..
I don't care about this any more. Since you can check it yourself if you wish.
You can get those EUR/USA/KOR/CHN ones. Well older title might be found in that ISO site.
Thanks for this guy in this post for this, i don't know that could before. Hope the progress goes smoothly.

d0k3
Posted on 11-01-15 02:50 PM (rev. 3 of 11-01-15 03:20 PM) Link | #637
Posted by Syphurith
Eh.. I get a purely legal way for you to get those .app file next time. You don't need to install them!

1. Get your Decrypt9 compiled and set up.
2. Get the packed cia version of the title via 3dnus.
3. Place those encrypted ones into your sdmc:/D9Decrypt.
4. Use decrypt9 to decrypt the cia! with a deep method.
5. Use ctrtool to extract those contents from the decrypted cia. You can extract the TMD too.
6. Note that the 0000 part of the contents might be a NCCH.
7. Now as you've get the decrypted NCCH, and TMD. Jobs done.
Yes so it could be done in this way.. Haven't check extracted ones against the decrypted normal ones..
I don't care about this any more. Since you can check it yourself if you wish.
You can get those EUR/USA/KOR/CHN ones. Well older title might be found in that ISO site.
Thanks for this guy in this post for this, i don't know that could before. Hope the progress goes smoothly.

Continuing from yesterday... The actual NCCH header only has the offsets, sizes and hashes for ExeFS and RomFS modified (which is understandable) + the hash for the ExtHeader.

Now, what do we need to do?
1. Build new (valid, hashes need to be correct) ExeFS with .code from FBI, all other files H&S
2. Build new (valid, hash needs be correct) RomFS with a dummy file (this is so that the resulting app is the exact same size as H&S
3. Create the ExtHeader as I wrote above
4. Adapt the NCCH header from H&S as I wrote above
5. Take plain region & logo region from H&S
6. Adapt the hashes in the H&S .TMD
7. Put all that stuff together

I guess CTRtool & Makerom will be able to do a lot of that stuff, and for the remainder, a small program I'll code will do. I didn't get your fix TMD code to work, though. Any more ideas?

Syphurith
Posted on 11-01-15 03:22 PM (rev. 3 of 11-01-15 03:33 PM) Link | #639
Posted by d0k3
--Snip--
I guess CTRtool & Makerom will be able to do a lot of that stuff, and for the remainder, a small program I'll code we'll do. I didn't get your fix TMD code to work, though. Any more ideas?

Your plan sounds good. Well I doubt what if the injected app have romfs.... And the actual sizes of exefs differ - at least of FBI and H&S.
What the Fix TMD posted is just for hashing, and content size update. It get the size of the .app, set it to update, and re-calculate those 3 hashes. I think you'd already know how to calculate the hashes. When i was trying to build a injectable file, I forgot to compare the other files, so i didn't find that difference of exheader.
Eh for ctrtool.. yes all okey, but please try 3dstool if extraction went wrong - i've experienced such thing.
Well nothing now. Except i wonder the size could really affect that much.
Hope your customized build of any other app could be. FBI is written in C++, and built with citrus/aemstro/ctrcommon/picasso/libctru, and i doubt if latest version could fit in the size. Checked - not much bigger than original H&S. It might fit..
Also to note that, you might want to try to inject a version into your N3DS. Once you plan to do so, please have you NAND backup and Nand Xorpad with you. Good luck.

d0k3
Posted on 11-01-15 03:59 PM Link | #640
Posted by Syphurith
--Snip--

Continuing from here... If we had a tool (or two) that could inject ExeFS, RomFS and ExtHeader into an existing CXI (while also taking care of the hashes/offsets/sizes in the NCCH header AND touching the rest as little as possible), I think the rest would be manageable. Is there anything such as this?

Syphurith
Posted on 11-01-15 04:20 PM Link | #641
Posted by d0k3
Continuing from here... If we had a tool (or two) that could inject ExeFS, RomFS and ExtHeader into an existing CXI (while also taking care of the hashes/offsets/sizes in the NCCH header AND touching the rest as little as possible), I think the rest would be manageable. Is there anything such as this?

For this purpose, you might try DecryptedReplacer (or dd?). Its theory is quite plain, and it only replace the same sized content from A to B. Just padding all those binaries size first, all parts should be smaller than original. You would still have to create a valid tmd and exheader and hashes.
I was thinking of using 3dstool/ctrtool/makerom to do its unpack/repack. And after that all we need to do might be to recreate the exheader and tmd.
Well indeed 3dstool is best for NCCH/CXI. However i didn't tested the other files it generated, that the ncchheader.bin. It could always generate a valid CXI if proper material is given, cause the tool is invented for tranlation purpose. Yes, not always the exefs.bin and romfs.bin could be the same for them..

d0k3
Posted on 11-01-15 05:05 PM (rev. 2 of 11-01-15 05:05 PM) Link | #644
Posted by Syphurith
For this purpose, you might try DecryptedReplacer (or dd?). Its theory is quite plain, and it only replace the same sized content from A to B. Just padding all those binaries size first, all parts should be smaller than original. You would still have to create a valid tmd and exheader and hashes.
I was thinking of using 3dstool/ctrtool/makerom to do its unpack/repack. And after that all we need to do might be to recreate the exheader and tmd.
Well indeed 3dstool is best for NCCH/CXI. However i didn't tested the other files it generated, that the ncchheader.bin. It could always generate a valid CXI if proper material is given, cause the tool is invented for tranlation purpose. Yes, not always the exefs.bin and romfs.bin could be the same for them..

Alright, good! It looks like 3DStool does the trick. I unpacked the H&S CXI, then repacked it and got the exact same file. We're a good step closer now. ExeFS building and RomFS building can be done via either 3DStool or CTRtool. The only things left are adapting the ExtHeader and getting the TMD fixer to work. Is the TMDfixer written by you? I can't compile it because it complains about missing files, and I can't just run it because there are .dll files missing.
Pages: 1 2 3

Main - Homebrew discussion - Injecting other apps over Health & Safety? Hide post layouts | New reply

Page rendered in 0.036 seconds. (2048KB of memory used)
MySQL - queries: 28, rows: 103/103, time: 0.006 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2018-07-20)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.