Difference between revisions of "System Settings"
EvilFlight (talk | contribs) (System Settings svcBreak) |
|||
(4 intermediate revisions by 2 users not shown) | |||
Line 111: | Line 111: | ||
When managing 3DS Software installed to the SD Card, the [[Title Database|title.db]] is read by the core receiving [[Application Manager Services PXI|AM]] commands. From the title.db file, AM gets a list of installed titles, title sizes and the name of the ".cmd" file for each title, which is used to check the authenticity of the title data(product code, title version, and if an electronic manaual is used, is also kept for each title, in the title.db, but won't be used by the Data Management Utility). For each title listed, it checks if the title is authentic(via the .cmd file). If the title passes authentication, Data Management decrypts/reads the ICN data from the executable NCCH([[CXI]]) and displays it along with the archived title size. If a title doesn't pass authentication, a placeholder icon(light grey with a '?' in the center), name ('????????') and a size of zero are used. Deleting titles removes the title data from the title.db and import.db, and deletes the directory of the content. | When managing 3DS Software installed to the SD Card, the [[Title Database|title.db]] is read by the core receiving [[Application Manager Services PXI|AM]] commands. From the title.db file, AM gets a list of installed titles, title sizes and the name of the ".cmd" file for each title, which is used to check the authenticity of the title data(product code, title version, and if an electronic manaual is used, is also kept for each title, in the title.db, but won't be used by the Data Management Utility). For each title listed, it checks if the title is authentic(via the .cmd file). If the title passes authentication, Data Management decrypts/reads the ICN data from the executable NCCH([[CXI]]) and displays it along with the archived title size. If a title doesn't pass authentication, a placeholder icon(light grey with a '?' in the center), name ('????????') and a size of zero are used. Deleting titles removes the title data from the title.db and import.db, and deletes the directory of the content. | ||
+ | |||
+ | Additionally, if a CTR-NAND or TWL-NAND installed title passes authentication, but has a fake-signed ticket, System Settings will call "[[SVC|svcBreak]]" upon entering Data Management -> 3DS | DSiWare. Barring patched RSA sig checks, this will prevent a user from viewing the 3DS and/or DSiWare Data Management menu depending on which NAND(s) the offending title(s) is installed. This phenomenon has been known to lock users out of executing widely used exploits like [https://github.com/zoogie/Bannerbomb3 Bannerbomb3], which need access to Data Management to trigger. | ||
=== DSiWare === | === DSiWare === | ||
Line 134: | Line 136: | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
− | ! System | + | ! System version, for the mset title |
! Parental controls reset functionality version | ! Parental controls reset functionality version | ||
− | ! | + | ! Inquiry number length |
! Notes | ! Notes | ||
|- | |- | ||
| [[1.0.0-0|1.0.0-X]] - [[6.3.0-12|6.3.0-X]] | | [[1.0.0-0|1.0.0-X]] - [[6.3.0-12|6.3.0-X]] | ||
| v0 | | v0 | ||
− | | | + | | 8 |
| Mostly inherited from the Wii/DSi algorithm which used CRC-32 (0xEDB88320) with custom XOR-out (0xAAAA). 0x14C1 was added to produce the final result. | | Mostly inherited from the Wii/DSi algorithm which used CRC-32 (0xEDB88320) with custom XOR-out (0xAAAA). 0x14C1 was added to produce the final result. | ||
Line 154: | Line 156: | ||
| [[7.0.0-13|7.0.0-X]] - [[7.1.0-16|7.1.0-X]] | | [[7.0.0-13|7.0.0-X]] - [[7.1.0-16|7.1.0-X]] | ||
| v1 | | v1 | ||
− | | 8 | + | | 10 |
− | + | | Introduced a new scheme using HMAC-SHA-256. The HMAC key is loaded from mset .rodata, and differs between regions. | |
