Difference between revisions of "Titles"

From 3dbrew
Jump to navigation Jump to search
Line 89: Line 89:
  
 
"'''<ContentID>.cmd'''" - (The Content ID is a u32, initially: '''00000001''' when the title is first installed. Changing by an increment of +'''0x1''' for each time the 3DS adds/removes '.app' files) This file contains data taken from the title's [[TMD]]. See the below table for the format of the cleartext .cmd file. The [[Title Database|Title.db]] contains the Content ID for the '.cmd' file, but does not contain a hash of the '.cmd' file. In addition it is also encrypted with a console-unique [[AES|keyslot]]. This acts as part of the DRM for installed titles, along with the [[Title Database|title.db]].
 
"'''<ContentID>.cmd'''" - (The Content ID is a u32, initially: '''00000001''' when the title is first installed. Changing by an increment of +'''0x1''' for each time the 3DS adds/removes '.app' files) This file contains data taken from the title's [[TMD]]. See the below table for the format of the cleartext .cmd file. The [[Title Database|Title.db]] contains the Content ID for the '.cmd' file, but does not contain a hash of the '.cmd' file. In addition it is also encrypted with a console-unique [[AES|keyslot]]. This acts as part of the DRM for installed titles, along with the [[Title Database|title.db]].
 +
 +
The below AES-MACs(including the last 0x10-bytes of the header) are only used for SD titles, and for NAND [[Title_list|download-play]] titles. For other titles, these MACs are set to all-zero.
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 102: Line 104:
 
| 0x4
 
| 0x4
 
| 0x1C
 
| 0x1C
| For NAND titles' .cmd these 2 words are usually value 1, the rest of the header is all-zero. For SD titles the last 0x10-bytes of this header is an AES MAC?
+
| For NAND titles' .cmd these 2 words are usually value 1, the rest of the header is all-zero. The last 0x10-bytes of this header is an AES MAC?
 
|-
 
|-
 
| 0x20
 
| 0x20
Line 110: Line 112:
 
| 0x20+0x8*(No. of entries)
 
| 0x20+0x8*(No. of entries)
 
| 0x10*(No. of entries)
 
| 0x10*(No. of entries)
| These are MACs, one for each content. These MACs are only stored in .cmd for SD titles.
+
| These are MACs, one for each content.
 
|}
 
|}
  

Revision as of 02:36, 26 January 2014

Titles installed to the 3DS are installed to either the NAND(System and Application) or SD Card(Application only), and their respective directory locations are:

NAND:

  • nand/title - Title Data
  • nand/data/<ID0>/sysdata - Save Data

SD Card:

  • sdmc/Nintendo 3DS/<ID0>/<ID1>/title - Title Data/Save Data

ID0 is the first 0x10-bytes from a SHA256 hash.

Title data stored on the SD Card is encrypted with the console-unique keyslots, however the NAND title data is stored as cleartext.

The base CTR for files stored under /title is likely based on the /title path, similar to extdata. This base CTR is unique per titleID and filename. The base CTR never changes after creation of each file.

When a newer version of a title is installed, the new .app content, .tmd, and .cmd(and .ctx for NAND titles) are written to the /title directory, however the old files here are not yet deleted. Once installation of the title is finalized, the info from import.db is moved to title.db so that the system uses the newer files instead, then the old /title files are deleted.

And the title data is contained in this directory structure:

NAND Directory Structure:

Title Data:

<Title ID High>
└── <Title ID Low>
    ├── 00000000.ctx
    └── content
        ├── <ContentID>.app
        ├── <ContentID>.tmd
        └── cmd
            └── <ContentID>.cmd

Save Data:

<SaveID0>
└── <SaveID1>
    └── 00000001.sav

SD Card Directory Structure:

Title Data/Save Data:

<Title ID High>
└── <Title ID Low>
    ├── 00000000.ctx
    ├── content
    │   ├── <ContentID>.app
    │   ├── <ContentID>.tmd
    │   └── cmd
    │       └── <ContentID>.cmd
    └── data
        └── 00000001.sav

The structure differs for DLC Titles:

0004008C
└── <Title ID Low>
    ├── 00000000.ctx
    └── content
        ├── <ContentID>.tmd
        ├── 00000000
        │   └── <ContentID>.app
        └── cmd
            └── <ContentID>.cmd
   

For a list of 3DS titles see the Title list.

