Q: What is exactly a CTR Transfer and how does it work?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Alex658, Sep 6, 2016.

  1. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela
    The name suggests it's an obvious transfer of the CTR part of the nand, i know that. But what are the specifics related to it? How much is actually transferred?

    How is it even possible? AFAIK you couldn't possibly share any part of another's 3ds NAND one with another because it would see it as invalid signature and thus, brick.

    Did people just managed to circumvent the protection and make it seem legit? edited out console's specifics adresses?

    How does it work and why does it make a9lh easier?

    This can't be used to revive a 3ds that wasn't MCU bricked, right? if not, why then? Thanks for all your answers. Couldn't really get the specifics on 3dbrew.
     
  2. Sykoh

    Sykoh Leader of the Brick Masterrace

    Member
    477
    57
    Aug 21, 2015
    Your Bricked SYSNAND
    its basically a nand.bin transfer but it isn't console specific
     
  3. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    Sicklyboy and Alex658 like this.
  4. Ericjwg

    Ericjwg GBAtemp Psycho!

    Member
    3,135
    842
    Jul 2, 2015
    Canada
    basically, it's a nand without those console unique files.
     
  5. Swiftloke

    Swiftloke Hwaaaa!

    Member
    1,770
    1,525
    Jan 26, 2015
    United States
    Nowhere
    He knows that.
    OP, iirc d0k3 made something on Reddit a bit ago explaining this. (Looks like ihaveamac found it) Basically, after a lot of cryptoanalysis, devs managed to derive the console unique encryption used for the NAND. This was taken advantage of with CTRNAND transfer: an unencrypted CTRNAND partition on 2.1 is given to to the target. Decrypt9 then re-encrypts it with the derived console-unique encryption, making it valid.
     
    Alex658 and Ericjwg like this.
  6. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela

    This is exactly what i was looking for, Now i'm even more curious.

    So theoretically would it be possible to use this in combination with a hardmod to revive a 3ds? (Assuming the console works with a frankenfirmware and can at least re-encrypt the decrypted nand.bin transfer)

    This makes the phailect guide safer because it doesn't exactly downgrade title per title, just inserts another's 3ds downgraded NAND altogether, the transferable part, at least?


    EDIT:

    Ahhhh, so without decrypy9, you'd basically be SoL with no way of validating this backup/inserting your 3ds keys+MAC(?)
     
    Last edited by Alex658, Sep 6, 2016
  7. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    if you have a bricked console, (depending on how it happened) the only thing that can save you is a previous NAND backup from the system. since you still need to encrypt some things using console-unique keyslots, and not to mention the NAND itself is encrypted using console-unique keyslots, you can't get far enough.
     
  8. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela
    Nah, both my 3ds's work just fine, although still on menuhax because i don't feel ready to do a9lh, and can't afford a hardmod (no one does it in my country, and can't possibly send it anywhere else) and menuhax+coldboot+lesshax works just 90-95% of the time without a hitch.

    With these it sounds like it may be worth it to give it a try and see how it goes, eventually...

    I have the nands backed up and update those backups every few months just in case new tools appeared (3ds scene has improved tremendously in about a year when downgrades to 9.2 became possible again).
     
  9. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    with the new ctrtransfer, it's almost impossible to brick when setting up arm9loaderhax. if you really want to be safe:
    • dump emunand and sysnand right before beginning
    • generate xorpads (in particular CTRNAND xorpad, filename "nand.fat16.xorpad"
    these two things would help you retain access to things like save files for digital games. you would be able to use files from the NAND to decrypt SD contents, or at least use them with a new system you get.
     
    Alex658 likes this.
  10. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela

    Would this also make it possible to CTR transfer the dump of two O3ds between each other? (Assuming both have been properly decrypted, and have the xorpads and NCCH dumped)
    I've asked this before but was told to just backup the savegames and be done with it...


