Got an error saying the fffuck.exe is for 64 bit only. Is there a 32 bit build I can use? Wanting to get this working on the off off chance I have ctraging still in my partition.
So if I extract a nand.bin using fuse-3ds would CTRAging be in the 'titles' folder if it still exists? Or would the fragments only be visible if the NAND is searched using fff*ck.exe?
Basically i'm confused if the fragments of O3DS CTRAging we have found so far would be immediately visable on the extracted NAND, or if we would need to search the NAND for file fragments that have already been marked as 'deleted' by the filesystem. In which case is there any more modern method to search a nand dump made by Godmode9? (Since a Godmode9 dump doesn't include the xorkeys the fff*ck.exe requires)
Also has anyone managed to dump the latest version of CTRAging from a N2DS XL?
Basically i'm confused if the fragments of O3DS CTRAging we have found so far would be immediately visable on the extracted NAND, or if we would need to search the NAND for file fragments that have already been marked as 'deleted' by the filesystem. In which case is there any more modern method to search a nand dump made by Godmode9? (Since a Godmode9 dump doesn't include the xorkeys the fff*ck.exe requires)
Also has anyone managed to dump the latest version of CTRAging from a N2DS XL?
Last edited by Razor83,
Yeah this tutorial is outdated, I will add new methods as soon as I have time.
Also, CTRAging is marked deleted by the filesystem so any further write could overwrite it very easily.
I trying to launch it but i hangs at " wait" and nothing happens. I can launch it with the Main Menu but without sound usw. Where i can launch it directly and with sound? Or what i doing wrong?
- Joined
- Jun 4, 2015
- Messages
- 1,441
- Trophies
- 1
- Location
- Minus World
- Website
- www.youtube.com
- XP
- 2,481
- Country
Eject any game carts from the card slot before launching.
Do you think you could update this? I'd like to try it out.
I also wonder if a similar thing could be done for the SD card of a new/nearly-new console (in case dev apps in the form of CIAs-waiting-be-installed can be found, or something like that)
Edit: yes, I did necrobump, but at least I have useful stuff to share
I've made some progress on old3DS CTRAging research, so I thought I'd leave some stuff here.
First of all, it's impossible to get CTRAging unless they manage to make a gap big enough for CTRAging to fully fit in without being overwritten. I have a near-complete old3DS CTRAging, it's just missing the start of the code, but it's missing enough to not be reconstruable, and no old3DS dump I have has that part intact, so fail.
The reason CTRAging gets overwritten can be observed in a NAND dump I received. First a very basic firmware (probably pre-1.0.0) is installed with a very limited set of sysmodules (if anyone is interested, I can exactly list which sysmodules), TestMenu, CTRAging, and probably 1 or 2 smaller programs, if any, then once the testing is done, they very first delete CTRAging, any other dev app which could come after it, replace the old sysmodules with their new counterparts, delete TestMenu, install some misc factory files, then from where it's a mystery, and it ends up on the shelves.
To put it shortly, CTRAging gets overwritten by account.dat and mset. We did overestimate how smart Nintendo could be with CTRAging, but no, it's purely unintentional. It just gets uninstalled too early for the last part to not get overwritten.
As for those who are having problems with the awful program everyone has been using, I made my own. Works in wine too. You need a decrypted CTRNAND for this program to work, and it doesn't accept xorpads yet. You know if your CTRNAND is decrypted because you can find "CTR" and "FAT16" very close to eachother. I attached the program.
PUT THE EXE IN AN EMPTY DIRECTORY BECAUSE IT'LL CREATE A LOT OF FILES! The reason is so that we can catch any duplicate titles and have a chance of one of them being hopefully intact.
Edit3: you can get a decrypted CTRNAND by copying your NAND backup to your 3DS's SDCard, using Godmode9 to mount it, and copy ctrnand_fat.img to /gm9/out
Or alternatively get ninfs (formerly fusectr (?)) at https://github.com/ihaveamac/ninfs#windows and copy ctrnand_fat.img out of there.
Edit2: drag the decrypted CTRNAND file on the exe, it has no GUI. A black window (command prompt) will open, scan your CTRNAND, write lots of files to the disk, then close. This is normal. If no files are made then your CTRNAND is not decrypted.
