Hacking rxTools with Signatures patched out!

Status
Not open for further replies.

Riku

> The difference here is that your *.app file is encrypted.
> Just fixing TMD checksums does not make it work.
>
> Can you make a step-by-step guide of what you did, so we can make EUR/USA files?

1. Extract both ExeFSs, put the .code from FBI and the icon/banner from the original app (important, since the system caches them), and build a compressed ExeFS.
2. Edit the FBI exheader: replace the name at the beginning and the ProgramID (stored in 3 places), remove the SD flag and set the SysApp flag (in 2 places).
3. Re-XOR them both and inject them into the CXI.
4. In the CXI header, edit in the new ExeFS size, the new exheader hash and the new ExeFS hash.
5. Pad the ExeFS to 4096, compare the original CXI size with the modified one and create a new RomFS to fill the size (I used the original RomFS, just cut some audio file); re-XOR it and insert it into the CXI along with the new RomFS hash and new size.
6. The last step is generating new TMD hashes.

That's all I remember, too much info. :wacko:
 
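The header bookkeeping Riku describes (new ExeFS size, new exheader hash, new ExeFS hash, new RomFS size and hash, and the total content size) is mechanical and easy to get subtly wrong. The script below is an added example written for this page, not Riku's tool or any code from the thread. It assumes the NCCH header layout from 3dbrew (0x200-byte header; sizes and offsets in 0x200-byte media units; content size at 0x104; exheader hash at 0x160 over the first 0x400 bytes of the exheader; ExeFS offset/size/hash-region at 0x1A0; RomFS offset/size/hash-region at 0x1B0; ExeFS and RomFS superblock hashes at 0x1C0 and 0x1E0), lays the ExeFS directly after the exheader with no plain-text or logo region, and works on plaintext sections: the hashes are computed before the xorpad is applied again. All inputs in `demo()` are constructed stand-ins, not real title data; the exheader flag edits Riku lists are not modelled here.

```python
import hashlib
import struct

MEDIA_UNIT = 0x200          # NCCH offsets and sizes are counted in 0x200-byte media units
EXHEADER_SIZE = 0x800       # 0x400 exheader + 0x400 access descriptor
EXHEADER_HASHED = 0x400     # the header's exheader hash covers only the first 0x400 bytes


def sha256(data):
    return hashlib.sha256(data).digest()


def pad(data, align):
    """Zero-pad to a multiple of align (Riku pads the ExeFS to 4096)."""
    return bytes(data) + b"\0" * (-len(data) % align)


def apply_xorpad(region, xorpad):
    """Re-XOR a plaintext region with the xorpad that decrypted it. The keystream
    is position-dependent, so the pad must be the one generated for this exact
    region and at least as long as it."""
    if len(xorpad) < len(region):
        raise ValueError("xorpad shorter than region")
    return bytes(a ^ b for a, b in zip(region, xorpad))


def rebuild_cxi(header, exheader, exefs, romfs, exefs_hash_mu=1, romfs_hash_mu=1):
    """Assemble a plaintext CXI (header + exheader + ExeFS + RomFS) and rewrite every
    header field the swap invalidates. Layout assumption: no plain-text/logo region,
    ExeFS right after the exheader, RomFS after the padded ExeFS. The *_hash_mu
    arguments are the superblock hash-region sizes in media units; keep the values
    from the original header (1 is the common case)."""
    if len(header) != 0x200 or header[0x100:0x104] != b"NCCH":
        raise ValueError("not an NCCH header")
    if len(exheader) != EXHEADER_SIZE:
        raise ValueError("exheader must be 0x800 bytes")
    exefs = pad(exefs, 0x1000)
    romfs = pad(romfs, MEDIA_UNIT)
    if exefs_hash_mu * MEDIA_UNIT > len(exefs) or romfs_hash_mu * MEDIA_UNIT > len(romfs):
        raise ValueError("hash region larger than its section")
    exefs_off = 0x200 + EXHEADER_SIZE
    romfs_off = exefs_off + len(exefs)
    total = romfs_off + len(romfs)

    hdr = bytearray(header)
    struct.pack_into("<I", hdr, 0x104, total // MEDIA_UNIT)         # content size
    hdr[0x160:0x180] = sha256(exheader[:EXHEADER_HASHED])           # exheader hash
    struct.pack_into("<I", hdr, 0x180, EXHEADER_HASHED)             # exheader size
    struct.pack_into("<IIII", hdr, 0x190, 0, 0, 0, 0)                # plain/logo region absent (assumption)
    struct.pack_into("<III", hdr, 0x1A0, exefs_off // MEDIA_UNIT, len(exefs) // MEDIA_UNIT, exefs_hash_mu)
    struct.pack_into("<III", hdr, 0x1B0, romfs_off // MEDIA_UNIT, len(romfs) // MEDIA_UNIT, romfs_hash_mu)
    hdr[0x1C0:0x1E0] = sha256(exefs[:exefs_hash_mu * MEDIA_UNIT])  # ExeFS superblock hash
    hdr[0x1E0:0x200] = sha256(romfs[:romfs_hash_mu * MEDIA_UNIT])  # RomFS superblock hash
    return bytes(hdr) + bytes(exheader) + exefs + romfs


def parse_header(cxi):
    """Read the size/offset fields back out of the header (all in media units)."""
    h = cxi[:0x200]
    f = {}
    f["content_size"], = struct.unpack_from("<I", h, 0x104)
    f["exheader_size"], = struct.unpack_from("<I", h, 0x180)
    f["exefs_offset"], f["exefs_size"], f["exefs_hash_region"] = struct.unpack_from("<III", h, 0x1A0)
    f["romfs_offset"], f["romfs_size"], f["romfs_hash_region"] = struct.unpack_from("<III", h, 0x1B0)
    return f


def check_cxi(cxi):
    """Recompute the three hashes and the size bookkeeping over a plaintext CXI.
    Returns {check name: bool}; any False means the header no longer describes the data."""
    f = parse_header(cxi)
    h = cxi[:0x200]
    mu = MEDIA_UNIT
    exo, exh = f["exefs_offset"] * mu, f["exefs_hash_region"] * mu
    ro, rh = f["romfs_offset"] * mu, f["romfs_hash_region"] * mu
    return {
        "content_size": f["content_size"] * mu == len(cxi),
        "exheader_hash": sha256(cxi[0x200:0x200 + f["exheader_size"]]) == h[0x160:0x180],
        "exefs_hash": sha256(cxi[exo:exo + exh]) == h[0x1C0:0x1E0],
        "romfs_hash": sha256(cxi[ro:ro + rh]) == h[0x1E0:0x200],
        "sections_in_bounds": (f["romfs_offset"] + f["romfs_size"]) * mu <= len(cxi),
    }


def demo():
    """Constructed stand-ins (not real title data): a blank header, a zeroed exheader,
    a tiny ExeFS and RomFS, and an all-0xAB xorpad standing in for the real one."""
    header = bytearray(0x200)
    header[0x100:0x104] = b"NCCH"
    exheader = bytes(EXHEADER_SIZE)
    exefs = b"\0" * 0x200 + b"constructed .code payload"
    romfs = b"IVFC" + bytes(0x100)
    cxi = rebuild_cxi(bytes(header), exheader, exefs, romfs)
    f = parse_header(cxi)
    exo = f["exefs_offset"] * MEDIA_UNIT
    exefs_plain = cxi[exo:exo + f["exefs_size"] * MEDIA_UNIT]
    xorpad = b"\xab" * len(exefs_plain)   # constructed pad; rxTools generates the real one
    encrypted = cxi[:exo] + apply_xorpad(exefs_plain, xorpad) + cxi[exo + len(exefs_plain):]
    return cxi, encrypted, check_cxi(cxi)
```

Running `check_cxi` on the re-XORed image fails only the ExeFS hash, which is the point: the header hashes describe the plaintext sections, so they are computed before the xorpad goes back on, and any later change to a section (cutting the RomFS, padding the ExeFS) means recomputing them and the sizes together.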

pikatsu

> 1. Extract both ExeFSs, put the .code from FBI and the icon/banner from the original app (important, since the system caches them), and build a compressed ExeFS.
> 2. Edit the FBI exheader: replace the name at the beginning and the ProgramID (stored in 3 places), remove the SD flag and set the SysApp flag (in 2 places).
> 3. Re-XOR them both and inject them into the CXI.
> 4. In the CXI header, edit in the new ExeFS size, the new exheader hash and the new ExeFS hash.
> 5. Pad the ExeFS to 4096, compare the original CXI size with the modified one and create a new RomFS to fill the size (I used the original RomFS, just cut some audio file); re-XOR it and insert it into the CXI along with the new RomFS hash and new size.
> 6. The last step is generating new TMD hashes.
>
> That's all I remember, too much info. :wacko:

Does this injection work with every app or game?
 

pakrett

> Because I don't trust the downgrade and I want to avoid modifying my sysNAND if possible.
> Also, except for piracy (and finally being able to make translation patches for the 3DS), there is no reason for me to downgrade; I do buy games if I want them.

Downgrade by the Gateway method = 100% safe
 

samiam144

> Alright, thanks to zoogie and his tool, we may have found a way to install FBI on a 2DS (it's also useful for an O3DS if you don't want to do the whole CFW process):
>
> Edit: It seems it doesn't work on 9.0-9.2. :(
>
> Download this pack: http://jheberg.net/captcha/fbi-injection-v12/
>
> 1. Use the Gateway launcher.dat to create your emuNAND (format emuNAND; back up your SD card contents first).
> 2. Set up rxTools: http://www.rxtools.net/#!howto (replace rxTools.dat with one of the patched ones).
> 3. Use rxTools to get your NAND xorpad (Decryption Options -> Generate fat16 Xorpad). Put it in the FBI injection folder.
> 4. Open emunand tool, choose extract emunand, then choose the FBI injection folder as the destination.
> 5. Execute decrypt.bat.
> 6. Open WinImage.
> 7. Drag and drop emuNAND.fat16.bin onto the program, then click OK.
> 8. Go to title/0040010/00022300/content for an EU console or title/0040010/00021300/content for a US one.
> 9. Execute the MAKE_FBI_NCCH that matches your console region. It will generate a 0000000X.app file. If needed, rename it to match the 0000000X.app in the content folder.
> 10. Delete the 0000000X.app from the content folder.
> 11. Click Image->Inject, then choose your own 0000000X.app.
> 12. Save and close WinImage.
> 13. Execute reencrypt.bat.
> 14. Restore your emuNAND with emunand tool.
> 15. Boot into the emuNAND with rxTools. Select the Health & Safety app. FBI should boot instead. :)
> 16. If you're on 4.X, install another CIA installer from it before updating your emuNAND, because the update will restore the original Health & Safety app.
>
> Tested it on a 4.2 O3DS and it works fine, so it should work on a 2DS too. :)

On step 16, can we use FBI again to install? I assume the title ID will be different, right?
 

Falo

> Downgrade by the Gateway method = 100% safe

It's not 100% safe and I don't trust that method.

> What is the TMD content info hash a hash of? I presume they also need to be updated, not only the TMD content hash.

There are 3 hashes:
the first (0xB14) hashes the content (the .app file),
the second (0x208) hashes the content table (0xB04-0xB33),
the third (0x1E4) hashes the content index table (0x204-0xB03).
All simple SHA-256.

> 1. Extract both ExeFSs, put the .code from FBI and the icon/banner from the original app (important, since the system caches them), and build a compressed ExeFS.
> 2. Edit the FBI exheader: replace the name at the beginning and the ProgramID (stored in 3 places), remove the SD flag and set the SysApp flag (in 2 places).
> 3. Re-XOR them both and inject them into the CXI.
> 4. In the CXI header, edit in the new ExeFS size, the new exheader hash and the new ExeFS hash.
> 5. Pad the ExeFS to 4096, compare the original CXI size with the modified one and create a new RomFS to fill the size (I used the original RomFS, just cut some audio file); re-XOR it and insert it into the CXI along with the new RomFS hash and new size.
> 6. The last step is generating new TMD hashes.
>
> That's all I remember, too much info. :wacko:

I did all that; now the icon/banner is there and I'm able to start it, but then "An error has occurred, please restart console...".
Some error on my side, or it's not working...
 
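Falo's three offsets are the whole chain that has to be rebuilt, and in a fixed order: the content hash sits in the chunk record, the chunk records are covered by the hash in the first content info record, and the info records are covered by the hash at 0x1E4. The script below is an added example written for this page, not a tool from the thread. It assumes the TMD layout from 3dbrew for an RSA-2048/SHA-256 signed TMD (signature type 0x00010004 at 0x0, header at 0x140, content count at 0x1DE, 64 info records of 0x24 bytes from 0x204, chunk records of 0x30 bytes from 0xB04, big-endian integers), which is what puts the three hashes at Falo's 0xB14, 0x208 and 0x1E4 for a single-content TMD. It generalizes to TMDs with several contents and several info records. It does not touch the RSA signature over the header: that is precisely what the signature patches in the thread title let you skip. `make_sample_tmd` builds a constructed minimal TMD, not a real Nintendo one.

```python
import hashlib
import struct

# Layout of a 3DS TMD with an RSA-2048/SHA-256 signature (type 0x00010004):
# 4-byte type + 0x100 signature + 0x3C padding puts the header at 0x140.
HEADER = 0x140
CONTENT_COUNT = HEADER + 0x9E          # u16 at 0x1DE
INFO_TABLE_HASH = HEADER + 0xA4        # 0x1E4: SHA-256 over all 64 info records
INFO_RECORDS = HEADER + 0xC4           # 0x204: 64 records of 0x24 bytes
INFO_RECORD_SIZE, INFO_RECORD_COUNT = 0x24, 64
CHUNK_RECORDS = INFO_RECORDS + INFO_RECORD_COUNT * INFO_RECORD_SIZE   # 0xB04
CHUNK_RECORD_SIZE = 0x30               # id u32, index u16, type u16, size u64, SHA-256


def sha256(data):
    return hashlib.sha256(data).digest()


def _require_rsa2048(tmd):
    if tmd[:4] != b"\x00\x01\x00\x04":
        raise ValueError("expected an RSA-2048/SHA-256 signed TMD")


def _rehash_info_records(t):
    """Each info record = u16 first chunk index, u16 chunk count, SHA-256 over that
    run of chunk records (0x208 for record 0); then 0x1E4 covers the info table."""
    for i in range(INFO_RECORD_COUNT):
        off = INFO_RECORDS + i * INFO_RECORD_SIZE
        first, n = struct.unpack_from(">HH", t, off)
        if n == 0:
            continue
        start = CHUNK_RECORDS + first * CHUNK_RECORD_SIZE
        t[off + 4:off + INFO_RECORD_SIZE] = sha256(t[start:start + n * CHUNK_RECORD_SIZE])
    t[INFO_TABLE_HASH:INFO_TABLE_HASH + 0x20] = sha256(t[INFO_RECORDS:CHUNK_RECORDS])


def patch_tmd(tmd, content_index, content):
    """Return a copy of tmd whose chunk record `content_index` carries the size and
    SHA-256 of `content`, with the covering hashes rebuilt bottom-up:
    chunk record -> info record hash -> info table hash."""
    _require_rsa2048(tmd)
    t = bytearray(tmd)
    count, = struct.unpack_from(">H", t, CONTENT_COUNT)
    if content_index >= count:
        raise IndexError("TMD only lists %d content(s)" % count)
    rec = CHUNK_RECORDS + content_index * CHUNK_RECORD_SIZE
    struct.pack_into(">Q", t, rec + 0x8, len(content))   # content size (0xB0C for record 0)
    t[rec + 0x10:rec + 0x30] = sha256(content)           # content hash (0xB14 for record 0)
    _rehash_info_records(t)
    return bytes(t)


def verify_tmd(tmd, contents):
    """contents: {content_index: bytes}. Returns {check: bool} for every link in the chain."""
    _require_rsa2048(tmd)
    result = {"info_table_hash":
              sha256(tmd[INFO_RECORDS:CHUNK_RECORDS]) == tmd[INFO_TABLE_HASH:INFO_TABLE_HASH + 0x20]}
    for i in range(INFO_RECORD_COUNT):
        off = INFO_RECORDS + i * INFO_RECORD_SIZE
        first, n = struct.unpack_from(">HH", tmd, off)
        if n == 0:
            continue
        start = CHUNK_RECORDS + first * CHUNK_RECORD_SIZE
        result["info_record_%d" % i] = (sha256(tmd[start:start + n * CHUNK_RECORD_SIZE])
                                        == tmd[off + 4:off + INFO_RECORD_SIZE])
    for idx, data in contents.items():
        rec = CHUNK_RECORDS + idx * CHUNK_RECORD_SIZE
        size, = struct.unpack_from(">Q", tmd, rec + 0x8)
        result["content_%d" % idx] = size == len(data) and sha256(data) == tmd[rec + 0x10:rec + 0x30]
    return result


def make_sample_tmd(content_count=1):
    """Constructed minimal TMD (not a real one): signature type, content count, one
    info record covering every chunk record, all hashes zeroed."""
    t = bytearray(CHUNK_RECORDS + content_count * CHUNK_RECORD_SIZE)
    t[:4] = b"\x00\x01\x00\x04"
    struct.pack_into(">H", t, CONTENT_COUNT, content_count)
    struct.pack_into(">HH", t, INFO_RECORDS, 0, content_count)
    for i in range(content_count):
        rec = CHUNK_RECORDS + i * CHUNK_RECORD_SIZE
        struct.pack_into(">IHH", t, rec, i, i, 0)        # content id, content index, type
    return bytes(t)
```

Run `verify_tmd` on the TMD from the NAND before and after patching: a single flipped byte in a chunk record breaks the info record hash but leaves the 0x1E4 hash intact, which is how you tell which of the three levels you forgot to update.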

Riku

> I did all that; now the icon/banner is there and I'm able to start it, but then "An error has occurred, please restart console...".
> Some error on my side, or it's not working...

Try installing the original 0004001000020300 v2050 and injecting my files. You won't be able to see it in the HOME menu, but launching from the FBI list should work. And if it does work, feel free to decrypt and compare.
 

pakrett

> It's not 100% safe and I don't trust that method.

Almost 100% safe, like all the stuff you can find here.

If you have, like me, an EUR old 3DS, I don't see the problem. I've done it so many times with my console and with my friends' ones, no problem.
NVD -> your choice.
 

Falo

> Try installing the original 0004001000020300 v2050 and injecting my files. You won't be able to see it in the HOME menu, but launching from the FBI list should work. And if it does work, feel free to decrypt and compare.

The main reason I'm doing this is because I CAN'T install anything... (I don't want to downgrade my console).
I already decrypted your app and compared it; except for the region flags in icon.bin, a different program ID in the exheader/NCCH and a different NCCH size, it's the same...

Note: EUR is 0004001000022300 v3077. If you want, I can send you the NAND files and xorpads.
 

Riku

> The main reason I'm doing this is because I CAN'T install anything... (I don't want to downgrade my console).
> I already decrypted your app and compared it; except for the region flags in icon.bin, a different program ID in the exheader/NCCH and a different NCCH size, it's the same...
>
> Note: EUR is 0004001000022300 v3077. If you want, I can send you the NAND files and xorpads.

I'll make a EUR version for you later.
 

masterz87

Since this thing is supposed to work with DSiWare, has _anyone_ gotten it to work at all? Does it _only_ work with the browser exploit or something?

I keep getting the damned "an error has occurred".

I am using emuNAND as I hate installing anything to sysNAND unless absolutely required.
 
