Syphurith (Member, Normal user, Level 18, post 1/59, since 10-26-15)
I'm quite a noob here, but I'd like to try to answer this.
I found no way to directly decrypt the system CIAs I get from Ninty's CDN. Even with decrypted title keys, the decrypted content still seems encrypted/a mess. The only way for me now is to install the CIA to the EmuNAND, then decrypt and dump those system apps with rxTools. Once it is dumped, you can see lots of .app files in your SD card root. Just look for the title ID you'd like to see; it should be fully decrypted, and with ctrtool or whatever you can unpack it. Maybe a later release of rxTools would allow users to decrypt and dump just the ones they ask for, written in a text file. If there is any way to fully decrypt the contents, I'd be quite happy to see it.
Syphurith (Member, Normal user, Level 18, post 2/59, since 10-26-15)
Sorry if I posted in the wrong section of this forum. What I faced may be a little noobish, so this is more like discussion than released information.
I think all those command headers of services on 3dbrew should be legit; however, I have never found any part of any header value in the decompressed code.bin of those system modules. Maybe the service module is placed when being initialized? There seems to be an initializer included at the very beginning of code.bin.
And let me show you a little tool. I've written a little tool to recognize those NCCHs from a section file provided. Mostly it was made for the section NATIVE_FIRM_ARM11_1FF00000 of the decrypted FIRM from 9.8.0J. With it I got the NCCHs of fs, loader, pm, pxi and sm. You can compile it with "gcc -O3" if you want. C source of this tool: URL
How to get the section? Well, you can still do it manually with hex editors, following the offsets ctrtool tells you. BTW, I have never successfully loaded any NCCH just with ctr_ldr.py..
Syphurith (Member, Normal user, Level 18, post 3/59, since 10-26-15)
I wrote a tool to replace the encrypted parts of the original file with decrypted ones.
Comparison between the original H&S and the FBI injection, with those decrypted NCCHs: Romfs, Exheader, Exefs: mismatch. Inside the Exefs: code.bin is touched. It seems little was not changed.. Here you can get the tool: DecryptedReplacer. Source code included. Maybe you can inject one whose size is just smaller than the xorpad? You see most contents are touched. Exactly, FBI's exefs is bigger than H&S's.
Syphurith (Member, Normal user, Level 18, post 4/59, since 10-26-15)
The .app content is indeed a CXI. Because we would need to repack the exefs and the CXI, I think 3dstool is better for it. However, I don't know how to create a valid TMD file..
Here are some steps.. Note: the old method with DecryptedReplacer is now in a spoiler.
1. Unpack the old CXI. The NCSD header is saved in this step.
   3dstool -xvtf cxi 00000002.app --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin --exh-xor 0004001000020300.Main.exheader.xorpad --exefs-xor 0004001000020300.Main.exefs_norm.xorpad --romfs-xor 0004001000020300.Main.romfs.xorpad
   EDIT: Figured out the logo.bcma.lz isn't actually needed when repacking.
2. Unpack the old exefs.
   3dstool -xvtfu exefs exefs.bin --header exefsheader.bin --exefs-dir exefs
3. Now overwrite the contents, including romfs.bin, code.bin and exheader.bin.
4. Rebuild the exefs. If you don't have the header, take it from the original exefs.bin, bytes 0x0-0x200.
   3dstool -t exefs -c --exefs-dir exefs -f exefs.bin --header exefsheader.bin
   Note: 3dstool needs icon.icn and banner.bnr inside the exefs folder.
5b. Repack it, also applying the xorpads.
   3dstool -cvtf cxi 1.cxi --header ncchheader.bin --exh exh.bin --plain plain.bin --exefs exefs.bin --romfs romfs.bin --exh-xor 0004001000020300.Main.exheader.xorpad --exefs-xor 0004001000020300.Main.exefs_norm.xorpad --romfs-xor 0004001000020300.Main.romfs.xorpad
Yes, note the CXI "1.cxi" is now encrypted. And that is actually the same file DecryptedReplacer produces.
Now, what blocks me from going further is the TMD. I don't know how to generate it properly. I've compared several TMDs, and tried to get one from makerom and then unpack it, however still no success.
Syphurith (Member, Normal user, Level 18, post 5/59, since 10-26-15)
Posted by plutoo: Thanks for that. However, I didn't know and had already made a tool to extract those NCCHs from the section.... Any thoughts about the command header? It's quite weird to me.
Syphurith (Member, Normal user, Level 18, post 6/59, since 10-26-15)
Posted by plutoo: Then would there be some precalculated ones in other modules? I've tried cfg from 9.8 just minutes ago, and no such command header is found.. Maybe I'm silly? Whatever, thanks for your patience in answering my question. I would try using a decrypted cfg from 4.1..
Syphurith (Member, Normal user, Level 18, post 7/59, since 10-26-15)
Posted by plutoo: Would you mind telling me which system version of those system titles was checked when those command headers could be found? I checked the 4.1 cfg minutes ago, and I seem to have loaded it wrongly. A hex search produced no result for 0x00010082 inside its code.bin. However, when checking the 9.8 cfg there is quite a bulk of Thumb at its beginning.. Maybe I've searched the wrong module..
Syphurith (Member, Normal user, Level 18, post 8/59, since 10-26-15)
Posted by plutoo: Then I will forget about checking those inside Thumb modules. Oh, so I would still have to use the outdated sig file or read it myself. My question is totally solved, many thanks. Have a good day.
Syphurith (Member, Normal user, Level 18, post 9/59, since 10-26-15)
Finally got the hash update to work. However, it seems I built a wrong APP file..
There is already an updated version of it on the next page, so this link is removed. Calculation: URL from gbatemp.net
And 0xB0C, the content length, should be updated too - if the length was touched.
Syphurith (Member, Normal user, Level 18, post 10/59, since 10-26-15)
Posted by Mrrraou: Thank you for that. I have to admit Decrypt9 is the better option for decrypting things.. So next time I could try it when I don't want to install the CIA.
Syphurith (Member, Normal user, Level 18, post 11/59, since 10-26-15)
I'm glad to see you already know how to build the TMD..
Posted by d0k3: Do you mean where to get precompiled and ready-for-use app and tmd files for injection? If so, you can just take a look at the rxTools release package; there is /tools/fbi_inject/. But I wonder how exactly to build a valid .app file. I've tried to replace the exefs (so banner, icon and logo would be changed also), and repacked and re-encrypted it back. However, once I tapped it in EmuNAND, it just showed a black screen and popped out an error. I must have made some mistakes while creating the CXI.. Hope you can get a valid tool, either for Decrypt9 or for PC.
Syphurith (Member, Normal user, Level 18, post 12/59, since 10-26-15)
Posted by d0k3: Oh, now I understand. I would upload an H&S app from my decrypted NAND, from 9.8 and 4.1, JPN. Could I post those links? I mean, it might be illegal? Note that the xorpads for different versions are different - because of the different names.
Syphurith (Member, Normal user, Level 18, post 13/59, since 10-26-15)
I second the post by nopy. The NAND chip of your New 3DS is an MLC one, which holds 2 bits in a cell. MLC has a typical write lifespan of 10K times for every cell; however, this is for Micron-produced ones. Check here for typical times. Not only your flashing would cost its write cycles; the normal use of your console, when writing files, would cost some too. So I doubt what is stored in your NAND has already been broken.
To check whether it is or not, just get your NAND FAT xorpad to decrypt both images: the "working" one you flashed, which was dumped when it was last working, and the "current" one you dumped after flashing the "working" one. Decrypt both images with the xorpad, and extract the "titles" folder to be compared; you can use the tool WinMerge2011 for such a comparison. If you don't care about totally bricking it, or it is confirmed your NAND chip is worn out, you might want to try replacing the chip yourself. If so, good luck - the chip is just around where you connect the pins, not hard to find, and please note you'd better get a chip with the same product ID.
Syphurith (Member, Normal user, Level 18, post 14/59, since 10-26-15)
Posted by plutoo: Sorry to disturb you again, but.... I've found a title hidden in FIRM, which is called PROCESS9, title ID 0004013000003000. This is found in the SAFE_MODE FIRM; also 5 modules of their SAFE_MODE edition are found. Now this is the new link of the tool.. Here it goes, if you'd like to play with it.. Eh.. Sorry, this might already be known to you all, since Process9 is described on the page "FIRM" on 3dbrew.
Syphurith (Member, Normal user, Level 18, post 15/59, since 10-26-15)
Posted by d0k3: Well, I was hoping for you to get the file, and now the link is removed.
Posted by d0k3: Wait a minute for me to inject it.. Confirmed to be 1.3.8. The generated inject app and tmd for 2050 JPN O3DS are exactly the same file as the one from rxTools.. Problem solved, due to wrong behavior of ctrtool. Once I used 3dstool to unpack the file, the code.bin matches the one from rxTools fbi_inject.app. Anyway, forget about it.. Just use 3dstool when ctrtool goes wrong. Eh.. Maybe the exe contains some interesting things too, because it requests a tmd.
Syphurith (Member, Normal user, Level 18, post 16/59, since 10-26-15)
Posted by profi200: Sorry, and it won't happen again. Extra: It seems I am blocked/banned on 3dsdev, which might be because of supporting rxTools. However, this stops me from sending it to him more easily/securely..
Posted by d0k3: Quite happy to see you figured out the details. Eh, let me check it myself again.. Compared material: the decrypted exheader of FBI.app and the fbi_inject/Riku-generated edition, and H&S. fbi_inject.app from rxTools and the Riku-generated one are exactly the same (hashed). FBI.app is extracted from the FBI.cia with ctrtool, from the FBI 1.3.8 release. To be short, I would just show you what is modified from the normal FBI exheader, that is adjusted to the H&S one. Style: Addr + Length. Note: this might be a minimum requirement..
0x000 + 0x8 , 0x00C + 0x4 , 0x1C8 + 0x4 , 0x1CC + 0x4 , 0x200 + 0x8 , 0x248 + 0x1 , 0x600 + 0x8 , 0x648 + 0x1
So, in short, I could overwrite the inject app exheader by 0x0 + 0x16, 0x1C8 + 0x8, 0x200 + 0x8, 0x248 + 0x1, 0x600 + 0x8, 0x648 + 0x1.
Extra: Well, I would recommend a binary comparison by some script next time for such jobs.. And yes, we should try combined system access first..
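As an added example, not code from this thread: the kind of binary comparison script recommended in the post above, written here in Python. It reports runs of differing bytes in the post's "Addr + Length" style, optionally merges spans separated by a few equal bytes, and copies chosen spans from one exheader over another so the listed ranges can be applied and re-checked. The two inputs are assumed to have the same length; the sample "exheaders" are constructed inline.

```python
def diff_ranges(a: bytes, b: bytes, merge_gap: int = 0) -> list:
    """Return [(offset, length), ...] for every run of bytes where a and b differ.
    Runs separated by at most `merge_gap` equal bytes are joined, so neighbouring
    spans such as 0x000 + 0x8 and 0x00C + 0x4 can be reported as one span.
    """
    if len(a) != len(b):
        raise ValueError("inputs differ in length: %d vs %d" % (len(a), len(b)))
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(a) - start))
    if merge_gap and ranges:
        merged = [ranges[0]]
        for off, ln in ranges[1:]:
            poff, pln = merged[-1]
            if off - (poff + pln) <= merge_gap:
                merged[-1] = (poff, off + ln - poff)
            else:
                merged.append((off, ln))
        ranges = merged
    return ranges

def copy_ranges(dst: bytes, src: bytes, ranges) -> bytes:
    """Copy the given (offset, length) spans of src over dst; returns the new bytes."""
    out = bytearray(dst)
    for off, ln in ranges:
        if off < 0 or ln < 0 or off + ln > min(len(src), len(out)):
            raise ValueError("span 0x%X + 0x%X is out of bounds" % (off, ln))
        out[off:off + ln] = src[off:off + ln]
    return bytes(out)

def format_ranges(ranges) -> str:
    """Render spans in the thread's 'Addr + Length' style."""
    return " , ".join("0x%03X + 0x%X" % (off, ln) for off, ln in ranges)

if __name__ == "__main__":
    # Constructed sample: two 0x800-byte "exheaders" that differ in three spots.
    base = bytes(range(256)) * 8
    other = bytearray(base)
    other[0x000:0x008] = b"\xff" * 8
    other[0x00C:0x010] = b"\xee" * 4
    other[0x1C8:0x1D0] = b"\x00" * 8
    print(format_ranges(diff_ranges(base, bytes(other))))
```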
Syphurith (Member, Normal user, Level 18, post 17/59, since 10-26-15)
Posted by d0k3: Eh.. I've got a purely legal way for you to get those .app files next time. You don't need to install them! I don't care about this any more, since you can check it yourself if you wish. You can get those EUR/USA/KOR/CHN ones. Well, older titles might be found on that ISO site. Thanks to this guy in this post for this; I didn't know that was possible before. Hope the progress goes smoothly.
Syphurith (Member, Normal user, Level 18, post 18/59, since 10-26-15)
Posted by d0k3: Your plan sounds good. Well, I wonder what if the injected app has a romfs.... And the actual sizes of the exefs differ - at least for FBI and H&S. What the Fix TMD I posted does is just the hashing and the content size update. It gets the size of the .app, sets it in the update, and re-calculates those 3 hashes. I think you already know how to calculate the hashes. When I was trying to build an injectable file, I forgot to compare the other files, so I didn't find that difference in the exheader. Eh, for ctrtool.. yes, all okay, but please try 3dstool if extraction goes wrong - I've experienced such a thing. Well, nothing now. Except I wonder if the size could really affect that much. Hope your customized build of any other app could work. FBI is written in C++, and built with citrus/aemstro/ctrcommon/picasso/libctru, and I doubt if the latest version could fit in the size. Checked - not much bigger than the original H&S. It might fit.. Also to note, you might want to try to inject a version into your N3DS. Once you plan to do so, please have your NAND backup and NAND xorpad with you. Good luck.
Syphurith (Member, Normal user, Level 18, post 19/59, since 10-26-15)
Posted by d0k3: I was thinking of using 3dstool/ctrtool/makerom to do its unpack/repack. And after that, all we need to do might be to recreate the exheader and tmd. Well, indeed 3dstool is best for NCCH/CXI. However, I haven't tested the other files it generates, that is, the ncchheader.bin. It can always generate a valid CXI if proper material is given, because the tool is made for translation purposes. Yes, the exefs.bin and romfs.bin can not always be the same for them..
Syphurith (Member, Normal user, Level 18, post 20/59, since 10-26-15)
Posted by d0k3: 3dstool supports reading a decrypted file without a xorpad, or reading an encrypted one with a xorpad. When using a xorpad, please remember to use those --XX-xor arguments. Eh, the TMD fixer is written by myself. Since the zip file contains its source code, you might want to simply take a look at it. All it does is quite simple: recalculate those SHA-256 hashes. Note: the previous post contains the link to its source, but not in the package when I broke the rules. I compiled it in MSYS2 - mingw64 mode, on my Win 8.1 x64 PC. If you really can't get it compiled, you may want to write one yourself. Below is all that it does. An updated version of FixTmd: Here it is. It would accept other APP and TMD names; see its output. Source included.
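An added example, not Syphurith's FixTmd or any rxTools code: a Python version of what the "Fix TMD" posts above describe (update the content length at 0xB0C and recalculate the three SHA-256 hashes), using the 3DS TMD layout documented on 3dbrew: a 0x140-byte signature block, the header, 64 content info records, then the content chunk records, which is why the first content's size lands at 0xB0C. check_tmd walks the same chain in the verifying direction, which is the half you want when inspecting a modified TMD; the sample TMD is constructed inline and is not a real Nintendo file.

```python
import hashlib
import struct
# 3DS TMD layout (per 3dbrew): a 0x140-byte signature block, then the header.
HDR = 0x140
COUNT_OFF = HDR + 0x9E            # content count, u16 big-endian (0x1DE)
INFO_HASH_OFF = HDR + 0xA4        # SHA-256 over all 64 content info records (0x1E4)
INFO_OFF = HDR + 0xC4             # 64 content info records x 0x24 bytes (0x204)
CHUNK_OFF = INFO_OFF + 64 * 0x24  # content chunk records, 0x30 bytes each (0xB04)
CHUNK_LEN = 0x30                  # id u32, index u16, type u16, size u64, sha256

def _chunks(t, first, n):
    """Raw bytes of chunk records first .. first+n-1 (what one info record hashes)."""
    return bytes(t[CHUNK_OFF + first * CHUNK_LEN:CHUNK_OFF + (first + n) * CHUNK_LEN])

def fix_tmd(tmd: bytes, app: bytes) -> bytes:
    """Copy of `tmd` whose first content record describes `app`: new size at 0xB0C
    and SHA-256 at 0xB14, then each info record's hash over the chunk records it
    covers, then the header hash over all info records. The RSA signature is left
    alone; it cannot be regenerated without Nintendo's signing key."""
    t = bytearray(tmd)
    struct.pack_into(">Q", t, CHUNK_OFF + 0x8, len(app))
    t[CHUNK_OFF + 0x10:CHUNK_OFF + 0x30] = hashlib.sha256(app).digest()
    for i in range(64):
        rec = INFO_OFF + i * 0x24
        first, n = struct.unpack_from(">HH", t, rec)
        if n:                                      # unused info records stay zero
            t[rec + 4:rec + 0x24] = hashlib.sha256(_chunks(t, first, n)).digest()
    t[INFO_HASH_OFF:INFO_HASH_OFF + 0x20] = hashlib.sha256(t[INFO_OFF:CHUNK_OFF]).digest()
    return bytes(t)

def check_tmd(tmd: bytes, app: bytes) -> bool:
    """True if the chain header hash -> info records -> chunk record -> app holds."""
    t = bytes(tmd)
    if t[INFO_HASH_OFF:INFO_HASH_OFF + 0x20] != hashlib.sha256(t[INFO_OFF:CHUNK_OFF]).digest():
        return False
    for i in range(64):
        rec = INFO_OFF + i * 0x24
        first, n = struct.unpack_from(">HH", t, rec)
        if n and t[rec + 4:rec + 0x24] != hashlib.sha256(_chunks(t, first, n)).digest():
            return False
    size = struct.unpack_from(">Q", t, CHUNK_OFF + 0x8)[0]
    return size == len(app) and t[CHUNK_OFF + 0x10:CHUNK_OFF + 0x30] == hashlib.sha256(app).digest()

def make_sample_tmd(app: bytes) -> bytes:
    """Constructed single-content TMD for testing; not a real Nintendo file."""
    t = bytearray(CHUNK_OFF + CHUNK_LEN)
    struct.pack_into(">I", t, 0, 0x00010004)        # signature type RSA-2048 SHA-256
    struct.pack_into(">H", t, COUNT_OFF, 1)
    struct.pack_into(">HH", t, INFO_OFF, 0, 1)      # info record 0 covers chunk record 0
    return fix_tmd(bytes(t), app)
```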