+ | |||
+ | The inquiry number was bumped from 8 digits to 10 digits, but the same function is used to generate the digits as in v0 (derived from MAC address). | ||
+ | |||
+ | All digits of the inquiry number are now actually used in the master key derivation function, as the string format is now "%02u%02u%010u" (month, day, inquiry number). This buffer is hashed (as above), and a little-endian word is read from the start of the output hash. The low 5 decimal digits of this word are used as the master key. | ||
|- | |- | ||
| [[7.2.0-17|7.2.0-X]] - current | | [[7.2.0-17|7.2.0-X]] - current | ||
| v2 | | v2 | ||
| 10 | | 10 | ||
− | | The | + | | Extension of v1 featuring a number of changes which serve to obscure the HMAC key used. |
+ | |||
+ | The HMAC key is now stored in a separate file stored in the CVer RomFS, called [[CVer#masterkey.bin|masterkey.bin]]. This is used to update the key independently of the mset title. In order to make this possible, a scheme was devised to encode the required key within the inquiry number - the first digit denotes region, and the next two digits represent the key version. These values match up with values stored in the masterkey.bin header. For compatibility with v1 (as inquiry number length did not change), the version values begin at 10 - when parsing an inquiry number, a "version" of less than 10 should be handled as algorithm v1. | ||
+ | |||
+ | The HMAC key is now also encrypted in masterkey.bin. This uses AES-128-CTR using a (normal) key in mset .rodata (which differs between regions), with the initial counter value also stored in masterkey.bin. | ||
+ | |||
+ | At some point, Nintendo chose to "abandon" the original JPN region ID (0), and moved to region ID 9 instead (which usually doesn't exist). It is unknown why they made this change, as the AES key used for both of these IDs is the same. | ||
|} | |} | ||
Line 252: | Line 264: | ||
| 0x10 | | 0x10 | ||
| Reserved | | Reserved | ||
+ | |} | ||
+ | |||
+ | == Launch parameters == | ||
+ | System Settings can start at specific menus when certain parameters are given. | ||
+ | |||
+ | <nowiki>*</nowiki> - returns to settings menu instead of rebooting | ||
+ | |||
+ | {| class="wikitable" border="1" | ||
+ | |- | ||
+ | ! Value | ||
+ | ! Action | ||
+ | |- | ||
+ | | 0x01 | ||
+ | | Initial setup (system not actually formatted, music plays earlier) | ||
+ | |- | ||
+ | | 0x10 | ||
+ | | Internet Settings -> Connection Settings | ||
+ | |- | ||
+ | | 0x11 | ||
+ | | Internet Settings -> Other Information | ||
+ | |- | ||
+ | | 0x6e | ||
+ | | Internet Settings -> Connection Settings | ||
+ | |- | ||
+ | | 0x6f | ||
+ | | Parental Controls | ||
+ | |- | ||
+ | | 0x70 | ||
+ | | Parental Controls birthday entry | ||
+ | |- | ||
+ | | 0x71 | ||
+ | | Data Management | ||
+ | |- | ||
+ | | 0x72 | ||
+ | | 3DS Software Management | ||
+ | |- | ||
+ | | 0x73 | ||
+ | | 3DS Extra Data Management | ||
+ | |- | ||
+ | | 0x74 | ||
+ | | DSiWare Management | ||
+ | |- | ||
+ | | 0x75 | ||
+ | | StreetPass Management | ||
+ | |- | ||
+ | | 0x76 | ||
+ | | Internet Settings* | ||
+ | |- | ||
+ | | 0x77 | ||
+ | | Other Settings, second-to-last page* | ||
+ | |- | ||
+ | | 0x78 | ||
+ | | Touch Screen calibration | ||
+ | |- | ||
+ | | 0x79 | ||
+ | | Circle Pad calibration | ||
+ | |- | ||
+ | | 0x7a | ||
+ | | System Update | ||
+ | |- | ||
+ | | 0x7b | ||
+ | | System Update | ||
+ | |- | ||
+ | | 0x7c | ||
+ | | Format System Memory* | ||
|} | |} |
Latest revision as of 05:00, 18 January 2023
System Settings allows you to manage various settings, use System Transfer, and use Data Management.
All applications(CTR/TWL) launched by System Settings are launched via APT:PrepareToDoApplicationJump/APT:DoApplicationJump, such as DS INTERNET and System Transfer.
