[Request] CTRAging (3ds debug app) research.

Discussion in '3DS - Homebrew Development and Emulators' started by PabloMK7, Jan 23, 2016.

  1. Inthescene

    Inthescene Advanced Member

    Newcomer
    3
    Feb 18, 2018
    Canada
    htraE
    Got an error saying the fffuck.exe is for 64-bit only. Is there a 32-bit build I can use? Wanting to get this working on the off chance I have CTRAging still in my partition.
     
    alivebacon likes this.
  2. Razor83

    Razor83 GBAtemp Fan

    Member
    5
    Dec 23, 2009
    So if I extract a nand.bin using fuse-3ds would CTRAging be in the 'titles' folder if it still exists? Or would the fragments only be visible if the NAND is searched using fff*ck.exe?

    Basically I'm confused if the fragments of O3DS CTRAging we have found so far would be immediately visible on the extracted NAND, or if we would need to search the NAND for file fragments that have already been marked as 'deleted' by the filesystem. In which case is there any more modern method to search a NAND dump made by Godmode9? (Since a Godmode9 dump doesn't include the xorkeys the fff*ck.exe requires)

    Also has anyone managed to dump the latest version of CTRAging from a N2DS XL?
     
    Last edited by Razor83, Jun 13, 2018
  3. PabloMK7
    OP

    PabloMK7 Red Yoshi! ^ω^

    Member
    10
    Feb 21, 2014
    Spain
    Yoshi's Island
    Yeah this tutorial is outdated, I will add new methods as soon as I have time.

    Also, CTRAging is marked deleted by the filesystem so any further write could overwrite it very easily.
     
    SirNapkin1334 and Razor83 like this.
  4. Itzumi

    Itzumi goofball of the interwebs

    Member
    4
    Jun 27, 2018
    United States
    USA
    edit: nevermind.
     
    Last edited by Itzumi, Aug 17, 2018
  5. 5pla77er

    5pla77er Newbie

    Newcomer
    2
    Sep 18, 2018
    Italy
    Lombardia, Italia
    Hey I visited the pastebin but MEGA asked a password. What is it?
     
  6. MK7Hax1811

    MK7Hax1811 Member

    Newcomer
    5
    Mar 6, 2018
    Germany
    I'm trying to launch it but it hangs at "wait" and nothing happens. I can launch it with the Main Menu but without sound etc. How can I launch it directly and with sound? Or what am I doing wrong?
     
  7. NekoMichi

    NekoMichi Retro Collector

    Member
    9
    Jun 4, 2015
    Minus World
    Eject any game carts from the card slot before launching.
     
    trainboy2019 likes this.
  8. Hiccup

    Hiccup GBAtemp Advanced Fan

    Member
    6
    Nov 21, 2009
    Do you think you could update this? I'd like to try it out.
    I also wonder if a similar thing could be done for the SD card of a new/nearly-new console (in case dev apps in the form of CIAs-waiting-to-be-installed can be found, or something like that)
     
  9. Sono

    Sono The MCU Deity

    Member
    11
    Oct 16, 2015
    Hungary
    Austro-Hungarian Monarchy
    Edit: yes, I did necrobump, but at least I have useful stuff to share

    I've made some progress on old3DS CTRAging research, so I thought I'd leave some stuff here.

    First of all, it's impossible to get CTRAging unless they manage to make a gap big enough for CTRAging to fully fit in without being overwritten. I have a near-complete old3DS CTRAging, it's just missing the start of the code, but it's missing enough to not be reconstructable, and no old3DS dump I have has that part intact, so fail.

    The reason CTRAging gets overwritten can be observed in a NAND dump I received. First a very basic firmware (probably pre-1.0.0) is installed with a very limited set of sysmodules (if anyone is interested, I can list exactly which sysmodules), TestMenu, CTRAging, and probably 1 or 2 smaller programs, if any. Then once the testing is done, they first delete CTRAging and any other dev app which could come after it, replace the old sysmodules with their new counterparts, delete TestMenu, install some misc factory files, then from there it's a mystery, and it ends up on the shelves.

    To put it shortly, CTRAging gets overwritten by account.dat and mset. We did overestimate how smart Nintendo could be with CTRAging, but no, it's purely unintentional. It just gets uninstalled too early for the last part to not get overwritten.

    As for those who are having problems with the awful program everyone has been using, I made my own. Works in wine too. You need a decrypted CTRNAND for this program to work, and it doesn't accept xorpads yet. You know your CTRNAND is decrypted if you can find "CTR" and "FAT16" very close to each other. I attached the program.
    PUT THE EXE IN AN EMPTY DIRECTORY BECAUSE IT'LL CREATE A LOT OF FILES! The reason is so that we can catch any duplicate titles and have a chance of one of them being hopefully intact.

    Edit3: you can get a decrypted CTRNAND by copying your NAND backup to your 3DS's SDCard, using Godmode9 to mount it, and copy ctrnand_fat.img to /gm9/out
    Or alternatively get ninfs (formerly fusectr (?)) at https://github.com/ihaveamac/ninfs#windows and copy ctrnand_fat.img out of there.

    Edit2: drag the decrypted CTRNAND file on the exe, it has no GUI. A black window (command prompt) will open, scan your CTRNAND, write lots of files to the disk, then close. This is normal. If no files are made then your CTRNAND is not decrypted.

    Edit4:
    I made a typo, so the ff.exe in the attachment only dumps CTRAging. DO NOT DELETE YOUR BACKUPS! Keep ctrnand_fat.img until I release a new tool which does forensic analysis on ctrnand_fat.img (instead of just dummy scanning for NCCH) which has a much higher chance of recovering corrupted titles.
     
    Last edited by Sono, Jun 7, 2019
  10. PabloMK7
    OP

    PabloMK7 Red Yoshi! ^ω^

    Member
    10
    Feb 21, 2014
    Spain
    Yoshi's Island
    How much of the starting part of the code is overwritten?
     
  11. Sono

    Sono The MCU Deity

    Member
    11
    Oct 16, 2015
    Hungary
    Austro-Hungarian Monarchy
    100000h to 11B758h

    And those are 100% lost due to being overwritten by account.dat and mset.
     
    alivebacon likes this.
  12. PabloMK7
    OP

    PabloMK7 Red Yoshi! ^ω^

    Member
    10
    Feb 21, 2014
    Spain
    Yoshi's Island
    That section is actually part of the SDK, but since we don't have any other app compiled with such an old SDK version I don't think it's recoverable.
     
  13. Sono

    Sono The MCU Deity

    Member
    11
    Oct 16, 2015
    Hungary
    Austro-Hungarian Monarchy
    Nope. Most of the SDK functions are intact. There are actually some CTRAging-unique functions very early in there, like Serial port functions, undocumented MCU stuff, A LOT of test scripts, and other juicy stuff which are lost to the corruption.
     
  14. Sono

    Sono The MCU Deity

    Member
    11
    Oct 16, 2015
    Hungary
    Austro-Hungarian Monarchy
    Last edited by Sono, Jun 7, 2019
  15. Razor83

    Razor83 GBAtemp Fan

    Member
    5
    Dec 23, 2009
    There are at least 3 (possibly 4) versions of CTRAging, but so far we have only managed to recover one version - V3. The cxi size of each version is:

    V1 = 13,821KB
    V2 = 14,720KB
    V3 = 31,592KB

    V3 appears to be exclusive to the N3DS / N3DS XL models, but for the O3DS / O3DS XL / 2DS models the version your system has depends on when it was manufactured, not what type of system it is (So for instance you could have an O3DS with V2 or an O3DS XL with V1, if that was the latest version available when it was manufactured)

    I'm guessing that there may even be a V4 on N2DS XL systems, but so far no-one has recovered CTRAging from a N2DS XL.

    Great guide Sono :)

    I had actually been writing up a guide myself which I was hoping could replace the one in the OP, but hadn't got around to posting it yet. I'm sure it's not as good as yours, but I may as well post the draft version here as an alternative method, since it may be useful to some people and the more people searching the better chance we have of finding an intact O3DS CTRAging.
    CTRAging Recovery Guide
    What I would really appreciate now is an automated method to check if the 100000h to 11B758h offsets are intact or have been overwritten in the cxi / ncch
     
    Last edited by Razor83, Jun 7, 2019
    Sono likes this.
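As an added example (not Sono's attached tool or Razor83's guide), here is a small Python carver that does what the two posts above describe: it applies Sono's "CTR" near "FAT16" check to confirm the CTRNAND image is plaintext, carves every NCCH whose header sits on a 0x200 media-unit boundary (deleted files included, since the FAT is ignored), and reports whether Razor83's 100000h-11B758h range is present and looks like code (non-zero, high entropy) or like overwritten filler. Assumptions: offsets are taken from the start of the NCCH, the NCCH header fields used (magic at 0x100, content size in media units at 0x104, title ID at 0x118) are the standard ones, and the sample image is constructed, not a real dump.

```python
import math
import struct

NCCH_MAGIC = b"NCCH"
MEDIA_UNIT = 0x200
# Range Razor83 asked about; treated here as offsets from the NCCH start (assumption).
LOST_START, LOST_END = 0x100000, 0x11B758


def is_decrypted_ctrnand(img: bytes) -> bool:
    """Sono's heuristic: plaintext CTRNAND shows "CTR" and "FAT16" close together
    (OEM-name and file-system-type fields of the FAT16 boot sector)."""
    pos = img.find(b"CTR")
    while pos != -1:
        if img.find(b"FAT16", pos, pos + 0x80) != -1:
            return True
        pos = img.find(b"CTR", pos + 1)
    return False


def carve_ncch(img: bytes):
    """Return (offset, title_id, size, blob) for each NCCH header found on a media-unit
    boundary. Every hit is kept, even duplicate title IDs, so corrupt copies can be compared."""
    found = []
    pos = img.find(NCCH_MAGIC)
    while pos != -1:
        start = pos - 0x100                      # magic lives at header offset 0x100
        if start >= 0 and start % MEDIA_UNIT == 0:
            size_mu, = struct.unpack_from("<I", img, start + 0x104)
            title_id, = struct.unpack_from("<Q", img, start + 0x118)
            size = size_mu * MEDIA_UNIT
            found.append((start, title_id, size, img[start:start + size]))
        pos = img.find(NCCH_MAGIC, pos + 1)
    return found


def region_report(blob: bytes, lo: int = LOST_START, hi: int = LOST_END) -> dict:
    """Is the range present in the carved blob, how much of it is zero, and what is its
    byte entropy? Overwritten or unallocated space tends to be zero-filled or low-entropy."""
    chunk = blob[lo:hi]
    if len(chunk) < hi - lo:
        return {"present": False, "zero_frac": None, "entropy": None}
    n = len(chunk)
    counts = [chunk.count(bytes([v])) for v in range(256)]
    entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
    return {"present": True, "zero_frac": chunk.count(0) / n, "entropy": entropy}


def build_sample() -> bytes:
    """Constructed test image: one FAT16-looking boot sector followed by one tiny NCCH."""
    boot = bytearray(MEDIA_UNIT)
    boot[3:11] = b"CTR     "                     # OEM name field
    boot[0x36:0x3E] = b"FAT16   "                # file-system-type field
    ncch = bytearray(2 * MEDIA_UNIT)
    ncch[0x100:0x104] = NCCH_MAGIC
    struct.pack_into("<I", ncch, 0x104, 2)       # content size: 2 media units
    struct.pack_into("<Q", ncch, 0x118, 0x0123456789ABCDEF)  # constructed title ID
    ncch[MEDIA_UNIT:] = bytes(range(256)) * 2    # high-entropy "code" payload
    return bytes(boot) + bytes(ncch)
```

Run it against a real ctrnand_fat.img by replacing the constructed sample with the file contents and writing each carved blob to its own file named by offset, so duplicates are not clobbered.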
  16. Sono

    Sono The MCU Deity

    Member
    11
    Oct 16, 2015
    Hungary
    Austro-Hungarian Monarchy
    I managed to get old3DS CTRAging v2 working with a broken ROMFS. Sadly it's not possible yet to get v1 working due to all 13 of the dumps I've got having the EXACT SAME corruption at the exact same place, but I managed to bruteforce the code.bin into being functional.
    The only thing which crashes (as in, data abort) is the key tests, the rest only do an errF due to a broken ROMFS which I'll try to fix for a video.
    Just to save your time, v2 is almost like v3 (new3DS-only), except the camera test is working, and there are some useless tests which are missing from v3.

    Video coming soon (albeit it's extremely boring)
     
    Zurdonx, Razor83, PabloMK7 and 2 others like this.
  17. PabloMK7
    OP

    PabloMK7 Red Yoshi! ^ω^

    Member
    10
    Feb 21, 2014
    Spain
    Yoshi's Island
    Nice finding! You can use the ROMFS from the v3 one as iirc it's the same
     
    Sono likes this.
  18. Sono

    Sono The MCU Deity

    Member
    11
    Oct 16, 2015
    Hungary
    Austro-Hungarian Monarchy
    <celebration>
    I would like to thank everyone who has helped me with this project!

    Special shoutouts to @ClickCLK and Normatt, without them I would not have been able to do the research required to do this.

    </celebration>

    Too bad v2 is just a dumbed-down v3 (new3DS). CTRAging v1 is STILL the most interesting CTRAging, as it includes A LOT of stuff which was removed from v2.

    Here's the video I promised yesterday:


    There's no download link because
    1) it's against the forum rules
    2) it's pointless, and I showed everything in the video
     
    Voxel likes this.
  19. zoogie

    zoogie playing around in the dsiware

    Member
    21
    Nov 30, 2014
    Micronesia, Federated States of
    "pointless"
    This app has twl archive access, which could grant cfw access in a homebrew takeover situation.
    If this app is signed and legit, it would be very valuable.
     
  20. Sono

    Sono The MCU Deity

    Member
    11
    Oct 16, 2015
    Hungary
    Austro-Hungarian Monarchy
    Nope. Sadly I had to recreate the NCCH *from scratch* because of how much corruption has infested all of the samples I have.
    I had to recreate code.bin from scratch, and it still has some bit errors which don't seem to affect anything. As for the ROMFS, I had to use the files from the public leak of the v3 CTRAging because I only have three v2 samples, and the only one which has a readable ROMFS is missing a lot of files still, and they are also corrupted.

    So yeah, sadly this is not usable, we'd need a perfect dump for that.
     
    zoogie likes this.