Tutorial

Quick Tuto: Decrypt your own Native Firmware! (or any system titles)

I've searched a lot for a way to do that. So firstly, thanks to everybody who helped me, even a little!
Hall of fame: @motezazer, @Ronhero, @AlbertoSONIC, @d0k3, @MassExplosion213, @thaikhoa, @Gadorach, sansnumen!

This method can be applied to any system titles.


And now the great part!


To decrypt the sysNAND's native-firm, you need:

- Decrypt9
- ctrTool
- WinImage (or an equivalent software)

1- Download Decrypt9, copy the files to your SD card and run it on your 3DS.
2- On the menu, search for "CTR Partitions Dump" and run it. Shut down your console.
3- Copy CTRNAND.bin from the root of your SD card to your PC and open it with WinImage.
4- Go to \title\00040138\00000002\content, extract "000000XX.app" and rename it to "firm.app".
5- Create a \D9titles folder, copy firm.app into it and run Decrypt9 again on your 3DS.
6- This time, on the menu, search for "Decrypt Titles" and run it. Shut down your console and put the SD card back into your PC.
7- Download ctrtool, extract the archive and copy firm.app from the \D9titles folder into the \ctrtool folder.
8- Run "extract-decrypted-ExeFS-x32/64.bat" and go to the \ExeFS folder, where there is a "firm.bin": this is your decrypted native-firm!


To decrypt the emuNAND's native-firm, you need:

- Decrypt9
- ctrTool
- WinImage (or an equivalent software)
- 3DSFat16tool
- emuNANDTool

1- Download emuNANDTool and dump the emuNAND of your SD card with it, then rename this backup to "NAND.bin"!
2- Download 3DSFat16tool, extract the archive and copy the previous NAND.bin into the \3DSFat16tool folder.
3- Download Decrypt9, copy the files to your SD card and run it on your 3DS.
4- On the menu, search for "CTRNAND Padgen" and run it. Shut down your console.
5- Copy "nand.fat16.xorpad" from the root of your SD card to the \3DSFat16tool folder on your PC.
6- Run "Decrypt-NAND.bat" and open CTRNAND.bin with WinImage.
7- Go to \title\00040138\00000002\content, extract "000000XX.app" and rename it to "firm.app".
8- Create a \D9titles folder, copy firm.app into it and run Decrypt9 again on your 3DS.
9- This time, on the menu, search for "Decrypt Titles" and run it. Shut down your console and put the SD card back into your PC.
10- Download ctrtool, extract the archive and copy firm.app from the \D9titles folder into the \ctrtool folder.
11- Run "extract-decrypted-ExeFS-x32/64.bat" and go to the \ExeFS folder, where there is a "firm.bin": this is your decrypted native-firm!


Attachments

  • ctrtool.zip (257.1 KB)
  • 3DSFat16tool.zip (19.1 KB)

Syphurith

Maybe you could add this manual version of the title decryption.
Get the .app files you want to play with:
- From the decrypted NAND, using WinImage/UltraISO or other mount tools, go check the path "/title/<TitleIDHigh>/<TitleIDLow>".
- You would need the TitleID. If you're playing with system titles, feel free to search for the name on the 3dbrew Title List page.
- Get the .app files from the "content" folder. There may be more than one; get all of them.
- Most .app files could be encrypted like game .3DS files. Use ncchinfo_gen.py to generate the ncchinfo.bin and use that to generate the xorpads.
- If you don't think it is encrypted, use ctrtool -i <Name.app> to check whether there is a "hash mismatch". If yes, it is surely encrypted (for now).
- Use ctrtool to unpack the .app, as you do when converting a .3DS. Like: ctrtool -p --exefs=exefs.bin --romfs=romfs.bin --exheader=exheader.bin <Name.app>
- Once you get the xorpads from your console, use padxorer to decrypt the unpacked .bin files for you. Like: padxorer exefs.bin 0000.Main.norm_exe.xorpad
- Then you can unpack the romfs, or others, using ctrtool. Like: ctrtool -t romfs --romfsdir=./romfs decrypted_romfs.bin
- Feel free to play with the decrypted files. Like: ctrtool -t exheader -i decrypted_exheader.bin

Following the manual way you may even patch and re-encrypt it back; however, NO SIGNATURE IS GENERATED!
Edit the decrypted content. Once done, get it encrypted using padxorer: padxorer decrypted_modified_romfs.bin 0000.Main.romfs.xorpad.
Then open HxD with the original .app file, the original encrypted part and your re-encrypted part.
Simply search for the original binary's offset, calculate its end, and copy all of your re-encrypted content over it.
Note: only useful when both encrypted parts have the same length. Otherwise you may have to edit the .app to change its regions, and this is beyond my knowledge.

I personally used patchrom from 44670. To use this you would have to get devkitPro+devkitARM and Python installed.
Place the extracted exefs (mostly a code.bin would be produced) and the decrypted exheader.bin, romfs.bin and exefs.bin into the repo's /workdir folder.
Rename exheader.bin to exh.bin. Make sure you have exh.bin, romfs.bin, exefs.bin, and an exefs/code.bin in the workdir folder.
Next, open cmd.exe and add devkitARM/bin to PATH, like "set PATH=%PATH%;C:\devkitPro\devkitARM\bin". Then call the python script "exe2elf.py".
This tool is not so good to use, and you may have other tools for the purpose of converting the exefs to ELF.
To my knowledge this tool only calls the arm-none-eabi-gcc from devkitARM to link the content again, so most of what you edited could be found in the original decrypted file.

BTW, there is something weird for me. I do know every version of those system apps could have different xorpads.
But once I tried to do all this with the O3DS Native_FIRM, the one rxTools decrypted and patched is around 943KB while the decrypted & unpacked firm.bin is only ~940KB.
I compared the two files with WinMerge2011 and figured out there is almost only a difference at the end of the file: ~2KB missing from the manually decrypted one.
Almost? Because the one in the rxTools folder is also patched, and there are some bytes different from the original.

Anyway, hope the above helps with some development... And? I didn't find a 0x10082 in any binary in my decrypted "cfg".
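As an added example (not code from this thread, nor from ctrtool, padxorer or Decrypt9), the Python below walks through the manual method in the post above and the ExeFS extraction in the OP on a constructed NCCH: it reads the ExeFS/RomFS offsets from the .app header (3dbrew documents them at 0x1A0 and 0x1B0 in 0x200-byte media units), XORs a region with its xorpad the way padxorer does, and performs the HxD write-back with the same-length check the note describes, refusing when the length differs. The header, pad and region contents are constructed sample data, not a real title.

```python
import struct

MEDIA_UNIT = 0x200  # NCCH stores offsets and sizes in 0x200-byte media units

def ncch_regions(app):
    """Return {'exefs': (offset, size), 'romfs': (offset, size)} in bytes,
    read from the NCCH (.app) header; raises if the magic at 0x100 is absent."""
    if app[0x100:0x104] != b"NCCH":
        raise ValueError("not an NCCH container")
    exefs_off, exefs_size = struct.unpack_from("<II", app, 0x1A0)
    romfs_off, romfs_size = struct.unpack_from("<II", app, 0x1B0)
    return {"exefs": (exefs_off * MEDIA_UNIT, exefs_size * MEDIA_UNIT),
            "romfs": (romfs_off * MEDIA_UNIT, romfs_size * MEDIA_UNIT)}

def xor_with_pad(data, xorpad):
    """padxorer-style XOR: decrypting and re-encrypting are the same operation."""
    if len(xorpad) < len(data):
        raise ValueError("xorpad shorter than the region it must cover")
    return bytes(a ^ b for a, b in zip(data, xorpad))

def decrypt_region(app, name, xorpad):
    """Cut one region out (as ctrtool -p does) and XOR it with its pad."""
    off, size = ncch_regions(app)[name]
    return xor_with_pad(app[off:off + size], xorpad)

def replace_region(app, name, new_encrypted):
    """The HxD step: write the re-encrypted region back at its original offset,
    refusing if its length changed (the header would then need editing)."""
    off, size = ncch_regions(app)[name]
    if len(new_encrypted) != size:
        raise ValueError(f"{name} length changed: {size} -> {len(new_encrypted)}")
    return app[:off] + new_encrypted + app[off + size:]

def patch_romfs(app, old, new, xorpad):
    """Decrypt, edit (same-length byte replace), re-encrypt and write back."""
    plain = decrypt_region(app, "romfs", xorpad).replace(old, new)
    return replace_region(app, "romfs", xor_with_pad(plain, xorpad))

# Constructed sample, not real console data: a header plus one media unit each
# of ExeFS and RomFS, both encrypted with one made-up pad (a real title has a
# separate pad per region, e.g. 0000.Main.norm_exe.xorpad / 0000.Main.romfs.xorpad).
PAD = bytes((i * 37 + 11) & 0xFF for i in range(MEDIA_UNIT))
EXEFS_PLAIN = b"fake ExeFS".ljust(MEDIA_UNIT, b"\0")
ROMFS_PLAIN = b"fake RomFS".ljust(MEDIA_UNIT, b"\0")
_hdr = bytearray(MEDIA_UNIT)
_hdr[0x100:0x104] = b"NCCH"
struct.pack_into("<II", _hdr, 0x1A0, 1, 1)  # ExeFS at media unit 1, 1 unit long
struct.pack_into("<II", _hdr, 0x1B0, 2, 1)  # RomFS at media unit 2, 1 unit long
SAMPLE_APP = bytes(_hdr) + xor_with_pad(EXEFS_PLAIN, PAD) + xor_with_pad(ROMFS_PLAIN, PAD)
```

Run against a real firm.app you would pass the pads Decrypt9 or ncchinfo_gen.py produced for that title; the script never touches the NCCH signature, so, as the post says, a patched result is not signed.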

pakrett

Thank you! Be sure that I will add this, but I'll test what you said first to be sure not to misunderstand something ^^
> Any Unix-based system.
> Like Linux.
mmmmm, I like to play with Linux too ^^

leerpsp

I hate to be this guy and ask, and I know better than to ask, but I'm going to so others will see this before we get a lot of them asking about it......................... here it comes............ (can this be used to downgrade 9.9?)

Cavioe

> I hate to be this guy and ask, and I know better than to ask, but I'm going to so others will see this before we get a lot of them asking about it......................... here it comes............ (can this be used to downgrade 9.9?)

Just sell your 9.9 and get another.

pakrett

> If I had a decrypted native firm from someone, I wouldn't need to do the same again with my own system. Is that right?
Correct ^^ This is for those who want another version of the native-firm, the files that were deleted from Nintendo's servers.
> I hate to be this guy and ask, and I know better than to ask, but I'm going to so others will see this before we get a lot of them asking about it......................... here it comes............ (can this be used to downgrade 9.9?)
NO way ^^

pakrett

But he needs a hardmod, a way to generate this xorpad on 9.9 (without any access ^^) and a way to re-encrypt the system titles for his console, so...