Hacking GATEWAY PUBLIC RELEASE 2.6

[KennyMckormick]

Guys, if you want to install some of the developer applications, you'll have to decrypt the csu files included with the leaked SDK, and repack them with a proper exheader. It's really not hard...

So what, decrypt using ncch decrypter and repack and then inject a proper exheader using some of the tools that have been floating around?

 

[liomajor]

EDIT:


The tools I used aren't public. They're not Nintendo's tools either. I did use the CSU.

Will they get public? We want a working SaveDataFiler with working Cart ability

 

[Huntereb]

They're encrypted? I thought they weren't.

The "csu" versions have been recompiled to work properly on normal systems. That's why the only Dev Menu we're able to install is the 2.3.4 one, because that's the only one we have in csu format.

 

[The Real Jdbye]

They are encrypted with zero keys, which can be decrypted with CTRtool on the fly.

Isn't zero keys what we want to use anyway? Or do CIA files need to be completely decrypted?

The "csu" versions have been recompiled to work properly on normal systems. That's why the only Dev Menu we're able to install is the 2.3.4 one, because that's the only one we have in csu format.

That didn't really have anything to do with my question...


So if ctrtool decrypts zero-key encrypted files on the fly, do any of you have any idea what I'm doing wrong? I'm getting an "INVALID_ARGUMENT" error on installing it in DevMenu. Is it my rsf file?

Spoiler

BasicInfo:
Title : "SaveDataFiler" #edit
CompanyCode : "01"
ProductCode : "SaveDataFiler" #edit
ContentType : Application
Logo : Licensed # Nintendo / Licensed / Distributed / iQue / iQueForSystem

RomFs:
# Specifies the root path of the file system to include in the ROM.
#HostRoot : "decrypted/romfs"


TitleInfo:
UniqueId : 0xff40a #edit
Category : Application

CardInfo:
MediaSize : 2GB # 128MB / 256MB / 512MB / 1GB / 2GB / 4GB #edit
MediaType : Card1 # Card1 / Card2
CardDevice : NorFlash # NorFlash(Pick this if you use savedata) / None #Choose None if it's a card2 game

Option:
UseOnSD : true # true if App is to be installed to SD
FreeProductCode : true # Removes limitations on ProductCode
MediaFootPadding : true # If true CCI files are created with padding
EnableCrypt : true # Enables encryption for NCCH and CIA
EnableCompress : true # Compresses exefs code

ExeFs: # these are the program segments from the ELF, check your elf for the appropriate segment names
ReadOnly:
- .rodata
- RO
ReadWrite:
- .data
- RO
Text:
- .init
- .text
- STUP_ENTRY

PlainRegion: # only used with SDK ELFs
- .module_id

AccessControlInfo:
#UseExtSaveData : true
#ExtSaveDataId: 0xff40a #edit, same as UniqueId
#SystemSaveDataId1: 0x00000000 # plaintext exheader
#SystemSaveDataId2: 0x00000000 # plaintext exheader
#OtherUserSaveDataId1: 0x00000 # plaintext exheader
#OtherUserSaveDataId2: 0x00000 # plaintext exheader
#OtherUserSaveDataId3: 0x00000 # plaintext exheader
#UseOtherVariationSaveData : false

SystemControlInfo:
SaveDataSize: 1MB
RemasterVersion: 0
StackSize: 0x40000

# DO NOT EDIT BELOW HERE OR PROGRAMS WILL NOT LAUNCH (most likely)

AccessControlInfo:
FileSystemAccess:
- CategorySystemApplication
- CategoryHardwareCheck
- CategoryFileSystemTool
- Debug
- TwlCardBackup
- TwlNandData
- Boss
- DirectSdmc
- Core
- CtrNandRo
- CtrNandRw
- CtrNandRoWrite
- CategorySystemSettings
- CardBoard
- ExportImportIvs
- DirectSdmcWrite
- SwitchCleanup
- SaveDataMove
- Shop
- Shell
- CategoryHomeMenu
IoAccessControl:
- FsMountNand
- FsMountNandRoWrite
- FsMountTwln
- FsMountWnand
- FsMountCardSpi
- UseSdif3
- CreateSeed
- UseCardSpi

