Main - Homebrew discussion - Injecting other apps over Health & Safety?
d0k3 |
... but I have trouble building the new ExeFS.bin via 3DStool. It simply doesn't work, I get garbled output:
ERROR: open file exefs/»“AÍMMW6Q–€‰Cˆ®ïd‰«Ç@™ž¹£Ðø/ røQ¹ÏìAPWë2œ©ü<ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed
ERROR: open file exefs/®ïd‰«Ç@™ž¹£Ðø/ røQ¹ÏìAPWë2œ©ü<ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed
ERROR: open file exefs/røQ¹ÏìAPWë2œ©ü<ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed
ERROR: open file exefs/ﲸu’[æÈCMB÷Ug`-néJ_1ÔÄrsÉq&vn*}’.bin failed
ERROR: open file exefs/`-néJ_1ÔÄrsÉq&vn*}’.bin failed
ERROR: open file exefs/&vn*}’.bin failed
ERROR: open file exefs/í¾4Ë S>a ·æ/;0.bin failed
ERROR: create file failed
Any ideas?
EDIT: Nevermind, got it! But, can you help me get the TMDfixer to work?
Syphurith |
Posted by d0k3
3dstool supports reading a decrypted file without xorpad, or reading an encrypted one with xorpad. When with xorpad, please remember to use those --XX-xor arguments.
Eh, the TMD fixer is written by myself. Since the zip file contains its source code, you might want to simply take a look at it. All it does is quite simple, to recalculate those SHA-256 hashes.
Note: the previous post contains the link to its source. But not in the package when I harmed the rules. I compiled it in MSYS2 - mingw64 mode, with my win 8.1 x64 PC.
If you really can't get it compiled, you may want to write one yourself. Below is all that it does.
An updated version of FixTmd: Here it is. It would accept other APP and TMD names, see its output. Source included.
Syphurith |
I tried to decrypt then unpack all those H&S CIA fetched from CDN - all regions, both O3DS and N3DS.
Cause mine is an old 3ds, I can't decrypt all those successfully, the only one failed may be one from later New 3ds.
The encrypted CIA, generated using 3DNUS, contains exactly the same .TMD compared with the original installed one.
The TMD from decrypted differs with hashes.
Its content, the CXI/APP file, is almost all the same, in their decrypted form.
NCCH padgen can be used to generate the xorpads from a decrypted CXI, and its result all the same with what from the encrypted.
For O3DS, all H&S contains only 1 CXI/APP.
For N3DS, that is two, the first one is the expected CXI/APP with CTR-N-HACJ, and the other is a manual.
So, as you could figure out from all those notes above. Yes, you can get those in a totally legal way.
And, this tool with source could merge the two exheader for injectable one. Get it here!
I've already tested it with the original FBI 1.3.8 exheader, along with the old H&S 2050 one. It generated exactly the same file as what from fbi_inject 2050.
Last report: Tried to inject a devmenu. And failed as expected. May be due to I removed the romfs and plain binaries.
d0k3 |
Using your stuff/3DStool/CTRtool I've built something that should work. See here:
http://wikisend.com/download/350650/UniversalInjectGen_v0.1.zip
Howto:
- Put H&S app & tmd into apptmd_hs/ folder (names do not matter)
- Put CIA of app to inject into cia_inject/ folder (name does not matter)
- Run go.bat
The only thing missing from this is encryption, but I'm sure we can handle this.
Syphurith |
Posted by d0k3
Thanks. I could test it with a newer release of FBI first. Read its batch file it seems.. I should use a decrypted CXI of H&S to test it? Oh no, that only takes in Encrypted one, cause the original CXIs are all encrypted in NAND.
Well, I would execute all those commands manually..
d0k3 |
... and one thing that popped into my mind right now... if there are multiple .app files, the TMD contains hashes for all .app files. So, not working for N3DS atm. You will need to adapt fixtmd for that.
Posted by Syphurith
Great! Please check if the newly created .app has the same size as the H&S app. It should work regardless, but better be safe than sorry! Also, for your source code, I inserted the compile parameters for static executables, just in case you wonder.
d0k3 |
Posted by Syphurith
You need a decrypted H&S app. Forgot to say, sorry.
Syphurith |
Posted by d0k3
Eh.. Have you already tested it yet? Since the ctrtool packaged won't run for me.. Could you get me a link to its source?
Yes, it might not work for N3DS now. However it should not be too hard to do so. Anyway, please give me some time to let me test injection of newer FBI first..
EDIT:: NVM. I would try to do all those line by line.
EDIT:: I made a huge mistake, fixtmd needs an encrypted file.
d0k3 |
Posted by Syphurith
Correct, the file needs to be encrypted for fixTMD. Forgot about that, too :/. Anyways, you can get CTRtool from here: https://github.com/profi200/Project_CTR/releases
If required, just compile it anew. And I can't test, I only own an N3DS.
Syphurith |
Posted by d0k3
Quite sorry, but the .app file size: H&S(O3DS,JPN,2050): 812KB, generated: 804KB. I should have done it no harm..
Since the ctrtool in package won't run for me, I used mine, and replaced the "*" mark with the actual file name. Note: Not all programs would recognize the "*" mark.
Content Hash: 0xB04 + A*0x30 + 0x10. The SHA-256 hash of the whole content.
Stage2 Hash: 0x204. SHA-256 hash of 0xB04-EOF.
Stage3 Hash: 0x1E4. SHA-256 hash of 0x204+0x900.
In short current FixTmd would not break a N3DS content, when it only uses the content #0.
d0k3 |
Posted by Syphurith
Alright! I'm just looking into the size issue. The v2050 has a logo region, while the other one has not - that's the only problem I'm seeing so far. The actual problem, though, is that the RomFS created is too small by exactly 4kB.
Syphurith |
Posted by d0k3
You might want to use my dumped JPN APP to test if size matches.. For the HASH of the Content Table. You might want to just update this:
//Calculate Hash of third part of TMD.
printf("[INFO]Update hashes #2..");
sha2(fctmd + 0xB04, fltmd - 0xB04, fh, 0);
memset(fx,0,256);
sprint_sha256(fx, fh);
printf("0x0208:0x0B04-0x%04X:\n%s\n",fltmd,fx);
memcpy(fctmd+0x0208, fh, 32);
And I tried the tool again, it could generate a same TMD, using APP and TMD extracted from decrypted CIA of N3DS H&S.
However it still deserves a fix. Parameters order of it would be changed.
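Added example, not part of the thread or of FixTmd: a Python check of the three hash levels Syphurith lists, using the offsets from the posts above (stage 2 is read at 0x208, where the quoted FixTmd lines write it). It assumes the content records run from 0xB04 to end of file with no trailing certificates and that the .app files are passed in TMD content-index order; all function and constant names are this example's own.

```python
import hashlib

# Offsets as quoted in the thread; the constant names are this example's own.
STAGE3_HASH = 0x1E4                    # SHA-256 of the 0x900 bytes at 0x204
INFO_TABLE, INFO_LEN = 0x204, 0x900
STAGE2_HASH = 0x208                    # where the FixTmd lines store hash #2
CHUNKS, CHUNK_LEN, CHUNK_HASH = 0xB04, 0x30, 0x10


def sha256(data):
    return hashlib.sha256(data).digest()


def check_tmd(tmd, contents):
    """Return the hash-chain levels that do not match (empty list = consistent).

    contents: encrypted .app payloads, in TMD content-index order.
    Assumption: the content records run to EOF (no trailing certificates).
    """
    if len(tmd) < CHUNKS + CHUNK_LEN or (len(tmd) - CHUNKS) % CHUNK_LEN:
        raise ValueError("TMD too short or record table not a multiple of 0x30")
    count = (len(tmd) - CHUNKS) // CHUNK_LEN
    if len(contents) != count:
        raise ValueError(f"TMD lists {count} contents, got {len(contents)}")
    bad = []
    for a, blob in enumerate(contents):            # level 1: one hash per .app
        off = CHUNKS + a * CHUNK_LEN + CHUNK_HASH
        if tmd[off:off + 32] != sha256(blob):
            bad.append(f"content #{a}")
    if tmd[STAGE2_HASH:STAGE2_HASH + 32] != sha256(tmd[CHUNKS:]):
        bad.append("stage2")                       # level 2: all content records
    table = tmd[INFO_TABLE:INFO_TABLE + INFO_LEN]
    if tmd[STAGE3_HASH:STAGE3_HASH + 32] != sha256(table):
        bad.append("stage3")                       # level 3: table holding level 2
    return bad


def make_sample_tmd(contents):
    """Constructed sample: zero-filled TMD that carries only a valid hash chain."""
    tmd = bytearray(CHUNKS + CHUNK_LEN * len(contents))
    for a, blob in enumerate(contents):
        off = CHUNKS + a * CHUNK_LEN + CHUNK_HASH
        tmd[off:off + 32] = sha256(blob)
    tmd[STAGE2_HASH:STAGE2_HASH + 32] = sha256(bytes(tmd[CHUNKS:]))
    table = bytes(tmd[INFO_TABLE:INFO_TABLE + INFO_LEN])
    tmd[STAGE3_HASH:STAGE3_HASH + 32] = sha256(table)
    return bytes(tmd)
```

Changing any content record changes the stage 2 hash, which sits inside the region covered by stage 3, so the levels have to be recomputed bottom-up. A consistent chain says nothing about the signature over the TMD header, which this check does not verify.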
d0k3 |
Posted by Syphurith
I'll wait until you update fixtmd, alright? In the meantime: http://wikisend.com/download/715352/UniversalInjectGen_v0.2.zip
This should fix:
* the wildcard issue for CTRtools
* the size issue (output size should be correct now)
* processing the logo.bin for .apps that have it
From what I see this will generate an app identical to Riku's inject files, save for the RomFS. The difference in RomFS is only due to us using a different content for the dummy file, so no problem.
Syphurith |
Posted by d0k3
FixTmd Update: Get it Here. Pure Source Code, you would have to compile it yourself.
NOTE: You must follow the order of contents index in TMD to put multiple files to work, or else it would mess up. Tested with N3DS content, and generated a good TMD.
Syphurith |
Well take a released version of ctrtool myself from profi200 github. It finally passed the wildcard issue for me.
And yes, the file size is correct.. Let me have a try to inject it.. Just wait me a while.. Orz.. I had to re-encrypt it first. Nearly forgot it.. |
Syphurith |
Good news for you.
Your generated app was finally injected into my emuNand (surely I re-encrypted it) and it does load into FBI 1.4.14, over my old H&S 2050 JPN. I would try another CIA, then.
d0k3 |
Posted by Syphurith
That's fantastic news! Will try on N3DS EmuNAND later, too. Also keep in mind that the CIA to inject needs to be deep decrypted (which typical homebrews are, anyways).
Syphurith |
Posted by d0k3
I had just figured out a faulty re-encryption script. Just now I had injected the DevMenu620 which I tried many times before - just its first success.
Have you looked at some posts this page? You can even build a xorpad without the actual encrypted file.
Now the next step for this tool, maybe a porting to other script.. or maybe not.
And.. For the N3DS, you may have to use NAND dumps for that, cause it may have multiple APP files. RxTools only handle the single app ones, so no injection for N3DS now.
Syphurith |
Let me take a note:
1. The file size had better be the same.. (May be the cause of what the NAND recorded?)
2. You should have it decrypted first, and remember to reencrypt it.
3. FixTMD should be called to use the encrypted APP/CXI, and this is what this tool missed.
And yes, Batch script is dirty and quick. And much of those might be done in a better way (I mean, python/nodejs/..) At least batch is really a bad language.. You might know what I mean.
d0k3 |
Posted by Syphurith
Posted by Syphurith
Glad to hear it worked with DevMenu, too! I will streamline a lot of that by adding a new feature to Decrypt9. Decrypt9 can handle the TMD update, decryption and reencryption.
And, of course we can generate xorpads for decrypted NCSD/NCCH, using the Python script and real hardware, of course. Or did you mean something else?