CIA is not an executable format, it's an archive used for installation.
http://3dbrew.org/wiki/CIA
If you want to modify the binary, you'll have to extract it from the archive.
Ok so, I compiled ctrtool and tried to extract it from the .cia but it doesn't seem to work.
M:\ctr>ctrtool -i rc.cia
Header size 0x00002020
Type 0000
Version 0000
Certificates offset: 0x00002040
Certificates size: 0x0a00
Ticket offset: 0x00002a40
Ticket size 0x0350
TMD offset: 0x00002dc0
TMD size: 0x0b64
Meta offset: 0x1177d40
Meta size: 0x0000
Content offset: 0x00003940
Content size: 0x0000000001174400
Warning, could not read common key.
Ticket content:
Signature Type: 04000100
Issuer: Root-CA00000004-XS00000009
Signature:
000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................
Encrypted Titlekey: DF7E3183ED96A41602F74F6B1DEA3862
Ticket ID: 594037C3424ED03B
Ticket Version: 0
Title ID: 0004000E0011D700
Common Key Index: 0
Content permission map:
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
TMD header:
Signature type: RSA 2048 - SHA256
Issuer: Root-CA00000004-CP0000000a
Version: 1
CA CRL version: 0
Signer CRL version: 0
System version: 0000000000000000
Title id: 0004000E0011D700
Title type: 00000040
Group id: 0000
Access rights: 00000000
Title version: 0403
Content count: 0002
Boot content: 0000
Hash: F7736C8DF6A6711D189718A927DA26C3E4FFD0B4BA1F00BF05F089F6
C6FE750E
TMD content info:
Content index: 0000
Command count: 0002
Unknown: 31644B957A07652FDCEBEBA524CDFF396DEC93597AECC48C93F24E07
20B66085
TMD contents:
Content id: 00000004
Content index: 0000
Content type: 0000
Content size: 0000000000f99400
Content hash: 0588C2D6DD2933BAFEE48CD007E6BE5E37BDE54BCC55C78A3C346E4F
9C33598A
Content id: 00000005
Content index: 0001
Content type: 0000
Content size: 00000000001db000
Content hash: 6B006F492CD65C2901E0AC4C139B7878AA1F2A762FA16D5EDAD0CD73
B5F7BF85
M:\ctr>
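The section offsets ctrtool prints above can be recomputed from the sizes in the CIA header alone, which is a quick way to check whether a .cia is truncated or internally inconsistent before trying to unpack it. This is an added example, not part of the thread or of ctrtool; the field layout follows the 3dbrew CIA page linked above, the function names are illustrative, and the sample header is constructed from the values in the posted output.

```python
import struct

# CIA header fields per the 3dbrew CIA page, little-endian, 0x20 bytes;
# a 0x2000-byte content index bitmap follows, giving header size 0x2020.
CIA_HEADER = struct.Struct("<IHHIIIIQ")
ALIGN = 0x40  # every section starts on a 64-byte boundary


def align(n):
    return (n + ALIGN - 1) & ~(ALIGN - 1)


def cia_layout(header, file_size=None):
    """Return {section: (offset, size)} computed from the raw header bytes."""
    if len(header) < CIA_HEADER.size:
        raise ValueError("truncated CIA header")
    (hdr_size, _type, _version, cert_size, tik_size,
     tmd_size, meta_size, content_size) = CIA_HEADER.unpack_from(header)
    if hdr_size != 0x2020:
        raise ValueError(f"unexpected header size {hdr_size:#x}")
    layout, offset = {}, align(hdr_size)
    # Sections are stored in this fixed order, each padded to the alignment.
    for name, size in (("certificates", cert_size), ("ticket", tik_size),
                       ("tmd", tmd_size), ("content", content_size),
                       ("meta", meta_size)):
        layout[name] = (offset, size)
        offset = align(offset + size)
    end = layout["meta"][0] + meta_size
    if file_size is not None and end > file_size:
        raise ValueError(f"sections end at {end:#x}, file is {file_size:#x}")
    return layout


def contents_match(layout, tmd_content_sizes):
    """Cross-check the TMD's per-content sizes against the header total.
    Assumes the sizes are already 64-byte multiples, as in the output above."""
    return sum(tmd_content_sizes) == layout["content"][1]


# Constructed sample: header rebuilt from the sizes ctrtool printed above.
SAMPLE = CIA_HEADER.pack(0x2020, 0, 0, 0x0A00, 0x0350, 0x0B64, 0, 0x1174400)

if __name__ == "__main__":
    lay = cia_layout(SAMPLE)
    for name, (off, size) in lay.items():
        print(f"{name:13s} offset {off:#010x} size {size:#x}")
    print("TMD sizes consistent:", contents_match(lay, [0xF99400, 0x1DB000]))
```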
I've detailed the process of decryption/extraction two times already, and I won't do it again. I still have to make a real tutorial out of it, but I'm too lazy, so if someone else can do that, it's appreciated.
If you want to rebuild the thing, and it's a "gameapp" CIA, I recommend following the process in the first link, and then unpacking/rebuilding the .3ds with any of the tutorials available on this site (mine, of course). Just stop the process of rebuilding when you have decrypted the romfs.bin, extract it with "ctrtool --romfsdir=romfs -t romfs romfs.bin", edit the files, and use 3dstool to rebuild the romfs (it's the only command-line tool I could find which does that. I wanted to include it in a script): "3dstool -c -f romfs.bin -t romfs --romfs-dir romfs". If it's the code.bin which you want to edit, you can find it in exefs.
Thanks for the useful links, I tried to just ciatoccia with makerom as mentioned on your first link, but instead of the fail to decrypt CIA content I got this error:
[CCI ERROR] This CIA cannot be converted to CCI
[RESULT] Failed to build CCI
I don't even know what's the reason about that error which is so generic, google didn't help too, so I tried to get the keys for it with rxTools anyway, following your suggestions and this tutorial: https://gbatemp.net/threads/how-to-dump-and-backup-eshop-games-and-dlc.375586/
I was able to print all my keys, but there are no keys for my homemade rc.cia listed.
If I check it on the SD with Title Manager on the 3DS the .cia is seen both as .cia in SDMC and as installed in Program as Patch for Unique Id 0x011d7 which is confirmed in the CIA title ID: 0004000E0011D700
I tried FunkyCIA too and it was able to rebuild all the cia's and give me the raw's too, writing all the keys on different .txt (otherTitles, systemTitles.txt, updateTitles.txt etc. etc.) but even so there are not keys for the one I'm looking for.
Is there anything else I can do?
Before using ciatocci, you have to install the CIA, get the SD decryption keys (These are xorpads), decrypt the .app files (with padxorer), look what kind of files they are (application, manual or dlp), and rebuild the CIA with those files (It's all explained in the link). Now you have a decrypted CIA which can be converted to CCI no problem.
Even if you're not going to rebuild it into a CCI (You can skip that part, but given most tools out there are made to convert .3ds to .cia *cough*rsfgen.py*cough*, I find it more easy), you're going to need to decrypt those .app files. Those files can also be gotten by: "ctrtool --meta=.app file.cia", but you will need to install the CIA anyway to get the xorpads.
I did it and I got the 2 decrypted app files, ctrtool says 04 is the application, 05 is the manual, but when I try to remake the .cia I got this error:
F:\ctr>makerom -f cia -o rcnew.cia -content decrypted_00000004.app:0:0 -content decrypted_00000005.app:1:1
[MAKEROM ERROR] Content 0 is corrupt
EDIT: In fact if I check decrypted_00000004.app ctrtool says "Error, program id mismatch. Wrong key?" at the end.
Those "Wrong key?" messages you can mostly ignore. I've mostly had exheader hash mismatch, but I don't think this is much different.
Huh, that's weird.
What kind of .cia are you even trying to extract? If it's not a "gameapp" cia, I don't think the -ciatocci option will even work.
In any case, make sure it's really the correct file, and you've decrypted it with the correct xorpad. If you're sure, I'd carry on unpacking the "application" .app, by treating it as if it's a .3ds file, and the manual.app as if it's the manual.cfa (no need to use rom_tool to extract it, since it's not inside the app.app). Rsfgen will put weird values in the UniqueId, CompanyCode, and ProductCode fields. Fix that yourself.
If it's not a "gameapp" cia, I'd really recommend using exinjector after the fact.
The .cia is a rom hack made with own code and part of modified original game code in 1.0 exefs and packed as .cia which installs itself as a game patch with same title id.
ctrtool sees it as:
> Form type: Executable content
> Content type: Application
> Content platform: CTR
Since the author dismissed the project long ago and source code is not available I wanted to tweak a couple of things by myself to make it better.
The two .app files are decrypted correctly, I can see some plain text like product code in offset 0x150 on both files for example, but still they are decrypted but not decompiled, and I tried to unpack the content in various ways with different tools but I always get corrupted errors somehow.
3DSExplorer can see the correct file structure if treated as .3ds but can't extract the .cxi executables from the NCCH containers.
Isn't there just a way to decompile directly the .app back to plain text source so I can modify and then rebuild from there?
The .app contains 3 different partitions: romfs, exefs and exheader. You are looking for unpacking romfs, and possibly the code.bin in exefs. To do this, do what I said, treat it as a .3ds file and follow any of the tutorials on this site. That means the following process:
- Generate xorpads for the partitions
- Extract/Decrypt the partitions
- Extract the romfs ("ctrtool --romfsdir=romfs romfs.bin")
It's all detailed in the links I've sent earlier, and over the whole forum.
I treated it as .3ds and did it all over again, generated ncchinfo.bin, generated xorpads, but I only got 2 files:
Looks like it's a ctrKeyGen problem.
If I use the new ctrKeyGen.py Python 2.7 it creates a ncchinfo.bin with only 2 entries for me:
*Main.exheader.xorpad
*Main.exefs_norm.xorpad
If I use the old ctrKeyGen.exe it creates a ncchinfo.bin twice larger and with more entries, including romfs.
But if I try to generate xorpads with newer launchers.dat or rxTools I'm getting "Too many/few entries, or wrong version ncchinfo.bin"
If I use older launcher.dat o3ds freezes.