IdealProcessor : 0
AffinityMask : 1

Priority : 16

MaxCpu : 0x9E # Default

CoreVersion : 2
DescVersion : 2

ReleaseKernelMajor : "02"
ReleaseKernelMinor : "33"
MemoryType : Application
HandleTableSize: 512
IORegisterMapping:
- 1ff50000-1ff57fff
- 1ff70000-1ff77fff
MemoryMapping:
- 1f000000-1f5fffff:r
SystemCallAccess:
ArbitrateAddress: 34
Break: 60
CancelTimer: 28
ClearEvent: 25
ClearTimer: 29
CloseHandle: 35
ConnectToPort: 45
ControlMemory: 1
CreateAddressArbiter: 33
CreateEvent: 23
CreateMemoryBlock: 30
CreateMutex: 19
CreateSemaphore: 21
CreateThread: 8
CreateTimer: 26
DuplicateHandle: 39
ExitProcess: 3
ExitThread: 9
GetCurrentProcessorNumber: 17
GetHandleInfo: 41
GetProcessId: 53
GetProcessIdOfThread: 54
GetProcessIdealProcessor: 6
GetProcessInfo: 43
GetResourceLimit: 56
GetResourceLimitCurrentValues: 58
GetResourceLimitLimitValues: 57
GetSystemInfo: 42
GetSystemTick: 40
GetThreadContext: 59
GetThreadId: 55
GetThreadIdealProcessor: 15
GetThreadInfo: 44
GetThreadPriority: 11
MapMemoryBlock: 31
OutputDebugString: 61
QueryMemory: 2
ReleaseMutex: 20
ReleaseSemaphore: 22
SendSyncRequest1: 46
SendSyncRequest2: 47
SendSyncRequest3: 48
SendSyncRequest4: 49
SendSyncRequest: 50
SetThreadPriority: 12
SetTimer: 27
SignalEvent: 24
SleepThread: 10
UnmapMemoryBlock: 32
WaitSynchronization1: 36
WaitSynchronizationN: 37
InterruptNumbers:
ServiceAccessControl:
- APT:U
- $hioFIO
- $hostio0
- $hostio1
- ac:u
- boss:U
- cam:u
- cecd:u
- cfg:u
- dlp:FKCL
- dlp:SRVR
- dsp:SP
- frd:u
- fs:USER
- gsp::Gpu
- hid:USER
- http:C
- mic:u
- ndm:u
- news:u
- nwm::UDS
- ptm:u
- pxi:dev
- soc:U
- ssl:C
- y2r:u
- ldr:ro
- ir:USER