    This actually has a lot of potential if people find a way to use two 3ds with the same NAND dump and both being valid with the same ID's. Really convenient. (of course, playing online with them would be stupid)
     
  11. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    with the ctrtransfer magic, any decrypted CTRNAND image is technically transferrable (assuming the console is not bricked, and you can use Decrypt9 of course). it's how I got one of my systems on 8.1.0-0J using a NAND dump + xorpad from another system.

    of course things like NNID and eShop won't work properly, since some of that is server-sided. but you could use it to region-change easier, and of course go to 2.1.0-4. (or just fuck around, like me, who knows?)
     
  12. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela

    That above, was someone wanting to manually transfer an O3ds CTR NAND image to a N3DS, which is obviously way more risky.
    Just found this on that reddit post. Technically i should be able to do what i think, since i barely use it online (mostly just to update them through MSET/System Settings)
     
  13. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    you can transfer Old3DS -> New3DS and I've done this for 9.2. and it actually boots! but it crashes a few seconds in unless I quickly launch a title.

    you also technically do this for 2.1 on New3DS, however it doesn't crash right away, and is just done to get a9lh installed.
     
  14. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela
    I know, a9lh is essentially transfering part of the n3ds firmware to the o3ds firmware.
    Thanks for all the help :]

    Wonder if the id0/id1 would change after the console encrypts the CTR transfer image again, if they did you couldn't possibly share the same mSD/Games between two consoles.
     
  15. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    kind of. not the same thing here with ctrtransfer.
    id0/id1 in "Nintendo 3DS" on the SD card is based on "nand/private/movable.sed". part of this gets moved in a system transfer. it's also used for certain NAND files, and is part of getting a CTRNAND image from one system to work on another.
     
    Alex658 likes this.
  16. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela
    SWEET! I'll keep this in check when i manage to a9lh them both, and maybe ask for a little help to create a valid virgin CTR transfer backup.
     
  17. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    there already exist ones for 2.1.0-4 and 9.2.0-20 USA/EUR/JPN. you could base it on these if you want to create ones for different versions.

    to dump a "transferrable" one, use Decrypt9: "SysNAND/EmuNAND Options" -> "CTRNAND transfer..." -> "Dump transferable CTRNAND". note this will probably still include "sensitive" files like nand/rw/sys/SecureInfo_A (contains console serial number), so you'd want to remove them on a PC first if you intend to give this to someone else or make it public.
     
  18. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela
    Nah, I'd like to keep the secure info legit for the 2nd 3ds (So i'd have to find a way to dump it and re-insert it after I'd transfer the 1st 3DS CTR into the 2nd one). The one and only purpose of this would be to be able to take the mSD out, and just stick it to the other 3ds and keep everything working as it normally would on the XL one (Games, saves, friends, etc)

    Of course another option would just be to buy another 32 gb card, stick it to the other one, reinstall every cia and just insert the savefiles. But it would still be another separate entity all together. The transfer method would make everything more convenient.
     
  19. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,504
    6,095
    Apr 20, 2015
    United States
    Tigard, OR
    if both systems aren't the same type (New3DS/Old3DS), you're probably not looking for CTRNAND transfer. don't bother. actually, might be easier to just not bother doing that anyway if this is what you want.

    if you want to have the same saves under "Nintendo 3DS", try dumping movable.sed, inject it into the other system, then use "SysNAND/EmuNAND Options" -> "CTRNAND transfer..." -> "Autofix CTRNAND" to fix things in NAND based on it. you'll have to install tickets for the games though.

    if you really want to keep the same friends list, despite the issues it might cause (they won't have the same friends list! that's local, not server sided), you can dump friendsave.bin, inject it to the new system, then use the same thing above.

    no, you can't have NNID or eShop purchases on two systems. if you try, it will not work or just unlink it from the older system.
     
  20. Alex658
    OP

    Alex658 GBAtemp Maniac

    Member
    1,153
    341
    Jun 4, 2010
    Venezuela
    Venezuela
    1st and main system: o3dsXL
    2nd system, only used for multiplayer games: small o3ds.

    They are the same type and the same region. (USA)

    I haven't even bothered to set up an NNID on either of them. If i did, i think it just happened on the small one (that i accidentally updated when 9.2 extravaganza came out to 9.4 and couldn't do anything with it other than playing my two cartridge games for about a year)

    What i'd like to do in that case is just to make everything work between one-another with the same mSD, although i do know it would break most online stuff.