Allright, so we have an encrypted ROM, which consists of: 1. a Header, 2. a Bootloader, 3. the Actual Game. Would it be possible to keep the current Header and bootloader encrypted and in place, while replacing the code segment to which the bootloader points to with some decrypted (or unsigned custom) executable?
Also, I remember those bulky LPT cables, which were connected to large dongles, in which we could slide a GBA-cartridge sized flash cart. Then, we'd use software to flash the NAND of that cart with a single game, which we then could play as if it were a real cartridge. (Fooling even the GC Gameboy Player, and a vareity of GC Games with linking ability, like HM:AWL. I believe The same can be done with 3DS games, as developers use a nintendo branded flashable cartridge to test games on regular 3DS consoles. Of course, a more usable USB connected dongle to Dump Original games and Flash the Flashcart would be nice... Then again, even if this would be pulled off, we'd still not have a way of running unsigned code.
However: There's still a possibility we can do stuff with the downloadable content of the 3DS. For the sake of research, I've been meddling around with some of the GBA titles only obtainable for participants of the "3DS Ambassador Programme". These are my findings: (mind you, I have no way of knowing this for certain, as all files are encrypted, and I have no way to decrypt most of them.)
For the GBA "emulated" games (I'll explain later why emulated is encapsulated by quotes), this is the file structure on the SD card after download and playing at least once:
My explanation:
00000001.sav: obviously, this would be the Game's saved data. Encrypted, probably unsigned due to checksums or CRC.
00000000.tmd: Seems to be the ticket file, telling the 3DS if this console is eligable to use this title, using the unique console ID. Encrypted and most definitly Signed, as this would be the key point to distribute "3DS-Ware".
00000001.cmd: I suspect this to be a bootloader to tell the 3DS to disable some hardware, go into some hardware assisted virtual mode and presumably sandbox the game and memory used by it. Encrypted, probably signed.
00000002.app: This appears to be the ROM file, but encrypted and probably signed.
00000003.app: Due to the huge file size differences from GBA game to GBA game (from ~1200kB to ~1800kB) I doubt this is an emulator (hence my quotes by emulated above). I have yet to see an encryption algorithm to cause such huge file size differences. I suspect it to be merely a "converted function file", to assist the 3DS hardware to run code native to the GBA. Especially thinking about how Nintendo at this time claims the GBA games probably won't be made publicly available, I suspect them to be game-specific, as in only functions this game needs are in there. This defeats the probability of ROM injection, and would be a Nintendo way to block such attempts.
IMHO, to get somewhere, we first need to crack the ticket file. This would give us insights how to make the 3DS accept custom code. But then again, I could be completely off...
*edited: copy and paste made a number of unnecessary linebreaks
Also, I remember those bulky LPT cables, which were connected to large dongles, in which we could slide a GBA-cartridge sized flash cart. Then, we'd use software to flash the NAND of that cart with a single game, which we then could play as if it were a real cartridge. (Fooling even the GC Gameboy Player, and a vareity of GC Games with linking ability, like HM:AWL. I believe The same can be done with 3DS games, as developers use a nintendo branded flashable cartridge to test games on regular 3DS consoles. Of course, a more usable USB connected dongle to Dump Original games and Flash the Flashcart would be nice... Then again, even if this would be pulled off, we'd still not have a way of running unsigned code.
However: There's still a possibility we can do stuff with the downloadable content of the 3DS. For the sake of research, I've been meddling around with some of the GBA titles only obtainable for participants of the "3DS Ambassador Programme". These are my findings: (mind you, I have no way of knowing this for certain, as all files are encrypted, and I have no way to decrypt most of them.)
For the GBA "emulated" games (I'll explain later why emulated is encapsulated by quotes), this is the file structure on the SD card after download and playing at least once:
Code:
|-
|-
|-
|-
|-
|-
| |- 00000001.sav
|-
|-
| |- 00000001.cmd
|- 00000000.tmd
|- 00000002.app
|- 00000003.app
My explanation:
00000001.sav: obviously, this would be the Game's saved data. Encrypted, probably unsigned due to checksums or CRC.
00000000.tmd: Seems to be the ticket file, telling the 3DS if this console is eligable to use this title, using the unique console ID. Encrypted and most definitly Signed, as this would be the key point to distribute "3DS-Ware".
00000001.cmd: I suspect this to be a bootloader to tell the 3DS to disable some hardware, go into some hardware assisted virtual mode and presumably sandbox the game and memory used by it. Encrypted, probably signed.
00000002.app: This appears to be the ROM file, but encrypted and probably signed.
00000003.app: Due to the huge file size differences from GBA game to GBA game (from ~1200kB to ~1800kB) I doubt this is an emulator (hence my quotes by emulated above). I have yet to see an encryption algorithm to cause such huge file size differences. I suspect it to be merely a "converted function file", to assist the 3DS hardware to run code native to the GBA. Especially thinking about how Nintendo at this time claims the GBA games probably won't be made publicly available, I suspect them to be game-specific, as in only functions this game needs are in there. This defeats the probability of ROM injection, and would be a Nintendo way to block such attempts.
IMHO, to get somewhere, we first need to crack the ticket file. This would give us insights how to make the 3DS accept custom code. But then again, I could be completely off...
*edited: copy and paste made a number of unnecessary linebreaks