Hacking Pasta CFW - A CFW that allows unsigned CIA to be installed on Old and New 3DS! (required ninjhax)


davhuit

About Gateway, I sent them an email with the link to the Pasta source code, told them it was running GBA/DSiWare fine, even when using the MSET exploit, and so they might be interested in checking it to fix GBA/DSiWare support on Gateway.

No, romfs is not used in VC GBA. GBA ROMs are located in code.bin

Okay, I'll check that file, then.

Edit: the Code.bin file is 0kb, so it's probably not that. But the "exefs.bin" file is 8656 Kb, and the Metroid Fusion ROM is 8192 Kb, so it might be inside this file.

@Riku: We always use the template of another VC game. Doing VC games is pretty simple; I did like 300 of them. More information here: https://gbatemp.net/threads/the-general-vc-rom-injection-thread-nes-gb-c-a-etc.371894/

Basically, we just take an official VC game as the base ROM, extract it, replace the ROM file with another one, then recompile everything, which gives a .3DS file, then we convert it to CIA and it's done.
 

AHP_person

About Gateway, I sent them an email with the link to the Pasta source code, told them it was running GBA/DSiWare fine, even when using the MSET exploit, and so they might be interested in checking it to fix GBA/DSiWare support on Gateway.

Okay, I'll check that file, then.

Edit: the Code.bin file is 0kb, so it's probably not that. But the "exefs.bin" file is 8656 Kb, and the Metroid Fusion ROM is 8192 Kb, so it might be inside this file.

@Riku: We always use the template of another VC game. Doing VC games is pretty simple; I did like 300 of them. More information here: https://gbatemp.net/threads/the-general-vc-rom-injection-thread-nes-gb-c-a-etc.371894/

Basically, we just take an official VC game as the base ROM, extract it, replace the ROM file with another one, then recompile everything, which gives a .3DS file, then we convert it to CIA and it's done.
Don't decompress the .code, it's not compressed. The .code is the rom followed by a footer.
 

Ambassador

Edit: the Code.bin file is 0kb, so it's probably not that. But the "exefs.bin" file is 8656 Kb, and the Metroid Fusion ROM is 8192 Kb, so it might be inside this file.

Use ctrtool:
Code:
ctrtool -t exefs --exefsdir=./extractedexefs exefs.bin
 

Slushie3DS

The thread is becoming severely off-topic. Please, back on topic.

I was looking at spider3DStools, and I have no idea what nop90 was talking about. He said there was something specifying the browser version, and that changing it would allow other browsers to work, and I couldn't seem to find anywhere that had any of the browser versions as a variable. I was, however, looking more at rxTools' HTML/payload, and I noticed it does specify the different browser versions in the JavaScript. I couldn't find anything like this in the spider3DStools source, and I'm still a bit lost as to why the different browsers would have different payloads if each one injects the same binary file. There isn't even user-agent detection written into the HTML frame, either. It's strange.

Here are the documents, for show.

Code:
<html>
<script type="text/javascript">Object.defineProperty(window.navigator, 'userAgent', { get: function(){ return 'Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US'; } });Object.defineProperty(window.navigator, 'vendor', { get: function(){ return ''; } });</script>
<head>
<title>Loading rxTools.dat</title>
<script>rxTools JavaScript Document</script>
</head>
<body>
<h1>loading rxTools.dat<iframe height="0" src="#/"></iframe></h1>
</body>
</html>

Code:
<script>
d=document,r=parent,w=window;
if(r==w){
    l='rxTools.dat';
    d.title='Loading ' + l;
    w.onload=function(){
        d.body.childNodes[0].innerHTML='loading ' + l + '<iframe height=0 src=#/>';
    }
}else{
    w.onload=function(){
        b=0,f=w.frameElement,p=f.parentNode,o=d.createElement('object');
        o.addEventListener('beforeload',function(){
            if(++b==1)p.addEventListener('DOMSubtreeModified',r.z);
            else if(b==2)p.removeChild(f);
        });
        d.body.appendChild(o);
    }
}
function z(){
    n=navigator.userAgent;
    if(n.indexOf('Nintendo 3DS')!=-1){
        m=[],q={'1.7412':'PAYLOAD HERE',
                '1.7455':'PAYLOAD HERE',
                '1.7498':'PAYLOAD HERE',
                '1.7552':'PAYLOAD HERE',
                '1.7567':'PAYLOAD HERE'
               }[n.substring(n.lastIndexOf('/')+1,n.lastIndexOf('.'))].replace(':','dmc:/'+l+Array(26-l.length).join('\0'))+Array(74).join('\0'),
        s=q.length-1;
        for(j=1;j<410;j++){
            i=4*j/s,a=Array(j);
            for(k=0;k<i;a[k++]=q);
            m.push(d.createTextNode(String.fromCharCode.apply(null,Array(a))));
        }
    }
}</script>

