Hacking (4.x only) CIA CFW Complete Guide

[Subtle Demise]

If you properly decrypt a 3DS rom, you can use ctr_makecia32.exe to convert it to a cia. Now don't go looking for it on here or any public site because you won't find it.

 

[KazoWAR]

make_cia is a open source alternative to ctr_makecia32, has anyone tried it out?

https://gbatemp.net/threads/where-ctr-toolkit-sits-in-the-scheme-of-things.353276/

 

[The Real Jdbye]

It seems like anybody who actually knows how to convert 3ds to cia isn't going to share it with the public.

Hmmm, what does this remind me of?

I haven't actually tried to do it yet but I'm pretty confident I could pull it off. However I don't feel like going through the ordeal of restarting my 3DS about a million times just to test it. But if I do it, I'll post how to here.

 

[schuko1982]

I haven't actually tried to do it yet but I'm pretty confident I could pull it off. However I don't feel like going through the ordeal of restarting my 3DS about a million times just to test it. But if I do it, I'll post how to here.

Thank you

 

[PieFace]

well even after doing everything number of time, failed to connect is the farthest I reach

Try opening and closing the browser first

 

[CalebW]

Don't use 3DSExplorer for extracting anything. Ever.

What do you use for extraction? I'm using the latest ctrtool from git and whenever I try to extract a 3ds file using "ctrtool -p Rom.3ds" I get:

Spoiler

ctrtool -p LM-AGGE.3DS
Header:                NCSD
Signature:              53DAD3611C2BE666D600C528B078491A04AC60580225C2079567F5ABEB1E8867
                        08A5C89C7093E9DB869F04B7B376815DA7068392B2738AF62433017AD56A1BFA
                        880051D61C8C313321384622EBF1B2E3EC9FB104FE11F57B024ECA8EFE9E700A
                        75429911CDBC67F89F85ED9708944F2B94700CBF1914C134D020826240DA4252
                        A7ABCD5ECEA7A05291A9A1F281EF7EA5F4F15AEBEEB2D31051FD97DC02632476
                        48F413469D96F8B09E38D1E79DA8E5AA86DF3BC8573CC0855DDE02A0DCDD56B6
                        F5B95302BD319A394CD83D5CC23956D9D164C9F9C5D785A4A3C21D5CBF326E68
                        8BB2F67DAC1CC6DF62EBF667391A286F5E8F6C8FDF33618F46A36A797F2546FE
Media size:            0x00200000
Media id:              0004000000055f00
 
Partition 0   
Id:                    005F050000000400
Area:                  0x00004000-0x32AE7000
Filesystem:            00
Encryption:            00
 
Partition 1   
Id:                    005F050000000500
Area:                  0x32AE7000-0x32BB3000
Filesystem:            00
Encryption:            00
 
Partition 2   
Id:                    005F050000000600
Area:                  0x32BB3000-0x34AC7000
Filesystem:            00
Encryption:            00
 
Partition 7   
Id:                    005F050000005010
Area:                  0x34AC7000-0x368EC200
Filesystem:            00
Encryption:            00
 
Extended header hash:  0000000000000000000000000000000000000000000000000000000000000000
Additional header size: 00000000
Sector zero offset:    00000000
Flags:                  0000000101010000
> Mediaunit size:      0x200
> Mediatype:          Card1
> Card Device:        NorFlash
 
