Hacking ROM Headers Question

[CyrilCommando]

I'd rather not make a new thread to ask this question but... wouldn't converting a .3dz to a .cia allow online perfectly fine seeing as .cia's don't use headers? Or are headers essential for online play?

I believe they do allow online fine. Someone said CIA's online are very easy to detect, so a ban wave might happen to them in the future, but I don't think it's happened yet.

 

[CyrilCommando]

Does not work on 9.5.

+1. This does not work on 9.5. I tried Wulfy's method, and Cyan's methods, all returned "An error has occurred" and sent me back to the Home screen. No new files on the SD Card.

 

[Cyan]

The browser exploit works only up to 9.4

 

[djon]

The browser exploit works only up to 9.4

Oh really? i was on 9.5 and it worked and made a memory.bin, i guess i can't get a header from the ram dump?
Or you mean the gateway game dumper?
Anyways please someone should make a full tutorial on this especially when you get to the the part where you get the game header from the memory.bin.

 

[moonly]

I have my old 3ds on 9.4 and made a memory dump for a sky3ds game, Mario Kart 7, I made quite a few memory.bin,
first I tried to memory dump after i started the game,
second I tried to dump at the moment i tried to connect online(It actually cant go online since it is not being updated in 9.4, and it must be updated to 9.5 to use eshop and update),
so i view those 2 memory.bin in computer, tried to search for the header location,

Since I used the latest sky3ds template i went thru and found this:

"** : CTR-P-AMKJ

SHA1: 5F36D74A867015E66421C60B6DB210C78DBFACE3
00 00 00 00 C2 FA 02 90 62 26 13 00 24 F1 DB 0E
43 54 52 49 4D 41 47 45 00 00 00 00 00 00 00 00
C5 2F 29 A3 FC 60 23 56 BF 5B B1 B7 DA 9C 88 7E
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
81 D5 AD 27 13 A6 2B C2 91 A0 C9 90 DA 90 D7 4D
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
43 54 52 2D 50 2D 41 4D 4B 4A 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 2F"

Supposingly "81 D5 AD 27 13 A6 2B C2 91 A0 C9 90 DA 90 D7 4D" should be somewhere in the memory.bin (?correct me if I am wrong)
So it turns out I cant find any in those 2 bins, not even i flipped bytes.

Here comes the question, is it a MUST to have the game connected to online (in a lobby or sth) instead of "online attempts"(say trying to connect before it gives me an 002-0120 error) in order to dump the header out?
So if my genuine cart got no online function ( Super marios bros 2), the memory.bin method cant be used?


Or... maybe I am stupid that memory.bin isnt the right file to search for headers...

 

[DjoeN]

I have my old 3ds on 9.4 and made a memory dump for a sky3ds game, Mario Kart 7, I made quite a few memory.bin,
first I tried to memory dump after i started the game,
second I tried to dump at the moment i tried to connect online(It actually cant go online since it is not being updated in 9.4, and it must be updated to 9.5 to use eshop and update),
so i view those 2 memory.bin in computer, tried to search for the header location,

Since I used the latest sky3ds template i went thru and found this:

"** : CTR-P-AMKJ

SHA1: 5F36D74A867015E66421C60B6DB210C78DBFACE3
00 00 00 00 C2 FA 02 90 62 26 13 00 24 F1 DB 0E
43 54 52 49 4D 41 47 45 00 00 00 00 00 00 00 00
C5 2F 29 A3 FC 60 23 56 BF 5B B1 B7 DA 9C 88 7E
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
81 D5 AD 27 13 A6 2B C2 91 A0 C9 90 DA 90 D7 4D
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
43 54 52 2D 50 2D 41 4D 4B 4A 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 2F"

Supposingly "81 D5 AD 27 13 A6 2B C2 91 A0 C9 90 DA 90 D7 4D" should be somewhere in the memory.bin (?correct me if I am wrong)
So it turns out I cant find any in those 2 bins, not even i flipped bytes.

