Hacking [Release]NTR CFW 3.2 with experimental Real-Time Save feature.

JoelLouviere · Jul 25, 2015

Zidapi said:
You seem pretty confident in your answer. Is there any particular reason why NTR can't be adapted for use with Ninjhax2.0?

The reason CFWs like Pasta and reiNAND, and apps like FBI don't work under Ninjhax2.0 is because the arm9 exploits they require were patched from 9.3 onwards.

NTR however doesn't use any arm9, it's all arm 11. So why couldn't it be updated for systems running 9.3+ sysNAND?

If that's the case, it's probably just a matter of it not being made yet. Whoever says it won't ever work obviously doesn't know what they're talking about, then.
I just hope we hear from cell about it being on 9.9 ;___;

sneef · Jul 26, 2015

Spzjulien said:
i installed ntr 2.2 on my New 3ds 9.0E, boot without any problem

then i boot pasta with CN card, then try to boot NTR with cubic cia ...

it pass all clear mem and test but seem freeze at the end when bootNTR 2.3 "start ntr.bin" last screen .... any clue ??

edit : problem solved ntr 2.2 fail but 2.1 work ... at last .. (with PastaCFW 1.3 beta7)
now let play with debuger

OMG thank you for posting this!! i had done this setup on my japanese N3DS and it worked with 2.2 but now i'm using the exact setup as you (eu/aus n3ds on 9.0.0 20E) and it was crashing on start ntr.bin and i was going insane.. so glad to know 2.1 works.. gonna look for it now.. thanks again!!!

Spzjulien · Jul 26, 2015

sneef said:
OMG thank you for posting this!! i had done this setup on my japanese N3DS and it worked with 2.2 but now i'm using the exact setup as you (eu/aus n3ds on 9.0.0 20E) and it was crashing on start ntr.bin and i was going insane.. so glad to know 2.1 works.. gonna look for it now.. thanks again!!!

U welcom

Yes that odd, it boot first time then never work again, but with 2.1 no problem at all...

I3lackMoon · Aug 4, 2015

liomajor said:
How to use NTR CFW + Debugger with ARCode Cheats

You need:

- A retail Cartridge or legit CIA buyed from eShop
(unsigned cia works with pre bootet PASTA CFW)
- Cubic Ninja with NTR QR Code
- NTR.BIN in root folder of internal memorycard
- Create empty file 'debug.flag' in root folder of internal memorycard
- NTR Debugger
- Activated WLAN with Internet and a PC in the same Network

debug.flag or activate it inside NTR Menu (press X+Y)

Used Commands:

To connect to your console's IP use:
connect('XXX.XXX.XXX.XXX', 8000)

A few games disconnect wlan when playing movie / loading,
if that happens, don't close NTR Debugger, re-connect it!

To get your App/Game's PID:
listprocess()

Example MH4U-EUR:
(pid: 0x00000028, pname: redgiant, tid: 0004000000126100)

PID might change once per boot!

You can find TitleID's for games here: http://3ds.essh.co/

To write your value:
write(0x<OFFSET>, (0x<VALUE>, 0x<VALUE> ,0x<VALUE> ,0x<VALUE>), pid=0x<PID>)

OFFSET = Cheat Offset // VALUE = The Value you want to write // PID = The Apps/Games Process ID

NTR Debugger:

- Start Cubic Ninja and execute NTR Exploit
- Start your desired game
- Start NTR Debugger on PC
- Connect NTR Debugger Example: connect('192.168.1.100', 8000)
- To get the PID, write listprocess() and look for your Games TitleID (TID)

As example i took PID 0x28.

Now how to use ARCode:

Example ARCode
-=[Paper Mario Sticker Star]=-
$9999
02CBCE9C 0000270F

NTR will be 14000000 + ARCode Offset = OFFSET:
write(0x16CBCE9C, (0x0F, 0x27 ,0x00 ,0x00), pid=0x28)

Depending on what you cheated, it might be necessary to
buy/sell,enter/exit map/house or gain exp to take affect.

To dump your games flash memory:

Additional Commands:

Display Apps/Games Memory Layout:
memlayout (pid=0xPID)

Example MH4U (EUR):
valid memregions:
00100000 - 0111dfff , size: 0101e000
08000000 - 0b13efff , size: 0313f000
0ffc0000 - 10000fff , size: 00041000
10002000 - 10002fff , size: 00001000
1e800000 - 1e9fffff , size: 00200000
end of memlayout.

You have to find the region where your value
belongs to! In most cases, it will be inside
the region that covers offset around 14000000!

To DUMP memoryregions:
data(0x<START OFFSET>, 0x<size>, filename='<name of the file>', pid=0x<PID>)

To find cheats:

Make as many dumps you need and use Cheatengine to find your offset.

Example:
Dump 01 > 1000
Dump 02 > 2000

To use Cheatengine with dumped files:
Press "Open Process", then press "Open File" and choose
your file. After searching, switch to the next dump.

