Homebrew [Release] GodMode9 Scripts Megathread

D

Deleted User

Guest
This is a continuation of post #135 found here. If you are unfamiliar about this script, please read the previous post before proceeding.

For version 2.0 of Inject and Restore Apps, these updates warrant a dedicated post explaining in detail the benefits, drawbacks, and mechanics behind this revamped script. The script can be downloaded here.

This script now includes:
  • Safety checks to prevent injecting CIA files that are DSiWare, Updates, DLC’s, eShop demos, and too big in size
  • “Stealth” injection to better hide injected titles from Nintendo’s detection
  • Splash screen choice option

As usual, I’ll try to Q&A the role of the skeptical user who insists on grilling me.

Safety checks? Pfff. Who do you think I am?
Someone who deserves some peace of mind. Don’t take what I wrote next the wrong way as I’m not calling into question anyone’s intelligence. If a script (or program) allows you to do something you shouldn’t or didn’t intend to do in the first place, that makes it a bad script, and the blame solely rests on the person who coded it.

With that in mind, this script was created from the onset with as much idiot proofing as possible, but that doesn’t cover the flip side of those safety checks. There is one factor neither you (as the script user) nor I (as the programmer) can ever fully account for: nefarious CIA malware intended to corrupt your 3DS system titles. In the case of CIA files, this is as simple as renaming a file as Game A.cia to Game B.cia . Sounds harmless? Not really.

In the very unlikely but possible scenario that you unsuspectedly download/receive a fake or bad CIA file from somewhere or someone who wishes to harm your prized possession, those safety checks listed above should foil the most basic entries of causing injection mayhem.

System app injection is no joke. Just because something is named with a .cia extension and is image mountable by GodMode9 does not necessarily mean the file in question is injectable or safe to inject to begin with. It basically boils down to this: garbage in, garbage out.

This is probably going off topic from the stated question, but I feel it’s important to mention this.

GM9 scripting has its limitations. This script can’t account for every conceivable bad or harmful injection cases, like seemingly legitimately CIA homebrew re-coded to wreck havoc once installed on your 3DS and that can pass those above sniff tests. As the end user, it is your responsibility to download CIA titles from reputable and trustworthy sources.

And if you don’t believe 3DS malware is a thing, here is the tragic and cautionary tale of the once prodigious dev best known for creating Themely, Erman and his fall from grace in the UnbanMii debacle.

http://malware.wikia.com/wiki/UnbanMii
https://hackinformer.com/2017/07/28/warning-first-3ds-malware-spotted-wild/
https://www.reddit.com/r/3dshacks/comments/6pz1ic/warning_for_anyone_thinking_of_using_unbanmii/

… Bro, you scare me. This inject app script biz sounds bad.
You have every reason to be concern with whichever homebrew you use on your 3DS/2DS. My job here is to help assuage this and answer to the best of my abilities those concerns regarding this script.

The Inject and Restore Apps script is geared towards those who are hitting their 300 titles limit and are looking to utilize homebrew titles in place of those 10 listed Nintendo sys apps. With the “stealth” injection method that’ll later be covered below this post, this type of injection may prove useful for those who favor quickly launching a select few homebrews straight from HOME Menu instead of first booting into Homebrew Launcher.

While there’s nothing technically stopping you from deleting those Nintendo titles using GodMode9 or FBI to free up title count, it has been mentioned elsewhere on this forum that Nintendo is able to detect when those sys apps are missing. Should you connect online with deleted system titles, you can get hit with a ban. The same rule applies for installing CIA homebrews straight onto HOME Menu.

This script allows you to put those “wasted” titles to good use but only if it has determined your shoe-in homebrew titles are deemed safe for injection.

Here are the reasons why certain CIA types cannot or should not be injected:
  1. Fake CIA (renamed from any file) – a real .cia file contains at minimum one .app file (your game). If that’s not present, there’s nothing injectable to begin with. It would be amazing if this could inject Switch ROM dumps, but renaming something like LoZ - BotW.iso to LoZ - BotW.cia doesn’t change the fact it’s not real and won’t work on the 3DS.
  2. Fake CIA (GM9 image mountable, renamed) – 3DS related files like .app, .3ds, .3dsx, etc. can be renamed with the wrong extension moniker. Again, this goes back to reason #1.
  3. Real but corrupted CIA (not intact) – If GM9 can’t read it, this is just as bad as reason #1.
  4. DSiWare – DSiWare CIAs are structured differently than typical CIA dumped from .3ds/.3dsx . Perhaps a DSiWare version of this script is in order for later development if this type of injection can be extended and is determined feasible. Maybe NTR Launcher “stealth” injected into Zelda Four Swords?
  5. Updates & DLCs – These are accessory or appendages to whichever titles they belong to. While some are very similar file structure wise when compared to complete CIA titles, launching them at HOME Menu will throw an exception.
  6. eShop demos – Officially released 3DS titles are injectable but (universally?) incompatible when launched from HOME Menu. In case this incompatibility bug is ever fixed, eShop demos were thrown in because I’m democist. I hate getting teased. Stick to the full copy versions.
  7. CIAs with .app larger than 16 MB – Most homebrews come nowhere near 16 MB. The largest Nintendo sys app is StreetPass Mii Plaza at 15.3 MB for 00000021.app. Your 3DS internal NAND has a capacity of 1 GB. Approximately 600 MB of that NAND is used to house your 3DS operating system. The rest goes to your DSiWare library, photos, game notes, etc. You wouldn’t want to accidentally inject a CIA that is 3.76 GB onto 400 MB, right?
One other noteworthy safety check is that the script does not attempt injection for missing system titles deleted off the 3DS.

You’re not the boss of me. What if I have this killer CIA homebrew I want to inject, but it’s bigger than 16 MB? What then, huh!?
There are two ways to overcome this script’s size safety limiter. The permanent method is to open the script in Notepad, and edit the values for these variables from the beginning.

CIA_SIZE_LIMIT
CIA_SIZE_NUMBER

CIA_SIZE_LIMIT is the byte size of the largest allowable injection written in hex number.
  • 1 MB (megabyte) equals 10242 bytes.
  • 10242 is equal to 1,048,576
  • Add +1 byte to have the limiter triggered for anything over exactly 1 MB.
  • 1,048,577 in decimal is equal to 0x100001 in hex.
  • The 0x is not written in the CIA_SIZE_LIMIT input value. This notation is for denoting it’s a hex number.
  • The CIA_SIZE_NUMBER variable is for error messaging purpose.
Example
Set CIA_SIZE_LIMIT “100001”
Set CIA_SIZE_NUMBER “1 MB”

To obtain your converted hex number, you use a decimal to hex converter.
https://www.rapidtables.com/convert/number/decimal-to-hex.html

So the formula is: ( # of MB ) x 1024 x 1024 + 1 = decimal numbers
Convert the decimal numbers to hex numbers using the calculator like the one above.

Here are some other provided values for raising the limiter if you’re not comfortable calculating the hex numbers.

Set CIA_SIZE_LIMIT “2000001”
Set CIA_SIZE_NUMBER “32 MB”

Set CIA_SIZE_LIMIT “4000001”
Set CIA_SIZE_NUMBER “64 MB”

Set CIA_SIZE_LIMIT “8000001”
Set CIA_SIZE_NUMBER “128 MB”

The second method of overcoming the default 16 MB safety limiter is by user discretion. Right after selecting a CIA for injection, quickly press and hold the B button for a few seconds. This will skip the warning message that the file is too big, override the limiter, and continue injection.

Due to limitations of GM9 script, there is no way to patch out this bug without negatively affecting the user experience. The alternative would have been error nags every time you elect to inject. Although not intended this way, you may treat this is a feature in case the first method is too cumbersome. Just keep in mind of the physical 1 GB NAND when employing method two.

What is this “stealth” injection you speak of? Why the quotation marks? Is it or is it not stealth?
Before I start referring to this subject without those quotations, we need to be clear about several points.
  1. Nintendo does not differentiate the difference between homebrew and piracy. The company treats the two as one and the same.
  2. Nintendo can and will ban your 3DS if they detect there is non-licensed installed software on your handheld system.
  3. Except for Nintendo itself, no person can claim knowing the exact extent of Nintendo’s homebrew detection capabilities. We only have theories and speculations. Nothing more.
  4. Also, anyone claiming to have a sure proof method of avoiding said detection is either lying or needs to come spill the beans in how, ASAP. We the community would greatly appreciate that you share and demonstrate a working proof of concept.
  5. Homebrewers have to assume the possibility it is not a matter of if but when they’ll get banned. Any of us who has ever hacked their 3DS/2DS and went online may have already been marked for a future ban. If you’re still able to use Nintendo’s online services despite having CFW, assume that your system is living on borrowed time staying ban-free by Nintendo’s own discretion.
With that said, “stealth” injection is a bit of a misnomer. Stealth(ier) is arguable a better term that describes it. “Stealth” is meant to denote the intended purpose of said injection method but does not necessarily mean it actually achieves that purpose. I don’t want to mislead you as the reader, so any pretenses that this type of injection will completely disguise your injected titles from Nintendo’s watchful eyes should be dropped. Okay? Thanks. *Quotation marks will now be removed from here on out.

Get to the point already! What the hell is stealth injection?
Stealth injection is an advancement of GM9’s original method of H&S injection. Its function is to attempt passing off your homebrew title as the “real thing”. Stealth incorporates certain identifier data from the ncch.bin [NCCH0 header], extheader.bin [extended header], and icon [title meta info] files. When a homebrew title gets stealth injected, that title is given the identity of its container system title.

Whenever you launch a title from HOME Menu and stay connected to the Internet, it is believed Nintendo has the ability to search up and track what title you last played. This is speculation from my part, but I believe the biggest dead giveaway in how Nintendo knows this is due mostly in part from those identifier data in those files.

Observe by injecting FBI using GM9’s built-in H&S injector. I recommend having WiFi turned off beforehand and Cthulhu at the ready for cache clearing if you intend to verify this.

Launch your injected FBI and do a Titles lookup for where Health & Safety should be. Notice anything amiss?

Title_FBI_vs_H_S.png

Left: FBI (normal) injected in H&S as-is. Right: Health & Safety without injection in place. System titles are highlighted red. On the left, H&S is missing due to FBI’s occupation.

Let’s see another effect of FBI injected in H&S. I’m sure some of you out there are familiar with this one. Turn off the 3DS, remove the SD card, turn the 3DS on, and check where injected FBI is located on HOME Menu. Do not launch FBI.

HOME_Menu_FBI.png

Left: FBI (normal) injected in H&S without SD card. Right: FBI injected in H&S when shared icon cache is synced correctly between SD card and NAND.

If you ever had FBI icon stuck in place of H&S and needed Cthulhu to fix this issue, this is why. Your HOME Menu icon cache updated to FBI’s icon on both SD card and NAND.

This same phenomena appears when injecting into other system titles using prior versions of the script. Here is freeShop injected in Nintendo eShop:

HOME_Menu_fre_e_Shop.png


Title_fre_e_Shop.png


e_Manual_fre_e_Shop.png


As the old saying goes about looking and quacking like a duck, stealth injection might be enough to masquerade something like freeShop to its official namesake counterpart. This all depends if Nintendo does not look past this as an initial telemetric call back.

What exactly happens to my titles when injecting? I don’t want any funny business going on when using your script. No bueno if not explained in details.
This Q&A wasn’t meant to be an introductory crash course studying the structure of CIA-related title/game files, but here we are. For the general user, I suppose it helps to not only know what this script does but how it does it. Let’s peel back some layers off the onion we know as a CIA file. We will primarily focus on its .app file; there are other files within the CIA like the ticket, certificate, secondary .app (e-manual), etc., but those are not of relevance to this script. The .app of interest will be the primary or game/title one.

