Nintendo 3DS Digital Software Dumping Guide

From No-Intro ~ Wiki
Jump to navigation Jump to search

This is a guide for dumping software installed to the 3DS, not cartridges. For cartridges, see here.

Dumping Methods

To-do:
  • Merge this, if there is anything useful there
  • Update the guide to incorporate the new ctrcdnfetch fork, and also add windows support to that fork
  • Add info about how to download system titles without tickets, as they aren't needed for those

From CDN (Recommended)

Tools

  • A Nintendo (New) {2/3}DS with a method to run "bare-metal" ARM9 software. Methods include having a custom firmware installed or using a DS flashcart with ntrboothax.
  • GodMode9
  • A genuine install of the Game, DLC, or Update you wish to dump, installed on your SD Card or NAND.
  • ctrcdnfetch (commit 203d526)
    • or your can use the updated fork, commit 7266f87, but this only works on linux
  • tmd-printer (requires Python 3)

Dumping

  • Start GodMode9
  • Press the home button
  • Select "title manager"
  • Select "SD Card"
  • For each title you want to dump:
    • Select it from the list
    • Select "Manage title"
    • Select "Dump ticket file"
    • It should say its copied it to 0:/gm9/out, which is a location on the SD Card. When it prompts you to press A after this, do so.
  • Copy the tickets from your 3DS SD card to your PC.
  • In the command line, run ctrcdnfetch --response [ticket filename] and once it has downloaded the tmd, cancel the download.
  • Check what version number is listed in the tmd by using tmd-printer -version [tmd filename]
  • Delete the tmd
  • Start a new download, with the tmd version specified using ctrcdnfetch --response --version [version number] [ticket filename]
  • Copy the output into a txt file so you can get the HTTP response headers.
  • The newly downloaded tmd should have the version number appended to its filename
  • Delete the cetk file produced (its a "fake" ticket)
  • Hash the tmd and contents files

Homebrew-enabled 3DS (Dumping from Console)

Tools

  • A Nintendo (New) {2/3}DS with a method to run "bare-metal" ARM9 software. Methods include having a custom firmware installed or using a DS flashcart with ntrboothax.
  • GodMode9
  • The Game, DLC, or Update you wish to dump, installed on your SD Card or NAND.

Dumping

  • Run GodMode9 via your preferred method.
  • Navigate into "[A:] SYSNAND SD"
  • Scroll down to "title"
  • Press Home, then choose "Title Manager"
  • Select a title, choose "Build CIA (legit)". This will put a .cia file containg the title data into /gm9/out/. If it asks about the ticket, choose not to include a real ticket.
  • Navigate to /gm9/out/ and select the CIA, choose "CIA image options", then "Verify file". Note down if it succeeds or not.
  • [todo: extract relevant data from the CIA using ctrtool]

Alternatively, you can copy the contents from the SYSNAND title folders directly, and re-encrypt on PC:

In order to encrypt your decrypted (.app) contents into CDN-format encrypted contents,
you must first decrypt the encrypted title key of your title, which may be found within
the title's .tik or cetk file (the ticket).

Technically, this title key may be found in a number of different places depending on
your ticket, though in practice, it is always found from offsets 0x1BF to 0x1CE in Wii,
DSi, 3DS, and Wii U tickets, and is always 16 (0x10) bytes long. More information on
ticket structure and format may be found at https://wiibrew.org/wiki/Ticket (Wii/DSi) or
https://www.3dbrew.org/wiki/Ticket (3DS/Wii U)

An easy way I have found to decrypt a title key is to copy it into a file (AS HEX, NOT
TEXT) called "enckey.bin" (or whatever you want) and use OpenSSL to run the command
"openssl aes-128-cbc -d -in enckey.bin -out deckey.bin -K [COMMON_KEY] -iv [TITLE_ID]0000000000000000 -nopad"
on it. Here, "[COMMON_KEY]" should be replaced with your console's common key. This is
always the same for Wii, DSi, and Wii U, but could be one of many for 3DS depending on the
ticket. Replace "[TITLE_ID]" with your title's title ID and append the 16 zeroes to it.
You do not actually have to append the zeroes here or later, but I do it anyways because
I'm pedantic about it.

Next, you must get the content index of the content you want to encrypt. These can be
found in your title's TMD file in the "content chunk records". These start at 0x1E4 for
Wii and DSi TMDs, and are each 36 (0x24) bytes long, and start at 0xB04 for 3DS and Wii
U, and are each 48 (0x30) bytes long. There is one of these for each content file in a
TMD. They each start off with four bytes for the name of the content and then two bytes
for its content index. More details can be found at https://wiibrew.org/wiki/Title_metadata
(Wii/DSi) or https://www.3dbrew.org/wiki/Title_metadata (3DS/Wii U)
Now, you can encrypt your contents. For this, I use the command
"openssl aes-128-cbc -e -in [DECRYPTED_CONTENTS] -out [ENCRYPTED_CONTENTS] -K [DEC_TITLE_KEY]
-iv [CONTENT_INDEX]0000000000000000000000000000 -nopad". Replace "[DEC_TITLE_KEY]" with your
title's decrypted title key and "[CONTENT_INDEX]" with the specific content's 2-byte content
index, appending the 28 zeroes. Do this for each of your contents, remembering to change
the content index each time, to get your CDN-format encrypted contents.

Then re-add the TMD retail certificate chain* to the end of the tmd. Here is a 7-zip archive with the footer inside.
(*size 1792 sha256 915F773A0782D427C4CEF5492533E8ECF6FEA1EB8CCF596E69BA2A388D738AE1)

These are the relevant common keys: https://github.com/GerbilSoft/rom-properties/blob/5c16a08f6cab16625ccf3cf6ce80a4708aa03bdc/doc/keys.conf.example#L73

Gathering Dump Info

[todo]

Submitting Dump Info

Register on the forum (if you aren't already registered) and once your account has been activated, post the info in the "New Dumps & Redumps" sub-forum. Or if this is a one-off submission, you can use one of the other contact methods listed on the main page.

Or if you have a login for it, you can submit the dump info directly to the DAT-o-MATIC database.

Note: DAT-o-MATIC supports importing XMLs in this format directly: https://datomatic.no-intro.org/stuff/example_upload_custom.xml, although there isn't a proper specification (or tool to generate this format from folder(s)/file(s)) yet