NCCH:
Header:                NCCH
Signature:              4C945FBBE9BAE703275A7B5F206F2F3C571E32AE130D81300C7A096FBA708CDE
                        43DB8BB62893880B81707EA5146593635FFEB1FA299C096955CC3AA342688475
                        655F5FA0B71468754D27D5A0E99EA5ADC867FF81A74543046F7BC79A4ABDB013
                        57D00536C274BD1C2E0A43F5ACE1E1EAE9EBCB9343A8E634C7E936AAE86654E2
                        FA85490DD552D0671342CAB73B687995566B140714BB4EDC43E40FF13BFBC107
                        C2277F8D72FB0FD5304E5B781D547C9AE56B8D2BBFF2FEAA53FB39B6398E0914
                        7BB0C97FF9A324D17F3112507CAAFA952849A0ECD52DE5CC68220D8C5EF51871
                        1B2133BD5ACE677779AAF362F59B3A695E0224F639A3A1A25857EEC6136E40B8
Content size:          0x32ae3000
Partition id:          0004000000055f00
Maker code:            3130
Version:                0002
Program id:            0004000000055f00
Logo hash:              0000000000000000000000000000000000000000000000000000000000000000
Product code:          CTR-P-AGGE
Exheader size:          00000400
Exheader hash:          68B2AD896D4B391AA7DF8420B2525B143F70F15D07EC06092D1B653C1FE60BAE
Flags:                  0000030100000000
> Mediaunit size:      0x200
> Crypto key:          Secure
> Form type:          Executable content
> Content type:        Application
> Content platform:    CTR
Plain region offset:    0x00004a00
Plain region size:      0x00000200
Logo offset:            0x00000000
Logo size:              0x00000000
ExeFS offset:          0x00004c00
ExeFS size:            0x0051ca00
ExeFS hash region size: 0x00000200
RomFS offset:          0x00522000
RomFS size:            0x325c5000
RomFS hash region size: 0x00000200
ExeFS Hash:            FE051B716884E5FC5A9FBA765DFD3801423EBDA63F6F4824AD50CD8D259534E2
RomFS Hash:            CD72A467011B48887376703948210BAB1D3796EC15C3B3215678B7D219C5212D
Error, exheader hash mismatch. Wrong key?

EDIT: I added -v to the above command and then I see at the very top.

Could not load keyset file "keys.xml", error: Failed to open file.

 

[piratesephiroth]

What do you use for extraction? I'm using the latest ctrtool from git and whenever I try to extract a 3ds file using "ctrtool -p Rom.3ds" I get:

Spoiler

ctrtool -p LM-AGGE.3DS
Header:                NCSD
Signature:              53DAD3611C2BE666D600C528B078491A04AC60580225C2079567F5ABEB1E8867
                        08A5C89C7093E9DB869F04B7B376815DA7068392B2738AF62433017AD56A1BFA
                        880051D61C8C313321384622EBF1B2E3EC9FB104FE11F57B024ECA8EFE9E700A
                        75429911CDBC67F89F85ED9708944F2B94700CBF1914C134D020826240DA4252
                        A7ABCD5ECEA7A05291A9A1F281EF7EA5F4F15AEBEEB2D31051FD97DC02632476
                        48F413469D96F8B09E38D1E79DA8E5AA86DF3BC8573CC0855DDE02A0DCDD56B6
                        F5B95302BD319A394CD83D5CC23956D9D164C9F9C5D785A4A3C21D5CBF326E68
                        8BB2F67DAC1CC6DF62EBF667391A286F5E8F6C8FDF33618F46A36A797F2546FE
Media size:            0x00200000
Media id:              0004000000055f00
 
Partition 0 
Id:                    005F050000000400
Area:                  0x00004000-0x32AE7000
Filesystem:            00
Encryption:            00
 
Partition 1 
Id:                    005F050000000500
Area:                  0x32AE7000-0x32BB3000
Filesystem:            00
Encryption:            00
 
Partition 2 
Id:                    005F050000000600
Area:                  0x32BB3000-0x34AC7000
Filesystem:            00
Encryption:            00
 
Partition 7 
Id:                    005F050000005010
Area:                  0x34AC7000-0x368EC200
Filesystem:            00
Encryption:            00
 
Extended header hash:  0000000000000000000000000000000000000000000000000000000000000000
Additional header size: 00000000
Sector zero offset:    00000000
Flags:                  0000000101010000
> Mediaunit size:      0x200
> Mediatype:          Card1
> Card Device:        NorFlash
 