Take a moment to study and familiarize yourself with this diagram. When decompiled and cross compared with a hex viewer, the .app file is an archive that contains those constituents “stacked” or place in that order.
App_file_Abstract.png


Brief Description of Each File
  • ncch.bin (HeaderNCCH0.bin, Nintendo Content Container Header) – When launching a title, this file instructs the 3DS system the basic layout, locations, and sizes of the other files. Size: 512 bytes.
  • extheader.bin (ExHeader.bin, Extended Header) – This instructs the 3DS what sort of system and access controls the title requires. Size: 2 KB (2048 bytes).
  • logo.bin (LogoLZ.bin, logo) – This is the splash screen you see after launching a title while it loads. The file may either be located after the extended header, contained within ExeFS.bin, or sometimes in both locations. Size: 8 KB (8192 bytes).
  • plain.bin (PlainRGN.bin) – I’m not entirely sure of this file’s purpose. My best guess is that this instructs the 3DS the minimum version update for the title to work. Newer CIA titles seem to lack it. Size: 512 bytes.
  • ExeFS.bin (Executable File System) – An archive that contains several key files (explained more later). Size: varies by title.
  • RomFS.bin (Read-only memory File System) – An archive that contains anything ranging from images, sounds, graphics, texts, etc. Size: varies by title.

Under the ExeFS umbrella
  • HeaderExeFS.bin (ExeFS Header) – A header file that tells the sizes and locations of the other files within ExeFS. Size: 512 bytes.
  • .code – The heart and soul of your title or game. Size: varies.
  • banner – What you see in the top screen at HOME Menu when hovering over your title. In the case of FBI, that’s the spinning blue and white cube. Size: varies.
  • icon – Contains information about the title’s name, publisher, and icon. Size: 13.6 KB (14,016 bytes).
  • logo – Refer to logo.bin from above.

Next, look at the close-up hex view of the Nintendo eShop NCCH header and its data field. You’ll need this to follow what gets injected when making freeShop into freeShop.

NCCH_e_Shop.png


Unlike the previous method, stealth injection employs carrying over anything that could, from eShop. Essential items are left only or modified at the bare minimum to keep freeShop portion working as intended.

NCCH_fre_e_Shop.png


Similar changes are made in the first 1024 bytes of extheader.bin. For Application Title (in case this is read off), eShop’s internal codename is “tiger”. The Program ID is matched to keep freeShop from throwing ARM9 crashes.

Lastly, icon and its hash gets swapped in ExeFS and HeaderExeFS.

And that’s it. That’s the secret behind stealth injection. If you wish to audit the script and verify that it does indeed do what I said it does, you’re free to examine the source code at my GitHub page here.

What is the splash screen option? How do I use it?
The splash screen option allows you to inject either the homebrew or Nintendo logo. This component is not believed to contribute to stealth. It’s a personal preference feature if you like switching to the Nintendo splash. The script’s startup default is homebrew. To change the splash screen you wish to inject, press the B button during your system title’s menu choices.

Splash_FBI.png


Splash_fre_e_Shop.png


What the crap? I’ve used older versions of this script. Injection is slow as shiet now. Also, why is the script’s file size so much bigger than v1.9?
These are the sore points of this script… Stealth injection requires reading hex offsets from HeaderExeFS. Without those addresses, injection wouldn’t be possible in modifying and rebuilding the ExeFS container. GM9 script (v1.6.1) can’t directly copy hex values from a file and use them in variables. The only way to get around this hurdle is by converting a hex number into a SHA-256 hash value and then reconverting it back with a hash-to-hex lookup table. Most of the increase in file size is because of that table housing all 256 possible hex numbers from 00 to FF.

Version 1.9, file size = 16.3 KB
Version 2.0, file size = 53.2 KB

Up to 12 individual hex numbers, 4 numbers for each file, are retrieved when injecting banner, icon, and/or logo. As for .code, that’s a freebie because its offset is always 0.

You’ll notice the injection start to finish run time has sharply increased.

Example
Version 1.9, FBI injected in H&S = 6 sec
Version 2.0, FBI injected in H&S = 58 sec

While I would like to improve this script’s speed performance and reduce the file size to something more reasonable in a version 2.1 update, we’ll have to wait first until GM9 script offers a ‘hexget’ command before that happens.

You’ve said too much. -But, anything left to add?
Practice safe injection. Word of advice, don’t pick up programming if you don’t have to. That stuff should be placed in the schedule 1 drug list. It’ll hurt your brains real good, kids.

I think that we all need to give this man a round of applause. Not only for the countless hours it must have taken him to discover and verify all of this, but because of how long it must have taken him to type and format this entire post all for the purpose of infroming us to practice safe injecting, among a lot of other things. Also, you should probably add a TL;DR.
 
Joined
Jan 1, 2018
Messages
7,292
Trophies
2
XP
5,868
Country
United States
I think that we all need to give this man a round of applause. Not only for the countless hours it must have taken him to discover and verify all of this, but because of how long it must have taken him to type and format this entire post all for the purpose of infroming us to practice safe injecting, among a lot of other things. Also, you should probably add a TL;DR.

I'm on it. Still editing the post as I go.
 
Joined
Jan 1, 2018
Messages
7,292
Trophies
2
XP
5,868
Country
United States
Re-posted as it'll probably make its way here. I'll pass due to lack of title key expertise.

https://github.com/d0k3/GodMode9/issues/342
trainboy2019 said:
Could the ability to extract enctitlekey.bin from ticket.db with a script be implemented? It was a really helpful feature of d9. And it doesn't seem like it would be too hard to implement, considering this can be done manually.
 

d0k3

3DS Homebrew Legend
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,861
Country
Germany
Something else entirely - as a lot of ou may have noticed, GM9 scripting is in some dire need for proper documentation. I think a Wiki may be a good way to solve this, so I set up this GitHub issue to discuss the further course of action. Maybe some of you guys are willing to help me with that. To be honest, you guys do actually know more about the scripting quirks than me :D.
 
  • Like
Reactions: 8BitWonder
Joined
Jan 1, 2018
Messages
7,292
Trophies
2
XP
5,868
Country
United States
Homebrew Checker

Credit goes to:
  • @d0k3 - For fulfilling my very niche command request. And to boot, he did it in a really quick too quick neck breaking pace, workaround time frame creating them. I wanted this, but now the keyboard bacons (yes, food bacon) for moAr GM9 scripts. Argrghgugghh!! :cry:
  • TitleDB.com - For the supplied information
... What is it this time? This better be good.
Presenting a script no one was asking for in the first place and probably almost no one needs or wants either:
  • Homebrew Checker.gm9
This script was written to test and validate two new gm9 script commands, fget and fset, in the guise of checking your CIA files against a homebrew database.

If your selected CIA file is a known homebrew title, you get output information about its Name, Description, Author, Title ID, and Product ID. If it's not a known homebrew title, you're either warned what kind of CIA file it is, or that the selected title is unknown if it's a legitimate game/title-type CIA.

You wrote this just to mess around with two commands? KISS, learn it.
Sometimes the easy way is great if you're in a pinch. This was created as a means to be creative in testing out those new commands as normal testing procedures, IMO, can be a real chore. I wanted to put them to real practice while cooking up a script that might be useful to some 3DS users.

And if that wasn't thorough or stringent enough for controlling testing variables, a second test script was eventually written in making sure fget and fset weren't doing anything they weren't suppose to. You can find that other one over at GM9 GitHub here (look for fget_fset_debug.zip), which is better in studying how these new commands work.

Lastly, the real tertiary reason I wrote this is, you guessed it, for another gm9 script. Details of why this script was created can be read starting at post #992 here.

Hey! Your script is broken. This doesn't work on GodMode9 v1.6.3.
Stable v1.6.3 release don't have fget and fset command. You'll need the latest nightly found here. There's a good chance the official debut of these two commands will find their way in the v1.6.4 release.
 

Attachments

  • Homebrew Checker.zip
    10.4 KB · Views: 188
  • Like
Reactions: d0k3

twithtots

New Member
Newbie
Joined
Jul 27, 2018
Messages
1
Trophies
0
Age
40
XP
38
Country
United States
I've scoured this post ... hopefully all of it as best that I can ... and haven't been able to see an answer. Is there a script to dump all installed SD titles at once to CIA's? Or are we stuck having to do them one at a time? I'm very sorry if I missed this in the thread here.

Thanks!
 
Joined
Jan 1, 2018
Messages
7,292
Trophies
2
XP
5,868
Country
United States
I've scoured this post ... hopefully all of it as best that I can ... and haven't been able to see an answer. Is there a script to dump all installed SD titles at once to CIA's? Or are we stuck having to do them one at a time? I'm very sorry if I missed this in the thread here.

Thanks!

Oh, you sweet summer child. Lol.

Hold the L-shoulder button and highlight select everything in yellow to do mass CIA building.
 
Joined
Jan 1, 2018
Messages
7,292
Trophies
2
XP
5,868
Country
United States
Leaving this here since I haven't figured out if GodMode9 already has a built-in feature that does this or if an automated method is feasible in coding.

For anyone who wants to tackles writing a GM9 script that batch converts RAW Villain3DS downloads into CIA.

There's a way to convert a single title with an output name as tmd.cia

I'm not quite sure how to go about outputting multiple titles with unique names.

Example
Folder with Title ID 0004008c001bc600 outputs in gm9/out as 0004008c001bc600.cia

****

I'm sitting out on this one due to a backlog of projects. Have fun with it!

Edit - This script would be really niche because of the end of CDN downloaders and rarity of raw precursor CIA files. Probably not a long term usage of a gm9 script.
 
Last edited by TurdPooCharger,
CTRTransfer (Type D9) Script - TurdPooCharger
Joined
Jan 1, 2018
Messages
7,292
Trophies
2
XP
5,868
Country
United States

(Type D9) Main Menu [updated].png

CTRTransfer (Type D9)

Credit goes to:
  • @d0k3 - The CTRTransfer from both GodMode9 and Decrypt9WIP are the foundations that this script is built upon.
  • @Quantumcat - Helped saved the day solving someone's terribly softbricked o2DS with the power of Decrypt9.
    • This led to learning firsthand what those differences are between the two programs in how they perform it.
    • She also shared the title id for Nintendo 3DS Camera for AUS region.
  • @AnalogMan - His Lazarus3DS and related NAND gm9 scripts are major influences in understanding key aspects about 3DS firmware recovery.
  • @Namesnipe - Shared the neat knowledge that individual tickets can be backed up from the ticket.db.
  • @CodyWGamer - Showcased that the [S:] SYSNAND VIRTUAL isn't something to be trifled with if one does not treat that drive with caution and care.
  • @KleinesSinchen - Demonstrated and verified that the twln.bin and twlp.bin partitions can be super bricked.
    • This interesting knowledge was the final piece of the puzzle in making this script possible by showing that parts of the NAND are manually reflashable (perhaps too easily).
  • @botik (BpyH64) - Found a way to quickly install 3DS titles using dummy CIAs. I borrowed his idea from the .cmd CMACs research.
  • @zoogie - The research data for the Bypass Profile Setup was borrowed from 2DSaver.
  • @aspargas2 - Added DISA/DIFF handling in GM9 v1.9.0, which makes it possible to edit (sys/ext)data files.
  • @Aurora Wright - Luma3DS.
  • @SciresM - Boot9strap and perfect retail NAND NCSD header signature.
  • And many partners in crime busting all sorts of 3DS bricks and issues. While we can't fix them all, we sure as hell do solve a lot of 'em.

Release Page

Table of Contents


What is this?
Here's a detailed crash course about this subject.
TL;DR - Basically, CTRTransfer is like a universal SysNAND image used for recovering from softbricks and region changing the firmware.
If you're familiar with computer operating systems, this is similar to Windows Recovery and Mac Time Machine.

***

This is a gm9 script for performing a variation of Decrypt9 CTRTransfer. Homebrew 3DS users are likely to be more familiar with standard or (built-in) GodMode9 CTRTransfer. While both types are used for repairing or region changing the 3DS firmware, there are stark differences in how they go about changing or correcting the CTRNAND.

