Views: 1,590,071 | Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search | 09-18-24 05:47 AM |
Guest: |
0 users reading Injecting other apps over Health & Safety? | 1 bot |
Main - Homebrew discussion - Injecting other apps over Health & Safety? | Hide post layouts | New reply |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 31/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
I'm currently thinking about adding a universal app injector (to Health & Safety) to Decrypt9, but I can't find a starting point.
There's the 3DS FBI NAND Inject Generator by Riku. It will not work for N3DS and source code is not available. I did some reverse engineering, though, and it looks like Riku's tool doesn't really generate a fitting FBI inject, but rather identifies the H&S version via the TMD and selects from a range of "precompiled" FBI injects to dump. So, how to actually generate a fitting inject? This is how I think I'd have to go about it: 1. Have a .3DS or .CIA of the app to inject & a dump of the 3DS H&S .TMD and NCCH ready. 2. Fully decrypt and dump the ExeFS from the app to inject. 3. Replace the ExeFS in the H&S NCCH with the one just dumped. That means all files, code, banner & icon. 4. Encrypt the ExeFS in the same way as the ExeFS in the original H&S app was encrypted. Alternatively, leave it unencrypted and set the NCCH header accordingly (2. option would be easier). 5. Pad the new H&S NCCH with zeroes so it has the exact same size as the old one or use a dummy file in RomFS to reach the desired size (1. option would be easier). 6. Recalculate the SHA-256 hashes in the NCCH and the .TMD. 7. Done! (of course, the new H&S inject would only work when signatures are patched) Maybe I missed something, any ideas? Also, this would of course not work when the app to inject has a bigger ExeFS than H&S. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 3/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
I wrote a tool to replace the encrypted parts of original file to decrypted one.
Comparison between original H&S, and FBI injection, with those decrypted NCCHs: Romfs, Exheader, Exefs: Mismatch. Inside Exefs: code.bin is touched. It seems little was not changed.. Here you can get the tool: DecryptedReplacer. Source code included Maybe you can inject one that Size just smaller than the xorpad? You see most contents are touched. Exactly, FBI's exefs is bigger than H&S. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 4/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
The .app content is indeed a CXI. Cause we would need to repack the exefs and CXI, i think 3dstool is better for it. However i don't know how to create a valid TMD file..
Here are some steps provided.. Note: Old method with DecryptedReplacer is now in spoiler. 1.Unpack Old CXI. NCSD Header is saved in this step. 3dstool -xvtf cxi 00000002.app --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin --exh-xor 0004001000020300.Main.exheader.xorpad --exefs-xor 0004001000020300.Main.exefs_norm.xorpad --romfs-xor 0004001000020300.Main.romfs.xorpad
EDIT: Figured out the logo.bcma.lz isn't actually needed when repacking.
2.Unpack Old Exefs. 3dstool -xvtfu exefs exefs.bin --header exefsheader.bin --exefs-dir exefs
3.Now overwrite the contents, including romfs.bin, code.bin, and exheader.bin. 4.Rebuild the Exefs. If you don't have the header, take it from original exefs.bin, 0x0-0x200 bytes. 3dstool -t exefs -c --exefs-dir exefs -f exefs.bin --header exefsheader.bin
Note: 3dstool need icon.icn, banner.bnr inside the exefs folder.
5b.Repack it, also apply the xorpads. 3dstool -cvtf cxi 1.cxi --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin --exh-xor 0004001000020300.Main.exheader.xorpad --exefs-xor 0004001000020300.Main.exefs_norm.xorpad --romfs-xor 0004001000020300.Main.romfs.xorpad
Yes, note the CXI "1.cxi" is now encrypted. And that is actually the same file by DecryptedReplacer.
Now? what blocks me from going further is the TMD. I don't know how to generate it properly. I've compared several TMDs, and tried to gain one from makerom then unpack, however still no success. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 9/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
Finally got the HASH update to work. However it seems I built a wrong APP file..
There is already an updated version of it on the next page, so this link is removed. Calculation: URL from gbatemp.net
And 0xB0C, the content length should be updated too. - If the length was touched. |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 32/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Thanks! I'll take a deeper look tomorrow. Just a few remarks for now... I do think the CXI for the inject has to be the exact same size as the H&S app. No problem doing this, Rikus injects have a variable size dummy file inside the RomFS for this reason, I think... Also, almost all of the code for properly reencrypting the inject app (if that is required) and building the TMD is already in Decrypt9.
What would help me a lot would the H&S app files for various FW versions, so that I can compare them to Rikus FBI inject files. Any idea how I can get them? |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 11/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
I'm glad to see you have already know how to build the TMD..
