Hardware Homebrew Homebrew game Need help with a custom game cartridge

[XLuma]

Ok thank you

Post automatically merged: Aug 6, 2024

Do you know any cheap clones? I can't seem to find any.

There are no clones. Sky3ds never took off because it only allowed to play signed backups (so you already needed a modded system to use it properly). Maybe someday the community will figure it out, but I doubt it would be popular due to how the scene is

 

[TheDuck3000]

There are no clones. Sky3ds never took off because it only allowed to play signed backups (so you already needed a modded system to use it properly). Maybe someday the community will figure it out, but I doubt it would be popular due to how the scene is

There are clones? It's in the GBATemp wiki. For example: KK3DS, Q3DS, Stargate maybe.

Post automatically merged: Aug 6, 2024

You didn't answer my question.


Sir, they don't exist.


Please provide a link to what you've found. Odds are it's just a DS flashcart.

Here you go

https://www.aliexpress.us/item/3256...3hYPwqDS&utparam-url=scene:search|query_from:

 

[The Real Jdbye]

I'm making a homebrew game for the 3DS, and want to be able to give some of my friends a custom game cartridge for the game. However, as I am using devkitARM, I can't sign it via nintendo (I don't have a license anyway). For getting this to work, I have the following ideas:

1) Flashcart and injecting my own .3ds file into another title, if that is possible.
2) Flashcart with an exploit that can boot a .3dsx.
3) Custom cartridge hardware that can manipulate the way the 3DS reads and loads games.
EDIT 2: 4) Somehow sign the .3ds file so that it can be run directly off a flashcart?
Any help here would be greatly appreciated!

EDIT: Important to note that they don't have CFW and are not willing to install it.

Using an exploitable game is the only way that would work, Cubic Ninja is the easiest exploit to launch AFAIK, as all other ones require you to go ingame and perform specific actions, Cubic Ninja just requires you to enter a specific menu.

 

[Kwyjor]

Here you go

https://www.aliexpress.us/item/3256...3hYPwqDS&utparam-url=scene:search|query_from:

That shows up as a lot more than $20 for me?

Anyway, yes, the Stargate is the last 3DS flashcart that was widely available - the successor to the Gateway and the Sky3DS. There have been recent threads about it.
https://gbatemp.net/threads/stargate-3ds-is-pretty-good.658534/

For example: KK3DS, Q3DS, Stargate maybe.

I don't think I've ever heard of the KK3DS or Q3DS before. You are the first person to mention them on these boards. Can you supply a link? Links are always useful.

Using an exploitable game is the only way that would work, Cubic Ninja is the easiest exploit to launch AFAIK, as all other ones require you to go ingame and perform specific actions, Cubic Ninja just requires you to enter a specific menu.

Well, you have to load up the exploit via QR codes first. And more importantly, it won't do anything except crash unless you deliberately copy specific files to the SD card. FreakyForms Deluxe is another possibility.

And other exploits like Oot3D and Sticker Star still work if you have some means of loading them up with exploited save data.

 

[The Real Jdbye]

That shows up as a lot more than $20 for me?

Anyway, yes, the Stargate is the last 3DS flashcart that was widely available - the successor to the Gateway and the Sky3DS.


I don't think I've ever heard of the KK3DS or Q3DS before. You are the first person to mention them on these boards. Can you supply a link? Links are always useful.

Well, you have to load up the exploit via QR codes first. And more importantly, it won't do anything except crash unless you deliberately copy specific files to the SD card. FreakyForms Deluxe is another possibility.

And other exploits like Oot3D and Sticker Star still work if you have some means of loading them up with exploited save data.

Well, OP would do that for their friends to make it easier. But yeah, it's not as easy as just putting the cartridge in.

 

[TheDuck3000]

That shows up as a lot more than $20 for me?

Anyway, yes, the Stargate is the last 3DS flashcart that was widely available - the successor to the Gateway and the Sky3DS. There have been recent threads about it.
https://gbatemp.net/threads/stargate-3ds-is-pretty-good.658534/


I don't think I've ever heard of the KK3DS or Q3DS before. You are the first person to mention them on these boards. Can you supply a link? Links are always useful.

Well, you have to load up the exploit via QR codes first. And more importantly, it won't do anything except crash unless you deliberately copy specific files to the SD card. FreakyForms Deluxe is another possibility.

And other exploits like Oot3D and Sticker Star still work if you have some means of loading them up with exploited save data.

