Hacking (4.x only) CIA CFW Complete Guide

[r5xscn]

Hi I need help on installing the devmenu. I am able to boot to CFW with L button pressed, however after that there is no Internet connection (I am able to connect to internet when in OFW) only streetpass, so I cant find My 3DS IP on the network. Anyone can help? Thank you in advance.

Edit: fixed, recreate emunand after setting the internet connection and launching browser as fast as I can fixed this.

 

[codeclutch]

Hi I need help on installing the devmenu. I am able to boot to CFW with L button pressed, however after that there is no Internet connection (I am able to connect to internet when in OFW) only streetpass, so I cant find My 3DS IP on the network. Anyone can help? Thank you in advance.

Edit: fixed, recreate emunand after setting the internet connection and launching browser as fast as I can fixed this.

Yeah sometimes you just gotta try remaking the files and start over from what I've seen.. glad you got it working though

 

[ender360]

yesterday i was able to play my games in cfw. i thought of a smart idea of just letting my 3ds standby. did this for a few hours but found out it died. so now i try to launch cfw and i get the message.

"An error has occured. Hold down the POWER Button to turn off the power, then turn it on and try again. For help, visit support.nintendo.com."


I read from a few posts back that emunand must not be installed properly, to format and do all over again.
anyone encountered this and got it fixed?

 

[miamore]

yesterday i was able to play my games in cfw. i thought of a smart idea of just letting my 3ds standby. did this for a few hours but found out it died. so now i try to launch cfw and i get the message.

"An error has occured. Hold down the POWER Button to turn off the power, then turn it on and try again. For help, visit support.nintendo.com."


I read from a few posts back that emunand must not be installed properly, to format and do all over again.
anyone encountered this and got it fixed?

hi. what happen to me the last time is similar to your case.. a bit different as I accidentally changed my user and birthday on my ds profile and everything went boom! cant access the CFW with that error. what I did is reformat the 3ds and did everything from the beginning. installing the CFW all over again :-p

 

[miamore]

yesterday i was able to play my games in cfw. i thought of a smart idea of just letting my 3ds standby. did this for a few hours but found out it died. so now i try to launch cfw and i get the message.

"An error has occured. Hold down the POWER Button to turn off the power, then turn it on and try again. For help, visit support.nintendo.com."


I read from a few posts back that emunand must not be installed properly, to format and do all over again.
anyone encountered this and got it fixed?

also the CFW is very unstable.. one time I just copy an .CIA file on my SD card. and when I click the nintendo ds profile. it goes in. meaning the CFW is not working anymore (again)

 

[nop90]

also the CFW is very unstable.. one time I just copy an .CIA file on my SD card. and when I click the nintendo ds profile. it goes in. meaning the CFW is not working anymore (again)

It's not a matter of stability, CFW is not related to the DS profile hack.

If you play ds games or if you change DS profile, the hack is removed and you have to reinstall it whith a DS cart (or with the browser exploit if your FW version if affected).

But the CFW and the emunand are still on your SD card.

 

[miamore]

It's not a matter of stability, CFW is not related to the DS profile hack.

If you play ds games or if you change DS profile, the hack is removed and you have to reinstall it whith a DS cart (or with the browser exploit if your FW version if affected).

But the CFW and the emunand are still on your SD card.

thanks for the clarification.

seriously? playing ds games will removed the CFW? or could I just use a flashcart for ds games and play these DS games on my original firmware? will that affect my CFW?

 

[nop90]

thanks for the clarification.

seriously? playing ds games will removed the CFW? or could I just use a flashcart for ds games and play these DS games on my original firmware? will that affect my CFW?

You can't play ds games on cfw, you can play them (both original games and roms on ds cart) on your sysnand, but this removes the DS hack and you have to reinstall it with multiroploader.nds in order lo launch cfw again.

It's the same with the GW cart: if you play DS games you can't use the anymore the GW cart since you reinstall the DS profile hack.

 

[codeclutch]

You can't play ds games on cfw, you can play them (both original games and roms on ds cart) on your sysnand, but this removes the DS hack and you have to reinstall it with multiroploader.nds in order lo launch cfw again.

It's the same with the GW cart: if you play DS games you can't use the anymore the GW cart since you reinstall the DS profile hack.

So is there any stable way of running ds roms without having to fix it afterwards?

 

[coolfuze]

So is there any stable way of running ds roms without having to fix it afterwards?

No,t but you only need to fix it when you want access to the cfw and if you're religiously playing ds cart games it won't be that often. Plus it takes like 5 seconds to run the ds profile exploit again in my experience.

 

[shiduyo]

I keep getting stuck at ctrlclient lol, I had it running with auto click at an interval of 1 second for 2 hours but the bat never worked ¯\_(ツ)_/¯ and I've reset the cfw process 3 times already.

 

[miamore]

I keep getting stuck at ctrlclient lol, I had it running with auto click at an interval of 1 second for 2 hours but the bat never worked ¯\_(ツ)_/¯ and I've reset the cfw process 3 times already.

heres my thread about the ctrclient.

http://gbatemp.net/threads/after-installing-cfw-4-5-what-now.382459/#post-5363401

 

[miamore]

I DIDIT!!!!!!!!!!!!!!!!!!

how did you solved the failed to connect error in installing Devmenu?

