u32 DecryptNandPartition(u32 param)
{
PartitionInfo* p_info = NULL;
char filename[64];
u8 magic[NAND_SECTOR_SIZE];
for (u32 partition_id = P_TWLN; partition_id <= P_CTRNAND; partition_id = partition_id << 1) {
if (param & partition_id) {
p_info = GetPartitionInfo(partition_id);
break;
}
}
if (p_info == NULL) {
Debug("No partition to dump");
return 1;
}
Debug("Dumping & Decrypting %s, size (MB): %u", p_info->name, p_info->size / (1024 * 1024));
if (DecryptNandToMem(magic, p_info->offset, 16, p_info) != 0)
return 1;
if ((p_info->magic[0] != 0xFF) && (memcmp(p_info->magic, magic, 8) != 0)) {
Debug("Decryption error, please contact us");
return 1;
}
if (OutputFileNameSelector(filename, p_info->name, "bin", param & N_EMUNAND) != 0)
return 1;
return DecryptNandToFile(filename, p_info->offset, p_info->size, p_info);
}
u32 SeekTitleInNandDb(u32* tid_low, u32* tmd_id, TitleListInfo* title_info)
{
PartitionInfo* ctrnand_info = GetPartitionInfo(P_CTRNAND);
u8* titledb = (u8*) 0x20316000;
u32 offset_db;
u32 size_db;
if (SeekFileInNand(&offset_db, &size_db, "DBS TITLE DB ", ctrnand_info) != 0)
return 1; // database not found
if (size_db != 0x64C00)
return 1; // bad database size
if (DecryptNandToMem(titledb, offset_db, size_db, ctrnand_info) != 0)
return 1;
u8* entry_table = titledb + 0x39A80;
u8* info_data = titledb + 0x44B80;
if ((getle32(entry_table + 0) != 2) || (getle32(entry_table + 4) != 3))
return 1; // magic number not found
*tid_low = 0;
for (u32 i = 0; i < 1000; i++) {
u8* entry = entry_table + 0xA8 + (0x2C * i);
u8* info = info_data + (0x80 * i);
u32 r;
if (getle32(entry + 0xC) != title_info->tid_high) continue; // not a title id match
if (getle32(entry + 0x4) != 1) continue; // not an active entry
if ((getle32(entry + 0x18) - i != 0x162) || (getle32(entry + 0x1C) != 0x80) || (getle32(info + 0x08) != 0x40)) continue; // fishy title info / offset
for (r = 0; r < 6; r++) {
if ((title_info->tid_low[r] != 0) && (getle32(entry + 0x8) == title_info->tid_low[r])) break;
}
if (r >= 6) continue;
*tmd_id = getle32(info + 0x14);
*tid_low = title_info->tid_low[r];
break;
}
return (*tid_low) ? 0 : 1;
}
u32 CtrNandPadgen(u32 param)
{
u32 keyslot;
u32 nand_size;
// legacy sizes & offset, to work with 3DSFAT16Tool
if (GetUnitPlatform() == PLATFORM_3DS) {
keyslot = 0x4;
nand_size = 758;
} else {
keyslot = 0x5;
nand_size = 1055;
}
Debug("Creating NAND FAT16 xorpad. Size (MB): %u", nand_size);
Debug("Filename: nand.fat16.xorpad");
PadInfo padInfo = {
.keyslot = keyslot,
.setKeyY = 0,
.size_mb = nand_size,
.filename = "nand.fat16.xorpad",
.mode = AES_CNT_CTRNAND_MODE
};
if(GetNandCtr(padInfo.ctr, 0xB930000) != 0)
return 1;
return CreatePad(&padInfo);
}
u32 TwlNandPadgen(u32 param)
{
u32 size_mb = (partitions[0].size + (1024 * 1024) - 1) / (1024 * 1024);
Debug("Creating TWLN FAT16 xorpad. Size (MB): %u", size_mb);
Debug("Filename: twlnand.fat16.xorpad");
PadInfo padInfo = {
.keyslot = partitions[0].keyslot,
.setKeyY = 0,
.size_mb = size_mb,
.filename = "twlnand.fat16.xorpad",
.mode = AES_CNT_TWLNAND_MODE
};
if(GetNandCtr(padInfo.ctr, partitions[0].offset) != 0)
return 1;
return CreatePad(&padInfo);
}
u32 Firm0Firm1Padgen(u32 param)
{
