Difference between revisions of "Titles"
Line 12: | Line 12: | ||
Note: While all title data found on the SD Card is encrypted with the console-unique [[nand/private/movable.sed|keyslots]], it is not known whether title data on the NAND has additional encryption. | Note: While all title data found on the SD Card is encrypted with the console-unique [[nand/private/movable.sed|keyslots]], it is not known whether title data on the NAND has additional encryption. | ||
− | The base CTR for files stored under /title is likely based on the /title path, similar to extdata. This base CTR is unique per titleID and | + | The base CTR for files stored under /title is likely based on the /title path, similar to extdata. This base CTR is unique per titleID and filename. The base CTR never changes after creation of each file. |
And the title data is contained in this directory structure: | And the title data is contained in this directory structure: | ||
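Review bot: the added sentence "The base CTR never changes after creation of each file" is stated as fact, while the sentence before it is hedged with "likely". Say how this was observed. It also deserves a short note on why it matters: with a fixed key and a fixed base CTR, a file that is rewritten in place is encrypted under the same keystream as before.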
Line 86: | Line 86: | ||
− | "'''XXXXXXXX.cmd'''" - (file name starts with 00000001.cmd and increases with an increment of "1" for each title version the 3DS is introduced to) This file contains data taken from the title's [[TMD]] during install. | + | "'''XXXXXXXX.cmd'''" - (file name starts with 00000001.cmd and increases with an increment of "1" for each title version the 3DS is introduced to) This file contains data taken from the title's [[TMD]] during install. See the below table for the format of the cleartext .cmd file. [[Title Database|Title.db]] likely contains a hash over this .cmd file, title.db also likely contains the ID for the .cmd filename. In addition it is also encrypted with a console-unique [[AES|keyslot]]. This acts as part of the DRM for installed titles, along with the [[Title Database|title.db]]. |
+ | {| class="wikitable" border="1" | ||
+ | |- | ||
+ | ! Offset | ||
+ | ! Size | ||
+ | ! Description | ||
+ | |- | ||
+ | | 0x0 | ||
+ | | 0x20 | ||
+ | | Header, for TWL .cmd the first 3 words are value 1, the rest of the header is all-zero. | ||
+ | |- | ||
+ | | 0x20 | ||
+ | | 0x18 | ||
+ | | Entries for each content begin here with size 0x18 for each entry, entry size is 0x8 for TWL. | ||
+ | |} | ||
+ | |||
+ | Entries format: | ||
+ | {| class="wikitable" border="1" | ||
+ | |- | ||
+ | ! Start | ||
+ | ! Size | ||
+ | ! Description | ||
+ | |- | ||
+ | | 0x0 | ||
+ | | 0x4 | ||
+ | | Unknown, zero for TWL | ||
+ | |- | ||
+ | | 0x0 | ||
+ | | 0x4 | ||
+ | | Unknown, zero for TWL | ||
+ | |- | ||
+ | | 0x8 | ||
+ | | 0x10 | ||
+ | | AES-CBC MAC over data in the NCCH content? | ||
+ | |} | ||
− | '''"00000001.sav"''' - This is the title's encrypted savegame | + | '''"00000001.sav"''' - This is the title's encrypted savegame. Renaming these savegames causes home-menu to hang while launching titles, modifying these saves results in the same corruption errors as other savegames. |
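Review bot: in the added "Entries format" table, the first two rows both give Start 0x0 with Size 0x4. The field sizes only add up to the stated 0x18 entry size if the second row starts at 0x4, so that row's Start should presumably read 0x4. The first table also gives the entries region a Size of 0x18, which is the per-entry size rather than the size of the region; label it as per-entry or variable.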
Revision as of 03:02, 8 October 2012
Titles installed to the 3DS are installed to either the NAND (System and Application) or the SD Card (Application only), and their respective directory locations are:
NAND:
- nand/title - Title Data
- nand/data/<ID0>/sysdata - Save Data
SD Card:
- sdmc/Nintendo 3DS/<ID0>/<ID1>/title - Title Data/Save Data
ID0 is the first 0x10-bytes from a SHA256 hash.
Note: While all title data found on the SD Card is encrypted with the console-unique keyslots, it is not known whether title data on the NAND has additional encryption.
The base CTR for files stored under /title is likely based on the /title path, similar to extdata. This base CTR is unique per titleID and filename. The base CTR never changes after creation of each file.
And the title data is contained in this directory structure:
NAND Directory Structure:
```
Title Data:
<Title ID High>
└── <Title ID Low>
    ├── 00000000.ctx
    └── content
        ├── <ContentID>.app
        ├── XXXXXXXX.tmd
        └── cmd
            └── XXXXXXXX.cmd

Save Data:
<SaveID0>
└── <SaveID1>
    └── 00000001.sav
```
SD Card Directory Structure:
```
Title Data/Save Data:
<Title ID High>
└── <Title ID Low>
    ├── 00000000.ctx
    ├── content
    │   ├── <ContentID>.app
    │   ├── XXXXXXXX.tmd
    │   └── cmd
    │       └── XXXXXXXX.cmd
    └── data
        └── 00000001.sav
```
The structure differs for DLC Titles:
```
0004008C
└── <Title ID Low>
    ├── 00000000.ctx
    └── content
        ├── XXXXXXXX.tmd
        ├── XXXXXXXX
        │   └── <ContentID>.app
        └── cmd
            └── XXXXXXXX.cmd
```
For a list of 3DS titles see the Title list.
"XXXXXXXX.tmd" - (the file name starts with 00000000.tmd and increases by 1 for each title version the 3DS is introduced to) This is the Title Metadata associated with the title; it is encrypted with a console-unique keyslot. The decrypted TMD is available on Nintendo's CDN server at "http://nus.cdn.c.shop.nintendowifi.net/ccs/download/TitleIDhere/tmd". The CDN version of the TMD has a certificate chain attached at the end, so removing that chain gives you the 1:1 decrypted TMD. After installation the "00000000.tmd" is redundant, because the important title data is extracted and imported into the title.db and ".cmd" files.
"<ContentID>.app" - (the names for these files are taken from the title's TMD) These files are NCCH files, where the entire file is encrypted with a console-unique keyslot (this is on top of the encryption of the NCCH contents). There can be more than one NCCH in this directory: as seen with .CCI files, the game executable (CXI) can be accompanied by additional non-executable NCCH files (CFA) such as the electronic manual and DLP Child containers. The function of an encrypted NCCH is determined by finding the Content Index of the "XXXXXXXX.app" file in the title's TMD (see above for retrieving the decrypted TMD). The Content Index is interpreted as follows*:
Index | Content Type |
---|---|
0000 | Main Executable (.CXI)(In the case of System Data Archives, this is a CFA file) |
0001 | Home Menu Manual (.CFA) |
0002 | DLP Child Container (.CFA) |
* The above table does not apply to DLC content.
Unlike the TMD, a decrypted version of the NCCH files cannot be retrieved from Nintendo's CDN; the NCCH files do exist on Nintendo's CDN but are encrypted. Editing or deleting ".app" files has a visible effect. Deleting or renaming the manual ".app" will cause the manual not to load when clicked on. Deleting or renaming the executable ".app" will cause the application not to load, and the 3D Banner will not show (the banner is loaded each time from the game's executable NCCH when the home menu loads; it is not cached like the icon and name).
"XXXXXXXX.cmd" - (the file name starts with 00000001.cmd and increases by 1 for each title version the 3DS is introduced to) This file contains data taken from the title's TMD during install. See the table below for the format of the cleartext .cmd file. Title.db likely contains a hash over this .cmd file, and likely also contains the ID for the .cmd filename. In addition, the .cmd file is encrypted with a console-unique keyslot. This acts as part of the DRM for installed titles, along with the title.db.
Offset | Size | Description |
---|---|---|
0x0 | 0x20 | Header, for TWL .cmd the first 3 words are value 1, the rest of the header is all-zero. |
0x20 | 0x18 | Entries for each content begin here with size 0x18 for each entry, entry size is 0x8 for TWL. |
Entries format:
Start | Size | Description |
---|---|---|
0x0 | 0x4 | Unknown, zero for TWL |
0x0 | 0x4 | Unknown, zero for TWL |
0x8 | 0x10 | AES-CBC MAC over data in the NCCH content? |
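
The two tables above, turned into a parser for an already decrypted .cmd file; this is an added example, not code from the wiki or from any tool it describes. It assumes 32-bit little-endian words, that the second unknown word sits at 0x4 (the table lists 0x0 twice), and that a 0x8-byte TWL entry holds only the two unknown words; `parse_cmd`, `CmdEntry` and `CmdFile` are hypothetical names and the sample inputs are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

HEADER_SIZE = 0x20
CTR_ENTRY_SIZE = 0x18  # entry size from the table above
TWL_ENTRY_SIZE = 0x08  # TWL entry size from the table above

@dataclass
class CmdEntry:
    unknown0: int
    unknown1: int          # assumed to sit at 0x4 (the table lists 0x0 twice)
    mac: Optional[bytes]   # 0x10-byte field at 0x8; None for TWL entries

@dataclass
class CmdFile:
    is_twl: bool
    header: bytes
    entries: List[CmdEntry]

def parse_cmd(data: bytes) -> CmdFile:
    """Parse a cleartext (already decrypted) .cmd file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated .cmd: header is 0x20 bytes")
    header = data[:HEADER_SIZE]
    # Assumption: words are 32-bit little-endian.
    first_words = struct.unpack_from("<3I", header)
    # TWL rule from the table: first 3 words are 1, rest of header is zero.
    is_twl = first_words == (1, 1, 1) and not any(header[12:])
    entry_size = TWL_ENTRY_SIZE if is_twl else CTR_ENTRY_SIZE
    body = data[HEADER_SIZE:]
    if len(body) % entry_size:
        raise ValueError("entry area is not a multiple of 0x%x bytes" % entry_size)
    entries = []
    for off in range(0, len(body), entry_size):
        unknown0, unknown1 = struct.unpack_from("<2I", body, off)
        mac = None if is_twl else body[off + 0x8:off + 0x18]
        entries.append(CmdEntry(unknown0, unknown1, mac))
    return CmdFile(is_twl, header, entries)

# Constructed sample inputs (not taken from a real console).
SAMPLE_CTR = bytes(HEADER_SIZE) + b"".join(
    struct.pack("<2I", i, i) + bytes([i]) * 0x10 for i in range(2))
SAMPLE_TWL = struct.pack("<3I", 1, 1, 1) + bytes(0x14) + bytes(TWL_ENTRY_SIZE * 3)

if __name__ == "__main__":
    for name, blob in (("CTR", SAMPLE_CTR), ("TWL", SAMPLE_TWL)):
        parsed = parse_cmd(blob)
        print(name, "twl=%s" % parsed.is_twl, "entries=%d" % len(parsed.entries))
```

The length check rejects a file whose entry area does not divide evenly, which is the first sign of decrypting with the wrong keyslot or CTR, or of picking the wrong entry size.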
"00000001.sav" - This is the title's encrypted savegame. Renaming these savegames causes home-menu to hang while launching titles; modifying these saves results in the same corruption errors as other savegames.
"00000000.ctx" - This file, encrypted with a console-unique keyslot, is temporarily stored on the SD card while a title is being downloaded from the eShop; it is deleted after the download is completed. It is presumably moved to NAND once installation is finished. It contains an AP0000000000000000 cert used to sign the data following the cert; this cert is signed by the CTCert.
The unknown signed data is likely an ECDSA public key.
"XXXXXXXX" - This extra directory, found only in DLC titles, contains the DLC NCCH content.