Hacking rxTools with Signatures patched out!

[pakrett]

yep

You doesn't already have a palantine cfw full set up ? If yes, you can easily convert your rednand into emunand.

 

[godstriker8]

Well damn, I've come full circle, and the file doesn't open in WinImage. Its a full sized 776,000 KB file.

Only thing that could be wrong, is that when I use the decrypt.bat I have to manually close it, it seems to just stay at the 100% mark, don't know if thats normal.

EDIT: When I drag the emuNAND.fat16.bin into there it works fine, I'm pretty sure its the decrypt.bat crapping out on me now.

 

[VerseHell]

No, it must say finished at the end.

 

[godstriker8]

No, it must say finished at the end.
View attachment 20527

I left it, and it said "paused" after a minute

EDIT: Did it again for the fifth time, and it worked... The file still won't open in WinImage though

 

[VerseHell]

What does it say?

 

[godstriker8]

What does it say?

"Error reading file E://...emuNAND.fat16.bin.out"

 

[Falo]

Alright, thanks to zoogie and his tool, we may found a way to install FBI on a 2DS :

Download this pack : http://jheberg.net/captcha/fbi-injection-v11/
(You need to have python 2.7 installed and added in your path)
1. Use the gateway launcher.dat to create your emunand (format emunand, backup your sd card content first
2. Setup rxTools : http://www.rxtools.net/#!howto (replace the rxTools.dat with one of the patched one)
3. Use rxTools to get your nand xorpad (Decryption Options -> Generate fat16 Xorpad). Put it on the FBI injection folder
4. Open emunand tool, choose extract emunand then choose the FBI injection folder for the destination
5. Execute decrypt.bat
6. Execute the MAKE_FBI_NCCH which match your console region. It will generate a 0000000X.app file.
7. Open WinImage.
8. Drag and drop the emuNAND.fat16.bin.out on the program then click on OK
9. Go to title/0040010/00022300/content for a EU console or title/0040010/00021300/content for US one.
10. Delete the 0000000X.app inside. (You can extract it first if you want)
11. Click on Image->Inject then choose your own 0000000X.app.
12. Save and close WinImage.
13. Execute reencrypt.bat
14. Restore your emunand with emunand tool.
15. Boot on the emunand with rxTools. Select Health & Safety app. FBI should boot instead.

Tested it on a 4.2 O3DS and it works fine, so it should work on a 2DS too.

Doesn't work on 9.2 EUR O3DS, error: "This software title can't be launched. Please redownload...".
Afterwards it deletes the title from homescreen. I tested both signature patched rxtools.dat's.

Note: on 9.2 EUR it's 00000008.app, not 00000004.app.

Is there no way without downgrading or buying cubic ninja/gw? Can't FBI be ported to a spider launcher.dat?

 

[VerseHell]

"Error reading file E://...emuNAND.fat16.bin.out"

Then there must be something wrong on your nand xorpad.

Doesn't work on 9.2 EUR O3DS, error: "This software title can't be launched. Please redownload...".
Afterwards it deletes the title from homescreen. I tested both signature patched rxtools.dat's.

Note: on 9.2 EUR it's 00000008.app, not 00000004.app.

Is there no way without downgrading or buying cubic ninja/gw? Can't FBI be ported to a spider launcher.dat?

It's 00000004.app on 4.2.
Did you try to rename it 00000008.app before injecting then?

 

[zoogie]

Doesn't work on 9.2 EUR O3DS, error: "This software title can't be launched. Please redownload...".
Afterwards it deletes the title from homescreen. I tested both signature patched rxtools.dat's.

Note: on 9.2 EUR it's 00000008.app, not 00000004.app.

Is there no way without downgrading or buying cubic ninja/gw? Can't FBI be ported to a spider launcher.dat?

That's because the title updates on 6.x which causes the higher file name. On US 9.x is 00000005.app instead of 00000003.app on 4.x.

And my preliminary tests are like yours, it doesn't work on 9.2. Better sign checking security.
I'm going to test 6.1 in a while and see if it works there. That would restore some hope for 2ds (via a dangerous downgrade admittingly).

 

[Sam_SpadeR]

@AHP_person After unpacking it, I tried modifying a few strings, like adding GBA to the title in the GBA version/SSB in the SSB version, etc. I didn't change the length of the file, and all the strings stayed the same size (e.g. "rxTools - Roxas75 [v2.4]" -> "rxTools - Roxas75 [vSSB]" And yet, after recompiling it and trying to run it, I get "rxTools.dat is corrupt!" Is there some sort of integrity check that needs tweaking?

Edit: Oh, and I see references to "Exploit Options" and "Downgrade MSET." Unfinished or just disabled?

Hello guys. Man, can you did the thing for the GBA/DSi and Super Smash games could exist together with the same .dat file? I read this comment in the post a few days ago and I´ve been really excited for it.

Thanks for the wonderful job there.

Cheers and thanks!

 

[Falo]

Did you try to rename it 00000008.app before injecting then?

Yes. Just leaving it as 4.app would not work, i would have to modify the cmd ids to match 4.app.