Here comes the question, is it a MUST to have the game connected to online (in a lobby or sth) instead of "online attempts"(say trying to connect before it gives me an 002-0120 error) in order to dump the header out?
So if my genuine cart got no online function ( Super marios bros 2), the memory.bin method cant be used?


Or... maybe I am stupid that memory.bin isnt the right file to search for headers...

1. The game info you gave is for Mario Kart 7 (Japanese)
2. No you will not find "81 D5 AD 27 13 A6 2B C2 91 A0 C9 90 DA 90 D7 4D" in your memory.bin, cause it's a public headerID Sky3ds team used
3. For the US game you need to search "CTR-P-AMKE" in the template file (Europe "CTR-P-AMKP" )

 

[moonly]

Oh well yes I am using JPN 3ds fyi,
so then how can i extract the headers out after I have the memory.bin thing out?

According to Cyan

from there, you can continue the step by step guide you were following :

play the game and make a dump, search in this dump your Cartridge header you were using (like said, it can be byte swapped), note the address where you find it.


Play a cartridge and make another dump, look at the same address to find your cartridge header.

"play the game and make a dump, search in this dump your Cartridge header"
isnt that the cartridge header located in the dump?

 

[djon]

Oh well yes I am using JPN 3ds fyi,
so then how can i extract the headers out after I have the memory.bin thing out?

According to Cyan



"play the game and make a dump, search in this dump your Cartridge header"
isnt that the cartridge header located in the dump?

i really wish it was that simple... in a earlier post cyan said this below
"play the game and make a dump, search in this dump your Cartridge header you were using (like said, it can be byte swapped), note the address where you find it."
i would love to dump my pokemon y header to safely play online, but he said it may be byte swapped if you cant find it and all my hope was lost.
So i hope you figure it out.

 

[Cyan]

ah, the browser exploit works with 9.5 ?
I thought it worked only up to 9.4.
Isn't regionthree working up to 9.4, not 9.5? so I thought the exploit has been patched.


Byte swap is a way to read data in reversed order, or grouped-reversed.
header : 0123 4567

full swap : 7654 3210
byte swap : 3210 7654

so, if you know your public header (you should), you need to look at all possible combinations of that header to find the location in the dump.

 

[djon]

ah, the browser exploit works with 9.5 ?
I thought it worked only up to 9.4.
Isn't regionthree working up to 9.4, not 9.5? so I thought the exploit has been patched.


Byte swap is a way to read data in reversed order, or grouped-reversed.
header : 0123 4567

full swap : 7654 3210
byte swap : 3210 7654

so, if you know your public header (you should), you need to look at all possible combinations of that header to find the location in the dump.

Yes, regionthree works on my 9.5, just tested it with RE revelations EUR.
Thank you for that explanation on the byte swap ill see what i can try and pull out, if not ill just give up

 

[CyrilCommando]

Oh really? i was on 9.5 and it worked and made a memory.bin, i guess i can't get a header from the ram dump?

Which method did you use?

 

[moonly]

2. No you will not find "81 D5 AD 27 13 A6 2B C2 91 A0 C9 90 DA 90 D7 4D" in your memory.bin, cause it's a public headerID Sky3ds team used

so, if you know your public header (you should), you need to look at all possible combinations of that header to find the location in the dump.

So I am now confused. Does the public header exist in the memory.bin?
I tried byteswap the "81 D5 AD 27 13 A6 2B C2 91 A0 C9 90 DA 90 D7 4D" can couldnt find anything in the memory.bin....
I wonder if I dump the memory.bin incorrectly? Like I asked before, does it have to be connected to internet before the dump of memory.bin?

A little help from you all would save my MH4G and Mario Kart on sky3ds...(well and probably others too)

 

[Cyan]

I didn't do it myself, I only followed what the other user said two page ago.
I think you need to be connecting, so the header is actually used and in memory. but I don't know how long it stays here, it's probably loaded right at connection time.

