Difference between revisions of "SD Filesystem"

From 3dbrew
Jump to navigation Jump to search
 
(30 intermediate revisions by 4 users not shown)
Line 1: Line 1:
The 3DS uses an SD Card for general storage of additional game data, music and photos taken with the 3DS.
+
== Overview ==
 +
The 3DS uses an SD Card for general storage of game data, music, photos and videos taken with the 3DS.
  
  /DCIM - Photos and images downloaded with the Internet Browser.
+
  sdmc
  /Music - Music Files
+
├── DCIM
  /Nintendo 3DS - Game Data
+
  ├── Nintendo 3DS
 +
│  ├── <ID0>
 +
│  │  └── <ID1>
 +
│  │      ├── [[SD Savedata Backups|backups]]
 +
│  │      ├── [[Title Database|dbs]]
 +
│  │      ├── [[extdata]]
 +
│  │      ├── [[Title Data Structure|title]]
 +
  │  │      └── [[DSiWare_Exports|Nintendo DSiWare]]
 +
│  └── [[SD Filesystem#Private|Private]]
 +
└── [[SD Filesystem#Other Private Data|private]]
 +
    └── Nintendo 3DS
 +
        └── app
  
/DCIM with [[3.0.0-5]] also stores .avi 3D videos from the camera title, video frames use MJPG.
 
  
== Extdata ==
+
* Everything stored under sdmc/Nintendo 3DS/<ID0>/<ID1> is encrypted by 128 bit AES-CTR with console-unique [[AES|keyslots]]. The keyslot is initialized by [[nand/private/movable.sed]].
Additional game data is stored here:
+
* The crypto IV/CTR for each file is generated as follows: take the UTF-16 path relative to sdmc/Nintendo 3DS/<ID0>/<ID1> (the path it self begins with "/") and hash it with SHA-256, including the null null-terminator. Then calculate CTR as CTRbyte[i] = Hashbyte[i] ^ Hashbyte[16+i] for i = 0 to 15.
: /Nintendo 3DS/<SomeID>/<SomeID>/extdata/00000000
+
* The base CTR is fixed for each file, therefore the CTR never changes after each write. Thus it is possible to obtain some cleartext by XORing one file(like newly created extdata) with a newer file, where the newer file overwrote zeros in the original file with non-zero data.
 
+
* Files stored under [[Flash Filesystem|nand/data/<ID0>]] also use the same keyslot, but it is only used for MACs.
See the [[extdata]] page for more extdata info and the extdataIDs list.
+
* ID0 is the first 0x10-bytes from a SHA256 [[nand/private/movable.sed|hash]].
 
+
* ID1 is the scrambled SD card CID from the SD card which this directory was originally created on. To generate this directory name from the original CID, first the CID is rotated 8-bits to the left. Then, each u16 is moved as described in the below table:
All "extra data" under [[extdata]] is encrypted. Extdata can't be decrypted with the xorpad fail used for old FLASH saves. All "extra data" files can't be copied to other 3DS SD cards, they are locked to the console.
 
 
 
== import.db and title.db ==
 
With the introduction of the June update the folder structure changed slightly. You will now find "dbs" and "title" folders located in  /Nintendo 3DS/<SomeID>/<SomeID>/ along with the extdata folder. "dbs" contains two files, import.db and title.db. The purpose of the files in the "dbs" is to archive the list of titles installed on the SD card. These two files are only used for the management of SD Card installed 3DS Titles. The "title.db" file, archives the installed titles aswell as their, names, icons and size. The "import.db" also changes when a title is installed or deleted, but doesn't appear to contain info that the titles "title.db" does. Old and new of the "import.db" and "title.db" can be interchanged without any issues. Essentially the "title.db" acts as the DRM or access rights for downloaded SD card titles. The "import.db" is used during the download/install of SD Card titles, and until the download is complete, it is the only file of the two which is modified.
 
 
 
title.db seems to be encrypted.
 
 
 
* [https://gist.github.com/1113cbe10f124e5a2c72 Old and new import.db and title.db xored, revealing some plaintext].
 
 
 
== title ==
 
/title/ Contains eShop title downloads
 
00040000/00032600 - Pokedex 3D - EUR
 
00040000/00042a00 - Legend of Zelda - Link's Awakening - EUR
 
00040000/0004ab00 - Nintendo Video - EUR
 
00040000/00052000 - Let's Golf 3D - EUR
 
00040000/00054300 - 3D Classics Excitebike - USA
 
00040000/00054e00 - 3D Classics Excitebike - EUR
 
00040000/00045C00 - 3D Classics Excitebike - JPN
 
For more IDs, see the 00040000 titles on the [[Title_list]].
 