SystemControlInfo:
Dependency:
ac: 0x0004013000002402L
am: 0x0004013000001502L
boss: 0x0004013000003402L
camera: 0x0004013000001602L
cecd: 0x0004013000002602L
cfg: 0x0004013000001702L
codec: 0x0004013000001802L
csnd: 0x0004013000002702L
dlp: 0x0004013000002802L
dsp: 0x0004013000001a02L
friends: 0x0004013000003202L
gpio: 0x0004013000001b02L
gsp: 0x0004013000001c02L
hid: 0x0004013000001d02L
http: 0x0004013000002902L
i2c: 0x0004013000001e02L
ir: 0x0004013000003302L
mcu: 0x0004013000001f02L
mic: 0x0004013000002002L
ndm: 0x0004013000002b02L
news: 0x0004013000003502L
nim: 0x0004013000002c02L
nwm: 0x0004013000002d02L
pdn: 0x0004013000002102L
ps: 0x0004013000003102L
ptm: 0x0004013000002202L
ro: 0x0004013000003702L
socket: 0x0004013000002e02L
spi: 0x0004013000002302L
ssl: 0x0004013000002f02L
CommonHeaderKey:
D: |
jL2yO86eUQnYbXIrzgFVMm7FVze0LglZ2f5g+c42hWoEdnb5BOotaMQPBfqt
aUyAEmzQPaoi/4l4V+hTJRXQfthVRqIEx27B84l8LA6Tl5Fy9PaQaQ+4yRfP
g6ylH2l0EikrIVjy2uMlFgl0QJCrG+QGKHftxhaGCifdAwFNmiZuyJ/TmktZ
0RCb66lYcr2h/p2G7SnpKUliS9h9KnpmG+UEgVYQUK+4SCfByUa9PxYGpT0E
nw1UcRz0gsBmdOqcgzwnAd9vVqgb42hVn6uQZyAl+j1RKiMWywZarazIR/k5
Lmr4+groimSEa+3ajyoIho9WaWTDmFU3mkhA2tUDIQ==
Exponent: |
AQAB
Modulus: |
zwCcsyCgMkdlieCgQMVXA6X2jmb1ICjup0Q+jk/AydPkOgsx7I/MjUymFEkU
vgXBtCKtzh3NKXtFFuW51tJ60GPOabLKuG0Qm5li+UXALrWhzWuvd5vv2FZI
dTQCbrq/MFS/M02xNtwqzWiBjE/LwqIdbrDAAvX4HGy0ydaQJ1DKYeQeph5D
lAGBw2nQ4izXhhuLaU3w8VQkIJHdhxIKI5gJY/20AGkG0vHD553Mh5kBINrWp
CRYmmJS8DCYbAiQtKbkeUfzHViGTZuj6PwaY8Mv39PGO47a++pt45IUyCEs4/
LjMS72cyfo8tU4twRGp76SFGYejYj3wGC1f/POQw==
Signature: |
BOPR0jL0BOV5Zx502BuPbOvi/hvOq5ID8Dz1MQfOjkey6FKP/6cb4f9YXpm6c
ZCHAZLo0GduKdMepiKPUq1rsbbAxkRdQdjOOusEWoxNA58x3E4373tCAhlqM2
DvuQERrIIQ/XnYLV9C3uw4efZwhFqog1jvVyoEHpuvs8xnYtGbsKQ8FrgLwXv
pOZYy9cSgq+jqLy2D9IxiowPcbq2cRlbW9d2xlUfpq0AohyuXQhpxn7d9RUor
9veoARRAdxRJK12EpcSoEM1LhTRYdJnSRCY3x3p6YIV3c+l1sWvaQwKt0sZ/U
8TTDx2gb9g7r/+U9icneu/zlqUpSkexCS009Q==
Descriptor: |
AP///wAABAACAAAAAAAFGJ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiIAAAAAAAABBUFQ6VQAAACRo
aW9GSU8AJGhvc3RpbzAkaG9zdGlvMWFjOnUAAAAAYm9zczpVAABjYW06dQAA
AGNlY2Q6dQAAY2ZnOnUAAABkbHA6RktDTGRscDpTUlZSZHNwOjpEU1BmcmQ6
dQAAAGZzOlVTRVIAZ3NwOjpHcHVoaWQ6VVNFUmh0dHA6QwAAbWljOnUAAABu
ZG06dQAAAG5ld3M6dQAAbndtOjpVRFNwdG06dQAAAHB4aTpkZXYAc29jOlUA
AABzc2w6QwAAAHkycjp1AAAAbGRyOnJvAABpcjpVU0VSAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAABOn/rw/7//8ec/APIA8JH/APaR/1D/gf9Y/4H/cP+B/3j/gf8B
AQD/AAIA/iECAPz/////////////////////////////////////////////
////////////////////////////////////////AAAAAAAAAAAAAAAAAAAA
AAADAAAAAAAAAAAAAAAAAAI=

^ .rsf contents

 

[Huntereb]

So what, decrypt using ncch decrypter and repack and then inject a proper exheader using some of the tools that have been floating around?

You can't just inject the exheader into a cia. You'll have to fix up the rsf perfectly this time around.

 

[Vappy]

And you need to use a longform .rsf, no -desc when building. I've got a working one for Config, which I annoyingly only found out after opening it can't be suspended normally. Not sure if the same .rsf work for other apps, still testing.

EDIT: redacted

 

[The Real Jdbye]

Huntereb or CollosalPokemon can you upload your rsf files please? I think I've done everything else correctly but the rsf is a clusterfuck and I'm not sure what else I need to edit.