Accessible services[edit]
Service | Last seen on version |
---|---|
fs:USER | v8202 |
gsp:Gpu | v8202 |
ndm:u | v8202 |
APT:A | v8202 |
ac:i | v8202 |
act:a | v8202 |
am:sys | v8202 |
boss:P | v8202 |
cam:s | v8202 |
cecd:s | v8202 |
cfg:nor | v8202 |
dsp::DSP | v8202 |
frd:a | v8202 |
gsp::Lcd | v8202 |
http:C | v8202 |
mic:u | v8202 |
news:s | v8202 |
nim:u | v8202 |
ns:s | v8202 |
nwm::EXT | v8202 |
nwm::INF | v8202 |
nwm::SOC | v8202 |
ptm:gets | v8202 |
ptm:sysm | v8202 |
soc:P | v8202 |
soc:U | v8202 |
ssl:C | v8202 |
y2r:u | v8202 |
qtm:s | v8202 |
cfg:i | v8202 |
hid:SPVR | v8202 |
Data Management[edit]
3DS[edit]
Here you can manage 3DS extra data, and 3DSWare/"Software".
When managing 3DS Software installed to the SD Card, the title.db is read by the core receiving AM commands. From the title.db file, AM gets a list of installed titles, title sizes and the name of the ".cmd" file for each title, which is used to check the authenticity of the title data(product code, title version, and if an electronic manaual is used, is also kept for each title, in the title.db, but won't be used by the Data Management Utility). For each title listed, it checks if the title is authentic(via the .cmd file). If the title passes authentication, Data Management decrypts/reads the ICN data from the executable NCCH(CXI) and displays it along with the archived title size. If a title doesn't pass authentication, a placeholder icon(light grey with a '?' in the center), name ('????????') and a size of zero are used. Deleting titles removes the title data from the title.db and import.db, and deletes the directory of the content.
Additionally, if a CTR-NAND or TWL-NAND installed title passes authentication, but has a fake-signed ticket, System Settings will call "svcBreak" upon entering Data Management -> 3DS | DSiWare. Barring patched RSA sig checks, this will prevent a user from viewing the 3DS and/or DSiWare Data Management menu depending on which NAND(s) the offending title(s) is installed. This phenomenon has been known to lock users out of executing widely used exploits like Bannerbomb3, which need access to Data Management to trigger.
DSiWare[edit]
See DSiWare Exports.
System Format[edit]
Most of the System Format is done with FS:InitializeCtrFileSystem. This command updates the high u64 of the keyY stored in movable.sed. Since this keyY was updated, the data stored on SD card(sdmc/Nintendo 3DS/<ID0>/<ID1>) and the data under nand/data/<ID0> is rendered useless, since that data used the old keyY. Since that data is no longer usable, the system then deletes the two above SD/NAND directories.
When you first enter the System Format menu, it will check if a NNID is linked. If there's a linked-NNID, it will then display: "Are you ready to connect to the Internet to check whether data can be formatted"? Continuing will only result in connecting to wifi for checking in with Nintendo's servers, which may fail if the console is banned. Once that's done it will continue with the usual system-format messages; proceeding will result in the NNID cookie, potentially still present on NAND backups or multiboot scenarios, being invalidated until the next sign-in (at which point even old sessions will be valid again).
System Updater[edit]
The system updater title is identical to the regular system settings, except only system update is accessible with this. On dev units, this title can only be launched under certain conditions.
On retail units, this title is accessible in scenarios where you have to update via the Internet to use certain 3DS software other than the home menu. i.e. using the eShop, on a system version less than the current one. When one selects "Cancel" from here on retail, the system will shutdown. NS launches SAFE_MODE_FIRM for running this title, when the UPDATEFLAG is set during system boot.
Exiting System Settings[edit]
Upon exit, the system reboots instead of simply returning to home menu.
Parental Controls Reset[edit]
The following refers to the functionality which generates the Parental Controls "Master Key".
System version, for the mset title | Parental controls reset functionality version | Inquiry number length | Notes |
---|---|---|---|
1.0.0-X - 6.3.0-X | v0 | 8 | Mostly inherited from the Wii/DSi algorithm which used CRC-32 (0xEDB88320) with custom XOR-out (0xAAAA). 0x14C1 was added to produce the final result.