To get the real offset from Cheatengine to NTR it's:
<START OFFSET> + <FOUND OFFSET> = <OFFSET>

To write the offset with your value (4 Bytes): (Example 50000 dec // 0000C350 Hex)
write(0x<OFFSET>, (0x50 ,0xC3 ,0x00 ,0x00), pid=0x<PID>)

To export the offset to ARCode (HEX):
<START OFFSET> + <FOUND OFFSET> - 14000000 = <ARCode OFFSET>

If the result is negative (<0), ARCode is unable to use the cheat!

For a few games, the found offset is not fixed and you need to find it once per use.

You are free to copy my Tutorial as long you share it for everyone!

Noob question >.<
When come to type write, it said ...

null
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Server disconnected.

Do u know what happened ?

Deleted User · Aug 4, 2015

I3lackMoon said:
Noob question >.<
When come to type write, it said ...

null
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Server disconnected.

Do u know what happened ?

Happens to me too :/

dsrules · Aug 4, 2015

I3lackMoon said:
Noob question >.<
When come to type write, it said ...

null
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Server disconnected.

Do u know what happened ?

did you enable the debugger?? push X+Y then choose Enable debugger

I3lackMoon · Aug 4, 2015

dsrules said:
did you enable the debugger?? push X+Y then choose Enable debugger

Yeah, i've enabled it, and successful connect it to my 3ds IP, but when i want to write, it showed that T-T

dsrules · Aug 4, 2015

I3lackMoon said:
Yeah, i've enabled it, and successful connect it to my 3ds IP, but when i want to write, it showed that T-T

maybe the address you tried to write to is out of range? check memory regions and range with memlayout(YourPID#)

I3lackMoon · Aug 4, 2015

dsrules said:
maybe the address you tried to write to is out of range? check memory regions and range with memlayout(YourPID#)

I'm sure i've checked the address with PID with Arcodes + 14000000 right ? I wanna share the cheat but unfortunately the site is down T-T

dsrules · Aug 4, 2015

I3lackMoon said:
I'm sure i've checked the address with PID with Arcodes + 14000000 right ? I wanna share the cheat but unfortunately the site is down T-T

if the ARCode is 0x03XXXXXX (0x17XXXXXX) then 99% it will not work on ntr
if it's 0x00XXXXXX to 0x02XXXXXX (0x14000000 to 0x16000000) then it will 99.9% work on ntr

I3lackMoon · Aug 4, 2015

dsrules said:
if the ARCode is 0x03XXXXXX (0x17XXXXXX) then 99% it will not work on ntr
if it's 0x00XXXXXX to 0x02XXXXXX (0x14000000 to 0x16000000) then it will 99.9% work on ntr

Oh i just knew it, i thought it's around 0x14xxxxxx and above @@, yea my code is 0x03xxxxxx ... so how can i overcome this matter ?

dsrules · Aug 4, 2015

I3lackMoon said:
Oh i just knew it, i thought it's around 0x14xxxxxx and above @@, yea my code is 0x03xxxxxx ... so how can i overcome this matter ?

rehack by dumping 001 , 080 regions
or dump fcram 001 080 and search values near fcram address on 001 or 080

I3lackMoon · Aug 4, 2015

dsrules said:
rehack by dumping 001 , 080 regions
or dump fcram 001 080 and search values near fcram address on 001 or 080

Ah, i see ... btw what range of the regions that ntr confirmed worked ? >.<

dsrules · Aug 4, 2015

I3lackMoon said:
Ah, i see ... btw what range of the regions that ntr confirmed worked ? >.<

check your game with memlayout(0xpid#)

I3lackMoon · Aug 4, 2015

dsrules said:
check your game with memlayout(0xpid#)

I think i get it now

So, i have to search the offset myself then >.<
Thx for the info so far

dsrules · Aug 4, 2015

I3lackMoon said:
I think i get it now
So, i have to search the offset myself then >.<
Thx for the info so far

btw, after using memlayout on ntr 2.2 , 3ds is most likely to freeze if you try to continue playing
ntr 3.0 should fix that and there's no point to use 2.2 now when 3.0 is out

I3lackMoon · Aug 4, 2015

dsrules said:
btw, after using memlayout on ntr 2.2 , 3ds is most likely to freeze if you try to continue playing
ntr 3.0 should fix that and there's no point to use 2.2 now when 3.0 is out

Thx again, but i already use ntr 3.0

It's more easy to use than ntr 2.2 for me >.<

EDIT : why i never find the exact offset in my dumps T-T ...
Let's say : dump1 -> 2500 , dump2 -> 1620 ... in cheat engine i open file dump1, use first scan 2500, then open file dump2, use next scan 1620, and found nothing ... is my debugger not working or what ? @@

Hazard2 · Aug 13, 2015

liomajor said:
How to use NTR CFW + Debugger with ARCode Cheats

You need:

- A retail Cartridge or legit CIA buyed from eShop
(unsigned cia works with pre bootet PASTA CFW)
- Cubic Ninja with NTR QR Code
- NTR.BIN in root folder of internal memorycard
- Create empty file 'debug.flag' in root folder of internal memorycard
- NTR Debugger
- Activated WLAN with Internet and a PC in the same Network

debug.flag or activate it inside NTR Menu (press X+Y)

Used Commands:

To connect to your console's IP use:
connect('XXX.XXX.XXX.XXX', 8000)

A few games disconnect wlan when playing movie / loading,
if that happens, don't close NTR Debugger, re-connect it!