u32 size_mb = (partitions[3].size + partitions[4].size + (1024 * 1024) - 1) / (1024 * 1024);
Debug("Creating FIRM0FIRM1 xorpad. Size (MB): %u", size_mb);
Debug("Filename: firm0firm1.xorpad");
PadInfo padInfo = {
.keyslot = partitions[3].keyslot,
.setKeyY = 0,
.size_mb = size_mb,
.filename = "firm0firm1.xorpad",
.mode = AES_CNT_CTRNAND_MODE
};
if(GetNandCtr(padInfo.ctr, partitions[3].offset) != 0)
return 1;
return CreatePad(&padInfo);
}
u32 GetNandCtr(u8* ctr, u32 offset)
{
static const char* versions[] = {"4.x", "5.x", "6.x", "7.x", "8.x", "9.x"};
static const u8* version_ctrs[] = {
(u8*)0x080D7CAC,
(u8*)0x080D858C,
(u8*)0x080D748C,
(u8*)0x080D740C,
(u8*)0x080D74CC,
(u8*)0x080D794C
};
static const u32 version_ctrs_len = sizeof(version_ctrs) / sizeof(u32);
static u8* ctr_start = NULL;
if (ctr_start == NULL) {
for (u32 i = 0; i < version_ctrs_len; i++) {
if (*(u32*)version_ctrs[i] == 0x5C980) {
Debug("System version %s", versions[i]);
ctr_start = (u8*) version_ctrs[i] + 0x30;
}
}
// If value not in previous list start memory scanning (test range)
if (ctr_start == NULL) {
for (u8* c = (u8*) 0x080D8FFF; c > (u8*) 0x08000000; c--) {
if (*(u32*)c == 0x5C980 && *(u32*)(c + 1) == 0x800005C9) {
ctr_start = c + 0x30;
Debug("CTR start 0x%08X", ctr_start);
break;
}
}
}
if (ctr_start == NULL) {
Debug("CTR start not found!");
return 1;
}
}
// the ctr is stored backwards in memory
if (offset >= 0x0B100000) { // CTRNAND/AGBSAVE region
for (u32 i = 0; i < 16; i++)
ctr[i] = *(ctr_start + (0xF - i));
} else { // TWL region
for (u32 i = 0; i < 16; i++)
ctr[i] = *(ctr_start + 0x88 + (0xF - i));
}
// increment counter
add_ctr(ctr, offset / 0x10);
return 0;
}
u32 DecryptNandToMem(u8* buffer, u32 offset, u32 size, PartitionInfo* partition)
{
CryptBufferInfo info = {.keyslot = partition->keyslot, .setKeyY = 0, .size = size, .buffer = buffer, .mode = partition->mode};
if(GetNandCtr(info.ctr, offset) != 0)
return 1;
u32 n_sectors = (size + NAND_SECTOR_SIZE - 1) / NAND_SECTOR_SIZE;
u32 start_sector = offset / NAND_SECTOR_SIZE;
ReadNandSectors(start_sector, n_sectors, buffer);
CryptBuffer(&info);
return 0;
}
u32 DecryptNandToFile(const char* filename, u32 offset, u32 size, PartitionInfo* partition)
{
u8* buffer = BUFFER_ADDRESS;
u32 result = 0;
if (!DebugFileCreate(filename, true))
return 1;
for (u32 i = 0; i < size; i += NAND_SECTOR_SIZE * SECTORS_PER_READ) {
u32 read_bytes = min(NAND_SECTOR_SIZE * SECTORS_PER_READ, (size - i));
ShowProgress(i, size);
DecryptNandToMem(buffer, offset + i, read_bytes, partition);
if(!DebugFileWrite(buffer, read_bytes, i)) {
result = 1;
break;
}
}
ShowProgress(0, 0);
FileClose();
return result;
}
u32 SeekFileInNand(u32* offset, u32* size, const char* path, PartitionInfo* partition)
{
// poor mans NAND FAT file seeker:
// - path must be in FAT 8+3 format, without dots or slashes
// example: DIR1_______DIR2_______FILENAMEEXT
// - can't handle long filenames
// - dirs must not exceed 1024 entries
// - fragmentation not supported
u8* buffer = BUFFER_ADDRESS;
u32 p_size = partition->size;
u32 p_offset = partition->offset;
u32 fat_pos = 0;
bool found = false;
if (strnlen(path, 256) % (8+3) != 0)
return 1;
if (DecryptNandToMem(buffer, p_offset, NAND_SECTOR_SIZE, partition) != 0)