For the 3DS algorithm, only constants were changed: the polynomial was changed to 0xEDBA6320 and the addition constant became 0x1657. The input to either function is an ASCII string of the format "%02u%02u%04u" where the parameters are month, day, and low 4 digits of the inquiry number. The low 5 decimal digits from the output u32 are then used for the master key. Because of the date being used in the algorithm, this results in the master key only being valid on a particular day, though this is trivially defeated by setting the system time to the correct date that the key was generated on. This had a minor refactor in 6.0.0-X but is functionally identical. |
7.0.0-X - 7.1.0-X | v1 | 10 | Introduced a new scheme using HMAC-SHA-256. The HMAC key is loaded from mset .rodata, and differs between regions.
The inquiry number was bumped from 8 digits to 10 digits, but the same function is used to generate the digits as in v0 (derived from MAC address). All digits of the inquiry number are now actually used in the master key derivation function, as the string format is now "%02u%02u%010u" (month, day, inquiry number). This buffer is hashed (as above), and a little-endian word is read from the start of the output hash. The low 5 decimal digits of this word are used as the master key. |
7.2.0-X - current | v2 | 10 | Extension of v1 featuring a number of changes which serve to obscure the HMAC key used.
The HMAC key is now stored in a separate file stored in the CVer RomFS, called masterkey.bin. This is used to update the key independently of the mset title. In order to make this possible, a scheme was devised to encode the required key within the inquiry number - the first digit denotes region, and the next two digits represent the key version. These values match up with values stored in the masterkey.bin header. For compatibility with v1 (as inquiry number length did not change), the version values begin at 10 - when parsing an inquiry number, a "version" of less than 10 should be handled as algorithm v1. The HMAC key is now also encrypted in masterkey.bin. This uses AES-128-CTR using a (normal) key in mset .rodata (which differs between regions), with the initial counter value also stored in masterkey.bin. At some point, Nintendo chose to "abandon" the original JPN region ID (0), and moved to region ID 9 instead (which usually doesn't exist). It is unknown why they made this change, as the AES key used for both of these IDs is the same. |
ExtData[edit]
The ExtData File System for System Settings is as follows:
root ├── icon ├── boss └── user ├── Backup.dat └── MsetExt.dat
File | Details | Size | FW Introduced | Plaintext |
---|---|---|---|---|
icon | Stubbed. Always image 00000002. | 0x4 Bytes | n/a | |
MsetExt.dat | DSiWare Exports Management | 0x960 Bytes | 2.0.0-2 | Download |
Backup.dat | SD Savedata Backups Management | 0xf5a0 Bytes | 6.0.0-11 | Download |
MsetExt.dat[edit]
This keeps a record for the DSiWare Exports for a maximum of 300 exports. Each record is in the format:
OFFSET | SIZE | DESCRIPTION |
---|---|---|
0 | 4 | Game Code in Little Endian |
0x4 | 4 | Reserved |
All unused entries are filled with "0xff".
Backup.dat[edit]
This keeps a record for the 30 save data backup slots for SD Savedata Backups. Each entry corresponds to an individual backup slot.
Entry:
OFFSET | SIZE | DESCRIPTION |
---|---|---|
0x000 | 8 | Reserved |
0x8 | 0x800 (0x80*16) | 16 UTF-16 Title Strings |
0x808 | 8 | Title ID |
0x810 | 8 | Unknown |
0x818 | 8 | Total Save Data Size |
0x820 | 0x10 | Reserved |
Launch parameters[edit]
System Settings can start at specific menus when certain parameters are given.
* - returns to settings menu instead of rebooting
Value | Action |
---|---|
0x01 | Initial setup (system not actually formatted, music plays earlier) |
0x10 | Internet Settings -> Connection Settings |
0x11 | Internet Settings -> Other Information |
0x6e | Internet Settings -> Connection Settings |
0x6f | Parental Controls |
0x70 | Parental Controls birthday entry |
0x71 | Data Management |
0x72 | 3DS Software Management |
0x73 | 3DS Extra Data Management |
0x74 | DSiWare Management |
0x75 | StreetPass Management |
0x76 | Internet Settings* |
0x77 | Other Settings, second-to-last page* |
0x78 | Touch Screen calibration |
0x79 | Circle Pad calibration |
0x7a | System Update |
0x7b | System Update |
0x7c | Format System Memory* |