Decrypt9 Method
  • A few console unique files such as the movable.sed, configsave.bin, LocalFriendCodeSeed_B, and SecureInfo_A/B are first extracted from the CTRNAND drive. Afterwards, Decrypt9 (the program) flashes the entire raw donor CTRNAND *.bin image file onto the CTRNAND partition. Those backed up files are moved back in the drive to their respective locations and CMAC hash corrections are done throughout such as for the *.db datebase files and user's extdata + sysdata.
GodMode9 Method
  • GodMode9 (the program) selectively replaces only the title folder and *.db files. This is to surgically fix the broken system apps while keeping the rest of the user's personal and console unique files intact. Once these folders and files are replaced as needed, this is followed by CMAC hash corrections for those *.db files.
To put this into a comparable life analogy of the two, GM9 CTRTransfer is like replacing worn houseware parts, patching holes for stone walls to a structurally sound but very old house, and renovating its dainty decorations, flooring, and walls. D9 CTRTransfer is like removing your furnishings and personal belongs out of the house, knocking that house down because it's deemed too decrepit, building a replica in its place, and then moving as much of your stuff back in, assuming you haven't forgotten leaving behind anything before the teardown.

GodMode9 is the safer and less intrusive of the two while fixing most general softbricks. Although Decrypt9 is arguably more effective at dealing with severe softbricks, the older app's implementation fails to back up and restore crucial files such as hardware calibration HWCAL0.dat and HWCAL1.dat, personal legit tickets, and [seed|nag|friend|nnid|etc.]save.bin.

With those differences in mind, this script was created with the goal of combining the Decrypt9 approach of flashing a clean slate CTRNAND drive while also maintaining as much of the user's original setup like that of GodMode9.

[Table of Contents]


Bricks that this can fix.
  1. Files and folders that are partially or fully deleted off the [1:] SYSNAND CTRNAND.
    • For whatever reason, the 3DS or 2DS system you have had its setup accidentally erased. Perhaps you bought/received yours prehacked from a previous owner who was neglectful. As long as something called the essential.exefs is present and has not been tampered with, it's possible to create a fresh firmware setup.
    • Empty CTRNAND.png
  2. The [1:] SYSNAND CTRNAND is missing.
    • Let's imagine you experienced a catastrophic softbrick which required remedying the issue by restoring the SysNAND with a personal image backup. However, luck would have it that the one and only SysNAND *.bin image you kept was trashed by an unknowingly fake SD card. To add further insult to injury, during your restoration of the corrupted image, your system has a very old and untrustworthy battery that dies on you during mid-restore. This incident bricks the CTRNAND partition where GodMode9 doesn't even acknowledge the presence of the drive. Again, this is recoverable so long as the essential.exefs is present and hasn't been tampered with.
    • Missing CTRNAND.png
  3. Strange '?' files that are stubbornly stuck in CTRNAND or cannot be deleted/replaced by conventional means.
    • Despite H2testw checking the SD card for issues, updating the custom firmware & 3DS firmware, and troubleshooting for any and all hardware issues, your system has unexplainable boot issues, poor GUI functionality, or random crashes. You (surprise, surprise!) don't have the benefit of a clean, backed up SysNAND *.bin image to recovery from. Attempts at using standard CTRTransfer are not providing favorable results. You may very well have a broken file allocation table at hand. If those damaged files are limited to replaceable or non-unique items, this script will try maintaining anything that's salvageable.
    • 2DS softlocks or crashes when trying to launch anything from the home menu [post #84]
    • 2ds_5-jpg.149838
  4. The system turns on with Blue Screens of Death.
    • The nand header (nand_hdr.bin), TWL partition table (twlmbr.bin), [New 3DS only] secret sector (sector0x96.bin), and/or bootloaders (firm0.bin & firm1.bin) were corrupted from careless firmware modding, A9LH downgrade softbrick, or Gateway3DS malicious brickcode running a firmware newer than 11.2. In order to bypass the bootrom 8046 and launch GodMode9, an ntrboot flashcart would be required such as the R4i Gold 3DS Plus (recommended) or R4iSDHC series (shitty timebomb).
    • :!: This cannot fix hardware based BSoD where the nand chip is fried from a failed hardmod or physically damaged by other means such as spilled water.
    • bootrom_8046.png
  5. [New 3DS only] Franken firmware due to 2.1.0 downgrade from older A9LH guide followed by newer (2xrsa) B9S guide.
[Table of Contents]


Safety Features & Process Overview
This script...
  1. Checks against itself if GodMode9 is a recent enough version that's capable of using these script functions:
    • Code:
      fget
      fset
  2. Automatically updates the sdmc:/luma/payloads/GodMode9.firm if an older version is found running. Reboots the GM9 session.
  3. Determines if the system in question can be identified as either "retail" vs "devkit" and "Old" or "New" before proceeding.
  4. Exits out much earlier and mentions if CTRNAND images are missing at the specified input directory.
    • Update March-21-2019: Version 1.1 allows you to continue using the script with a reminder instead of a hard exit.
  5. Force fixes the nand_hdr.bin, twlmbr.bin, sector0x96.bin, firm0.bin, and firm1.bin if a bootrom 8046 softbrick is detected.
  6. Asks upfront for write permissions to work in the [1:] SYSNAND CTRNAND and [S:] SYSNAND VIRTUAL/ctrnand_full.bin.
  7. Looks for the accompanying *.sha file that's goes with the CTRNAND *.bin image.
  8. Verifies that the *.sha file is of the correct size and acceptable region code.
  9. Spot checks two offsets to determine whether the CTRNAND image is the correct FULL kind versus FAT/unknown.
  10. Rejects the selected CTRNAND image if it's meant for the other system type (O3DS vs N3DS).
  11. Measures the CTRNAND image size to make sure it's the correct exact size for the system type.
  12. Measures the size of S:/ctrnand_full.bin to see if it's the expected partition size.
  13. Mounts the CTRNAND image to check that it is an intact image.
  14. Writes a 1 GB dummy file onto the SD card and then deletes it so that there's enough free space to work with.
  15. Compares CTRNAND image hash against its *.sha file.
  16. Backs-up the user's entire CTRNAND setup, except for the title folder.
  17. Flashes the CTRNAND image to S:/ctrnand_full.bin without the option to cancel.
  18. Backs-up the system tickets from the donor CTRNAND image.
    • This is done to keep the user's original ticket.db in place with the private legit eShop tickets intact.
    • The console's original system tickets are also dumped on top of the donor system tickets for further preservation.
  19. Deletes the donor's essential files in preparation of cleanly restoring the user's setup.
  20. Restores the user's setup back to the CTRNAND drive, except for certain *.db files.
  21. Image mounts the backup essential.exefs and restores any of these five if missing.
    • LocalFriendCodeSeed_B, HWCAL0.dat, HWCAL1.dat, movable.sed, SecureInfo_A
  22. Examines the SecureInfo_A|B against the *.sha file if region changing is undertaken.
  23. If region changing is intended, defaults _A, creates & edits _B and copies _B to _C.
    • A - original, B - region edited (for Recovery Mode), C - a copy of B (for HOME Menu)
  24. Fixes the entire 1:/ drive's CMACs.
  25. Fixes the S:/twlmbr.bin partition table if required.
  26. Backs-up the DSiWare titles as CIAs and save files. Backs-up TWL system titles into legit CIAs if they're salvageable.
    • CTRTransfer makes TWLN titles forgotten due to changing out the title.db.
  27. Rebuilds the S:/twln.bin partition; reformat the [2:] SYSAND TWLN(AND) drive.
    • Console unique TWL nand files such as inspect.log(~), product.log(~), sysmenu.log, TWLFontTable.dat, opera.ini, and 0000 are retained.
    • If the 2:/shared2/0000 (soundsave.bin) is missing, generate a new copy.
  28. Rebuilds the S:/twlp.bin partition; reformat the [3:] SYSNAND TWLP(HOTO) drive.
    • The photo folder with *.JPG images are retained and restored if present.
    • If the 3:/photo/private/ds/app/484E494A/pit.bin is missing, generate a new copy.
  29. Installs or updates CTRNAND Luma3DS if 1:/boot.firm is missing or older than v9.1.
    • CTRNAND Luma3DS v10, v10.0.1, or newer that is in place will not be downgraded.
  30. Updates CTRNAND GodMode9 if 1:/rw/luma/payloads/GodMode9.firm is older than v1.9.1.
    • CTRNAND GodMode9 will not be installed if it is missing.
  31. New 3DS series only: Fixes the S:/sector0x96.bin if required.
    • Note: This script does not contain copyright material or a raw copy of the secret_sector.bin.
    • To compare and hex review the script, the secret_sector file is found at A9LH to B9S.
  32. Installs or updates boot9strap on both S:/firm0.bin and firm1.bin partitions if older than v1.3.
    • Note: Any other installed bootloaders such as fastboot3DS will be automatically replaced.
  33. Asks to Rosalina menu inject Homebrew Launcher to Nintendo 3DS Camera.
[Table of Contents]


Instructions

3ds-hacks-guide-languages-png.260287


If you do not understand English or it is not your main language...

[ Español | Deutsch | Français | Italiano | Português | Nederlands | Dansk | Svenska | Norsk | 한국어 | 简体中文 | 繁體中文 | 日本語 | Tiếng Việt | ภาษาไทย | Filipino | हिन्दी | اُردُو‎ | اَلْعَرَبِيَّةُ | Türkçe | עִבְרִית | Ελληνικά | Русский | Polski | Magyar | Română | Suomi ]
___

○ [ bold = folder | Courier New = file | sdmc:/ = root of the SD card | underlined = hyperlink ]
51u6GcECVKL._AC_SX679_.jpg