return 1;
// good FAT header description found here: http://www.compuphase.com/mbr_fat.htm
u32 fat_start = NAND_SECTOR_SIZE * getle16(buffer + 0x0E);
u32 fat_count = buffer[0x10];
u32 fat_size = NAND_SECTOR_SIZE * getle16(buffer + 0x16) * fat_count;
u32 root_size = getle16(buffer + 0x11) * 0x20;
u32 cluster_start = fat_start + fat_size + root_size;
u32 cluster_size = buffer[0x0D] * NAND_SECTOR_SIZE;
for (*offset = p_offset + fat_start + fat_size; strnlen(path, 256) >= 8+3; path += 8+3) {
if (*offset - p_offset > p_size)
return 1;
found = false;
if (DecryptNandToMem(buffer, *offset, cluster_size, partition) != 0)
return 1;
for (u32 i = 0x00; i < cluster_size; i += 0x20) {
static const char zeroes[8+3] = { 0x00 };
// skip invisible, deleted and lfn entries
if ((buffer[i] == '.') || (buffer[i] == 0xE5) || (buffer[i+0x0B] == 0x0F))
continue;
else if (memcmp(buffer + i, zeroes, 8+3) == 0)
return 1;
u32 p; // search for path in fat folder structure, accept '?' wildcards
for (p = 0; (p < 8+3) && (path[p] == '?' || buffer[i+p] == path[p]); p++);
if (p != 8+3) continue;
// entry found, store offset and move on
fat_pos = getle16(buffer + i + 0x1A);
*offset = p_offset + cluster_start + (fat_pos - 2) * cluster_size;
*size = getle32(buffer + i + 0x1C);
found = true;
break;
}
if (!found) break;
}
// check for fragmentation
if (found && (*size > cluster_size)) {
if (fat_size / fat_count > 0x100000) // prevent buffer overflow
return 1; // fishy FAT table size - should never happen
if (DecryptNandToMem(buffer, p_offset + fat_start, fat_size / fat_count, partition) != 0)
return 1;
for (u32 i = 0; i < (*size - 1) / cluster_size; i++) {
if (*(((u16*) buffer) + fat_pos + i) != fat_pos + i + 1)
return 1;
} // no need to check the files last FAT table entry
}
return (found) ? 0 : 1;
}
u32 UpdateSeedDb(u32 param)
{
(void) (param); // param is unused here
PartitionInfo* ctrnand_info = GetPartitionInfo(P_CTRNAND);
u8* buffer = BUFFER_ADDRESS;
SeedInfo *seedinfo = (SeedInfo*) 0x20400000;
u32 nNewSeeds = 0;
u32 offset;
u32 size;
// load full seedsave to memory
Debug("Searching for seedsave...");
if (SeekFileInNand(&offset, &size, "DATA ???????????SYSDATA 0001000F 00000000 ", ctrnand_info) != 0) {
Debug("Failed!");
return 1;
}
Debug("Found at %08X, size %ukB", offset, size / 1024);
if (size != 0xAC000) {
Debug("Expected %ukB, failed!", 0xAC000);
return 1;
}
if (DecryptNandToMem(buffer, offset, size, ctrnand_info) != 0)
return 1;
// load / create seeddb.bin
if (DebugFileOpen("seeddb.bin")) {
if (!DebugFileRead(seedinfo, 16, 0)) {
FileClose();
return 1;
}
if (seedinfo->n_entries > MAX_ENTRIES) {
Debug("seeddb.bin seems to be corrupt!");
FileClose();
return 1;
}
if (!DebugFileRead(seedinfo->entries, seedinfo->n_entries * sizeof(SeedInfoEntry), 16)) {
FileClose();
return 1;
}
} else {
if (!DebugFileCreate("seeddb.bin", true))
return 1;
memset(seedinfo, 0x00, 16);
DebugFileWrite(seedinfo, 16, 0);
}
// search and extract seeds
for ( int n = 0; n < 2; n++ ) {
// there are two offsets where seeds can be found - 0x07000 & 0x5C000
static const int seed_offsets[2] = {0x7000, 0x5C000};
unsigned char* seed_data = buffer + seed_offsets[n];
for ( size_t i = 0; i < 2000; i++ ) {