 

[ender360]

hi. what happen to me the last time is similar to your case.. a bit different as I accidentally changed my user and birthday on my ds profile and everything went boom! cant access the CFW with that error. what I did is reformat the 3ds and did everything from the beginning. installing the CFW all over again :-p

I fixed it by only reinstalling cfw. Looking forward for the next cfw!

 

[Proansta]

Is there a list of working games?
(PilotWings Resort doesn't work, it stays in the "Nintendo 3DS" loading screen.)
Thanks in advance.

 

[DarkerSuperTails]

EDIT 2: ROM to CIA Guide is Released! Thanks to user Ground for helping tremendously!
EDIT: I have released a new CFW! Check the features!

Special thanks to j913b!



As of now this guide requires a 3ds flashcart that allows eShop access, or an eShop game to already be installed on your SD card. I will assume ownership of a Gateway cart, but the steps should be very similar regardless of what cart you own.

Disclaimer: I take no responsibility for any damage caused by attempting this mod. Although there have been no reported problems so far, this is cutting edge stuff that has been only lightly tested. Continue at your own risk.

Downloads
Rop MultiLoader
Hex Workshop
Win32DiskImager
Palantine CFW v1.0
DevMenu Cia - not legal to link. Use Google

1. Make sure your 3DS is configured to connect to the internet properly before going any further. Write down the LAN IP of your 3ds for later.
2. Copy the Rop Multiloader to your DS mode flashcart. Launch the Rop Multiloader rom from your cart and select "Gateway 4x"
3. Copy the Gateway Launcher.dat to your SD card, and load it with the usual exploit. Select "Nand Backup".
4. When it finishes, copy the nand.bin from your SD card to your computer.
5. If you have not already done so, boot the Gateway Launcher and select "Format Emunand". Be careful, as this will erase all the files on your SD card.
6. On your SD card navigate to "sdmc:/Nintendo 3DS/<id0>/<id1>/dbs/". Create two files in this folder named title.db and import.db . Put the SD card back in your 3ds and go to System Settings, and attempt to manage the SD software. Let the 3DS do its repair process.
7. Mount your SD card on your computer. Make a backup of the card with Win32DiskImager.
8. Open Hex Workshop as administrator. Select Disk-> Open Drive. Choose "All" from the drop down menu and select the disk with the size matching your SD card. Once opened, the very beginning should say "GATEWAYNAND"
9. Choose Disk->Restore Sectors and select your saved nand.bin. Change "Starting Sector" to be "1".
10. Now that that is finished, your SD is ready to launch the CFW. Copy the contents of the folder "SD Card" folder to your SD card.
11. Launch the "Rop Multiloader" from your DS cart again. This time select "Homebrew 4x".
12. Finally launch the exploit the usual way, and make sure to hold down the L Button. it may take as many as 10 tries to work, but don't give up. You will know it worked when the screen flashes white then black for a second.
13. Download "DevMenu_2x.cia" and put it in the "Palantine CFW" folder.
14. On your computer, in the CFW files, edit run.bat and replace "IPTOMODIFY" with the IP of your 3DS, and then run it by double clicking it. This will try to install the DevMenu onto your device.
15. Reboot your 3DS and launch the CFW again. If it worked you will see a present on the homescreen.
16. Congrats! You have installed a CFW to your 3DS!

Let me know if I have made any mistakes, or if there is need for clarification.

Win32DiskImager is used to make a backup of your emunand which you can restore to your SD card to revert back to Gateway. If you have 2 SD cards like I do then this is unnecessary.

Thanks to idunoe for the db trick!


ctrclient commands

I have reverse engineered most of the ctrclient commands and have exposed some very interesting functionality. These commands are for developers only. You run a very real risk of doing permanent damage to your device if you try to play around with these.

ctrclient.exe --serveradr=<3ds ip> --customcmd=“<custom cmd>“
 
installcia:<cia name>
 
readmem:<mem type> <offset> <size>    @<optional output file name>
    memtypes: 11kern, 11usr=, 9
    11usr=<process name> (i.e. pxi, pm)
 
writemem:<mem type> <offset> <size> @<input hex file>
    memtypes: 11kern, 11usr=, 9
    11usr=<process name> (i.e. pxi, pm)
 
getservhandle <service name> (i.e. ir:u )
 
sendservicecmd <service handle> <header code> <arg1>,<arg2>…
 
getprocinfo:addrconv <arm11 procname>  <vaddr>  (i.e. pxi 0x100000)
getprocinfo:kprocess <arm11 procname>  (i.e. pxi)
getprocinfo:mmutable <arm11 procname>  (i.e. pxi)

ROM to CIA Guide

This guide requires makerom and ctrtool.

