Difference between revisions of "SD Filesystem"

From 3dbrew
Jump to navigation Jump to search
 
(40 intermediate revisions by 4 users not shown)
Line 1: Line 1:
The 3DS uses an SD Card for general storage of additional game data, music and photos taken with the 3DS.
+
== Overview ==
 +
The 3DS uses an SD Card for general storage of game data, music, photos and videos taken with the 3DS.
  
  /DCIM - Photos and images downloaded with the Internet Browser.
+
  sdmc
  /Music - Music Files
+
├── DCIM
  /Nintendo 3DS - Game Data
+
  ├── Nintendo 3DS
 +
│  ├── <ID0>
 +
│  │  └── <ID1>
 +
│  │      ├── [[SD Savedata Backups|backups]]
 +
│  │      ├── [[Title Database|dbs]]
 +
│  │      ├── [[extdata]]
 +
│  │      ├── [[Title Data Structure|title]]
 +
  │  │      └── [[DSiWare_Exports|Nintendo DSiWare]]
 +
│  └── [[SD Filesystem#Private|Private]]
 +
└── [[SD Filesystem#Other Private Data|private]]
 +
    └── Nintendo 3DS
 +
        └── app
  
/DCIM with [[3.0.0-5]] also stores .avi 3D videos from the camera title, video frames use MJPG.
 
  
== Extdata ==
+
* Everything stored under sdmc/Nintendo 3DS/<ID0>/<ID1> is encrypted by 128 bit AES-CTR with console-unique [[AES|keyslots]]. The keyslot is initialized by [[nand/private/movable.sed]].
Additional game data is stored here:
+
* The crypto IV/CTR for each file is generated as follows: take the UTF-16 path relative to sdmc/Nintendo 3DS/<ID0>/<ID1> (the path it self begins with "/") and hash it with SHA-256, including the null null-terminator. Then calculate CTR as CTRbyte[i] = Hashbyte[i] ^ Hashbyte[16+i] for i = 0 to 15.
: /Nintendo 3DS/<SomeID>/<SomeID>/extdata/00000000
+
* The base CTR is fixed for each file, therefore the CTR never changes after each write. Thus it is possible to obtain some cleartext by XORing one file(like newly created extdata) with a newer file, where the newer file overwrote zeros in the original file with non-zero data.
 +
* Files stored under [[Flash Filesystem|nand/data/<ID0>]] also use the same keyslot, but it is only used for MACs.
 +
* ID0 is the first 0x10-bytes from a SHA256 [[nand/private/movable.sed|hash]].
 +
* ID1 is the scrambled SD card CID from the SD card which this directory was originally created on. To generate this directory name from the original CID, first the CID is rotated 8-bits to the left. Then, each u16 is moved as described in the below table:
  
See the [[extdata]] page for more extdata info and the extdataIDs list.
+
{| class="wikitable" border="1"
 +
|-
 +
!  Input rotated CID u16 index
 +
!  Output CID u16 index
 +
|-
 +
|  6
 +
|  0
 +
|-
 +
|  7
 +
|  1
 +
|-
 +
|  4
 +
|  2
 +
|-
 +
|  5
 +
|  3
 +
|-
 +
|  2
 +
|  4
 +
|-
 +
|  3
 +
|  5
 +
|-
 +
|  0
 +
|  6
 +
|-
 +
|  1
 +
|  7
 +
|}
  
All "extra data" under [[extdata]] is encrypted. Extdata can't be decrypted with the xorpad fail used for old FLASH saves. All "extra data" files can't be copied to other 3DS SD cards, they are locked to the console.
+
'''DCIM''' - Photos and Videos taken by the [[Nintendo 3DS Camera]] application are stored in this directory. Internet Browser image downloads are stored here too.  
  
== import.db and title.db ==
+
Note: Playing/Recording (3D) Videos was introduced with update [[3.0.0-5]]. The 3D videos are in .avi format and the video frames use MJPG.
With the introduction of the June update the folder structure changed slightly. You will now find "dbs" and "title" folders located in  /Nintendo 3DS/<SomeID>/<SomeID>/ along with the extdata folder. "dbs" contains two files, import.db and title.db - usage currently unknown. import.db seems to contain data from DSiWare SRLs.
 
  
The data at the beginning of the file is encrypted, but the rest is cleartext. This file is always 3.1MB, thus this doesn't contain the whole SRL for most DSiWare. The data stored here is not ordered the same way as the src SRL: ARM7 code, ARM9 code, and data are mixed together. The file can contain data from DSiWare that wasn't installed, only listed on the src DSi for DSiWare transfer. (This file is likely some temporary data storage used for DSiWare install etc).
+
'''backups''' - This directory contains SD Title Savedata backups. For more info, see [[SD Savedata Backups]].
  
title.db seems to be encrypted.
+
'''dbs''' - This contains database files relating to the titles installed on the SD Card. These files are encrypted. For more info, see [[Title Database]]
  
* [https://gist.github.com/1113cbe10f124e5a2c72 Old and new import.db and title.db xored, revealing some plaintext].
+
'''title''' - Title data for titles installed to the SD Card are found here. All data in this directory is encrypted with a console-unique [[AES|keyslot]]. For a list of SD Card titles see the [[Title list]]. For more info on the title data structure see [[Title Data Structure]].
  
