Posted by d0k3

--Snip--

Posted by d0k3

Using your stuff/3DStool/CTRtool I've build something that should work. See here:
http://wikisend.com/download/350650/UniversalInjectGen_v0.1.zip

Howto:
- Put H&S app & tmd into apptmd_hs/ folder (names do not matter)
- Put CIA of app to inject into cia_inject/ folder (name does not matter
- Run go.bat

The only thing missing from this is encryption, but I'm sure we can handle this.

Posted by Syphurith

Thanks. I could test it with a newer release of FBI first.

Posted by Syphurith

Thanks. I could test it with a newer release of FBI first.
Read its batch file it seems.. i should use a decrypted CXI of H&S to test it?
The fixtmd should take in a decrypted CXI as its APP.
Well, i would execute all those commands manually..

Posted by d0k3

..Snip..

Posted by Syphurith

Eh.. Have you already tested it yet?
Since the ctrtool packaged won't run for me.. Could you get me a link to its source?
Yes, it might not work for N3DS now. However it should not be too hard to do so.
Anyway, please give me some time to let me test injection of newer FBI first..

EDIT:: NVM. i would try to do all those line by line.
EDIT:: I made a huge mistake, fixtmd needs an encrypted file.

Posted by d0k3

... and one thing that popped into my mind right now... if there are multiple .app files, the TMD contains hashes for all .app files. So, not working for N3DS atm. You will need to adapt fixtmd for that.
Great! Please check if the newly created .app has the same size as the H&S app. It should work regardless, but better be safe than sorry!

Also, for your source code, I inserted the compile parameters for static executables, just in case you wonder.

Posted by Syphurith

Quite sorry, but the .app file size: H&S(O3DS,JPN,2050): 812KB, generated: 804KB.
I should have done it no harm.. Since the ctrtool in package won't run for me, I used mine, and replaced the "*" mark with the actual file name.
Note: Not all programs would recognize the "*" mark.

And for FixTmd, I highly doubt how to calculate the hashes for multiple contents. NVM.
Content Hash: 0xB04 + A*0x30 + 0x10. The SHA-256 hash of the whole content.
Stage2 Hash: 0x204. SHA-256 hash of 0xB04-EOF.
Stage3 Hash: 0x1E4. SHA-256 hash of 0x204+0x900.

In short current FixTmd would not break a N3DS content, when it only uses the content #0.

Posted by d0k3

Alright! I'm just looking into the size issue. The v2050 has a a logo region, while the other one has not - that's the only problem I'm seeing so far. The actual problem, though, is that the RomFS created is too small by exactly 4kB.

Posted by Syphurith

You might want to use my dumped JPN APP to test if size matches..

For the HASH of the Content Table. You might want to just update this:

//Calculate Hash of third part of TMD.
printf("[INFO]Update hashes #2..");
sha2(fctmd + 0xB04, fltmd - 0xB04, fh, 0);
memset(fx,0,256);
sprint_sha256(fx, fh);
printf("0x0208:0x0B04-0x%04X:\n%s\n",fltmd,fx);
memcpy(fctmd+0x0208, fh, 32);

And i tried the tool again, it could generate a same TMD, using APP and TMD extracted from decrypted CIA of N3DS H&S.
However it still deserves a fix. Parameters order of it would be changed.

Posted by d0k3

I'll wait until you update fixtmd, alright?

in the meantime:
http://wikisend.com/download/715352/UniversalInjectGen_v0.2.zip

This should fix:
* the wildcard issue for CTRtools
* the size issue (output size should be correct now)
* processing the logo.bin for .apps that have it

From what I see this will generate an app identical to Riku's inject files, save for the RomFS. The difference in RomFS is only due to us using a different content for the dummy file, so no problem.

Posted by Syphurith

Good news for you.
Your generated app was finally injected into my emuNand (surely i re-encrypted it)
and it does load into FBI 1.4.14, over my old H&S 2050 JPN.

I would try another CIA, then.

Posted by d0k3

That's fantastic news! Will try on N3DS EmuNAND later, too. Also keep in mind that the CIA to inject needs to be deep decrypted (which typical homwbrews are, anyways).

Posted by Syphurith

I had just figured out a faulty re-encryption script.
Just now I had injected the DevMenu620 which i tried many times before - just its first success.
Have you looked at some posts this page? You can even build a xorpad without the actual encrypted file.
Now the next step for this tool, maybe a porting to other script.. or maybe not.

And.. For the N3DS, you may have to use NAND dumps for that, cause it may have multiple APP files.
RxTools only handle the single app ones, so no injection for N3DS now.

Posted by Syphurith

Let me take a note
1.The file size had better be the same.. (May be the cause of what the NAND recorded?)
2.You should have it decrypted first, and remember to reencrypt it.
3.FixTMD should be called to use the encrypted APP/CXI, and this is what this tool missed.
And yes, Batch script is dirty and quick. And much of those might be done in a better way (i mean, python/nodejs/..) At least batch is really a bad language.. You might know what i mean.