 

[CollosalPokemon]

Will they get public? We want a working SaveDataFiler with working Cart ability

fwiw SaveDataFiler doesn't seem to work with gateway. I think it uses some calls to get the save file from the cartridge differently than a normal game would use, so instead of checking the SD for the save file like gateway patched normal games to do, it checks the gateway cartridge which shows up as corrupt. I guess since it's not technically the owner of the save file, it needs to do special things to access and modify other games' saves. Or maybe it tries something specific for development cartridge saves and fails since Gateway isn't an official development cartridge.
I'd love to check if retail cartridges would be recognised but I can't. Obviously I can't boot SaveDataFiler in classic mode (and for that matter, any other of the developer applications I installed) since it's not signed for retail and gateway doesn't patch the signature checks in classic mode.

 

[gamefan5]

I managed to install other SDK related files, icon shows but no function >>> crash/reboot 3ds on starting.

Wish he would share some more infos
Can u test it for kid icarus uprising, and how to hex edit the weapons please?


Offset might not static, but should work for most other games.

Can u test it for Kid Icarus uprising? I want to know if it is possible to hex edit weapons.

 

[Queno138]

Huntereb or CollosalPokemon can you upload your rsf files please? I think I've done everything else correctly but the rsf is a clusterfuck and I'm not sure what else I need to edit.

MY RSF that works.
Used it for Pokemon X.

BasicInfo:
  Title                  : "Pokemon X" # change here
  CompanyCode            : "01" # change here
  ProductCode            : "CTR-P-EKJA" # change here
  ContentType            : Application
  Logo                    : Nintendo
 
TitleInfo:
  UniqueId                : 0x055D # jump id without last 2 zeros
  Category                : Application
 
Option:
  UseOnSD                : true 
  EnableCompress          : true 
  FreeProductCode        : true 
  EnableCrypt            : true 
  MediaFootPadding        : true 
 
AccessControlInfo:
  UseExtSaveData : true
  ExtSaveDataId: 0x055D # use unique ID
  SystemSaveDataId1: 0x00000000 
  SystemSaveDataId2: 0x00000000  
  OtherUserSaveDataId1: 0x00000 
  OtherUserSaveDataId2: 0x00000 
  OtherUserSaveDataId3: 0x00000 
  UseOtherVariationSaveData : false
 
SystemControlInfo:
  SaveDataSize: 1M # change when necessary
  RemasterVersion: 0 
  StackSize: 0x00040000 
  JumpId: 0x0004000000055D00L # plaintext exheader (<full UniqueID>L

 

[liomajor]

Can u test it for Kid Icarus uprising? I want to know if it is possible to hex edit weapons.

I don't have Kid Icarus.

HexEdit Weapons might be possible, but will take a lot longer to find.

Queno138

Pokemon X is another case than SDK Utils.

fwiw SaveDataFiler doesn't seem to work with gateway. I think it uses some calls to get the save file from the cartridge differently than a normal game would use, so instead of checking the SD for the save file like gateway patched normal games to do, it checks the gateway cartridge which shows up as corrupt. I guess since it's not technically the owner of the save file, it needs to do special things to access and modify other games' saves. Or maybe it tries something specific for development cartridge saves and fails since Gateway isn't an official development cartridge.
I'd love to check if retail cartridges would be recognised but I can't. Obviously I can't boot SaveDataFiler in classic mode (and for that matter, any other of the developer applications I installed) since it's not signed for retail and gateway doesn't patch the signature checks in classic mode.

Even if its not working in classic mode, does it work in normal gateway mode with rom?

 

[The Real Jdbye]

MY RSF that works.
Used it for Pokemon X.