Edit4:
I made a typo, so the ff.exe in the attachment only dumps CTRAging. DO NOT DELETE YOUR BACKUPS! Keep ctrnand_fat.img until I release a new tool which does forensic analysis on ctrnand_fat.img (instead of just dummy scanning for NCCH) which has a much higher chance of recovering corrupted titles.
I've made some progress on old3DS CTRAging research, so I thought I'd leave some stuff here.
First of all, it's impossible to get CTRAging unless they manage to make a gap big enough for CTRAging to fully fit in without being overwritten. I have a near-complete old3DS CTRAging, it's just missing the start of the code, but it's missing enough to not be reconstruable, and no old3DS dump I have has that part intact, so fail.
The reason CTRAging gets overwritten can be observed in a NAND dump I received. First a very basic firmware (probably pre-1.0.0) is installed with a very limited set of sysmodules (if anyone is interested, I can exactly list which sysmodules), TestMenu, CTRAging, and probably 1 or 2 smaller programs, if any, then once the testing is done, they very first delete CTRAging, any other dev app which could come after it, replace the old sysmodules with their new counterparts, delete TestMenu, install some misc factory files, then from where it's a mystery, and it ends up on the shelves.
To put it shortly, CTRAging gets overwritten by account.dat and mset. We did overestimate how smart Nintendo could be with CTRAging, but no, it's purely unintentional. It just gets uninstalled too early for the last part to not get overwritten.
As for those who are having problems with the awful program everyone has been using, I made my own. Works in wine too. You need a decrypted CTRNAND for this program to work, and it doesn't accept xorpads yet. You know if your CTRNAND is decrypted because you can find "CTR" and "FAT16" very close to eachother. I attached the program.
PUT THE EXE IN AN EMPTY DIRECTORY BECAUSE IT'LL CREATE A LOT OF FILES! The reason is so that we can catch any duplicate titles and have a chance of one of them being hopefully intact.
Edit3: you can get a decrypted CTRNAND by copying your NAND backup to your 3DS's SDCard, using Godmode9 to mount it, and copy ctrnand_fat.img to /gm9/out
Or alternatively get ninfs (formerly fusectr (?)) at https://github.com/ihaveamac/ninfs#windows and copy ctrnand_fat.img out of there.
Edit2: drag the decrypted CTRNAND file on the exe, it has no GUI. A black window (command prompt) will open, scan your CTRNAND, write lots of files to the disk, then close. This is normal. If no files are made then your CTRNAND is not decrypted.
Edit4:
I made a typo, so the ff.exe in the attachment only dumps CTRAging. DO NOT DELETE YOUR BACKUPS! Keep ctrnand_fat.img until I release a new tool which does forensic analysis on ctrnand_fat.img (instead of just dummy scanning for NCCH) which has a much higher chance of recovering corrupted titles.
Last edited by Sono,
100000h to 11B758h
And those are 100% lost due to being overwritten by account.dat and mset.
That section is actually part of the SDK, but since we don't have any other app compiled with such an old SDK version I don't think it's recoverable.
Nope. Most of the SDK functions are intact. There are actually some CTRAging-unique functions very early in there, like Serial port functions, undocumented MCU stuff, A LOT of test scripts, and other juicy stuff which are lost to the corruption.
There are at least 3 (Possibly 4) versions of CTRAging, but so far we have only managed to recover one version - V3. The cxi size of each version is:-
V1 = 13,821KB
V2 = 14,720KB
V3 = 31,592KB
V3 appears to be exclusive to the N3DS / N3DS XL models, but for the O3DS / O3DS XL / 2DS models the version your system has depends on when it was manufactured, not what type of system it is (So for instance you could have an O3DS with V2 or an O3DS XL with V1, if that was the latest version available when it was manufactured)
I'm guessing that there may even be a V4 on N2DS XL systems, but so far no-one has recovered CTRAging from a N2DS XL.
I had actually been writing up a guide myself which I was hoping could replace the one in the OP, but hadn't got around to posting it yet. I'm sure its not as good as yours, but I may as well post the draft version here as an alternative method, since it may be useful to some people and the more people searching the better chance we have of finding an intact O3DS CTRAging.
