3DS Rom Hacks - Possible?

Discussion in '3DS - Flashcards & Custom Firmwares' started by jonthedit, Nov 3, 2014.

  1. jonthedit

    jonthedit GBAtemp Advanced Maniac

    May 30, 2011
    I am wondering if it is possible yet to extract .3DS content and repack modified files?
    What limitations are there currently, and can someone send me in the right direction for this?
    Margen67 likes this.
  2. endoverend

    endoverend AKA zooksman

    GBAtemp Patron
    endoverend is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    Jun 6, 2013
    United States
    Yes... there was a NSMB2 hack in the form of a .cia. Now that we have devmenu with CFW we can install them.
    Margen67 likes this.
  3. FAST6191

    FAST6191 Techromancer

    pip Reporter
    Nov 21, 2005
    United Kingdom
    Extraction has been possible for a while now (and we have seen plaintext parts of 3ds game data for quite some time before that even), public repacking and executing is somewhat newer. I was thinking about writing a high level overview, partially because a lot of people are asking for it and partially because a lot of what I am seeing is along the lines of "it worked for my ancestors". Likewise 3dbrew do not seem to have anything I can really link to and say "that". They would tell us that it is all there, and they are right, but for this sort of thing you would have to understand aspects of encryption, some general concepts of filesystems and read about six different pages, jumping between them all the time.
    I don't have a 3ds, mainly as I do not think the 3ds has any good games, the hacking work seems much the same as the DS and GBA which still have good games that need work done on them, most commercial devs I liked on the DS and GBA are now mainly doing android and IOS games, homebrew is not likely to take off in the same way as the DS did (IOS was more or less the final nail in the DS' coffin and now android has swallowed IOS), hacking is somewhat undeveloped and being pulled in very odd directions (thankfully we have more or less been spared proper elitism) and I do not predict many things will change here.

    You will need a 4.5 3ds, the as yet unreleased exploits and flash carts compatible with newer firmwares will probably not do you any good here. The new hacked firmware business may see you able to pull a bit more off but most work has gone into gateway and co. Said 4.5 3ds will also be needed to generate the files to decrypt the 3ds games, though some people are variously uploading the keys (which are files the exact same length as the original 3ds ROM and basically a copy of the 3ds ROM so we don't upload them here) known as XORpads and others are uploading the files themselves once extracted.

    On the subject of gateway they have not hacked the firmwares as much as people would like in this regard so things are still a little bit fiddly. There is no great reason for it to be this way (the 4.5 exploits grant basically complete control over the 3ds) but gateway and others have not yet nerfed enough of the security. Equally some of it all seems to involve using several tools in succession.

    What files have been seen largely follow along from previous Nintendo efforts, save for the 3d aspect which is actually fairly well developed, both in terms of what it does vs what the current standards for 3d are (in this case it is a mish mash of the more portable versions of opengl) and in terms of how much reverse engineering/decoding/editing work has gone into the formats (it is probably more developed than a lot of the DS 3d hacking work). To that end if you are familiar with what went for the DS, GC and Wii then you can probably take to the 3ds easily enough.

    Nobody yet seems to have been able to answer me as to whether binaries (exefs, more on that in a moment) are doable, this would open up the door to assembly hacking, cheats* and all sorts of good stuff. In the 3ds the binaries sit somewhat aside from the regular files and have a bit more protection. For the 4.5 family it is entirely possible to operate at this level but whether enough of it has been done is a different matter. At this point I am not sure if I have even seen a plaintext binary as I would probably get over myself enough to do a disassembly and start documenting things. I do not have a good, free, ARM11 disassembler I can link to right now but you can have a read of http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0360f/index.html if you want, there should be a free disassembler you can get working out there somewhere though.

    *editing files can do an awful lot, especially in modern programming where people try to have data and executable code separated, but editing memory, even if it is hard to get memory dumps to scan, is the more traditional method and doable if binaries can be edited.