BasicInfo:
  Title                  : "Pokemon X" # change here
  CompanyCode            : "01" # change here
  ProductCode            : "CTR-P-EKJA" # change here
  ContentType            : Application
  Logo                    : Nintendo
 
TitleInfo:
  UniqueId                : 0x055D # jump id without last 2 zeros
  Category                : Application
 
Option:
  UseOnSD                : true
  EnableCompress          : true
  FreeProductCode        : true
  EnableCrypt            : true
  MediaFootPadding        : true
 
AccessControlInfo:
  UseExtSaveData : true
  ExtSaveDataId: 0x055D # use unique ID
  SystemSaveDataId1: 0x00000000
  SystemSaveDataId2: 0x00000000
  OtherUserSaveDataId1: 0x00000
  OtherUserSaveDataId2: 0x00000
  OtherUserSaveDataId3: 0x00000
  UseOtherVariationSaveData : false
 
SystemControlInfo:
  SaveDataSize: 1M # change when necessary
  RemasterVersion: 0
  StackSize: 0x00040000
  JumpId: 0x0004000000055D00L # plaintext exheader (<full UniqueID>L

Thanks, but it's not much use for repacking SDK tools. Those need a different rsf file.

I don't have Kid Icarus.

HexEdit Weapons might be possible, but will take a lot longer to find.

Queno138

Pokemon X is another case than SDK Utils.



Even if its not working in classic mode, does it work in normal gateway mode with rom?

If it doesn't work in classic mode or with GW cards as he said, then it can only be used with eShop saves. But if that's all you need, then it will work.

 

[mathieulh]

Hum... Apparently some of the development keys from the SDK (presumably extracted from the SDK tools) were leaked at some point on this forum: https://gbatemp.net/threads/3ds-sdk-keys.351626/
I am not quite sure how relevant these keys are in decrypting development .cia files though.
According to the thread the keys are legit but I could never get my hands on the original 7zip archive.

 

[kyogre123]

Hum... Apparently some of the development keys from the SDK (presumably extracted from the SDK tools) were leaked at some point on this forum: https://gbatemp.net/threads/3ds-sdk-keys.351626/
I am not quite sure how relevant these keys are in decrypting development .cia files though.
According to the thread the keys are legit but I could never get my hands on the original 7zip archive.

Woah, a pre-Gateway 3DS leak. No doubt I didn't know about that.

 

[sbJFn5r]

Hum... Apparently some of the development keys from the SDK (presumably extracted from the SDK tools) were leaked at some point on this forum: https://gbatemp.net/threads/3ds-sdk-keys.351626/ I am not quite sure how relevant these keys are in decrypting development .cia files though. According to the thread the keys are legit but I could never get my hands on the original 7zip archive.

I'm pretty sure most of that stuff is here: https://github.com/3DSGuy/Project_CTR/blob/master/makerom/pki/dev.h
You can decrypt the newer SDK CIAs with "ctrtool --commonkey=XXXX --contents=out file.cia", where XXXX is the first key in "ctr_common_etd_key_dpki". But then you get an NCCH file that you can't decrypt.


EDIT: Meant first key in "ctr_common_etd_key_dpki", not second key of "dev_fixed_ncch_key".

 

[jonthedit]

Pretty sure this is false. I'm running Dev Menu on a 64 GB Red Card.

The .3DS file? Or the installed CIA?

What brand is your card, class etc

I wonder what the issue is. It would not work for me using my 32GB card, but worked fine with a 4GB card. So I used the 4GB card to install the Devmenu.cia then switched back to the 32GB.

What brand was your 32gb one, class card, etc.

 

[kyogre123]

The .3DS file? Or the installed CIA?

What brand is your card, class etc


What brand was your 32gb one, class card, etc.

I installed the DevMenu and I have both the same model of MicroSD for both slots (32GB for GW card, 32GB for SD slot of 3DS).

 

[Queno138]

Created a pictorial to help

http://gbatemp.net/threads/tutorial-converting-3ds-to-cia-for-dummies.373722/

 

[Nurio]

OMG! do you think there is anyway to transfer my EUR save to USA?!
I downloaded EUR to try out the game and I fell in love with it... i would kill to be able to purchase the game (USA) and continue with my save and buy the DLC.

I believe the savegame is already region-unlocked. That's what I read, anyhow. People were able to use their US games with the EUR saves without having to do anything.

What I am interested in is to transfer Fantasy Life saves from one 3DS to another. Can anyone tell me if this is possible now?

 

[pLaYeR^^]

Someone knows how to install SaveDataFiler?