What I would really appreciate now is an automated method to check if the 100000h to 11B758h offsets are intact or have been overwritten in the cxi / ncch
V1 = 13,821KB
V2 = 14,720KB
V3 = 31,592KB
V3 appears to be exclusive to the N3DS / N3DS XL models, but for the O3DS / O3DS XL / 2DS models the version your system has depends on when it was manufactured, not what type of system it is (So for instance you could have an O3DS with V2 or an O3DS XL with V1, if that was the latest version available when it was manufactured)
I'm guessing that there may even be a V4 on N2DS XL systems, but so far no-one has recovered CTRAging from a N2DS XL.
Great guide Sono
I had actually been writing up a guide myself which I was hoping could replace the one in the OP, but hadn't got around to posting it yet. I'm sure its not as good as yours, but I may as well post the draft version here as an alternative method, since it may be useful to some people and the more people searching the better chance we have of finding an intact O3DS CTRAging.
-First create a NAND dump with Godmode9
-You can either embed the essential files backup into the NAND as prompted on initial startup, or you can dump the OTP separately using this script:-
https://github.com/16BitWonder/GodMode9-Scripts/releases/download/v3.6/Dump-otp-bin.zip
-On PC use fuse-3ds to mount your NAND backup:-
https://gbatemp.net/threads/tutoria...backups-and-sd-contents-with-fuse-3ds.499994/
-If your NAND dump doesnt have an essential file backup embedded make sure to add your OTP.bin instead
-Mount the backup as a directory into an empty/new folder
-Once mounted copy the ctrnand_full.img to an empty/new folder
-Download and extract ncch_extractor from this post:-
https://gbatemp.net/threads/dumping-super-mario-3d-land-beta.389806/page-3#post-5534055
-Place ncch_extractor.exe in the same folder as your ctrnand_full.img
-Drag and drop ctrnand_full.img on top of ncch extractor.exe
-A long list of cxi files will be created
-Look for a file called either "XX_CTR-P-S300_(JPN).cxi" or "XX_CTR-P-3S00.cxi", the easiest way to find it is to arrange the folder contents by size, as it should be one of the largest files (Between 13,821KB to 31,592KB depending on the version)
-If this cxi exists (In my experience its about a 33% chance) we need to check if the ExeFS portion is "GOOD" and not corrupted
-Download and extract "makerom 0.15 and ctrtool":-
https://github.com/profi200/Project_CTR/releases
-Copy and paste your .cxi into the Windows_x86_64 folder which has makerom.exe and ctrtool.exe inside
-Rename the .cxi to "CTR-P-S300"
-Open a new notepad and copy and paste the following text:-
-Save the notepad as run.bat
-Put the run.bat inside the same folder as your CTR-P-S300.cxi, makerom.exe and ctrtool.exe.
-Double click the run.bat and it will examine the contents of your cxi, the important part is near the end which will tell you if the ExeFS is "GOOD" and hasn't been corrupted. Look for the following lines near the bottom:-
ExeFS:
Section name: .code
Section offset: 0x00000200
Section size: 0x00155fe8
Section hash (FAIL): 0CA01E22A88C94DDD715C409851D2819486E24AB8A76D31754D397C9
Even if your ExeFS is marked as "FAIL" its still worth keeping/uploading your cxi as it may be possible to combine the uncorrupted parts with someone elses ExeFS to create a complete uncorrupted version. You can post your results here, but you cant post the cxi directly since its copyrighted material.
-You can either embed the essential files backup into the NAND as prompted on initial startup, or you can dump the OTP separately using this script:-
https://github.com/16BitWonder/GodMode9-Scripts/releases/download/v3.6/Dump-otp-bin.zip
-On PC use fuse-3ds to mount your NAND backup:-
https://gbatemp.net/threads/tutoria...backups-and-sd-contents-with-fuse-3ds.499994/
-If your NAND dump doesnt have an essential file backup embedded make sure to add your OTP.bin instead
-Mount the backup as a directory into an empty/new folder
-Once mounted copy the ctrnand_full.img to an empty/new folder
-Download and extract ncch_extractor from this post:-
https://gbatemp.net/threads/dumping-super-mario-3d-land-beta.389806/page-3#post-5534055
-Place ncch_extractor.exe in the same folder as your ctrnand_full.img
-Drag and drop ctrnand_full.img on top of ncch extractor.exe
-A long list of cxi files will be created
-Look for a file called either "XX_CTR-P-S300_(JPN).cxi" or "XX_CTR-P-3S00.cxi", the easiest way to find it is to arrange the folder contents by size, as it should be one of the largest files (Between 13,821KB to 31,592KB depending on the version)
-If this cxi exists (In my experience its about a 33% chance) we need to check if the ExeFS portion is "GOOD" and not corrupted
-Download and extract "makerom 0.15 and ctrtool":-
https://github.com/profi200/Project_CTR/releases
-Copy and paste your .cxi into the Windows_x86_64 folder which has makerom.exe and ctrtool.exe inside
-Rename the .cxi to "CTR-P-S300"
-Open a new notepad and copy and paste the following text:-
Code:
@echo off
ctrtool -y CTR-P-S300.cxi
pause-Save the notepad as run.bat
-Put the run.bat inside the same folder as your CTR-P-S300.cxi, makerom.exe and ctrtool.exe.
