u32 DumpNand(u32 param) { char filename[64]; u8* buffer = BUFFER_ADDRESS; u32 nand_size = getMMCDevice(0)->total_size * NAND_SECTOR_SIZE; u32 result = 0; Debug("Dumping %sNAND. Size (MB): %u", (param & N_EMUNAND) ? "Emu" : "Sys", nand_size / (1024 * 1024)); if (OutputFileNameSelector(filename, "NAND.bin", NULL, param & N_EMUNAND) != 0) return 1; if (!DebugFileCreate(filename, true)) return 1; u32 n_sectors = nand_size / NAND_SECTOR_SIZE; for (u32 i = 0; i < n_sectors; i += SECTORS_PER_READ) { u32 read_sectors = min(SECTORS_PER_READ, (n_sectors - i)); ShowProgress(i, n_sectors); ReadNandSectors(i, read_sectors, buffer); if(!DebugFileWrite(buffer, NAND_SECTOR_SIZE * read_sectors, i * NAND_SECTOR_SIZE)) { result = 1; break; } } ShowProgress(0, 0); FileClose(); return result; }
u32 DecryptTitlekeys(void) { EncKeysInfo *info = (EncKeysInfo*)0x20316000; if (!DebugFileOpen("/encTitleKeys.bin")) return 1; if (!DebugFileRead(info, 16, 0)) { FileClose(); return 1; } if (!info->n_entries || info->n_entries > MAX_ENTRIES) { Debug("Too many/few entries specified: %i", info->n_entries); FileClose(); return 1; } Debug("Number of entries: %i", info->n_entries); if (!DebugFileRead(info->entries, info->n_entries * sizeof(TitleKeyEntry), 16)) { FileClose(); return 1; } FileClose(); Debug("Decrypting Title Keys..."); u8 ctr[16] __attribute__((aligned(32))); u8 keyY[16] __attribute__((aligned(32))); u32 i; for (i = 0; i < info->n_entries; i++) { memset(ctr, 0, 16); memcpy(ctr, info->entries[i].titleId, 8); set_ctr(AES_BIG_INPUT|AES_NORMAL_INPUT, ctr); memcpy(keyY, (void *)common_keyy[info->entries[i].commonKeyIndex], 16); setup_aeskey(0x3D, AES_BIG_INPUT|AES_NORMAL_INPUT, keyY); use_aeskey(0x3D); aes_decrypt(info->entries[i].encryptedTitleKey, info->entries[i].encryptedTitleKey, ctr, 1, AES_CBC_DECRYPT_MODE); } if (!DebugFileCreate("/decTitleKeys.bin", true)) return 1; if (!DebugFileWrite(info, info->n_entries * sizeof(TitleKeyEntry) + 16, 0)) { FileClose(); return 1; } FileClose(); Debug("Done!"); return 0; }
u32 NandPadgen() { u8* ctrStart = FindNandCtr(); if (ctrStart == NULL) return 1; u8 ctr[16] = {0x0}; u32 i = 0; for(i = 0; i < 16; i++) ctr[i] = *(ctrStart + (15 - i)); //The CTR is stored backwards in memory. add_ctr(ctr, 0xB93000); //The CTR stored in memory would theoretically be for NAND block 0, so we need to increment it some. u32 keyslot = 0x0; u32 nand_size = 0; switch (GetUnitPlatform()) { case PLATFORM_3DS: keyslot = 0x4; nand_size = 758; break; case PLATFORM_N3DS: keyslot = 0x5; nand_size = 1055; break; } Debug("Creating NAND FAT16 xorpad. Size (MB): %u", nand_size); Debug("Filename: nand.fat16.xorpad"); PadInfo padInfo = {.keyslot = keyslot, .setKeyY = 0, .size_mb = nand_size , .filename = "/nand.fat16.xorpad"}; memcpy(padInfo.CTR, ctr, 16); u32 result = CreatePad(&padInfo); if(result == 0) { Debug("Done!"); return 0; } else { return 1; } } u32 CreatePad(PadInfo *info) { static const uint8_t zero_buf[16] __attribute__((aligned(16))) = {0}; u8* buffer = BUFFER_ADDRESS; u32 result = 0; if (!FileCreate(info->filename, true)) // No DebugFileCreate() here - messages are already given return 1; if(info->setKeyY) setup_aeskey(info->keyslot, AES_BIG_INPUT | AES_NORMAL_INPUT, info->keyY); use_aeskey(info->keyslot); u8 ctr[16] __attribute__((aligned(32))); memcpy(ctr, info->CTR, 16); u32 size_bytes = info->size_mb * 1024*1024; for (u32 i = 0; i < size_bytes; i += BUFFER_MAX_SIZE) { u32 curr_block_size = min(BUFFER_MAX_SIZE, size_bytes - i); for (u32 j = 0; j < curr_block_size; j+= 16) { set_ctr(AES_BIG_INPUT | AES_NORMAL_INPUT, ctr); aes_decrypt((void*)zero_buf, (void*)buffer + j, ctr, 1, AES_CTR_MODE); add_ctr(ctr, 1); } ShowProgress(i, size_bytes); if (!DebugFileWrite((void*)buffer, curr_block_size, i)) { result = 1; break; } } ShowProgress(0, 0); FileClose(); return result; } u32 NandDumper() { u8* buffer = BUFFER_ADDRESS; u32 nand_size = (GetUnitPlatform() == PLATFORM_3DS) ? 0x3AF00000 : 0x4D800000; u32 result = 0; Debug("Dumping System NAND. Size (MB): %u", nand_size / (1024 * 1024)); if (!DebugFileCreate("/NAND.bin", true)) return 1; u32 n_sectors = nand_size / NAND_SECTOR_SIZE; for (u32 i = 0; i < n_sectors; i += SECTORS_PER_READ) { ShowProgress(i, n_sectors); sdmmc_nand_readsectors(i, SECTORS_PER_READ, buffer); if(!DebugFileWrite(buffer, NAND_SECTOR_SIZE * SECTORS_PER_READ, i * NAND_SECTOR_SIZE)) { result = 1; break; } } ShowProgress(0, 0); FileClose(); return result; } u32 NandPartitionsDumper() { u32 ctrnand_offset; u32 ctrnand_size; u32 keyslot; switch (GetUnitPlatform()) { case PLATFORM_3DS: ctrnand_offset = 0x0B95CA00; ctrnand_size = 0x2F3E3600; keyslot = 0x4; break; case PLATFORM_N3DS: ctrnand_offset = 0x0B95AE00; ctrnand_size = 0x41D2D200; keyslot = 0x5; break; } // see: http://3dbrew.org/wiki/Flash_Filesystem Debug("Dumping firm0.bin: %s!", DumpPartition("firm0.bin", 0x0B130000, 0x00400000, 0x6) == 0 ? "succeeded" : "failed"); Debug("Dumping firm1.bin: %s!", DumpPartition("firm1.bin", 0x0B530000, 0x00400000, 0x6) == 0 ? "succeeded" : "failed"); Debug("Dumping ctrnand.bin: %s!", DumpPartition("ctrnand.bin", ctrnand_offset, ctrnand_size, keyslot) == 0 ? "succeeded" : "failed"); return 0; }
u32 SdPadgen() { u32 result; SdInfo *info = (SdInfo*)0x20316000; u8 movable_seed[0x120] = {0}; // Load console 0x34 keyY from movable.sed if present on SD card if (DebugFileOpen("/movable.sed")) { if (!DebugFileRead(&movable_seed, 0x120, 0)) { FileClose(); return 1; } FileClose(); if (memcmp(movable_seed, "SEED", 4) != 0) { Debug("movable.sed is too corrupt!"); return 1; } setup_aeskey(0x34, AES_BIG_INPUT|AES_NORMAL_INPUT, &movable_seed[0x110]); use_aeskey(0x34); } if (!DebugFileOpen("/SDinfo.bin")) return 1; if (!DebugFileRead(info, 4, 0)) { FileClose(); return 1; } if (!info->n_entries || info->n_entries > MAX_ENTRIES) { Debug("Too many/few entries!"); return 1; } Debug("Number of entries: %i", info->n_entries); if (!DebugFileRead(info->entries, info->n_entries * sizeof(SdInfoEntry), 4)) { FileClose(); return 1; } FileClose(); for(u32 i = 0; i < info->n_entries; i++) { Debug ("Creating pad number: %i. Size (MB): %i", i+1, info->entries[i].size_mb); PadInfo padInfo = {.keyslot = 0x34, .setKeyY = 0, .size_mb = info->entries[i].size_mb}; memcpy(padInfo.CTR, info->entries[i].CTR, 16); memcpy(padInfo.filename, info->entries[i].filename, 180); result = CreatePad(&padInfo); if (!result) Debug("Done!"); else return 1; } return 0; } static u8* FindNandCtr() { static const char* versions[] = {"4.x", "5.x", "6.x", "7.x", "8.x", "9.x"}; static const u8* version_ctrs[] = { (u8*)0x080D7CAC, (u8*)0x080D858C, (u8*)0x080D748C, (u8*)0x080D740C, (u8*)0x080D74CC, (u8*)0x080D794C }; static const u32 version_ctrs_len = sizeof(version_ctrs) / sizeof(u32); for (u32 i = 0; i < version_ctrs_len; i++) { if (*(u32*)version_ctrs[i] == 0x5C980) { Debug("System version %s", versions[i]); return (u8*)(version_ctrs[i] + 0x30); } } // If value not in previous list start memory scanning (test range) for (u8* c = (u8*)0x080D8FFF; c > (u8*)0x08000000; c--) { if (*(u32*)c == 0x5C980 && *(u32*)(c + 1) == 0x800005C9) { Debug("CTR Start 0x%08X", c + 0x30); return c + 0x30; } } return NULL; } u32 DumpPartition(char* filename, u32 offset, u32 size, u32 keyslot) { DecryptBufferInfo info; u8* buffer = BUFFER_ADDRESS; u8* ctrStart = FindNandCtr(); u32 result = 0; Debug("Dumping System NAND Partition. Size (MB): %u", size / (1024 * 1024)); Debug("Filename: %s", filename); if (ctrStart == NULL) return 1; info.keyslot = keyslot; info.setKeyY = 0; info.size = SECTORS_PER_READ * NAND_SECTOR_SIZE; info.buffer = buffer; for (u32 i = 0; i < 16; i++) { info.CTR[i] = *(ctrStart + (0xF - i)); // The CTR is stored backwards in memory. } add_ctr(info.CTR, offset / 0x10); if (!DebugFileCreate(filename, true)) return 1; u32 n_sectors = size / NAND_SECTOR_SIZE; u32 start_sector = offset / NAND_SECTOR_SIZE; for (u32 i = 0; i < n_sectors; i += SECTORS_PER_READ) { ShowProgress(i, n_sectors); sdmmc_nand_readsectors(start_sector + i, SECTORS_PER_READ, buffer); DecryptBuffer(&info); if (!DebugFileWrite(buffer, NAND_SECTOR_SIZE * SECTORS_PER_READ, i * NAND_SECTOR_SIZE)) { result = 1; break; } } ShowProgress(0, 0); FileClose(); return result; }
u32 CtrNandPadgen(u32 param) { u32 keyslot; u32 nand_size; // legacy sizes & offset, to work with 3DSFAT16Tool if (GetUnitPlatform() == PLATFORM_3DS) { keyslot = 0x4; nand_size = 758; } else { keyslot = 0x5; nand_size = 1055; } Debug("Creating NAND FAT16 xorpad. Size (MB): %u", nand_size); Debug("Filename: nand.fat16.xorpad"); PadInfo padInfo = { .keyslot = keyslot, .setKeyY = 0, .size_mb = nand_size, .filename = "nand.fat16.xorpad", .mode = AES_CNT_CTRNAND_MODE }; if(GetNandCtr(padInfo.ctr, 0xB930000) != 0) return 1; return CreatePad(&padInfo); } u32 TwlNandPadgen(u32 param) { u32 size_mb = (partitions[0].size + (1024 * 1024) - 1) / (1024 * 1024); Debug("Creating TWLN FAT16 xorpad. Size (MB): %u", size_mb); Debug("Filename: twlnand.fat16.xorpad"); PadInfo padInfo = { .keyslot = partitions[0].keyslot, .setKeyY = 0, .size_mb = size_mb, .filename = "twlnand.fat16.xorpad", .mode = AES_CNT_TWLNAND_MODE }; if(GetNandCtr(padInfo.ctr, partitions[0].offset) != 0) return 1; return CreatePad(&padInfo); } u32 Firm0Firm1Padgen(u32 param) { u32 size_mb = (partitions[3].size + partitions[4].size + (1024 * 1024) - 1) / (1024 * 1024); Debug("Creating FIRM0FIRM1 xorpad. Size (MB): %u", size_mb); Debug("Filename: firm0firm1.xorpad"); PadInfo padInfo = { .keyslot = partitions[3].keyslot, .setKeyY = 0, .size_mb = size_mb, .filename = "firm0firm1.xorpad", .mode = AES_CNT_CTRNAND_MODE }; if(GetNandCtr(padInfo.ctr, partitions[3].offset) != 0) return 1; return CreatePad(&padInfo); } u32 GetNandCtr(u8* ctr, u32 offset) { static const char* versions[] = {"4.x", "5.x", "6.x", "7.x", "8.x", "9.x"}; static const u8* version_ctrs[] = { (u8*)0x080D7CAC, (u8*)0x080D858C, (u8*)0x080D748C, (u8*)0x080D740C, (u8*)0x080D74CC, (u8*)0x080D794C }; static const u32 version_ctrs_len = sizeof(version_ctrs) / sizeof(u32); static u8* ctr_start = NULL; if (ctr_start == NULL) { for (u32 i = 0; i < version_ctrs_len; i++) { if (*(u32*)version_ctrs[i] == 0x5C980) { Debug("System version %s", versions[i]); ctr_start = (u8*) version_ctrs[i] + 0x30; } } // If value not in previous list start memory scanning (test range) if (ctr_start == NULL) { for (u8* c = (u8*) 0x080D8FFF; c > (u8*) 0x08000000; c--) { if (*(u32*)c == 0x5C980 && *(u32*)(c + 1) == 0x800005C9) { ctr_start = c + 0x30; Debug("CTR start 0x%08X", ctr_start); break; } } } if (ctr_start == NULL) { Debug("CTR start not found!"); return 1; } } // the ctr is stored backwards in memory if (offset >= 0x0B100000) { // CTRNAND/AGBSAVE region for (u32 i = 0; i < 16; i++) ctr[i] = *(ctr_start + (0xF - i)); } else { // TWL region for (u32 i = 0; i < 16; i++) ctr[i] = *(ctr_start + 0x88 + (0xF - i)); } // increment counter add_ctr(ctr, offset / 0x10); return 0; } u32 DecryptNandToMem(u8* buffer, u32 offset, u32 size, PartitionInfo* partition) { CryptBufferInfo info = {.keyslot = partition->keyslot, .setKeyY = 0, .size = size, .buffer = buffer, .mode = partition->mode}; if(GetNandCtr(info.ctr, offset) != 0) return 1; u32 n_sectors = (size + NAND_SECTOR_SIZE - 1) / NAND_SECTOR_SIZE; u32 start_sector = offset / NAND_SECTOR_SIZE; ReadNandSectors(start_sector, n_sectors, buffer); CryptBuffer(&info); return 0; } u32 DecryptNandToFile(const char* filename, u32 offset, u32 size, PartitionInfo* partition) { u8* buffer = BUFFER_ADDRESS; u32 result = 0; if (!DebugFileCreate(filename, true)) return 1; for (u32 i = 0; i < size; i += NAND_SECTOR_SIZE * SECTORS_PER_READ) { u32 read_bytes = min(NAND_SECTOR_SIZE * SECTORS_PER_READ, (size - i)); ShowProgress(i, size); DecryptNandToMem(buffer, offset + i, read_bytes, partition); if(!DebugFileWrite(buffer, read_bytes, i)) { result = 1; break; } } ShowProgress(0, 0); FileClose(); return result; }
u32 UpdateSeedDb(u32 param) { (void) (param); // param is unused here PartitionInfo* ctrnand_info = GetPartitionInfo(P_CTRNAND); u8* buffer = BUFFER_ADDRESS; SeedInfo *seedinfo = (SeedInfo*) 0x20400000; u32 nNewSeeds = 0; u32 offset; u32 size; // load full seedsave to memory Debug("Searching for seedsave..."); if (SeekFileInNand(&offset, &size, "DATA ???????????SYSDATA 0001000F 00000000 ", ctrnand_info) != 0) { Debug("Failed!"); return 1; } Debug("Found at %08X, size %ukB", offset, size / 1024); if (size != 0xAC000) { Debug("Expected %ukB, failed!", 0xAC000); return 1; } if (DecryptNandToMem(buffer, offset, size, ctrnand_info) != 0) return 1; // load / create seeddb.bin if (DebugFileOpen("seeddb.bin")) { if (!DebugFileRead(seedinfo, 16, 0)) { FileClose(); return 1; } if (seedinfo->n_entries > MAX_ENTRIES) { Debug("seeddb.bin seems to be corrupt!"); FileClose(); return 1; } if (!DebugFileRead(seedinfo->entries, seedinfo->n_entries * sizeof(SeedInfoEntry), 16)) { FileClose(); return 1; } } else { if (!DebugFileCreate("seeddb.bin", true)) return 1; memset(seedinfo, 0x00, 16); DebugFileWrite(seedinfo, 16, 0); } // search and extract seeds for ( int n = 0; n < 2; n++ ) { // there are two offsets where seeds can be found - 0x07000 & 0x5C000 static const int seed_offsets[2] = {0x7000, 0x5C000}; unsigned char* seed_data = buffer + seed_offsets[n]; for ( size_t i = 0; i < 2000; i++ ) { static const u8 zeroes[16] = { 0x00 }; // magic number is the reversed first 4 byte of a title id static const u8 magic[4] = { 0x00, 0x00, 0x04, 0x00 }; // 2000 seed entries max, splitted into title id and seed area u8* titleId = seed_data + (i*8); u8* seed = seed_data + (2000*8) + (i*16); if (memcmp(titleId + 4, magic, 4) != 0) continue; // Bravely Second demo seed workaround if (memcmp(seed, zeroes, 16) == 0) seed = buffer + seed_offsets[(n+1)%2] + (2000 * 8) + (i*16); if (memcmp(seed, zeroes, 16) == 0) continue; // seed found, check if it already exists u32 entryPos = 0; for (entryPos = 0; entryPos < seedinfo->n_entries; entryPos++) if (memcmp(titleId, &(seedinfo->entries[entryPos].titleId), 8) == 0) break; if (entryPos < seedinfo->n_entries) { Debug("Found %08X%08X seed (duplicate)", getle32(titleId + 4), getle32(titleId)); continue; } // seed is new, create a new entry Debug("Found %08X%08X seed (new)", getle32(titleId + 4), getle32(titleId)); memset(&(seedinfo->entries[entryPos]), 0x00, sizeof(SeedInfoEntry)); memcpy(&(seedinfo->entries[entryPos].titleId), titleId, 8); memcpy(&(seedinfo->entries[entryPos].external_seed), seed, 16); seedinfo->n_entries++; nNewSeeds++; } } if (nNewSeeds == 0) { Debug("Found no new seeds, %i total", seedinfo->n_entries); FileClose(); return 0; } Debug("Found %i new seeds, %i total", nNewSeeds, seedinfo->n_entries); if (!DebugFileWrite(seedinfo, 16 + seedinfo->n_entries * sizeof(SeedInfoEntry), 0)) return 1; FileClose(); return 0; }
u32 InjectHealthAndSafety(u32 param) { u8* buffer = BUFFER_ADDRESS; PartitionInfo* ctrnand_info = GetPartitionInfo(P_CTRNAND); TitleListInfo* health = titleList + ((GetUnitPlatform() == PLATFORM_3DS) ? 3 : 4); TitleListInfo* health_alt = (GetUnitPlatform() == PLATFORM_N3DS) ? titleList + 3 : NULL; NcchHeader* ncch = (NcchHeader*) 0x20316000; char filename[64]; u32 offset_app[4]; u32 size_app[4]; u32 offset_tmd; u32 size_tmd; u32 size_hs; if (!(param & N_NANDWRITE)) // developer screwup protection return 1; if ((DebugSeekTitleInNand(&offset_tmd, &size_tmd, offset_app, size_app, health, 4) != 0) && (!health_alt || (DebugSeekTitleInNand(&offset_tmd, &size_tmd, offset_app, size_app, health_alt, 4) != 0))) return 1; if (size_app[0] > 0x400000) { Debug("H&S system app is too big!"); return 1; } if (DecryptNandToMem((void*) ncch, offset_app[0], 0x200, ctrnand_info) != 0) return 1; if (InputFileNameSelector(filename, NULL, "app", ncch->signature, 0x100, 0, false) != 0) return 1; if (!DebugFileOpen(filename)) return 1; size_hs = FileGetSize(); memset(buffer, 0, size_app[0]); if (size_hs > size_app[0]) { Debug("H&S inject app is too big!"); return 1; } if (!DebugFileRead(buffer, size_hs, 0)) { FileClose(); return 1; } FileClose(); if (!DebugFileCreate("hs.enc", true)) return 1; if (!DebugFileWrite(buffer, size_app[0], 0)) { FileClose(); return 1; } FileClose(); if (CryptNcch("hs.enc", 0, 0, 0, ncch->flags) != 0) return 1; Debug("Injecting H&S app..."); if (EncryptFileToNand("hs.enc", offset_app[0], size_app[0], ctrnand_info) != 0) return 1; Debug("Fixing TMD..."); u8* tmd_data = (u8*) 0x20316000; if (DecryptNandToMem(tmd_data, offset_tmd, size_tmd, ctrnand_info) != 0) return 1; tmd_data += (tmd_data[3] == 3) ? 0x240 : (tmd_data[3] == 4) ? 0x140 : 0x80; u8* content_list = tmd_data + 0xC4 + (64 * 0x24); u32 cnt_count = getbe16(tmd_data + 0x9E); if (GetHashFromFile("hs.enc", 0, size_app[0], content_list + 0x10) != 0) { Debug("Failed!"); return 1; } for (u32 i = 0, kc = 0; i < 64 && kc < cnt_count; i++) { u32 k = getbe16(tmd_data + 0xC4 + (i * 0x24) + 0x02); u8* chunk_hash = tmd_data + 0xC4 + (i * 0x24) + 0x04; sha_quick(chunk_hash, content_list + kc * 0x30, k * 0x30, SHA256_MODE); kc += k; } u8* tmd_hash = tmd_data + 0xA4; sha_quick(tmd_hash, tmd_data + 0xC4, 64 * 0x24, SHA256_MODE); tmd_data = (u8*) 0x20316000; if (EncryptMemToNand(tmd_data, offset_tmd, size_tmd, ctrnand_info) != 0) return 1; return 0; }