NCCH:
Header:                NCCH
Signature:              4C945FBBE9BAE703275A7B5F206F2F3C571E32AE130D81300C7A096FBA708CDE
                        43DB8BB62893880B81707EA5146593635FFEB1FA299C096955CC3AA342688475
                        655F5FA0B71468754D27D5A0E99EA5ADC867FF81A74543046F7BC79A4ABDB013
                        57D00536C274BD1C2E0A43F5ACE1E1EAE9EBCB9343A8E634C7E936AAE86654E2
                        FA85490DD552D0671342CAB73B687995566B140714BB4EDC43E40FF13BFBC107
                        C2277F8D72FB0FD5304E5B781D547C9AE56B8D2BBFF2FEAA53FB39B6398E0914
                        7BB0C97FF9A324D17F3112507CAAFA952849A0ECD52DE5CC68220D8C5EF51871
                        1B2133BD5ACE677779AAF362F59B3A695E0224F639A3A1A25857EEC6136E40B8
Content size:          0x32ae3000
Partition id:          0004000000055f00
Maker code:            3130
Version:                0002
Program id:            0004000000055f00
Logo hash:              0000000000000000000000000000000000000000000000000000000000000000
Product code:          CTR-P-AGGE
Exheader size:          00000400
Exheader hash:          68B2AD896D4B391AA7DF8420B2525B143F70F15D07EC06092D1B653C1FE60BAE
Flags:                  0000030100000000
> Mediaunit size:      0x200
> Crypto key:          Secure
> Form type:          Executable content
> Content type:        Application
> Content platform:    CTR
Plain region offset:    0x00004a00
Plain region size:      0x00000200
Logo offset:            0x00000000
Logo size:              0x00000000
ExeFS offset:          0x00004c00
ExeFS size:            0x0051ca00
ExeFS hash region size: 0x00000200
RomFS offset:          0x00522000
RomFS size:            0x325c5000
RomFS hash region size: 0x00000200
ExeFS Hash:            FE051B716884E5FC5A9FBA765DFD3801423EBDA63F6F4824AD50CD8D259534E2
RomFS Hash:            CD72A467011B48887376703948210BAB1D3796EC15C3B3215678B7D219C5212D
Error, exheader hash mismatch. Wrong key?

EDIT: I added -v to the above command and then I see at the very top.

Could not load keyset file "keys.xml", error: Failed to open file.

ctrtool -p --exheader=exheader.bin --romfs=romfs.bin --exefs=exefs.bin --logo=logo.bin your_rom.3ds

 

[X_Frost]

Forgive me if I missed this. Since this requires a NAND copy, can this be performed on Gateway's emunand? I know that GW blocks dev access when loading as a .3ds , but I'm not sure if that's from the card or if it's the NAND that access is restricted

My question is, can this be done on gateways emunand provided I have eshop access.

 

[piratesephiroth]

Forgive me if I missed this. Since this requires a NAND copy, can this be performed on Gateway's emunand? I know that GW blocks dev access when loading as a .3ds , but I'm not sure if that's from the card or if it's the NAND that access is restricted

My question is, can this be done on gateways emunand provided I have eshop access.

it only works with a 4.5 NAND.bin

 

[X_Frost]

it only works with a 4.5 NAND.bin

So I can't make a backup up of my emunand using emunand tool and do the same process as if it was a 4.5 nand?

 

[pLaYeR^^]

How can i make .3ds files to .cia files and install via devmenu? Which tools do i need and which commands?

 

[piratesephiroth]

So I can't make a backup up of my emunand using emunand tool and do the same process as if it was a 4.5 nand?

nope. You'll have to make a 4.5 emunand.

 

[CalebW]

ctrtool -p --exheader=exheader.bin --romfs=romfs.bin --exefs=exefs.bin --logo=logo.bin your_rom.3ds

Thanks, that worked. But logo.bin is empty...so why do you extract it? I thought the logo.bin was in the exefs(or exheader, forgot which) so you could only extract it once it's been decrypted...

 

[vittorio]

I can not run a well- CFW , after starting the run.bat the CFW is no longer

 

[GorTesK]

i allowed don't worry

noone cares, what you allow
those links are illegal, asking for them is not allowed

 

[palantine]

Just want everyone to know my philosophy as a developer: release everything open source.

I will never ever keep anything I work on private unless I think it could cause a brick.

 

[vittorio]

help me to patch gatewaynand

 

[piratesephiroth]

Thanks, that worked. But logo.bin is empty...so why do you extract it? I thought the logo.bin was in the exefs(or exheader, forgot which) so you could only extract it once it's been decrypted...

Yeah, old games (before 5.0, I guess) have logo.bin inside the exefs. Trying to extract it from the rom like that will result in 0 byte file since it isn't there.

 

[asesin22]

only gateway damm and mt card why not -_-

 

[CalebW]

Yeah, old games (before 5.0, I guess) have logo.bin inside the exefs. Trying to extract it from the rom like that will result in 0 byte file since it isn't there.

Ok, and what does the rsf file have to look like for each game?