Homebrew [GM9][Script]All-in-One Megascript

  • Thread starter: annson24
  • Views: 82,767
  • Replies: 118
  • Likes: 21
Status: Not open for further replies.
I can't do it. I like programming but not right at this moment. Need to get out the house, eat real food, and catch some sun!

@annson24, I'm throwing in the hat. If you were investigating the saves dumping and injecting, I leave these pathways info. I'll come back tomorrow. Retreat and code another day. Shazaam! :tpi:

System Saves
Code:
seedsave.bin
1:/data/$[SYSID0]/sysdata/0001000f/00000000

nagsave.bin
1:/data/$[SYSID0]/sysdata/0001002c/00000000

nnidsave.bin
1:/data/$[SYSID0]/sysdata/00010038/00000000

friendsave.bin
1:/data/$[SYSID0]/sysdata/00010032/00000000

configsave.bin
1:/data/$[SYSID0]/sysdata/00010017/00000000

System Files
Code:
ticket.db
1:/dbs/ticket.db

title.db
1:/dbs/title.db

import.db
1:/dbs/import.db

certs.db
1:/dbs/certs.db

SecureInfo_A
1:/rw/sys/SecureInfo_B

LocalFriendCodeSeed_B
1:/rw/sys/LocalFriendCodeSeed_B

movable.sed
1:/private/movable.sed
 
Looked at the GM9 source and found this line regarding injecting into health and safety

I am no programmer but searching for the variables that this chunk of code uses might lead to some functions on how GM9 injects apps into the health and safety, that could be helpful in turning it into a gm9 script.
 
@Kazuma77 why does your full SysNAND restore script require NTRBoot?

I think d0k3 was concerned about the possibility of old GW EmuNANDs being restored to SysNAND. GW used to block updates to the FIRM partitions on EmuNAND, so, if an old GW EmuNAND backup was restored to SysNAND, it would brick it, because the version of NATIVE FIRM in the firm partitions would not match the one in CTRNAND. Note that the version I used to include in InScripted before the branching commands were added and I replaced it with my "NAND Manager" had that line commented out, because IMHO the script already provided sufficient warning. But it's d0k3's app. Sometimes to get what you want, you have to be willing to compromise. And I can see why he would be concerned. Look at how many people download GM9, after all.
 
https://www.3dbrew.org/wiki/System_SaveData

This talks about all the system saves you can find in, 1:/data/$[SYSID0]/sysdata/
Some are universal and others are region specific in their uniqueID.

*******
https://github.com/Plailect
https://github.com/Plailect/Guide_RedNAND/wiki/Region-Changing

Plailect has information about how the region changing is unnecessary on Luma3DS due to the built-in region unlocking when playing any games. How one back then spoofed a region outside their 3ds native region was by modifying SecureInfo.

The file can vary in names including on old/new/region 3DS but they should be all the same:
  • SecureInfo_A
  • SecureInfo_B
  • SecureInfo_C
******

Be careful with this information, as injecting CIA files into Health & Safety is no joke. I think d0k3 was determined to have GodMode9 built-in H&S injector and restore handle this as his app does it much safer AND with the ability to choose any CIA. A script doesn't really allow injection unless it already knows what CIA it should look for.

A script, if badly coded without SHA checks, safety pre-checks for already injection, size checking the homebrew you want to inject is equal or smaller than 956 KB (the actual size of H&S), and a way to set aside the real renamed H&S, can easily mess up the H&S where recovery may require resorting to SysNAND restore.

On a USA region 3DS, Health & Safety is located
1:/title/00040010/20021300

Within the 20021300 folder, there is a content folder.

Within the content folder, there are these:
1:/title/00040010/20021300/content/...
  • cmd folder, which contains the file 00000001.cmd (i dunno what this is)
  • 00000000.tmd (ticket stuff)
  • 00000002.app (Health & Safety, the "game" or title when launched)
  • 00000003.app (e-manual, however this doesn't appear to show up in HOME Menu for H&S)
If you plan to do H&S injection, you'll need to somehow specify the script to:
- check the CIA you want to inject, let's say homebrew_launcher.cia (with proper SHA verification)
- mount and/or extract that CIA for a copy of its 00000002.app (with a size check of 956 KB or below)
- if first time injecting, rename the 00000002.app in Health & Safety to something else like 00000002_real.app
- if trying to inject where something already is there, stop the script from going any further if it detects 00000002_real.app is in place
- put a copy of hb_launcher 00000002.app into that H&S directory

For restoring Health & Safety
- check that 00000002_real.app is in place
- delete hb_launcher 00000002.app
- rename 00000002_real.app back to 00000002.app

Health & Safety title could be different from region to region. If this is the case, then the script would have to be inclusive for all the different pathways of H&S.

Edit - Interesting, I tried injecting an app into Health & Safety. 00000002.app for actual H&S is renamed as 00000002.bak (the 00000002_real.app in the steps described)
 
Last edited by TurdPooCharger,
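The checks and the rename/restore steps listed in the post above, modelled in Python on a local directory of dumped files. This is an added example, not code from the thread or from GodMode9; the function names, the `Refused` exception, the reading of 956 KB as 956 × 1024 bytes and the sample files are assumptions constructed for illustration, and it covers only the guard logic, not the contents of the `.app` being copied in.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MAX_APP_SIZE = 956 * 1024     # the post's "956 KB", read as KiB (assumption)
LIVE = "00000002.app"         # content file the title launches
BACKUP = "00000002_real.app"  # set-aside name suggested in the post


class Refused(Exception):
    """A pre-check failed before anything was modified."""


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def inject(content_dir: Path, payload: Path, expected_sha256: str) -> None:
    live, backup = content_dir / LIVE, content_dir / BACKUP
    # Every check runs before the first write.
    if backup.exists():
        raise Refused("already injected: backup present")
    if not live.is_file():
        raise Refused("original content file missing")
    if sha256_file(payload) != expected_sha256.lower():
        raise Refused("payload SHA-256 mismatch")
    if payload.stat().st_size > MAX_APP_SIZE:
        raise Refused("payload larger than 956 KB")
    live.rename(backup)
    try:
        shutil.copyfile(payload, live)
    except OSError:
        live.unlink(missing_ok=True)  # roll back so the original is live again
        backup.rename(live)
        raise


def restore(content_dir: Path) -> None:
    live, backup = content_dir / LIVE, content_dir / BACKUP
    if not backup.is_file():
        raise Refused("nothing to restore: backup missing")
    live.unlink(missing_ok=True)
    backup.rename(live)


def demo() -> dict:
    """Run the guards over constructed files in a temporary directory."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        content = Path(tmp) / "content"
        content.mkdir()
        original = b"constructed original content " * 32
        (content / LIVE).write_bytes(original)
        payload = Path(tmp) / "payload.app"
        payload.write_bytes(b"constructed payload " * 16)
        good = sha256_file(payload)
        for name, digest in (("bad_hash", "0" * 64), ("first", good), ("second", good)):
            try:
                inject(content, payload, digest)
                out[name] = "ok"
            except Refused as exc:
                out[name] = str(exc)
        out["injected"] = (content / LIVE).read_bytes() == payload.read_bytes()
        restore(content)
        out["restored"] = (content / LIVE).read_bytes() == original
        payload.write_bytes(b"\0" * (MAX_APP_SIZE + 1))
        try:
            inject(content, payload, sha256_file(payload))
        except Refused as exc:
            out["too_big"] = str(exc)
        out["untouched"] = not (content / BACKUP).exists()
    return out
```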
The file can vary in names including on old/new/region 3DS but they should be all the same:
  • SecureInfo_A
  • SecureInfo_B
  • SecureInfo_C
IIRC, SecureInfo_C is only used by Luma3DS so that we won't have to replace A back then when region changing was a thing. Haven't seen any 3DS having the B tho.
I think I already tried injecting the .app from FBI directly to H&S before and ended up breaking H&S. If it was as easy as that, I could've already finished the script to support every region haha. I do wish it was as easy as that but injecting through a script, the offset should be indicated in the command and I have no idea regarding that. I've tried comparing the different .app0's Hex and didn't understand anything hahaha.

The workaround I did was:
1. manually inject FBI to H&S (per region) using GM9's built-in H&S injector.
2. Copy the new .app generated in the H&S folder from 1:/title...
3. Used that for the script.

Now in the script, I specifically made it to make a .bak first before replacing it with the generated .app.

So far I've only supported New&Old US&EU region.
 
IIRC, SecureInfo_C is only used by Luma3DS so that we won't have to replace A back then when region changing was a thing. Haven't seen any 3DS having the B tho.
In Plailect's guide,
Some consoles have a SecureInfo_B instead of SecureInfo_A; this is fine and you should use SecureInfo_B for the relevant steps.
Mine has the SecureInfo named as B, so it does exist.

Zee Proof.
Secured_Info_B.png



You very well may have done it correctly. FBI sometimes crashes when injected into H&S through GM9. You should try another small sized cia like homebrew launcher. Actually, health & safety is bad to begin with. Some users get around the crashy H&S by injecting through Rosalina Menu* HB_Launcher into Online Play, AR Games, etc and then launching FBI and other homebrew to install their cia titles onto Home Menu. Try injecting into something other than Health & Safety.
 
Last edited by TurdPooCharger,
Whoa. This is the first time I saw SecureInfo_B. Cool stuff.
You are quite right. FBI in H&S is very unstable. I've reproduced some crashes when using it. Like when powering off the 3ds or going into system settings after using H&S(FBI). Honestly, I wouldn't recommend injecting FBI to H&S too but sometimes I find that option very handy, and others might too.
 

I did some H&S injecting through GM9 using TWLoader.cia and found out the 00000002.app from TWLoader does not match its actual 0000.5E0C6D86.app. Using that duplicate remover program for hash checks.

No injection & injection matches for H&S
00000000.tmd
00000003.app
00000001.cmd

Gotta go deeper in the 00000002.app for files that changed or stayed the same within that folder / archive.
 
I got you

https://github.com/gurnec/HashCheck adds a checksums tab in the properties dialog box of files
http://www.slavasoft.com/hashcalc/ is a standalone app you can check many different hash types with

Thanks. For the time being, I'll stick to me trusty ol' Duplicate Cleaner Pro program by DigitalVolcano Software. Hash checking is the easy part. It's seeing the files contained within the .app file

Those .app files are like ogres. You gotta peel back the layers to go deeper. You'll be surprised how much .3ds and .cia files are like Russian matryoshka doll, archives within other archives within even more archives all the waaay down.
 
AND we have a prime suspect.

@annson24, you're not going to like reading about what's preventing a straight renaming and swapping places with the 00000002.app from one CIA into health & safety.

Within the 00000002.app, there is a file called ncch.bin, or the header. More info about this file here: https://www.3dbrew.org/wiki/NCCH

When GodMode9 borrows and copies an external CIA's .app into the Health & Safety's 00000002.app, everything in that .app archive from that external CIA is copied over one-to-one EXCEPT ncch.bin. This header file is retained from Health & Safety itself. My hash/duplicate cleaner program finds that the injected ncch.bin and original H&S ncch.bin share a similarity of 71%. This means there's some voodoo magic modifications GodMode9 is doing onto that file in order to fool the 3DS into seeing injected CIAs as if it was Health & Safety.

You could try straight up dumping and replacing the ncch.bin from H&S into FBI's .app, but I have a hunch that won't work. Unless those 29% difference is the injected ncch.bin differing due to time & date stamp meta info, H&S injection is looking like a dead end.
 
Thanks for the thorough explanation. 29% is quite big of a difference. And the workaround I'm doing would give me so much work if I ever wanted FBI to be updated whenever FBI has. Tsk. Have to reconsider if I'll add a separate option for FBI injection or to just keep it optional in the PC-Less b9s Installation.


Did some more digging into the differences between those ncch.bin files. Here's the voodoo of what's happening. This is a BIG IF. Unless GM9 script can handle hex editing, we can put this injection idea to rest. Who would have guessed?

ncch_bin_comparison.png


Edit - Maybe you can! This is going to be a REALLY hard script to pull off.

From HelloScript.gm9

Code:
# 'inject' COMMAND
# This command is used to inject part of one file into another
# The syntax is: inject origin@x:y destination@z
#                x: origin offset (in hex)
#                y: origin size, starting at x (in hex)
#                z: destination offset (in hex)
# If destination does not exist or z is not given, a new destination file will be created(!)
# If x is not given, the full origin file size, starting from offset 0, is used to inject
# If y is not given, everything starting from offset x is used to inject
# -n / --no_cancel prevents user cancels (useful on critical operations)
inject S:/nand_hdr.bin@100:4 $[RENPATH]@200 # offsets and sizes are in hex
# As we just deliberately corrupted our test file, the subsequent SHA check will fail
set ERRORMSG "SHA check failed (this was expected)"
sha -o $[RENPATH] $[TESTPATH].sha
set ERRORMSG ""

Code:
# 'fill' COMMAND
# This command fills (a portion of) a file with the specified byte value
# The syntax is: fill destination@x:y fillbyte
#                x: destination offset (in hex)
#                y: destination size, starting at x (in hex)
# If x is not given, the full file size, starting from offset 0, is overwritten
# If y is not given, everything starting from offset x is overwritten
# -n / --no_cancel prevents user cancels (useful on critical operations)
fill $[DUMMY]@100:100 FF
fill $[DUMMY]@300 80

Holy crap do you know how awful it'll be to figure out exactly which portions of the two scripts need to mesh in correctly? You'll notice that there are parts that don't break and switch cleanly from H&S to the injected target app.
 
Last edited by TurdPooCharger,
The inject command can do an offsetting but about those two lines in the middle, if I understand correctly, we should offset at 0x0104 but skip 0x0109-0x010C and 0x0119-0x011C, right? I don't think GM9 can do that. I'm sorry @TurdPooCharger, this is the extent of my HEX knowledge. I didn't study programming and haven't got the time to do a self-study.
 
The inject command can do an offsetting but about those two lines in the middle, if I understand correctly, we should offset at 0x0104 but skip 0x0109-0x010C and 0x0119-0x011C, right? I don't think GM9 can do that.
There are some shared hex between the two parent ncch.bin files. More injections with various apps will need to be done checking which parts really belong to H&S and the rest filled in from target injection. I think for the benefit of doubt, leave H&S injection for a much later scripting.

I'm sorry @TurdPooCharger, this is the extent of my HEX knowledge. I didn't study programming and haven't got the time to do a self-study.

You think I know hex? I don't! :rofl:

dog-helicopter.jpg
 
My 3DS is stuck with a SecureInfo_C. It used to be A, but then I region changed it to E, and then I region changed it back to U, and it still has C. Renaming it to A causes the system to ignore it and the OS panics on boot.
 

Is your current copy of SecureInfo_C an unedited, renamed version of your SecureInfo_A? Do you have a copy of SecureInfo_A not touched with hex editor? For your 3DS to go back to using only A file, A and C file cannot be both present with A having to match the original USA "01" in step 15.

** You should have had both A and C, with C being the only one to edit and use. Delete C if A has stayed A throughout without editing.

https://github.com/Plailect/Guide_3...4f439dc0/_pages/en_US/Region-Changing.txt#L77

##### Section IV - Editing SecureInfo

1. Press (Start) then hold (Up) to reboot into arm9loaderhax GodMode9
2. Navigate to `SYSNAND CTRNAND` -> `rw` -> `sys`
3. Press (Y) on `SecureInfo_A` to copy it
4. Press (Y) to paste a copy of `SecureInfo_A`
5. Select "Copy path(s)"
6. Press (A) to unlock SysNAND writing, then input the key combo given
7. Select "Choose new name"
8. Use the D-Pad to rename the file to `SecureInfo_C`, pressing (A) when you're done (overwrite any existing `SecureInfo_C`)
9. Scroll down to the `SecureInfo_C` you just pasted
10. Press (A) on `SecureInfo_C` then select "Show in Hexeditor"
11. Press (A) to continue
12. Press (A) to enter edit mode
13. Go to the beginning of line 00000100 and press (A) on it
14. Hold (A) while pressing (Up) or (Down) on the D-Pad to edit the number
15. Change the first number pair on line 00000100 to the following pair that corresponds to *the region you want to change to*:
- "00" : JPN
- "01" : USA
- "02" : EUR
16. Press (B) to exit edit mode, then save changes, then press (B) again to return to the directory
17. You should see both a `SecureInfo_A` and `SecureInfo_C` if everything was done properly. (`SecureInfo_C` is used in place of `SecureInfo_A` when using Luma3DS if it detects the file on boot)
18. Press and hold (Start) to reboot into Hourglass9
 
Last edited by TurdPooCharger,
Maybe @d0k3 might be able to share some insight on explaining how GM9 properly injects apps into health and safety.
 
ncch_bin_comparison_new.png


Introducing the hex_sex.gm9 script, for producing lovechild ncch.bin between Health & Safety and the CIA app you want to inject into H&S. This script is NOT for public use but for devs troubleshooting and building a H&S injector from this as base code template.

After several attempts of hex spell casting with HxD editor and GodMode9 hex editor in the gm9 script, these are the slots to fill in to produce the modified, correct ncch.bin

You cannot run this script without the needed example ncch.bin files. I cannot post the example files because of ToS in sharing copyright files (ncch.bin dumped from health & safety). You will have to recreate your own ncch.bin files, or re-code the script to make it for your own example files.

This script is a rough draft and is not finalized due to not having included image mounting the CIA and .app for ncch.bin extraction and modifications.

Code:
### make this test directory if it doesn't exist
mkdir "0:/testdir"

### define the variable for our dummy test header
set DUMMY "0:/testdir/ncch_dummy.bin"

### delete the dummy test header if one exists
### GodMode9 doesn't allow overwriting a dummy file with fdummy
if find "0:/testdir/ncch_dummy.bin" $[DUMMY]
rm "0:/testdir/ncch_dummy.bin"
end

### Delete the SHA files for hash comparisons
if find "0:/testdir/dummy.sha" "0:/testdir/dummy.sha"
rm "0:/testdir/dummy.sha"
end

if find "0:/testdir/mix.sha" "0:/testdir/mix.sha"
rm "0:/testdir/mix.sha"
end

### create the dummy test header with random HEX numbers
### fdummy takes the file size in hex: '200' is hex for 512 slots (bytes),
### matching the 0x200 slots filled and injected below.
### Example: 63 E2 86 = three (3) slots.
fdummy $[DUMMY] 200

### fill all 0x200 slots with 00 or null values
fill $[DUMMY]@000:200 00

### Inject the YELLOW section
inject 0:/testdir/ncch_H&S.bin@000:100 $[DUMMY]@000

### Inject the 1st RED section
inject 0:/testdir/ncch_TWL.bin@100:8 $[DUMMY]@100

### Inject the 1st BLUE section
inject 0:/testdir/ncch_H&S.bin@108:8 $[DUMMY]@108

### Inject the 2nd RED section
inject 0:/testdir/ncch_TWL.bin@110:8 $[DUMMY]@110

### Inject the 2nd BLUE section
inject 0:/testdir/ncch_H&S.bin@118:8 $[DUMMY]@118

### Inject the GREEN section
inject 0:/testdir/ncch_TWL.bin@120:E0 $[DUMMY]@120

### Inject the single PURPLE slot
inject 0:/testdir/ncch_H&S.bin@18F:1 $[DUMMY]@18F

echo "Comparing SHA between \nncch_mix.bin\nand ncch_dummy.bin"

### Create files that contain the SHA hashes for
### the test dummy header compared to
### the real GM9 made injected mix header
shaget $[DUMMY] "0:/testdir/dummy.sha"
shaget "0:/testdir/ncch_mix.bin" "0:/testdir/mix.sha"

set SHA_DUMMY "0:/testdir/dummy.sha"
set SHA_MIX "0:/testdir/mix.sha"

### compare ncch_dummy.bin
### against SHA from ncch_mix.bin
if sha $[DUMMY] $[SHA_MIX]
echo "ncch_dummy.bin matches to ncch_mix.bin"
else
echo "SHA hash failure."
end

### compare ncch_mix.bin
### against SHA from ncch_dummy.bin
if sha "0:/testdir/ncch_mix.bin" $[SHA_DUMMY]
echo "ncch_mix.bin matches to ncch_dummy.bin"
else
echo "SHA hash failure."
end

Edit - Messed up image editing the comparison picture. Posted the corrected image.
 
Last edited by TurdPooCharger,
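The splice that hex_sex.gm9 performs, together with the byte-by-byte comparison behind the ncch_bin_comparison pictures, as an added Python example (not part of the original posts or of GodMode9). It goes a step beyond the script by labelling every byte of a mixed header as coming from H&S, the target, both or neither; the offsets are the script's, while the function names and the two 0x200-byte sample headers are constructed assumptions.

```python
import hashlib

HEADER_SIZE = 0x200  # bytes the thread's script fills and splices

# (colour label from the post, source header, offset, length), in script order.
SPLICE_PLAN = [
    ("YELLOW", "hs",     0x000, 0x100),
    ("RED 1",  "target", 0x100, 0x008),
    ("BLUE 1", "hs",     0x108, 0x008),
    ("RED 2",  "target", 0x110, 0x008),
    ("BLUE 2", "hs",     0x118, 0x008),
    ("GREEN",  "target", 0x120, 0x0E0),
    ("PURPLE", "hs",     0x18F, 0x001),  # applied last, overrides one GREEN byte
]


def splice(hs: bytes, target: bytes) -> bytes:
    """Rebuild the mixed header by applying SPLICE_PLAN in order."""
    if len(hs) != HEADER_SIZE or len(target) != HEADER_SIZE:
        raise ValueError("both headers must be exactly 0x200 bytes")
    out = bytearray(HEADER_SIZE)  # zero-filled, like `fill ...@000:200 00`
    for _label, source, offset, length in SPLICE_PLAN:
        src = hs if source == "hs" else target
        out[offset:offset + length] = src[offset:offset + length]
    return bytes(out)


def provenance(hs: bytes, target: bytes, mix: bytes) -> list:
    """Collapse a per-byte comparison into (origin, start, end) runs, end exclusive."""
    runs = []
    for i in range(HEADER_SIZE):
        in_hs, in_target = mix[i] == hs[i], mix[i] == target[i]
        origin = ("both" if in_hs and in_target else
                  "hs" if in_hs else "target" if in_target else "neither")
        if runs and runs[-1][0] == origin:
            runs[-1][2] = i + 1          # extend the current run
        else:
            runs.append([origin, i, i + 1])
    return [tuple(r) for r in runs]


def same_sha256(a: bytes, b: bytes) -> bool:
    """The script's final check: do two headers hash to the same SHA-256?"""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def constructed_headers():
    """Two constructed headers that differ everywhere except 4 shared bytes."""
    hs = bytearray(0xA0 | (i & 0x0F) for i in range(HEADER_SIZE))
    target = bytearray(0x50 | (i & 0x0F) for i in range(HEADER_SIZE))
    # Stand-in for bytes both real headers share (the NCCH magic at 0x100).
    hs[0x100:0x104] = target[0x100:0x104] = b"NCCH"
    return bytes(hs), bytes(target)


if __name__ == "__main__":
    hs, target = constructed_headers()
    mix = splice(hs, target)
    for origin, start, end in provenance(hs, target, mix):
        print(f"{start:#05x}-{end - 1:#05x}  {origin}")
```

A "both" run marks bytes that cannot be attributed from a single pair of headers, and a "neither" run marks bytes that a plain splice cannot reproduce.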