 
 
Directory Structure for SDMC Installed Titles:
 
 
 
/title/0004XXXX/XXXXXXXX/Content/00000000.tmd
 
                                /XXXXXXXX.app
 
                                /cmd/00000001.cmd
 
/title/0004XXXX/XXXXXXXX/Data/00000001.sav
 
/title/0004XXXX/XXXXXXXX/00000000.ctx
 
   
 
                                               
 
"'''00000000.tmd'''" - (file name varies depending on title revision) This is the Title Metadata associated with the title, it is encrypted with a per-console key. The decrypted TMD is available on Nintendo's CDN server at "http://nus.cdn.c.shop.nintendowifi.net/ccs/download/TitleIDhere/tmd". Though CDN version of the title TMD has a certificate chain attached at the end of the TMD, so removing it will give you the 1:1 decrypted TMD. After title installation, the important information in TMD is likely stored somewhere, as modifying/deleteing the TMD file, doesn't usually have any effect.
 
 
 
 
 
"'''XXXXXXXX.app'''" - (There is no pattern to the file name) These files are [[NCCH]] files, where the entire file is encrypted with a per-console key. There can be more than one NCCH in this directory, as seen with .[[CCI]] files, the game executable ([[CXI]]) can be accompanied with additionally non-executable NCCH files ([[NCCH#CFA|CFA]]) such as the game manual and DLP Child containers. Determining the function of the encrypted NCCH, is done by finding the Content Index of the "XXXXXXXX.app" file in the title's TMD(see above for retrieving decrypted TMD), interpreting the Content Index is as follows:
 
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Index
+
Input rotated CID u16 index
Content Type
+
Output CID u16 index
 
|-
 
|-
0000
+
6
Main Executable (.[[NCCH#CXI|CXI]])
+
0
 
|-
 
|-
0001
+
7
Home Menu Manual (.[[NCCH#CFA|CFA]])
+
1
 
|-
 
|-
0002
+
4
DLP Child Container (.[[NCCH#CFA|CFA]])
+
2
 +
|-
 +
|  5
 +
|  3
 +
|-
 +
|  2
 +
|  4
 +
|-
 +
|  3
 +
|  5
 +
|-
 +
|  0
 +
|  6
 +
|-
 +
|  1
 +
|  7
 
|}
 
|}
  
Unlike the TMD, a decrypted version of the NCCH files cannot be retrieved from Nintendo's CDN, the NCCH files do exist on Nintendo's CDN but are encrypted. Of course editing/deleting ".app" files will have an effect. Deleting/renaming the manual ".app' will cause the manual not to load when clicked on. And deleting/renaming the executable ".app" will cause the application to not load, and the 3D Banner does not show(The banner is loaded each time from the game's executable NCCH when the home menu loads, it is not cached like the icon and name).
+
'''DCIM''' - Photos and Videos taken by the [[Nintendo 3DS Camera]] application are stored in this directory. Internet Browser image downloads are stored here too.  
 
 
 
 
"'''00000001.cmd'''" - (file name varies depending on title revision) May contain hashes, or some other kind of file authentication, as the size of the "00000001.cmd" varies with the number of files in the 'Content' directory. Also, if the "00000001.cmd" cannot be found or is edited, the title is completely non-functional.
 
  
 +
Note: Playing/Recording (3D) Videos was introduced with update [[3.0.0-5]]. The 3D videos are in .avi format and the video frames use MJPG.
  
'''"00000001.sav"''' - This is the title's encrypted savegame. Although these saves look similar to FLASH savegames, these savegames use proper unique CTR for each AES block in the file, and the CTR properly changes for each savegame write. Renaming these savegames causes home-menu to hang while launching titles, modifying saves throws the usual checksum/hash corruption like gamecard flash saves.
+
'''backups''' - This directory contains SD Title Savedata backups. For more info, see [[SD Savedata Backups]].
  
 +
'''dbs''' - This contains database files relating to the titles installed on the SD Card. These files are encrypted. For more info, see [[Title Database]]
  
'''"00000000.ctx"''' - This file is used only while a title is being downloaded from the eShop, it is deleted after the download is completed
+
'''title''' - Title data for titles installed to the SD Card are found here. All data in this directory is encrypted with a console-unique [[AES|keyslot]]. For a list of SD Card titles see the [[Title list]]. For more info on the title data structure see [[Title Data Structure]].
  
 +
'''Nintendo DSiWare''' - DSiWare titles are [[DSiWare_Exports|exported]] here.
  
