Hacking Rom Injection Tool

FrankVVV

Active Member
Newcomer
Joined
Dec 1, 2013
Messages
36
Reaction score
8
Trophies
0
Age
54
XP
124
Country
Belgium
We have now seen a few releases where a ROM from an older console was injected into a new one so it became a 3DS VC ROM. Do you think someone will sooner or later release a tool so we could do this ourselves easily, or will that be too complicated? Imagine the 1000s of extra games that could be played on the 3DS!!!
 
Want to see it too o_o
It should be possible to replace a ROM inside of the VC game like on the Wii.
But I think we need to have a homebrew loader or something, or a method to sign the modified VC games to run them on our 3DS (like signing homebrew on PSP to run it on OFW).
 
AFAIK the BBB Game Boy Pokemon releases are encrypted as homebrew, i.e. not using the proper encryption... so if you look into how the homebrew is encrypted, you might be able to decrypt them and inject a different ROM.

... personally I think homebrew emulators would be better, instead of having a hundred and one different VC titles, just have an emulator that you can drag & drop games into... but whatever :P
 
AFAIK the BBB Game Boy Pokemon releases are encrypted as homebrew, i.e. not using the proper encryption... so if you look into how the homebrew is encrypted, you might be able to decrypt them and inject a different ROM.

... personally I think homebrew emulators would be better, instead of having a hundred and one different VC titles, just have an emulator that you can drag & drop games into... but whatever :P
Homebrew is just encrypted with a zero-filled key. ctrtool can extract the data from the ROM (so can 3DSExplorer to some degree), makerom can repack the ROM after editing.
So if they really are encrypted with a zero key, it should be a simple task to inject another ROM into it.
I may have a go at it later.
 
[Images: 001.jpg, 002.jpg, 003.jpg]

Those are by smealum except the last one. And he was only showing something he was able to do, not saying that it is a reality or may be released, so please don't start a flamewar about that; my pure intention is to show something requested here, not whining about something.
 
afaik the bbb gameboy pokemon releases are encrypted as homebrew i.e not using the proper encryption.......so if you look into how the homebrew is encrypted, you might be able to decrypt them and inject a different rom
Are you sure it's encrypted as homebrew? Couldn't they use the 3DS's AES engine to re-encrypt the file with the proper key, since AES is a symmetric algorithm?

"For homebrew you can decrypt the file to a readable format but we normally use the elf file (AES key for homebrew is 00000000000000000000000000000000, the NCCH Offset is located at 0x120 in media units (1 media unit = 0x200 bytes)) so if you want to add homebrew NCSD Support you can add that pretty easily. For nin code you need to run a decrypter on the 3ds or have the Y-Key and the final scrambler key" ~ichfly

So, if it is encrypted with the homebrew key we should be able to extract it, inject a ROM and repack. Also, it will be easier to inject a ROM into a BBB release that has already been injected (such as the Pokemon ones). The reason is that Nintendo doesn't use scene releases for the NES/GBA etc. ROMs. It will be easier to identify the header of the injected ROM as you can just look at the scene releases for the NES/GBA ROMs.
 
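As an added example (not code from this thread, nor from ctrtool or makerom), here is a small Python parser for the partition table that ichfly's quote places at 0x120 of the container header, converting media units (0x200 bytes) to byte offsets and bounds-checking each entry before anything seeks to it. The 8-entry layout of little-endian u32 (offset, length) pairs is assumed from the NCSD header layout and is not stated in the thread; the header it parses is constructed inline.

```python
import struct

MEDIA_UNIT = 0x200               # 1 media unit = 0x200 bytes, as quoted in the thread
PARTITION_TABLE_OFFSET = 0x120   # offset of the NCCH offset/length table, per the quote
HEADER_SIZE = 0x200
NUM_ENTRIES = 8                  # assumption: 8 (offset, length) pairs, NCSD-style layout


def parse_partition_table(header: bytes, image_size: int) -> list:
    """Return [(byte_offset, byte_length), ...] for the populated entries.

    Every value in the table is in media units, so each one is scaled by
    MEDIA_UNIT and then checked against the image size.  A parser that
    skips this check can be pointed past the end of the file (or, in
    32-bit C arithmetic, wrapped around) by a crafted header.
    """
    if len(header) < HEADER_SIZE:
        raise ValueError("header too short")
    parts = []
    for i in range(NUM_ENTRIES):
        pos = PARTITION_TABLE_OFFSET + 8 * i
        off_mu, len_mu = struct.unpack_from("<II", header, pos)  # assumed little-endian u32 pair
        if off_mu == 0 and len_mu == 0:
            continue  # unused slot
        off = off_mu * MEDIA_UNIT
        length = len_mu * MEDIA_UNIT
        # Python ints never wrap, so apply the 32-bit limit explicitly; this is
        # the overflow a C implementation would otherwise silently hit.
        if off > 0xFFFFFFFF or length > 0xFFFFFFFF:
            raise ValueError(f"entry {i}: media-unit value overflows a 32-bit byte offset")
        if off < HEADER_SIZE or off + length > image_size:
            raise ValueError(
                f"entry {i}: partition [{off:#x}, {off + length:#x}) lies outside image of {image_size:#x}")
        parts.append((off, length))
    return parts


def build_header(entries) -> bytes:
    """Constructed test header: writes (offset, length) pairs in media units at 0x120."""
    h = bytearray(HEADER_SIZE)
    for i, (off_mu, len_mu) in enumerate(entries):
        struct.pack_into("<II", h, PARTITION_TABLE_OFFSET + 8 * i, off_mu, len_mu)
    return bytes(h)


if __name__ == "__main__":
    # Constructed image: partition 0 at media unit 1 (4 units), partition 1 at unit 0x10 (0x20 units).
    hdr = build_header([(1, 4), (0x10, 0x20)])
    print(parse_partition_table(hdr, image_size=0x30 * MEDIA_UNIT))
```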
So, I had a look...
[Screenshot: laptopscreengrab_20140819070845.png]

Looks like the ROM is easily accessible, so injecting a new one should be no problem :)

Edit:
The ROM loaded up in VBA-M just fine too, once renamed to .gbc file extension:
[Screenshot: laptopscreengrab_20140819071212.png]


However, the edited file cannot be repacked into a RomFS using makerom. Quote from 3DSGuy: "However makerom fails to calculate two fields (relating to the organisation of the embedded FS) properly, so the 3DS doesn't accept the romfs makerom creates. I never figured out how to generate those two fields. So romfs generation remains nearly working (close but no cigar)."
If there is another tool to create romFS, or one is made, ROM injection will be easy. Otherwise... not so much.
 
So, I had a look...

Looks like the ROM is easily accessible, so injecting a new one should be no problem :)

That's awesome!!! How did you do that??? I tried poking around in 3DS Explorer and got ExeFS.bin and RomFS.bin. I decrypted RomFS.bin with the AES key. I'm guessing FS stands for File System??? Do you have to mount it?
 
So a noob question here... here are my thoughts. Correct me if I am incorrect with any of them.
  1. Homebrew .3ds files are encrypted as homebrew
  2. These HB .3ds files can run using SSSpwn
  3. .3ds game ROM files can be translated so long as they can be decrypted
  4. If perchance .3ds ROMs can be decrypted, they can be re-encrypted as HB and will still run
  5. Since these .3ds ROMs are re-encrypted as HB, they will run on SSSpwn.
  6. Also, it seems that the currently injected GB VC ROMs are incredibly inefficient, bloating a ~5 MB ROM to occupy a minimum of 64 MB.
 
So a noob question here... here are my thoughts. Correct me if I am incorrect with any of them.
  1. Homebrew .3ds files are encrypted as homebrew
  2. These HB .3ds files can run using SSSpwn
  3. .3ds game ROM files can be translated so long as they can be decrypted
  4. If perchance .3ds ROMs can be decrypted, they can be re-encrypted as HB and will still run
  5. Since these .3ds ROMs are re-encrypted as HB, they will run on SSSpwn.

SSSpwn doesn't run .3DS files, so no that won't work. ;)
 
SSSpwn doesn't run .3DS files, so no that won't work. ;)

Where is it mentioned that it can't run .3ds files? I thought it was just mentioned that it doesn't allow the running of roms. If a rom can be encrypted as homebrew then it should theoretically work.
 
That's awesome!!! How did you do that??? I tried poking around in 3DS Explorer and got ExeFS.bin and RomFS.bin. I decrypted RomFS.bin with the AES key. I'm guessing FS stands for File System??? Do you have to mount it?
ctrtool can extract files from RomFS.
makerom can create RomFS.bin but is missing an essential piece for the 3DS to accept the generated RomFS, there doesn't seem to be another tool that can create a RomFS either, so we're out of luck for the moment...

Where is it mentioned that it can't run .3ds files? I thought it was just mentioned that it doesn't allow the running of roms. If a rom can be encrypted as homebrew then it should theoretically work.
No, .3ds is the file format of ROMs. No ROMs means no .3ds. Homebrew will likely be run in an entirely different way than commercial games, so it will be impossible to run commercial games using the same method.
 
But it will run homebrews. If commercial ROMs are repacked as HB ROMs they should work.

So this means that SSSpwn would require an app to load .3ds files and a tool to repack commercial roms as homebrew and SSSpwn will allow piracy! :wacko: Gosh!
 
Where is it mentioned that it can't run .3ds files? I thought it was just mentioned that it doesn't allow the running of roms. If a rom can be encrypted as homebrew then it should theoretically work.


Homebrew .3DS files are official ROMs encrypted with 0000... AES key.

SSSPwn is a userland exploit and they have their own way of executing code inside that sandbox.

Sorry warez kiddies, it's not going to happen.

But it will run homebrews. If commercial ROMs are repacked as HB ROMs they should work.


It runs homebrew inside of userland. No, it doesn't work that way.

So this means that SSSpwn would require an app to load .3ds files and a tool to repack commercial roms as homebrew and SSSpwn will allow piracy! :wacko: Gosh!

Nope, nope, nope.
 
ctrtool can extract files from RomFS.
makerom can create RomFS.bin but is missing an essential piece for the 3DS to accept the generated RomFS, there doesn't seem to be another tool that can create a RomFS either, so we're out of luck for the moment...


No, .3ds is the file format of ROMs. No ROMs means no .3ds. Homebrew will likely be run in an entirely different way than commercial games, so it will be impossible to run commercial games using the same method.

I just built ctrtool. What are the arguments to pass it to extract the RomFS (sorry for n00b question, I haven't used it before).

Is the source for makerom out there??? We might be able to fix it.
 
I just built ctrtool. What are the arguments to pass it to extract the RomFS (sorry for n00b question, I haven't used it before).

Is the source for makerom out there??? We might be able to fix it.
ctrtool --romfsdir out_directory RomFS.bin
Will extract the contents of RomFS.bin to out_directory.

Fixing makerom would be a simple matter for someone who has reverse engineered the RomFS format fully, but that's not my strong suit. If 3DSGuy wasn't able to figure it out, most of us aren't likely to.
Source: https://github.com/3DSGuy/Project_CTR/tree/master/makerom
 
Homebrew .3DS files are official ROMs encrypted with 0000... AES key.

SSSPwn is a userland exploit and they have their own way of executing code inside that sandbox.

Sorry warez kiddies, it's not going to happen.


It runs homebrew inside of userland. No, it doesn't work that way.


Nope, nope, nope.


Ok. Ssspwn allows homebrew. Homebrew can do whatever the official dev kit can do. In theory, a homebrew to the scale of Pokemon X/Y can be created.

Homebrew .3ds files are official stuff just encrypted with the 0000.... AES key. Aka, it is a rom that has been decrypted and reencrypted with homebrew keys. So if you can decrypt a 3ds game rom and re-encrypt it with homebrew keys, the .3ds rom is now recognized by the system as homebrew and will run it.

SSSpwn executes code within a sandbox. The code that it can execute should include the code in .3ds game roms since 3ds homebrew by its very definition allows the creating of official SDK stuff but homebrew instead.
 
It runs homebrew inside of userland. No, it doesn't work that way.

How about just decrypt the ROM and use a loader to load the ROM in?
I'm assuming the exploit allows for permissions on par with commercial games.
 