Cam the Cat, from Squishmallows.
  1. Copy everything off your SD card over to a computer.
    • Recommended: If you have another SD card, preferably small sized (minimum 4 GB), use that spare one instead of your main card.
  2. Reformat the card in [ FAT32 format | 32 KB cluster size | Primary partition | MBR disk ] settings with Windows File Explorer, guiformat if bigger than 32 GB, or MiniTool Partition Wizard (free edition).
  3. Test the SD card for hardware problems; full Write + Verify the empty card with H2testw (Windows), F3 (Linux), F3X (Mac), or SD Insight (Android / Chrome OS).
    • :!: A fake or faulty SD card will cause a secondary brick where the user's setup is permanently corrupted when backed up.
    • h2testw_menu-png.210567
  4. [GOOD] If the result comes back clean, delete the *.h2w test files and go to step 5. [BAD] If a problem was reported, replace the card and go back to step 1.
    • [GOOD] - Test finished without errors.
    • [BAD] - The media is likely to be defective.
    • h2testw_results-png.210862
  5. Either move back your main setup or create a temporary test setup.
    • (1) Your setup must have GodMode9, the 3DSX versions of FBI, faketik, and Cthulhu, Homebrew Launcher, and Luma3DS.
    • (2) Extract files from [ .7z | .rar | .zip ] archives with 7-Zip or WinRAR.
    • (3) Download Links: GodMode9 , FBI , faketik , Cthulhu , new-hbmenu , Luma3DS
      • sdmc:/
        • 3ds/
          • Cthulhu.3dsx
          • faketik.3dsx
          • FBI.3dsx
        • gm9/
          • scripts/
            • GM9Megascript.gm9
            • NANDManager.gm9
        • luma/
          • payloads/
            • GodMode9.firm
        • boot.3dsx
        • boot.firm
    • (4) Here is an optional CFW starter kit for reference and convenience.
    • (5) The script requires a minimum 1 GB of free space.
  6. Put the CTRTransfer files of choice at:
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin.sha
    • [ X = region | x = series ] The images are found at [3ds.hacks.guide] CTRTransfer.
  7. Put the script at:
    • sdmc:/gm9/scripts/CTRTransfer (Type D9).gm9
    • Download here.
  8. Insert the SD card to the 3DS system. Press (POWER) → quickly press and hold (START) → Luma3DS chainloaderGodMode9.
    • Even if the firmware is bricked, backup the SysNAND.
    • This will serve as an extra safety precaution in case firmware recovery is not successful, or the script crashes midrun.
  9. GodMode9 → (HOME) button → Scripts...CTRTransfer (Type D9)CTRTransfer.
    • The rest of the script will be self-explanatory.
  10. During script run, :!: do not press and hold the (B) button when the DSiWare games are being dumped and especially for the system tickets.
    • These are the two sections I could not idiot proof. If you try to cancel building a DSiWare CIA, it'll ask you to try again with the choice to cancel. For the system tickets, the script will fail to completely mount ticket.db.
  11. Exit the script, and press (POWER) → Poweroff system. Turn the system back on, and hold the (SELECT) button to access Luma3DS v#.# configuration. Use these exact settings. Press (START) to save and exit. The system should boot to HOME Menu.
    • luma3ds_v10-2-1-png.244316
    • Note: In the off chance the 3DS fails to boot HOME Menu with the below (or similar) error, fixing this requires manually finding and deleting the (ext/sys)data subfolder that is causing the hang-up: Debugging "gamecoin"-type brick
    • Message No. 1 said:
      An exception occurred
      Processor: ARM11 (core 0)
      Exception type: prefetch abort (svcBreak)
      Fault status: Debug event
      Current process: menu (000400300000XX02)
    • XX02 = [ JPN: 8202 | USA: 8F02 | EUR: 9802 | CHN: A102 | KOR: A902 | TWN: B102 ]
    • Message No. 2 said:
      An error occurred (ErrDisp)
      Error type: generic
      Process ID: 67115840
      Address: 0x00000cea
      Error code: 0x000000ce
      Press any button to reboot.
    • Message No. 3 said:
      An exception occurred
      Processor: Arm11 (Core 1)
      Exception type: Prefetch abort (svcBreak)
      Fault status: Debug event
      Current process: fs (0000000000000000)
  12. Open the Nintendo 3DS Camera to access Homebrew Launcher. If region changing the 3DS firmware and there are no system titles shown in HOME Menu, press the { (L)-shoulder + (R)-shoulder } button combo to launch the camera applet → Nintendo 3DS Camera Homebrew Launcher.
    • Inject HBL to Camera (updated).png
    • Note: If you have a [ o3DS | o3DSXL | o2DS ] and it gets stuck with black screens, press the { (L)-shoulder + (DOWN) d-pad + (SELECT) } button combo to open Rosalina menuReboot. This should restart the system and open Homebrew Launcher.
    • Note: If the shoulder buttons and/or cameras are broken, rerun the Inject HBL to Camera with an inserted 3DS game cartridge.
    • inject-hbl-to-game-cart-png.203620
  13. Install the system tickets and DSiWare CIAs with FBI. Restore missing tickets for nonlegit titles with faketik. If you have a lot of games, mass unwrap them all with Cthulhu.
    • homebrew apps.png
    • Install_system_legit_tickets.png
      Install_DSiWare_CIAs.png
      • The tickets and CIAs folders are named in the following formats found at sdmc:/gm9/out/
        • <date>_<serial>_dsiware_000
        • <date>_<serial>_system tickets_(<region>)_000
      • :!: See the FBI errors 0xD8E08066, 0xD8E0806C, and 0xD8E0806A section found below if the tickets or CIAs fail to install.
    • restore_nonlegit_titles_tickets-png.210822
    • Unwrap_HOME_Menu_icons.png
  14. Update to the latest firmware version in System SettingsOther SettingsSystem Update.
    • :!: The system legit tickets from step 13 must be installed. Fake or missing system tickets will prevent the firmware from updating.
    • :!: Do not update via Recovery Mode. This can lead to a mismatch between what's installed in the title folder and database files: title.db, import.db, ticket.db.
  15. Go back to the script to restore the DSiWare saves.
    • GodMode9 → (HOME) button → Scripts...CTRTransfer (Type D9)DSiWare CIAs & SavesRestore Saves → choose the 'dsiware' folder.
    • Note: If you don't play or have DSiWare games to begin with, there are no saves to restore. Continue with the next step.
  16. See if the DSiWare games launch with their saves restored. Check if DS(i) mode is broken. You may need to follow up with:
    • [3ds.hacks.guide] DSi / DS functionality is broken after completing the guide
    • For firmware 11.13.0-45, look in FBI → Titles. The TWL_FIRM should be:
      • 0004013800000102
        • Old_3DS TWL_FIRM
        • Version: 10864 (10.39.0)
        • Product Code: CTR-P-CTAP
      • 0004013820000102
        • New_3DS TWL_FIRM
        • Version: 10962 (10.45.2)
        • Product Code: CTR-P-CTAP
    • If the TWL_FIRM was found to be outdated, try again in updating the firmware in System Settings even if it is already on 11.13.
    • Replacement CIAs of the other four (4) TWL system titles can be obtained at https://quantumcat1.github.io/troubleshooting.
      • 00048005484E4441
        • DS Download Play
        • Version: 1024 (1.0.0)
        • Product Code: dlplay
      • 0004800542383841
        • Nintendo DSi™
        • Version: 2048 (2.0.0)
        • Product Code: DS INTERNET
      • 0004800F484E4841
        • Nintendo DS Cart Whitelist
        • Version: 11264 (11.0.0)
        • Product Code: <blank>
      • 0004800F484E4C41
        • TWL Version Data
        • Version: 0 (0.0.0)
        • Product Code: <blank>
    • Note: A log report is created for DSiWare games that fail to get converted into CIAs. Find replacement CIAs based on the TitleID list.
Conditional: This last step depends if the [2:] SYSNAND TWLN was found to be missing console unique files.

17. Image mount the twlnand.bin and run a data recovery to retrieve lost or deleted files listed in the twlnand_missing_files.txt.
  • Option (A) OSFMount + Recuva
  • Option (B) IsoBuster
  • sdmc:/gm9/out/<date>_<serial>_dsiware_000/TWL backup/twlnand.bin
  • sdmc:/gm9/out/<date>_<serial>_dsiware_000/TWL backup/twlnand_missing_files.txt
  • twlnand_missing_files.png
  • OSFMount + Recuva -or- IsoBuster.png
  • Certain DSiWare games will refuse to work if the TWLFontTable.dat is missing. When launched without this file, the game gets stuck at white screens. Because this is a copyright material, this is also up to the end user to find the file on their own. The TWLFontTable.dat is the same for every 3DS and DSi system with the following size/hash(es).

    • Size: 863296 bytes | 843 KB | 0xD2C40 bytes
    • CRC32: F1953B32
    • SHA256: 2833D4BBA599D5559E482C735F24682CCD44C375BA2940D1206CE85B7A0DD7E4
    • MD5: EE83C579E9E69F94CC8317BD66533A36
  • missing-twlfonttable-dat-png.175091
[Table of Contents]


FBI errors 0xD8E08066, 0xD8E0806C, and 0xD8E0806A
  • 0xD8E08066 - The system tickets may fail to install due to something called the certs.db (certificates). Your setup at one point either corrupted it or erased & regenerated that file with a dummy nonfunctional copy. A replacement copy borrowed from the CTRTransfer image would then be required. The script can replace that file if you come across this issue. Do not use this option if the problem doesn't exist; certs.db is partially involved with transiting 3DS online play.
    • Failed to install ticket.png
  • 0xD8E0806C - The backed up DSiWare titles may fail to install. This is likely to occur if the CTRTransfer was used to region change the firmware. To fix this, install a different DSiWare *.cia file that's not from that backed up set. I have no clue why this hiccup occurs...
  • 0xD8E0806A - The backed up DSiWare legit game titles may fail to install. To fix this, either redownload these previously purchased games from Nintendo eShop or convert the dumped legit CIAs into standard CIAs.
    • Failed to install legit cia.png
    • DSiWare CIAs & SavesConvert CIAs (legit to standard)
    • Install the files in '3. cias (converted)' first followed by '5. tickets (legit)' to retain your private legit dsiware tickets.
[Table of Contents]


Additional Features

Finding and restoring the KeyY.

If you have the Nintendo 3DS folder backed up from a previous profile that was removed from (1) Format System Memory and (2) NOT involved in a System Transfer, this script can brute force up to 256 iterations finding the lost KeyY in the movable.sed linked to a specific <ID0> subfolder. To read more how this works,
Assuming the rest of the KeyY string is correct, finding the 0x118 hex counter that matches the target <ID0> can take up to 1.5 hour to complete or as little as 1 minute. This depends on the search order (this script looks backwards, ex: 03 → 02) versus value of the "correct" hex counter relative to the starting search value (ex, "correct" value is 04 but script is looking backwards, which will take a long time to find and calculate).

Update March-21-2019:
Version 1.1 includes backing up the user's original sysnand ctrnand data profile if the KeyY is fixed. :!: Changing the KeyY will automatically delete the 1:/data/<ID0> that's in place due to mismatch in encryption upon the next HOME Menu boot. This would force the user to create a new profile. The script provides the option to correct the 1:/data/<ID0> to the new KeyY. However, certain previous items like Friends List will be corrupted; the Friend Code is directly derived from KeyY.

Update May-21-2019: Version 1.3 does bi-directional searching where it splits the effort in looking both backwards (ex: 03 → 02) and forwards (ex: 03 → 04). There is now the option to quit the search run by pressing and holding the (B) button long enough. A 200 MB free space safety check was implement in case the data folder is backed up.

[Table of Contents]


Backing up the DSiWare CIAs and saves only.
Update March-21-2019: Version 1.1 - You can use this script for the ease of moving or importing nonlegit DSiWare titles and their saves involved in System Transfer or library duping.
Update April-27-2019: Version 1.2 - The TWL system titles are no longer backed up in order to prevent reinstalling bad copies. This is to prevent bricking the DS mode with fake tickets.
Update May-21-2019: Version 1.3 - Saves are no longer restored by mass dumping everything so as to not leave behind orphaned files. Saves are individually restored by cross checking for installed titles.

[Table of Contents]


Relisting or rebuilding the 3DS database files.
In the event the title.db and import.db found in 0:/Nintendo 3DS/<ID0>/<ID1>/dbs are corrupted, all games, DLCs, and updates would be forgotten.
  • HOME Menu: <blank>
  • System Settings → Data Management → Nintendo 3DS → [Software|Downloadable Content]
    • Being asked to reset or delete all software and savedata.
    • Saved Software Titles has gray question marks [ ? ].
    • Saved Software Titles is <blank> or has no icons.
    • For missing tickets, this can be fixed with faketik. ← (This is not a database issue.)
  • FBI → Titles: SD titles in green do not appear.
  • GodMode9: They can still be found when doing [A:] SYSNAND SD → Hold (R)-shoulder and press (A) Search for titles...
  • severe_damaged_dbs-png.194776
    damaged_database.png

You can rebuild the list with one of these three options.
  • Option (A) - Quick
  • Option (B) - Full
  • Option (C) - Manual
[Table of Contents]

:!: General Warnings
1. (Re-)installing a CIA over a previously installed game will overwrite and delete its save currently in place. The Rebuild 3DS Database options were designed to fix the import.db and title.db without losing the saves and to keep whatever legit tickets you might have acquired from real Nintendo eShop purchases and updates.

2. During the options' script runs, do not press the (B) button. There is no way to idiot proof the CIA building process. If you press (B) button, you are forced to manually rebuild those titles into CIAs if they were interrupted. Just plug the 3DS system to a AC charger, flip the clam shell closed to let the script do its thing, and leave it alone. Except for Option (C) and if everything goes smoothly without error, the script will turn off the 3DS/2DS to let you know to move onto the next part.

3. Each option has two parts (1 - starting , 2 - finalizing) with an intermediate step of installing CIAs. Do not mix and match the parts between different options.

