Any way to dump N3DS firmware xorpads?

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by Wowfunhappy, Mar 15, 2015.

  1. Wowfunhappy
    OP

    I hate making threads like this—I know they don't usually amount to anything—but it's been driving me somewhat crazy over the past few days. With the recent Gateway release, the one big thing we still aren't able to do on the N3DS is decrypt the firmware. I know KARL3DS has a working tool, but that appears to still be quite far away from a release.

    I'm assuming no one has found a tool that will work? And is there anyone who is working on one?

    Edit: I'm referring to CTR-NAND Xorpads, on the N3DS. If a mod could change the topic title to make this more clear that would be great!
     
  2. WulfyStylez

    We may or may not even end up including it in our final launcher since it doesn't really have any use to end-users. That being said, if anyone ever ends up shipping anything with arm9 exec on N3DS, everything you need to make arm9 xorpads is here.

    I actually personally documented a bunch of that since yellows8 seemed to want to keep a bunch of info private or something.
     
  3. powersaver

    I have my own donor system and I'm still trying to figure this out, can someone let me know?

    We won't be able to region change an N3DS with 'SecureInfo_A' from an old3DS until arm9 exec and the tool WulfyStylez mentioned are released? These are the only roadblocks?
     
  4. WulfyStylez

    CTR-NAND xorpads are what you need for region changes, and that's a feature we will be including in KARL3DS. Wowfunhappy is asking about decrypting the ARM9 portion of New 3DS NATIVE_FIRM. That's something we won't be supporting since we won't be allowing people to run their own FIRMs for obvious reasons; but you can generate them with working ARM9 access through some other code if you really need them.
     
  5. narutonic

    We can dump ticket.db of N3DS?
     
  6. cearp

    FunkyCIA, so we can make backups of our shop content, needs the ticket.db from the nand. Xorpads are very useful, even if you provide a ticket dumper
     
  7. narutonic

    Too bad.
    To do a legit cia of MM. Maybe in 2 months...
     
  8. Wowfunhappy
    OP

    That's... disappointing to say the least. I'll admit the reason I want this is to do region changes, but I want to do it to SysNand (which I'd assume isn't something you'd want to support). I really don't want to wait another month either...

    For whatever it's worth, I'd absolutely be willing to put up a bounty for something like this. If everything really is documented already...
     
  9. WulfyStylez

    Wait, huh? You don't need the firmware xorpad to do region swaps, period. Generating CTR-NAND xorpads is what you need. That's totally supported through us, as I said before.
     
  10. Wowfunhappy
    OP

    Oops, I got the terminology wrong then. I said firmware because the files the firmware loads are stored in the NAND. Sorry for the confusion.
     
  11. cearp

    ah ok, good :)
     
  12. mvmiranda

    I was wondering if there is already a method to extract NAND XORPADS for N3DS?
    I want to transfer my OLD 3DS XL content to my N3DS not using the system transfer.
    I want to extract the XORPADS and FAT16 partition of my O3DS emuNAND, get the NAND based saves, extract the XORPADS and FAT16 partition of my N3DS emuNAND and inject the saves I got earlier, then rexor, reinject FAT16 partition into my N3DS emuNAND and inject back to my micro SD... I guess that will work...

    I'm doing this because I've screwed up sys transfer and now I have to wait 7 days until I can try again :P

    BTW, I've done this before but with O3DS.
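
The XOR and re-XOR step of the workflow described in the post above, as an added example that is not part of the original post. It assumes a xorpad is a keystream XORed byte-for-byte with the partition image; the pads and the two-sector image are constructed samples, not real dumps, and all function names are hypothetical.

```python
import hashlib
import struct

SECTOR = 512

def sample_pad(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for a xorpad file: a deterministic byte stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def apply_xorpad(data: bytes, pad: bytes) -> bytes:
    """XOR an image with a pad; the same call decrypts and re-encrypts."""
    if len(pad) < len(data):
        raise ValueError("xorpad is shorter than the partition image")
    return bytes(d ^ p for d, p in zip(data, pad))

def looks_like_fat16(image: bytes) -> bool:
    """Boot-sector plausibility check to run before touching any files."""
    if len(image) < SECTOR:
        return False
    bytes_per_sector = struct.unpack_from("<H", image, 11)[0]
    return (image[510:512] == b"\x55\xaa"
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and image[54:62] == b"FAT16   ")

def sample_partition() -> bytes:
    """Constructed two-sector image with a minimal FAT16-style boot sector."""
    boot = bytearray(SECTOR)
    struct.pack_into("<H", boot, 11, 512)   # bytes per sector
    boot[54:62] = b"FAT16   "               # file system type label
    boot[510:512] = b"\x55\xaa"             # boot sector signature
    return bytes(boot) + b"save placeholder".ljust(SECTOR, b"\x00")

def roundtrip_demo() -> dict:
    pad = sample_pad(b"matching pad", 2 * SECTOR)
    other = sample_pad(b"non-matching pad", 2 * SECTOR)
    encrypted = apply_xorpad(sample_partition(), pad)
    plain = apply_xorpad(encrypted, pad)
    edited = plain.replace(b"placeholder", b"replacement")  # same length
    return {
        "plain_ok": looks_like_fat16(plain),
        "wrong_pad_ok": looks_like_fat16(apply_xorpad(encrypted, other)),
        "reinjected_ok": apply_xorpad(apply_xorpad(edited, pad), pad) == edited,
        "size_kept": len(edited) == len(encrypted),
    }
```

Checking the boot sector after the first XOR catches a pad that does not match the image before any files are extracted or injected.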
     
  13. Apache Thunder


    What you are wanting to do doesn't appear to be possible. I had tried to restore my friend code from a dump of my 3DS before it got bricked. The guy I sold it to was able to unbrick it and sent me the decrypted dump. But the Movable.sed file appears to be the issue.

    Part of the KeyY string in the Movable.sed has to be updated to match the new console's unique KeyY. The rest of the key determines the encryption for the contents of the "data" folder in the NAND partition. (This also controls encryption of SD card content.) So you can't just move that folder from your old image to the new 3DS image without having it go through System Transfer. The end result will be it simply rejecting the data folder contents and ending up with a factory reset state where it asks for your information as if you just formatted it.

    Also modifying the movable.sed with the correct key appears to break signature checks of the file. Because of this, modifying the file bricks emunand (and would brick the console if you attempted this on sysnand). So no way to manually move your data over unfortunately.

    Perhaps someone can code a tool to import export sysdata/extdata from the data partition using homebrew as I've seen on 3DBrew that there is a service command that is available for apps to use to access that data. But this content is beyond the reach of SaveDataFiler, so you can't use that one to access it. Someone will need to make homebrew or Arm9 homebrew to decrypt/encrypt it. (rxTools might provide this I hope?)

    But the friend code appears to be derived from the keyY stored in the movable.sed. Because of this, I'm SOL because I can't modify the file.

    The only real solution would be to patch out signature checks for NAND/system files. Something Gateway hasn't done yet. (Thus no custom SecureInfo_A file or modified movable.sed file. Also the reason you can't install custom themes via CIAs right now.) :(
     
  14. liomajor

    I'm interested in fat16 xorpads too.

    Maybe we can get cearp to create a full-fledged .db editor capable of inject/remove content, at least this would be awesome! ^^
     
  15. mvmiranda


    This is what I already did and worked (but for the same console)
    http://gbatemp.net/threads/tutorial...tain-old-data-like-mii-streetpass-etc.380678/

    But thinking twice, you're right, there's the SD card encrypted saves I'll also need to move and that I cannot decrypt, right?
     
  16. liomajor

    eShop Saves o3DS > SDF > new3DS

    As for files inside nand, what we can do is very limited and most of it to the same 3DS without breaking RSA signing.
     
  17. Apache Thunder

    You can manually transfer data over if it's the same console as the KeyY string won't have to be modified. The console will accept it just fine and you can move your content over from one emunand image to another. (don't forget you probably need to copy over the dbs folder as well as that contains your title keys)

    SD card content is also encrypted using part of the KeyY string stored in the movable.sed file. If you are doing this on the same console, moving the file along with the other needed files to a new emunand image will allow your SD content to work in that emunand image. (notice how the folder found inside the "data" folder has the really long file name and it matches the filename of the folder in the Nintendo 3DS folder of your SD card. This is how you know which SD card content your current emunand image will use. ;) )

    But from one console to another, it has to go through System Transfer currently as the movable.sed file needs to be modified to work on the new console and currently can't be done manually without breaking the file's signature.
     
  18. cearp

    sure it would be nice, i have thought about a whole ticket.db editor, although i don't know what the rest of the file is made up of... i guess i can try and have a look one day. i hope it is not signed :D