ROM Hack Any way to dump N3DS firmware xorpads?

Wowfunhappy

Well-Known Member
OP
Member
Joined
May 14, 2008
Messages
578
Trophies
0
XP
420
Country
United States
I hate making threads like this—I know they don't usually amount to anything—but it's been driving me somewhat crazy over the past few days. With the recent Gateway release, the one big thing we still aren't able to do on the N3DS is decrypt the firmware. I know KARL3DS has a working tool, but that appears to still be quite far away from a release.

I'm assuming no one has found a tool that will work? And is there anyone who is working on one?

Edit: I'm referring to CTR-NAND Xorpads, on the N3DS. If a mod could change the topic title to make this more clear that would be great!
 

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,857
Country
United States
We may or may not even end up including it in our final launcher since it doesn't really have any use to end-users. That being said, if anyone ever ends up shipping anything with arm9 exec on N3DS, everything you need to make arm9 xorpads is here.

I actually personally documented a bunch of that since yellows8 seemed to want to keep a bunch of info private or something.
 

powersaver

Well-Known Member
Member
Joined
Mar 15, 2015
Messages
297
Trophies
0
XP
118
Country
United States
I have my own donor system and I'm still trying to figure this out, can someone let me know?

We won't be able to region change a N3DS with 'SecureInfo_A' from an old3DS until arm9 exec and the tool WulfyStylez mentioned is released? These are the only roadblocks?
 

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,857
Country
United States
I have my own donor system and I'm still trying to figure this out, can someone let me know?

We won't be able to region change a N3DS with 'SecureInfo_A' from an old3DS until arm9 exec and the tool WulfyStylez mentioned is released? These are the only roadblocks?

CTR-NAND xorpads are what you need for region changes, and that's a feature we will be including in KARL3DS. Wowfunhappy is asking about decrypting the ARM9 portion of New 3DS NATIVE_FIRM. That's something we won't be supporting since we won't be allowing people to run their own FIRMs for obvious reasons; but you can generate them with working ARM9 access through some other code if you really need them.
 

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,646
Trophies
2
XP
7,910
Country
Tuvalu
FunkyCIA, so we can make backups of our shop content, needs the ticket.db from the nand. Xorpads are very useful, even if you provide a ticket dumper
 

Wowfunhappy

Well-Known Member
OP
Member
Joined
May 14, 2008
Messages
578
Trophies
0
XP
420
Country
United States
We may or may not even end up including it in our final launcher since it doesn't really have any use to end-users. That being said, if anyone ever ends up shipping anything with arm9 exec on N3DS, everything you need to make arm9 xorpads is here.
That's... disappointing to say the least. I'll admit the reason I want this is to do region changes, but I want to do it to SysNand (which I'd assume isn't something you'd want to support). I really don't want to wait another month either...

For whatever it's worth, I'd absolutely be willing to put up a bounty for something like this. If everything really is documented already...
 

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,857
Country
United States
That's... disappointing to say the least. I'll admit the reason I want this is to do region changes, but I want to do it to SysNand (which I'd assume isn't something you'd want to support). I really don't want to wait another month either...

For whatever it's worth, I'd absolutely be willing to put up a bounty for something like this. If everything really is documented already...

Wait, huh? You don't need the firmware xorpad to do region swaps, period. Generating CTR-NAND xorpads is what you need. That's totally supported through us, as I said before.
 

mvmiranda

Well-Known Member
Member
Joined
Oct 29, 2013
Messages
1,448
Trophies
0
Age
40
Location
Brazil, Sao Paulo
Website
www.gamemod.com.br
XP
1,487
Country
Brazil
I was wondering if there is already a method to extract NAND XORPADS for N3DS?
I want to transfer my OLD 3DS XL content to my N3DS not using the system transfer
I want to extract the XORPADS and FAT16 partition of my O3DS emuNAND, get the NAND based saves, extract the XORPADS and FAT16 partition of my N3DS emuNAND and inject the saves I got earlier, then rexor, reinject FAT16 partition into my N3DS emuNAND and inject back to my micro SD... I guess that will work...

I'm doing this because I've screwed up sys transfer and now I have to wait 7 days until I can try again :P

BTW, I've done this before but with O3DS.
 

Apache Thunder

I have cameras in your head!
Member
Joined
Oct 7, 2007
Messages
4,294
Trophies
3
Age
35
Location
Levelland, Texas
Website
www.mariopc.co.nr
XP
6,215
Country
United States
I was wondering if there is already a method to extract NAND XORPADS for N3DS?
I want to transfer my OLD 3DS XL content to my N3DS not using the system transfer
I want to extract the XORPADS and FAT16 partition of my O3DS emuNAND, get the NAND based saves, extract the XORPADS and FAT16 partition of my N3DS emuNAND and inject the saves I got earlier, then rexor, reinject FAT16 partition into my N3DS emuNAND and inject back to my micro SD... I guess that will work...

I'm doing this because I've screwed up sys transfer and now I have to wait 7 days until I can try again :P

BTW, I've done this before but with O3DS.


What you are wanting to do doesn't appear to be possible. I had tried to restore my friend code from a dump of my 3DS before it got bricked. The guy I sold it too was able to unbrick it and sent me the decrypted dump. But the Movable.sed file appears to be the issue.

