Tutorial
Updated
Patching CIA Executable
I will show you how to patch a CIA's executable, this will allow you to do things like install SaltySD without NTR.
Requirements:
Step 1: Decrypt the CIA
Step 2: Extract the CIA
Step 3: Modify the code
Step 4: Repack the CIA
Step 5: Fix Versions (optional, but recommended)
Step 6: Encrypt The CIA
Step 7: Profit
If someone has a capture device, I would love some screenshots of D9!
Requirements:
- Ctrtool (in tools.zip)
- 3dstool (Also in tools.zip)
- makerom (guess where?)
- Hex editor
- CIA you want to patch
- CFW
- Decrypt9WIP
Step 1: Decrypt the CIA
You may skip this if your CIA is decrypted already!
Copy your the CIA that you want to decrypt into D9game on the root of your SD card.
Then go into Decrypt9, Game Decryptor Options->CIA Decrypter (deep) and wait.
Now copy that back to your PC, it is now decrypted!
Copy your the CIA that you want to decrypt into D9game on the root of your SD card.
Then go into Decrypt9, Game Decryptor Options->CIA Decrypter (deep) and wait.
Now copy that back to your PC, it is now decrypted!
Step 2: Extract the CIA
Execute "ctrtool --contents=contents [CIA].cia", with [CIA].cia replaced with the proper file.
Take note of the content file names, this will be important while remaking the CIA.
Next we need to extract the primary content file, this should be called contents.0000.XXXXXXXX, like the Smash 1.1.5 update it is called contents.0000.00000014. Execute "3dstool -xvtf cxi [CONTENTS] --header ncch.header --exh exheader.bin --exefs exefs.bin --romfs romfs.bin --plain plain.bin" with [CONTENTS] replaced with the contents file. This should generate a warning about "logoregion", it is safe to ignore this.
Next we need to extract the exefs, execute "3dstool -xvtf exefs exefs.bin --exefs-dir exefs --header exefs.header".
The final extraction step is to decompress the code, execute "3dstool -uvf exefs/code.bin --compress-type blz --compress-out code-orig.bin"
Take note of the content file names, this will be important while remaking the CIA.
Next we need to extract the primary content file, this should be called contents.0000.XXXXXXXX, like the Smash 1.1.5 update it is called contents.0000.00000014. Execute "3dstool -xvtf cxi [CONTENTS] --header ncch.header --exh exheader.bin --exefs exefs.bin --romfs romfs.bin --plain plain.bin" with [CONTENTS] replaced with the contents file. This should generate a warning about "logoregion", it is safe to ignore this.
Next we need to extract the exefs, execute "3dstool -xvtf exefs exefs.bin --exefs-dir exefs --header exefs.header".
The final extraction step is to decompress the code, execute "3dstool -uvf exefs/code.bin --compress-type blz --compress-out code-orig.bin"
Step 3: Modify the code
Copy the code-orig.bin file wherever you need it, modify it, and copy it back as
code-patched.bin.
code-patched.bin.
Step 4: Repack the CIA
First we need to compress the modified code, execute "3dstool -zvf code-patched.bin --compress-type blz --compress-out exefs/code.bin"
Then we need to create the exefs. Execute "3dstool -cvtf exefs exefs2.bin --exefs-dir exefs --header exefs.header"
We need to make the modified CXI, execute "3dstool -cvtf cxi patched.cxi --header ncch.header --exh exheader.bin --exefs exefs2.bin --romfs romfs.bin --plain plain.bin"
Finally we need to create the CIA file, this is where the name of the content files is needed. Execute "makerom -f cia -o [PATCHED].cia -content patched.cxi:0" with all the content files appended to it with "-content contents.xxxx.yyyyyyyy:x" EXCEPT for contents.0000.yyyyyyyy. For my SaltySD patch it would be "makerom -f cia -o SmashUpdate.NaCl.decrypted.cia -content patched.cxi:0 -content contents.0001.0000000f:1"
Then we need to create the exefs. Execute "3dstool -cvtf exefs exefs2.bin --exefs-dir exefs --header exefs.header"
We need to make the modified CXI, execute "3dstool -cvtf cxi patched.cxi --header ncch.header --exh exheader.bin --exefs exefs2.bin --romfs romfs.bin --plain plain.bin"
Finally we need to create the CIA file, this is where the name of the content files is needed. Execute "makerom -f cia -o [PATCHED].cia -content patched.cxi:0" with all the content files appended to it with "-content contents.xxxx.yyyyyyyy:x" EXCEPT for contents.0000.yyyyyyyy. For my SaltySD patch it would be "makerom -f cia -o SmashUpdate.NaCl.decrypted.cia -content patched.cxi:0 -content contents.0001.0000000f:1"
Step 5: Fix Versions (optional, but recommended)
Open the decrypted CIA in a hex editor, and locate the two bytes at offset 0x00002F9C and copy those.
Copy that to the modified CIA at 0x00002F9C.
Copy that to the modified CIA at 0x00002F9C.
Step 6: Encrypt The CIA
Now that the cia has been modified, we need to encrypt it; some things will break if the CIA is not encrypted. Copy the modified CIA to D9game again, launch Decrypt9WIP and goto Game Decryptor Options->CIA Encryptor (NCCH) and wait.
Step 7: Profit
If someone has a capture device, I would love some screenshots of D9!
Last edited by gudenau,
