Hacking eShop games are played off the SD Card

[MegamanDSi]

When you download a eShop game it says destitation SD card so does that mean we could take the key and crack em?
I also looked inn my SD and here the format of it: SD:/Nintendo 3DS\89d7560caa5aa4c60143a56d65a5fb15\bcdb00a530107f1330303030001b534d then there are 3 folders
folder 1:dbs
folder 2:extdata
folder 3:title

in folder one you will see :import.db and title.db
in folder two you will see a folder with 8 zeroes and in the 8 zeroes folder you will see two other folders one named 0000008f and the other named 00000326
in the 0000008f you will another zeroes folder. In that zeroes folder you will see 0000001 to 5 with no file extension
in the 00000326 you will see another zeroes folder and inside that zeroes folder you will see a series of zero files with letters at the end of em

in folder 3 you will see 00040000 then two folders 00032600 and 00054300

in the 00054300 folder you will see two folders data and content.

in the content folder you will see 0000000.app, .tmd and 00000001.app
and a cmd folder with a .bat apllication inside.

i open it in notepad and I get this:NQ?É®Èü ÉŸêåë+Ú»˜2ˢǓÿ¾¡+;‹. ´Ó?Ûód„¢$`V¬ªûÿæ°ŸŠ«{©Er
Þ—ë[±ùŸØ›1


the 00032600 folder has just the content folder with the0000000.app, .tmd and 00000001.app and cmd folder with a .bat application inside of it.

when read in notepad it would say ƒ
ãBN¡gÒM¢`®¶ÜfYêI«bä$OŸR¬£Ôß+ÌGK!¹ g1›Uæ@)£–-î]Æ;k™I›f™)Æ%! à)ûØ袿

So I wonder could we crack em

 

[dangerboy]

it means you can take the key and decrypt them. IF you had the fucking key!!!!!!

 

[doyama]

Games still don't run off the SD card anyways. You have to transfer them internally to play after you download it.

 

[pachura]

it means you can take the key and decrypt them. IF you had the fucking key!!!!!!

Most probably they are encrypted using private, per-console key.

 

[MegamanDSi]

Games still don't run off the SD card anyways. You have to transfer them internally to play after you download it.

no I tried it with excite bike and Pokedex I took out the Sd card the two games disappeared

 

[Crazy-S]

Now that the Games use the SD Card to save and also entire Games can be stored to the SD it would be easier to hack the 3DS with Savegame Hacks just like Twilight hack


We could change some lines in the .bat, just to see what happens XD

 

[heartgold]

Games still don't run off the SD card anyways. You have to transfer them internally to play after you download it.

No! They do run off the SD card. Which saves a lot of hassle now.

 

[deathking]

i would love to see the classics on eshop be hacked to inject whatever roms you want onto it

 

[TankedThomas]

Good luck cracking them. It'll take a long time. I myself have been working on the 3DS file system along with the eShop apps all night long (and now into the morning).

I'm no hacker, but I still know enough about computers and tech stuff that I can work things out. If there's one thing I've worked out, it's that Nintendo seems to have sorted their stuff out since the Wii. To be honest, I want to punch someone in the face after seeing this topic. You could at least look at the files in a hex editor..... even if it IS just gibberish (unless you're a robot or super-human.... I never was good with mathematics or anything similar).

Apps are split into those three files - the first being 0000000.tmd, then 00000001.app and finally 00000002.app. Then the data folder holds a .sav file, which is of 512KB for both of my apps that have it.

I'm sure that they're tied to the console, similar to the Wii, and having them split into parts is a worry. The .tmd almost seems like a header file, and what the .bat under the cmd folder is for, I have no idea.

I downloaded Pokedex 3D and 3D Classics Excitebike, as well as Super Mario Land, but I honestly don't know which is which. I presume Excitebike is the biggest, but then again, Pokedex 3D is not a port, so it's probably the biggest. Gotta say, I love the save state function for Gameboy games. That's epic.

I've actually been looking into the rest, as well. The extdat folder contains all the stuff under Extra Data that you can find under Settings on the 3DS. Most are hard to work out, but 00000326 is ~11.2MB and is Pokedex 3D (I'd be interested to know if anyone else has the same app with the same file size but with a different folder name).