Part of the KeyY string in the Movable.sed has to be updated to match the new console's unique KeyY. The rest of the key determines the encryption for the contends of the "data" folder in the NAND partitition. (this also controls encryption of SD card content). So you can't just move that folder from your old image to the new 3DS image with having it go through System Transfer. The end result will be it simply rejecting the data folder contents and ending up with a factory reset state where it asks for your information as if you just formatted it.

Also modifying the movable.sed with the correct key appears to break signature checks of the file. Because of this, modifying the file bricks emunand (and would brick the console if you attempted this on sysnand). So no way to manually move your data over unfortunately.

Perhaps someone can code a tool to import export sysdata/extdata from the data partition using homebrew as I've seen on 3DBrew that there is a service command that is available for apps to use to access that data. But this content is beyond the reach of SaveDataFiler, so you can't use that one to access it. Someone will need to make homebrew or Arm9 homebrew to decrypt/encrypt it. (rxTools might provide this I hope?)

But the friend code appears to be derived from the keyY stored in the movable.sed. Because of this, I'm SOL because I can't modify the file.

The only real solution would be to patch out signecture checks for NAND/system files. Something Gateway hasn't done yet. (thus no custom SecureInfo_A file or modified movable.sed file. Also the reason you can't install custom themes via CIAs right now. :(
 

mvmiranda

Well-Known Member
Member
Joined
Oct 29, 2013
Messages
1,448
Trophies
0
Age
40
Location
Brazil, Sao Paulo
Website
www.gamemod.com.br
XP
1,487
Country
Brazil
What you are wanting to do doesn't appear to be possible. I had tried to restore my friend code from a dump of my 3DS before it got bricked. The guy I sold it too was able to unbrick it and sent me the decrypted dump. But the Movable.sed file appears to be the issue.

Part of the KeyY string in the Movable.sed has to be updated to match the new console's unique KeyY. The rest of the key determines the encryption for the contends of the "data" folder in the NAND partitition. (this also controls encryption of SD card content). So you can't just move that folder from your old image to the new 3DS image with having it go through System Transfer. The end result will be it simply rejecting the data folder contents and ending up with a factory reset state where it asks for your information as if you just formatted it.

Also modifying the movable.sed with the correct key appears to break signature checks of the file. Because of this, modifying the file bricks emunand (and would brick the console if you attempted this on sysnand). So no way to manually move your data over unfortunately.

Perhaps someone can code a tool to import export sysdata/extdata from the data partition using homebrew as I've seen on 3DBrew that there is a service command that is available for apps to use to access that data. But this content is beyond the reach of SaveDataFiler, so you can't use that one to access it. Someone will need to make homebrew or Arm9 homebrew to decrypt/encrypt it. (rxTools might provide this I hope?)

But the friend code appears to be derived from the keyY stored in the movable.sed. Because of this, I'm SOL because I can't modify the file.

The only real solution would be to patch out signecture checks for NAND/system files. Something Gateway hasn't done yet. (thus no custom SecureInfo_A file or modified movable.sed file. Also the reason you can't install custom themes via CIAs right now. :(


This is what I already did and worked (but for the same console)
http://gbatemp.net/threads/tutorial...tain-old-data-like-mii-streetpass-etc.380678/

But thinking twice, you're right, there's the SD card encrypted saves I'll also need to move and that I cannot decrypt, right?
 

liomajor

Well-Known Member
Member
Joined
Jun 10, 2008
Messages
1,468
Trophies
0
XP
1,369
Country
United States
eShop Saves o3DS > SDF > new3DS

As for files inside nand, what we can do is very limited and most of it to the same 3DS without breaking RSA signing.
 

Apache Thunder

I have cameras in your head!
Member
Joined
Oct 7, 2007
Messages
4,294
Trophies
3
Age
35
Location
Levelland, Texas
Website
www.mariopc.co.nr
XP
6,215
Country
United States
This is what I already did and worked (but for the same console)
http://gbatemp.net/threads/tutorial...tain-old-data-like-mii-streetpass-etc.380678/

But thinking twice, you're right, there's the SD card encrypted saves I'll also need to move and that I cannot decrypt, right?

You can manually transfer data over if it's the same console as the KeyY string won't have to be modified. The console will accept it just fine and you can move your content over from one emunand image to another. (don't forget you probably need to copy over the dbs folder as well as that contains your title keys)

SD card content is also encrypted using part of the KeyY string stored in the movable.sed file. If you are doing this on the same console, moving the file along with the other needed files to a new emunand image will allow your SD content to work in that emunand image. (notice how the folder found inside the "data" folder has the really long file name and it matches the filename of the folder in the Nintendo 3DS folder of your SD card. This is how you know which SD card content your current emunand image will use. ;) )

But from one console to another. It has to go through System Transfer currently as the movable.sed file needs to be modified to work on the new console and currently can't be done manually without breaking the file's signature.
 
  • Like
Reactions: mvmiranda

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,646
Trophies
2
XP
7,910
Country
Tuvalu
I'm interested in fat16 xorpads too.

Maybe we can get cearp to create a full fledged .db editor capeable of inject/remove content, at least this would be awesome! ^^

sure it would be nice, i have thought about a whole ticket.db editor, although i don't know what the rest of the file is made up of... i guess i can try and have a look one day. i hope it is not signed :D
 

You may also like...

General chit-chat
Help Users
    ZhiShuiTingLan @ ZhiShuiTingLan: QAQ