-Double click the run.bat and it will examine the contents of your cxi, the important part is near the end which will tell you if the ExeFS is "GOOD" and hasn't been corrupted. Look for the following lines near the bottom:-
ExeFS:
Section name: .code
Section offset: 0x00000200
Section size: 0x00155fe8
Section hash (FAIL): 0CA01E22A88C94DDD715C409851D2819486E24AB8A76D31754D397C9
Even if your ExeFS is marked as "FAIL" its still worth keeping/uploading your cxi as it may be possible to combine the uncorrupted parts with someone elses ExeFS to create a complete uncorrupted version. You can post your results here, but you cant post the cxi directly since its copyrighted material.
Last edited by Razor83,
I managed to get old3DS CTRAging v2 working with a broken ROMFS. Sadly it's not possible yet to get v1 working due to all 13 of the dumps I've got having the EXACT SAME corruption at the exact same place, but I managed to bruteforce the code.bin into being functional.
The only thing which crashes (as in, data abort) is the key tests, the rest only do an errF due to a broken ROMFS which I'll try to fix for a video.
Just to save your time, v2 is almost like v3 (new3DS-only), except the camera test is working, and there are some useless tests which are missing from v3.
Video coming soon (albeit it's extremely boring)
The only thing which crashes (as in, data abort) is the key tests, the rest only do an errF due to a broken ROMFS which I'll try to fix for a video.
Just to save your time, v2 is almost like v3 (new3DS-only), except the camera test is working, and there are some useless tests which are missing from v3.
Video coming soon (albeit it's extremely boring)
Nice finding! You can use the ROMFS from the v3 one as iirc it's the same
<celebration>
I would like to thank everyone who has helped me with this project!
Special shoutouts to @ClickCLK and Normatt, without them I would not have been able to do the research required to do this.
</celebration>
Too bad v2 is just a dumbed-down v3 (new3DS). CTRAging v1 is STILL the most interesting CTRAging, as it includes A LOT of stuff which was removed from v2.
Here's the video I promised yesterday:
There's no download link because
1) it's against the forum rules
2) it's pointless, and I showed everything in the video
I would like to thank everyone who has helped me with this project!
Special shoutouts to @ClickCLK and Normatt, without them I would not have been able to do the research required to do this.
</celebration>
Too bad v2 is just a dumbed-down v3 (new3DS). CTRAging v1 is STILL the most interesting CTRAging, as it includes A LOT of stuff which was removed from v2.
Here's the video I promised yesterday:
There's no download link because
1) it's against the forum rules
2) it's pointless, and I showed everything in the video
"pointless"
This app has twl archive access, which could grant cfw access in a homebrew takeover situation.
If this app is signed and legit, it would be very valuable.
Nope. Sadly I had to recreate the NCCH *from scratch* because of how much corruption has infested all of the samples I have.
I had to recreate code.bin from scratch, and it still has some bit errors which don't seem to affect anything. As for the ROMFS, I had to use the files from the public leak of the v3 CTRAging because I only have three v2 samples, and the only one which has a readable ROMFS is missing a lot of files still, and they are also corrupted.
So yeah, sadly this is not usable, we'd need a perfect dump for that.
Similar threads
-
- Article
- No one is chatting at the moment.
-
-
-
-
-
-
-
-
-
-
-
-
@
Xdqwerty:
@Purple_Heart, then I will be actually older than him for a bit (ik thats not how ages work btw) -
-
-
-
-
-
-
-
-
-
-
-
-