The database (.db) files seem to either have little importance or great importance. They sure seem to have plenty of free space. If I had to guess, I'd say that the title.db file records (encrypted, most likely) information about each title you own/have bought/downloaded, and therefore, if it isn't on the list, it won't be valid, even if the app files are 100% valid. That could mean that if you opened the title.db file in a hex editor and replaced it with all free space, none of your apps would work. Hmmm.... that's a brilliant idea. I'm going to try that and see if it works. I'm sure Nintendo would have a counter-measure though, because that'd be fatal if just anyone could delete stuff so easily (although I'm sure you could re-download through the eShop to rebuild the database).

Something else that's pretty simple - under the "private" directory are two more folders - 00020400 and 00020500. The 204 folder holds phtcache.bin which is a cache for the 3DS Camera/Photo app (your current pictures are listed in it - the file extension, such as MPO or JPG, followed by a byte (00) of free space, followed by the file name, and then some supposedly random data that differs between each files). The 205 folder holds all the 3DS Sound app's stuff (apart from your personal files that you want to play back). This is where you can fetch any and all of your recordings.

Well, there's a whole lot of useless information. Have fun knowing (not a lot) more, people.

I'm off to do more testing now. It's fun, I guess... I wish the real hackers would do their thing though. I just like following along so that I learn stuff. I don't really want to see pirated games though...

 

[ProtoKun7]

Games still don't run off the SD card anyways. You have to transfer them internally to play after you download it.

No, 3DS software does run from the SD card. DSiWare has to be on internal memory, though.

 

[doyama]

Games still don't run off the SD card anyways. You have to transfer them internally to play after you download it.

No, 3DS software does run from the SD card. DSiWare has to be on internal memory, though.

Oh really? That's kinda new then, I had assumed the 3DS behaved similar to the DSi. Seems like an odd decision though. I realise its 'convenient' but there's obviously a lot of security issues with doing that. One thing they could have done was enable the "Secure" portion of the SD standard, though I guess that adds a layer of inconveneince without much security attached to it. I suppose for you pirates out there, if 3DS mode ever gets hacked, you'll be able to run your ROMS off the internal SD card. That will shave a good $1-2 off your flashcart cost since they won't need to put the SD card slot onto them anymore.

 

[machomuu]

Games still don't run off the SD card anyways. You have to transfer them internally to play after you download it.

No, 3DS software does run from the SD card. DSiWare has to be on internal memory, though.

Oh really? That's kinda new then, I had assumed the 3DS behaved similar to the DSi. Seems like an odd decision though. I realise its 'convenient' but there's obviously a lot of security issues with doing that. One thing they could have done was enable the "Secure" portion of the SD standard, though I guess that adds a layer of inconveneince without much security attached to it. I suppose for you pirates out there, if 3DS mode ever gets hacked, you'll be able to run your ROMS off the internal SD card. That will shave a good $1-2 off your flashcart cost since they won't need to put the SD card slot onto them anymore.

The 3DS specifically tells you that the software is being saved to the SD Card. I don't know if this will make it easier to hack, I don't think Nintendo was so stupid as to overlook the possibility.

 

[TankedThomas]

Games still don't run off the SD card anyways. You have to transfer them internally to play after you download it.

No, 3DS software does run from the SD card. DSiWare has to be on internal memory, though.

Oh really? That's kinda new then, I had assumed the 3DS behaved similar to the DSi. Seems like an odd decision though. I realise its 'convenient' but there's obviously a lot of security issues with doing that. One thing they could have done was enable the "Secure" portion of the SD standard, though I guess that adds a layer of inconveneince without much security attached to it. I suppose for you pirates out there, if 3DS mode ever gets hacked, you'll be able to run your ROMS off the internal SD card. That will shave a good $1-2 off your flashcart cost since they won't need to put the SD card slot onto them anymore.

The 3DS specifically tells you that the software is being saved to the SD Card. I don't know if this will make it easier to hack, I don't think Nintendo was so stupid as to overlook the possibility.

Considering the file structure of the apps/games on the SD card, I don't think they'll be very easy to hack. Once someone makes sense of it, they still need to piece it together and decrypt it. At least, that's what I can gather.

 

[totalnoob617]

i dont think that just because eshop games will run from sd ,that that means any future 3ds flashcard wont have its own sd slot ,it doesnt meant that the cart games will run from the internal sd slot ,i guess it wil depend on how it is hacked though, but im sure the flashcard will emulate a cart, if it just did something to unlock the system people could easily copy it i would think

 

[doyama]

It doesn't really make it any 'easier' to hack. The file structure is pretty similar to previous encrypted DSiWare stuff. Unless you can break the encryption you're not going to be doing much externally.

