Patching region-free directly into Home Menu (arm9loaderhax or EmuNAND only)

Discussion in '3DS - Flashcards & Custom Firmwares' started by ihaveamac, Mar 15, 2016.

  1. ihaveamac
    OP

    ihaveamac GBAtemp Guru

    Some custom firmwares such as AuReiNand now have region-free built into them, so you should use that instead if you just care about playing out-of-region games.

    This could still be useful if you wanted to extract and rebuild Home Menu (or any system title) though. :)
    This should go without saying, but using a patched Home Menu or NS will only work if using EmuNAND or arm9loaderhax with SysNAND. If you do this and install the modified Home Menu/NS to SysNAND without arm9loaderhax, you will brick.

    Some might wait for a custom firmware to have this built in, some might want the Home Menu itself to do this. I like having this because it's more like actual custom firmware (loading pre-patched code into memory), but to each their own :P

    And finally, this isn't really my work. The patch for Home Menu and NS is taken from Free multi Patcher; @daxtsu and I found out we could rebuild a Home Menu/NS CIA with these included.

    Free multi Patcher searches for some bytes in memory when you try to use its region-free patch. Well, these bytes exist with Home Menu and NS system-module code.bin. If you can figure out how to rebuild a CIA (without doing 3DS -> CIA, unless that's possible for system titles?), then you can put these directly into the code.

    Home Menu needs to be patched to show out-of-region icons; NS only needs to be for out-of-region game cards, due to the update partition. If you are only using out-of-region CIAs, you don't need to patch NS.

    The exact bytes to patch are here:
    https://github.com/hartmannaf/Free-...7ec2e99eedb07213/source/patches.cpp#L158-L186

    The offsets for these change depending on region and version. For instance, here's 10.6.0-31U Home Menu:
    code.bin in hex editor
    For the Home Menu, 16 bytes need to be replaced. FMP only replaces 8, so the extra 8 are all 00.
    Code:
    normal:  00 00 55 E3 01 10 A0 E3 11 00 A0 E1 03 00 00 0A
    patched: 01 00 A0 E3 70 80 BD E8 00 00 00 00 00 00 00 00
    
    NS only needs 4 bytes to be replaced with 4. This appears in the code twice, at least with 10.0 - 10.3.
    Code:
    normal:  0C 18 E1 D8
    patched: 0B 18 21 C8
    
    I can't give a full tutorial on how to rebuild the CIA; however, if you know how to use 3dstool and things, this might help you get started. Please back up your Sys/EmuNAND before you mess with important system titles.

    Decrypt the original CIA first with Decrypt9 (Game Decryptor Options -> CIA Decryptor (deep)).

    Once the CIA has been created, encrypt NCCH using Decrypt9 before installing, or it won't boot (Game Decryptor Options -> CIA Encryptor (NCCH)).
    Code:
    # extract CIA contents
    ctrtool --contents=contents 0004003000008F02.cia
    
    # extract CXI contents - the content ID (00000083) changes depending on region and version
    3dstool -xvtf cxi contents.0000.00000083 --header ncch.header --exh exheader.bin --exefs exefs.bin --romfs romfs.bin --plain plain.bin
    
    # extract ExeFS contents and header
    3dstool -xvtf exefs exefs.bin --exefs-dir exefs --header exefs.header
    
    # decompress code
    3dstool -uvf exefs/code.bin --compress-type blz --compress-out code-orig.bin
    
    # copy "code-orig.bin" to "code-patched.bin" and patch here
    
    # re-compress code
    3dstool -zvf code-patched.bin --compress-type blz --compress-out exefs/code.bin
    
    # re-create ExeFS
    3dstool -cvtf exefs exefs2.bin --exefs-dir exefs --header exefs.header
    
    # re-create CXI
    3dstool -cvtf cxi patched.cxi --header ncch.header --exh exheader.bin --exefs exefs2.bin --romfs romfs.bin --plain plain.bin
    
    # re-create CIA
    makerom -f cia -o HomeMenu-U-10.6-patched-noncch.cia -content patched.cxi:0 -ver 45000
    # "ver" can be hex or an integer. you can change this without rebuilding by changing the two bytes at offset 0x2F9C of the CIA file
    
    (Thanks to this post for helping with extracting and rebuilding the CXI)

    Here's the video I made showing it off with normal ReiNand:
     
    Last edited by ihaveamac, Apr 10, 2016
    KJ1, CyberMario, I pwned U! and 34 others like this.
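The "copy and patch here" step from the post above, as an added example that is not part of the original post or of Free multi Patcher: it searches a decompressed code.bin for the quoted byte patterns and refuses to write anything unless the number of matches is the expected one, since a mis-applied patch to a system title is exactly the brick case the post warns about. The function names and sample buffers are hypothetical; the expected count of 2 for NS comes from the post, and the count of 1 for Home Menu is an assumption.

```python
# Added example: signature-based patching of a decompressed code.bin.
# Byte patterns are the ones quoted in the post; all names are hypothetical.

HOME_MENU = (
    bytes.fromhex("000055E30110A0E31100A0E10300000A"),  # normal
    bytes.fromhex("0100A0E37080BDE80000000000000000"),  # patched
)
NS = (bytes.fromhex("0C18E1D8"), bytes.fromhex("0B1821C8"))


def find_all(data, pattern):
    """Return every offset at which pattern occurs (non-overlapping)."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + len(pattern))
    return offsets


def apply_patch(data, normal, patched, expected):
    """Replace normal with patched; refuse unless exactly `expected` hits."""
    if len(normal) != len(patched):
        raise ValueError("patch must not change the file size")
    offsets = find_all(data, normal)
    if len(offsets) != expected:
        # Wrong region/version, already patched, or an ambiguous match.
        raise ValueError(f"expected {expected} match(es), found {len(offsets)}")
    out = bytearray(data)
    for off in offsets:
        out[off:off + len(normal)] = patched
    return bytes(out), offsets


def demo():
    # Constructed stand-ins for decompressed code, not real system code.
    home = b"\xAA" * 32 + HOME_MENU[0] + b"\xBB" * 16
    ns = b"\x11" * 8 + NS[0] + b"\x22" * 12 + NS[0] + b"\x33" * 4
    home_out, home_offs = apply_patch(home, *HOME_MENU, expected=1)
    ns_out, ns_offs = apply_patch(ns, *NS, expected=2)
    return home_out, home_offs, ns_out, ns_offs


if __name__ == "__main__":
    _, home_offs, _, ns_offs = demo()
    print("Home Menu patched at", [hex(o) for o in home_offs])
    print("NS patched at", [hex(o) for o in ns_offs])
```

Running it a second time on already-patched data raises instead of silently doing nothing, which makes it obvious when the input is not the unmodified code-orig.bin.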


  2. Supster131

    Supster131 (づ。◕‿‿◕。)づ *:・゚✧

    Oh sweet, nice!

    May try this once I get home!
    Great work! :D
     
  3. Classicgamer

    Classicgamer GBAtemp Advanced Fan

    I suspect there will be patched home menu cias on that iso site in no time!
     
    wurstpistole likes this.
  4. wurstpistole

    wurstpistole N3DS B9S

    So I suspect the CFW will include this soon anyway, but this would've been done after every Emunand update, right?
     
  5. ihaveamac
    OP

    ihaveamac GBAtemp Guru

    I plan on setting up a system so I can quickly extract, patch, and rebuild the CIAs if they ever get updates again, so... :P
    If you change the version of the CIA, it will resist Nintendo updates.
     
  6. stl25

    stl25 GBAtemp Advanced Fan

    Can the created Home Menu CIA be installed on any 3DS? Home Menu is not console specific, right? Excellent work by the way.
     
  7. Supster131

    Supster131 (づ。◕‿‿◕。)づ *:・゚✧

    It shouldn't be console specific, afaik.

    Although you can't install the n3DS home menu to the o3DS and vice versa, iirc.
     
  8. ihaveamac
    OP

    ihaveamac GBAtemp Guru

    not true, it's only region specific.
     
  9. Supster131

    Supster131 (づ。◕‿‿◕。)づ *:・゚✧

    That's good to know, only need to worry about 3 regions (mainly) then.
     
  10. daxtsu

    daxtsu GBAtemp Guru

    It would have to be done on every update that updates Home Menu and NS, but like @ihaveamac said, if you change the version numbers to something really high (like 0xAA00) they won't be changed. However, I don't recommend doing that personally, at least for NS, because while NATIVE_FIRM will happily load an old Home Menu, I'm not entirely sure what'll happen if you have it trying to load an [eventually] really old NS module.
     
  11. peteruk

    peteruk GBAtemp Maniac

    fantastic work @ihaveamac and @daxtsu

    you are helping to keep the scene moving, thank you
     
    VinsCool and ihaveamac like this.
  12. lefthandsword

    lefthandsword GBAtemp Fan

    I experimented with this idea earlier but I gave up after bricking my 3DS multiple times by botching NS: https://gbatemp.net/threads/help-with-repacking-system-cias.416706/

    (I also broke a JPN emunand beyond repair by trying to patch ngword, it won't update or install the clean CIA so I had to reformat it :/)

    I'm not asking for credits but I'm happy someone has finally caught on
     
    Last edited by lefthandsword, Mar 15, 2016
  13. laharl22

    laharl22 GBAtemp Advanced Maniac

    Can anyone PM me the Home Menu CIA please?
     
  14. ihaveamac
    OP

    ihaveamac GBAtemp Guru

    did you encrypt NCCH with Decrypt9 after generating the CIA? you need to do that for system titles to work. :)
     
  15. lefthandsword

    lefthandsword GBAtemp Fan

    Will try again /w your guide tonight
     
  16. wurstpistole

    wurstpistole N3DS B9S

    If anyone happens to come across 10.7 EUR .cia, a PN would be appreciated :lol:
     
  17. lefthandsword

    lefthandsword GBAtemp Fan

    Download the CIAs from 3dnus and patch them yourself; alternatively, you can wait for someone to put the prepatched files on that iso site.
     
  18. seijinshu

    seijinshu ...

    Oh. I finally have me some FE:If without bootNTR on aureinand
     
    LinkSoraZelda likes this.
  19. miraclaime

    miraclaime custom themes maniac

    will wait for it a bit longer till it becomes an easy to use patch :>
    anyway good job, my brain won't keep up with code things @,@
     
  20. VinsCool

    VinsCool Comfortably Numb

    It's happening! :D