Code:
<html>
<head>
<script>
var nb = 0;
function handleBeforeLoad() {
    if (++nb == 1) {
        p.addEventListener('DOMSubtreeModified', parent.dsm, false);
    } else if (nb == 2) {
        p.removeChild(f);
    }
}

function documentLoaded() {
    f = window.frameElement;
    p = f.parentNode;
    var o = document.createElement("object");
    o.addEventListener('beforeload', handleBeforeLoad, false);
    document.body.appendChild(o);
}

window.onload = documentLoaded;
</script>
</head>
<body>
KEKEKEKEK...
</body>
</html>

Code:
<html>
<head>
<style>
body {
    color:white;
    background:black;
}
</style>
<script>
function magicfun(mem, size, v) {
    var a = new Array(size - 20);
    nv = v + unescape("%ucccc");
    for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
    var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));

    mem.push(t);
}

function dsm(evnt) {
    var mem = [];

    for (var j = 20; j < 430; j++) {
        magicfun(mem, j, unescape("YOUR PAYLOAD HERE"));
    }
}
</script>
</head>
<body>
<h1 align="center">LOADING ROP...</h1>
<iframe width=0 height=0 src="frame.html"></iframe>
</body>
</html>

Can anyone shed any light on this? I'm gonna fiddle with them and see if I can mix them together.

EDIT: I actually answered my own question after I asked it. If you look at the first script, it is detecting your browser. I was masked by a user-agent tool, which is why I looked like a 3DS with the 1.17567 browser.

Code:
Object.defineProperty(window.navigator, 'userAgent', { get: function(){ return 'Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US'; }
Then, in the second script, it waits for the return of the get function to deliver the specified payload.
Code:
function z(){
                n=navigator.userAgent;
                if(n.indexOf('Nintendo 3DS')!=-1){
                    m=[],q={'1.7412':
I guess that gives a bit more understanding as to how it could be oriented towards all browsers.
 

Kurt91

Forgive me if this is something that belongs in the tech-help thread, but it was just a hypothetical question I thought of a little bit ago that got me curious...

Let's say that I owned an old 3DS and a New 3DS. My old one is on 9.0 and can run Pasta, while my New one is on 9.7 and cannot. If I were to run Pasta on the 9.0 with NTR on top of it so that I can spoof a higher firmware, what would happen to my non-legit CIA files if I were to run a system transfer to the New one? Would it assume that there was something wrong with the file and "fix" it for me in the process, making them count as eShop-purchased legit games, or would it simply either ignore the "broken" file or even just transfer it over in an unplayable state and expect me to delete it myself?
 

Riku

The Fire Emblem EU ROM has a 32MB ROM.
Didn't know that, thanks, 32MB ROMs work fine.
 

Slushie3DS

Forgive me if this is something that belongs in the tech-help thread, but it was just a hypothetical question I thought of a little bit ago that got me curious...

Let's say that I owned an old 3DS and a New 3DS. My old one is on 9.0 and can run Pasta, while my New one is on 9.7 and cannot. If I were to run Pasta on the 9.0 with NTR on top of it so that I can spoof a higher firmware, what would happen to my non-legit CIA files if I were to run a system transfer to the New one? Would it assume that there was something wrong with the file and "fix" it for me in the process, making them count as eShop-purchased legit games, or would it simply either ignore the "broken" file or even just transfer it over in an unplayable state and expect me to delete it myself?
I just skimmed that, but I'm gonna go out on a limb and say that it would see they are unsigned, and not allow them to transfer.
 

davhuit

Don't decompress the .code, it's not compressed. The .code is the rom followed by a footer.

So, that would mean you just need to replace the ROM with the new one for it to work; seems a bit too easy, but I might try.

Let's just wait until Riku explains how he's doing it (if he wants to); it will be easier/faster.

It would also require its own thread.
 

Slushie3DS

Finally caved after months of wanting to, and bought Cubic Ninja. It should be here around next week, Tuesday. I'm still going to be looking at the spider entry-point, though. I'd like to get that working, or fail trying.
 

cjm5

So you still need to boot into Pasta to play titles (like Ambassador games) installed with BigBlueMenu? I thought they would work right from booting up sysNAND. Still, this is pretty great. Time for EarthBound Zero!
Also, this seems like something very few people want, but I need updates to play some of my NTSC games like Smash on my PAL 3DS. Are updates available as CIAs? This is super helpful in that case. And would it brick my system if I installed NTSC patches on my Euro system?
 

Omenien

So you still need to boot into Pasta to play titles (like Ambassador games) installed with BigBlueMenu? I thought they would work right from booting up sysNAND. Still, this is pretty great. Time for EarthBound Zero!
Also, this seems like something very few people want, but I need updates to play some of my NTSC games like Smash on my PAL 3DS. Are updates available as CIAs? This is super helpful in that case. And would it brick my system if I installed NTSC patches on my Euro system?

The problem is that the game still isn't licensed to that 3DS even after it has been installed to the sysNAND. Until someone can figure out a way to apply the PastaCFW patches on boot, you'll need to open CN (or whatever exploit happens to be in use at the time) and start Pasta that way.
 

goldensox

Can someone explain to me how the browser exploit would work? I once jailbroke an iPhone by entering a site and clicking a button (a glorious TECHNOLOGY moment); will it be somehow similar?

My 3DS is 9.2 though.
 