ROM Hack [Release] 3DS_CTR_Decryptor-VOiD

  • Thread starter: Relys
  • Views: 649,245
  • Replies: 2,226
  • Likes: 30
oh yeah XD finally with quite a bit of help from hippy dave.....the most meaningful mod ever created

yeah full screen VC........what? not very impressive oh well :lol:

I think that's pretty cool. In the spirit of sharing progress I'd like to announce that I have created a tool that extracts all parts of a rom and decrypts them using their xorpads (created by the ctr decryptor). It is also able to rebuild the romfs, ncch(cxi) and ncsd using zero keys to re-encrypt them (I have only done some quick testing but it appears to be working). The games I tested were able to save properly; however, I haven't tested if they work with existing saves. A big thanks goes to the creators of the ctrtool and makerom tools as their source was very helpful in encrypting and hashing the rom, also a big thanks to the people who contributed to 3DBrew's documentation of the file formats.

Here is a (poor quality) photo of running a re-encrypted game.
rom_rebuild_poc.jpg

I am just working on making my tool a bit more efficient and easier to use, as well as testing it with more games but hopefully it should be ready for release in the next few days with C++ source code included.
 
I think that's pretty cool. In the spirit of sharing progress I'd like to announce that I have created a tool that extracts all parts of a rom and decrypts them using their xorpads (created by the ctr decryptor). It is also able to rebuild the romfs, ncch(cxi) and ncsd using zero keys to re-encrypt them (I have only done some quick testing but it appears to be working). The games I tested were able to save properly; however, I haven't tested if they work with existing saves. A big thanks goes to the creators of the ctrtool and makerom tools as their source was very helpful in encrypting and hashing the rom, also a big thanks to the people who contributed to 3DBrew's documentation of the file formats.

Here is a (poor quality) photo of running a re-encrypted game.
I am just working on making my tool a bit more efficient and easier to use, as well as testing it with more games but hopefully it should be ready for release in the next few days with C++ source code included.
Convert the game to card2 and add "-alignwr" to makerom and they will save fine. Oh, and a few adjustments to the rsf file so the padding is created so card 2 works; you can use this one if you like, just edit the card size to match whatever rom size you're using.
Code:
BasicInfo:
  Title                   : "Mario Bros Nes"
  CompanyCode             : "00"
  ProductCode             : "CTR-N-TABP"
  ContentType             : Application
  Logo                    : Nintendo # Nintendo / Licensed / Distributed / iQue / iQueForSystem

Rom:
  # Specifies the root path of the file system to include in the ROM.
  #HostRoot                : "rom"


TitleInfo:
  UniqueId                : 0x1242
  Category                : Application
  
CardInfo:
  MediaSize               : 128MB # 128MB / 256MB / 512MB / 1GB / 2GB / 4GB
  MediaType               : Card2 # Card1 / Card2
  CardDevice              : None # NorFlash(Pick this if you use savedata) / None
  

Option:
  FreeProductCode         : true # Removes limitations on ProductCode
  MediaFootPadding        : true # If true CCI files are created with padding
  EnableCrypt             : true # Enables encryption for NCCH and CIA
  EnableCompress          : true # Compresses exefs code

ExeFs: # these are the program segments from the ELF, check your elf for the appropriate segment names
  ReadOnly: 
   - .rodata
   - RO
  ReadWrite: 
   - .data
   - RO
  Text: 
   - .init
   - .text
   - STUP_ENTRY
   
PlainRegion: # only used with SDK ELFs 
 - .module_id
  
AccessControlInfo:
  #UseExtSaveData : true
  #ExtSaveDataId: 0xff3ff
  #UseExtendedSaveDataAccessControl: true
  #AccessibleSaveDataIds: [0x101, 0x202, 0x303, 0x404, 0x505, 0x606]

SystemControlInfo:
  SaveDataSize: 512KB
  RemasterVersion: 0
  StackSize: 0x40000
  
# DO NOT EDIT BELOW HERE OR PROGRAMS WILL NOT LAUNCH (most likely)

AccessControlInfo:
  FileSystemAccess:
   - Debug
   - DirectSdmc
   - DirectSdmcWrite
   
  IdealProcessor                : 0
  AffinityMask                  : 1
  
  Priority                      : 16
   
  MaxCpu                        : 0x9E # Default
  
  CoreVersion                   : 2
  DescVersion                   : 2
  
  ReleaseKernelMajor            : "02"
  ReleaseKernelMinor            : "33" 
  MemoryType                    : Application
  HandleTableSize: 512
  IORegisterMapping: 
   - 1ff50000-1ff57fff
   - 1ff70000-1ff77fff
  MemoryMapping: 
   - 1f000000-1f5fffff:r
  SystemCallAccess: 
    ArbitrateAddress: 34
    Break: 60
    CancelTimer: 28
    ClearEvent: 25
    ClearTimer: 29
    CloseHandle: 35
    ConnectToPort: 45
    ControlMemory: 1
    CreateAddressArbiter: 33
    CreateEvent: 23
    CreateMemoryBlock: 30
    CreateMutex: 19
    CreateSemaphore: 21
    CreateThread: 8
    CreateTimer: 26
    DuplicateHandle: 39
    ExitProcess: 3
    ExitThread: 9
    GetCurrentProcessorNumber: 17
    GetHandleInfo: 41
    GetProcessId: 53
    GetProcessIdOfThread: 54
    GetProcessIdealProcessor: 6
    GetProcessInfo: 43
    GetResourceLimit: 56
    GetResourceLimitCurrentValues: 58
    GetResourceLimitLimitValues: 57
    GetSystemInfo: 42
    GetSystemTick: 40
    GetThreadContext: 59
    GetThreadId: 55
    GetThreadIdealProcessor: 15
    GetThreadInfo: 44
    GetThreadPriority: 11
    MapMemoryBlock: 31
    OutputDebugString: 61
    QueryMemory: 2
    ReleaseMutex: 20
    ReleaseSemaphore: 22
    SendSyncRequest1: 46
    SendSyncRequest2: 47
    SendSyncRequest3: 48
    SendSyncRequest4: 49
    SendSyncRequest: 50
    SetThreadPriority: 12
    SetTimer: 27
    SignalEvent: 24
    SleepThread: 10
    UnmapMemoryBlock: 32
    WaitSynchronization1: 36
    WaitSynchronizationN: 37
  InterruptNumbers:
  ServiceAccessControl: 
   - APT:U
   - $hioFIO
   - $hostio0
   - $hostio1
   - ac:u
   - boss:U
   - cam:u
   - cecd:u
   - cfg:u
   - dlp:FKCL
   - dlp:SRVR
   - dsp::DSP
   - frd:u
   - fs:USER
   - gsp::Gpu
   - hid:USER
   - http:C
   - mic:u
   - ndm:u
   - news:u
   - nwm::UDS
   - ptm:u
   - pxi:dev
   - soc:U
   - ssl:C
   - y2r:u
   - ldr:ro
   - ir:USER
  
   
SystemControlInfo:
  Dependency: 
    ac: 0x0004013000002402L
    am: 0x0004013000001502L
    boss: 0x0004013000003402L
    camera: 0x0004013000001602L
    cecd: 0x0004013000002602L
    cfg: 0x0004013000001702L
    codec: 0x0004013000001802L
    csnd: 0x0004013000002702L
    dlp: 0x0004013000002802L
    dsp: 0x0004013000001a02L
    friends: 0x0004013000003202L
    gpio: 0x0004013000001b02L
    gsp: 0x0004013000001c02L
    hid: 0x0004013000001d02L
    http: 0x0004013000002902L
    i2c: 0x0004013000001e02L
    ir: 0x0004013000003302L
    mcu: 0x0004013000001f02L
    mic: 0x0004013000002002L
    ndm: 0x0004013000002b02L
    news: 0x0004013000003502L
    nim: 0x0004013000002c02L
    nwm: 0x0004013000002d02L
    pdn: 0x0004013000002102L
    ps: 0x0004013000003102L
    ptm: 0x0004013000002202L
    ro: 0x0004013000003702L
    socket: 0x0004013000002e02L
    spi: 0x0004013000002302L
    ssl: 0x0004013000002f02L
CommonHeaderKey: 
  D: |
    jL2yO86eUQnYbXIrzgFVMm7FVze0LglZ2f5g+c42hWoEdnb5BOotaMQPBfqt
    aUyAEmzQPaoi/4l4V+hTJRXQfthVRqIEx27B84l8LA6Tl5Fy9PaQaQ+4yRfP
    g6ylH2l0EikrIVjy2uMlFgl0QJCrG+QGKHftxhaGCifdAwFNmiZuyJ/TmktZ
    0RCb66lYcr2h/p2G7SnpKUliS9h9KnpmG+UEgVYQUK+4SCfByUa9PxYGpT0E
    nw1UcRz0gsBmdOqcgzwnAd9vVqgb42hVn6uQZyAl+j1RKiMWywZarazIR/k5
    Lmr4+groimSEa+3ajyoIho9WaWTDmFU3mkhA2tUDIQ==
  Exponent: |
    AQAB
  Modulus: |
    zwCcsyCgMkdlieCgQMVXA6X2jmb1ICjup0Q+jk/AydPkOgsx7I/MjUymFEkU
    vgXBtCKtzh3NKXtFFuW51tJ60GPOabLKuG0Qm5li+UXALrWhzWuvd5vv2FZI
    dTQCbrq/MFS/M02xNtwqzWiBjE/LwqIdbrDAAvX4HGy0ydaQJ1DKYeQeph5D
    lAGBw2nQ4izXhhuLaU3w8VQkIJHdhxIKI5gJY/20AGkG0vHD553Mh5kBINrWp
    CRYmmJS8DCYbAiQtKbkeUfzHViGTZuj6PwaY8Mv39PGO47a++pt45IUyCEs4/
    LjMS72cyfo8tU4twRGp76SFGYejYj3wGC1f/POQw==
  Signature: |
    BOPR0jL0BOV5Zx502BuPbOvi/hvOq5ID8Dz1MQfOjkey6FKP/6cb4f9YXpm6c
    ZCHAZLo0GduKdMepiKPUq1rsbbAxkRdQdjOOusEWoxNA58x3E4373tCAhlqM2
    DvuQERrIIQ/XnYLV9C3uw4efZwhFqog1jvVyoEHpuvs8xnYtGbsKQ8FrgLwXv
    pOZYy9cSgq+jqLy2D9IxiowPcbq2cRlbW9d2xlUfpq0AohyuXQhpxn7d9RUor
    9veoARRAdxRJK12EpcSoEM1LhTRYdJnSRCY3x3p6YIV3c+l1sWvaQwKt0sZ/U
    8TTDx2gb9g7r/+U9icneu/zlqUpSkexCS009Q==
  Descriptor: |
    AP///wAABAACAAAAAAAFGJ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiIAAAAAAAABBUFQ6VQAAACRo
    aW9GSU8AJGhvc3RpbzAkaG9zdGlvMWFjOnUAAAAAYm9zczpVAABjYW06dQAA
    AGNlY2Q6dQAAY2ZnOnUAAABkbHA6RktDTGRscDpTUlZSZHNwOjpEU1BmcmQ6
    dQAAAGZzOlVTRVIAZ3NwOjpHcHVoaWQ6VVNFUmh0dHA6QwAAbWljOnUAAABu
    ZG06dQAAAG5ld3M6dQAAbndtOjpVRFNwdG06dQAAAHB4aTpkZXYAc29jOlUA
    AABzc2w6QwAAAHkycjp1AAAAbGRyOnJvAABpcjpVU0VSAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAABOn/rw/7//8ec/APIA8JH/APaR/1D/gf9Y/4H/cP+B/3j/gf8B
    AQD/AAIA/iECAPz/////////////////////////////////////////////
    ////////////////////////////////////////AAAAAAAAAAAAAAAAAAAA
    AAADAAAAAAAAAAAAAAAAAAI=
 
convert the game to card2 and add "-alignwr" to makerom and they will save fine
The games save fine in their current state; I am just unsure whether they will work with existing saves not created by the re-encrypted game. I don't actually use an rsf file; as I preserved as much of the original rom as possible, I had to store all the settings provided in the original ncsd and ncch files. This means that all the settings in the re-encrypted games should be the same as the original apart from the ncch encryption type.
 
I am just working on making my tool a bit more efficient and easier to use, as well as testing it with more games but hopefully it should be ready for release in the next few days with C++ source code included.

Welp, guess that means I better start dumping my games and getting into this. Thanks for the info!
 
I am just working on making my tool a bit more efficient and easier to use, as well as testing it with more games but hopefully it should be ready for release in the next few days with C++ source code included.


Great news! Looking forward to the release! I'm loving the open source attitude around here. :)
 
I need some help, exefs2elf gives me this using the BBB Pokemon Games
textBase: -47d6c150
textSize: -44cc2c79000
roSize: 33df060d000
rwSize: -44a9a830000
bssSize: -4a95000

textBase mismatch, might be an encrypted exheader file
But ctrtool sees the exheader as valid and I can see the exheader in a Hex Editor and it isn't encrypted, so... anyone here know how to fix it?
 
Have you unpacked the exefs and decompressed the code file?
probably you're talking to somebody else, but i have a question for you:

I know how to unpack the exefs, but how do i decompress the code file?
maybe that is the reason why none of my repacked roms run yet (they show up with the banner and menu, but freeze at the 3ds screen)
 
probably you're talking to somebody else, but i have a question for you:

I know how to unpack the exefs, but how do i decompress the code file?
maybe that is the reason why none of my repacked roms run yet (they show up with the banner and menu, but freeze at the 3ds screen)

Someone posted this a few pages back:
ctrtool --exefsdir=. --decompresscode -t exefs exefs.bin
 
if you use an old version of ctrtool new features won't work
I know, but there are a lot of versions of ctrtool around now. Do you have the version which uses this code? I use the ctrtool linked by enilos on page 38.

edit:
nm i updated my ctrtool through github, maybe it's working now
 
I know, but there are a lot of versions of ctrtool around now. Do you have the version which uses this code? I use the ctrtool linked by enilos on page 38.

edit:
nm i updated my ctrtool through github, maybe it's working now


edit2:
ok thanks everybody, everything is working including saving!
 
Have you unpacked the exefs and decompressed the code file?

Yes, I have, and also have that problem with the GBA Games, and well, the .code file CAN'T be compressed because the .code is a pure GBA Rom (3DBrew says that, and if you decrypt a GBA VC rom and open the .code in a GBA Emu, the rom will play)
 
Scan the file for the "hints" and compare your results to the examples.

--

Posted an update to my GARC Unpacker to allow for packing, but obsoleted it with another tool which does it better.

GARCTool
Doesn't seem to work on little-endian GARC files ("CRAG" files), PM me for some example files if you need any.
 
I did some dirty GBC-injection job.

(Pokemon silver, korean version)



1. unpack BBB's pokemon rom with ctrtool (which produces un-encrypted exefs.bin, exheader.bin, romfs.bin)

2. inject whatever gbc rom into romfs.bin with hex editor

3. find and edit correct IVFC hash value with hex editor (romfs.bin)

4. modify rsf file

5. with cell9's tools, i was able to recreate cci file
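
Added example, not part of the original post or of any tool named in the thread: a simplified Python model of the layered SHA-256 hash tree that step 3 refers to, showing that a change to the data fails verification until every hash level up to the master hash matches again. The 0x1000-byte block size, the three-level in-memory layout and all function names are assumptions made for illustration; this is not the on-disk IVFC header format.

```python
import hashlib

BLOCK = 0x1000  # assumed hash block size for this model

def hash_level(data):
    """Concatenated SHA-256 digests, one per zero-padded BLOCK of data."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        block = data[off:off + BLOCK].ljust(BLOCK, b"\0")
        out += hashlib.sha256(block).digest()
    return bytes(out)

def build_tree(file_data):
    """Return [master, level1, level2, level3]; level3 is the file data."""
    level2 = hash_level(file_data)
    level1 = hash_level(level2)
    master = hash_level(level1)
    return [master, level1, level2, file_data]

def first_mismatch(tree):
    """Top-down check: index of the first level that does not match the
    hashes stored in the level above it, or None if the tree verifies."""
    for i in range(1, len(tree)):
        if hash_level(tree[i]) != tree[i - 1]:
            return i
    return None

def demo():
    """Change one byte of constructed data, then repair level by level."""
    data = bytes(range(256)) * 40          # constructed sample, 2.5 blocks
    tree = build_tree(data)
    results = [first_mismatch(tree)]       # untouched tree verifies
    changed = bytearray(data)
    changed[0x1234] ^= 0xFF                # single-byte change in block 1
    tree[3] = bytes(changed)
    results.append(first_mismatch(tree))   # data no longer matches level 2
    for level in (2, 1, 0):                # refresh hashes bottom-up
        tree[level] = hash_level(tree[level + 1])
        results.append(first_mismatch(tree))
    return results

if __name__ == "__main__":
    print(demo())
```

The mismatch moves up one level each time a lower level is refreshed, so a verifier that trusts only the master hash rejects the data until the whole chain is consistent.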
 
I did some dirty GBC-injection job.


(Pokemon silver, korean version)



1. unpack BBB's pokemon rom with ctrtool (which produces un-encrypted exefs.bin, exheader.bin, romfs.bin)

2. inject whatever gbc rom into romfs.bin with hex editor

3. find and edit correct IVFC hash value with hex editor (romfs.bin)

4. modify rsf file

5. with cell9's tools, i was able to recreate cci file

I presume you then proceeded to convert cci to 3ds? Were you able to substantially reduce the file size? Having a 128mb .3ds file for a ~4mb rom is ridiculous
 
