Hacking Q: What is exactly a CTR Transfer and how does it work?

Alex658

Well-Known Member
OP
Member
Joined
Jun 4, 2010
Messages
1,201
Trophies
0
Age
27
Location
Venezuela
XP
1,135
Country
Venezuela
The name suggests it's an obvious transfer of the CTR part of the nand, i know that. But what are the specifics related to it? How much is actually transferred?

How is it even possible? AFAIK you couldn't possibly share any part of another's 3ds NAND one with another because it would see it as invalid signature and thus, brick.

Did people just manage to circumvent the protection and make it seem legit? Edited out console's specific addresses?

How does it work and why does it make a9lh easier?

This can't be used to revive a 3ds that wasn't MCU bricked, right? if not, why then? Thanks for all your answers. Couldn't really get the specifics on 3dbrew.
 

Swiftloke

Hwaaaa!
Member
Joined
Jan 26, 2015
Messages
1,770
Trophies
0
Location
Nowhere
XP
1,324
Country
United States
its basically a nand.bin transfer but it isn't console specific
He knows that.
OP, iirc d0k3 made something on Reddit a bit ago explaining this. (Looks like ihaveamac found it) Basically, after a lot of cryptanalysis, devs managed to derive the console unique encryption used for the NAND. This was taken advantage of with CTRNAND transfer: an unencrypted CTRNAND partition on 2.1 is given to the target. Decrypt9 then re-encrypts it with the derived console-unique encryption, making it valid.
 

Alex658

consider reading https://www.reddit.com/r/3dshacks/comments/4zhe4a/ if you want technical details.


This is exactly what i was looking for, Now i'm even more curious.

So theoretically would it be possible to use this in combination with a hardmod to revive a 3ds? (Assuming the console works with a frankenfirmware and can at least re-encrypt the decrypted nand.bin transfer)

This makes the phailect guide safer because it doesn't exactly downgrade title per title, just inserts another's 3ds downgraded NAND altogether, the transferable part, at least?


EDIT:

He knows that.
OP, iirc d0k3 made something on Reddit a bit ago explaining this. (Looks like ihaveamac found it) Basically, after a lot of cryptanalysis, devs managed to derive the console unique encryption used for the NAND. This was taken advantage of with CTRNAND transfer: an unencrypted CTRNAND partition on 2.1 is given to the target. Decrypt9 then re-encrypts it with the derived console-unique encryption, making it valid.

Ahhhh, so without Decrypt9, you'd basically be SoL with no way of validating this backup/inserting your 3ds keys+MAC(?)
 

ihaveahax

Well-Known Member
Member
Joined
Apr 20, 2015
Messages
5,985
Trophies
2
XP
6,852
Country
United States
This is exactly what i was looking for, Now i'm even more curious.

So theoretically would it be possible to use this in combination with a hardmod to revive a 3ds? (Assuming the console works with a frankenfirmware and can at least re-encrypt the decrypted nand.bin transfer)

This makes the phailect guide safer because it doesn't exactly downgrade title per title, just inserts another's 3ds downgraded NAND altogether, the transferable part, at least?
if you have a bricked console, (depending on how it happened) the only thing that can save you is a previous NAND backup from the system. since you still need to encrypt some things using console-unique keyslots, and not to mention the NAND itself is encrypted using console-unique keyslots, you can't get far enough.
 

Alex658

if you have a bricked console, (depending on how it happened) the only thing that can save you is a previous NAND backup from the system. since you still need to encrypt some things using console-unique keyslots, and not to mention the NAND itself is encrypted using console-unique keyslots, you can't get far enough.

Nah, both my 3ds's work just fine, although still on menuhax because i don't feel ready to do a9lh, and can't afford a hardmod (no one does it in my country, and can't possibly send it anywhere else) and menuhax+coldboot+lesshax works just 90-95% of the time without a hitch.

With these it sounds like it may be worth it to give it a try and see how it goes, eventually...

I have the nands backed up and update those backups every few months just in case new tools appeared (3ds scene has improved tremendously in about a year when downgrades to 9.2 became possible again).
 

ihaveahax

Nah, both my 3ds's work just fine, although still on menuhax because i don't feel ready to do a9lh, and can't afford a hardmod (no one does it in my country, and can't possibly send it anywhere else) and menuhax+coldboot+lesshax works just 90-95% of the time without a hitch.

With these it sounds like it may be worth it to give it a try and see how it goes, eventually...

I have the nands backed up and update those backups every few months just in case new tools appeared (3ds scene has improved tremendously in about a year when downgrades to 9.2 became possible again).
with the new ctrtransfer, it's almost impossible to brick when setting up arm9loaderhax. if you really want to be safe:
  • dump emunand and sysnand right before beginning
  • generate xorpads (in particular CTRNAND xorpad, filename "nand.fat16.xorpad")
these two things would help you retain access to things like save files for digital games. you would be able to use files from the NAND to decrypt SD contents, or at least use them with a new system you get.
 

Alex658

with the new ctrtransfer, it's almost impossible to brick when setting up arm9loaderhax. if you really want to be safe:
  • dump emunand and sysnand right before beginning
  • generate xorpads (in particular CTRNAND xorpad, filename "nand.fat16.xorpad")
these two things would help you retain access to things like save files for digital games. you would be able to use files from the NAND to decrypt SD contents, or at least use them with a new system you get.


Would this also make it possible to CTR transfer the dump of two O3ds between each other? (Assuming both have been properly decrypted, and have the xorpads and NCCH dumped)
I've asked this before but was told to just backup the savegames and be done with it...


This actually has a lot of potential if people find a way to use two 3ds with the same NAND dump and both being valid with the same ID's. Really convenient. (of course, playing online with them would be stupid)
 

ihaveahax

Would this also make it possible to CTR transfer the dump of two O3ds between each other? (Assuming both have been properly decrypted, and have the xorpads and NCCH dumped)
I've asked this before but was told to just backup the savegames and be done with it...


This actually has a lot of potential if people find a way to use two 3ds with the same NAND dump and both being valid with the same ID's. Really convenient. (of course, playing online with them would be stupid)
with the ctrtransfer magic, any decrypted CTRNAND image is technically transferrable (assuming the console is not bricked, and you can use Decrypt9 of course). it's how I got one of my systems on 8.1.0-0J using a NAND dump + xorpad from another system.

of course things like NNID and eShop won't work properly, since some of that is server-sided. but you could use it to region-change easier, and of course go to 2.1.0-4. (or just fuck around, like me, who knows?)
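
Added example, not part of the original posts and not Decrypt9's code: a Python sketch of why a decrypted CTRNAND image plus an xorpad can be re-encrypted for another console, as described in this thread. It assumes the partition encryption is a plain keystream XOR (which is what an xorpad is), substitutes a SHA-256 counter keystream for the console's real cipher, and uses a FAT boot-sector signature as a hypothetical sanity check; all names and sample bytes are constructed.

```python
import hashlib

SECTOR = 0x200  # boot sector size assumed by this example


def keystream(console_secret: bytes, length: int) -> bytes:
    """Stand-in for a console-unique keystream (an "xorpad").
    Assumption: SHA-256 in counter mode replaces the console's real cipher
    so the example runs with the standard library only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(console_secret + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_pad(data: bytes, pad: bytes) -> bytes:
    """XOR data with an xorpad; the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("xorpad is shorter than the image")
    return bytes(a ^ b for a, b in zip(data, pad))


def looks_like_fat(image: bytes) -> bool:
    """Cheap check that a decrypted image starts with a FAT boot sector."""
    return len(image) >= SECTOR and image[510:512] == b"\x55\xaa"


def retarget(src_encrypted: bytes, src_pad: bytes, dst_pad: bytes) -> bytes:
    """Decrypt with the source pad, verify, re-encrypt for the target."""
    plain = xor_with_pad(src_encrypted, src_pad)
    if not looks_like_fat(plain):
        raise ValueError("decrypted image is not FAT: wrong xorpad or bad dump")
    return xor_with_pad(plain, dst_pad)


def demo() -> dict:
    # Constructed sample: a 4-sector fake partition with a FAT signature.
    plain = bytearray(4 * SECTOR)
    plain[54:59] = b"FAT16"
    plain[510:512] = b"\x55\xaa"
    plain = bytes(plain)
    pad_a = keystream(b"console-A (constructed)", len(plain))
    pad_b = keystream(b"console-B (constructed)", len(plain))
    dump_a = xor_with_pad(plain, pad_a)        # what console A stores
    image_b = retarget(dump_a, pad_a, pad_b)   # what console B must store
    return {
        # Console B decrypts the retargeted image back to the same plaintext.
        "b_reads_transfer": xor_with_pad(image_b, pad_b) == plain,
        # A raw copy of A's encrypted dump decrypts to garbage on console B.
        "b_reads_raw_copy": xor_with_pad(dump_a, pad_b) == plain,
    }
```

The raw-copy case is the one the opening post worries about: without the target's own keystream, another console's encrypted dump is unreadable on it.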
 

Alex658

with the ctrtransfer magic, any decrypted CTRNAND image is technically transferrable (assuming the console is not bricked, and you can use Decrypt9 of course). it's how I got one of my systems on 8.1.0-0J using a NAND dump + xorpad from another system.

of course things like NNID and eShop won't work properly, since some of that is server-sided. but you could use it to region-change easier, and of course go to 2.1.0-4. (or just fuck around, like me, who knows?)


Reddit said:
As it stands, no. Being able to boot your bricked O3DS is still a requirement. Unless you have the OTP region for said bricked O3DS, that will not change.

Because the OTP contains the console-unique keys and the OTP decryption key is in the bootroms, you could revive it: If you do have the OTP for it, then a transfer without it being able to boot will become possible as soon as the protected bootroms become available to the public scene.

You cannot use the OTP of another 3DS, of course.

In theory, maybe. A ctrtransfer involves copying a CTRNAND image 1:1 from the source to the destination system. The O3DS firmware may notice that it is running on an N3DS and break or you may encounter the issue where suspending the system bricks it.

I would highly suggest you just set up arm9loaderhax on your N3DS and just doing a proper system transfer. /u/Plailect's guide has recently been updated to be much shorter precisely because of the ctrtransfer being possible.

That above, was someone wanting to manually transfer an O3ds CTR NAND image to a N3DS, which is obviously way more risky.
Just found this on that reddit post. Technically i should be able to do what i think, since i barely use it online (mostly just to update them through MSET/System Settings)
 

ihaveahax

That above, was someone wanting to manually transfer an O3ds CTR NAND image to a N3DS, which is obviously way more risky.
Just found this on that reddit post. Technically i should be able to do what i think, since i barely use it online (mostly just to update them through MSET/System Settings)
you can transfer Old3DS -> New3DS and I've done this for 9.2. and it actually boots! but it crashes a few seconds in unless I quickly launch a title.

you also technically do this for 2.1 on New3DS, however it doesn't crash right away, and is just done to get a9lh installed.
 

Alex658

you can transfer Old3DS -> New3DS and I've done this for 9.2. and it actually boots! but it crashes a few seconds in unless I quickly launch a title.

you also technically do this for 2.1 on New3DS, however it doesn't crash right away, and is just done to get a9lh installed.

I know, a9lh is essentially transferring part of the n3ds firmware to the o3ds firmware.
Thanks for all the help :]

Wonder if the id0/id1 would change after the console encrypts the CTR transfer image again, if they did you couldn't possibly share the same mSD/Games between two consoles.
 

ihaveahax

I know, a9lh is essentially transferring part of the n3ds firmware to the o3ds firmware.
Thanks for all the help :]
kind of. not the same thing here with ctrtransfer.
Wonder if the id0/id1 would change after the console encrypts the CTR transfer image again, if they did you couldn't possibly share the same mSD/Games between two consoles.
id0/id1 in "Nintendo 3DS" on the SD card is based on "nand/private/movable.sed". part of this gets moved in a system transfer. it's also used for certain NAND files, and is part of getting a CTRNAND image from one system to work on another.
 

Alex658

kind of. not the same thing here with ctrtransfer.

id0/id1 in "Nintendo 3DS" on the SD card is based on "nand/private/movable.sed". part of this gets moved in a system transfer. it's also used for certain NAND files, and is part of getting a CTRNAND image from one system to work on another.

SWEET! I'll keep this in check when i manage to a9lh them both, and maybe ask for a little help to create a valid virgin CTR transfer backup.
 

ihaveahax

SWEET! I'll keep this in check when i manage to a9lh them both, and maybe ask for a little help to create a valid virgin CTR transfer backup.
there already exist ones for 2.1.0-4 and 9.2.0-20 USA/EUR/JPN. you could base it on these if you want to create ones for different versions.

to dump a "transferrable" one, use Decrypt9: "SysNAND/EmuNAND Options" -> "CTRNAND transfer..." -> "Dump transferable CTRNAND". note this will probably still include "sensitive" files like nand/rw/sys/SecureInfo_A (contains console serial number), so you'd want to remove them on a PC first if you intend to give this to someone else or make it public.
 

Alex658

there already exist ones for 2.1.0-4 and 9.2.0-20 USA/EUR/JPN. you could base it on these if you want to create ones for different versions.

to dump a "transferrable" one, use Decrypt9: "SysNAND/EmuNAND Options" -> "CTRNAND transfer..." -> "Dump transferable CTRNAND". note this will probably still include "sensitive" files like SecureInfo_A (contains console serial number), so you'd want to remove them on a PC first if you intend to give this to someone else or make it public.

Nah, I'd like to keep the secure info legit for the 2nd 3ds (So i'd have to find a way to dump it and re-insert it after I'd transfer the 1st 3DS CTR into the 2nd one). The one and only purpose of this would be to be able to take the mSD out, and just stick it to the other 3ds and keep everything working as it normally would on the XL one (Games, saves, friends, etc)

Of course another option would just be to buy another 32 gb card, stick it to the other one, reinstall every cia and just insert the savefiles. But it would still be another separate entity all together. The transfer method would make everything more convenient.
 

ihaveahax

Nah, I'd like to keep the secure info legit for the 2nd 3ds (So i'd have to find a way to dump it and re-insert it after I'd transfer the 1st 3DS CTR into the 2nd one). The one and only purpose of this would be to be able to take the mSD out, and just stick it to the other 3ds and keep everything working as it normally would on the XL one (Games, saves, friends, etc)

Of course another option would just be to buy another 32 gb card, stick it to the other one, reinstall every cia and just insert the savefiles. But it would still be another separate entity all together. The transfer method would make everything more convenient.
if both systems aren't the same type (New3DS/Old3DS), you're probably not looking for CTRNAND transfer. don't bother. actually, might be easier to just not bother doing that anyway if this is what you want.

if you want to have the same saves under "Nintendo 3DS", try dumping movable.sed, inject it into the other system, then use "SysNAND/EmuNAND Options" -> "CTRNAND transfer..." -> "Autofix CTRNAND" to fix things in NAND based on it. you'll have to install tickets for the games though.

if you really want to keep the same friends list, despite the issues it might cause (they won't have the same friends list! that's local, not server sided), you can dump friendsave.bin, inject it to the new system, then use the same thing above.

no, you can't have NNID or eShop purchases on two systems. if you try, it will not work or just unlink it from the older system.
 

Alex658

if both systems aren't the same type (New3DS/Old3DS), you're probably not looking for CTRNAND transfer. don't bother. actually, might be easier to just not bother doing that anyway if this is what you want.

if you want to have the same saves under "Nintendo 3DS", try dumping movable.sed, inject it into the other system, then use "SysNAND/EmuNAND Options" -> "CTRNAND transfer..." -> "Autofix CTRNAND" to fix things in NAND based on it. you'll have to install tickets for the games though.

if you really want to keep the same friends list, despite the issues it might cause (they won't have the same friends list! that's local, not server sided), you can dump friendsave.bin, inject it to the new system, then use the same thing above.

no, you can't have NNID or eShop purchases on two systems. if you try, it will not work or just unlink it from the older system.

1st and main system: o3dsXL
2nd system, only used for multiplayer games: small o3ds.

They are the same type and the same region. (USA)

I haven't even bothered to set up an NNID on either of them. If i did, i think it just happened on the small one (that i accidentally updated when 9.2 extravaganza came out to 9.4 and couldn't do anything with it other than playing my two cartridge games for about a year)

What i'd like to do in that case is just to make everything work between one-another with the same mSD, although i do know it would break most online stuff.
 