Posted by d0k3 Do you mean that where to get precompiled and ready-for-use app and tmd files for injection? If so you can just take a look at rxTools release package, there is /tools/fbi_inject/ But i wonder how exactly to build a valid .app file. I've tried to replace the exefs (so banner, icon, logo would be changed also), and repacked and re-encrypted it back. However once i tapped it in EmuNand, it just show a black screen and poped out an error. I should have some faults while creating the CXI.. Hope you can get a valid tool, either for Decrypt9, or for PC. |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 33/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Posted by Syphurith I'm pretty sure we'll get this to work . I already knew about the valid inject files from the rxTools archive. What I'm searching for is the original, untouched H&S app & tmd, best for multiple regions/version. I can't get it from my own system, cause there are no valid injects available for N3DS. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 12/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
Posted by d0k3 Oh now I understood. I would upload a H&S app from my decrypted NAND, from 9.8 and 4.1, JPN. Could i post those links? I mean it might be illegal? Note that the xorpads for different versions are different - cause different names. |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 34/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Posted by Syphurith Alright, thanks a ton! Got it, so you can remove it. Which single post do you mean? I'll look over the files and will see what I can say about them later! |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 35/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Alright, after a quick first look....
ExeFS in a proper inject only has the .code replaced (when compared to the original H&S app). RomFS just contains a dummy file to make sure that the inject app has the exact same size as the original one. Both easy to handle. Encryption of the .app and modification of the .tmd, we can handle, and adapting the NCCH header should not be a biggie either. The ExHeader looks to be coming from FBI. The only think adapted between different proper injects is the remaster version (1 byte), which is easy to adapt ourselves. Not completely sure now, but I think we can do this. What would help a lot, would be knowing which FBI version Riku's Converter uses. Finding this out ourselves would be as simple as injecting, running and looking for the version number. Can't do, though, as I only own a N3DS. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 15/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
Posted by d0k3 Well i was hoping for your getting the file, and now link is removed. Posted by d0k3 Wait a minute for me to inject it in.. Confirmed to be 1.3.8. The generated inject app and tmd for 2050 JPN O3DS, is exactly the same file from rxTools.. Problem solved, due to wrong behavior of ctrtool. Once used 3dstool to unpack the file, the code.bin matches the one from rxTools fbi_inject.app. Anyway, forget about it.. Just use 3dstool when ctrtool goes wrong. Eh.. Maybe the exe contains some interesting things too, cause it request a tmd. |
profi200 |
| ||
Member Who knows? Level: 19 Posts: 38/70 EXP: 34186 Next: 1591 Since: 05-21-15 From: Germany Last post: 2928 days ago Last view: 2796 days ago |
Don't link or share copyrighted content here. |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 36/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Posted by profi200 Sorry, won't happen again. To be honest, I've been unsure wthere this falls under the copyrighted category. We both removed the links (even from quotes) now. Posted by Syphurith Well, I can explain why it is identical with the one from rxTools - that's because rxTools uses Riku's inject files . Also, RomFS is not empty - it contains a dummy file to reach the desired file size (same size as H&S). The remaining mystery now is the ExHeader - when comparing the proper inject ExHeader with the one gained from the FBI 1.3.8 CIA content 0 ExHeader, this is what is different: 0x000 - Application title ("safe" instead of "FBI", from H&S) 0x00E - Remaster version (has to be same as .app/.tmd number) 0x1C8 - Jump ID (has to be same as ACI program id, see below) 0x200 - Access control info (ACI) program id (taken from H&S) 0x248 - ACI file system access info (FBI + H&S permissions combined) 0x600 - ACI2 program id (taken from H&S) 0x648 - ACI2 file system access info (FBI + H&S permissions combined) Info taken from here. Mystery solved? I think so! We need to try this, though, and coding this won't be simple. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 16/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
