ROM Hack [Release] 3DS_CTR_Decryptor-VOiD

Nic333

They did it some unknown, unreleased way. Dunno why nothing has been released relating to them. It doesn't even have to be proper right now, I just want something that works. :rolleyes:

They did it with the re-xoring stuff, just a few members figured out how that works....
I still think using PatchRom to rebuild ROMs is the better way... You can even redirect RomFS to the SD....
 

gamesquest1

Ah, I see. I didn't look into that too much, but I think this should do the trick:

http://rumkin.com/software/tools/padxor.php
The xorpads are generated by the 3DS, they are unique to the title, and the same xorpad used to decrypt the content is reused to encrypt it. It's not that the methods are some secret, it's just that people struggle with a 2-step bat file to decrypt and rebuild, so I can only imagine what would happen if I tried to explain the re-xoring method. I would prefer to let someone automate the process if they can, to save on the headache :D

but anyone who can figure it out, all the info is there and public
 

ground

The xorpads are generated by the 3DS, they are unique to the title, and the same xorpad used to decrypt the content is reused to encrypt it. It's not that the methods are some secret, it's just that people struggle with a 2-step bat file to decrypt and rebuild, so I can only imagine what would happen if I tried to explain the re-xoring method. I would prefer to let someone automate the process if they can, to save on the headache :D

but anyone who can figure it out, all the info is there and public
I know ;) I wasn't pointing to creating xorpads, but just using the existing xorpads to encrypt files. But as I said, I didn't look at it ;)

Edit:
Anyway, I was puzzling with this for a while. But is it possible to decrypt the NAND with this? I looked in the source and I know how to change the keyslots but I don't know how to create a proper .bin file for it.

if we have an xorpad we can mount it with this script:
http://pastebin.com/Nj9n10y8 (written by smealum)
 

Relys

OP
I know ;) I wasn't pointing to creating xorpads, but just using the existing xorpads to encrypt files. But as I said, I didn't look at it ;)

Edit:
Anyway, I was puzzling with this for a while. But is it possible to decrypt the NAND with this? I looked in the source and I know how to change the keyslots but I don't know how to create a proper .bin file for it.

if we have an xorpad we can mount it with this script:
http://pastebin.com/Nj9n10y8 (written by smealum)


To decrypt NAND you'd have to RE the NAND decryption function in the kernel. You need to know:
1) Which keyslot to select.
2) How to calculate keyY (public key)
3) How to calculate ctr (Initialization Vector)
 

kyogre123

They did it with the re-xoring stuff, just a few members figured out how that works....
I still think using PatchRom to rebuild ROMs is the better way... You can even redirect RomFS to the SD....

So is that actually working for roms of retail games?
 

kyogre123

It was updated 10 days ago so I don't think it has the latest update of Applestash. How come nobody has uploaded screenshots of a mod of a game other than the guys who are hacking Pokemon?
 

cracker

I think the biggest reason why not much has happened in way of rebuilding is the need for hashing and patching by hand before rebuilding. I'm not sure if anyone has created a script or program to do that automatically yet but I was thinking about it if I get time.
 

piratesephiroth

I think the biggest reason why not much has happened in way of rebuilding is the need for hashing and patching by hand before rebuilding. I'm not sure if anyone has created a script or program to do that automatically yet but I was thinking about it if I get time.
I'm going to try to mess with Pokemon Y some time so I made a simple tool to edit ncchinfo.bin (to quickly change romfs size for a new xorpad, for example) and I guess I'm going to make batch files for the repacking (or use patchrom to redirect reads to the SD card if I figure out how to do it)
 

piratesephiroth

I was referring to the IVFC header editing to pass the checks.
Well yeah that would be nice if the tool also rebuilt the RomFS separately.
We can only rebuild it through makerom, and it packs it into an NCCH container already.

As it is now it's simpler to make a batch file to rebuild the rom with makerom and then extract the proper romfs.bin with ctrtool. Then generate the new xorpad, xor it and repack it into the rom again.
 

piratesephiroth

So it is not possible to repack a rom with the patchrom tools alone after all...
There's not much explanation in patchrom, only "patching code.bin to redirect romfs access to sdcard".
So I suppose we put the romfs files somewhere on the SD card. No idea if it's romfs.bin, a romfs folder or simply the romfs files on the SD card's root though.
 

gamesquest1

Tbh it's a toss-up between romfs rebuilding and the redirect to SD. I actually haven't gotten the patch rom to work: I had it decrypt the rom, extract the offsets and rebuild the rom, but I'm guessing it needs something more to actually apply the patches.... so I think there is a step 2 that I missed out.

As for re-xoring, I know how to do it, but I did it all manually without rebuilding the romfs etc. I just edited the romfs, fixed the IVFC hashes, re-xored it and copied the romfs back into the original rom, then just fix the romfs hash in the rom.
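
Added example, not part of gamesquest1's post or of any tool named in this thread: a Python illustration of the two points made above, that the xorpad which decrypts content also re-encrypts it, and that edited content fails its hash checks until they are updated. The pad is a constructed stand-in (a real one is generated on the console), SHA-256 over the whole buffer stands in for the IVFC/romfs hashes as an assumption, and all function names are hypothetical.

```python
import hashlib

def constructed_pad(length, seed=b"constructed-demo-pad"):
    """Deterministic stand-in for a xorpad; constructed for this example only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_with_pad(data, pad, pad_offset=0):
    """XOR data with pad[pad_offset:]; the same call decrypts and re-encrypts."""
    if pad_offset < 0 or pad_offset + len(data) > len(pad):
        # Content that grew past the pad needs a new, longer pad.
        raise ValueError("xorpad does not cover the data")
    window = pad[pad_offset:pad_offset + len(data)]
    return bytes(d ^ p for d, p in zip(data, window))

def changed_offsets(a, b):
    """Offsets at which two equal-length buffers differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def demo():
    pad = constructed_pad(64)
    plain = b"HEADER..payload: original text..".ljust(64, b"\0")  # constructed sample
    stored_hash = hashlib.sha256(plain).hexdigest()  # assumed stand-in for the hash checks
    encrypted = xor_with_pad(plain, pad)

    decrypted = xor_with_pad(encrypted, pad)          # XOR is its own inverse
    edited = decrypted.replace(b"original", b"modified")
    re_encrypted = xor_with_pad(edited, pad)          # "re-xoring" with the same pad

    return {
        "round_trip_ok": decrypted == plain,
        # Only the edited bytes change in the encrypted image.
        "ciphertext_diff": changed_offsets(encrypted, re_encrypted),
        "plaintext_diff": changed_offsets(plain, edited),
        # The old hash no longer matches, so the stored hash has to be fixed.
        "hash_still_valid": hashlib.sha256(edited).hexdigest() == stored_hash,
    }

if __name__ == "__main__":
    print(demo())
```

The XOR step gives no integrity protection of its own; the hash checks are what notice an edit, which is why the hash-fixing steps appear in the procedure above.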
 

kaidex

For those of you looking to rebuild the romfs, using the source above is a good place to start; that along with the information in this thread should be enough to repack the romfs. As for romfs generation, I think I am starting to see a pattern with the weird offsets and I will probably look into romfs generation when I am finished coding my tool.

Current update on my tool here is what I have working:
  • RomFS/NCCH/NCSD unpacking and repacking
  • Re-encryption of NCCH using zero keys
  • The ability to decrypt files using the xorpads created by the ctr decryptor
  • Conforms to the same naming format as ctr decryptor
What I have remaining is:

  • Replacing NCCHs in an NCSD without extraction
I am hoping to have it release ready very soon.

If anyone else has any feature requests or any questions please feel free to PM me.

Could you tell me how to fix Romfs hash or repack Romfs?
 

gamesquest1

Edited my post. Is asking anything related, such as decrypting and else, also against the rules?
Well, sharing any copyrighted code is not allowed. The xorpad is kind of part and parcel of the ROM (sort of like a mirror image). If you look around, there have been people sharing bits of extracted ROMs on the internet. Also, if you just wanted to look at something and not any specific game, the bigbluebox pokemon VC games don't need xorpads to be extracted.
 