Sure, here are the sources I used for that: https://wiki.gbatemp.net/wiki/Sky3DS+#Clones & https://wiki.gbatemp.net/wiki/Sky3DS#Clones

I'm just going to hope that Luma3DS allows for unsigned .3ds files on flashcards, if so they would just have to mod their system (I will eventually convince them). Otherwise I will prob just use the OoT exploit.

I just checked, it went off sale before I could buy one

 

[4d1xlaan]

If you use a stargate3ds or a Sky3ds+, probably. I don't think anybody tried this, so its a 50/50.

it doesn't work, to be clear. either the flashcart itself does its own signature checks to avoid showing improperly signed roms to the home menu, or cfw simply doesn't bypass 3ds cartridge verifications yet

 

[XLuma]

it doesn't work, to be clear. either the flashcart itself does its own signature checks to avoid showing improperly signed roms to the home menu, or cfw simply doesn't bypass 3ds cartridge verifications yet

cfw disables signature checks. the cartridge is just a slave. However, homebrew is not signed and also does not make any use of the cartridge encryption protocol.

If you want your homebrew to work via the sky3ds, you'd probably have to rebuild it as a .3ds (yes, its different than 3dsx. I'm talking about the actual rom format here) and modify the header values so it has correct encryption values, so the cartridge and the console can encrypt/derypt communications correctly. The sky3ds wont care if the rom has a valid signature or not, and the modded console also wont

I don't own one so I can try my theory unfort (probably never will too)

 

[4d1xlaan]

cfw disables signature checks. the cartridge is just a slave. However, homebrew is not signed and also does not make any use of the cartridge encryption protocol.

If you want your homebrew to work via the sky3ds, you'd probably have to rebuild it as a .3ds (yes, its different than 3dsx. I'm talking about the actual rom format here) and modify the header values so it has correct encryption values, so the cartridge and the console can encrypt/derypt communications correctly. The sky3ds wont care if the rom has a valid signature or not, and the modded console also wont

I don't own one so I can try my theory unfort (probably never will too)

I tried with bigbluemenu.3ds, that people used with gateway. it has to be encrypted first or the stargate twl menu doesnt recognize it. when encrypted then it becomes selectable, but it instead loads the next game when you try to load it

cfw disables signature checks for ncch and ticket yes, but i dont necessarily know if it also disables checks for cartridge verifications. we know it disables checks for ntr/twl cartridges, but 3ds cartridges have a lot of extra security on top of just signatures (if it was just signatures, it would be trivial to make bootleg carts), I wouldnt expect cfw to have gone so far out of their way to patch those cartridge checks out though. but at the same time, maybe they dont need to be patched out in the first place, since the flashcart itself is bypassing all of the cartridge security already. so maybe the existing signature patches would be enough, actually

if you have an idea how to set those header values (or rather, what they should be set to), I'd be happy to test that out. maybe they were wrong on bigbluemenu.3ds, if gateway didnt need them to be correct

 

[TheDuck3000]

I tried with bigbluemenu.3ds, that people used with gateway. it has to be encrypted first or the stargate twl menu doesnt recognize it. when encrypted then it becomes selectable, but it instead loads the next game when you try to load it

cfw disables signature checks for ncch and ticket yes, but i dont necessarily know if it also disables checks for cartridge verifications. we know it disables checks for ntr/twl cartridges, but 3ds cartridges have a lot of extra security on top of just signatures (if it was just signatures, it would be trivial to make bootleg carts), I wouldnt expect cfw to have gone so far out of their way to patch those cartridge checks out though. but at the same time, maybe they dont need to be patched out in the first place, since the flashcart itself is bypassing all of the cartridge security already. so maybe the existing signature patches would be enough, actually

if you have an idea how to set those header values (or rather, what they should be set to), I'd be happy to test that out. maybe they were wrong on bigbluemenu.3ds, if gateway didnt need them to be correct

Maybe try this? https://github.com/SabreTools/NDecrypt

 

[XLuma]

I tried with bigbluemenu.3ds, that people used with gateway. it has to be encrypted first or the stargate twl menu doesnt recognize it. when encrypted then it becomes selectable, but it instead loads the next game when you try to load it

cfw disables signature checks for ncch and ticket yes, but i dont necessarily know if it also disables checks for cartridge verifications. we know it disables checks for ntr/twl cartridges, but 3ds cartridges have a lot of extra security on top of just signatures (if it was just signatures, it would be trivial to make bootleg carts), I wouldnt expect cfw to have gone so far out of their way to patch those cartridge checks out though. but at the same time, maybe they dont need to be patched out in the first place, since the flashcart itself is bypassing all of the cartridge security already. so maybe the existing signature patches would be enough, actually

if you have an idea how to set those header values (or rather, what they should be set to), I'd be happy to test that out. maybe they were wrong on bigbluemenu.3ds, if gateway didnt need them to be correct

luma3ds probably doesnt patch out the titlekey verification, however I believe titlekey generation was actually cracked (which is what the cartridge encryption is based on). I could be wrong, but I saw that floating.