"<ContentID>.tmd" - (The Content ID is a u32, initially: 00000000 when the title is first installed. Changing by an increment of +0x1 for each title update the 3DS installs) This is the Title Metadata associated with the title, it is encrypted with a console-unique keyslot. The decrypted TMD is available on Nintendo's CDN server at "http://nus.cdn.c.shop.nintendowifi.net/ccs/download/TitleIDhere/tmd". Though CDN version of the title TMD has a certificate chain attached at the end of the TMD, so removing it will give you the 1:1 decrypted TMD. After installation the "<ContentID>.tmd" is redundant, because important title data is extracted and imported into the title.db and ".cmd" files, but is however kept as a reference.


"<ContentID>.app" - (The Content ID is a u32, taken from the title's TMD) These files are NCCH files, where the entire file is encrypted with a console-unique keyslot(this is on top of the encryption of the NCCH contents). There can be more than one NCCH in this directory, as seen with .CCI files, the game executable (CXI) can be accompanied with additional non-executable NCCH files (CFA) such as the electronic manual and DLP Child containers. Determining the function of the encrypted NCCH, is done by finding the Content Index of the "XXXXXXXX.app" file in the title's TMD(see above for retrieving decrypted TMD), interpreting the Content Index is as follows*:

Index Content Type
0000 Main Executable (.CXI)(In the case of System Data Archives, this is a CFA file)
0001 Home Menu Manual (.CFA)
0002 DLP Child Container (.CFA)
  • The above table does not apply to DLC content.

Unlike the TMD, a decrypted version of the NCCH files cannot be retrieved from Nintendo's CDN, the NCCH files do exist on Nintendo's CDN but are encrypted. Decrypting CDN versions of content, requires the title's ticket, and the common key specified by an index in the ticket. Of course editing/deleting ".app" files will have an effect. Deleting/renaming the manual ".app' will cause the manual not to load when clicked on. And deleting/renaming the executable ".app" will cause the application to not load, and the 3D Banner does not show(The banner is loaded each time from the game's executable NCCH when the home menu loads, it is not cached like the icon and name).


"<ContentID>.cmd" - (The Content ID is a u32, initially: 00000001 when the title is first installed. Changing by an increment of +0x1 for each time the 3DS adds/removes '.app' files) This file contains data taken from the title's TMD. See the below table for the format of the cleartext .cmd file. The Title.db contains the Content ID for the '.cmd' file, but does not contain a hash of the '.cmd' file. In addition it is also encrypted with a console-unique keyslot. This acts as part of the DRM for installed titles, along with the title.db.

The below AES-MACs(including the last 0x10-bytes of the header) are only used for SD titles, and for NAND download-play titles. For other titles, these MACs are set to all-zero.

Offset Size Description
0x0 0x4 .cmd ContentID, for the .cmd filename. This is the beginning of the header.
0x4 0x1C For NAND titles' .cmd these 2 words are usually value 1, the rest of the header is all-zero. The last 0x10-bytes of this header is an AES MAC?
0x20 0x8*(No. of entries) Entries for each content begin here with size 0x8.
0x20+0x8*(No. of entries) 0x10*(No. of entries) These are MACs, one for each content.

Entries format:

Start Size Description
0x0 0x4 ContentID
0x4 0x8 Unknown

"00000001.sav" - This is the title's encrypted savegame. Renaming these savegames causes home-menu to hang while launching titles, modifying these saves results in the same corruption errors as other savegames.


"00000000.ctx" - This file encrypted with a console-unique keyslot is temporarily stored on SD card while a title is being downloaded from the eShop, it is deleted after the download is completed. This contains an AP0000000000000000 cert used to sign the data following the cert, this cert is signed by the CTCert. The unknown signed data is likely an ECDSA public key. There's .ctx files stored under the /title directory for NAND CTR/TWL titles, however those use the CTXT format which is completely different from this SD .ctx format. These .ctx files for NAND/SD titles only exist for titles where installation was not yet finalized(like when a system update install was not yet finalized).

DLC Titles

DLC titles have a different directory structure to most installed titles. This is because all DLC content for a given title is installed under the same Title ID, but DLC add-ons are usually separate purchases, hense the structure altered so any combination of DLC content can be installed. DLC titles can receive 'updates', this is usually in the form of more DLC content and/or DLC bug fixes. Individual DLC content can only be managed from with-in the application using the DLC.

"00000000" - This extra directory only found in DLC titles, contains the DLC NCCH content.


"<ContentID>.tmd" - This is not modified by the 3DS, and contains the details for all DLC content(installed or not).


"<ContentID>.cmd" - This contains entries for all installed DLC NCCH content, and is updated(<ContentID> will change) every time DLC content is installed/removed.