Homebrew Official [Download] Decrypt9 - Open Source Decryption Tools (WIP)

  • Thread starter: d0k3
  • Views: 935,413
  • Replies: 4,476
  • Likes: 71
@Shadowtrance, @dark_samus3, @Apache Thunder and everyone else dabbling around in the dark and dangerous art of OTP dumping, I made a little something that may help streamline the OTP dumping process in the future.

I did some basic testing, but without a hardmod and with only an N3DS at my disposal I can't test everything, of course.

This is what this can / should do:
  • Dump the OTP.bin (0x100 or 0x108)
  • On-the-fly switching of the CTRNAND crypto slot 0x4 -> 0x5 or slot 0x5 -> 0x4
  • Dumping the NCSD NAND header
  • Inject the NCSD NAND header
  • Includes a basic set of Decrypt9WIP functionality, including...
  • ... dumping / injecting the cryptoswitched CTRNAND partition!
This is what needs testing:
  • Dumping the NAND header on O3DS (not dangerous!)
  • OTP Dumping, cryptoswitching, injecting the NAND header
  • Dumping / injecting the cryptoswitched CTRNAND partition
The code is rather simple, so I'm pretty sure we won't need a whole lot of testing, but I still need to refine some stuff until this can have a proper release.
I guess that the process could be done on Kernel9 like this (remove useless steps for O3DS/2DS):
  1. Make sure WiFi is enabled
  2. Dumping NAND (2 files: originalNAND, 2.1NAND)
  3. Extracting CTRNAND
  4. Generating 0x4 and 0x5 CTRNAND xorpads and FIRM0+FIRM1 xorpads
  5. Decrypting CTRNAND with 0x5 xorpad
  6. Installing CIAs to the CTRNAND, installing the older FIRMs
  7. Injecting browser configuration and default page into CTRNAND
  8. Encrypting CTRNAND with 0x4 xorpad into 2.1NAND
  9. Patching the NCSD header of 2.1NAND
  10. Reinjecting into 2.1NAND
  11. Preparing Spider 2.1 payloads on the SD
  12. Flashing NAND with 2.1NAND
  13. Rebooting
  14. User launches Spider 2.1 => Exploiting + RSA_VERIFY => dumping OTP + flashing back originalNAND
  15. Done
If this could help :) There are some steps that check things like WiFi for N3DS, and things like that.
 
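Added example, not Decrypt9 or OTPHelper code, illustrating two points of the procedure above. Steps 4, 5 and 8 (decrypt CTRNAND with the 0x5 xorpad, re-encrypt with the 0x4 xorpad) collapse into one XOR with the XOR of the two pads, because both keyslots use CTR mode; and the "magic number" sanity check mentioned later in the thread can be done on the PC side before a 2.1 image is flashed. The keyslot keys, the keystream construction (SHA-256 in counter mode standing in for the console's AES-CTR) and the NAND image are all constructed stand-ins; the NCSD layout assumed ("NCSD" at 0x100, u32 LE size in 0x200-byte media units at 0x104) is my reading of the format, not something the posts state.

```python
"""Cryptoswitch algebra and an NCSD magic check (added example, stand-in data)."""
import hashlib
import os
import struct

NCSD_MAGIC_OFFSET = 0x100   # ASSUMPTION: 0x100-byte signature, then "NCSD"
MEDIA_UNIT = 0x200          # ASSUMPTION: NCSD sizes are counted in 0x200-byte units


def xorpad(slot_key: bytes, ctr: int, length: int) -> bytes:
    """Stand-in for a keyslot xorpad (a CTR-mode keystream).

    ASSUMPTION: real pads come from the console's AES keyslots 0x4/0x5;
    SHA-256(key || counter) is used here only so the example runs offline.
    The cryptoswitch identity below holds for any CTR-mode keystream."""
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hashlib.sha256(slot_key + (ctr + block).to_bytes(16, "big")).digest()
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xorpad length must match data length")
    return bytes(x ^ y for x, y in zip(a, b))


def cryptoswitch(ciphertext: bytes, pad_from: bytes, pad_to: bytes) -> bytes:
    """Move CTR-encrypted data from one keyslot to another in a single pass:
    C_to = (C_from ^ pad_from) ^ pad_to = C_from ^ (pad_from ^ pad_to)."""
    return xor_bytes(ciphertext, xor_bytes(pad_from, pad_to))


def ncsd_header_sane(image: bytes) -> bool:
    """Magic-number sanity check of a NAND image's NCSD header.

    Only proves the header is well-formed and the image is at least as
    large as the header declares; it says nothing about bootability."""
    if len(image) < MEDIA_UNIT or len(image) % MEDIA_UNIT:
        return False
    if image[NCSD_MAGIC_OFFSET:NCSD_MAGIC_OFFSET + 4] != b"NCSD":
        return False
    (units,) = struct.unpack_from("<I", image, NCSD_MAGIC_OFFSET + 4)
    return units > 0 and units * MEDIA_UNIT <= len(image)


def build_test_image(ctrnand_ct: bytes) -> bytes:
    """Constructed NAND image: one 0x200-byte NCSD header, then CTRNAND data."""
    header = bytearray(MEDIA_UNIT)
    total = MEDIA_UNIT + len(ctrnand_ct)
    header[NCSD_MAGIC_OFFSET:NCSD_MAGIC_OFFSET + 4] = b"NCSD"
    struct.pack_into("<I", header, NCSD_MAGIC_OFFSET + 4, total // MEDIA_UNIT)
    return bytes(header) + ctrnand_ct


def demo() -> dict:
    plain = os.urandom(4 * MEDIA_UNIT)                 # stand-in CTRNAND plaintext
    key4, key5 = b"slot4-stand-in", b"slot5-stand-in"  # constructed, not console keys
    ctr = 0x0123456789ABCDEF
    pad4 = xorpad(key4, ctr, len(plain))
    pad5 = xorpad(key5, ctr, len(plain))
    enc5 = xor_bytes(plain, pad5)               # as written by an N3DS (slot 0x5)
    enc4 = cryptoswitch(enc5, pad5, pad4)       # what a slot-0x4 (2.1) NAND needs
    good = build_test_image(enc4)
    bad = bytearray(good)
    bad[NCSD_MAGIC_OFFSET:NCSD_MAGIC_OFFSET + 4] = b"XXXX"
    return {
        "switch_matches_direct": enc4 == xor_bytes(plain, pad4),
        "roundtrip_back_to_slot5": cryptoswitch(enc4, pad4, pad5) == enc5,
        "good_header_sane": ncsd_header_sane(good),
        "bad_magic_sane": ncsd_header_sane(bytes(bad)),
        "truncated_sane": ncsd_header_sane(good[:-MEDIA_UNIT]),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the procedure: with the 0x4 and 0x5 xorpads for the same region in hand, the cryptoswitch is one XOR over the CTRNAND partition and never needs the plaintext to touch disk. The magic check is cheap and catches a header that was never injected or an image cut short, but as d0k3 says below it is nowhere near a bootability test.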
Is there any way that a special OTP-dump tool might include a "bootability" test of the 2.1 EmuNAND (for O3DS and N3DS)? Since we can't actually boot the EmuNAND, it would be great if some 'sanity tests' could be performed before the step of flashing it to SysNAND.
 
LoL

 
Oh well... What exactly is it that you are trying to do here? You need to use ncchinfo_gen.py with the 3DS / NCCH files that you want to generate XORpads for. I'd recommend you have a look at the readme and / or your tutorial of choice before moving on.
I was attempting to cryptofix the two games I posted earlier. Should've read the readme from Decrypt9WIP first before starting.
 
Is there any way that a special OTP-dump tool might include a "bootability" test of the 2.1 EmuNAND (for O3DS and N3DS)? Since we can't actually boot the EmuNAND, it would be great if some 'sanity tests' could be performed before the step of flashing it to SysNAND.
Well, we're working on it, at least via some magic number checking (which isn't anywhere near 100% safe). The holy grail of this would be booting the 2.1 image in EmuNAND, of course, so that nothing could break, but that's not possible now.

Nice, but I'd say you need to better align the text. Some of the menu options are too long ;).
 
Nice, but I'd say you need to better align the text. Some of the menu options are too long ;).

That is a test, I need to correct some texts.
 
When I try to decrypt the recent Pokemon Red CIA:
Opening /D9Game ...
Processing CIA "0004000000171000.cia"
Pass #1: CIA decryption...
Decrypting Content 1 of 2 (6MB)...
Verifying decrypted content...
Verified OK!
Decrypting Content 2 of 2 (2MB)...
Verifying decrypted content...
Verified OK!
Pass #2: NCCH decryption...
Processing Content 1 of 2 (6MB)...
Code / Crypto: CTR-P-RCQA / 7x Seed
Seed not found in seeddb.bin!
Failed!
Processing Content 2 of 2 (2MB)...
Code / Crypto: CTR-P-CTAP / Seed
Seed not found in seeddb.bin!
Failed!
Recalculating TMD hashes...
Failed!
CIA Decryptor (deep): failed!

Press B to return, START to reboot.
How can I get that missing seed?
 
Oh.
Thanks, I will try.

Go to the game page on eshop > update seeddb in Decrypt9.
Still not working.
TitleID of Red is 17C1
Using EmuNAND @ 26C000/000000
Searching for seedsave...
CTR start 0x080D8BBC
Found at 260E8000, size 688kB
Opening seeddb.bin ...
Found 000400000017C100 seed (duplicate)
Found 000400000017C100 seed (duplicate)
Found 0004000000183800 seed (new)
Found 1 new seeds, 360 total
Update SeedDB: succeeded!

Press B to return, START to reboot.

Opening /D9Game ...
Processing CIA "Red.cia"
Pass #1: CIA decryption...
Decrypting Content 1 of 2 (6MB)...
Verifying decrypted content...
Verified OK!
Decrypting Content 2 of 2 (2MB)...
Verifying decrypted content...
Verified OK!
Pass #2: NCCH decryption...
Processing Content 1 of 2 (6MB)...
Code / Crypto: CTR-P-RCQA / 7x Seed
Seed not found in seeddb.bin!
Failed!
Processing Content 2 of 2 (2MB)...
Code / Crypto: CTR-P-CTAP / Seed
Seed not found in seeddb.bin!
Failed!
Recalculating TMD hashes...
Failed!
CIA Decryptor (deep): failed!

Press B to return, START to reboot.
 
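Added example, not Decrypt9 code: a PC-side parser for seeddb.bin, so that after an "Update SeedDB" run like the one above one can check whether the title ID the CIA decryptor reports actually has a seed in the file, rather than relying on the updater's "found" lines. The format assumed here (a 16-byte header holding a u32 LE entry count and 12 bytes of padding, followed by 0x20-byte entries of u64 LE title ID, 16-byte seed and 8 reserved bytes) is my understanding of the Decrypt9/GodMode9 seeddb layout, not something stated in the thread. The seeddb built in `demo()` is constructed in memory with dummy seeds; the title IDs are the ones from the log.

```python
"""Parse and query a seeddb.bin (added example, assumed format, constructed data)."""
import struct

# ASSUMPTION: header = u32 LE entry count + 12 bytes padding (16 bytes total)
SEEDDB_HEADER = struct.Struct("<I12x")
# ASSUMPTION: entry = u64 LE title ID, 16-byte seed, 8 reserved bytes (32 bytes)
SEEDDB_ENTRY = struct.Struct("<Q16s8x")


def parse_seeddb(blob: bytes) -> dict:
    """Return {title_id_int: seed_bytes}. The first entry for a title wins;
    later ones are what the updater log calls "(duplicate)"."""
    if len(blob) < SEEDDB_HEADER.size:
        raise ValueError("seeddb.bin is shorter than its 16-byte header")
    (count,) = SEEDDB_HEADER.unpack_from(blob, 0)
    needed = SEEDDB_HEADER.size + count * SEEDDB_ENTRY.size
    if len(blob) < needed:
        raise ValueError(f"header declares {count} entries but the file is truncated")
    seeds = {}
    for i in range(count):
        tid, seed = SEEDDB_ENTRY.unpack_from(blob, SEEDDB_HEADER.size + i * SEEDDB_ENTRY.size)
        seeds.setdefault(tid, seed)
    return seeds


def build_seeddb(entries) -> bytes:
    """Serialise (title_id_int, 16-byte seed) pairs in the assumed format.
    Used here only to construct test data."""
    entries = list(entries)
    blob = bytearray(SEEDDB_HEADER.pack(len(entries)))
    for tid, seed in entries:
        if len(seed) != 16:
            raise ValueError("seed must be 16 bytes")
        blob += SEEDDB_ENTRY.pack(tid, seed)
    return bytes(blob)


def lookup_seed(blob: bytes, title_id_hex: str):
    """Seed for a title ID given as the 16-hex-digit string Decrypt9 prints
    (e.g. '000400000017C100'), or None if the file has no entry for it."""
    return parse_seeddb(blob).get(int(title_id_hex, 16))


def demo() -> dict:
    """Rebuild the state the updater log describes, with constructed dummy seeds."""
    seed_a = bytes(range(16))        # constructed, not a real seed
    seed_b = bytes(range(16, 32))    # constructed, not a real seed
    blob = build_seeddb([
        (0x000400000017C100, seed_a),
        (0x000400000017C100, seed_a),    # the "(duplicate)" lines in the log
        (0x0004000000183800, seed_b),    # the "(new)" line in the log
    ])
    return {
        "distinct_titles": len(parse_seeddb(blob)),
        "seed_17C100": lookup_seed(blob, "000400000017C100"),
        "seed_171000": lookup_seed(blob, "0004000000171000"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

Run it against a real seeddb.bin by reading the file into `blob` and calling `lookup_seed(blob, "<title ID from the 'Processing CIA' line>")`: if that returns None, the updater's output and the CIA's title ID do not line up, and the decryption failure is a lookup problem rather than a crypto one.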
Just leave Uncart where it is, imo, as Uncart...
That is all...

Also @d0k3 what else is on the list, that isn't at the bottom?
This stuff:
  • I need to inspect the FIRM 1.0 CIA files. For some reason they don't properly decrypt on Decrypt9. Need to find out why.
  • ... and there is still trouble with the seeddb updater (look a few posts above). I'm starting to suspect Nintendo is deliberately obfuscating the format of the seedsave. One way or the other, I want to take a look. Maybe it is still fixable.
  • Well, and then there's GodMode9 (the all access file explorer). In fact, we will soon have a proof of concept.
  • .... and I'm waiting for testers to give me feedback on OTPHelper. Will see what I still have to fix in this.
 