4. Certain games have anti-cheat save protection that will erase itself if tampering or swapping is detected.
Two well known examples include:
  • Animal Crossing: New Leaf (including Welcome Amiibo edition)
  • Super Smash Bros. for 3DS
To bypass or reset the secure value, either:
  • (1) Backup & restore the saves with Checkpoint/JKSM.
  • (2) Delete the secure values for games that are known to have this using FBI. Do not try to delete the secure value for games that don't have it.
  • ACNL_secure_value.png
  • Update January 23, 2020: Version 1.4 automatically removes the secure values when restoring the setup/saves in part [ 2a | 2b | 2c ].
[Table of Contents]

# ~ # ~ #

Option (A) - Quick
The fastest of the three where dummy CIAs are generated, and all installed titles (saves included) are relocated offside to a temporary title_<ID0> folder. Once the dummy CIAs are installed:
  1. The original ticket.db is restored to keep the user's real tickets in place.
  2. To prevent accidental reinstallations of the dummy CIAs, the cias (dummy)_<ID0> folder is deleted.
  3. The titles are moved back to the title folder.
  4. Their individual *.cmd header CMACs are corrected.
:!: A minimum 256 MB of free space is required when making the dummy CIAs.
:!: Installing dummy DLCs with lots of contents can make FBI appear to crash or become stuck frozen. However, the progress is rather really slow for these titles. Look at the top row's moving clock for proof; be patient and don't force shut off!
:!: The sizes and blocks will be reported wrong in FBI and System Settings. There's no away around this annoyance except to use or redo rebuilding the database with one of the other two options.
rebuild_options_differences.png

:teach: If curiosity got the better of you, where you completed both parts (1a) Generate Dummy CIAs and (2a) Restore Setup, and you want to restore your SD setup just like how it was before having started Option (A), this is entirely reversible with the backed up files found in dbs_cmd_<ID0> folder.
dbs_cmd_1.png


dbs_cmd_2.png
option-a-description-instructions-png.210260

[Table of Contents]

# ~ # ~ #

Option (B) - Full
This is the slowest option when rebuilding the database. Alongside with Option (C), however, the final reported sizes and blocks in FBI and System Settings will be correct. For each title that is successfully backed up as a CIA, its <TID LOW> subfolder within title/<TID HIGH> folder will be deleted. In case of errors, outside files and titles that aren't made into CIAs are not deleted but moved over to a collection title_<ID0> folder for your later examination. If found, saves are decrypted and extracted to a separate saves_<ID0> folder regardless if their parent games were built into a CIA.

Once the CIAs are backed up, and the titles are reinstalled:
  1. The original ticket.db is restored to keep the user's real tickets in place.
  2. The saves are individually restored depending if the parent games were found to be reinstalled.
:!: A minimum 4 GB of free space is required to account for building the largest possible CIAs.
:!: To avoid misuse or misunderstanding, option (B) requires a certain action outside of the script. Read the option description on what to do before using (1b) Backup CIAs & Saves.
:arrow: Unlike Option (A), the cias (proper)_<ID0> output folder is left alone. You can keep copies of those backed up CIAs on your computer.
:arrow: If your SD card has less free space than the total amount of all the CIAs, use:
  • FBI → cias (proper)_<ID0><current directory> → Install and delete all CIAs
option-b-description-instructions-png.210261

[Table of Contents]

# ~ # ~ #

Option (C) - Manual
In case your SD card does not have 4 GB of free space, or you already have all your games, DLCs, and updates previously backed up as CIAs, this option requires your due diligence supplying a 1-to-1 collection of CIAs for all the titles installed in the Nintendo 3DS folder. A simple installed_titles_list.txt can be cross referenced by TitleIDs against those found at:
Once the saves are backed up, and the titles are reinstalled:
  1. The original ticket.db is restored to keep the user's real tickets in place.
  2. The saves are individually restored depending if the parent games were found to be reinstalled.
:!: A minimum 512 MB of free space is required when backing up the saves.
:arrow: Unlike Option (B), you're not tasked to do anything outside of the script.
:arrow: The title folder will be left as-is once the saves are copied.
:arrow: The two (2) DB files do not necessarily have to bad. While not recommended compared to Checkpoint or JKSM, you can use (1c) Backup Saves to extract copies of your (decrypted) saves. On a different 3DS system with a cloned SD setup, you can use the (2c) Restore Saves (with minor naming adjustments to saves_<ID0> folder) if you intend to import over the saves. Just make sure you remove the ticket.db out of saves_<ID0> if the saves are going on a different system!!

option-c-description-instructions-png.210262

[Table of Contents]


Remapping the Rosalina menu button combo.
If your 3DS system has broken buttons where the default { (L)-shoulder + (DOWN) d-pad + (SELECT) } can't be used, the combo can be remapped with one of these choices:
  • (L)-shoulder
  • (R)-shoulder
  • (Y)
  • (X)
  • (START)
  • (SELECT)
  • (UP) d-pad
  • (DOWN) d-pad
Once you can gain access to Rosalina menu, change the combo preference:
  • Miscellaneous options... → Change the menu combo → <input your new combo> → Save settings
[Table of Contents]


Bypassing the new user profile setup.
3DS systems that have broken 3D slider switch will get stuck at the 3D Screen Check after performing a system reformat.
  • System SettingsOther SettingsFormat System Memory
  • 3D Screen Check.png
Those who have hacked their o2DS by following outdated 2.1.0 CTRTransfer downgrade guides may also get theirs stuck at that screen, albeit with a distorted appearance.
  • 2.1.0 CTRTransfer o2DS downgrade brick.png
This pitfall scenario can be skipped with this script. Once HOME Menu is reached, filling out personal information and user agreements is still mandatory for access to online services and system updates.
  • System Settings → Internet Settings → Spotpass →
    • Automatic Software Downloads
    • Sending of System Information
  • System Settings → Other Settings →
    • Profile: User Name, Birthday, Region Settings
    • Date & Time
    • Language
[Table of Contents]


Looking up the Parental Controls PIN number.
Did you forget the four-digit password to the Parental Controls? Did you receive or purchase a 3DS system that the previous owner didn't unlock? No problem!
  • Parental Controls - PIN.png
[Table of Contents]


Checking the integrity of the eMMC (NAND chip).
<placeholder>

[Table of Contents]


Resetting the NVRAM.
<placeholder>

[Table of Contents]


Some details of this script, what it does, and why. Ending comment.
  • For "best" case brick scenarios where nothing is missing, this script will only replace import.db, title.db, and title folder.
  • In the 1:/ drive, only data, dbs, fastboot3ds, fixdata, private, ro, rw, ticket, title, tmp, __journal.nn_, and boot.firm will be backed up. Everything else will be overwritten/deleted.
  • The user's original ticket.db is kept in place so that personal legit tickets can still be individually dumped if the user chooses to do so later.
    • GodMode9 does not appear to recognize personal legit tickets installed on a different or replacement ticket.db.
  • However, universal legit tickets like system titles can be installed on any ticket.db and still be recognized by GodMode9 .
  • Due to the two bulletin points above, this is the reason why Homebrew Launcher is injected in Nintendo 3DS Camera in order to install those system tickets in a round about way.
    • With that said, this script isn't appropriate for those region changing the firmware with broken shoulder buttons and broken cameras.
  • Anyone examining the script's code might be baffled as to why certain sections may seem very redundant. Let's just say trial and error has made this deliberately overprotective as possible.
  • This script wasn't made with speed in mind. Besides, repairing a firmware softbrick isn't a race. Much of the script has comments with pauses so anyone using the script can know what's going on at a given moment.
  • While I hope this script finds good use to those who may need it, I also wish that no one finds himself or herself of having to do so in the first place. But, shit happens.
[Table of Contents]
 
Last edited by TurdPooCharger,

Quantumcat

Dead and alive
Member
Joined
Nov 23, 2014
Messages
15,149
Trophies
0
Location
Canberra, Australia
Website
boot9strap.com
XP
11,057
Country
Australia
CTRTransfer (Type D9)

Credit goes to:
  • @d0k3 - The CTRTransfer from both GodMode9 and Decrypt9WIP are the foundations that this script is built upon.
  • @Quantumcat - Helped saved the day solving someone's terribly softbricked o2DS with the power of Decrypt9.
    • This led to learning firsthand what those differences are between the two programs in how they perform it.
  • @AnalogMan - His Lazarus3DS and related NAND gm9 scripts are major influences in understanding key aspects about 3DS firmware recovery.
  • @Namesnipe - Shared the neat knowledge that individual tickets can be backed up from the ticket.db.
  • @CodyWGamer - Showcased that the [S:] SYSNAND VIRTUAL isn't something to be trifled with if one does not treat that drive with caution and care.
  • @KleinesSinchen - Demonstrated and verified that the twln.bin and twlp.bin partitions can be super bricked.
    • This interesting knowledge was the final piece of the puzzle in making this script possible by showing that parts of the NAND are manually reflashable (perhaps too easily).
  • And many partners in crime busting all sorts of 3DS bricks and issues. While we can't fix them all, we sure as hell do solve a lot of 'em.
***
***

Here's a detailed crash course about this subject:
TL;DR - Basically, CTRTransfer is like a universal SysNAND image used for recovering from softbricks and region changing the firmware.
If you're familiar with computer operating systems, this is similar to Windows Recovery and Mac Time Machine (?).

***

What is this?
This is a gm9 script for performing a variation of Decrypt9 CTRTransfer. Homebrew 3DS users are likely to be more familiar with standard or (built-in) GodMode9 CTRTransfer. While both types are used for repairing or region changing the 3DS firmware, there are stark differences in how they go about changing or correcting the CTRNAND.

Decrypt9 Method
  • A few console unique files such as the movable.sed, configsave.bin, LocalFriendCodeSeed_B, and SecureInfo_A/B are first extracted from the CTRNAND drive. Afterwards, Decrypt9 (the program) flashes the entire raw donor CTRNAND *.bin image file onto the CTRNAND partition. Those backed up files are moved back in the drive to their respective locations and CMAC hash corrections are done throughout such as for the *.db datebase files and user's extdata + sysdata.
GodMode9 Method
  • GodMode9 (the program) selectively replaces only the titles folder and *.db files. This is to surgically fix the broken system apps while keeping the rest of the user's personal and console unique files intact. Once these folders and files are replaced as needed, this is followed by CMAC hash corrections for those *.db files.
To put this into a comparable life analogy of the two, GM9 CTRTransfer is like replacing worn houseware parts, patching holes for stone walls to a structurally sound but very old house, and renovating its dainty decorations, flooring, and walls. D9 CTRTransfer is like removing your furnishings and personal belongs out of the house, knocking that house down because it's deemed too decrepit, building a replica in its place, and then moving as much of your stuff back in, assuming you haven't forgotten leaving behind anything before the teardown.

GodMode9 is the safer and less intrusive of the two while fixing most general softbricks. Although Decrypt9 is arguably more effective at dealing with severe softbricks, the older app's implementation fails to back up and restore crucial files such as hardware calibration HWCAL0.DAt and HWCAL1.DAt, personal legit tickets, and [seed|nag|friend|nnid|etc.]save.bin.

With those differences in mind, this script was created with the goal of combining the Decrypt9 approach of flashing a clean slate CTRNAND drive while also maintaining as much of the user's original setup like that of GodMode9.