Step1: decrypt the .3ds rom.
I will not explain it in this tutorial, as it is explained a couple of times around the forum. (http://gbatemp.net/threads/release-3ds_ctr_decryptor-void.370684/)

If you end up with a decrypted romfs.bin, exheader.bin, code.bin (decompressed), icon.bin and banner.bin you did everything correct.

Step2: creating an .rsf file
The .rsf file is a little bit different then the one for .3ds roms. Anyway here is the proper one, make sure you fill in the XXXX the right way. Just copy the text in the codebox underneath in a text editor and save it as cia.rsf in the folder with the other stuff.

• you can open the exheader or original rom in a hex editor to look up the right values for the companycode, producttyp and productcode
•For the correct UniqueID you can check ctrtool and the official rom. Just remove the last 2 0 and write the 4 digits before that in the .rsf file:

BasicInfo:
  Title                  : "Custom Title"
  CompanyCode            : "00"
  ProductCode            : "CTR-P-DERP"
  ContentType            : Application # Application / SystemUpdate / Manual / Child / Trial
  Logo                    : Nintendo # Nintendo / Licensed / Distributed / iQue / iQueForSystem
 
TitleInfo:
  UniqueId                : 0x7850
  Category                : Application
 
Option:
  UseOnSD                : true # true if App is to be #installed to SD
  EnableCompress          : true # Compresses exefs code
  FreeProductCode        : true # Removes limitations on ProductCode
  EnableCrypt            : true # Enables encryption for NCCH and CIA
  MediaFootPadding        : true # If true CCI files are created with padding
 
AccessControlInfo:
  ExtSaveDataId: 0xb7850 # same as UniqueId
  SystemSaveDataId1: 0x00000000 # plaintext exheader
  SystemSaveDataId2: 0x00000000 # plaintext exheader
  OtherUserSaveDataId1: 0x00000 # plaintext exheader
  OtherUserSaveDataId2: 0x00000 # plaintext exheader
  OtherUserSaveDataId3: 0x00000 # plaintext exheader
  UseOtherVariationSaveData : false
 
SystemControlInfo:
  SaveDataSize: 1M # plaintext exheader
  RemasterVersion: 0 # plaintext exheader
  StackSize: 0x00040000 # plaintext exheader
  JumpId: 0x000400000b000000L # plaintext exheader (<full UniqueID>L)

step 3: creating the .cia
Open the command window in the folder with the exefs.bin, exheader.bin, romfs.bin, icon.bin, code.bin, banner.bin, cia.rsf and makerom. Now run the following command:



this will output an .cia file which you can install with the DevMenu and then run.

If you encounter an error saying "[ROMFS ERROR] Invalid RomFS Binary.", then remove the "-romfs romfs.bin" from the command.

Can someone help me? It worked like for a week. But now it dosent it gives me "An error has occurred" then it reboots. Even in the MT-card i always use it and now it giving me this error. Why?

 

[Leslie White]

I successfully installed the Palantine CFW on my Old3DSXL

Just a question though, as my Old3DS is on firmware 4.5, can I update my emunand to the latest firmware or must I let the emunand in 4.5 ?

Thanks for the answer

 

[SaagiBols]

I successfully installed the Palantine CFW on my Old3DSXL

Just a question though, as my Old3DS is on firmware 4.5, can I update my emunand to the latest firmware or must I let the emunand in 4.5 ?

Thanks for the answer

do you mean Rednand? it has to stay on 4.5 coz thats the only version that supports CFW for now!
..if you want to have an emunand with the latest FW, use the MT Card files,
1st: get a new SD memory card and use it to set up the extra emunand,
2nd: install the MT Card Profile exploit,
3rd: Launch the exploit and select the format emunand
4th: launch the exploit again and boot in classic mode,
5th: go to settings and if there is an (MT) in the firmware version, update the system...

Here is an more detailed tutorial on this, just ignore the CFW steps:https://gbatemp.net/threads/tutorial-4-5-sysnand-4-5-cfw-9-4-emunand-without-gateway.378721/

 

[Leslie White]

do you mean Rednand? it has to stay on 4.5 coz thats the only version that supports CFW for now!
..if you want to have an emunand with the latest FW, use the MT Card files,
1st: get a new SD memory card and use it to set up the extra emunand,
2nd: install the MT Card Profile exploit,
3rd: Launch the exploit and select the format emunand
4th: launch the exploit again and boot in classic mode,
5th: go to settings and if there is an (MT) in the firmware version, update the system...

Here is an more detailed tutorial on this, just ignore the CFW steps:https://gbatemp.net/threads/tutorial-4-5-sysnand-4-5-cfw-9-4-emunand-without-gateway.378721/

Yeah, I meant Rednand, not Emunand, my bad... that's cause I have my habits with the GW ^^
Thanks for the answer, that's what I figured, but it's OK, I have a N3DSXL with GW, all is fine

I just kept my old3DS to test and run a CFW, when friends come they'll be able to play some cia games with it (compatibles with the 4.5 FW)

 

[apoptygma]

Good work. Recommend you add this link somewhere http://wiki.gbatemp.net/wiki/3DS_Titles_with_7.x_Encryption