Posted by profi200 Sorry and won't happen again. Extra: It seems i am blocked/banned on 3dsdev, might be the cause of supporting rxTools. However this stops me from sending it to him more easily/securely.. Posted by d0k3 Quite happy to see you figured out the details. Eh let me check it myself again.. Compared material : the decrypted exheader of FBI.app and fbi_inject/Riku-Generated-edition, and H&S. fbi_inject.app from rxTools and the Riku generated one are exactly the same (hashed). FBI.app is extracted from the FBI.cia with ctrtool, from FBI 1.3.8 release. To be short, I would just show you what is modified from normal FBI exheader, that is adjusted to H&S one. Style: Addr + Length. Note: This might be a minimum requirement.. 0x000 + 0x8 , 0x00C + 0x4 , 0x1C8 + 0x4 , 0x1CC + 0x4 , 0x200 + 0x8 , 0x248 + 0x1 , 0x600 + 0x8 , 0x648 + 0x1 So, i could overwrite inject app exheader, by 0x0 + 0x16, 0x1C8 + 0x8, 0x200 + 0x8, 0x248 + 0x1, 0x600 + 0x8, 0x648 + 0x1 in short. Extra: Well i would recommend for a binary comparison by some script next time for such jobs.. And, yes we should try combined system access first.. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 17/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
Posted by d0k3 Eh.. I get a purely legal way for you to get those .app file next time. You don't need to install them! I don't care about this any more. Since you can check it yourself if you wish. You can get those EUR/USA/KOR/CHN ones. Well older title might be found in that ISO site. Thanks for this guy in this post for this, i don't know that could before. Hope the progress goes smoothly. |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 37/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Posted by Syphurith Continuing from yesterday... The actual NCCH header only has the offsets, sizes and hashes for ExeFS and RomFS modified (which is understandable) + the hash for the ExtHeader. Now, what do we need to do? 1. Build new (valid, hashes need to be correct) ExeFS with .code from FBI, all other files H&S 2. Build new (valid, hash needs be correct) RomFS with a dummy file (this is so that the resulting app is the exact same size as H&S 3. Create the ExtHeader as I wrote above 4. Adapt the NCCH header from H&S as I wrote above 5. Take plain region & logo region from H&S 6. Adapt the hashes in the H&S .TMD 7. Put all that stuff together I guess CTRtool & Makerom will be able to do a lot of that stuff, and for the remainder, a small program I'll code will do. I didn't get your fix TMD code to work, though. Any more ideas? |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 18/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
Posted by d0k3 Your plan sounds good. Well I doubt what if the injected app have romfs.... And the actual sizes of exefs differ - at least of FBI and H&S. What the Fix TMD posted is just for hashing, and content size update. It get the size of the .app, set it to update, and re-calculate those 3 hashes. I think you'd already know how to calculate the hashes. When i was trying to build a injectable file, I forgot to compare the other files, so i didn't find that difference of exheader. Eh for ctrtool.. yes all okey, but please try 3dstool if extraction went wrong - i've experienced such thing. Well nothing now. Except i wonder the size could really affect that much. Hope your customized build of any other app could be. FBI is written in C++, and built with citrus/aemstro/ctrcommon/picasso/libctru, and i doubt if latest version could fit in the size. Checked - not much bigger than original H&S. It might fit.. Also to note that, you might want to try to inject a version into your N3DS. Once you plan to do so, please have you NAND backup and Nand Xorpad with you. Good luck. |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 38/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Posted by Syphurith Continuing from here... If we had a tool (or two) that could inject ExeFS, RomFS and ExtHeader into an existing CXI (while also taking care of the hashes/offsets/sizes in the NCCH header AND touching the rest as little as possible), I think the rest would be manageable. Is there anything such as this? |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 19/59 EXP: 25834 Next: 4063 Since: 10-26-15 Last post: 3170 days ago Last view: 3120 days ago |
Posted by d0k3 I was thinking of using 3dstool/ctrtool/makerom to do its unpack/repack. And after that all we need to do might be to recreate the exheader and tmd. Well indeed 3dstool is best for NCCH/CXI. However i didn't tested the other files it generated, that the ncchheader.bin. It could always generate a valid CXI if proper material is given, cause the tool is invented for tranlation purpose. Yes, not always the exefs.bin and romfs.bin could be the same for them.. |
d0k3 |
| ||
Member Normal user Level: 20 Posts: 39/75 EXP: 37838 Next: 4601 Since: 06-04-15 Last post: 3186 days ago Last view: 2933 days ago |
Posted by Syphurith Alright, good! It looks like 3DStool does the trick. I unpacked the H&S CXI, then repacked it and got the exact same file. We're a good step closer now. ExeFS building and RomFS building can be done via either 3DStool or CTRtool. The only things left are adapting the ExtHeader and getting the TMD fixer to work. Is the TMDfixer written by you? I can't compile it because it complains about missing files, and I can't just run it because there are .dll files missing. |
Main - Homebrew discussion - Injecting other apps over Health & Safety? | Hide post layouts | New reply |
Page rendered in 0.036 seconds. (2048KB of memory used) MySQL - queries: 28, rows: 103/103, time: 0.006 seconds. Acmlmboard 2.064 (2018-07-20) © 2005-2008 Acmlm, Xkeeper, blackhole89 et al. |