Bricks that this can fix.
  1. Files and folders that are partially or fully deleted off the [1:] SYSNAND CTRNAND.
    • For whatever reason, the 3DS or 2DS system you have had its setup accidentally erased. Perhaps you bought/received yours prehacked from a previous owner who was neglectful. As long as something called the essential.exefs is present and has not been tampered with, it's possible to create a fresh firmware setup.
  2. The [1:] SYSNAND CTRNAND is missing.
    • Let's imagine you experienced a catastrophic softbrick which required remedying the issue by restoring the SysNAND with a personal image backup. However, luck would have it that the one and only SysNAND *.bin image you kept was trashed by an unknowingly fake SD card. To add further insult to injury, during your restoration of the corrupted image, your system has a very old and untrustworthy battery that dies on you during mid-restore. This incident bricks the CTRNAND partition where GodMode9 doesn't even acknowledge the presence of the drive. Again, this is recoverable so long as the essential.exefs is present and hasn't been tampered with.
  3. Strange '?' files that are stubbornly stuck in CTRNAND or cannot be deleted/replaced by conventional means.
    • Despite H2testw checking the SD card for issues, updating the custom firmware & 3DS firmware, and troubleshooting for any and all hardware issues, your system has unexplainable boot issues, poor GUI functionality, or random crashes. You (surprise, surprise!) don't have the benefit of a clean, backed up SysNAND *.bin image to recovery from. Attempts at using standard CTRTransfer are not providing favorable results. You may very well have a broken file allocation table at hand. If those damaged files are limited to replaceable or non-unique items, this script will try maintaining anything that's salvageable.
    • 2DS softlocks or crashes when trying to launch anything from the home menu [post #84]
    • 2ds_5-jpg.149838

Safety Features & Process Overview

This script...
  1. Checks against itself if GodMode9 is a recent enough version that's capable of using these script functions:
    • Code:
      fget
      fset
  2. Determines if the system in question can be identified as either "Old" or "New" before proceeding.
  3. Exits out much earlier and mentions if CTRNAND images are missing at the specified input directory.
  4. Asks upfront for write permissions to work in the [1:] SYSNAND CTRNAND and [S:] SYSNAND VIRTUAL/ctrnand_full.bin.
  5. Looks for the accompanying *.sha file that's goes with the CTRNAND *.bin image.
  6. Verifies that the *.sha file is of the correct size and acceptable region code.
  7. Spot checks two offsets to determine whether the CTRNAND image is the correct FULL kind versus FAT/unknown.
  8. Rejects the selected CTRNAND image if it's meant for the other system type (O3DS vs N3DS).
  9. Measures the CTRNAND image size to make sure it's the correct exact size for the system type.
  10. Measures the size of S:/ctrnand_full.bin to see if it's the expected partition size.
  11. Mounts the CTRNAND image to check that it is an intact image.
  12. Writes a 1 GB dummy file onto the SD card and then deletes it so that there's enough free space to work with.
  13. Compares CTRNAND image hash against its *.sha file.
  14. Backs-up the user's entire CTRNAND setup, except for the titles folder.
  15. Backs-up the DSiWare titles as CIA and save files.
  16. Flashes the CTRNAND image to S:/ctrnand_full.bin without the option to cancel.
  17. Backs-up the system tickets from the donor CTRNAND image.
    • This is done to keep the user's original ticket.db.
  18. Deletes the donor's essential files in preparation of cleanly restoring the user's setup.
  19. Restores the user's setup back to the CTRNAND drive, except for certain *.db files.
  20. Image mounts the backup essential.exefs and restores any of these five if missing.
    • LocalFriendCodeSeed_B, HWCAL0.DAt, HWCAL1.DAt, movable.sed, SecureInfo_A
  21. Examines the SecureInfo_A|B against the *.sha file if region changing is undertaken.
  22. If region changing is intended, defaults _A, creates & edits _B and copies _B to _C.
    • A - original, B - region edited (for Recovery Mode), C - a copy of B (for HOME Menu)
  23. Fixes the entire 1:/ drive's CMACs.
  24. Asks to Rosalina menu inject Homebrew Launcher to Nintendo 3DS Camera.

Instructions

  1. Copy everything off your SD card onto a computer.
  2. Test the empty card for hardware problems with H2testw (Windows), F3 (Linux), or F3X (Mac).
    • :!: A fake or faulty SD card will cause a secondary brick where the user's setup is permanently corrupted when backed up.
  3. Delete the *.h2w test files if the card checks out fine. If the card was found to have issues, replace it and go back to step 1.
  4. Either move back your main setup or create a temporary test setup on the card.
    • (1) (Optional) Here's a starter kit for reference and convenience.
    • (2) Your setup must have GodMode9 (v1.7.1 or newer) and the 3DSX versions of FBI, faketik, and Cthuhlu.
    • (3) The script requires a minimum 1 GB of free space.
  5. Put the CTRTransfer files of choice at:
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin.sha
  6. Put the script at:
    • sdmc:/gm9/scripts/CTRTransfer (Type D9).gm9
  7. Unless it's really bad, backup the SysNAND for extra safety even if it is currently bricked.
  8. GodMode9 → (HOME) button → Scripts...CTRTransfer (Type D9).
    • The rest of the script will be self-explanatory.
  9. During script run, :!: do not press and hold the (B) button when the DSiWare games are being dumped and especially for the system tickets.
    • These are the two sections I could not idiot proof. If you try to cancel building a DSiWare CIA, it'll ask you to try again with the choice to cancel. For the system tickets, the script will fail to completely mount ticket.db.
  10. If region changing the 3DS firmware and there are no system titles shown in HOME Menu, launch the camera applet → Nintendo 3DS Camera → Homebrew Launcher.
  11. Install the system tickets and DSiWare CIAs with FBI. Restore tickets for nonlegit titles with faketik. If you have a lot of games, unwrap them all with Cthuhlu.
  12. Update to the latest firmware version in Recovery Mode or System Settings.
  13. Go back to the script to restore the DSiWare saves.
  14. See if the DSiWare games launch with their saves. Check if DS(i) mode is broken. You may need to follow up with:
    • [3ds.hacks.guide] DSi / DS functionality is broken after completing the guide *
    • * March-12, 2019: At the time of writing this, the hacks.guide has/had outdated CIAs for the Old 3DS TWL_FIRM and New 3DS TWL_FIRM.
    • For firmware 11.9.0-42, the TWL_FIRM should be:
      • 0004013800000102
        • Old_3DS TWL_FIRM
        • Version: 10864 (10.39.0)
        • Product Code: CTR-P-CTAP
      • 0004013820000102
        • New_3DS TWL_FIRM
        • Version: 10962 (10.45.2)
        • Product Code: CTR-P-CTAP

FBI errors 0xD8E08066 and 0xD8E0806C
  • 0xD8E08066 - The system tickets may fail to install due to something called the certs.db (certificates). Your setup at one point either corrupted it or erased & regenerated that file with a dummy nonfunctional copy. A replacement copy borrowed from the CTRTransfer image would then be required. The script can replace that file if you come across this issue. Do not use this option if the problem doesn't exist; certs.db is partially involved with transiting 3DS online play.
  • 0xD8E0806C - The backed up DSiWare titles may fail to install. This is likely to occur if the CTRTransfer was used to region change the firmware. To fix this, install a different DSiWare *.cia file that's not from that backed up set. I have no clue why this hiccup occurs...
Additional Feature: finding and restoring the KeyY.
If you have the Nintendo 3DS folder backed up from a previous profile that was removed from (1) Format System Memory and (2) NOT involved in a System Transfer, this script can brute force up to 256 iterations finding the lost KeyY in the movable.sed linked to a specific <ID0> subfolder. To read more how this works,
Assuming the rest of the KeyY string is correct, finding the 0x118 hex counter that matches the target <ID0> can take up to 1.5 hour to complete or as little as 1 minute. This depends on the search order (this script looks backwards, ex: 03 → 02) versus value of the "correct" hex counter relative to the starting search value (ex, "correct" value is 04 but script is looking backwards, which will take a long time to find and calculate).


Some details of this script, what it does, and why. Ending comment.
  • For "best" case brick scenarios where nothing is missing, this script will only replace import.db, title.db, and titles folder.
  • In the 1:/ drive, anything that's not data, dbs, fixdata, private, ro, rw, ticket, title, tmp, __journal.nn_, and boot.firm will be overwritten/deleted.
  • The user's original ticket.db is kept in place so that personal legit tickets can still be individually dumped if the user chooses to do so later.
    • GodMode9 does not appear to recognize personal legit tickets installed on a different or replacement ticket.db.
  • However, universal legit tickets like system titles can be installed on any ticket.db and still be recognized by GodMode9 .
  • Due to the two bulletin points above, this is the reason why Homebrew Launcher is injected in Nintendo 3DS Camera in order to install those system tickets in a round about way.
    • With that said, this script isn't appropriate for those region changing the firmware with broken shoulder buttons and broken cameras.
  • Anyone examining the script's code might be baffled why certain sections may seem very redundant. Let's just say trial and error has made this deliberately overprotective as possible.
  • This script wasn't made with speed in mind. Besides, repairing a firmware softbrick isn't a race. Much of the script has comments with pauses so anyone using the script can know what's going on at a given moment.
  • While I hope this script finds good use to those who may need it, I also wish that no one finds himself or herself of having to in the first place. But, shit happens.
Very impressive, nice work!!
 

CodyWGamer

Well-Known Member
Member
Joined
Dec 10, 2018
Messages
155
Trophies
0
Age
18
XP
364
Country
United States
CTRTransfer (Type D9)

Credit goes to:
  • @d0k3 - The CTRTransfer from both GodMode9 and Decrypt9WIP are the foundations that this script is built upon.
  • @Quantumcat - Helped saved the day solving someone's terribly softbricked o2DS with the power of Decrypt9.
    • This led to learning firsthand what those differences are between the two programs in how they perform it.
    • She also shared the title id for Nintendo 3DS Camera for AUS region.
  • @AnalogMan - His Lazarus3DS and related NAND gm9 scripts are major influences in understanding key aspects about 3DS firmware recovery.
  • @Namesnipe - Shared the neat knowledge that individual tickets can be backed up from the ticket.db.
  • @CodyWGamer - Showcased that the [S:] SYSNAND VIRTUAL isn't something to be trifled with if one does not treat that drive with caution and care.
  • @KleinesSinchen - Demonstrated and verified that the twln.bin and twlp.bin partitions can be super bricked.
    • This interesting knowledge was the final piece of the puzzle in making this script possible by showing that parts of the NAND are manually reflashable (perhaps too easily).
  • And many partners in crime busting all sorts of 3DS bricks and issues. While we can't fix them all, we sure as hell do solve a lot of 'em.
***
***

Here's a detailed crash course about this subject:
TL;DR - Basically, CTRTransfer is like a universal SysNAND image used for recovering from softbricks and region changing the firmware.
If you're familiar with computer operating systems, this is similar to Windows Recovery and Mac Time Machine (?).

***

What is this?
This is a gm9 script for performing a variation of Decrypt9 CTRTransfer. Homebrew 3DS users are likely to be more familiar with standard or (built-in) GodMode9 CTRTransfer. While both types are used for repairing or region changing the 3DS firmware, there are stark differences in how they go about changing or correcting the CTRNAND.

Decrypt9 Method
  • A few console unique files such as the movable.sed, configsave.bin, LocalFriendCodeSeed_B, and SecureInfo_A/B are first extracted from the CTRNAND drive. Afterwards, Decrypt9 (the program) flashes the entire raw donor CTRNAND *.bin image file onto the CTRNAND partition. Those backed up files are moved back in the drive to their respective locations and CMAC hash corrections are done throughout such as for the *.db datebase files and user's extdata + sysdata.
GodMode9 Method
  • GodMode9 (the program) selectively replaces only the titles folder and *.db files. This is to surgically fix the broken system apps while keeping the rest of the user's personal and console unique files intact. Once these folders and files are replaced as needed, this is followed by CMAC hash corrections for those *.db files.
To put this into a comparable life analogy of the two, GM9 CTRTransfer is like replacing worn houseware parts, patching holes for stone walls to a structurally sound but very old house, and renovating its dainty decorations, flooring, and walls. D9 CTRTransfer is like removing your furnishings and personal belongs out of the house, knocking that house down because it's deemed too decrepit, building a replica in its place, and then moving as much of your stuff back in, assuming you haven't forgotten leaving behind anything before the teardown.

GodMode9 is the safer and less intrusive of the two while fixing most general softbricks. Although Decrypt9 is arguably more effective at dealing with severe softbricks, the older app's implementation fails to back up and restore crucial files such as hardware calibration HWCAL0.DAt and HWCAL1.DAt, personal legit tickets, and [seed|nag|friend|nnid|etc.]save.bin.

With those differences in mind, this script was created with the goal of combining the Decrypt9 approach of flashing a clean slate CTRNAND drive while also maintaining as much of the user's original setup like that of GodMode9.