My only point was that if you broke the security of the 3DS somehow, since the 3DS now allows for some code execution external to the unit, you could in theory run all your stuff off the SD card, which then would mean flashcarts wouldn't need an SD card slot. Again depends on a HUGE chain of events, the first one being actually breaking the 3DS security, which is still the biggest hurdle. It'll be interesting of Team Twiizers comes up with anything. Sudokuhax has been blocked now, but perhaps the eShop provides another vector for them to investigate.

 

[tajio]

Honestly, it's going to take a couple of years to fully hack the 3DS and be able to play 3DS homebrew let alone 3DS backups.

 

[TankedThomas]

Honestly, it's going to take a couple of years to fully hack the 3DS and be able to play 3DS homebrew let alone 3DS backups.

Try telling that to everyone else. There's a reason all these damn new topics keep popping up. If only they could take your words of wisdom to heart and shut up for once....

 

[totalnoob617]

as far as i know marcan and bushing are not even looking at the 3ds yet ,atleast last i checked theey werent ,the last posts i saw were old and about the sudoku hack and dsi
but then again you never know when some company will come out of left feild with something ,like the ps jailbreak, although i do have a feeling it wont be 2 years ,i think there is way to much interest inthis system and therefore profit potential for the flashcard companies to not get something out ,my guess would be a little over a year from launch date,like 1 or 2 months

 

[MegamanDSi]

Good luck cracking them. It'll take a long time. I myself have been working on the 3DS file system along with the eShop apps all night long (and now into the morning).

I'm no hacker, but I still know enough about computers and tech stuff that I can work things out. If there's one thing I've worked out, it's that Nintendo seems to have sorted their stuff out since the Wii. To be honest, I want to punch someone in the face after seeing this topic. You could at least look at the files in a hex editor..... even if it IS just gibberish (unless you're a robot or super-human.... I never was good with mathematics or anything similar).

Apps are split into those three files - the first being 0000000.tmd, then 00000001.app and finally 00000002.app. Then the data folder holds a .sav file, which is of 512KB for both of my apps that have it.

I'm sure that they're tied to the console, similar to the Wii, and having them split into parts is a worry. The .tmd almost seems like a header file, and what the .bat under the cmd folder is for, I have no idea.

I downloaded Pokedex 3D and 3D Classics Excitebike, as well as Super Mario Land, but I honestly don't know which is which. I presume Excitebike is the biggest, but then again, Pokedex 3D is not a port, so it's probably the biggest. Gotta say, I love the save state function for Gameboy games. That's epic.

I've actually been looking into the rest, as well. The extdat folder contains all the stuff under Extra Data that you can find under Settings on the 3DS. Most are hard to work out, but 00000326 is ~11.2MB and is Pokedex 3D (I'd be interested to know if anyone else has the same app with the same file size but with a different folder name).

The database (.db) files seem to either have little importance or great importance. They sure seem to have plenty of free space. If I had to guess, I'd say that the title.db file records (encrypted, most likely) information about each title you own/have bought/downloaded, and therefore, if it isn't on the list, it won't be valid, even if the app files are 100% valid. That could mean that if you opened the title.db file in a hex editor and replaced it with all free space, none of your apps would work. Hmmm.... that's a brilliant idea. I'm going to try that and see if it works. I'm sure Nintendo would have a counter-measure though, because that'd be fatal if just anyone could delete stuff so easily (although I'm sure you could re-download through the eShop to rebuild the database).

Something else that's pretty simple - under the "private" directory are two more folders - 00020400 and 00020500. The 204 folder holds phtcache.bin which is a cache for the 3DS Camera/Photo app (your current pictures are listed in it - the file extension, such as MPO or JPG, followed by a byte (00) of free space, followed by the file name, and then some supposedly random data that differs between each files). The 205 folder holds all the 3DS Sound app's stuff (apart from your personal files that you want to play back). This is where you can fetch any and all of your recordings.

Well, there's a whole lot of useless information. Have fun knowing (not a lot) more, people.

I'm off to do more testing now. It's fun, I guess... I wish the real hackers would do their thing though. I just like following along so that I learn stuff. I don't really want to see pirated games though...

Nintendo is losing there grip and THQ said it had sophisticated anti-piracy but no Btw Nintendo said that they have no intention of brick 3DS besides they will get sued for breaking
someones property and please tell the people who believe that they will to tell them that its ok they aint gonna brick you

 

[MegamanDSi]

i would love to see the classics on eshop be hacked to inject whatever roms you want onto it

or better a homebrew channel what is nintendo allowing us to hack it this should be easy