Homebrew [Request] CTRAging (3ds debug app) research.

Razor83
I managed to get old3DS CTRAging v2 working with a broken ROMFS. Sadly it's not possible yet to get v1 working due to all 13 of the dumps I've got having the EXACT SAME corruption at the exact same place, but I managed to bruteforce the code.bin into being functional.
The only thing which crashes (as in, data abort) is the key tests, the rest only do an errF due to a broken ROMFS which I'll try to fix for a video.
Just to save your time, v2 is almost like v3 (new3DS-only), except the camera test is working, and there are some useless tests which are missing from v3.

Video coming soon (albeit it's extremely boring)
Great to hear you got v2 working Sono, even if it's not as interesting as v1.

I would love to know more about how you got v2 working - did you perform hex comparisons with v3 to manually repair the corrupted areas?

Also just a random thought I had - do dev consoles go through the exact same factory installation procedure as retail consoles, or is it slightly different? If so might a dev console be more likely to have CTRAging v1 intact?

Sono
I would love to know more about how you got v2 working - did you perform hex comparisons with v3 to manually repair the corrupted areas?

I don't have any v3 dumps, only the publicly leaked v3 version (N3DSEncrypted_CTRAging.cia), so I can't really compare it against it, considering how awfully unstable v3 is, which makes me think that the dump still includes some sort of corruption in its codebin.
However, thanks to @PabloMK7 's suggestion, I was able to get almost everything working using the ROMFS from v3, except key test (all of the tests crash or hang, so they were skipped in the video), and the LCD test slightly below it (which is missing a top.bmp).

I got v2 code working by a lot of bruteforcing and manual work. I did write 3 tools to help me with doing 13-way data comparison, but otherwise it's a very manual process of sitting in HxD, copypasting chunks of data from 13 files into a dummy file, doing more stuff with it on the other 2 tools, then putting it into IDA to see if the disassembly is valid or not.
Repeat this until you recognize the CTRSDK _start sequence and you find SVC 3 as the last branch to signal success.

My only enemies are bit corruptions though. For some dumps they are almost identical, except some BITS are different from the rest of the files. Due to almost all bit combinations creating valid disassembly which makes sense, it's impossible to 100% recreate the original code without some sort of reference (at which point you'd use the reference instead of just makeshifting up all this contraption).

Also just a random thought I had - do dev consoles go through the exact same factory installation procedure as retail consoles, or is it slightly different? If so might a dev console be more likely to have CTRAging v1 intact?

I'm pretty sure dev consoles (especially early ones) contain more goodies than a retail console, but good luck finding one which has NEVER EVER been turned on. Remember, if you get to see the setup screen then you know you're screwed, and you'll never be able to recover exefs from the NCCH.
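The multi-way comparison described above, as an added example that is not part of the original post: a per-byte majority vote across N dumps, a per-bit vote for the single-bit-flip case where no whole byte wins, and a report of the offsets that still need manual checking in a disassembler. The sample dumps are constructed, not real CTRAging data.

```python
from collections import Counter


def vote_reconstruct(dumps, min_agree):
    """Majority byte per offset; also return offsets with < min_agree votes."""
    n = min(len(d) for d in dumps)
    image = bytearray(n)
    ambiguous = []
    for off in range(n):
        counts = Counter(d[off] for d in dumps)
        byte, votes = counts.most_common(1)[0]
        image[off] = byte
        if votes < min_agree:
            ambiguous.append((off, dict(counts)))
    return bytes(image), ambiguous


def bit_vote(dumps, off):
    """Per-bit majority at one offset, for the single-bit-flip case where
    no whole byte wins a clear majority."""
    result = 0
    for bit in range(8):
        ones = sum((d[off] >> bit) & 1 for d in dumps)
        if ones * 2 > len(dumps):
            result |= 1 << bit
    return result


def corrupted_ranges(ambiguous):
    """Merge ambiguous offsets into contiguous [start, end) ranges."""
    ranges = []
    for off, _ in ambiguous:
        if ranges and ranges[-1][1] == off:
            ranges[-1][1] = off + 1
        else:
            ranges.append([off, off + 1])
    return [tuple(r) for r in ranges]


# Constructed sample (not real CTRAging data): five copies of a 16-byte
# region; dumps 1-3 each flip one bit at offset 4, dump 4 has 8..12 overwritten.
CLEAN = bytes.fromhex("e92d4010eb00002ae8bd4010e12fff1e")
SAMPLE_DUMPS = [
    CLEAN,
    CLEAN[:4] + bytes([CLEAN[4] ^ 0x01]) + CLEAN[5:],
    CLEAN[:4] + bytes([CLEAN[4] ^ 0x02]) + CLEAN[5:],
    CLEAN[:4] + bytes([CLEAN[4] ^ 0x04]) + CLEAN[5:],
    CLEAN[:8] + b"\xff" * 4 + CLEAN[12:],
]

if __name__ == "__main__":
    image, amb = vote_reconstruct(SAMPLE_DUMPS, min_agree=3)
    for off, counts in amb:
        print(f"0x{off:04x}: {counts} -> bit vote 0x{bit_vote(SAMPLE_DUMPS, off):02x}")
```

Offsets where a whole byte still wins a clear majority (dump 4's overwritten block) are silently repaired; only the bit-flip offset is reported for manual review.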

Sono
I have hard evidence to back up my claim that dumping CTRAging v1 is impossible.

Looking at each encrypted NCCH (I have no idea why I have 3 decrypted NCCHs, or why they are decrypted in the first place) I have noticed that 0x1000 to 0x6000 and 0x8000 to 0xE000 are consistently corrupted with valid data. Inspecting the data more closely, it confirms that it's BOSS savedata. This is confirmed by a FAT inspection (/DATA/<ID>/SYSDATA/00010034/00000000), and the fact that a SAVE header is present right above the CTRAging NCCH.

Looking at the data even more closely I noticed that a lot of times the CTRAging data is overwritten in the middle by random system applications (like Download Play, News applet, Home Menu), but there was this one lucky dump where there was a CVer title in the middle of the CTRAging dump. Dumping it reveals that CTRAging v1.00 still ships even with 4.2.0-U systems (assuming it was factory 4.2.0 and not updated), so there is still some slight hope of finding a dump where the BOSS savedata hasn't overwritten the two regions mentioned above.

But yeah, unless there is some lucky 3DS out there where the BOSS savedata hasn't trolled itself into the start of CTRAging v1 then there is no way to ever finish the reconstruction of CTRAging v1. The rest of the code has been reconstructed, except where those two troll corruptions happen.

Razor83
But yeah, unless there is some lucky 3DS out there where the BOSS savedata hasn't trolled itself into the start of CTRAging v1 then there is no way to ever finish the reconstruction of CTRAging v1. The rest of the code has been reconstructed, except where those two troll corruptions happen.
Might you know exactly when the BOSS (SpotPass) savedata is created? Is it in the factory, upon initial system setup, or after activating SpotPass in a game? Just trying to work out if there's even a chance we could recover CTRAging v1.

Sono
Might you know exactly when the BOSS (SpotPass) savedata is created? Is it in the factory, upon initial system setup, or after activating SpotPass in a game? Just trying to work out if there's even a chance we could recover CTRAging v1.

I don't know because apparently all CTRAging dumps are from 3DSes which were sadly already turned on. By doing a shallow analysis on the BOSS data, it seems like there is a ~66% chance that the BOSS data is created during the initial setup (by the user, that is, not from the factory), so recovery might be possible.

piratesephiroth
I don't know because apparently all CTRAging dumps are from 3DSes which were sadly already turned on. By doing a shallow analysis on the BOSS data, it seems like there is a ~66% chance that the BOSS data is created during the initial setup (by the user, that is, not from the factory), so recovery might be possible.
So a hardmod is required

PabloMK7
I've successfully restored the home menu banner. It was an early format, so the home menu was not able to read it.

HI_Ricky
Is the 3ds part of the unit? Does it come with a cartridge? Does it come with an installed app? This is the first time I see one of these. :P
Yes, the 3DS is part of the unit, used to display messages. No idea what app is installed on there; the screen on boot-up is user mode, dev menu (meaning it's not a normal 3DS system).