Bricks that this can fix.
  1. Files and folders that are partially or fully deleted off the [1:] SYSNAND CTRNAND.
    • For whatever reason, the 3DS or 2DS system you have had its setup accidentally erased. Perhaps you bought/received yours prehacked from a previous owner who was neglectful. As long as something called the essential.exefs is present and has not been tampered with, it's possible to create a fresh firmware setup.
  2. The [1:] SYSNAND CTRNAND is missing.
    • Let's imagine you experienced a catastrophic softbrick which required remedying the issue by restoring the SysNAND with a personal image backup. However, luck would have it that the one and only SysNAND *.bin image you kept was trashed by an unknowingly fake SD card. To add further insult to injury, during your restoration of the corrupted image, your system has a very old and untrustworthy battery that dies on you during mid-restore. This incident bricks the CTRNAND partition where GodMode9 doesn't even acknowledge the presence of the drive. Again, this is recoverable so long as the essential.exefs is present and hasn't been tampered with.
  3. Strange '?' files that are stubbornly stuck in CTRNAND or cannot be deleted/replaced by conventional means.
    • Despite H2testw checking the SD card for issues, updating the custom firmware & 3DS firmware, and troubleshooting for any and all hardware issues, your system has unexplainable boot issues, poor GUI functionality, or random crashes. You (surprise, surprise!) don't have the benefit of a clean, backed up SysNAND *.bin image to recovery from. Attempts at using standard CTRTransfer are not providing favorable results. You may very well have a broken file allocation table at hand. If those damaged files are limited to replaceable or non-unique items, this script will try maintaining anything that's salvageable.
    • 2DS softlocks or crashes when trying to launch anything from the home menu [post #84]
    • 2ds_5-jpg.149838

Safety Features & Process Overview

This script...
  1. Checks against itself if GodMode9 is a recent enough version that's capable of using these script functions:
    • Code:
      fget
      fset
  2. Determines if the system in question can be identified as either "Old" or "New" before proceeding.
  3. Exits out much earlier and mentions if CTRNAND images are missing at the specified input directory.
  4. Asks upfront for write permissions to work in the [1:] SYSNAND CTRNAND and [S:] SYSNAND VIRTUAL/ctrnand_full.bin.
  5. Looks for the accompanying *.sha file that's goes with the CTRNAND *.bin image.
  6. Verifies that the *.sha file is of the correct size and acceptable region code.
  7. Spot checks two offsets to determine whether the CTRNAND image is the correct FULL kind versus FAT/unknown.
  8. Rejects the selected CTRNAND image if it's meant for the other system type (O3DS vs N3DS).
  9. Measures the CTRNAND image size to make sure it's the correct exact size for the system type.
  10. Measures the size of S:/ctrnand_full.bin to see if it's the expected partition size.
  11. Mounts the CTRNAND image to check that it is an intact image.
  12. Writes a 1 GB dummy file onto the SD card and then deletes it so that there's enough free space to work with.
  13. Compares CTRNAND image hash against its *.sha file.
  14. Backs-up the user's entire CTRNAND setup, except for the titles folder.
  15. Backs-up the DSiWare titles as CIA and save files.
    • CTRTransfer makes TWLN titles forgotten due to changing out the title.db.
  16. Flashes the CTRNAND image to S:/ctrnand_full.bin without the option to cancel.
  17. Backs-up the system tickets from the donor CTRNAND image.
    • This is done to keep the user's original ticket.db.
  18. Deletes the donor's essential files in preparation of cleanly restoring the user's setup.
  19. Restores the user's setup back to the CTRNAND drive, except for certain *.db files.
  20. Image mounts the backup essential.exefs and restores any of these five if missing.
    • LocalFriendCodeSeed_B, HWCAL0.DAt, HWCAL1.DAt, movable.sed, SecureInfo_A
  21. Examines the SecureInfo_A|B against the *.sha file if region changing is undertaken.
  22. If region changing is intended, defaults _A, creates & edits _B and copies _B to _C.
    • A - original, B - region edited (for Recovery Mode), C - a copy of B (for HOME Menu)
  23. Fixes the entire 1:/ drive's CMACs.
  24. Asks to Rosalina menu inject Homebrew Launcher to Nintendo 3DS Camera.

Instructions

  1. Copy everything off your SD card onto a computer.
  2. Test the empty card for hardware problems with H2testw (Windows), F3 (Linux), or F3X (Mac).
    • :!: A fake or faulty SD card will cause a secondary brick where the user's setup is permanently corrupted when backed up.
  3. Delete the *.h2w test files if the card checks out fine. If the card was found to have issues, replace it and go back to step 1.
  4. Either move back your main setup or create a temporary test setup on the card.
    • (1) (Optional) Here's a starter kit for reference and convenience.
    • (2) Your setup must have GodMode9 (v1.7.1 or newer) and the 3DSX versions of FBI, faketik, and Cthuhlu.
    • (3) The script requires a minimum 1 GB of free space.
  5. Put the CTRTransfer files of choice at:
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin.sha
  6. Put the script at:
    • sdmc:/gm9/scripts/CTRTransfer (Type D9).gm9
  7. Unless it's really bad, backup the SysNAND for extra safety even if it is currently bricked.
  8. GodMode9 → (HOME) button → Scripts...CTRTransfer (Type D9).
    • The rest of the script will be self-explanatory.
  9. During script run, :!: do not press and hold the (B) button when the DSiWare games are being dumped and especially for the system tickets.
    • These are the two sections I could not idiot proof. If you try to cancel building a DSiWare CIA, it'll ask you to try again with the choice to cancel. For the system tickets, the script will fail to completely mount ticket.db.
  10. If region changing the 3DS firmware and there are no system titles shown in HOME Menu, launch the camera applet → Nintendo 3DS Camera → Homebrew Launcher.
  11. Install the system tickets and DSiWare CIAs with FBI. Restore tickets for nonlegit titles with faketik. If you have a lot of games, unwrap them all with Cthuhlu.
  12. Update to the latest firmware version in Recovery Mode or System Settings.
  13. Go back to the script to restore the DSiWare saves.
  14. See if the DSiWare games launch with their saves. Check if DS(i) mode is broken. You may need to follow up with:
    • [3ds.hacks.guide] DSi / DS functionality is broken after completing the guide *
    • * March-12, 2019: At the time of writing this, the hacks.guide has/had outdated CIAs for the Old 3DS TWL_FIRM and New 3DS TWL_FIRM.
    • For firmware 11.9.0-42, the TWL_FIRM should be:
      • 0004013800000102
        • Old_3DS TWL_FIRM
        • Version: 10864 (10.39.0)
        • Product Code: CTR-P-CTAP
      • 0004013820000102
        • New_3DS TWL_FIRM
        • Version: 10962 (10.45.2)
        • Product Code: CTR-P-CTAP

FBI errors 0xD8E08066 and 0xD8E0806C
  • 0xD8E08066 - The system tickets may fail to install due to something called the certs.db (certificates). Your setup at one point either corrupted it or erased & regenerated that file with a dummy nonfunctional copy. A replacement copy borrowed from the CTRTransfer image would then be required. The script can replace that file if you come across this issue. Do not use this option if the problem doesn't exist; certs.db is partially involved with transiting 3DS online play.
  • 0xD8E0806C - The backed up DSiWare titles may fail to install. This is likely to occur if the CTRTransfer was used to region change the firmware. To fix this, install a different DSiWare *.cia file that's not from that backed up set. I have no clue why this hiccup occurs...
Additional Feature: finding and restoring the KeyY.
If you have the Nintendo 3DS folder backed up from a previous profile that was removed from (1) Format System Memory and (2) NOT involved in a System Transfer, this script can brute force up to 256 iterations finding the lost KeyY in the movable.sed linked to a specific <ID0> subfolder. To read more how this works,
Assuming the rest of the KeyY string is correct, finding the 0x118 hex counter that matches the target <ID0> can take up to 1.5 hour to complete or as little as 1 minute. This depends on the search order (this script looks backwards, ex: 03 → 02) versus value of the "correct" hex counter relative to the starting search value (ex, "correct" value is 04 but script is looking backwards, which will take a long time to find and calculate).


Some details of this script, what it does, and why. Ending comment.
  • For "best" case brick scenarios where nothing is missing, this script will only replace import.db, title.db, and titles folder.
  • In the 1:/ drive, only data, dbs, fastboot3ds, fixdata, private, ro, rw, ticket, title, tmp, __journal.nn_, and boot.firm will be backed up. Everything else will be overwritten/deleted.
  • The user's original ticket.db is kept in place so that personal legit tickets can still be individually dumped if the user chooses to do so later.
    • GodMode9 does not appear to recognize personal legit tickets installed on a different or replacement ticket.db.
  • However, universal legit tickets like system titles can be installed on any ticket.db and still be recognized by GodMode9 .
  • Due to the two bulletin points above, this is the reason why Homebrew Launcher is injected in Nintendo 3DS Camera in order to install those system tickets in a round about way.
    • With that said, this script isn't appropriate for those region changing the firmware with broken shoulder buttons and broken cameras.
  • Anyone examining the script's code might be baffled as to why certain sections may seem very redundant. Let's just say trial and error has made this deliberately overprotective as possible.
  • This script wasn't made with speed in mind. Besides, repairing a firmware softbrick isn't a race. Much of the script has comments with pauses so anyone using the script can know what's going on at a given moment.
  • While I hope this script finds good use to those who may need it, I also wish that no one finds himself or herself of having to do so in the first place. But, shit happens.
glad to be your test monkey XD



EDIT: So what can i do with this new software now? I managed to install it and now i want to know what else it's capable of... I read your WHOLE thread and want to know what else it can do... can it MCU unbrick my ds mode
 
Last edited by CodyWGamer,
Joined
Jan 1, 2018
Messages
7,292
Trophies
2
XP
5,868
Country
United States
glad to be your test monkey XD

EDIT: So what can i do with this new software now? I managed to install it and now i want to know what else it's capable of... I read your WHOLE thread and want to know what else it can do... can it MCU unbrick my ds mode
To be clear, the script is technically an add-on to the actual software, GodMode9. Because you already attempted a specialized form of (CTR+TWL)Transfer that's closely related to D9 CTRTransfer, this script won't fix your very strange DS(i) mode brick. As was explained in PM, MCU bricks (if assuming yours is MCU related) is for all intents and purposes, permanent and not fixable.
 

NFates

Wants to understand™
Member
Joined
Mar 13, 2016
Messages
646
Trophies
0
Location
Probably home.
XP
2,046
Country
Dominican Republic
CTRTransfer (Type D9)

Credit goes to:
  • @d0k3 - The CTRTransfer from both GodMode9 and Decrypt9WIP are the foundations that this script is built upon.
  • @Quantumcat - Helped saved the day solving someone's terribly softbricked o2DS with the power of Decrypt9.
    • This led to learning firsthand what those differences are between the two programs in how they perform it.
    • She also shared the title id for Nintendo 3DS Camera for AUS region.
  • @AnalogMan - His Lazarus3DS and related NAND gm9 scripts are major influences in understanding key aspects about 3DS firmware recovery.
  • @Namesnipe - Shared the neat knowledge that individual tickets can be backed up from the ticket.db.
  • @CodyWGamer - Showcased that the [S:] SYSNAND VIRTUAL isn't something to be trifled with if one does not treat that drive with caution and care.
  • @KleinesSinchen - Demonstrated and verified that the twln.bin and twlp.bin partitions can be super bricked.
    • This interesting knowledge was the final piece of the puzzle in making this script possible by showing that parts of the NAND are manually reflashable (perhaps too easily).
  • And many partners in crime busting all sorts of 3DS bricks and issues. While we can't fix them all, we sure as hell do solve a lot of 'em.
***
***

Here's a detailed crash course about this subject:
TL;DR - Basically, CTRTransfer is like a universal SysNAND image used for recovering from softbricks and region changing the firmware.
If you're familiar with computer operating systems, this is similar to Windows Recovery and Mac Time Machine (?).