About 3ds bootlegs and signatures: The only reason the DSi cannot boot unsigned code without mods like unlaunch, is because of signatures lmao. You are right that 3ds cartridges are more sophisticated than ntr/twl, but the 3ds cartridge encryption is also broken, and very detailed on 3dbrew. Signatures are saving the 3ds from being loaded with bootlegs.

You could try opening a retail game and your own executable in something like 3dsexplorer (i think thats the name?) which analyses the rom header and displays all the values. and then you'd simply copy over most of these header values using the same tool (or hxd) and just trial and error until something happens

EDIT: confirmed luma3ds patches out *every* signature check, so bootlegs would work on a modded system assuming the cartridge used can properly communicate with the system.

 

[ber71]

Early no-intro dumps, for eshop games (not retail) were made in .3ds format too. iirc I tried loading some of these on my sky3ds+ but didn't work, besides running in latest luma.

 

[XLuma]

Early no-intro dumps, for eshop games (not retail) were made in .3ds format too. iirc I tried loading some of these on my sky3ds+ but didn't work, besides running in latest luma.

in theory the digital format is different than the one found in cartridges (CIA format). cartridges usually store CXI (or CCI, they might be interchangeable). .3ds is just a made up extension by the community, but it usually represents a CXI or CCI.

 

[ber71]

I mean, that legacy nointro dumps were released in 3ds format somehow, not cia. You can even install them sucesfully with gm9 or convert to cia to install with fbi. Nowadays a proper tmd/app dump is used.
Not working on sky3dsplus+cfw, anyway.

 

[XLuma]

I mean, that legacy nointro dumps were released in 3ds format somehow, not cia. You can even install them sucesfully with gm9 or convert to cia to install with fbi. Nowadays a proper tmd/app dump is used.
Not working on sky3dsplus+cfw, anyway.

I'd try modern dumps with current gm9, if anything. Kinda unfort that they don't work with a sky3ds though

 

[TheDuck3000]

luma3ds probably doesnt patch out the titlekey verification, however I believe titlekey generation was actually cracked (which is what the cartridge encryption is based on). I could be wrong, but I saw that floating.

About 3ds bootlegs and signatures: The only reason the DSi cannot boot unsigned code without mods like unlaunch, is because of signatures lmao. You are right that 3ds cartridges are more sophisticated than ntr/twl, but the 3ds cartridge encryption is also broken, and very detailed on 3dbrew. Signatures are saving the 3ds from being loaded with bootlegs.

You could try opening a retail game and your own executable in something like 3dsexplorer (i think thats the name?) which analyses the rom header and displays all the values. and then you'd simply copy over most of these header values using the same tool (or hxd) and just trial and error until something happens

EDIT: confirmed luma3ds patches out *every* signature check, so bootlegs would work on a modded system assuming the cartridge used can properly communicate with the system.

That’s good, so I should just be able to buy a card and put my ROM on it.

 

[4d1xlaan]

luma3ds probably doesnt patch out the titlekey verification, however I believe titlekey generation was actually cracked (which is what the cartridge encryption is based on). I could be wrong, but I saw that floating.

About 3ds bootlegs and signatures: The only reason the DSi cannot boot unsigned code without mods like unlaunch, is because of signatures lmao. You are right that 3ds cartridges are more sophisticated than ntr/twl, but the 3ds cartridge encryption is also broken, and very detailed on 3dbrew. Signatures are saving the 3ds from being loaded with bootlegs.

