Rom Injection Tool

Discussion in '3DS - Flashcards & Custom Firmwares' started by FrankVVV, Aug 19, 2014.

  1. FrankVVV
    OP

    FrankVVV Member

    Newcomer
    36
    9
    Dec 1, 2013
    Belgium
We have now seen a few releases where a ROM from an older console was injected into a new one so it became a 3DS VC ROM. Do you think someone will sooner or later release a tool so we could do this ourselves easily, or would that be too complicated? Imagine the thousands of extra games that could be played on the 3DS!!!
     
  2. jonthedit

    jonthedit GBAtemp Advanced Maniac

    Member
    1,691
    438
    May 30, 2011
    Bangladesh
    Please, do post these "few releases" and any other examples.
    :blink:
     
  3. ChrisX930

    ChrisX930 Banned

    Banned
    788
    317
    Sep 3, 2013
    Gambia, The
    Germany
    Want to see it too o_o
    It should be possible to replace a ROM inside the VC game, like on the Wii.
    But I think we need a homebrew loader or something, or a method of signing the modified VC games so they run on our 3DS (like signing homebrew on PSP to run it on OFW).
     
  4. Ziggyro
    This message by Ziggyro has been removed from public view by BORTZ, Aug 19, 2014, Reason: thank you for that contribution.
    Aug 19, 2014
  5. gamesquest1

    gamesquest1 Nabnut

    Member
    14,164
    9,523
    Sep 23, 2013
    AFAIK the BBB Game Boy Pokémon releases are encrypted as homebrew, i.e. not using the proper encryption. So if you look into how the homebrew is encrypted, you might be able to decrypt them and inject a different ROM.

    Personally I think homebrew emulators would be better: instead of having a hundred and one different VC titles, just have an emulator that you can drag & drop games into. But whatever :P
     
  6. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    12,512
    5,473
    Mar 17, 2010
    Norway
    Alola
    Homebrew is just encrypted with a zero-filled key. ctrtool can extract the data from the ROM (so can 3DSExplorer to some degree), makerom can repack the ROM after editing.
    So if they really are encrypted with a zero key, it should be a simple task to inject another ROM into it.
    I may have a go at it later.
     
  7. Dartz150

    Dartz150 GBATemp Official Lolicon Onii-chan™

    Member
    1,407
    845
    May 5, 2010
    Mexico
    On a Strange Journey
    Those are by smealum except the last one. And he was only showing something he was able to do, not saying that it is a reality or that it may be released, so please don't start a flamewar about that; my pure intention is to show something requested here, not to whine about something.
     
  8. Relys

    Relys Master of Computer Science

    Member
    863
    789
    Jan 5, 2007
    United States

    Are you sure it's encrypted as homebrew? Couldn't they use the 3DS's AES engine to re-encrypt the file with the proper key, since AES is a symmetric algorithm?

    "For homebrew you can decrypt the file to a readable format but we normally use the elf file (AES key for homebrew is 00000000000000000000000000000000; the NCCH offset is located at 0x120 in media units (1 media unit = 0x200 bytes)) so if you want to add homebrew NCSD support you can add that pretty easily. For nin code you need to run a decrypter on the 3DS or have the Y-key and the final scrambler key" ~ichfly

    So, if it is encrypted with the homebrew key we should be able to extract it, inject the ROM and repack. Also, it will be easier to inject a ROM into a BBB release that has already been injected (such as the Pokémon ones), the reason being that Nintendo doesn't use scene releases for the NES/GBA etc. ROMs. It will be easier to identify the header of the injected ROM, as you can just look at the scene releases for the NES/GBA ROMs.
     
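The quote above gives the two facts you need to find the NCCH inside a .3ds (NCSD) image by hand: the partition table sits at 0x120 and its entries are in media units of 0x200 bytes. The following is an added example written for this page (it is not from the thread, and not ctrtool or makerom code): a stdlib-only Python parser that walks the NCSD partition table, checks the NCCH magic, and reads the ExeFS/RomFS offsets and the NCCH crypto flags, which is how you tell a "homebrew"/fixed-key (all-zero key) partition from a retail-keyed one before trying to decrypt anything. The header offsets follow the publicly documented NCSD/NCCH layout; the flag bit values and the sample image are assumptions constructed inside the code, not taken from any real release.

```python
import struct

MEDIA_UNIT = 0x200  # 1 media unit = 0x200 bytes, as quoted in the post above

# NCCH flags[7] bit masks, as publicly documented for the format (assumption: taken
# from the public 3DS format docs, not from this thread).
FLAG_FIXED_CRYPTO_KEY = 0x01  # keyed with the fixed key (all-zero for non-system titles)
FLAG_NO_MOUNT_ROMFS = 0x02
FLAG_NO_CRYPTO = 0x04         # ExeFS/RomFS stored in plaintext


def parse_ncch(part: bytes) -> dict:
    """Read the fields of one NCCH partition header we care about for injection."""
    if len(part) < 0x200 or part[0x100:0x104] != b"NCCH":
        raise ValueError("partition does not carry an NCCH header at 0x100")
    flags = part[0x188:0x190]
    exefs_off, exefs_sz = struct.unpack_from("<II", part, 0x1A0)
    romfs_off, romfs_sz = struct.unpack_from("<II", part, 0x1B0)
    return {
        "product_code": part[0x150:0x160].rstrip(b"\0").decode("ascii", "replace"),
        "no_crypto": bool(flags[7] & FLAG_NO_CRYPTO),
        "fixed_key": bool(flags[7] & FLAG_FIXED_CRYPTO_KEY),
        # (offset, size) in bytes, relative to the start of the partition
        "exefs": (exefs_off * MEDIA_UNIT, exefs_sz * MEDIA_UNIT),
        "romfs": (romfs_off * MEDIA_UNIT, romfs_sz * MEDIA_UNIT),
    }


def parse_ncsd(img: bytes) -> list:
    """Walk the 8-entry partition table at 0x120 and parse every non-empty NCCH."""
    if len(img) < 0x200 or img[0x100:0x104] != b"NCSD":
        raise ValueError("not an NCSD image (missing magic at 0x100)")
    partitions = []
    for i in range(8):
        off_mu, len_mu = struct.unpack_from("<II", img, 0x120 + 8 * i)
        if len_mu == 0:
            continue
        start, size = off_mu * MEDIA_UNIT, len_mu * MEDIA_UNIT
        if start + size > len(img):
            raise ValueError(f"partition {i} runs past the end of the image")
        partitions.append({"index": i, "offset": start, "size": size,
                           "ncch": parse_ncch(img[start:start + size])})
    return partitions


def crypto_summary(ncch: dict) -> str:
    """Plain-language verdict on whether offline decryption is even possible."""
    if ncch["no_crypto"]:
        return "plaintext (NoCrypto flag set)"
    if ncch["fixed_key"]:
        return "fixed key (all-zero AES key, decryptable offline)"
    return "retail keyslot (needs console-side decryption)"


def build_sample_image() -> bytes:
    """Constructed sample: a one-partition NCSD whose NCCH is flagged fixed-key."""
    ncch = bytearray(0x400)
    ncch[0x100:0x104] = b"NCCH"
    struct.pack_into("<I", ncch, 0x104, len(ncch) // MEDIA_UNIT)   # content size
    ncch[0x150:0x160] = b"CTR-P-TEST".ljust(0x10, b"\0")          # made-up product code
    ncch[0x188 + 7] = FLAG_FIXED_CRYPTO_KEY
    struct.pack_into("<II", ncch, 0x1A0, 1, 0)  # ExeFS at media unit 1, empty
    struct.pack_into("<II", ncch, 0x1B0, 1, 1)  # RomFS at media unit 1, one unit long
    hdr = bytearray(0x200)
    hdr[0x100:0x104] = b"NCSD"
    struct.pack_into("<I", hdr, 0x104, (len(hdr) + len(ncch)) // MEDIA_UNIT)
    struct.pack_into("<II", hdr, 0x120, 1, len(ncch) // MEDIA_UNIT)  # partition 0 at unit 1
    return bytes(hdr + ncch)


if __name__ == "__main__":
    for p in parse_ncsd(build_sample_image()):
        n = p["ncch"]
        print(f"partition {p['index']} @ 0x{p['offset']:X}: {n['product_code']} "
              f"romfs={n['romfs']} crypto: {crypto_summary(n)}")
```

Run it on a real dump with `parse_ncsd(open("game.3ds", "rb").read())`; if `crypto_summary` reports a retail keyslot, no amount of repacking with makerom will get you a readable RomFS, which is the point several posters make later in the thread.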
  9. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    12,512
    5,473
    Mar 17, 2010
    Norway
    Alola
    So, I had a look...
    [image]
    Looks like the ROM is easily accessible, so injecting a new one should be no problem :)

    Edit:
    The ROM loaded up in VBA-M just fine too, once renamed to .gbc file extension:
    [image]

    However, the edited file cannot be repacked into a RomFS using makerom. Quote from 3DSGuy: "However makerom fails to calculate two fields (relating to the organisation of the embedded FS) properly, so the 3DS doesn't accept the romfs makerom creates. I never figured out how to generate those two fields. So romfs generation remains nearly working (close but no cigar)."
    If there is another tool to create romFS, or one is made, ROM injection will be easy. Otherwise... not so much.
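The post above found the Game Boy ROM sitting in the extracted RomFS and confirmed it by renaming it to .gbc and loading it in VBA-M. An added example, written for this page and not taken from the thread or from ctrtool: a Python script that does that identification without an emulator, by scanning any blob (an extracted RomFS file, or a whole RomFS.bin) for the 48-byte Nintendo logo that every Game Boy/Game Boy Color cartridge header carries at 0x104, then validating the header checksum at 0x14D and carving the ROM out using the size code at 0x148. The sample "RomFS" it runs on is constructed inside the code; the logo bytes and checksum rule are the standard ones from the cartridge header specification.

```python
import struct

# The 48-byte boot-ROM logo present at 0x104 in every GB/GBC cartridge header.
NINTENDO_LOGO = bytes.fromhex(
    "CEED6666CC0D000B03730083000C000D0008111F8889000EDCCC6EE6DDDDD999"
    "BBBB67636E0EECCCDDDC999FBBB9333E"
)


def gb_header_checksum(rom: bytes, base: int = 0) -> int:
    """Header checksum over 0x134..0x14C: x = x - byte - 1 for each byte, mod 256."""
    x = 0
    for b in rom[base + 0x134:base + 0x14D]:
        x = (x - b - 1) & 0xFF
    return x


def gb_global_checksum(rom: bytes) -> int:
    """16-bit sum of every byte except the two checksum bytes at 0x14E/0x14F."""
    return (sum(rom) - rom[0x14E] - rom[0x14F]) & 0xFFFF


def gb_rom_size(size_code: int) -> int:
    """0x148 size code: 0 = 32 KiB, each step doubles (codes 0..8 are the plain ones)."""
    if size_code > 8:
        raise ValueError(f"unsupported ROM size code 0x{size_code:02X}")
    return 0x8000 << size_code


def find_gb_roms(blob: bytes) -> list:
    """Locate every cartridge header in `blob` by its logo; report checksum validity."""
    hits = []
    pos = blob.find(NINTENDO_LOGO)
    while pos != -1:
        base = pos - 0x104
        if base >= 0 and base + 0x150 <= len(blob):
            hits.append({
                "offset": base,
                "title": blob[base + 0x134:base + 0x143].rstrip(b"\0").decode("ascii", "replace"),
                "cgb": bool(blob[base + 0x143] & 0x80),      # 0x80/0xC0 = Game Boy Color
                "header_checksum_ok": blob[base + 0x14D] == gb_header_checksum(blob, base),
                "size": gb_rom_size(blob[base + 0x148]),
            })
        pos = blob.find(NINTENDO_LOGO, pos + 1)
    return hits


def carve_gb_rom(blob: bytes, hit: dict) -> bytes:
    """Cut the ROM out of the blob; this is the file you would rename to .gb/.gbc."""
    rom = blob[hit["offset"]:hit["offset"] + hit["size"]]
    if len(rom) != hit["size"]:
        raise ValueError("ROM is truncated by the end of the container")
    return rom


def build_sample_rom() -> bytes:
    """Constructed 32 KiB GBC ROM with a valid header (not a real game)."""
    rom = bytearray(0x8000)
    rom[0x100:0x104] = bytes([0x00, 0xC3, 0x50, 0x01])   # nop ; jp $0150
    rom[0x104:0x134] = NINTENDO_LOGO
    rom[0x134:0x143] = b"INJECTED".ljust(15, b"\0")
    rom[0x143] = 0x80    # CGB-compatible
    rom[0x147] = 0x00    # cartridge type: ROM only
    rom[0x148] = 0x00    # 32 KiB
    rom[0x14D] = gb_header_checksum(rom)
    struct.pack_into(">H", rom, 0x14E, gb_global_checksum(rom))
    return bytes(rom)


def build_sample_container() -> bytes:
    """Constructed stand-in for an extracted RomFS file: padding, the ROM, trailing data."""
    return b"\0" * 0x1000 + build_sample_rom() + b"\xFF" * 0x300


if __name__ == "__main__":
    blob = build_sample_container()
    for h in find_gb_roms(blob):
        print(f"0x{h['offset']:X}: {h['title']!r} cgb={h['cgb']} "
              f"header_ok={h['header_checksum_ok']} size={h['size']} bytes")
```

Point `find_gb_roms` at each file ctrtool pulls out of the RomFS; a hit with `header_checksum_ok` true is almost certainly the embedded game, and `carve_gb_rom` gives you exactly the bytes to write out as a .gbc file. A replacement ROM for injection must also pass the same header check (the real hardware boot ROM verifies the logo and header checksum), so the two checksum helpers double as a sanity check on whatever you intend to put back in.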
     
  10. Relys

    Relys Master of Computer Science

    Member
    863
    789
    Jan 5, 2007
    United States
    That's awesome!!! How did you do that??? I tried poking around in 3DS Explorer and got ExeFS.bin and RomFS.bin. I decrypted RomFS.bin with the AES key. I'm guessing FS stands for file system??? Do you have to mount it?
     
  11. Mikecrowfone

    Mikecrowfone Banned

    Banned
    250
    34
    Jul 25, 2014
    United States
    So a noob question here... Here are my thoughts; correct me if I am incorrect with any of them.
    1. Homebrew .3ds files are encrypted as homebrew.
    2. These HB .3ds files can run using SSSpwn.
    3. .3ds game ROM files can be translated so long as they can be decrypted.
    4. If perchance .3ds ROMs can be decrypted, they can be re-encrypted as HB and will still run.
    5. Since this .3ds ROM is re-encrypted as HB, it will run on SSSpwn.
    6. Also, it seems that the current injected GB VC ROMs are incredibly inefficient, bloating a ~5 MB ROM to occupy a minimum of 64 MB.
     
  12. Relys

    Relys Master of Computer Science

    Member
    863
    789
    Jan 5, 2007
    United States
    SSSpwn doesn't run .3DS files, so no that won't work. ;)
     
  13. Duo8

    Duo8 I don't like video games

    Member
    3,444
    1,144
    Jul 16, 2013
    But it will run homebrews. If commercial ROMs are repacked as HB ROMs they should work.
     
  14. Mikecrowfone

    Mikecrowfone Banned

    Banned
    250
    34
    Jul 25, 2014
    United States
    Where is it mentioned that it can't run .3ds files? I thought it was just mentioned that it doesn't allow the running of roms. If a rom can be encrypted as homebrew then it should theoretically work.
     
  15. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    12,512
    5,473
    Mar 17, 2010
    Norway
    Alola
    ctrtool can extract files from RomFS.
    makerom can create RomFS.bin but is missing an essential piece for the 3DS to accept the generated RomFS, there doesn't seem to be another tool that can create a RomFS either, so we're out of luck for the moment...

    No, .3ds is the file format of ROMs. No ROMs means no .3ds. Homebrew will likely be run in an entirely different way than commercial games, so it will be impossible to run commercial games using the same method.
     
  16. Mikecrowfone

    Mikecrowfone Banned

    Banned
    250
    34
    Jul 25, 2014
    United States
    So this means that SSSpwn would require an app to load .3ds files and a tool to repack commercial roms as homebrew and SSSpwn will allow piracy! :wacko: Gosh!
     
  17. Relys

    Relys Master of Computer Science

    Member
    863
    789
    Jan 5, 2007
    United States

    Homebrew .3DS files are official ROMs encrypted with the 0000... AES key.

    SSSpwn is a userland exploit and they have their own way of executing code inside that sandbox.

    Sorry warez kiddies, it's not going to happen.

    It runs homebrew inside of userland. No, it doesn't work that way.

    Nope, nope, nope.
     
  18. Relys

    Relys Master of Computer Science

    Member
    863
    789
    Jan 5, 2007
    United States
    I just built ctrtool. What arguments do I pass it to extract the RomFS (sorry for the n00b question, I haven't used it before)?

    Is the source for makerom out there? We might be able to fix it.
     
  19. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    12,512
    5,473
    Mar 17, 2010
    Norway
    Alola
    ctrtool --romfsdir out_directory RomFS.bin
    Will extract the contents of RomFS.bin to out_directory.

    Fixing makerom would be a simple matter for someone who has reverse engineered the RomFS format fully, but that's not my strong suit. If 3DSGuy wasn't able to figure it out, most of us aren't likely to.
    Source: https://github.com/3DSGuy/Project_CTR/tree/master/makerom
     
  20. Mikecrowfone

    Mikecrowfone Banned

    Banned
    250
    34
    Jul 25, 2014
    United States

    Ok. SSSpwn allows homebrew. Homebrew can do whatever the official dev kit can do. In theory, a homebrew on the scale of Pokémon X/Y can be created.

    Homebrew .3ds files are official stuff just encrypted with the 0000... AES key, i.e. a ROM that has been decrypted and re-encrypted with homebrew keys. So if you can decrypt a 3DS game ROM and re-encrypt it with homebrew keys, the .3ds ROM is now recognized by the system as homebrew and will run.

    SSSpwn executes code within a sandbox. The code that it can execute should include the code in .3ds game ROMs, since 3DS homebrew by its very definition allows the creation of official-SDK stuff, but as homebrew instead.
     
  21. Duo8

    Duo8 I don't like video games

    Member
    3,444
    1,144
    Jul 16, 2013
    How about just decrypt the ROM and use a loader to load the ROM in?
    I'm assuming the exploit allows for permissions on par with commercial games.