ROM Hack [Wip Release] ctrcdnfetch - Tool to download 3DS eshop content after 11.8

[luigoalma]

Hello everyone, I've made a tool for downloading content from 3DS's eshop after the 11.8 update.
Like other tools (example, cearp's FunkyCIA), it allows an user to do a download backup of their purchased content from the eshop.

The tool however, will require you to provide a signed ticket that will get sent to nintendo servers, as the server-side checks won't let without one or with an unsigned ticket access content. The tool itself does perform signature checks before accessing content. (And if you're curious, no, a ticket for A title won't work for B title, even if sign, can't access if title id is unmatching between the ticket and content.) But eshop tickets do contain console and account ids, so careful.
The tool is open source under MIT and provided here, and I will also provide built releases for Windows (and Mac once I've got an environment setup for building).

I've provided explanation on README.md but will give a short explanation on how to use it, either you grab a built release or built it yourself and having tool on path:
1. Open the terminal/command line
2. Having tool on path (or current directory on windows cmd, not powershell), type: ctrcdnfetch pathtoyourticketfile
3. Let it work, it will check and start downloading if possible.

The tool currently lets you also do --proxy if you need one to access the internet at all or whatever is a user's reason to use one, in that case, a user may do for example:
ctrcdnfetch --proxy https://exampleuser:[email protected]:1234 pathtoyourticketfile

The tool will also take multiple ticket files, so you can list them on arguments and it will go one by one.
However the tool doesn't create cias for you yet, you'll need make_cdn_cia to make them for you (as for now).
The resulting cias are installable since it produces a cetk that will allow to make a cia that won't prevent installation. Except if --use-for-cetk is used, in that case it will use your original ticket to make a cetk.
Tickets like preinstall non unique console ones are always used since they already don't stop you from installing a cia made from them.

Downloads end up on the currently active folder on your terminal, each title ending up on a folder named after it's title id read from the ticket.

That's all for now, hope it's of use!

Edited for new details on new code addition! Need to grab new build or source though.

 

[Olmectron]

Cool. I got a huge library of games to backup in my eShop account.

 

[brunocar]

nice, i really didnt want to use eshop, can i buy games somewhere else and then use this?

 

[luigoalma]

nice, i really didnt want to use eshop, can i buy games somewhere else and then use this?

currently, i believe that's no way?
you still would need a valid signed ticket to access contents, so....

 

[ThoD]

This seems like an EXTREMELY niece way of doing things, since downloading legit titles can very easily just be done straight through the eshop. Only advantage I see this having is to avoid losing DLC of games/apps that are the kind to get auto-deleted if pirated (eg: SwapDoodle)... Any reasons besides that for anyone to choose this over straight up downloading directly from the eshop normally?

 

[luigoalma]

This seems like an EXTREMELY niece way of doing things, since downloading legit titles can very easily just be done straight through the eshop. Only advantage I see this having is to avoid losing DLC of games/apps that are the kind to get auto-deleted if pirated (eg: SwapDoodle)... Any reasons besides that for anyone to choose this over straight up downloading directly from the eshop normally?

Paranoia, paranoid users of entering the eshop of risk of being banned because they pirated before.
Even tho this will send tickets that came from the console as well, even if i'm trying to keep tool matching a 3ds on requested access, you know, theres always a bit of risk. Unless the console preinstalled tickets i suppose?
Also, it won't send ticket at all to nintendo servers if it's not signed, while eshop may. (i haven't tested if eshop does or not and don't really fully want to, considered it's sending to nintendo. e~e)

 

[yonaikerlol]

Hello everyone, I've made a tool for downloading content from 3DS's eshop after the 11.8 update.
Like other tools (example, cearp's FunkyCIA), it allows an user to do a download backup of their purchased content from the eshop.

The tool however, will require you to provide a signed ticket that will get sent to nintendo servers, as the server-side checks won't let without one or with an unsigned ticket access content. The tool itself does perform signature checks before accessing content. (And if you're curious, no, a ticket for A title won't work for B title, even if sign, can't access if title id is unmatching between the ticket and content.) But eshop tickets do contain console and account ids, so careful.
The tool is open source under MIT and provided here, and I will also provide built releases for Windows (and Mac once I've got an environment setup for building).

I've provided explanation on README.md but will give a short explanation on how to use it, either you grab a built release or built it yourself and having tool on path:
1. Open the terminal/command line
2. Having tool on path (or current directory on windows cmd, not powershell), type: ctrcdnfetch pathtoyourticketfile
3. Let it work, it will check and start downloading if possible.

The tool currently lets you also do --proxy if you need one to access the internet at all or whatever is a user's reason to use one, in that case, a user may do for example:
ctrcdnfetch --proxy https://exampleuser:[email protected]:1234 pathtoyourticketfile

The tool will also take multiple ticket files, so you can list them on arguments and it will go one by one.
However the tool doesn't create cias for you yet, you'll need make_cdn_cia to make them for you (as for now).