You could try opening a retail game and your own executable in something like 3dsexplorer (i think thats the name?) which analyses the rom header and displays all the values. and then you'd simply copy over most of these header values using the same tool (or hxd) and just trial and error until something happens

EDIT: confirmed luma3ds patches out *every* signature check, so bootlegs would work on a modded system assuming the cartridge used can properly communicate with the system.

title key verification isn't a thing. title key is an additional layer of encryption for digital contents, you either have the correct title key in the ticket or you don't. it can't just be bypassed

cartridges don't do title key encryption, because cartridges don't have tickets. instead there is a different kind of (universal) game card encryption, several different kinds of keys contained in bootrom depending on if it's an older or newer game, and new 3ds-exclusive cartridges use different keys too. the way it works is a little complicated but in layman's term the key slot(s) we care about is write-only, and before the bootrom was dumped, we couldnt know what the keys actually were. you could ask the console to read and decrypt a 3ds rom, and we could still use the keys to decrypt, but without knowing what the actual key was (so we couldnt do decryption on pc without first generating xorpads on console)

you underestimate how strong the cartridge verifications are on the 3ds, if signatures were the only barrier then they would be no barrier at all... considering that making perfect signed copies of a cartridge rom is trivial, all you would need to do is put that same data on a bootleg chip and... that hasn't happened, because it's a lot more complicated than just passing signature checks. bootlegs can easily pass signature checks because it would be very easy to just use a signed rom. there's a reason why sky3ds had problems with antipiracy btw

my mistake though, I was thinking you actually knew what you were talking about and could help me figure it out

in theory the digital format is different than the one found in cartridges (CIA format). cartridges usually store CXI (or CCI, they might be interchangeable). .3ds is just a made up extension by the community, but it usually represents a CXI or CCI.

digital is different than physical, sort of. both are essentially just ncch containers, but cia also includes a ticket and a tmd (ncch metadata) where cartridges don't. they are encrypted differently but that doesnt really make a difference

cci is .3ds, it means nothing but a made up extension for familiarity because nobody would know what a .cci is otherwise. cxi is ncch, which is contents, which for game executables generally contains an exefs and romfs, among other things

 

[XLuma]

title key verification isn't a thing. title key is an additional layer of encryption for digital contents, you either have the correct title key in the ticket or you don't. it can't just be bypassed

cartridges don't do title key encryption, because cartridges don't have tickets. instead there is a different kind of (universal) game card encryption, several different kinds of keys contained in bootrom depending on if it's an older or newer game, and new 3ds-exclusive cartridges use different keys too. the way it works is a little complicated but in layman's term the key slot(s) we care about is write-only, and before the bootrom was dumped, we couldnt know what the keys actually were. you could ask the console to read and decrypt a 3ds rom, and we could still use the keys to decrypt, but without knowing what the actual key was (so we couldnt do decryption on pc without first generating xorpads on console)

you underestimate how strong the cartridge verifications are on the 3ds, if signatures were the only barrier then they would be no barrier at all... considering that making perfect signed copies of a cartridge rom is trivial, all you would need to do is put that same data on a bootleg chip and... that hasn't happened, because it's a lot more complicated than just passing signature checks. bootlegs can easily pass signature checks because it would be very easy to just use a signed rom. there's a reason why sky3ds had problems with antipiracy btw

my mistake though, I was thinking you actually knew what you were talking about and could help me figure it out


digital is different than physical, sort of. both are essentially just ncch containers, but cia also includes a ticket and a tmd (ncch metadata) where cartridges don't. they are encrypted differently but that doesnt really make a difference

cci is .3ds, it means nothing but a made up extension for familiarity because nobody would know what a .cci is otherwise. cxi is ncch, which is contents, which for game executables generally contains an exefs and romfs, among other things

I actually do know what I am talking about, though. Heck, just go read the gamecard page on 3dbrew. The whole protocol is explained over there, and anybody could make a bootleg 3ds cartridge with the right hardware. The only reason nobody has done it, is because it would be a waste of time. Softmodding is more trivial, and a bootleg cartridge would cost more money to produce than buying a game from ebay or something.
Youre actually right by saying you put the data on a bootleg chip and it would work, if the chip is programmed correctly. Thats the entire point of a bootleg cartridge. You'll never be able to run unsigned code on a stock console, even if you had the cartridge encryption nailed down, because the signatures would fail. This is exactly why the DSi never had flashcarts built for it like the DS lite did (and im talking about true dsi mode flashcarts, not the ones that run in DS mode)

Post automatically merged: Aug 8, 2024

That’s good, so I should just be able to buy a card and put my ROM on it.

Thats a maybe, i can't say it would work for sure. Just a theory. Also it would definetely not work on stock consoles still.

 

[Technicmaster0]

Hence why im saying "closest". His friend's 3ds would still need to be modded to let the sky3ds run unauthorized code

The homebrew could be bundled with/in a savegame exploit that's stored on the sky3ds.

Ok, one last question. If I were to put my own unsigned .3ds file on a flashcart, would it run on a modded 3DS?

I think that luma doesn't contain the patches necessary for that but I'm not 100% sure.