That's because the title updates on 6.x which causes the higher file name. On US 9.x is 00000005.app instead of 00000003.app on 4.x.

And my preliminary tests are like yours, it doesn't work on 9.2. Better sign checking security.

My guess is, there are more then signature checks, *.tmd contains the sha256 checksums of *.app files and also title.db must constain something to match up with apps.

 

[godstriker8]

I needed the xorpad to create the emunand. fat16.bin using the tool provided above, so I'm pretty sure it's good. Besides if that was broken, thered be no way to fix it since I got it from RXtools problem free

 

[VerseHell]

That's because the title updates on 6.x which causes the higher file name. On US 9.x is 00000005.app instead of 00000003.app on 4.x.

And my preliminary tests are like yours, it doesn't work on 9.2. Better sign checking security.
I'm going to test 6.1 in a while and see if it works there. That would restore some hope for 2ds (via a dangerous downgrade admittingly).

Yes. Just leaving it as 4.app would not work, i would have to modify the cmd ids to match 4.app.


My guess is, there are more then signature checks, *.tmd contains the sha256 checksums of *.app files and also title.db must constain something to match up with apps.

That's mean it won't work on a 2DS then. Too bad.
Well, it's still useful for people who don't have a wifi connection or have the "failed to connect" error.

I needed the xorpad to create the emunand. fat16.bin using the tool provided above, so I'm pretty sure it's good. Besides if that was broken, thered be no way to fix it since I got it from RXtools problem free

If you're using that : http://gbatemp.net/threads/port-release-3dsfat16tool-c-rewrite-by-d0k3.390942/ you can also try to type :

3DSFAT16tool -d -n emuNAND.bin emuNAND.fat16.bin NAND.fat16.xorpad

(It will stop before 100% but it's normal)
then rename emuNAND.fat16.bin emuNAND.fat16.bin.out and try to open it with WinImage.
This is my last idea, I hope it will work. :/

 

[zoogie]

That's mean it won't work on a 2DS then. Too bad.
Well, it's still useful for people who don't have a wifi connection or have the "failed to connect" error.



If you're using that : http://gbatemp.net/threads/port-release-3dsfat16tool-c-rewrite-by-d0k3.390942/ you can also try to type :

3DSFAT16tool -d -n emuNAND.bin emuNAND.fat16.bin NAND.fat16.xorpad

(It will stop before 100% but it's normal)
then rename emuNAND.fat16.bin emuNAND.fat16.bin.out and try to open it with WinImage.
This is my last idea, I hope it will work. :/

Just did a run through test of several firmwares. It works up to 8.1. Stops working at 9.2 (didn't test 9.0)
Interesting.
@Falo

 

[VerseHell]

Just did a run through test of several firmwares. It works up to 8.1. Stops working at 9.2 (didn't test 9.0)
Interesting.
@Falo

What did you do? Like @Falo said, just renaming the *.app doesn't work, the icon doesn't even show up.

 

[zoogie]

What did you do? Like @Falo said, just renaming the *.app doesn't work, the icon doesn't even show up.

After 4.5 the FBI icon stopped showing up, but it still booted and ran fine when I started H & S.

Tested 4.5, 6.1, 7.1, 8.1, and 9.2. (as i said above, on 9.2 it stopped working though)

 

[VerseHell]

After 4.5 the FBI icon stopped showing up, but it still booted and ran fine when I started H & S.

Tested 4.5, 6.1, 7.1, 8.1, and 9.2.

Weird, this is what I get when I follow my own tutorial :
- On 4.2, I still have the H&S icon, but FBI boot instead
- On 7.2, i don't have the H&S icon anymore. (just renamed the *.app before injecting)
I must be doing something wrong.

 

[samiam144]

@zoogie are we suppose to rename the fat16.bin.out file to just .bin and inject it back to sysnand?

 

[zoogie]

Weird, this is what I get when I follow my own tutorial :
- On 4.2, I still have the H&S icon, but FBI boot instead
- On 7.2, i don't have the H&S icon anymore. (just renamed the *.app before injecting)
I must be doing something wrong.

You're supposed to rename it to whatever the ?.app version is for the given firmware and overwrite the original .app. It will vary by firmware and region. Granted, I first injected my .app on 4.5 so that might have made a difference in it working so well. I'll retest on 8.1 with fat16 injection on that firmware.

@zoogie are we suppose to rename the fat16.bin.out file to just .bin and inject it back to sysnand?

I'm just using the 3DSFAT16tool.exe's instructions to decrypt/inject/encrypt. I'm using GW's system restore to write the nand back.
The FBI injection pack wasn't working for me.

 

[VerseHell]

Nope, doesn't work, even tried on my 8.1 emunand backup :
- This is the untounched H&S app folder :

Spoiler

So I deleted the built my own *.app, renamed it 00000008.app, replaced the 00000008.app in the content folder with mine, injected the emunand back and still no icon.

Yes. Just leaving it as 4.app would not work, i would have to modify the cmd ids to match 4.app.

Can you explain us what have you done exactly?