Downloads end up on the currently active folder on your terminal, each title ending up on a folder named after it's title id read from the ticket.

That's all for now, hope it's of use!

I can use this with external download manager, like aria2c?

 

[luigoalma]

I can use this with external download manager, like aria2c?

i, don't think so? it's an individual tool itself, and what does is access cdn normally, but with ticket encrypted and wrapped in headers, with ticket checks and so on so access is not rejected.
But i also I'm not sure how those download managers work soooo..

 

[yonaikerlol]

i, don't think so? it's an individual tool itself, and what does is access cdn normally, but with ticket encrypted and wrapped in headers, with ticket checks and so on so access is not rejected.
But i also I'm not sure how those download managers work soooo..

Seeing the code, it reads the .tik, and then encrypts it in Base64, and it downloads with the Curl library, right?

But this information is sent through the HTTP protocol, so I guess the information will be sent in the Headers, right?
X-Authentication-Key and X-Authentication-Data Header's.

 

[yonaikerlol]

Sorry for the multipost, but when installing the cia generated by this program, I get error of the Certificate in the FBI.

I tried to download it with aria2c, extracting the base64 headers, and it worked, but when compiling it with make_cdn_cia, I got an error that the cetk did not find, and the cetk did not exist (404) in the title that I am downloading

 

[luigoalma]

Sorry for the multipost, but when installing the cia generated by this program, I get error of the Certificate in the FBI.

I tried to download it with aria2c, extracting the base64 headers, and it worked, but when compiling it with make_cdn_cia, I got an error that the cetk did not find, and the cetk did not exist (404) in the title that I am downloading

I was about to reply to your question earlier but i'll reply to this one first
CETK is ticket basically
And yes it errors right now, there's a reason, AM throws an error at cia files with unique tickets, eshop ones, instead of universally signed like a system title ticket
so you'd need to change hex edit the cia file in one spot (around ticket region) and 0 out the console id info of the ticket or run make_cdn_cia with a fabricated CETK instead of original ticket file, something I'm yet to implement onto the code to do for the user

--------------------- MERGED ---------------------------

Seeing the code, it reads the .tik, and then encrypts it in Base64, and it downloads with the Curl library, right?

But this information is sent through the HTTP protocol, so I guess the information will be sent in the Headers, right?
X-Authentication-Key and X-Authentication-Data Header's.

To explain basically the process of it
Read and check the ticket file, loading it to a buffer and checking signature, and reading Title ID to know what to download
If properly signed, we take the ticket, encrypt it with AES-CBC 128 bit with two randomly generated 128 bit values (a Key and an IV), then grab both key and iv and put them together, since they don't use the normal PKCS1 v1.5 padding on the console when padding for RSA encryption of the two, I imitated the actual padding done in the console and then encrypted with rsa raw padding. Then both after encrypted are formatted into Base64, the encrypted key and iv are sent in X-Authentication-Key and encrypted ticket (by that key and iv) is sent in X-Authentication-Data in http headers when accessing the title content.
The Public RSA Key used is from 11.8 NFIRM since it was introduced on this version.

 

[yonaikerlol]

I was about to reply to your question earlier but i'll reply to this one first
CETK is ticket basically
And yes it errors right now, there's a reason, AM throws an error at cia files with unique tickets, eshop ones, instead of universally signed like a system title ticket
so you'd need to change hex edit the cia file in one spot (around ticket region) and 0 out the console id info of the ticket or run make_cdn_cia with a fabricated CETK instead of original ticket file, something I'm yet to implement onto the code to do for the user

--------------------- MERGED ---------------------------

How can I make a cetk with make_cdn_cia?
I also have ctrtool, 3dstool, just in case.

This is cetk? http://ccs.cdn.c.shop.nintendowifi.net/ccs/download/0004013800000002/cetk

To explain basically the process of it
Read and check the ticket file, loading it to a buffer and checking signature, and reading Title ID to know what to download
If properly signed, we take the ticket, encrypt it with AES-CBC 128 bit with two randomly generated 128 bit values (a Key and an IV), then grab both key and iv and put them together, since they don't use the normal PKCS1 v1.5 padding on the console when padding for RSA encryption of the two, I imitated the actual padding done in the console and then encrypted with rsa raw padding. Then both after encrypted are formatted into Base64, the encrypted key and iv are sent in X-Authentication-Key and encrypted ticket (by that key and iv) is sent in X-Authentication-Data in http headers when accessing the title content.
The Public RSA Key used is from 11.8 NFIRM since it was introduced on this version.

Wow, I think I understood, thanks.

 

[luigoalma]

How can I make a cetk with make_cdn_cia?
I also have ctrtool, 3dstool, just in case.

