Quick Tuto: Decrypt your own Native Firmware! (or any system titles)

Discussion in '3DS - Tutorials' started by pakrett, Aug 31, 2015.

  1. pakrett
    OP

    pakrett GBAtemp Maniac

    Member
    1,468
    559
    Apr 6, 2015
    France
    I've searched a lot for a way to do that. So firstly, thanks to everybody who helped me, even a little!
    Hall of fame: @motezazer, @Ronhero, @AlbertoSONIC, @d0k3, @MassExplosion213, @thaikhoa, @Gadorach, sansnumen!

    This method can be applied to any system titles.


    And now the great part!

    To decrypt the sysNAND's native-firm, you need:

    - Decrypt9
    - ctrTool
    - WinImage (or an equivalent software)

    1- Download Decrypt9, copy the files to your SD card and run it on your 3DS.
    2- On the menu, search for "CTR Partitions Dump" and do it. Shut down your console.
    3- Copy CTRNAND.bin from the root of your SD card to your PC and open it with WinImage.
    4- Go to \title\00040138\00000002\content, extract "000000XX.app" and rename it to "firm.app".
    5- Create a \D9titles folder, copy firm.app into it and run Decrypt9 again on your 3DS.
    6- This time, on the menu, search for "Decrypt Titles" and do it. Shut down your console and put the SD card back into your PC.
    7- Download ctrtool, extract the archive and copy firm.app from the \D9titles folder into the \ctrtool folder.
    8- Run "extract-decrypted-ExeFS-x32/64.bat" and go to the \ExeFS folder; there you will find a "firm.bin", this is your decrypted native-firm!


    To decrypt the emuNAND's native-firm, you need:

    - Decrypt9
    - ctrTool
    - WinImage (or an equivalent software)
    - 3DSFat16tool
    - emuNANDTool

    1- Download emuNANDTool and dump the emuNAND of your SD card with it; rename this backup to "NAND.bin"!
    2- Download 3DSFat16tool, extract the archive and copy the previous NAND.bin into the \3DSFat16tool folder.
    3- Download Decrypt9, copy the files to your SD card and run it on your 3DS.
    4- On the menu, search for "CTRNAND Padgen" and do it. Shut down your console.
    5- Copy "nand.fat16.xorpad" from the root of your SD card to the \3DSFat16tool folder on your PC.
    6- Run "Decrypt-NAND.bat" and open CTRNAND.bin with WinImage.
    7- Go to \title\00040138\00000002\content, extract "000000XX.app" and rename it to "firm.app".
    8- Create a \D9titles folder, copy firm.app into it and run Decrypt9 again on your 3DS.
    9- This time, on the menu, search for "Decrypt Titles" and do it. Shut down your console and put the SD card back into your PC.
    10- Download ctrtool, extract the archive and copy firm.app from the \D9titles folder into the \ctrtool folder.
    11- Run "extract-decrypted-ExeFS-x32/64.bat" and go to the \ExeFS folder; there you will find a "firm.bin", this is your decrypted native-firm!

     


    Last edited by pakrett, Aug 31, 2015


  2. SickPuppy

    SickPuppy New Member

    Member
    1,783
    445
    Jul 29, 2009
    United States
    Thanks for sharing.
     
    Margen67 likes this.
  3. MassExplosion213

    MassExplosion213 .

    Member
    1,386
    934
    Feb 15, 2015
    United States
    This is great! I had no idea our PM would help make something! You know, other than what it was intended to make.
     
    Margen67, pakrett and Ronhero like this.
  4. gudenau

    gudenau Never a unique idea

    Member
    3,172
    1,189
    Jul 7, 2010
    United States
    /dev/random
    No Nix love?
     
  5. MassExplosion213
    What apps do you need? I have quite a few Nix versions.
     
    Margen67 likes this.
  6. gudenau
    I have all the one I would need for this. ;-)
     
  7. MassExplosion213
    Ok. Just checking.
     
  8. Justin20020

    Justin20020 GBAtemp Advanced Fan

    Member
    504
    87
    Jun 22, 2015
    Gambia, The
    Sorry for my question, but what is it good for?
     
  9. Syphurith

    Syphurith Beginner

    Member
    641
    221
    Mar 8, 2013
    Switzerland
    Xi'an, Shaanxi Province
    Maybe you could add this manual version of the title decryption.
    Get the .app files you want to play with:
    _ From the decrypted NAND, using WinImage/UltraISO or other mount tools, go and check the path "/title/<TitleIDHigh>/<TitleIDLow>".
    _ You would need the TitleID. If you're playing with system titles, feel free to search for the name on the 3dbrew Title List page.
    _ Get the .app files from the folder "content". There may be more than one; go get all of them.
    _ Most .app files could be encrypted like a game .3DS. Use ncchinfo_gen.py to generate the ncchinfo.bin and use that to generate the xorpads.
    _ If you don't think it is encrypted, use ctrtool -i <Name.app> to check if there is a "hash mismatch". If yes, that is surely encrypted (for now).
    _ Use ctrtool to unpack the .app, as you do when converting the .3DS. Like: ctrtool -p --exefs=exefs.bin --romfs=romfs.bin --exheader=exheader.bin <Name.app>
    _ Once you get the xorpads from your console, use padxorer to decrypt the unpacked .bin files for you. Like: padxorer exefs.bin 0000.Main.norm_exe.xorpad
    _ Then you can unpack the romfs, or other parts, using ctrtool. Like: ctrtool -t romfs --romfsdir=./romfs decrypted_romfs.bin
    _ Feel free to play with the decrypted files. Like: ctrtool -t exheader -i decrypted_exheader.bin

    Following the manual way you may even patch it and re-encrypt it back, however NO SIGNATURE IS GENERATED!
    Edit the decrypted content. Once done, get it encrypted using padxorer: padxorer decrypted_modified_romfs.bin 0000.Main.romfs.xorpad.
    Then get your HxD and open the original .app file, the original encrypted part, and your re-encrypted part.
    Simply search for the original binary offset and calculate its end, and copy all of your re-encrypted content to replace it.
    Note: Only useful when both encrypted parts have the same length. Otherwise you may have to edit the .app to change its regions, and this is beyond my knowledge.

    I personally used the patchrom from 44670. To use this you would have to have devkitPro+devkitARM and Python installed.
    Place the extracted exefs (mostly a code.bin would be produced) and the decrypted exheader.bin, romfs.bin and exefs.bin in the repo's /workdir folder.
    Rename exheader.bin to exh.bin. Make sure you have exh.bin, romfs.bin, exefs.bin, and an exefs/code.bin in the workdir folder.
    Next open cmd.exe and add devkitARM/bin to the path, like "set PATH=%PATH%;C:\devkitPro\devkitARM\bin". Then call the Python script "exe2elf.py".
    This tool is not so good to use, and you may have other tools for the purpose of converting the exefs to ELF.
    To my knowledge this tool only calls the arm-none-eabi-gcc from devkitARM to link the content again, so most of the parts you edited could be found in the original decrypted file.

    BTW, there is something weird for me. I do know every version of those system apps could have different xorpads..
    But once I tried to do all this with the O3DS Native_FIRM, the one rxTools decrypted and patched is around 943KB while the decrypted & unpacked firm.bin is only ~940KB.
    I compared the two files with WinMerge2011 and figured out there is almost only a difference at the end of the file, ~2KB missing from the manually decrypted one.
    Almost? Because the one in the rxTools folder is patched too, and there are some bytes different from the original.

    Anyway, hope the above helps with some development... And? I didn't find a 0x10082 in any binary in my decrypted "cfg".
     
    pakrett likes this.
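The "hash mismatch" check and the padxorer step from the manual method above, as an added Python example (not a tool from this thread): it parses the ExeFS header, recomputes the per-section SHA-256 hashes the way ctrtool -i does to tell an encrypted image from a decrypted one, and applies a xorpad. The ExeFS image and the xorpad are constructed inside the script; a real pad only comes from your own console via Decrypt9 or ncchinfo.

```python
import hashlib
import struct

HDR = 0x200  # ExeFS header size; section offsets are relative to the end of the header


def xor_with_pad(data: bytes, pad: bytes) -> bytes:
    """padxorer-style step: XOR data with a xorpad that must cover its full length."""
    if len(pad) < len(data):
        raise ValueError("xorpad shorter than data")
    return bytes(a ^ b for a, b in zip(data, pad))


def exefs_entries(exefs: bytes):
    """Yield (name, offset, size, stored_sha256) for each used ExeFS entry.
    Ten 16-byte entries (8-byte name, u32 offset, u32 size) start at 0x0 and the
    ten SHA-256 hashes start at 0xC0, stored in reverse entry order."""
    for i in range(10):
        name, off, size = struct.unpack_from("<8sII", exefs, i * 0x10)
        if size == 0:
            continue
        slot = 0xC0 + (9 - i) * 0x20
        yield name.rstrip(b"\0").decode("ascii", "replace"), off, size, exefs[slot:slot + 0x20]


def verify_exefs(exefs: bytes) -> dict:
    """Recompute every section hash; a mismatch is what 'ctrtool -i' reports when the
    ExeFS is still encrypted (or has been corrupted)."""
    return {name: hashlib.sha256(exefs[HDR + off:HDR + off + size]).digest() == stored
            for name, off, size, stored in exefs_entries(exefs)}


def build_exefs(sections: dict) -> bytes:
    """Constructed sample builder (not a thread tool): pack named blobs into an ExeFS."""
    header, body = bytearray(HDR), b""
    for i, (name, blob) in enumerate(sections.items()):
        struct.pack_into("<8sII", header, i * 0x10, name.encode(), len(body), len(blob))
        header[0xC0 + (9 - i) * 0x20:0xC0 + (10 - i) * 0x20] = hashlib.sha256(blob).digest()
        body += blob + b"\0" * (-len(blob) % 0x200)  # keep sections 0x200-aligned
    return bytes(header) + body


# Constructed demo data: a plaintext ExeFS and a deterministic fake xorpad (a real pad
# comes from your own console via Decrypt9/ncchinfo and is unique to its title and key).
PLAIN = build_exefs({".code": b"\x01\x00\xa0\xe3" * 64, "logo": b"LOGO" * 32})
PAD = b"".join(hashlib.sha256(b"demo-pad%d" % i).digest()
               for i in range(len(PLAIN) // 32 + 1))[:len(PLAIN)]
ENCRYPTED = xor_with_pad(PLAIN, PAD)  # what the not-yet-decrypted .app's ExeFS looks like

if __name__ == "__main__":
    print("encrypted:", verify_exefs(ENCRYPTED))                      # hashes do not match
    print("decrypted:", verify_exefs(xor_with_pad(ENCRYPTED, PAD)))   # all True
```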
  10. pakrett (OP)
    What's Nix?
     
  11. MassExplosion213
    Any Unix based system.
     
    pakrett likes this.
  12. gudenau
    Like Linux.
     
  13. pakrett (OP)
    Thank you! Be sure that I will add this, but I'll test what you said before, to be sure not to misunderstand something ^^
    mmmmm, I like to play with Linux too ^^
     
    Last edited by pakrett, Sep 1, 2015
    Syphurith likes this.
  14. pakrett (OP)
    @Syphurith, do you know how I can build a CIA from a system title (.app)? I have a way but I don't know how to build a working RSF...
     
  15. leerpsp

    leerpsp GBAtemp Advanced Fan

    Member
    768
    161
    Feb 22, 2014
    United States
    I hate to be this guy and ask, and I know better than to ask, but I'm going to so others will see this before we get a lot of them asking about it......................... here it comes............ (can this be used to downgrade 9.9?)
     
  16. Cavioe

    Cavioe GBAtemp Fan

    Member
    308
    72
    May 28, 2015
    United States
    Just sell your 9.9 and get another.
     
  17. thaikhoa

    thaikhoa GBAtemp Maniac

    Member
    1,110
    319
    Sep 16, 2008
    If I had a decrypted native firm from someone, I wouldn't need to do the same again with my own system. Is that right?
     
  18. pakrett (OP)
    Correct ^^ This is for those who want another version of the native-firm, the files that were deleted from Nintendo's servers.
    NO way ^^
     
    Last edited by pakrett, Sep 4, 2015
    thaikhoa likes this.
  19. MassExplosion213
    With a xorpad, yes.
     
  20. pakrett (OP)
    But he needs a hardmod, a way to generate this xorpad on 9.9 (without any access ^^) and a way to re-encrypt the system titles for his console, so...