[Wip Release] ctrcdnfetch - Tool to download 3DS eshop content after 11.8

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by luigoalma, Oct 3, 2018.

  1. luigoalma
    OP

    Hello everyone, I've made a tool for downloading content from 3DS's eshop after the 11.8 update.
    Like other tools (for example, cearp's FunkyCIA), it allows a user to do a download backup of their purchased content from the eshop.

    The tool, however, will require you to provide a signed ticket that will get sent to Nintendo servers, as the server-side checks won't allow access to content without one or with an unsigned ticket. The tool itself does perform signature checks before accessing content. (And if you're curious, no, a ticket for title A won't work for title B, even if signed; you can't access content if the title ID doesn't match between the ticket and the content.) But eshop tickets do contain console and account IDs, so be careful.
    The tool is open source under MIT and provided here, and I will also provide built releases for Windows (and Mac once I've got an environment setup for building).

    I've provided an explanation in README.md but will give a short explanation of how to use it. Either grab a built release or build it yourself, and have the tool on your path:
    1. Open the terminal/command line
    2. With the tool on your path (or in the current directory on Windows cmd, not PowerShell), type: ctrcdnfetch pathtoyourticketfile
    3. Let it work, it will check and start downloading if possible.

    The tool currently lets you also do --proxy if you need one to access the internet at all or whatever is a user's reason to use one, in that case, a user may do for example:
    ctrcdnfetch --proxy https://exampleuser:password@example.org:1234 pathtoyourticketfile

    The tool will also take multiple ticket files, so you can list them on arguments and it will go one by one.
    However the tool doesn't create cias for you yet, you'll need make_cdn_cia to make them for you (as for now).
    The resulting cias are installable since it produces a cetk that allows making a cia that won't prevent installation. Except if --use-for-cetk is used; in that case it will use your original ticket to make a cetk.
    Tickets like preinstall non unique console ones are always used since they already don't stop you from installing a cia made from them.

    Downloads end up in the currently active folder of your terminal, each title ending up in a folder named after its title ID read from the ticket.

    That's all for now, hope it's of use!

    Edited for new details on new code addition! Need to grab new build or source though.
     
    Last edited by luigoalma, Oct 5, 2018
  2. Olmectron

    Cool. I got a huge library of games to backup in my eShop account.
     
  3. brunocar

    nice, I really didn't want to use eshop, can I buy games somewhere else and then use this?
     
  4. luigoalma
    OP

    currently, I believe there's no way?
    you still would need a valid signed ticket to access contents, so....
     
  5. ThoD

    This seems like an EXTREMELY niche way of doing things, since downloading legit titles can very easily just be done straight through the eshop. Only advantage I see this having is to avoid losing DLC of games/apps that are the kind to get auto-deleted if pirated (eg: SwapDoodle)... Any reasons besides that for anyone to choose this over straight up downloading directly from the eshop normally?
     
  6. luigoalma
    OP

    Paranoia: users paranoid about entering the eshop at the risk of being banned because they pirated before.
    Even though this will send tickets that came from the console as well, even if I'm trying to keep the tool matching a 3DS on requested access, you know, there's always a bit of risk. Unless the console preinstalled tickets, I suppose?
    Also, it won't send the ticket at all to Nintendo servers if it's not signed, while eshop may. (I haven't tested if eshop does or not and don't really fully want to, considering it's sending to Nintendo. e~e)
     
    Last edited by luigoalma, Oct 4, 2018
  7. yonaikerlol

    Can I use this with an external download manager, like aria2c?
     
  8. luigoalma
    OP

    I don't think so? It's an individual tool itself, and what it does is access the CDN normally, but with the ticket encrypted and wrapped in headers, with ticket checks and so on, so access is not rejected.
    But I'm also not sure how those download managers work soooo..
     
    Last edited by luigoalma, Oct 4, 2018
  9. yonaikerlol

    Seeing the code, it reads the .tik, and then encrypts it in Base64, and it downloads with the Curl library, right?

    But this information is sent through the HTTP protocol, so I guess the information will be sent in the Headers, right?
    The X-Authentication-Key and X-Authentication-Data headers.
     
  10. yonaikerlol

    Sorry for the multipost, but when installing the cia generated by this program, I get a Certificate error in FBI.

    I tried to download it with aria2c, extracting the base64 headers, and it worked, but when compiling it with make_cdn_cia, I got an error that the cetk was not found, and the cetk did not exist (404) for the title that I am downloading
     
  11. luigoalma
    OP

    I was about to reply to your question earlier but I'll reply to this one first.
    CETK is a ticket, basically.
    And yes, it errors right now. There's a reason: AM throws an error at cia files with unique tickets (eshop ones) instead of universally signed ones like a system title ticket,
    so you'd need to hex edit the cia file in one spot (around the ticket region) and 0 out the console id info of the ticket, or run make_cdn_cia with a fabricated CETK instead of the original ticket file, something I'm yet to implement in the code to do for the user.

    — Posts automatically merged - Please don't double post! —

    To explain basically the process of it:
    Read and check the ticket file, loading it to a buffer and checking the signature, and reading the Title ID to know what to download.
    If properly signed, we take the ticket and encrypt it with AES-CBC 128 bit with two randomly generated 128 bit values (a Key and an IV), then grab both key and iv and put them together. Since they don't use the normal PKCS1 v1.5 padding on the console when padding for RSA encryption of the two, I imitated the actual padding done in the console and then encrypted with rsa raw padding. Then both, after being encrypted, are formatted into Base64; the encrypted key and iv are sent in X-Authentication-Key and the encrypted ticket (by that key and iv) is sent in X-Authentication-Data in http headers when accessing the title content.
    The Public RSA Key used is from 11.8 NFIRM since it was introduced in this version.
     
    yonaikerlol likes this.
  12. yonaikerlol

    How can I make a cetk with make_cdn_cia?
    I also have ctrtool, 3dstool, just in case.

    This is cetk? http://ccs.cdn.c.shop.nintendowifi.net/ccs/download/0004013800000002/cetk

    Wow, I think I understood, thanks.
     
    Last edited by yonaikerlol, Oct 4, 2018
  13. luigoalma
    OP

    The program makes one with your ticket in the folder unless it encounters an issue.
    If so, on Windows, check %appdata%\3ds; if not existent, check %userprofile%\.3ds; if also nonexistent, check %userprofile%\3ds, and find the file named "CA00000003-XS0000000c.bin", downloaded during this process from a cetk of a system title, which is the same issuer. (On Mac check ~/Library/Application Support/3ds, ~/.3ds and ~/3ds. Any others just check in ~/.3ds and ~/3ds)
    Hexedit a copy of your target ticket, glue the ticket and CA00000003-XS0000000c.bin together IF your ticket is 848 bytes long (first ticket data, then CA00000003-XS0000000c.bin following it after), if it's 2640 bytes, it already is set to go then. (Ninty only uses one key to sign tickets on 3ds currently)
    Go to offset 0x1D0 and set 12 bytes in hex to 00, and also at offset 0x21C set also to 00 4 bytes.
    Once done, save as a new copy, that's your CETK and should be 2640 bytes long.
    If you need clarification, ask >~<
     
    Last edited by luigoalma, Oct 4, 2018
  14. yonaikerlol

    Ok, I have a file in ~/.3ds, called CA00000003-XS0000000c.bin

    It has a length of 1792 bytes, I open it in Vim (with the command %!xxd for Hex editor), and what do I do?

    I did not understand very well.
     
  15. luigoalma
    OP

    I'm assuming you're on Linux or Mac.
    Check your ticket size, it should be 848 bytes.
    If that's correct, run cat yourtikfile ~/.3ds/CA00000003-XS0000000c.bin > yourtitleidfoldertarget/CETK
    This will glue the two.
    Get a hex editor if you don't have one (these are binary files, not text, don't use vim) and, "Go to offset 0x1D0 and set 12 bytes in hex to 00, and also at offset 0x21C set also to 00 4 bytes." on the produced CETK file
     
    Last edited by luigoalma, Oct 4, 2018
    yonaikerlol likes this.
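
Added example (not part of the thread and not ctrcdnfetch code): a Python check built only from the sizes and offsets quoted in posts 13 and 15. It reports whether a ticket or CETK file still carries the console-unique bytes the first post warns about, and returns a zeroed copy without touching the original. The field labels and the sample ticket are constructed assumptions.

```python
# Sizes and offsets are the ones quoted in the thread; labels are assumptions.
TICKET_LEN = 848                    # bare ticket
CHAIN_LEN = 1792                    # CA00000003-XS0000000c.bin
CETK_LEN = TICKET_LEN + CHAIN_LEN   # 2640, ticket followed by the chain
UNIQUE_FIELDS = {                   # label -> (offset, length)
    "unique_0x1D0": (0x1D0, 12),
    "unique_0x21C": (0x21C, 4),
}


def classify(blob: bytes) -> str:
    """Identify the layout purely by length, as the thread does."""
    if len(blob) == TICKET_LEN:
        return "ticket"
    if len(blob) == CETK_LEN:
        return "ticket+chain"
    return "unknown"


def populated_fields(blob: bytes) -> list:
    """Labels of the console-unique fields that are not all zero."""
    if classify(blob) == "unknown":
        raise ValueError(f"unexpected length {len(blob)}")
    return [name for name, (off, n) in UNIQUE_FIELDS.items()
            if any(blob[off:off + n])]


def scrub(blob: bytes) -> bytes:
    """Return a copy with the unique fields zeroed; the input is untouched."""
    if classify(blob) == "unknown":
        raise ValueError(f"unexpected length {len(blob)}")
    out = bytearray(blob)
    for off, n in UNIQUE_FIELDS.values():
        out[off:off + n] = bytes(n)
    return bytes(out)


def sample_ticket() -> bytes:
    """Constructed 848-byte stand-in with non-zero unique fields (not a real ticket)."""
    t = bytearray(TICKET_LEN)
    t[0x1D0:0x1D0 + 12] = bytes(range(1, 13))
    t[0x21C:0x21C + 4] = b"\xAA\xBB\xCC\xDD"
    return bytes(t)


if __name__ == "__main__":
    tik = sample_ticket()
    print(classify(tik), populated_fields(tik))
    print(populated_fields(scrub(tik + bytes(CHAIN_LEN))))
```
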
  16. yonaikerlol

    It worked, thank you very much :)
     
    luigoalma likes this.
  17. Aletron9000

    Sorry to bump a thread that has been inactive for about a month, but this seems important. I noticed that when the application downloads dlc, it downloads all the dlc for that title. Since the application sends the console unique ticket with account information, Nintendo can see that the account that is associated with the ticket being used does not own the dlc being downloaded. This could be used for banning. Just be cautious using this tool.
     
  18. luigoalma
    OP

    indeed, it does, that's part of why i have a warning on the README.md
     
    zoogie likes this.
  19. redunka

    Well, unless there's some way to read from the ticket which content is actually owned (if it even stores such info)…
    Maybe make a change to download only content with index 0 by default as a precaution?
    Nintendo usually gives away that "meta" content for free when one visits DLC shop ingame (how generous), so it should be somewhat less dangerous.
    The ability to download all of the content may be optional this way, by adding something like "--download-all", for example.
    Just a wild (and probably stupid) idea. ¯\(ツ)/¯
     
    Last edited by redunka, Oct 29, 2018
    yonaikerlol likes this.