[Tutorial] FW-Spoofing Game Updates

Discussion in '3DS - Tutorials' started by Ammako, Jan 2, 2016.

  1. Ammako (OP), GBAtemp Guru
    Hi there, this is a tutorial for FW-spoofing game updates for N3DS users, for game updates that require 9.6+ as we cannot update emunand past 9.5 yet.

    As I could not find an actual step-by-step tutorial on doing this I figured I would make one.

    This may not be needed if you are using Gateway as their FW-spoofing might already take care of spoofing FW properly for game updates. In case it is needed though then you should be able to follow this tutorial to get game updates working.

    When I asked people it didn't seem FreeMultiPatcher was working for spoofing game updates, so this is the main reason for this tutorial. If it -does- work, though, then this tutorial isn't completely needed.
    However, having to run FMP every time you start up your 3DS can be annoying, and this allows you to skip that entirely. You'll be able to install your game updates and they'll just -work-.

    Note this is only for N3DS users. O3DS users can update their emunand to the latest firmware and everything should run fine.

    When you try to run a game with an installed update that requires firmware above 9.5, it will not run: either the 3DS logo loading screen never ends, or the game loads to a black screen, possibly with an error message saying an error has occurred, and you have to force-power off your 3DS.

    Game updates that require 9.6+ have only started appearing recently, so there isn't much information about this and many people don't even know such updates exist (nor does anyone seem to have uploaded FW-spoofed versions of game update .cias yet).
    So chances are, you will have to FW-spoof it yourself.


    For this, you will need:
    - Decrypt9
    - PackHack (Google it, original download contains slot0x25KeyX.bin which I don't want to link to.)
    - HxD (or any other Hex Editor)
    - makerom, reuploaded to my Dropbox for your convenience (I found it unusually difficult to track down when I needed it.)
    - If you are doing this on an O3DS sysnand < 7.x : slot0x25KeyX.bin at the root of your SD card (shouldn't be a problem as the people who will be doing this are N3DS users.)

    ---

    Step 1: Getting the game update

    Get your game update .cia which requires 9.6+ to run. I don't have a list of which game updates require 9.6+, but a few that I know of are Codename S.T.E.A.M., The Legend of Zelda: Tri Force Heroes and Fire Emblem if.

    For this tutorial I will be using Codename S.T.E.A.M. v1.2.0 game update.

    Use your Google-fu to find the updates online.

    Once you have your game update, create a folder named D9Game at the root of your SD card and copy the game update over to that folder.


    ---

    Step 2: Decrypting the game update and unpacking it

    To decrypt the game update, I use Decrypt9. Download it (see the list at the beginning of this tutorial) and install it using whichever method suits you best. I personally recommend using the .3dsx version as it is the easiest to set up.

    You will have to run it from sysnand. It will not work from within emunand.

    If you are using CTRBootManager to autoboot into your favourite CFW, you will need to abort CTRBootManager's autoboot function and then select homebrew launcher. You can add Decrypt9 to sdmc:/3ds/ just like you would any homebrew and run it from HBL, or you can add it directly as an entry in CTRBootManager which in my opinion is more convenient.

    Here is a sample boot.cfg for CTRBootManager which will allow you to run Decrypt9 directly from it:

    Code:
    // Boot menu configuration
    boot_config =
    {
    	// Default timeout in seconds
    	// If timeout = -1, disable autoboot
    	timeout = 0;
    
    	// Some devices (n3ds?) seem to have
    	// some timing problems when using timeout=0 (autoboot).
    	// You may increase this value to improve boot success rate.
    	// Default delay (8) should be good for o3ds, 2 seems good for n3ds
    	autobootfix = 8;
    
    	// if timeout = 0 (autoboot),
    	// hold this key to enter the menu
    	// keycode list : https://goo.gl/4XLDIL
    	recovery = 9; // L
    
    	// Default boot entry
    	default = 0;
    
    	// Boot menu entries (11 max)
    	entries =
    	(
    		{
    			title  = "rxTools";
    			path = "/rxTools/sys/code.bin";
    			offset = "0x12000";
    		},
    		{
    			title  = "Homebrew Launcher";
    			path = "/boot_hb.3dsx";
    		},
    		{
    			title  = "Decrypt9";
    			path = "/Decrypt9WIP.3dsx";
    		}
    	);
    };
    
    Note: this configuration file will make CTRBootManager autoboot into rxTools, and to access any of the other boot options, you will have to hold L while menuhax is running until you get to the CTRBootManager menu.

    Place Decrypt9WIP.3dsx at the root of your SD card.


    Once you have all of this, you should be set to decrypt the game update.

    Boot into CTRBootManager's boot menu by holding L and select Decrypt9. Remember this will only work if it is run from sysnand, and only if sysnand is 9.2 or lower.

    Once in the Decrypt9 menu, you want to select "Game Decryptor Options", then "CIA Decryptor (deep)"
    It will work its magic and the game update .cia will be decrypted. You can now turn off your 3DS.

    Get PackHack and extract it somewhere on your computer. Copy the decrypted game update back to your computer and place it in the same folder as HackingToolkit.exe


    Then run HackingToolkit.exe

    Enter "cia", then type in the filename of your game update without the file extension as instructed.
    When it asks you if you want to decompress the code.bin file, enter y (yes)
    It will unpack the update .cia and give you a DecryptedExeFS.bin, DecryptedExHeader.bin, DecryptedManual.bin and DecryptedRomFS.bin, along with an exe and romfs folder.

    ---

    Step 3: Editing the Exheader

    In order to FW-spoof the game update, you will have to edit the DecryptedExHeader.bin

    Start up HxD and open DecryptedExHeader.bin

    Edit the two bytes at 0x39C and the two bytes at 0x79C to 21 02, then save the file.

    What you are editing: both offsets fall inside the ARM11 kernel capability descriptors, once in the ExHeader's ACI (0x370-0x3E0) and once in the ACI-limit copy inside the AccessDesc (0x770-0x7E0, the same field 0x400 bytes later). The descriptor in question is the "kernel release version" one, stored little-endian as 0xFC00mmnn with the kernel major version in mm and the minor version in nn, so 21 02 sets it to kernel 2.33, a requirement far below what 9.6+ firmware ships. Both copies must be changed, because the limit copy is what the first ACI is validated against. The author believed 2.33 corresponds to a 4.x-era firmware; the exact mapping doesn't matter as long as it is at or below your emuNAND's kernel.

    Two checks before you save: the bytes already at 0x39C should look like xx xx 00 FC (if they don't, that title keeps the descriptor in a different slot, so find the 00 FC pair within 0x370-0x3E0 instead of overwriting blindly), and the two copies should be identical after the edit. Note that this only works under CFW at all: the AccessDesc half of the ExHeader is RSA-signed, so an edited copy would fail the signature check on stock firmware; CFW patches that check, which is also why the unsigned rebuild in Step 4 installs.


    ---

    Step 4: Repacking the files into a .cia

    Once you've edited the ExHeader, the update's kernel-version requirement is spoofed to one your firmware satisfies, so it should run normally. But you still need to repack it into an installable .cia before you can actually use it.

    Download makerom and extract it anywhere you want on your computer.

    Copy the following files extracted from PackHack over to makerom's folder:
    - /exe/ folder
    - DecryptedExHeader.bin
    - DecryptedRomFS.bin

    (NOTE: If in your /exe/ folder, the code.bin file was named ".code.bin" by PackHack for some reason, rename it to "code.bin")

    You will need a RSF file. This is a basic text file in which some information needs to be changed.

    Create a blank .txt file in makerom's folder and rename it to RSF.rsf
    Copy the following code into the RSF file.

    Code:
    BasicInfo:
      Title                   : Iron15
      CompanyCode             : 00
      ProductCode             : CTR-U-BFZJ
      ContentType             : Application # Application / SystemUpdate / Manual / Child / Trial
      Logo                    : Nintendo # Nintendo / Licensed / Distributed / iQue / iQueForSystem
    
    TitleInfo:
      UniqueId                : 0x012de
      Category                : Patch # Application / SystemApplication / Applet / Firmware / Base / DlpChild / Demo / Contents / SystemContents / SharedContents / AddOnContents / Patch / AutoUpdateContents
    
    Option:
      UseOnSD                 : true # true if App is to be installed to SD
      EnableCompress          : true # Compresses exefs code
      FreeProductCode         : true # Removes limitations on ProductCode
      EnableCrypt             : false # Enables encryption for NCCH and CIA
      MediaFootPadding        : false # If true CCI files are created with padding
    
    AccessControlInfo:
      ExtSaveDataId: 0x000000000000012dc
      SystemSaveDataId1: 0x000000000
      SystemSaveDataId2: 0000000000
      OtherUserSaveDataId1: 0x000000
      OtherUserSaveDataId2: 0x000000
      OtherUserSaveDataId3: 0x000000
      FileSystemAccess:
       ##CategorySystemApplication
       ##CategoryHardwareCheck
       ##CategoryFileSystemTool
       ##Debug
       ##TwlCardBackup
       ##TwlNandData
       ##Boss
       ##DirectSdmc
       ##Core
       ##CtrNandRo
       ##CtrNandRw
       ##CtrNandRoWrite
       ##CategorySystemSettings
       ##CardBoard
       ##ExportImportIvs
       ##DirectSdmcWrite
       ##SwitchCleanup
       ##SaveDataMove
       ##Shop
       ##Shell
       ##CategoryHomeMenu
      IdealProcessor                : 0
      AffinityMask                  : 1
      Priority                      : 16
      MaxCpu                        : 0x9E # Default
      DisableDebug                  : false
      EnableForceDebug              : false
      CanWriteSharedPage            : false
      CanUsePrivilegedPriority      : false
      CanUseNonAlphabetAndNumber    : false
      PermitMainFunctionArgument    : false
      CanShareDeviceMemory          : false
      RunnableOnSleep               : false
      SpecialMemoryArrange          : false
      UseOtherVariationSaveData     : false
      CoreVersion                   : 2
      DescVersion                   : 2
      #RleaseKernelMajor            : "002
      #RleaseKernelMinor            : "350
      MemoryType                    : Application # Application / System / Base
      HandleTableSize: 512
      IORegisterMapping:
       - 1ff50000-1ff57fff
       - 1ff70000-1ff77fff
      MemoryMapping:
       - 1f000000-1f5fffff:r
      SystemCallAccess:
       ControlMemory: 1
       QueryMemory: 2
       ExitProcess: 3
       GetProcessAffinityMask: 4
       SetProcessAffinityMask: 5
       SetProcessIdealProcessor: 6
       GetProcessIdealProcessor: 7
       CreateThread: 8
       ExitThread: 9
       SleepThread: 10
       GetThreadPriority: 11
       SetThreadPriority: 12
       GetThreadAffinityMask: 13
       SetThreadAffinityMask: 14
       GetThreadIdealProcessor: 15
       SetThreadIdealProcessor: 16
       GetCurrentProcessorNumber: 17
       Run: 18
       CreateMutex: 19
       ReleaseMutex: 20
       CreateSemaphore: 21
       ReleaseSemaphore: 22
       CreateEvent: 23
       SignalEvent: 24
       ClearEvent: 25
       CreateTimer: 26
       SetTimer: 27
       CancelTimer: 28
       ClearTimer: 29
       CreateMemoryBlock: 30
       MapMemoryBlock: 31
       UnmapMemoryBlock: 32
       CreateAddressArbiter: 33
       ArbitrateAddress: 34
       CloseHandle: 35
       WaitSynchronization1: 36
       WaitSynchronizationN: 37
       SignalAndWait: 38
       DuplicateHandle: 39
       GetSystemTick: 40
       GetHandleInfo: 41
       GetSystemInfo: 42
       GetProcessInfo: 43
       GetThreadInfo: 44
       ConnectToPort: 45
       SendSyncRequest1: 46
       SendSyncRequest2: 47
       SendSyncRequest3: 48
       SendSyncRequest4: 49
       SendSyncRequest: 50
       OpenProcess: 51
       OpenThread: 52
       GetProcessId: 53
       GetProcessIdOfThread: 54
       GetThreadId: 55
       GetResourceLimit: 56
       GetResourceLimitLimitValues: 57
       GetResourceLimitCurrentValues: 58
       GetThreadContext: 59
       Break: 60
       OutputDebugString: 61
    
      AccessibleSaveDataIds:
       # 0x00000
       # 0x00000
       # 0x00000
       # 0x00000
       # 0x00000
       # 0x00000
    
      InterruptNumbers:
      ServiceAccessControl:
       - $hioFIO
       - $hostio0
       - $hostio1
       - cfg:u
       - fs:USER
       - gsp::Gpu
       - hid:USER
       - ndm:u
       - pxi:dev
       - APT:A
       - ac:u
       - act:u
       - am:app
       - boss:U
       - cam:u
       - cecd:u
       - dlp:FKCL
       - dlp:SRVR
       - dsp::DSP
       - frd:u
       - http:C
       - ir:USER
       - ldr:ro
       - mic:u
       - news:u
       - nfc:u
       - nim:aoc
       - nwm::UDS
       - ptm:u
       - qtm:u
       - soc:U
       - ssl:C
    
    SystemControlInfo:
      SaveDataSize: 1M
      RemasterVersion: 00001
      StackSize: 0x000040000
      Dependency:
        #a: 0x0004013000002402L
        #a: 0x0004013000003802L
        #a: 0x0004013000001502L
        #a: 0x0004013000003402L
        #a: 0x0004013000001602L
        #a: 0x0004013000002602L
        #a: 0x0004013000001702L
        #a: 0x0004013000001802L
        #a: 0x0004013000002702L
        #a: 0x0004013000002802L
        #a: 0x0004013000001a02L
        #a: 0x0004013000003202L
        #a: 0x0004013000001b02L
        #a: 0x0004013000001c02L
        #a: 0x0004013000001d02L
        #a: 0x0004013000002902L
        #a: 0x0004013000001e02L
        #a: 0x0004013000003302L
        #a: 0x0004013000001f02L
        #a: 0x0004013000002002L
        #a: 0x0004013000002b02L
        #a: 0x0004013000003502L
        #a: 0x0004013000004002L
        #a: 0x0004013000002c02L
        #a: 0x0004013000002d02L
        #a: 0x0004013000002102L
        #a: 0x0004013000003102L
        #a: 0x0004013000002202L
        #a: 0x0004013020004202L
        #a: 0x0004013000003702L
        #a: 0x0004013000002e02L
        #a: 0x0004013000002302L
        #a: 0x0004013000002f02L
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
        ######################
    
    You will need to edit a few things in the RSF file. Most of its contents aren't important here, but the UniqueId and ProductCode must match the title you are rebuilding.

    The Category can stay as Patch, which is what every game update is: an update's title ID starts with 0004000E where the game's starts with 00040000. You do need to change the UniqueId and the Product Code to match the original game update .cia.

    To get those, head over to 3dsdb.com and search for your game's name.
    For Code Name S.T.E.A.M., the listing shows the title ID 0004000000132500 (3dsdb labels it "UniqueID") and the Product Code CTR-P-AY6A.

    The RSF's UniqueId is the 20-bit unique ID embedded in that title ID: take the low 8 hex digits (00132500) and drop the last two (the variation byte), which leaves 001325, written 0x01325 in the RSF (leading zeros don't matter). The Product Code for an update is the game's Product Code with the P replaced by a U.

    So, for Code Name S.T.E.A.M., the UniqueId in the RSF file will be changed to 0x01325 and its Product Code will be changed to CTR-U-AY6A. (The same program ID is also stored in DecryptedExHeader.bin itself at offset 0x200, if you'd rather read it from the file than from a database.)


    Save your RSF file, you should be done with it.

    You should now be ready to run the following commands. Shift-right-click on the background of the makerom folder and select "Open command window here" to open a CMD window in makerom's directory, then copy/paste them one at a time:

    Code:
    makerom -f cxi -target t -rsf RSF.rsf -o update.cxi -exheader DecryptedExHeader.bin -code exe\code.bin -romfs DecryptedRomFS.bin -icon exe\icon.bin -alignwr
    ExInjector.exe -rom update.cxi -exheader DecryptedExHeader.bin -sd
    makerom -f cia -target t -content update.cxi:0:0 -minor 2 -micro 0 -o update.cia
    
    What they do: the first makerom call builds an unencrypted CXI (the NCCH container) from the RSF, the edited ExHeader, the code binary, the RomFS and the icon; -target t is makerom's test target, which doesn't need Nintendo's private keys and is fine on CFW. ExInjector then writes DecryptedExHeader.bin back into that CXI, so the spoofed descriptor is what ends up in the file regardless of what makerom derived from the RSF. ExInjector.exe isn't in the requirements list above, so make sure it sits in the same folder before you run this. The second makerom call wraps the CXI as content 0 of an installable CIA and sets the title version fields (adjust -minor/-micro to the version of the update you are rebuilding).

    You should now have an update.cia in makerom's folder.
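    As an added example (not the original poster's code, nor part of makerom, PackHack or ExInjector), the following Python script does Step 3 and a sanity check on the Step 4 result in one place: it finds the kernel-release-version descriptor in both ACI copies of a decrypted ExHeader by its tag rather than assuming it sits at 0x39C, rewrites it to the 2.33 value the post uses, derives the RSF UniqueId and category from the program ID stored in the ExHeader, converts the product code, and can pull the ExHeader back out of the finished CIA to confirm the spoof survived repacking. The offsets are the public ExHeader/NCCH/CIA layouts; the sample ExHeader and CIA it builds are constructed test data, and the bit layouts it relies on (descriptor tag in the top 7 bits, major/minor in the low two bytes, NoCrypto in NCCH flag byte 7) are stated in the comments as assumptions.

```python
"""Inspect, FW-spoof and re-check a decrypted 3DS ExHeader.

Added example for this tutorial, not code from the original post or from any tool it
names. Offsets follow the public ExHeader / NCCH / CIA layouts; the sample ExHeader and
CIA built at the bottom are constructed test data, not real game files.
"""
import struct

EXHEADER_SIZE = 0x800
ACI_OFFSETS = (0x200, 0x600)   # ACI, and the ACI-limit copy inside the AccessDesc (+0x400)
KCAPS_OFFSET = 0x170           # ARM11 kernel capability descriptors within each ACI
KCAPS_COUNT = 28               # 28 x u32 slots: 0x370..0x3E0 in the first ACI
KVER_TAG = 0x7E                # top 7 bits 1111110b = "kernel release version" (0xFC00mmnn)


def kernel_version_slots(exh: bytes) -> list:
    """Every kernel-release-version descriptor as (absolute_offset, major, minor).
    Scanning by tag beats writing 0x39C/0x79C blindly: the slot index is not fixed."""
    found = []
    for aci in ACI_OFFSETS:
        for i in range(KCAPS_COUNT):
            off = aci + KCAPS_OFFSET + 4 * i
            d = struct.unpack_from("<I", exh, off)[0]
            if d >> 25 == KVER_TAG:
                found.append((off, (d >> 8) & 0xFF, d & 0xFF))
    return found


def spoof_exheader(exh: bytes, major: int = 2, minor: int = 0x21) -> bytes:
    """Rewrite the kernel version in BOTH ACI copies; 2.33 (bytes 21 02) is the post's value."""
    slots = kernel_version_slots(exh)
    if len(slots) != 2:
        raise ValueError(f"expected one descriptor per ACI copy, found {slots}")
    out = bytearray(exh)
    for off, _, _ in slots:
        struct.pack_into("<I", out, off, (KVER_TAG << 25) | (major << 8) | minor)
    return bytes(out)


def title_info(exh: bytes) -> dict:
    """Program ID sits at ACI+0; derive the RSF values from it instead of a database."""
    tid = struct.unpack_from("<Q", exh, ACI_OFFSETS[0])[0]
    unique = (tid >> 8) & 0xFFFFF          # 20-bit unique ID, variation byte dropped
    return {
        "title_id": f"{tid:016X}",
        "category": (tid >> 32) & 0xFFFF,  # 0x000E marks a Patch (game update)
        "rsf_unique_id": f"0x{unique:05x}",
    }


def update_product_code(game_code: str) -> str:
    """CTR-P-XXXX (game) -> CTR-U-XXXX (its update), as the post describes."""
    region, kind, code = game_code.split("-")
    if kind != "P":
        raise ValueError(f"not a game product code: {game_code}")
    return f"{region}-U-{code}"


def _align64(n: int) -> int:
    return (n + 0x3F) & ~0x3F


def exheader_from_cia(cia: bytes) -> bytes:
    """Walk the CIA header to content 0 and return its plaintext ExHeader (NCCH + 0x200).
    Run on the rebuilt update.cia to prove the spoof survived makerom/ExInjector."""
    hdr, _t, _v, cert, tik, tmd, _meta, content = struct.unpack_from("<IHHIIIIQ", cia, 0)
    off = _align64(hdr)
    for section in (cert, tik, tmd):       # sections are 0x40-aligned, in this order
        off = _align64(off + section)
    ncch = cia[off:off + content]
    if ncch[0x100:0x104] != b"NCCH":
        raise ValueError("content 0 is not a plaintext NCCH (CIA layer still encrypted?)")
    if not ncch[0x188 + 7] & 0x4:          # NCCH flags[7] bit 2 = NoCrypto (assumed layout)
        raise ValueError("NCCH is encrypted; the ExHeader cannot be read in the clear")
    return ncch[0x200:0x200 + EXHEADER_SIZE]


def build_sample_exheader(tid=0x0004000E00132500, major=2, minor=0x2C, slot=11) -> bytes:
    """Constructed ExHeader: program ID in both ACIs, kernel-version descriptor in slot 11
    (exactly the 0x39C / 0x79C offsets the post points at), every other slot unused."""
    exh = bytearray(EXHEADER_SIZE)
    for aci in ACI_OFFSETS:
        struct.pack_into("<Q", exh, aci, tid)
        for i in range(KCAPS_COUNT):
            d = ((KVER_TAG << 25) | (major << 8) | minor) if i == slot else 0xFFFFFFFF
            struct.pack_into("<I", exh, aci + KCAPS_OFFSET + 4 * i, d)
    return bytes(exh)


def build_sample_cia(exh: bytes) -> bytes:
    """Constructed minimal CIA: header, empty cert/ticket/TMD, one plaintext NCCH."""
    ncch = bytearray(0x200) + exh
    ncch[0x100:0x104] = b"NCCH"
    ncch[0x188 + 7] |= 0x4
    hdr = bytearray(0x2020)
    struct.pack_into("<IHHIIIIQ", hdr, 0, 0x2020, 0, 0, 0, 0, 0, 0, len(ncch))
    return bytes(hdr) + bytes(_align64(0x2020) - 0x2020) + bytes(ncch)
```

    To use it on your real files: read DecryptedExHeader.bin, pass it to spoof_exheader and write the result back (it refuses to touch a file where it cannot find exactly one descriptor per ACI copy); after makerom, pass update.cia to exheader_from_cia and run kernel_version_slots on what it returns, expecting 2.33 at both offsets. A CIA whose content is still title-key encrypted fails the NCCH magic check, which is deliberate: only a plaintext build can be verified this way, and Decrypt9's deep decryptor is what gets you one.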


    The only thing left to do is install it with your favourite CIA manager, and it should run properly! :)


    Note: I have not tested this myself, as I don't have a N3DS let alone an exploitable one, and I don't have any of the games that have an update that requires 9.6+ so I can't personally test it to see if it works. However, the person who needed a FW-spoofed Code Name S.T.E.A.M. 1.2.0 update tested it for me and reported that it was working.

    If things aren't working for you, unfortunately I can't mess around with things in hopes of figuring out the problem. But this should work for any game update that requires 9.6+ to run.


    Credits

    - Asia81 for the original tutorial on decrypting and unpacking update .cias (https://gbatemp.net/threads/tutorial-how-to-decrypt-extract-and-rebuild-a-cia.388677/)
    - SciresM and RainThunder over at this thread for info on how to edit the ExHeader to FW-spoof the update and how to rebuild the unpacked files into an installable .cia
     


  2. gudenau, Largely ignored
    Happen to have a method for system titles?

    Edit:
    You should be able to get updates from funkyCIA if you have a previous update or you downloaded the game; both from the eshop of course.

    Edit 2:
    You can use ctrTool to get all the needed info for the RSF file as well.
     
    Last edited by gudenau, Jan 3, 2016
  3. MAXLEMPIRA, Legends are Made from True Stories...
    That's what I was thinking of, downloading the latest eShop CIA from 3DNUS and spoofing it. It should be possible to install it on EmuNAND and access the eShop without HANS or FMP, just by installing the latest FW-spoofed eShop and nVer/cVer (can't remember right now which one is necessary, cVer should be) on any N3DS with any CFW :3 Can someone try this?

    EDIT: Found this, if it could help https://gbatemp.net/threads/quick-tuto-decrypt-your-own-native-firmware-or-any-system-titles.396247/
     
    Last edited by MAXLEMPIRA, Jan 3, 2016
  4. Ericjwg, Good
    Nice
     
  5. NekoMichi, Retro Collector
    Quick question, I'm at the end of step 2. After using Decrypt9, the 3DS screen shows a message that the .cia was successfully decrypted and checking in the D9Game folder, I see only one .cia file. Comparing its MD5 to the original untouched .cia shows that it has indeed been modified. After I move this .cia file to the PackHack folder and running HackingToolkit.exe, I enter "cia", the name of the file (without the file extension), and then hit Y to confirm decompression code.bin, several lines of text quickly flash past (too quick to read), and I'm taken back to the HackingToolkit main menu. Looking in the folder, no files have been generated. There is no DecryptedExHeader.bin anywhere to be found. Am I doing something wrong here?

    Details abridged:
    EDIT (final):
    It looks like the problems were being caused by Windows OS on my end, it was interfering with how hackingtoolkit was working and generally wreaking havoc. Case somewhat closed, for now. :)
     
    Last edited by NekoMichi, Jan 8, 2016
  6. Ammako (OP), GBAtemp Guru
    Decrypt9 just decrypts the .cia, keeps the same file.
    It'll remain the same size and the same name because it's the same file with the same contents, just decrypted. Encryption != compression, file size wouldn't change.

    Are you sure you are selecting CIA Decryptor (deep)? (shallow) won't work, and I'm not entirely sure what the (for GW) one does.
     
  7. NekoMichi, Retro Collector
    I've been using the deep option, the log output shows no errors or anything.
     
  8. Ammako (OP), GBAtemp Guru
    I'm going to try and see if i run into the same problem. For the time being there -could- be a possibility that your update .cia got corrupted while you were copying it over to your SD card. Not sure if Decrypt9 would throw an error if that was the case.
     
    Last edited by Ammako, Jan 8, 2016
  9. NekoMichi, Retro Collector
    Thanks. :) Maybe this is something that is specific to Smash Bros.? I'll try this same procedure using a different game's update .cia later to see if anything changes.
     
    Last edited by NekoMichi, Jan 8, 2016
  10. Ammako (OP), GBAtemp Guru
    Yeah, the game update for Smash is quite large compared to every other game update so that might cause problems. But I'm pretty sure Decrypt9 is supposed to be able to decrypt even regular game .cias, which can be even larger.
     
  11. NekoMichi, Retro Collector
    Just tested a 5MB .cia game update, got the exact same results.
     
  12. Ammako (OP), GBAtemp Guru
    Well, it is working for me.
    My theory is that there is a problem with your computer itself (or so the " 'C:\Users\Admin' is not recognized as an internal or external command, operable program or batch file. " line leads me to believe.)

    Since I've already got the update downloaded here and extracted, I might as well just do the exheader editing and then I'll create a patch for you to apply to your update .cia
     
  13. NekoMichi, Retro Collector
    Thank you, I really appreciate that.
    Is this with a EUR region .cia?
     
  14. Ammako (OP), GBAtemp Guru
    Yeah, I got the EUR one.

    Also, my md5 for the decrypted .cia is 407a6db4a04ce11dec9545b294c6d87f
    Might want to compare with yours. If it matches then we can rule out Decrypt9.

    Might also want to make sure the .cia doesn't get slightly corrupted when copying over to the SD card, or making sure the decrypted one doesn't get slightly corrupted when transferring it back to the computer.

    And last but not least, if you're using the built-in N3DS FTP file transfer, the chances of a file that large getting corrupted are much higher than if you were to actually plug the microSD card in directly.

    Edit: Well anyway, if anyone's running into a similar issue, here's an xdelta patch you can apply to the EUR Smash 1.1.3 update. You will have to decrypt it with Decrypt9 first, but this should let you patch the exheader without having to use HackingToolkit, if for some reason the latter does not want to co-operate.
     


    Last edited by Ammako, Jan 8, 2016
  15. renzen, Newcomer
    same thing happened to me...
     
  16. PetitMagique, GBAtemp Regular
    This guide works on my downgraded N3DS XL running 9.5 emuNAND. Thanks!! Just one thing, could you give some more details on what the makerom commands are doing? I'm curious.

    I was having this exact same problem. In my case I realized the hackingtool application will not accept filenames with spaces. I renamed the update file to "update.cia" and everything works as expected.
     
  17. NekoMichi, Retro Collector
    I figured that the file name had issues, so I tried update.cia at that time, but it didn't change anything. Turns out the Windows OS was having issues, so it seems to be an isolated case on my end. Thanks anyway. :)
     
  18. PetitMagique, GBAtemp Regular
    So I also tried this guide with Triforce Heroes 2.1.0 update. It works. The game screen shows v2.1.0 and I can load the game and play online. However, I still get the update notification on the homescreen. Any idea what may be causing this? Did I not patch something?
     
  19. Comedor, GBAtemp Fan
    Interesting, what would happen if you try to install a .cia update that requires 9.6 on a 9.2 system? I didn't know updates had firmware check.

    Also, this tutorial can only be used for updates right? But not actual games?
     
  20. NekoMichi, Retro Collector
    The update will install, but launching the game will cause the 3DS to hang on the loading animation.