
Hacking (4.x only) CIA CFW Complete Guide

 
 

admin

Kore wa desu? p.s. pragma gay -calypso

Features:
-Open source arm9_code.bin with improved reliability
-Removed Govanify's network calls.
-Includes ctrclient customcmds (see customcmds.txt for details)
-Includes Gateway and Homebrew Launchers

As of now this guide requires a 3DS flashcart that allows eShop access, or an eShop game to already be installed on your SD card. I will assume ownership of a Gateway cart, but the steps should be very similar regardless of what cart you own.

Disclaimer: I take no responsibility for any damage caused by attempting this mod. Although there have been no reported problems so far, this is cutting edge stuff that has been only lightly tested. Continue at your own risk.

Downloads
Rop MultiLoader
Hex Workshop
Win32DiskImager
Palantine CFW v1.0
DevMenu Cia - not legal to link. Use Google :)


  1. Make sure your 3DS is configured to connect to the internet properly before going any further. Write down the LAN IP of your 3DS for later.
  2. Copy the Rop Multiloader to your DS mode flashcart. Launch the Rop Multiloader ROM from your cart and select "Gateway 4x".
  3. Copy the Gateway Launcher.dat to your SD card, and load it with the usual exploit. Select "Nand Backup".
  4. When it finishes, copy the nand.bin from your SD card to your computer.
  5. If you have not already done so, boot the Gateway Launcher and select "Format Emunand". Be careful, as this will erase all the files on your SD card.
  6. On your SD card navigate to "sdmc:/Nintendo 3DS/<id0>/<id1>/dbs/". Create two files in this folder named title.db and import.db. Put the SD card back in your 3DS, go to System Settings, and attempt to manage the SD software. Let the 3DS do its repair process.
  7. Mount your SD card on your computer. Make a backup of the card with Win32DiskImager.
  8. Open Hex Workshop as administrator. Select Disk->Open Drive. Choose "All" from the drop-down menu and select the disk with the size matching your SD card. Once opened, the very beginning should say "GATEWAYNAND".
  9. Choose Disk->Restore Sectors and select your saved nand.bin. Change "Starting Sector" to be "1".
  10. Now that that is finished, your SD card is ready to launch the CFW. Copy the contents of the "SD Card" folder to your SD card.
  11. Launch the "Rop Multiloader" from your DS cart again. This time select "Homebrew 4x".
  12. Finally, launch the exploit the usual way, and make sure to hold down the L Button. It may take as many as 10 tries to work, but don't give up. You will know it worked when the screen flashes white then black for a second.
  13. Download "DevMenu_2x.cia" and put it in the "Palantine CFW" folder.
  14. On your computer, in the CFW files, edit run.bat and replace "IPTOMODIFY" with the IP of your 3DS, and then run it by double clicking it. This will try to install the DevMenu onto your device.
  15. Reboot your 3DS and launch the CFW again. If it worked you will see a present on the homescreen.
  16. Congrats! You have installed a CFW to your 3DS!
Let me know if I have made any mistakes, or if there is need for clarification.

Win32DiskImager is used to make a backup of your emunand which you can restore to your SD card to revert back to Gateway. If you have 2 SD cards like I do then this is unnecessary.

Thanks to idunoe for the db trick!
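
A check for steps 7 to 9, added here as an example and not part of the original guide: it confirms that an SD card image (for instance one made with Win32DiskImager after the restore) starts with GATEWAYNAND and that the data from sector 1 onward matches nand.bin. The 512-byte sector size and the function names are assumptions, and the sample files in demo() are constructed.

```python
import hashlib, os, tempfile

SECTOR_SIZE = 512        # assumption: 512-byte sectors
MAGIC = b"GATEWAYNAND"   # text step 8 expects at the very beginning of the card
START_SECTOR = 1         # "Starting Sector" used in step 9


def check_restore(sd_image, nand_backup):
    """Compare an SD card image file with nand.bin; return a list of problems."""
    problems = []
    offset = START_SECTOR * SECTOR_SIZE
    sd_size, nand_size = os.path.getsize(sd_image), os.path.getsize(nand_backup)
    if nand_size % SECTOR_SIZE:
        problems.append("nand.bin is not a whole number of sectors")
    if offset + nand_size > sd_size:
        return problems + ["nand.bin does not fit after sector 1"]
    with open(sd_image, "rb") as sd, open(nand_backup, "rb") as nand:
        if sd.read(len(MAGIC)) != MAGIC:
            problems.append("image does not start with GATEWAYNAND")
        sd.seek(offset)
        want, got = hashlib.sha256(), hashlib.sha256()
        remaining = nand_size
        while remaining > 0:                 # hash both sides in 1 MiB chunks
            n = min(1 << 20, remaining)
            want.update(nand.read(n))
            got.update(sd.read(n))
            remaining -= n
        if want.digest() != got.digest():
            problems.append("sectors from 1 onward differ from nand.bin")
    return problems


def demo():
    """Run the check on small constructed files (not real dumps)."""
    with tempfile.TemporaryDirectory() as d:
        nand, good, bad = (os.path.join(d, n) for n in ("nand.bin", "good.img", "bad.img"))
        payload = bytes(range(256)) * 8              # 4 constructed sectors
        header = MAGIC.ljust(SECTOR_SIZE, b"\0")     # constructed sector 0
        for path, data in ((nand, payload),
                           (good, header + payload + b"\0" * 1024),
                           (bad, header + b"\xff" * 3072)):
            with open(path, "wb") as f:
                f.write(data)
        return check_restore(good, nand), check_restore(bad, nand)


if __name__ == "__main__":
    print(demo())
```

An empty list means the image passed every check; keep the step 7 backup until it does.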


ctrclient commands

I have reverse engineered most of the ctrclient commands and have exposed some very interesting functionality. These commands are for developers only. You run a very real risk of doing permanent damage to your device if you try to play around with these.

Code:
ctrclient.exe --serveradr=<3ds ip> --customcmd="<custom cmd>"

installcia:<cia name>

readmem:<mem type> <offset> <size>    @<optional output file name>
    memtypes: 11kern, 11usr=, 9
    11usr=<process name> (i.e. pxi, pm)

writemem:<mem type> <offset> <size> @<input hex file>
    memtypes: 11kern, 11usr=, 9
    11usr=<process name> (i.e. pxi, pm)

getservhandle <service name> (i.e. ir:u )

sendservicecmd <service handle> <header code> <arg1>,<arg2>…

getprocinfo:addrconv <arm11 procname>  <vaddr>  (i.e. pxi 0x100000)
getprocinfo:kprocess <arm11 procname>  (i.e. pxi)
getprocinfo:mmutable <arm11 procname>  (i.e. pxi)

ROM to CIA Guide

This guide requires makerom and ctrtool.

Step 1: decrypting the .3ds ROM
I will not explain it in this tutorial, as it is explained a couple of times around the forum. (https://gameparadise.org/threads/release-3ds_ctr_decryptor-void.922/)

If you end up with a decrypted romfs.bin, exheader.bin, code.bin (decompressed), icon.bin and banner.bin, you did everything correctly.

Step 2: creating an .rsf file
The .rsf file is a little different from the one for .3ds ROMs. Here is the proper one; make sure you fill in the XXXX the right way. Copy the text in the code box below into a text editor and save it as cia.rsf in the folder with the other files.

• You can open the exheader or the original ROM in a hex editor to look up the right values for the company code, product type and product code.
• For the correct UniqueId, you can check ctrtool and the official ROM. Just remove the last two 0s and write the four digits before that in the .rsf file:

Code:
BasicInfo:
  Title                  : "Custom Title"
  CompanyCode            : "00"
  ProductCode            : "CTR-P-DERP"
  ContentType            : Application # Application / SystemUpdate / Manual / Child / Trial
  Logo                    : Nintendo # Nintendo / Licensed / Distributed / iQue / iQueForSystem

TitleInfo:
  UniqueId                : 0x7850
  Category                : Application

Option:
  UseOnSD                : true # true if App is to be installed to SD
  EnableCompress          : true # Compresses exefs code
  FreeProductCode        : true # Removes limitations on ProductCode
  EnableCrypt            : true # Enables encryption for NCCH and CIA
  MediaFootPadding        : true # If true CCI files are created with padding

AccessControlInfo:
  ExtSaveDataId: 0xb7850 # same as UniqueId
  SystemSaveDataId1: 0x00000000 # plaintext exheader
  SystemSaveDataId2: 0x00000000 # plaintext exheader
  OtherUserSaveDataId1: 0x00000 # plaintext exheader
  OtherUserSaveDataId2: 0x00000 # plaintext exheader
  OtherUserSaveDataId3: 0x00000 # plaintext exheader
  UseOtherVariationSaveData : false

SystemControlInfo:
  SaveDataSize: 1M # plaintext exheader
  RemasterVersion: 0 # plaintext exheader
  StackSize: 0x00040000 # plaintext exheader
  JumpId: 0x000400000b000000L # plaintext exheader (<full UniqueID>L)

Step 3: creating the .cia
Open the command window in the folder with the exefs.bin, exheader.bin, romfs.bin, icon.bin, code.bin, banner.bin, cia.rsf and makerom. Now run the following command:

makerom -f cia -target t -desc app:4 -icon icon.bin -banner banner.bin -exefslogo -code code.bin -exheader exheader.bin -romfs romfs.bin -rsf cia.rsf -o Install.cia

This will output a .cia file, which you can install with the DevMenu and then run.

If you encounter an error saying "[ROMFS ERROR] Invalid RomFS Binary.", then remove the "-romfs romfs.bin" from the command.
 
 