    Anyway onto the good stuff. This will not be the high level overview I spoke of earlier, mainly as I still have some reading to do and things to get sorted in my head, but quite a lot of the way there.
    http://gbatemp.net/threads/release-3ds_ctr_decryptor-void.370684/ will allow you to decrypt the games, for newer games there is a new form of encryption that 3dbrew called "v7.0 NCCH encryption", those are the keys that leaked the other day ( http://gbatemp.net/threads/3ds-7-x-keys-released.373309/ ) and you may have to combine some stuff to use them for newer games (some people were making new tools later on in that topic and I have not kept up). Some will also use this to reencrypt the games (encrypt with the XORpad) but I hold this is pointless, as do several others, as gateway and co have so called zero key encrypted homebrew support, which in turn can be used to sort ROMs out. The idea being that games have their own keys, however gateway have hacked the firmware such that code encrypted with an all 00 key will run.

    Right now there is no equivalent of ndstool for the 3ds, if you are not familiar with ndstool it was a part of devkitpro but could pull apart commercial ROMs into the files that made them up, allow you to edit them and then repack the ROM such that any crashing was probably your fault*. Coupled with encryption issues it means a lot of people are still doing in place editing and making the edited files the same size (and location**) as the ones that originally were in the ROM. This is good practice for end stage hacks (if I can edit a file in place rather than rebuilding everything for the final hack that I release to the public then I will), however for playing around, initial forays and my internal use I rebuild as it is one less thing I have to worry about.

    *there were a few problems with various games (Mario kart being one of the more notable) and a few bugs along the way, hence people using other tools for a lot of stuff nowadays on the DS.

    **if I need to do something in place but want the freedom of a rebuild I will often change the apparent location of the file to the nice and juicy end of the ROM where are no files and lots of free space. I have not been keeping a close eye on things but I have not seen this on the 3ds either.

    3dbrew links then
    NCCH is the format used by the 3ds for an awful lot of things. The CXI variation is probably the main concern for 3ds hackers working in ROMs (the CFA tends to store non executable stuff).
    Optional parts, though ones the 3ds game hacker is interested in, are the so called ExeFS and RomFS. Remember when I said binaries/executables are kept somewhat apart... this would be the Exe(cutable)F(ile)S(ystem) and ROMFS part of the equation.

    People will be talking about various keys and "keyslots" on the 3ds and the terms can get very confusing, mainly as a lot of them have very similar and very non descriptive names. Between the two pages you should have a rough overview of the keys and the decryption methods involved. Alternatively you can probably ignore a lot of that until you need it (likely never if you only want to edit some files),

    Other good stuff. I include it both because it is under the umbrella of ROM hacking and because they have some more basic examples of the applications of the cryptography involved.
    The title is probably obvious but savegames are very useful in hacking. For the 3ds the saves are protected by the console/firmware, unlike the GBA, DS and most things of that age or older where the dev would have had to implement their own hash/encryption/checksum and further protections. I would not put it past devs to implement their own checks though, especially now save editors like datel's powersaves (it might not allow end user edits but edits still have to happen) and the cybergadget exist.

    "This page describes the format and encryption of extdata, "extra data" stored on SD card and NAND. At: "
    The CIA is an intelligence agency under the purview of the US gover

    Between the two this is what the DLC, the 3dsware, the virtual console emulators (which also have some interesting things to tinker with), parts of the menu itself and more aim to handle. Not sure what goes for the game updates. The CIA stuff is a bit easier to fiddle with hence people getting excited about virtual console injection a little while back, it might also have some future as a simpler way of running things.

    You might also like http://3dbrew.org/wiki/Category:File_formats
    Probably the main one not already mentioned would be RSF which just houses the info on the game (think headers from earlier consoles which covered names, saves and whatever else). However getting one made up for the ROM you are using saves so much hassle (if you see mention of messing with hashes this is what that should avoid), http://3dbrew.org/wiki/Extdata has some more there.

    "Poke your understanding of the concepts involved, I want tools so I can just edit the files"
    Fair enough, it is still early enough in the game that you probably do want an understanding of the concepts involved but you probably can get away with being an instructions follower at this point. Also despite 0 key encryption being possible some people do still use the "XORpad" that the decryption software makes* to encrypt the altered ROM.
    I already linked decryption tools, no way around those or any alternatives really worth linking at this point. Mind you http://3dbrew.org/wiki/3DSExplorer is probably worth having in your collection of tools.