static const u8 zeroes[16] = { 0x00 };
// magic number is the reversed first 4 byte of a title id
static const u8 magic[4] = { 0x00, 0x00, 0x04, 0x00 };
// 2000 seed entries max, splitted into title id and seed area
u8* titleId = seed_data + (i*8);
u8* seed = seed_data + (2000*8) + (i*16);
if (memcmp(titleId + 4, magic, 4) != 0)
continue;
// Bravely Second demo seed workaround
if (memcmp(seed, zeroes, 16) == 0)
seed = buffer + seed_offsets[(n+1)%2] + (2000 * 8) + (i*16);
if (memcmp(seed, zeroes, 16) == 0)
continue;
// seed found, check if it already exists
u32 entryPos = 0;
for (entryPos = 0; entryPos < seedinfo->n_entries; entryPos++)
if (memcmp(titleId, &(seedinfo->entries[entryPos].titleId), 8) == 0)
break;
if (entryPos < seedinfo->n_entries) {
Debug("Found %08X%08X seed (duplicate)", getle32(titleId + 4), getle32(titleId));
continue;
}
// seed is new, create a new entry
Debug("Found %08X%08X seed (new)", getle32(titleId + 4), getle32(titleId));
memset(&(seedinfo->entries[entryPos]), 0x00, sizeof(SeedInfoEntry));
memcpy(&(seedinfo->entries[entryPos].titleId), titleId, 8);
memcpy(&(seedinfo->entries[entryPos].external_seed), seed, 16);
seedinfo->n_entries++;
nNewSeeds++;
}
}
if (nNewSeeds == 0) {
Debug("Found no new seeds, %i total", seedinfo->n_entries);
FileClose();
return 0;
}
Debug("Found %i new seeds, %i total", nNewSeeds, seedinfo->n_entries);
if (!DebugFileWrite(seedinfo, 16 + seedinfo->n_entries * sizeof(SeedInfoEntry), 0))
return 1;
FileClose();
return 0;
}
u32 InjectHealthAndSafety(u32 param)
{
u8* buffer = BUFFER_ADDRESS;
PartitionInfo* ctrnand_info = GetPartitionInfo(P_CTRNAND);
TitleListInfo* health = titleList + ((GetUnitPlatform() == PLATFORM_3DS) ? 3 : 4);
TitleListInfo* health_alt = (GetUnitPlatform() == PLATFORM_N3DS) ? titleList + 3 : NULL;
NcchHeader* ncch = (NcchHeader*) 0x20316000;
char filename[64];
u32 offset_app[4];
u32 size_app[4];
u32 offset_tmd;
u32 size_tmd;
u32 size_hs;
if (!(param & N_NANDWRITE)) // developer screwup protection
return 1;
if ((DebugSeekTitleInNand(&offset_tmd, &size_tmd, offset_app, size_app, health, 4) != 0) && (!health_alt ||
(DebugSeekTitleInNand(&offset_tmd, &size_tmd, offset_app, size_app, health_alt, 4) != 0)))
return 1;
if (size_app[0] > 0x400000) {
Debug("H&S system app is too big!");
return 1;
}
if (DecryptNandToMem((void*) ncch, offset_app[0], 0x200, ctrnand_info) != 0)
return 1;
if (InputFileNameSelector(filename, NULL, "app", ncch->signature, 0x100, 0, false) != 0)
return 1;
if (!DebugFileOpen(filename))
return 1;
size_hs = FileGetSize();
memset(buffer, 0, size_app[0]);
if (size_hs > size_app[0]) {
Debug("H&S inject app is too big!");
return 1;
}
if (!DebugFileRead(buffer, size_hs, 0)) {
FileClose();
return 1;
}
FileClose();
if (!DebugFileCreate("hs.enc", true))
return 1;
if (!DebugFileWrite(buffer, size_app[0], 0)) {
FileClose();
return 1;
}
FileClose();
if (CryptNcch("hs.enc", 0, 0, 0, ncch->flags) != 0)
return 1;
Debug("Injecting H&S app...");
if (EncryptFileToNand("hs.enc", offset_app[0], size_app[0], ctrnand_info) != 0)
return 1;
Debug("Fixing TMD...");
u8* tmd_data = (u8*) 0x20316000;
if (DecryptNandToMem(tmd_data, offset_tmd, size_tmd, ctrnand_info) != 0)
return 1;
tmd_data += (tmd_data[3] == 3) ? 0x240 : (tmd_data[3] == 4) ? 0x140 : 0x80;
u8* content_list = tmd_data + 0xC4 + (64 * 0x24);
u32 cnt_count = getbe16(tmd_data + 0x9E);
if (GetHashFromFile("hs.enc", 0, size_app[0], content_list + 0x10) != 0) {
Debug("Failed!");
return 1;
}
for (u32 i = 0, kc = 0; i < 64 && kc < cnt_count; i++) {
u32 k = getbe16(tmd_data + 0xC4 + (i * 0x24) + 0x02);
u8* chunk_hash = tmd_data + 0xC4 + (i * 0x24) + 0x04;
sha_quick(chunk_hash, content_list + kc * 0x30, k * 0x30, SHA256_MODE);
kc += k;
}
u8* tmd_hash = tmd_data + 0xA4;
sha_quick(tmd_hash, tmd_data + 0xC4, 64 * 0x24, SHA256_MODE);
tmd_data = (u8*) 0x20316000;
if (EncryptMemToNand(tmd_data, offset_tmd, size_tmd, ctrnand_info) != 0)
return 1;
return 0;
}
u32 DebugSeekTitleInNand(u32* offset_tmd, u32* size_tmd, u32* offset_app, u32* size_app, TitleListInfo* title_info, u32 max_cnt)
{
PartitionInfo* ctrnand_info = GetPartitionInfo(P_CTRNAND);
u8* buffer = (u8*) 0x20316000;
u32 cnt_count = 0;
u32 tid_low = 0;
u32 tmd_id = 0;
Debug("Searching title \"%s\"...", title_info->name);
Debug("Method 1: Search in title.db...");
if (SeekTitleInNandDb(&tid_low, &tmd_id, title_info) == 0) {
char path[64];
sprintf(path, "TITLE %08X %08X CONTENT %08XTMD", (unsigned int) title_info->tid_high, (unsigned int) tid_low, (unsigned int) tmd_id);
if (SeekFileInNand(offset_tmd, size_tmd, path, ctrnand_info) != 0)
tid_low = 0;
}
if (!tid_low) {
Debug("Method 2: Search in file system...");
for (u32 i = 0; i < 6; i++) {
char path[64];
if (title_info->tid_low[i] == 0)
continue;
sprintf(path, "TITLE %08X %08X CONTENT ????????TMD", (unsigned int) title_info->tid_high, (unsigned int) title_info->tid_low[i]);
if (SeekFileInNand(offset_tmd, size_tmd, path, ctrnand_info) == 0) {
tid_low = title_info->tid_low[i];
break;
}
}
}
if (!tid_low) {
Debug("Failed!");
return 1;
}
Debug("Found title %08X%08X", title_info->tid_high, tid_low);
Debug("TMD0 found at %08X, size %ub", *offset_tmd, *size_tmd);
if ((*size_tmd < 0xC4 + (0x40 * 0x24)) || (*size_tmd > 0x4000)) {
Debug("TMD has bad size!");
return 1;
}
if (DecryptNandToMem(buffer, *offset_tmd, *size_tmd, ctrnand_info) != 0)
return 1;
u32 size_sig = (buffer[3] == 3) ? 0x240 : (buffer[3] == 4) ? 0x140 : (buffer[3] == 5) ? 0x80 : 0;
if ((size_sig == 0) || (memcmp(buffer, "\x00\x01\x00", 3) != 0)) {
Debug("Unknown signature type: %08X", getbe32(buffer));
return 1;
}
cnt_count = getbe16(buffer + size_sig + 0x9E);
u32 size_tmd_expected = size_sig + 0xC4 + (0x40 * 0x24) + (cnt_count * 0x30);
if (*size_tmd < size_tmd_expected) {
Debug("TMD bad size (expected %ub)!", size_tmd_expected );
return 1;
}
buffer += size_sig + 0xC4 + (0x40 * 0x24);
for (u32 i = 0; i < cnt_count && i < max_cnt; i++) {
char path[64];
u32 cnt_id = getbe32(buffer + (0x30 * i));
if (i >= max_cnt) {
Debug("APP%i was skipped", i);
continue;
}
sprintf(path, "TITLE %08X %08X CONTENT %08XAPP", (unsigned int) title_info->tid_high, (unsigned int) tid_low, (unsigned int) cnt_id);
if (SeekFileInNand(offset_app + i, size_app + i, path, ctrnand_info) != 0) {
Debug("APP%i not found or fragmented!", i);
return 1;
}
Debug("APP%i found at %08X, size %ukB", i, offset_app[i], size_app[i] / 1024);
}
return 0;
}
