Hacking 3DBrew / ctrtool / 3DSExplorer discussion

[3DSGuy]

I thought it would be a good idea to make a thread for anyone to ask questions about, What a specific update to 3DBrew/ctrtool/3DSExplorer means/does? And what does it mean in the grand scheme of things? Or just explaining a file format. It's mainly for those without the knowledge/resources to figure it out themselves. Hopefully any false hopes leading to homebrew can be squashed before harm or can be done or more 50 page threads made.

So if you have any questions, ask away. Hopefully myself or someone else will have the answer or at least an educated guess.

 

[yuyuyup]

Thanks for your help and also that great dev unit post from a while ago, the latest github from neimod updated with the following: Added preliminary support for RomFS. Does this mean anything? https://github.com/3dshax/ctr

 

[3DSGuy]

Thanks for your help and also that great dev unit post from a while ago, the latest github from neimod updated with the following: Added preliminary support for RomFS. Does this mean anything? https://github.com/3dshax/ctr

This update allows ctrtool to list and extract the resources from a RomFS file(the 'preliminary' part of the update comment, probably means that it's not perfect, or neimod intends to expand on the extracting capabilities). This is good, as at the moment no other tool can read/extract data from RomFS files.

Some background info on the RomFS file format:

RomFS files are part of the NCCH file format which are found in game ROMs(officially known as CCI files), eShop downloads and System titles
RomFS is a file format which contains resources which is used by the executable code like textures, graphics and sounds, even level layouts perhaps. It can also hold the download play app which is sent over between 3DS' and it can also hold the electronic manual used by the home menu.

 

[FAST6191]

Perhaps unrelated and I meant to ask in the dev thread but with the dev stuff and these tools is there a way to get either some dev binaries and/or assets in plaintext (well plain as far as the basic inbuilt ROM encryption). I ask as I would not mind a crack at reverse engineering some of the file formats in 3ds games like we did for the wii once decryption tools were released there ( http://gbatemp.net/topic/72013-wii-decryption-tool-released/page__st__15 ).

 

[Cyan]

Is there a visual schematics of a CCI, with each part nested?

like:

Spoiler: CCI (the rom dump)

Spoiler: The CCI Header

RSA-2048 SHA-256 signature of the NCSD header
Magic Number 'NCSD'
Size of the NCSD image
Media ID
Partitions FS type
Partitions crypt type

Spoiler: CXI

Spoiler: NCCH

Rom headers are here!
Content size
Partition ID
Maker code
Game ID

ExeFS offset
ExeFS size, in media units
ExeFS hash region size

RomFS offset, in media units
RomFS size, in media units
RomFS hash region size

ExeFS superblock hash
RomFS superblock hash

Spoiler: Extended header

Which data has the extended header??

Spoiler

[titlelain binary region]
The game's code is here?

Spoiler: ExeFS

embedded executable filesystem (ExeFS) - (contains ARM11 code, Home menu icn/bnr and logo)

Spoiler: RomFS

read-only filesystem (RomFS) - (Used for external file storage)

Something like that. Is that correct? It's not full, I put very few info inside, but it display visually the content of a CCI.

I guess on the RomFS and ExeFS, there are different partitions (defined in the NCCH Header)

 

[3DSGuy]

Is there a visual schematics of a CCI, with each part nested?

like:

Spoiler: CCI (the rom dump)

Spoiler: The CCI Header

RSA-2048 SHA-256 signature of the NCSD header
Magic Number 'NCSD'
Size of the NCSD image
Media ID
Partitions FS type
Partitions crypt type

Spoiler: CXI

Spoiler: NCCH

Rom headers are here!
Content size
Partition ID
Maker code
Game ID

ExeFS offset
ExeFS size, in media units
ExeFS hash region size

RomFS offset, in media units
RomFS size, in media units
RomFS hash region size

ExeFS superblock hash
RomFS superblock hash

Spoiler: Extended header

Which data has the extended header??

Spoiler

[titlelain binary region]
The game's code is here?

Spoiler: ExeFS

embedded executable filesystem (ExeFS) - (contains ARM11 code, Home menu icn/bnr and logo)

Spoiler: RomFS

read-only filesystem (RomFS) - (Used for external file storage)

Something like that. Is that correct? It's not full, I put very few info inside, but it display visually the content of a CCI.

I guess on the RomFS and ExeFS, there are different partitions (defined in the NCCH Header)

Hmm there are some mistakes, I'll re-do your spoiler tree.

 

[3DSGuy]

Spoiler: NCSD i.e. CCI (the rom dump)

Spoiler: The NCSD Header

RSA-2048 SHA-256 signature of the NCSD header
Magic Number 'NCSD'
Size of the NCSD image
Media ID
Partitions FS type
Partitions crypt type
NCCH table
Flags
NCCH title ID table
Card Info Header

Spoiler: NCCH

Spoiler: NCCH Header

RSA Signature
Magic NCCH
Content size
Partition ID
Maker code
Program ID
Extended header hash
Extended header size
Flags
Plain region offset
Plain region size

ExeFS offset
ExeFS size, in media units
ExeFS hash region size

RomFS offset, in media units
RomFS size, in media units
RomFS hash region size

ExeFS superblock hash
RomFS superblock hash

Spoiler: Extended header

Basicaly data which tells the 3DS, what the application is going to need available to it so it can function properly

Spoiler

[titlelain Region]
This contains SDK revision labels, and other resource labels.