 

[4ur0r]

Wait wait wait you're telling me that there is a way to dump 3ds ram and so get the header of a game? Is it doable on N3DS?

 

[Cyan]

if N3DS can use the browser exploit and dump RAM, you can find your own cartridge's ID.

 

[4ur0r]

if N3DS can use the browser exploit and dump RAM, you can find your own cartridge's ID.

How do I do that?

I read that:

I'm too busy with some other RE to type up a full guide at the moment, but the gist is:
1) Use a public header on your rom of the game you own. Note the cartridge (unique) ID of that rom. (0x1240, 16 bytes, or 0x40 in sky3ds template)
2) Start the backup of that game up, try to connect to its online functions, then hit home as it's trying to connect and dump memory.
3) Do that again, but with your real cart.
4) Find your unique ID from your public header in your dump from that. Flip byte order if you can't find it.
5) Search for the same region in your genuine dump. Do this by either jumping to the same address in your first dump (unlikely) or searching for data that was close to your ID in the first dump (do this).
6) When you've found your legit unique ID, add it to your template with sky template maker (or manually if you hate yourself)
EDIT: Oh and here's the dumper I use for my 9.x hax, use it if you don't have your own already.

but I still don't understand how this hack works, do I need some files to be put on my micro sd 3ds card? like homebrews? Also is it fine to use an offline game header with an online content game? I have ninjhax

 

[Cyan]

we don't know if it's fine (detection-wise), but it works.
nintendo could be detecting headers from wrong games, or just detecting flashcart/patched firmware.


I'll wait for wulfyStylez to come here and explain better, as I never dumped RAM myself (I can't use browser exploit for ram dumping, I think it's only for 9.x)

 

[Bananawagon]

I'd rather not make a new thread to ask this question but... wouldn't converting a .3dz to a .cia allow online perfectly fine seeing as .cia's don't use headers? Or are headers essential for online play?

.cia use the header of the 3ds. It works for online play and Nintendo doesn't ban it at the moment.

 

[Zkajavier]

I'm too busy with some other RE to type up a full guide at the moment, but the gist is:
1) Use a public header on your rom of the game you own. Note the cartridge (unique) ID of that rom. (0x1240, 16 bytes, or 0x40 in sky3ds template)
2) Start the backup of that game up, try to connect to its online functions, then hit home as it's trying to connect and dump memory.

3) Do that again, but with your real cart.
4) Find your unique ID from your public header in your dump from that. Flip byte order if you can't find it.
5) Search for the same region in your genuine dump. Do this by either jumping to the same address in your first dump (unlikely) or searching for data that was close to your ID in the first dump (do this).
6) When you've found your legit unique ID, add it to your template with sky template maker (or manually if you hate yourself)
EDIT: Oh and here's the dumper I use for my 9.x hax, use it if you don't have your own already.

I decided to give this a try. Noob and all,

- The code.bin from your link is not dumping anything in 9.5. I tried with duke_srg dumping links then.
- How are you supposed to hit HOME when every game will lock the Home Button while trying to connect?
- I heard someone saying you could press the power button, then home, then dump, but when I do that, I am unable to find the Unique ID anywhere in the dump. I am guessing the Power Button closes the software and therefore will remove the game from the RAM.

I think we are missing something from your steps.

 

[The Real Jdbye]

i see that sky3ds users are getting banned by overusing public headers... however, how does a sky3ds user go about using a legitimate header? how do you find a rom header on a real flashcart? also, how soon are roms dumped online after they are released? thanks guys!

Roms used to be really slow at being released, but now you can usually find them 3+ days before launch day for big releases The 3DS scene stepped up their game. Pokemon OR/AS, Smash 4 and Majoras Mask 3D were all available online at least 3 days before release.
Lesser games can still be pretty slow at appearing on ROM sites though.