Changes

1,505 bytes added ,  09:50, 28 March 2013
Understand that. and Questions.
Line 69: Line 69:  
@[[User:3dsguy|3dsguy]]: About the [[SHBIN]] in [[RomFS|romfs.bin]]. Have you ever found there is .shbin inside it? Look at which you uploaded to dropbox (''today or yesterday, named "CIA"'') and find that one in folder "CIA\Extracted CIA Content\CXI extract" and check offset 0x10C0. There is [[SHBIN]] name "font_RectDrawerShader.shbin" just above the offset (with 00 padding, also with the length of name 0x3a). There is also some other clear text. you can extract the file in hex to check the shbin (maybe 0x3A0+0x8/0x18, of that file). if you think there is chance to check those shbin, you may have to fetch some different CIA that generated and decrypt and then extract its Romfs. i will be eager to see the ''extracted decrypted romfs''. If there is the proper source code of those files that may be even easier to check the function's ASM. (well best way is ''use dev unit to generate a series of versions of the title and extract all CIAs and decrypt to check those shbins'') --[[User:Syphurith|Syphurith]] 05:07, 28 March 2013 (CET)
 
 
:[[User:Syphurith|Syphurith]], I knew about the .shbin in the RomFS. I've updated the archive to include it. It's not a particularly special file, I've seen it in lots of CXIs. You know you can use ctrtool to extract and view everything in the .CIA file, as it is a debug CIA. If you want the application's executable code, then you should look in the code.bin inside the "exefs_extracted" directory.--[[User:3dsguy|3dsguy]] 07:07, 28 March 2013 (CET)
 
 +
::@[[User:3dsguy|3dsguy]], thanks for the information. well is there any way to check the relations that between assembly and source code? well i found those in exefs is salted (ie 0x5A03, with 0x00 0x10 0x20 chars. so if there is some source code of that CIA, the analyse can be even easier)(Since it is salted we may find out the salt hex and can make a tool to filter them all out). BTW, please take a look at these below:
 +
::* Generate CIA series with Dev Unit (i mentioned above) and decrypt and try to compare those generated to see the assembly.
 +
::* Decap the chip and try to gain the ''Creator Power'' and we can take down Home Menu then (but there should be lots of work to do).
 +
::* Check all the potential storage media to look for 3ds Common Key, and use that and cetk of firmware on CDN to decrypt the firmware and check if there is any exploits that patched so the devices with lower version would have a chance to break in.
 +
::* Crack the storage chips and use something like a proxy to record all the data streams to a prepared storage (or to PC)
 +
::* Or simply let us wait for some progress?
 +
::I hope you can get some inspiration and find a new way. Well i'm wondering about where could be a 'CTR Common Prod 1' key stored. (if that can be written somehow, we may be able to cheat the system, first replace the cert inside 3ds, then use the true one for proxy, and decrypt all the data). is that still more important finding the way? --[[User:Syphurith|Syphurith]] 09:50, 28 March 2013 (CET)