The program makes one with your ticket on the folder unless it encounters an issue
if so, on windows, check %appdata%\3ds, if not existant, check %userprofile%\.3ds, if also non existant check %userprofile%\3ds, and find the file named "CA00000003-XS0000000c.bin", downloaded along this process from a cetk of a system title, which is the same issuer. (on mac check ~/Library/Application Support/3ds, ~/.3ds and ~/3ds. Any others just check in ~/.3ds and ~/3ds)
Hexedit a copy of your target ticket, glue the ticket and CA00000003-XS0000000c.bin together IF your ticket is 848 bytes long (first ticket data, then CA00000003-XS0000000c.bin following it after), if it's 2640 bytes, it already is set to go then. (Ninty only uses one key to sign tickets on 3ds currently)
Go to offset 0x1D0 and set 12 bytes in hex to 00, and also at offset 0x21C set also to 00 4 bytes.
Once done, save as a new copy, that's your CETK and should be 2640 bytes long.
If need clarification, ask >~<

 

[yonaikerlol]

The program makes one with your ticket on the folder unless it encounters an issue
if so, on windows, check %appdata%\3ds, if not existant, check %userprofile%\.3ds, if also non existant check %userprofile%\3ds, and find the file named "CA00000003-XS0000000c.bin", downloaded along this process from a cetk of a system title, which is the same issuer. (on mac check ~/Library/Application Support/3ds, ~/.3ds and ~/3ds. Any others just check in ~/.3ds and ~/3ds)
Hexedit a copy of your target ticket, glue the ticket and CA00000003-XS0000000c.bin together IF your ticket is 848 bytes long (first ticket data, then CA00000003-XS0000000c.bin following it after), if it's 2640 bytes, it already is set to go then. (Ninty only uses one key to sign tickets on 3ds currently)
Go to offset 0x1D0 and set 12 bytes in hex to 00, and also at offset 0x21C set also to 00 4 bytes.
Once done, save as a new copy, that's your CETK and should be 2640 bytes long.
If need clarification, ask >~<

Ok, I have a file in ~/.3ds, called CA00000003-XS0000000c.bin

It has a length of 1792 bytes, I open it in Vim (with the command %!xxd for Hex editor), and what do I do?

I did not understand very well.

 

[luigoalma]

Ok, I have a file in ~/.3ds, called CA00000003-XS0000000c.bin

It has a length of 1792 bytes, I open it in Vim (with the command %!xxd for Hex editor), and what do I do?

I did not understand very well.

I'm assuming you're on linux or mac
check your ticket size, it should be 848 bytes
if that's correct, run cat yourtikfile ~/.3ds/CA00000003-XS0000000c.bin > yourtitleidfoldertarget/CETK
this will glue the two
get an hex editor if you don't have (these are binary files, not text, don't use vim) and, "Go to offset 0x1D0 and set 12 bytes in hex to 00, and also at offset 0x21C set also to 00 4 bytes." on the produced CETK file

 

[yonaikerlol]

I'm assuming you're on linux or mac
check your ticket size, it should be 848 bytes
if that's correct, run cat yourtikfile ~/.3ds/CA00000003-XS0000000c.bin > yourtitleidfoldertarget/CETK
this will glue the two
get an hex editor if you don't have (these are binary files, not text, don't use vim) and, "Go to offset 0x1D0 and set 12 bytes in hex to 00, and also at offset 0x21C set also to 00 4 bytes."

It worked, thank you very much

 

[Aletron9000]

Sorry to bump a thread that has been inactive for about a month, but this seems important. I noticed that when the application downloads dlc, it downloads all the dlc for that title. Since the application sends the console unique ticket with account information, Nintendo can see that the account that is associated with the ticket being used does not own the dlc being downloaded. This could be used for banning. Just be cautious using this tool.

 

[luigoalma]

Sorry to bump a thread that has been inactive for about a month, but this seems important. I noticed that when the application downloads dlc, it downloads all the dlc for that title. Since the application sends the console unique ticket with account information, Nintendo can see that the account that is associated with the ticket being used does not own the dlc being downloaded. This could be used for banning. Just be cautious using this tool.

indeed, it does, that's part of why i have a warning on the README.md

 

[redunka]

Well, unless there's some way to read from the ticket which content is actually owned (if it even stores such info)…
Maybe make a change to download only content with index 0 by default as a precaution?
Nintendo usually gives away that "meta" content for free when one visits DLC shop ingame (how generous), so it should be somewhat less dangerous.
The ability to download all of the content may be optional this way, by adding something like "--download-all", for example.
Just a wild (and probably stupid) idea. ¯\(ツ)/¯

 

[botik]

I want to make an analogue of the program in Python. I have a question. What data from the original ticket should be sent to the Nintendo server so that it allowed downloading the content?