    *in case it was not made clear elsewhere the decryption programs take part of the game, run it through the 3ds' own decryption hardware, spits out a giant file which is actually just the ROM but in such a way that if you XOR it (XOR is just a boolean operation like NAND, NOR and NOT, however it does also double up as a type of encryption) against the original ROM then the plain version pops out. XOR it once and you decrypt a encrypted file, XOR the decrypted file and it is encrypted again. Some of the save stuff used XOR but there is nothing particularly special about XOR here.

    Though I said nothing quite like NDStool has been made this would be heading in that direction. I believe it still struggles to build a ROMFS from scratch so you will have to either do the in place stuff or manually fix the ROMFS if you are going to unpack or change sizes (making a smaller file and padding it back out is entirely acceptable). I am a little bit out of touch here so it could have been fixed since then. There are some RomFS rebuilding tools floating around but apparently they use parts of the leaked SDK so I am not sure what goes.

    Not sure where the current compiled versions are stashed right now.
    makerom does a lot but ctrtool is a bit more geared towards CIA files.

    You might also like
    It is for virtual console injection but it does provide a reasonable overview and pictures of what goes.

    I have just got called away so I will have to leave it there for the time being, and a quick scan of what I wrote says I have teased you with things but actually shown you nothing.... Oh well.
    Celice, gamefan5, gamesquest1 and 4 others like this.
  4. jonthedit

    jonthedit GBAtemp Advanced Maniac

    May 30, 2011

    I am in possession of two 4.5 3DS consoles. Thank you for the information, though I already looked into 3dbrew and your injecting thread a while ago.
    I guess I just need to go ahead and DO something instead of complaining. :P
  5. gamesquest1

    gamesquest1 Nabnut

    GBAtemp Patron
    gamesquest1 is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    Sep 23, 2013
    whilst it may be deemed "pointless"....and it does indeed restrict what you can do to a degree, there is one advantage, as the files are encrypted, distributing a rom patch for a zero keyed rom would mean needing the end user to either decrypt, repack and then patch if you use zero keys, whereas if you manually do the work and rebuild the rom using the original xor pads and limit expanding files and such you can release a perfectly fine patch which is just the size of the patch itself and can be directly applied to a normal rom.......if i zero key repack, i would be pretty much forced to upload virtually the entire rom in order to share my patch, which as you can imagine would be pretty much all of the original copy written code rather than just my patches, so not exactly useless if you intend to share your work and not share an entire rom....but for doing stuff with no intent to share zero key encryption is much easier and has more freedom
  6. FAST6191

    FAST6191 Techromancer

    pip Reporter
    Nov 21, 2005
    United Kingdom
    Perhaps, maybe time to consider a scene rule along the lines of dumped games have to include a XORpad. Dumping would seem to require a homebrew enabled 3ds, only real problem would be the increased archive size.

    Granted something similar was contemplated for Wii games and scrubbing (basic safe scrub* as main archive, files to reform 1:1 dump included as a patch of some form) and that never got far. It is not like pure dumps are required by the scene either.

    *said safe scrub would have been able to run on a plain disc drive modded wii without any kind of software/IOS level hacks as well.
  7. Tomato Hentai

    Tomato Hentai hot death grips singles in your area

    Oct 30, 2014
    I believe so...? Can't CrystalTile open .3DS roms?​
  8. FAST6191

    FAST6191 Techromancer

    pip Reporter
    Nov 21, 2005
    United Kingdom
    If you feed it a decrypted 3ds ROM it can probably do some stuff -- it has a hex editor that works well enough, its 2d image editing is probably extensible enough that you can do something with it (to say nothing of it probably all being similar enough to the GBA and DS before it), possibly its compression facilities (you can expand a few things though it is mainly GBA and DS LZ rather than the newer stuff seen thus far on the 3ds) and definitely some of its text editing functionality.
    However you will need a decrypted ROM in the first place and I doubt CT2's auto filesystem stuff will handle a proper ROMFS or CXI format 3ds ROM.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice