Neimod is making progress!

Discussion in '3DS - Homebrew Development and Emulators' started by Quincy, May 31, 2011.

Thread Status:
Not open for further replies.
  1. Quincy

    Quincy Your own personal guitarist :3

    Nov 13, 2008
    Your house, robbing your stuff
    This is very interesting. It is kind of a nerd read tho, but still read it up.

    A CXI file contains the 'application' program code, which runs on a single ARM11 core. It can communicate through SVC calls with the other ARM11 core running the 'system' program code. For reasons of clarity, the ARM11 cores will sometimes be called the 'appcore' and 'syscore' respectively.
    The CXI file format contains application ARM11 code, the menu icon, the menu 3D model, and an embedded read-only (ROM) filesystem for external filestorage. In fact, the application ARM11 code, menu icon, and menu 3D model are embedded into its own filesystem too, called the ExeFS.
    More specifically, the CXI file format is structured in the following order:
    first an NCCH header,
    followed by an extended header,
    followed by a plain binary region,
    followed by an embedded executable filesystem (ExeFS),
    and finally followed by a read-only filesystem (RomFS).
    The extended header contains additional information regarding access control. The plain binary region is an area specifically stored in plaintext, mostly containing SDK library strings for identification.
    The extended header, the ExeFS and the RomFS are encrypted using AES CTR.

    NCCH Header
    0x000ÂÂÂÂ 0x100ÂÂÂÂ RSA-2048 signature of the NCCH header, using SHA-256.
    0x100ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ Magic ID, always 'NCCH'
    0x104ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ Content size, in media units (1 media unit = 0x200 bytes)
    0x108ÂÂÂÂ 8ÂÂÂÂÂÂÂÂÂÂÂÂ Partition ID
    0x110ÂÂÂÂ 2ÂÂÂÂÂÂÂÂÂÂÂÂ Maker code
    0x112ÂÂÂÂ 2ÂÂÂÂÂÂÂÂÂÂÂÂ Version
    0x114ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ Reserved
    0x118ÂÂÂÂ 8ÂÂÂÂÂÂÂÂÂÂÂÂ Program ID
    0x120ÂÂÂÂ 1ÂÂÂÂÂÂÂÂÂÂÂÂ Temp flag
    0x121ÂÂÂÂ 0x2FÂÂÂÂÂÂÂÂÂÂÂÂ Reserved
    0x150ÂÂÂÂ 0x10ÂÂÂÂ Product code
    0x160ÂÂÂÂ 0x20ÂÂÂÂ Extended header hash
    0x180ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ Extended header size
    0x184ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ Reserved
    0x190ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ Plain region offset, in media units
    0x194ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ Plain region size, in media units
    0x198ÂÂÂÂ 8ÂÂÂÂÂÂÂÂÂÂÂÂ Reserved
    0x1A0ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ ExeFS offset, in media units
    0x1A4ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ ExeFS size, in media units
    0x1A8ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ ExeFS hash region size, in media units
    0x1B0ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ RomFS offset, in media units
    0x1B4ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ RomFS size, in media units
    0x1B8ÂÂÂÂ 4ÂÂÂÂÂÂÂÂÂÂÂÂ RomFS hash region size, in media units
    0x1C0ÂÂÂÂ 0x20ÂÂÂÂ ExeFS superblock hash
    0x1E0ÂÂÂÂ 0x20ÂÂÂÂ RomFS superblock hash
    NCCH header example for Lego Starwars III

    Content size:ÂÂÂÂÂÂÂÂÂÂ 0x1cfef400
    Partition id:ÂÂÂÂÂÂÂÂÂÂ 0004000000038c00
    Maker code:ÂÂÂÂÂÂÂÂÂÂÂÂ 3436 ("46")
    Program id:ÂÂÂÂÂÂÂÂÂÂÂÂ 0004000000038c00
    Temp flag:ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ00
    Product code:ÂÂÂÂÂÂÂÂÂÂ CTR-P-ALGP
    Extended header hash:ÂÂ 0C27E3C1DE7B2AE2D3114F32A4EEBF46
    Extended header size:ÂÂ 00000400
    Plain region offset:ÂÂÂÂ0x00004a00
    Plain region size:ÂÂÂÂÂÂ0x00000200
    ExeFS offset:ÂÂÂÂÂÂÂÂÂÂ 0x00004c00
    ExeFS size:ÂÂÂÂÂÂÂÂÂÂÂÂ 0x00143800
    ExeFS hash region size: 0x00000200
    RomFS offset:ÂÂÂÂÂÂÂÂÂÂ 0x00148400
    RomFS size:ÂÂÂÂÂÂÂÂÂÂÂÂ 0x1ceab000
    RomFS hash region size: 0x00000200
    ExeFS Superblock Hash:ÂÂ130C042615F647C4C63225EA9E67F8A2
    RomFS Superblock Hash:ÂÂA65BEE1060BB6A6821BBCEC600035B7E
    Note: Offsets and sizes in media units have been converted to byte sizes.
    Plain region example for Lego Starwars III
    0004a00: 5b 53 44 4b 2b 4e 49 4e 54 45 4e 44 4f 3a 43 54ÂÂ[SDK+NINTENDO:CTÂÂÂÂ[SDK+NINTENDO:CTR_SDK-0_14_23_200_none]
    0004a10: 52 5f 53 44 4b 2d 30 5f 31 34 5f 32 33 5f 32 30ÂÂR_SDK-0_14_23_20
    0004a20: 30 5f 6e 6f 6e 65 5d 00 5b 53 44 4b 2b 4e 49 4eÂÂ0_none].[SDK+NINÂÂÂÂ[SDK+NINTENDO:Firmware-02_27]
    0004a30: 54 45 4e 44 4f 3a 46 69 72 6d 77 61 72 65 2d 30ÂÂTENDO:Firmware-0
    0004a40: 32 5f 32 37 5d 00 5b 53 44 4b 2b 4d 6f 62 69 63ÂÂ2_27].[SDK+MobicÂÂÂÂ[SDK+Mobiclip:Deblocker_1_0_2]
    0004a50: 6c 69 70 3a 44 65 62 6c 6f 63 6b 65 72 5f 31 5fÂÂlip:Deblocker_1_
    0004a60: 30 5f 32 5d 00 5b 53 44 4b 2b 4d 6f 62 69 63 6cÂÂ0_2].[SDK+MobiclÂÂÂÂ[SDK+Mobiclip:ImaAdpcmDec_1_0_0]
    0004a70: 69 70 3a 49 6d 61 41 64 70 63 6d 44 65 63 5f 31ÂÂip:ImaAdpcmDec_1
    0004a80: 5f 30 5f 30 5d 00 5b 53 44 4b 2b 4d 6f 62 69 63ÂÂ_0_0].[SDK+MobicÂÂÂÂ[SDK+Mobiclip:MobiclipDec_1_0_1]
    0004a90: 6c 69 70 3a 4d 6f 62 69 63 6c 69 70 44 65 63 5fÂÂlip:MobiclipDec_
    0004aa0: 31 5f 30 5f 31 5d 00 5b 53 44 4b 2b 4d 6f 62 69ÂÂ1_0_1].[SDK+MobiÂÂÂÂ[SDK+Mobiclip:MoflexDemuxer_1_0_2]
    0004ab0: 63 6c 69 70 3a 4d 6f 66 6c 65 78 44 65 6d 75 78ÂÂclip:MoflexDemux
    0004ac0: 65 72 5f 31 5f 30 5f 32 5d 00 00 00 00 00 00 00ÂÂer_1_0_2].......
    0004ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00ÂÂ................
    0004ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00ÂÂ................

    Credit goes to Neimod and all people who worked on this document
  2. AlanJohn

    AlanJohn くたばれ

    GBAtemp Patron
    AlanJohn is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    Jan 6, 2011
    Canada,New Jersey
    I don't understand a thing in hacking so I thinks its normal that I have no idea what your talking about.
  3. Quincy

    Quincy Your own personal guitarist :3

    Nov 13, 2008
    Your house, robbing your stuff
    As I said, it's a nerd read [​IMG]
  4. Keva

    Keva GBAtemp Fan

    Sep 28, 2004
    Hasn't that been on there for a while now?

    Still.. glad to see that people are getting to understand how it works [​IMG]
  5. Quincy

    Quincy Your own personal guitarist :3

    Nov 13, 2008
    Your house, robbing your stuff
    That info h as been documented yesterday iirc
  6. FAST6191

    FAST6191 Techromancer

    pip Reporter
    Nov 21, 2005
    United Kingdom
    Nice info, naturally it left me with more questions but early days stuff always does.

    Mobiclip is back.... interesting although I think I might have to try my hand at knocking together some form of decoder as and when rom hacking gets to kick off. Some of those might just be decoders of known formats though rather than the proprietary stuff mobiclip is usually associated with.

    Back on topic so to speak it looks like they furthered the DS model somewhat and maybe looked at the wii at the same time. I wonder where the SVC calls will land; GBA/DS SWI grade, Wii IOS stuff or something more akin to the DS ARM7 commercial rom stuff.

    "0x108 8 Partition ID" caught my eye; although it says nothing of the implementation I am drawn to wonder how that will work in practice. This being said we were brushing up against limits on the DS with direct addressing so it was inevitable with 3d and increased power.

    "followed by an embedded executable filesystem (ExeFS)," and other things most notably that it contains application code and seemingly kicks assets to another filesystem.
    I am hesitant to throw a phrase around like poor man's harvard architecture or hypervisor but I wonder if/how this will play with some of the scripting languages (especially the JIT stuff)- these have the potential to compromise security but on the flipside they are quite powerful and easier to learn (Puzzle quest is written in a form of lua if looking at the DS and we have all seen some of the stuff going on elsewhere with scripting languages). Of course I guess it could all be packed in the binary.
    Also some of the dynamic recompilation type arrangements (this device is certainly powerful enough to do some decent emulation where such techniques are quite potent- why port when you wrap it in an emulator) although I guess that is more of a memory issue (head in the 360 still).

    Thanks for pointing me at this Quincy; I shall look it over for a while.
  7. Pong20302000

    Pong20302000 making notes on everything

    Sep 8, 2009
    One's inner self

    is this not proof of 3DS rom dump?

    because of star wars III header data?

    that the data has been decrypted?

    that region changing is possible?

    same sort of offsetting used for DS Anti-Piracy
  8. FAST6191

    FAST6191 Techromancer

    pip Reporter
    Nov 21, 2005
    United Kingdom
    It could just as easily have been pulled from a memory dump Pong20302000; even on the DS the header and stuff like it is copied to memory on boot* and memory is usually in plaintext so to speak (cheat makers have long been familiar with obfuscation techniques for values of interest but pretty much only the 360 has large scale encrypted memory).

    *"Header Overview (loaded from ROM Addr 0 to Main RAM 27FFE00h on Power-up)" from

    This being said that is quite a bit of info and although it could be inferred encryption aside a rom dump would probably be easier to pull info from.
  9. pachura

    pachura GBAtemp Advanced Fan

    Dec 9, 2006
    So when will it be hacked ?

    Just joking. This is definitively interesting - this information must have been extracted either:
    - directly from the cartridge
    - from RAM after the cartridge is loaded
    - using 3DS SDK

    Whichever's the case, the hackers are moving forward.

    Some more observations:
    - it seems Nintendo is still using the Mobiclip/ActImagine codec for video & IMA ADPCM codec for sound, just like the original DS. These codecs are quite outdated and not that great quality
    - is it now confirmed that 3DS runs on two ARM11 cores ?
    - the syscore/appcore thing... does it mean that games can use just one core, and the second one is always running some kind of "system services" ? That would be a giant waste of processing power...
    - Pong20302000: the data has been decrypted? - no, they are saying explicitly that "the plain region" area is unencrypted, but the rest is encrypted using AES and signed with SHA-256 hashes
  10. ilman

    ilman Gbatemp's Official Noise Eraser

    Jul 25, 2010
    so this means that the 3ds system menu and lego star wars have been extracted and encrypted?
    if it is so, then this will be a huge step forward for hackers.
  11. Tom Bombadildo

    Tom Bombadildo Tom BombaDadlo

    pip Contributor
    GBAtemp Patron
    Tom Bombadildo is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    Jul 11, 2009
    United States
    I forgot

    I would assume it's running the Home menu, so you can easily access it with the home button.
  12. Coto


    Jun 4, 2010
    Exe FS more like system menu access libraries. RomFS reads from ROMexternal carts incluiding external storage.

    Tempflag variables caught my attention, wonder what´d do them. I pseudo believe 3DS has somekind of kirk´s psp security chip. Which will always read the same very offsets from RomFS addresses, in case of flashcards, those values always change.
  13. WiiUBricker

    WiiUBricker Insert Custom Title

    Sep 19, 2009
    What an aweful icon.
  14. SifJar

    SifJar Not a pirate

    Apr 4, 2009
    It seems to me to be similar to how the DS worked (with ARM7 and ARM9 - not sure if they were designated one for "application code" and one for "system code") and the Wii (with PPC being equivalent to "appcore" and ARM equivalent to "syscore"). Seems to be how Nintendo like to do things. It's not really a waste at all. Presumably the syscore provides access to hardware, the way IOS running on ARM does on the Wii. And implements the security system while they're at it (i.e. preventing unauthorised access to hardware). It is in Nintendo's interests to prevent games from being pirated, which will inevitably follow a hack, so from their point of view it is not all a waste of processing power to dedicate a core to this type of thing. And I guess it makes life easier for developers having hardware stuff handled by one core, and having one core purely dedicated to running actual applications.
  15. pachura

    pachura GBAtemp Advanced Fan

    Dec 9, 2006
    As far as I remember, ARM7 was responsible for sound and touchscreen input, and ARM9 for the rest.
  16. Melter

    Melter GBAtemp Regular

    Mar 31, 2011
    United States
    seems like kind of a waste to dedicate an entire ARM11 core to the system menu. How did neimod get this information though? Logic analyzer?
  17. popoffka

    popoffka GBAtemp Fan

    Jun 9, 2009
    Here's an interesting quote straight from the discussion page on the wiki:
  18. SifJar

    SifJar Not a pirate

    Apr 4, 2009
    Not system menu. System processes. i.e. the code providing access to hardware for the code running on appcore. As I said before, this is very similar to what happened on the Wii. There were two processors in the Wii, one for system processed (IOS) and one for actual games etc.
  19. Keva

    Keva GBAtemp Fan

    Sep 28, 2004

    I wonder why he can't disclose it [​IMG]

    Many hands make light work after all.
  20. Melter

    Melter GBAtemp Regular

    Mar 31, 2011
    United States
    probably so nintendo does not patch/fix the exploit.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice