Skip to content

Multipurpose content dumper and decryptor for the Nintendo 3DS

License

Notifications You must be signed in to change notification settings

SteveMyers75/Decrypt9WIP

 
 

Repository files navigation

Decrypt9

Multipurpose content dumper and decryptor for the Nintendo 3DS

Decrypt9 WIP (work-in-progress) by d0k3

This is a work in progress fork of Archshifts original Decrypt9, including bleeding edge new features. Note that the names of the exectuable files for this are Decrypt9WIP.* instead of Decrypt9.*. New features introduced in this will eventually get pulled into Archshifts repo.

You may discuss this work in progress version, help testing, participate in the development and on GBAtemp.

Decrypt9, Decrypt9WIP, Decrypt9UI - which one to use?

There are at the present time, three main versions of Decrypt9 available:

  • Decrypt9 by Archshift: This is the original version of Decrypt9 by Archshift. New features are pulled into this once they are thoroughly tested. This is as stable as it gets, but may also miss some of the newer features.
  • Decrypt9 WIP by d0k3: This is the work in progress fork of Archshifts original Decrypt9. It contains the newest features and is always up to date. Releases in here can be considered tested beta versions.
  • Decrypt9 UI by Shadowtrance: This is a themed version of Decrypt9 WIP created by Shadowtrance. It contains a nice graphical user interface (instead of text only as the other two versions), but may not be up to date at all times

What can I do with this??

See this incomplete list, more detailed descriptions are found further below.

  • Create XORpads for decryption of NCCH ('.3DS') files
  • Create XORpads for decryption of files in the '/Nintendo 3DS' folder
  • Create XORpads for decryption of the TWLN and CTRNAND partitions
  • Decrypt Titlekeys, either from a file or directly from SysNAND / EmuNAND
  • Backup & restore your SysNAND and EmuNAND
  • Dump & Inject any partition from your SysNAND and EmuNAND
  • Dump & Inject a number of files (ticket.db, ..) from your SysNAND and EmuNAND
  • Inject any app into the Health & Safety app
  • Create and update the SeedDB file
  • Directly decrypt (cryptofix) NCCH ('.3DS') and CIA files
  • Directly decrypt files from the '/Nintendo 3DS/' folder

How to run this / entry points

Decrypt9 can be built to run from a number of entry points, descriptions are below. Note that you need to be on or below 3DS firmware version v9.2 for any of these to work.

  • A9LH & Brahma: Copy Decrypt9.bin to somewhere on your SD card and run it via either Brahma or arm9loaderhax. Brahma derivatives / loaders (such as BrahmaLoader, BootCTR and CTR Boot Manager) and A9LH chainloaders (such as Luma3DS and BootCTR9) will work with this as well. Build this with make a9lh.
  • Homebrew Launcher: Copy Decrypt9.3dsx & Decrypt9.smdh into /3DS/Decrypt9 on your SD card. Run this via Smealums Homebrew Launcher, Mashers Grid Launcher or any other compatible software. Build this with make brahma.
  • CakeHax Browser: Copy Decrypt9.dat to the root of your SD card. For MSET also copy Decrypt9.nds to your SD card. You can then run it via http://dukesrg.github.io/?Decrypt9.dat from your 3DS browser. Build this via make cakehax.
  • CakeHax MSET: Copy Decrypt9.dat to the root of your SD card and Decrypt9.nds to anywhere on the SD card. You can then run it either via MSET and Decrypt9.nds. Build this via make cakerop.
  • Gateway Browser Exploit: Copy Launcher.dat to your SD card root and run this via http://go.gateway-3ds.com/ from your 3DS browser. Build this with make gateway. Please note: this entrypoint is deprecated. While it may still work at the present time with little to no problems, bugs will no more be fixed and it may be completely removed at a later time. Use CakeHax instead.

If you are a developer and you are building this, you may also just run make release to build all files at once. If you are a user, all files are already included in the release archive.

Working folders

Basically every input file for Decrypt9 can be placed into the SD card root and output files can be written there, too. Working folders are mostly optional. However, using them is recommended and even required for some of the Decrypt9 features to work. These two folders (on the root of your SD card) are used:

  • /D9Game/: NCCH (.3DS), CIA, BOSS, SD card files (from the '/Nintendo 3DS/' folder) go here and are decrypted in place by the respective features.
  • /Decrypt9/: Everything that doesn't go into /D9Game/ goes here, and this is also the standard output folder. If /D9Game/ does not exist, NCCH, CIA, BOSS and SD card files are also processed in this folder.

Decryption of game files (NCCH, CIA, BOSS, SD) needs at least one of these two folders to exist. Input files are first searched in /Decrypt9/ and (if not found) then in the SD card root.

Support files

Depending on the environment, Decrypt9 is ran from, you may need support files to have full functionality. Support files are placed into either the root folder, or the work folder (/Decrypt9/). Here's a list of support files used in Decrypt9, when you need them and what they are used for:

  • slot0x05keyY.bin: This file was previously needed for access to CTRNAND features (which is basically everything) on N3DS. At the moment it is not needed on any entrypoint.
  • slot0x25keyX.bin: This file is needed to decrypt 7x crypto NCCHs and CIAs on O3DS < 7.0 and on A9LH.
  • slot0x18keyX.bin: This file is needed to decrypt Secure 3 crypto NCCHs and CIAs on O3DS without A9LH.
  • slot0x1BkeyX.bin: This file is needed to decrypt Secure 4 crypto NCCHs and CIAs in every environment.
  • aeskeydb.bin: This is an alternative to the four slot0x??key?.bin files mentioned above. It can contain multiple keys. It can be created from your existing slot0x??key?.binfiles in Decrypt9 via the 'Build Key Database' feature.
  • seeddb.bin: Decrypt9 can create and update this file from the seeds installed in your system. This file is needed to decrypt seed crypto NCCHs and CIAs. Note that your seeddb.bin must also contain the seed for the specific game you need to decrypt.
  • movable.sed: This is dumpable by Decrypt9. It is needed to decrypt SD files from another 3DS, or from another installation on your own 3DS. It is not needed when decrypting your own SysNAND / EmuNAND SD files.
  • d9logo.bin: Contains a logo (or, in fact, anything) to be displayed on the bottom screen. A 'd9logo.bin' file is included in the release archive. If you want to create one yourself, install ImageMagick and run convert [your image] -rotate 90 bgr:d9logo.bin, where [your image] is any image of 320x240px resolution.

Decrypt9 controls

The most important controls are displayed on screen, here is a list of all:

  • DOWN/UP - Navigate menus, scroll output, select between options.
  • A - Enter submenu or confirm action.
  • B - Depending on location, leave submenu or cancel.
  • L/R - Switch between submenus (first level submenu only).
  • X - Make a screenshot. Works in menu and on console output, after a feature finishes.
  • X + LEFT/RIGHT - Batch screenshot all submenus / entries (only on menu)
  • SELECT - Unmount SD card (only on menu).
  • START (+ LEFT) - Reboot (START only) / Poweroff (with LEFT).

There are some features (NAND backup and restore, f.e.), that require the user to choose a file or a directory. In these cases, use the arrow keys to select and A / B to confirm and cancel.

Decrypt9 features description

Features in Decrypt9 are categorized into 5 main categories, see the descriptions of each below.

XORpad Generator Options

This category includes all features that generate XORpads. XORpads are not useful on their own, but they can be used (with additional tools) to decrypt things on your PC. Most, if not all, of the functionality provided by these features can now be achieved in Decrypt9 in a more comfortable way by newer dump/decrypt features, but these are still useful for following older tutorials and to work with other tools.

  • NCCH Padgen: This generates XORpads for NCCH/NCSD files ('.3DS' f.e.) from ncchinfo.bin files. Generate the ncchinfo.bin via the included Python script ncchinfo_gen.py (or ncchinfo_tgen.py for theme packs) and place it into the /Decrypt9/ work folder. Use Archshift's XORer to apply XORpads to .3DS files. NCCH Padgen is also used in conjunction with Riku's 3DS Simple CIA Converter. Important Note: Depending on you 3DS console type / FW version and the encryption in your NCCH/NCSD files you may need additional files (see 'Support files' above) and / or seeddb.bin.
  • SD Padgen (SDinfo.bin): This generates XORpads for files installed into the '/Nintendo 3DS/' folder of your SD card. Use the included Python script sdinfo_gen.py and place the the resulting sdinfo.bin into your /Decrypt9/ work folder. If the SD files to generate XORpads for are from a different NAND (different console, f.e.), you also need the respective movable.sed file (dumpable via Dercrypt9) to generate valid XORpads. By now, this feature should only make sense when decrypting stuff from another 3DS - use one of the two features below or the SD Decryptor instead. Use padXORer by xerpi to apply XORpads.
  • SD Padgen (SysNAND dir): This is basically an improved version of the above feature. For typical users, there are two folders in '/Nintendo 3DS/' on the SD card, one belonging to the SysNAND, the other to EmuNAND. This feature will generate XORpads for encrypted content inside the folder belonging to the SysNAND. It won't touch your SysNAND, thus it is not a dangerous feature. A folder selection prompt will allow you to specify exactly the XORpads you want to be generated (use the arrow keys to select). Generating all of them at once is not recommended, because this can lead to several GBs of data and very long processing time.
  • SD Padgen (EmuNAND dir): This is the same as the above feature, but utilizing the EmuNAND folder below '/Nintendo 3DS/' on the SD card. The EmuNAND folder is typically a lot larger than the SysNAND folder, so be careful when selecting the content for which to generate XORpads for.
  • CTRNAND Padgen: This generates a XORpad for the CTRNAND partition inside your 3DS console flash memory. Use this with a NAND (SysNAND/EmuNAND) dump from your console and 3DSFAT16Tool to decrypt and re-encrypt the CTRNAND partition on PC. This is useful for any modification you might want to do to the main file system of your 3DS.
  • TWLNAND Padgen: This generates a XORpad for the TWLNAND partition inside your 3DS console flash memory. Use this with a NAND (SysNAND/EmuNAND) dump from your console and 3DSFAT16Tool to decrypt and re-encrypt the TWLNAND partition on PC. This can be used, f.e. to set up the SudokuHax exploit.
  • FIRM0FIRM1 Padgen: This generates the combined XORpad for the FIRM0 and FIRM1 partitions inside your 3DS console flash memory. Use this with a NAND (SysNAND/EmuNAND) dump from your console and 3DSFAT16Tool to decrypt and re-encrypt the FIRM0 / FIRM1 partition on PC. This is useful f.e. for manual installation of the arm9loaderhax exploit.

Titlekey Options

This category includes all titlekey related features. Decrypted titlekeys (decTitleKeys.bin) are used to download software from CDN via the included Python script cdn_download.py and PlaiCDN. Encrypted titlekeys are used, for the same purpose, by FunKeyCIA. You may also view the (encrypted or decrypted) titlekeys via print_ticket_keys.py.

  • Titlekey Decrypt (file): First, generate the encTitleKeys.bin via the included Python script dump_ticket_keys.py and place it into the /Decrypt9/ work folder. This feature will decrypt the file and generate the decTitleKeys.bin, containing the decrypted titlekeys.
  • Titlekey Decrypt (SysNAND): This will find and decrypt all the titlekeys contained on your SysNAND, without the need for additional tools. The decTitleKeys.bin file will be generated on your SD card.
  • Titlekey Decrypt (EmuNAND): This will find and decrypt all the titlekeys contained on your EmuNAND, without the need for additional tools. The decTitleKeys_emu.bin file will be generated on your SD card.
  • Titlekey Encrypt (file): This feature takes a decTitleKeys.bin file and encrypts it to encTitleKeys.bin. This is useful to convert between the two formats, to make sure you have the right format for the tools you use.
  • Titlekey Dump (SysNAND): This will find all the titlekeys contained on your SysNAND and dump them, without the additional step of decryption, to encTitleKeys.bin.
  • Titlekey Dump (EmuNAND): This will find all the titlekeys contained on your EmuNAND and dump them, without the additional step of decryption, to encTitleKeys_emu.bin.

SysNAND / EmuNAND Options

This is actually two categories in the main menu, but the functionality provided the same (for SysNAND / EmuNAND respectively). These categories include all features that dump, inject, modify or extract information from/to the SysNAND/EmuNAND. For functions that output files to the SD card, the user can choose a filename from a predefined list. For functions that use files from the SD card for input, the user can choose among all candidates existing on the SD card. For an extra layer of safety, critical(!) features - meaning all features that actually introduce change to the NAND - are protected by a warning message and an unlock sequence that the user has to enter. Caution is adviced with these protected features. They should only be used by the informed user.

  • (Sys/Emu)NAND Backup & Restore: This contains multiple options to backup or restore your SysNAND or EmuNAND. The submenu contains the following entries:
    • NAND Backup: Dumps the NAND.bin file from your SysNAND or the ÈmuNAND.bin file from your EmuNAND. This is a full backup of your 3DS System NAND and can be used to restore your 3DS SysNAND / EmuNAND to a previous state or for modifications.
    • NAND Backup (minsize): Same as the above option, but only dumps the actually used size of the NAND (the remainder is only unused data). Use this instead of the above to save some space on your SD card.
    • NAND Restore(!): This fully restores your SysNAND or EmuNAND from the provided NAND.bin file (needs to be in the /Decrypt9/ work folder or in the SD card root). Although backups will be checked before restoring, be careful not to restore a corrupted NAND.bin file. Also note that you won't have access to this feature if your SysNAND is too messed up or on a too high FW version to even start Decrypt9 (should be self explanatory).
    • NAND Restore (forced)(!): Same as the above option, but skips most safety checks. This is not recommended to be used without being properly informed. Keep in mind that, if the above option stops you from restoring a NAND backup, it is normally with good reason and means a prevented brick.
    • NAND Restore (keep a9lh)(!): Only available on SysNAND, this is the same as the standard (unforced) restore option, but keeps all your arm9loaderhax files intact. Only use if you actually have arm9loaderhax installed.
    • Validate NAND Dump: Use this to check and verify NAND dumps on your SD card. If this check passes on a NAND dump, you will also be able to restore it via the standard restore option.
  • Partition Dump...: This allows you to dump & decrypt any of the partitions inside your NANDs (TWLN / TWLP / AGBSAVE / FIRM0 / FIRM1 / CTRNAND). Partitions with a file system (TWLN / TWLP / CTRNAND) can easily be mounted, viewed and edited on Windows via OSFMount. These partitions are included in your NAND and can be dumped by this feature:
    • TWLN: TWL-NAND FAT16 File System - this is the same as on a Nintendo DSi console. Installed DSiWare titles reside in this partition. This partition can be used, f.e. to set up SudokuHax.
    • TWLP: TWL-NAND PHOTO FAT12 File System - this is a Nintendo DSi specific partition for storing photos.
    • AGBSAVE: AGB_FIRM GBA savegame - this contains a temporary copy of the current GBA games savegame.
    • FIRM0: Firmware partition - this is here for development purposes only and should not be changed by users.
    • FIRM1: Firmware partition backup - usually an exact copy of FIRM0.
    • CTRNAND: CTR-NAND FAT16 File System - this contains basically you complete 3DS setup. Titles installed to the NAND reside here, and you can extract basically any file of interest from this partition.
  • Partition Inject...(!): This allows you to reencrypt & inject any of the partitions on your NAND from the respective files (TWLN.bin / TWLP.bin / AGBSAVE.bin / FIRM0.bin / FIRM1.bin / CTRNAND.bin) (see above). Only use this if you know exactly what you're doing and be careful. While there are some safety clamps in place, they won't protect you from a major messup caused by yourself.
  • File Dump...: This allows you to directly dump & decrypt various files of interest from your SysNAND and EmuNAND. These files are included in this feature:
    • ticket.db: Contains titlekeys for installed titles - use this with Cearps FunkyCIA to download installed (legit, purchased) titles directly to your PCs ard drive.
    • title.db: A database of installed titles - apart from informative purposes this doesn't serve a direct purpose for most users at the moment.
    • import.db: A database of titles to be installed - this can be used to get rid of the FW update nag at a later time. Read more on it in this GBAtemp thread.
    • certs.db: A database of certificates - any practical use for this is unknown at the moment.
    • SecureInfo_A: This contains your region and an ASCII serial number - this can be used to temporarily change your 3DS region. The dump / inject options in Decrypt9 simplify the tutorial found here.
    • LocalFriendCodeSeed_B: This contains your FriendCodeSeed - in theory this can be used to import your friend list to another 3DS.
    • movable.sed: This contains the keyY for decryption of data on the SD card - Decrypt9 itself uses this in the SD Decryptor / Encryptor and in SD padgen.
    • seedsave.bin: Contains the seeds for decryption of 9.6x seed encrypted titles - only the seeds for installed (legit, purchased) titles are included in this. Use SEEDconv (recommended) or the included Python script seeddb_gen.py to extract the seeds from this into the Decrypt9 readable seeddb.bin.
    • nagsave.bin: Contains some data relating to system updates - it is possible to block automatic system updates (ie. the 'update nag') with this file. Research is still in progress. Read this and the posts after it for more information.
    • nnidsave.bin: Contains your NNID data - this can be used to reset / remove the NNID from your system, without removing any other data. See here for instructions.
    • friendsave.bin: Contains your actual friendlist - this can be used to backup and restore your friendlist in conjunction with LocalFriendCodeSeed_B. Also see here.
  • File Inject...(!): This allows you to directly encrypt & inject various files of interest into the SysNAND and EmuNAND. For more information check out the list above.
  • Health&Safety Dump: This allows you to to dump the decrypted Health and Safety system app to your SD card. The dumped H&S app can be used to create injectable files for any homebrew software.
  • Health&Safety Inject(!): This is used to inject any app into your Health & Safety system app (as long as it is smaller than the original H&S app). Multiple safety clamps are in place, and this is a pretty safe feature. Users are still adviced to be cautious using this and only use eiter the original hs.app or inject apps created with the Universal Inject Generator. This feature will detect all injectable apps on the SD card and let the user choose which one to inject.
  • Update SeedDB: Use this to create or update the ´seeddb.bin´ file on your SD card with the seeds currently installed in your Sys/EmuNAND. Only new seeds will get added to seeddb.bin, seeds already in the database stay untouched.

Game Decryptor Options

This category includes all features that allow the decryption (and encryption) of external and internal game files. Game files are any files that contain games and other software. Typical game file extensions are .CIA, .3DS and .APP. Game files are directly processed - the encrypted versions are overwritten with the decrypted ones and vice versa, so keep backups. The standard work folder for game files is /D9Game/, but if that does not exist, game files are processed inside the /Decrypt9/ work folder.

  • NCCH/NCSD Decryptor: Use this to fully decrypt all NCCH / NCSD files in the folder. Files with .3DS and .APP extension are typically NCCH / NCSD files. A full decryption of a .3DS file is otherwise also known as cryptofixing. Important Note: Depending on you 3DS console type / FW version and the encryption in your NCCH/NCSD files you may need additional files key files (see 'Support files' above) and / or seeddb.bin.
  • NCCH/NCSD Encryptor: Use this to (re-)encrypt all NCCH / NCSD files in the folder using standard encryption (f.e. after decrypting them). Standard encryption can be processed on any 3DS, starting from the lowest firmware versions. On some hardware, .3DS files might need to be encrypted for compatibility.
  • CIA Decryptor (shallow): Use this to decrypt, for all CIA files in the folder, the first layer of CIA decryption. The internal NCCH encryption is left untouched.
  • CIA Decryptor (deep): Use this to fully decrypt all CIA files in the folder. This also processes the internal NCCH encryption. Deep decryption of a CIA file is otherwise known as cryptofixing. This also may need additional key files and / or seeddb.bin, see 'Support files' above.
  • CIA Decryptor (CXI only): This is the same as CIA Decryptor (deep), but it does not process the 'deep' NCCH encryption for anything but the first CXI content. On some hardware, fully deep decrypted CIA files might not be installable, but CIA files processed with feature will work.
  • CIA Encryptor (NCCH): Use this to encrypt the NCCH containers inside of the CIA files in the folder. NCCH encryption is required, for example, for system CIA files to be installable.
  • BOSS Decryptor: Use this to decrypt BOSS files, which are typically received via Spotpass. This feature will decrypt all encrypted BOSS files (with a valid BOSS header) found in the folder.
  • BOSS Encryptor: Use this to encrypt BOSS files. This feature will encrypt all unencrypted BOSS files (with a valid BOSS header) found in the folder.
  • SD Decryptor/Encryptor: Use this to decrypt or encrypt 'SD files'. SD files are titles, extdata and databases found inside the /Nintendo 3DS/<id0>/<id1>/ folder. For this feature to work, you need to manually copy the file(s) you want to process. Copy them with their full folder structure (that's everything after /Nintendo 3DS/<id0>/<id1>/) to the work / game folder. This feature should by now only be useful to encrypt content, decryption is much easier handled by the two features below.
  • SD Decryptor (SysNAND dir): An improved version of the feature above. This allows you to select content from '/Nintendo 3DS/' (more specifically from the subfolder belonging to SysNAND) to be directly copied to your work / game folder and then decrypted from there.
  • SD Decryptor (EmuNAND dir): This has the same functionality as the feature above, but handles the content of the '/Nintendo 3DS/' subfolder belonging to the EmuNAND instead.

Maintenance Options

This category includes special features which allow you to test and manage Decrypt9 internal functionality.

  • System Info: Displays various information about your 3DS and SD card on screen. Used for informational purposes and to test if information is available.
  • Create Selftest Reference: Run this first on a known working entrypoint to generate the selftest reference data. This will create a file called d9_selftest.ref inside your SD card root or work folder.
  • Run Selftest: Run the actual selftest (must have created the reference data before). This will create or update a file called d9_selftest.lst on your SD card root or work folder. Note: on O3DS failed ncch_sec3_key, ncch_sec4_key and nand_ctrn_key tests are normal and expected. On O3DS <= FW 7.0, ncch_7x_key may fail. On N3DS and O3DS ncch_sec4_key may fail. With all key files (see 'Support files' available, no test should fail. This is used, for example, to assure that everything works as intended on a new entrypoint.
  • Build Key Database: This is used to build the aeskeydb.binfile from all available slot0x??key?.bin files. It will also process files that are not used by Decrypt9. With the aeskeydb.binavailable, Decrypt9 can load keys from it and doesn't need the slot0x??key?.bin files anymore.
  • De/Encrypt Key Database: By default, the aeskeydb.bin created in Decrypt9 is encrypted, and the keys in it are not readable via a Hex Editor. Use this to either decrypt an encrypted database, or to encrypt a decrypted one. Note that Decrypt9 can load keys from both.

Credits by Archshift

  • Roxas75 for the method of ARM9 code injection
  • Cha(N), Kane49, and all other FatFS contributors for FatFS
  • Normmatt for sdmmc.c as well as project infrastructure (Makefile, linker setup, etc)
  • Relys, sbJFn5r for the decryptor

Credits by d0k3

  • Everyone mentioned by Archshift above
  • Archshift for starting this project and being a great project maintainer
  • b1l1s, Normmatt for their 'behind-the-scenes' work and for making arm9loaderhax support possible
  • patois, delebile, SteveIce10 for Brahma and it's updates
  • mid-kid for CakeHax and for hosting freenode #Cakey
  • Shadowtrance, dark_samus3, Syphurith, AuroraWright for being of great help developing this
  • profi200 for helpful hints that first made developing some features possible
  • Datalogger, zoogie, atkfromabove, mixups, key1340, k8099, Al3x_10m, Supster131, stbinan, Wolfvak, Gelex and countless others from freenode #Cakey and the GBAtemp forums for testing, feedback and helpful hints
  • Everyone I forgot about - if you think you deserve to be mentioned, just contact me

About

Multipurpose content dumper and decryptor for the Nintendo 3DS

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C 90.0%
  • Python 5.6%
  • Objective-C 1.7%
  • C++ 1.1%
  • Other 1.6%