***

What is this?
This is a gm9 script for performing a variation of Decrypt9 CTRTransfer. Homebrew 3DS users are likely to be more familiar with standard or (built-in) GodMode9 CTRTransfer. While both types are used for repairing or region changing the 3DS firmware, there are stark differences in how they go about changing or correcting the CTRNAND.

Decrypt9 Method
  • A few console unique files such as the movable.sed, configsave.bin, LocalFriendCodeSeed_B, and SecureInfo_A/B are first extracted from the CTRNAND drive. Afterwards, Decrypt9 (the program) flashes the entire raw donor CTRNAND *.bin image file onto the CTRNAND partition. Those backed up files are moved back in the drive to their respective locations and CMAC hash corrections are done throughout such as for the *.db datebase files and user's extdata + sysdata.
GodMode9 Method
  • GodMode9 (the program) selectively replaces only the titles folder and *.db files. This is to surgically fix the broken system apps while keeping the rest of the user's personal and console unique files intact. Once these folders and files are replaced as needed, this is followed by CMAC hash corrections for those *.db files.
To put this into a comparable life analogy of the two, GM9 CTRTransfer is like replacing worn houseware parts, patching holes for stone walls to a structurally sound but very old house, and renovating its dainty decorations, flooring, and walls. D9 CTRTransfer is like removing your furnishings and personal belongs out of the house, knocking that house down because it's deemed too decrepit, building a replica in its place, and then moving as much of your stuff back in, assuming you haven't forgotten leaving behind anything before the teardown.

GodMode9 is the safer and less intrusive of the two while fixing most general softbricks. Although Decrypt9 is arguably more effective at dealing with severe softbricks, the older app's implementation fails to back up and restore crucial files such as hardware calibration HWCAL0.DAt and HWCAL1.DAt, personal legit tickets, and [seed|nag|friend|nnid|etc.]save.bin.

With those differences in mind, this script was created with the goal of combining the Decrypt9 approach of flashing a clean slate CTRNAND drive while also maintaining as much of the user's original setup like that of GodMode9.


Bricks that this can fix.
  1. Files and folders that are partially or fully deleted off the [1:] SYSNAND CTRNAND.
    • For whatever reason, the 3DS or 2DS system you have had its setup accidentally erased. Perhaps you bought/received yours prehacked from a previous owner who was neglectful. As long as something called the essential.exefs is present and has not been tampered with, it's possible to create a fresh firmware setup.
  2. The [1:] SYSNAND CTRNAND is missing.
    • Let's imagine you experienced a catastrophic softbrick which required remedying the issue by restoring the SysNAND with a personal image backup. However, luck would have it that the one and only SysNAND *.bin image you kept was trashed by an unknowingly fake SD card. To add further insult to injury, during your restoration of the corrupted image, your system has a very old and untrustworthy battery that dies on you during mid-restore. This incident bricks the CTRNAND partition where GodMode9 doesn't even acknowledge the presence of the drive. Again, this is recoverable so long as the essential.exefs is present and hasn't been tampered with.
  3. Strange '?' files that are stubbornly stuck in CTRNAND or cannot be deleted/replaced by conventional means.
    • Despite H2testw checking the SD card for issues, updating the custom firmware & 3DS firmware, and troubleshooting for any and all hardware issues, your system has unexplainable boot issues, poor GUI functionality, or random crashes. You (surprise, surprise!) don't have the benefit of a clean, backed up SysNAND *.bin image to recovery from. Attempts at using standard CTRTransfer are not providing favorable results. You may very well have a broken file allocation table at hand. If those damaged files are limited to replaceable or non-unique items, this script will try maintaining anything that's salvageable.
    • 2DS softlocks or crashes when trying to launch anything from the home menu [post #84]
    • 2ds_5-jpg.149838

Safety Features & Process Overview

This script...
  1. Checks against itself if GodMode9 is a recent enough version that's capable of using these script functions:
    • Code:
      fget
      fset
  2. Determines if the system in question can be identified as either "Old" or "New" before proceeding.
  3. Exits out much earlier and mentions if CTRNAND images are missing at the specified input directory.
  4. Asks upfront for write permissions to work in the [1:] SYSNAND CTRNAND and [S:] SYSNAND VIRTUAL/ctrnand_full.bin.
  5. Looks for the accompanying *.sha file that's goes with the CTRNAND *.bin image.
  6. Verifies that the *.sha file is of the correct size and acceptable region code.
  7. Spot checks two offsets to determine whether the CTRNAND image is the correct FULL kind versus FAT/unknown.
  8. Rejects the selected CTRNAND image if it's meant for the other system type (O3DS vs N3DS).
  9. Measures the CTRNAND image size to make sure it's the correct exact size for the system type.
  10. Measures the size of S:/ctrnand_full.bin to see if it's the expected partition size.
  11. Mounts the CTRNAND image to check that it is an intact image.
  12. Writes a 1 GB dummy file onto the SD card and then deletes it so that there's enough free space to work with.
  13. Compares CTRNAND image hash against its *.sha file.
  14. Backs-up the user's entire CTRNAND setup, except for the titles folder.
  15. Backs-up the DSiWare titles as CIA and save files.
    • CTRTransfer makes TWLN titles forgotten due to changing out the title.db.
  16. Flashes the CTRNAND image to S:/ctrnand_full.bin without the option to cancel.
  17. Backs-up the system tickets from the donor CTRNAND image.
    • This is done to keep the user's original ticket.db.
  18. Deletes the donor's essential files in preparation of cleanly restoring the user's setup.
  19. Restores the user's setup back to the CTRNAND drive, except for certain *.db files.
  20. Image mounts the backup essential.exefs and restores any of these five if missing.
    • LocalFriendCodeSeed_B, HWCAL0.DAt, HWCAL1.DAt, movable.sed, SecureInfo_A
  21. Examines the SecureInfo_A|B against the *.sha file if region changing is undertaken.
  22. If region changing is intended, defaults _A, creates & edits _B and copies _B to _C.
    • A - original, B - region edited (for Recovery Mode), C - a copy of B (for HOME Menu)
  23. Fixes the entire 1:/ drive's CMACs.
  24. Asks to Rosalina menu inject Homebrew Launcher to Nintendo 3DS Camera.

Instructions

  1. Copy everything off your SD card onto a computer.
  2. Test the empty card for hardware problems with H2testw (Windows), F3 (Linux), or F3X (Mac).
    • :!: A fake or faulty SD card will cause a secondary brick where the user's setup is permanently corrupted when backed up.
  3. Delete the *.h2w test files if the card checks out fine. If the card was found to have issues, replace it and go back to step 1.
  4. Either move back your main setup or create a temporary test setup on the card.
    • (1) (Optional) Here's a starter kit for reference and convenience.
    • (2) Your setup must have GodMode9 (v1.7.1 or newer) and the 3DSX versions of FBI, faketik, and Cthuhlu.
    • (3) The script requires a minimum 1 GB of free space.
  5. Put the CTRTransfer files of choice at:
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin
    • sdmc:/gm9/in/11.5.0-38X_ctrtransfer_x3ds.bin.sha
  6. Put the script at:
    • sdmc:/gm9/scripts/CTRTransfer (Type D9).gm9
  7. Unless it's really bad, backup the SysNAND for extra safety even if it is currently bricked.
  8. GodMode9 → (HOME) button → Scripts...CTRTransfer (Type D9).
    • The rest of the script will be self-explanatory.
  9. During script run, :!: do not press and hold the (B) button when the DSiWare games are being dumped and especially for the system tickets.
    • These are the two sections I could not idiot proof. If you try to cancel building a DSiWare CIA, it'll ask you to try again with the choice to cancel. For the system tickets, the script will fail to completely mount ticket.db.
  10. If region changing the 3DS firmware and there are no system titles shown in HOME Menu, launch the camera applet → Nintendo 3DS Camera → Homebrew Launcher.
  11. Install the system tickets and DSiWare CIAs with FBI. Restore tickets for nonlegit titles with faketik. If you have a lot of games, unwrap them all with Cthuhlu.
  12. Update to the latest firmware version in Recovery Mode or System Settings.
  13. Go back to the script to restore the DSiWare saves.
  14. See if the DSiWare games launch with their saves. Check if DS(i) mode is broken. You may need to follow up with:
    • [3ds.hacks.guide] DSi / DS functionality is broken after completing the guide *
    • * March-12, 2019: At the time of writing this, the hacks.guide has/had outdated CIAs for the Old 3DS TWL_FIRM and New 3DS TWL_FIRM.
    • For firmware 11.9.0-42, the TWL_FIRM should be:
      • 0004013800000102
        • Old_3DS TWL_FIRM
        • Version: 10864 (10.39.0)
        • Product Code: CTR-P-CTAP
      • 0004013820000102
        • New_3DS TWL_FIRM
        • Version: 10962 (10.45.2)
        • Product Code: CTR-P-CTAP

FBI errors 0xD8E08066 and 0xD8E0806C
  • 0xD8E08066 - The system tickets may fail to install due to something called the certs.db (certificates). Your setup at one point either corrupted it or erased & regenerated that file with a dummy nonfunctional copy. A replacement copy borrowed from the CTRTransfer image would then be required. The script can replace that file if you come across this issue. Do not use this option if the problem doesn't exist; certs.db is partially involved with transiting 3DS online play.
  • 0xD8E0806C - The backed up DSiWare titles may fail to install. This is likely to occur if the CTRTransfer was used to region change the firmware. To fix this, install a different DSiWare *.cia file that's not from that backed up set. I have no clue why this hiccup occurs...
Additional Feature: finding and restoring the KeyY.
If you have the Nintendo 3DS folder backed up from a previous profile that was removed from (1) Format System Memory and (2) NOT involved in a System Transfer, this script can brute force up to 256 iterations finding the lost KeyY in the movable.sed linked to a specific <ID0> subfolder. To read more how this works,
Assuming the rest of the KeyY string is correct, finding the 0x118 hex counter that matches the target <ID0> can take up to 1.5 hour to complete or as little as 1 minute. This depends on the search order (this script looks backwards, ex: 03 → 02) versus value of the "correct" hex counter relative to the starting search value (ex, "correct" value is 04 but script is looking backwards, which will take a long time to find and calculate).


Some details of this script, what it does, and why. Ending comment.
  • For "best" case brick scenarios where nothing is missing, this script will only replace import.db, title.db, and titles folder.
  • In the 1:/ drive, only data, dbs, fastboot3ds, fixdata, private, ro, rw, ticket, title, tmp, __journal.nn_, and boot.firm will be backed up. Everything else will be overwritten/deleted.
  • The user's original ticket.db is kept in place so that personal legit tickets can still be individually dumped if the user chooses to do so later.
    • GodMode9 does not appear to recognize personal legit tickets installed on a different or replacement ticket.db.
  • However, universal legit tickets like system titles can be installed on any ticket.db and still be recognized by GodMode9 .
  • Due to the two bulletin points above, this is the reason why Homebrew Launcher is injected in Nintendo 3DS Camera in order to install those system tickets in a round about way.
    • With that said, this script isn't appropriate for those region changing the firmware with broken shoulder buttons and broken cameras.
  • Anyone examining the script's code might be baffled as to why certain sections may seem very redundant. Let's just say trial and error has made this deliberately overprotective as possible.
  • This script wasn't made with speed in mind. Besides, repairing a firmware softbrick isn't a race. Much of the script has comments with pauses so anyone using the script can know what's going on at a given moment.
  • While I hope this script finds good use to those who may need it, I also wish that no one finds himself or herself of having to do so in the first place. But, shit happens.
Almost two days late, but...
Very impressive, nice work!!
I tried my best to understand all the technicalities. The fact I think I did so with most shows the write-up (your nightmare) was a success. So,
Very impressive, nice work!!
 
Last edited by NFates, , Reason: Added a comma because I'm picky
General chit-chat
Help Users
  • No one is chatting at the moment.
    KenniesNewName @ KenniesNewName: https://www.kshb.com/news/local-news/local-brewery-nonprofit-team-up-for-mental-health-awareness...