 
== Private ==
 
== Private ==
"Private" data is stored here:
+
"Private" data is stored here as cleartext:
  
 
  /Nintendo 3DS/Private/<Title ID Low>/
 
  /Nintendo 3DS/Private/<Title ID Low>/
Line 82: Line 75:
 
  00020500 - Nintendo 3DS Sound
 
  00020500 - Nintendo 3DS Sound
  
 +
Under the camera private dir is [[phtcache.bin]].
 +
When you want to install and see pictures with 3DS, rename to 8 numbers.mpo and save it on /DCIM.
 +
Under the sound private dir is: voice/XX/*.m4a. Where XX is 01-10, with sound saved as .m4a.
 +
 +
== Other Private Data ==
 +
 +
There is also a directory called "private" on the root of the SD card that contains data, in which would otherwise be completely different from what the Nintendo 3DS normally uses, but known to the application itself.
 +
 +
Some apps, such as Flipnote Studio 3D create a directory called "private" on the root of the SD Card, it contains a Nintendo 3DS directory inside it. Inside the app directory contains a directory with the game code of the application (eg. "JKZP" for Flipnote Studio 3D), then its corresponding data, as shown here:
 +
 +
/private/Nintendo 3DS/app/<Game Code>/
  
"Private" data for 3DS Sound/Camera are cleartext.
+
In this case of Flipnote Studio 3D, there are multiple files with an ID, then ending with the .kwz extension. There is also a !!.lst file as well.
Under the camera priv dir is [[phtcache.bin]], this seems to list the pictures on SD card?
 
When you want to install and see pictures with 3DS,rename to 8 numbers.mpo and save it on /DCIM .
 
Under the sound priv dir is: voice/XX/*.m4a. Where XX is 01-10, with sound saved as .m4a.
 

Latest revision as of 12:24, 15 November 2017

Overview[edit]

The 3DS uses an SD Card for general storage of game data, music, photos and videos taken with the 3DS.

sdmc
├── DCIM
├── Nintendo 3DS
│   ├── <ID0>
│   │   └── <ID1>
│   │       ├── backups
│   │       ├── dbs
│   │       ├── extdata
│   │       ├── title
│   │       └── Nintendo DSiWare
│   └── Private
└── private
    └── Nintendo 3DS
        └── app


  • Everything stored under sdmc/Nintendo 3DS/<ID0>/<ID1> is encrypted by 128 bit AES-CTR with console-unique keyslots. The keyslot is initialized by nand/private/movable.sed.
  • The crypto IV/CTR for each file is generated as follows: take the UTF-16 path relative to sdmc/Nintendo 3DS/<ID0>/<ID1> (the path it self begins with "/") and hash it with SHA-256, including the null null-terminator. Then calculate CTR as CTRbyte[i] = Hashbyte[i] ^ Hashbyte[16+i] for i = 0 to 15.
  • The base CTR is fixed for each file, therefore the CTR never changes after each write. Thus it is possible to obtain some cleartext by XORing one file(like newly created extdata) with a newer file, where the newer file overwrote zeros in the original file with non-zero data.
  • Files stored under nand/data/<ID0> also use the same keyslot, but it is only used for MACs.
  • ID0 is the first 0x10-bytes from a SHA256 hash.
  • ID1 is the scrambled SD card CID from the SD card which this directory was originally created on. To generate this directory name from the original CID, first the CID is rotated 8-bits to the left. Then, each u16 is moved as described in the below table:
Input rotated CID u16 index Output CID u16 index
6 0
7 1
4 2
5 3
2 4
3 5
0 6
1 7

DCIM - Photos and Videos taken by the Nintendo 3DS Camera application are stored in this directory. Internet Browser image downloads are stored here too.

Note: Playing/Recording (3D) Videos was introduced with update 3.0.0-5. The 3D videos are in .avi format and the video frames use MJPG.

backups - This directory contains SD Title Savedata backups. For more info, see SD Savedata Backups.

dbs - This contains database files relating to the titles installed on the SD Card. These files are encrypted. For more info, see Title Database

title - Title data for titles installed to the SD Card are found here. All data in this directory is encrypted with a console-unique keyslot. For a list of SD Card titles see the Title list. For more info on the title data structure see Title Data Structure.

Nintendo DSiWare - DSiWare titles are exported here.

Private[edit]

"Private" data is stored here as cleartext:

/Nintendo 3DS/Private/<Title ID Low>/
00020400 - Nintendo 3DS Camera 
00020500 - Nintendo 3DS Sound

Under the camera private dir is phtcache.bin. When you want to install and see pictures with 3DS, rename to 8 numbers.mpo and save it on /DCIM. Under the sound private dir is: voice/XX/*.m4a. Where XX is 01-10, with sound saved as .m4a.

Other Private Data[edit]

There is also a directory called "private" on the root of the SD card that contains data, in which would otherwise be completely different from what the Nintendo 3DS normally uses, but known to the application itself.

Some apps, such as Flipnote Studio 3D create a directory called "private" on the root of the SD Card, it contains a Nintendo 3DS directory inside it. Inside the app directory contains a directory with the game code of the application (eg. "JKZP" for Flipnote Studio 3D), then its corresponding data, as shown here:

/private/Nintendo 3DS/app/<Game Code>/

In this case of Flipnote Studio 3D, there are multiple files with an ID, then ending with the .kwz extension. There is also a !!.lst file as well.