To get your App/Game's PID:
listprocess()

Example MH4U-EUR:
(pid: 0x00000028, pname: redgiant, tid: 0004000000126100)

PID might change once per boot!

You can find TitleID's for games here: http://3ds.essh.co/

To write your value:
write(0x<OFFSET>, (0x<VALUE>, 0x<VALUE> ,0x<VALUE> ,0x<VALUE>), pid=0x<PID>)

OFFSET = Cheat Offset // VALUE = The Value you want to write // PID = The Apps/Games Process ID

NTR Debugger:

- Start Cubic Ninja and execute NTR Exploit
- Start your desired game
- Start NTR Debugger on PC
- Connect NTR Debugger Example: connect('192.168.1.100', 8000)
- To get the PID, write listprocess() and look for your Games TitleID (TID)

As example i took PID 0x28.

Now how to use ARCode:

Example ARCode
-=[Paper Mario Sticker Star]=-
$9999
02CBCE9C 0000270F

NTR will be 14000000 + ARCode Offset = OFFSET:
write(0x16CBCE9C, (0x0F, 0x27 ,0x00 ,0x00), pid=0x28)

Depending on what you cheated, it might be necessary to
buy/sell,enter/exit map/house or gain exp to take affect.

To dump your games flash memory:

Additional Commands:

Display Apps/Games Memory Layout:
memlayout (pid=0xPID)

Example MH4U (EUR):
valid memregions:
00100000 - 0111dfff , size: 0101e000
08000000 - 0b13efff , size: 0313f000
0ffc0000 - 10000fff , size: 00041000
10002000 - 10002fff , size: 00001000
1e800000 - 1e9fffff , size: 00200000
end of memlayout.

You have to find the region where your value
belongs to! In most cases, it will be inside
the region that covers offset around 14000000!

To DUMP memoryregions:
data(0x<START OFFSET>, 0x<size>, filename='<name of the file>', pid=0x<PID>)

To find cheats:

Make as many dumps you need and use Cheatengine to find your offset.

Example:
Dump 01 > 1000
Dump 02 > 2000

To use Cheatengine with dumped files:
Press "Open Process", then press "Open File" and choose
your file. After searching, switch to the next dump.

To get the real offset from Cheatengine to NTR it's:
<START OFFSET> + <FOUND OFFSET> = <OFFSET>

To write the offset with your value (4 Bytes): (Example 50000 dec // 0000C350 Hex)
write(0x<OFFSET>, (0x50 ,0xC3 ,0x00 ,0x00), pid=0x<PID>)

To export the offset to ARCode (HEX):
<START OFFSET> + <FOUND OFFSET> - 14000000 = <ARCode OFFSET>

If the result is negative (<0), ARCode is unable to use the cheat!

For a few games, the found offset is not fixed and you need to find it once per use.

You are free to copy my Tutorial as long you share it for everyone!

You sir just made my day. I was looking for similar information for a while till you showed up! thank you (even if the post is old) didn't know that 3ds hacking scene has gone much deeper
Question, aside from ram dumps, isn't there a way yet that let you dump/extract the actual binary of the game? and when i say a "binary" i mean like DOLs (Wii) SO (Android Shared Object) Mach-O (iOS), etc... and if so, is the right loaders/plugins have been made for a disassembler like IDA? can't find such thing anywhere.

liomajor · Aug 13, 2015

With NTR/Reinand you can only dump FCRAM. Everything else is part of the romfs/etc you can extract after gaining the xorpads.

For details you can read 3dbrew / File Formats / Memory Layout

Hazard2 · Aug 13, 2015

liomajor said:
With NTR/Reinand you can only dump FCRAM. Everything else is part of the romfs you can extract after gaining the xorpads.

oh i see thank you

being a newcomer even to 3ds as a whole. I messed with the former systems in my last post alot (not like searching for the code/cheat then apply it) so I don't like to sit and play only.
regarding your second statement, so i guess it's possible to get it but yet not to disassemble it...

Hacking [Release]NTR CFW 3.2 with experimental Real-Time Save feature.

Well-Known Member

Well-Known Member

Well-Known Member

Member

Deleted User

Guest

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Member

Well-Known Member

Member

Similar threads

Popular threads in this forum