Looking for a pointer for decryption

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by StevenSeegal, Jul 22, 2015.

  1. StevenSeegal (OP), Member, Jul 22, 2015, Netherlands
    I've been trying to extract/decrypt a file from the NAND of my o3DS (FW 9.2) for 4 days, searched around on the forums and the rest of the internet, tried almost everything, but still have no luck.

    What I did:
    - Created a NAND dump (Gateway).
    - Created a NAND xorpad (rxTools).
    - XORed the whole thing and opened it in WinImage.
    - Extracted the files from the Title dir that I need (1 .app, 1 .tmd and 1 .cmd).
    - Read up on 3dbrew what the files are and contain (like the tmd being an archive).
    - Read out the .app and .tmd files with ctrtool and saw the result (see images below).

    This whole process took me, with reading into it and generating the necessary files, about 2 hours, but then everything got worse. The thing I'm hanging on is that if I extract the romfs from the .app, ctrtool can neither read the romfs nor extract it, and it seems like I can't do anything with the .tmd file except read the info via ctrtool.

    With about 36 hours of searching and trying I've done this:
    - Repeated the whole process with 2 different sets of tools (dump and xor with either rxTools or Decrypt9).
    - Decrypted system titles, CTR titles and title.db for a key, but that didn't do the trick either.
    - Generated an sdinfo.bin for the .app and .tmd files for the xorpads, but after XORing them they become unreadable (as if the files were already good to go after the extraction).
    - Used the title.db key to download the files from CDN and generate a .cia file to decrypt that; also didn't work.

    EDIT: Found the solution

    Last edited by StevenSeegal, Jul 22, 2015
  2. StevenSeegal (OP), Member, Jul 22, 2015, Netherlands
    After a good night of sleep I found out I had to use the xorpad on the extracted romfs, not on the .app file. It did the trick, and the romfs is decrypted and extracted now.
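As an added illustration (not code from the thread or from any of the tools mentioned): a small Python 3 script that applies an xorpad to a file the way the second post describes, to the extracted romfs.bin rather than to the .app, and then checks whether the result looks decrypted. It assumes the xorpad is at least as long as the input file and that a decrypted romfs starts with the 4-byte magic "IVFC"; neither assumption is stated in the thread, and the magic is only used as a sanity check (a wrong pad or the wrong input file leaves it absent).

```python
import sys

# Assumption (not stated in the thread): a decrypted 3DS romfs container begins
# with the 4-byte magic "IVFC". It is used only as a sanity check on the result.
ROMFS_MAGIC = b"IVFC"
CHUNK = 1 << 20  # stream 1 MiB at a time so large romfs images fit in memory


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with the matching prefix of pad; the pad must cover all of data."""
    if len(pad) < len(data):
        raise ValueError(f"xorpad too short: need {len(data)} bytes, have {len(pad)}")
    pad = pad[:len(data)]
    # Whole-chunk XOR through big integers is far faster than a per-byte loop.
    return (int.from_bytes(data, "little") ^ int.from_bytes(pad, "little")).to_bytes(len(data), "little")


def has_romfs_magic(data: bytes) -> bool:
    """True if the bytes start with the assumed decrypted-romfs magic."""
    return data[:4] == ROMFS_MAGIC


def xor_file_with_pad(data_path: str, pad_path: str, out_path: str) -> int:
    """Stream data_path XOR pad_path into out_path; returns the number of bytes written."""
    written = 0
    with open(data_path, "rb") as fin, open(pad_path, "rb") as fpad, open(out_path, "wb") as fout:
        while True:
            chunk = fin.read(CHUNK)
            if not chunk:
                break
            pad = fpad.read(len(chunk))
            if len(pad) < len(chunk):
                raise ValueError(f"xorpad ran out at offset {written + len(pad)}")
            fout.write(xor_bytes(chunk, pad))
            written += len(chunk)
    return written


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: xorpad.py <romfs.bin> <romfs.xorpad> <romfs_dec.bin>")
    n = xor_file_with_pad(sys.argv[1], sys.argv[2], sys.argv[3])
    with open(sys.argv[3], "rb") as f:
        ok = has_romfs_magic(f.read(4))
    print(f"wrote {n} bytes; romfs magic {'found' if ok else 'NOT found (wrong pad or wrong input file?)'}")
```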