Spoiler: ExeFS

embedded executable filesystem (ExeFS) - (contains application ARM11 code, Home menu icn/bnr and logo)

Spoiler: RomFS

read-only filesystem (RomFS) - code cannot be executed from here. It contains assets(graphics/sounds/objects) used by the ExeFS of the NCCH. It can also hold the Download play app for games which support download play. It can also contain the game manual.

That's more accurate. But looking at a rom in 3DSExplorer will give you a file tree, if you want something accurate.

 

[3DSGuy]

Perhaps unrelated and I meant to ask in the dev thread but with the dev stuff and these tools is there a way to get either some dev binaries and/or assets in plaintext (well plain as far as the basic inbuilt ROM encryption). I ask as I would not mind a crack at reverse engineering some of the file formats in 3ds games like we did for the wii once decryption tools were released there ( http://gbatemp.net/t...ed/page__st__15 ).

Yes you can, if you have a developer NCCH(CXI/CFA) encrypted with the 'zeros' key ctrtool can decrypt the RomFS and dump the assets from the RomFS. (it can be encrypted with another key, but you have know the encryption key, and you have to specify the key when attempting to decrypt the NCCH with ctrtool)

 

[yuyuyup]

Sorry for the bump, but I noticed the http://3dbrew.org/wiki/Title_list was updated on the 7th. Would you mind explaining any updates (if any are even worth caring about,) you know me just trying to keep abreast

 

[3DSGuy]

Sorry for the bump, but I noticed the http://3dbrew.org/wiki/Title_list was updated on the 7th. Would you mind explaining any updates (if any are even worth caring about,) you know me just trying to keep abreast

This list got reduced to a manageable size by deleting the demo list and cartridge list and shrinking the size of the regular eShop list. I've moved the full lists to my github wiki page and keep them updated there.

 

[elisherer]

There's a more robust list handled by mtheall on the irc channel..

 

[3DSGuy]

There's a more robust list handled by mtheall on the irc channel..

I didn't know mtheall upkept a list of eShop apps? is the irc channel you refer to "#3dsdev"?

EDIT: isn't yellows8 mtheall?

 

[Pippin666]

Can we extract icon from the rom with this tool ?? I wish I could extract SMB3DLand and HoR's icon.

Pip'

 

[SifJar]

Can we extract icon from the rom with this tool ?? I wish I could extract SMB3DLand and HoR's icon.

Pip'

Only if you happen to have the key for the NCCH. Or else a developer NCCH (for which the key is all zeros, if I am understanding 3DSGuy correctly).

So no, basically.

EDIT: Actually, the icon is in the ExeFS, not the RomFS. So this may be wrong. I have no idea if anything can actually view/extract ROM icons, but I don't think so. I haven't seen any extracted icons before, so I am assuming it can't be done.

 

[elisherer]

There's a more robust list handled by mtheall on the irc channel..

I didn't know mtheall upkept a list of eShop apps? is the irc channel you refer to "#3dsdev"? yes, on EFNet

EDIT: isn't yellows8 mtheall? No, yellows8 is also on the IRC channel

 

[3DSGuy]

There's a more robust list handled by mtheall on the irc channel..

I didn't know mtheall upkept a list of eShop apps? is the irc channel you refer to "#3dsdev"? yes, on EFNet

EDIT: isn't yellows8 mtheall? No, yellows8 is also on the IRC channel

Thanks for clarifying

 

[RodrigoDavy]

Just to confirm, the SD filesystem is encrypted with console unique keys under the Nintendo 3DS directory, does that means even the .sav files uses this kind of encryption? And if I want to backup a savefile, can I keep the encrypted copy in my computer and then transfer it to the sd card whenever I want?

 

[heartgold]

Just to confirm, the SD filesystem is encrypted with console unique keys under the Nintendo 3DS directory, does that means even the .sav files uses this kind of encryption? And if I want to backup a savefile, can I keep the encrypted copy in my computer and then transfer it to the sd card whenever I want?

Yeah sure, I've done that plenty of times. Heck I had a Metriod fusion backup save on my PC along with other 3DS data, my current SD became faulty so I used the backup data and everything worked. Although I was a few levels behind in Metriod cos you know that was the backup when it was taken.

 

[3DSGuy]

Just to confirm, the SD filesystem is encrypted with console unique keys under the Nintendo 3DS directory, does that means even the .sav files uses this kind of encryption? And if I want to backup a savefile, can I keep the encrypted copy in my computer and then transfer it to the sd card whenever I want?

Yep. Like heartgold said, you can keep backups of SD card game saves on your PC and restore them whenever you want.

 

[sightlight]

Hey guys, are we close to hack the System?