== title ==
+
'''Nintendo DSiWare''' - DSiWare titles are [[DSiWare_Exports|exported]] here.
/title/00040000/ Contains eshop downloads (can someone verify these and add for different regions?):
 
00032600 - Pokedex 3D - EUR (verified)
 
00042a00 - Legend of Zelda - Link's Awakening - EUR
 
0004ab00 - Nintendo Video - EUR
 
00052000 - Let's Golf 3D - EUR
 
00054300 - 3D Classics Excitebike - USA
 
00054e00 - 3D Classics Excitebike - EUR (verified)
 
00054300 - 3D Classics Excitebike - USA
 
00045C00 - 3D Classics Excitebike - JPN
 
For more IDs, see the 00040000 titles on the [[Title_list]].
 
 
 
The above title directories contain two dirs: content and data. content contains 00000000.tmd, .app files, and some cmd dir containing 00000001.cmd, all of which are encrypted with a console-unique key. The data dir contains 00000001.sav, this is the title's encrypted savegame. Although these saves look similar to FLASH savegames, these savegames use proper unique CTR for each AES block in the file, and the CTR properly changes for each savegame write. Renaming these savegames causes home-menu to hang while launching titles, modifying saves throws the usual checksum/hash corruption like gamecard flash saves.
 
 
 
When renaming ''any'' of these files/dir under content, the icon in home-menu is still displayed. Modifying any of these files has same result as renaming them. When renaming the cmd dir/cmd file, or 00000000.app, the 3D banner isn't displayed. When renaming the cmd dir or the file contained in that dir, home-menu will refuse to run the title, and the manual will not work.(will display the black screen saying sdcard isn't inserted) Manual won't load when 00000001.app is renamed, so that .app might be the manual? When the main 00000000.app binary is renamed, the title will not launch and in the manual placeholder text is used for the title name/icon. Home-menu doesn't care at all when tmd is renamed.
 
  
 
== Private ==
 
== Private ==
"Private" data is stored here:
+
"Private" data is stored here as cleartext:
  
 
  /Nintendo 3DS/Private/<Title ID Low>/
 
  /Nintendo 3DS/Private/<Title ID Low>/
Line 48: Line 75:
 
  00020500 - Nintendo 3DS Sound
 
  00020500 - Nintendo 3DS Sound
  
 +
Under the camera private dir is [[phtcache.bin]].
 +
When you want to install and see pictures with 3DS, rename to 8 numbers.mpo and save it on /DCIM.
 +
Under the sound private dir is: voice/XX/*.m4a. Where XX is 01-10, with sound saved as .m4a.
 +
 +
== Other Private Data ==
 +
 +
There is also a directory called "private" on the root of the SD card that contains data, in which would otherwise be completely different from what the Nintendo 3DS normally uses, but known to the application itself.
 +
 +
Some apps, such as Flipnote Studio 3D create a directory called "private" on the root of the SD Card, it contains a Nintendo 3DS directory inside it. Inside the app directory contains a directory with the game code of the application (eg. "JKZP" for Flipnote Studio 3D), then its corresponding data, as shown here:
 +
 +
/private/Nintendo 3DS/app/<Game Code>/
  
"Private" data for 3DS Sound/Camera are cleartext.
+
In this case of Flipnote Studio 3D, there are multiple files with an ID, then ending with the .kwz extension. There is also a !!.lst file as well.
Under the camera priv dir is [[phtcache.bin]], this seems to list the pictures on SD card?
 
When you want to install and see pictures with 3DS,rename to 8 numbers.mpo and save it on /DCIM .
 
Under the sound priv dir is: voice/XX/*.m4a. Where XX is 01-10, with sound saved as .m4a.
 

Latest revision as of 12:24, 15 November 2017

Overview[edit]

The 3DS uses an SD Card for general storage of game data, music, photos and videos taken with the 3DS.

sdmc
├── DCIM
├── Nintendo 3DS
│   ├── <ID0>
│   │   └── <ID1>
│   │       ├── backups
│   │       ├── dbs
│   │       ├── extdata
│   │       ├── title
│   │       └── Nintendo DSiWare
│   └── Private
└── private
    └── Nintendo 3DS
        └── app


  • Everything stored under sdmc/Nintendo 3DS/<ID0>/<ID1> is encrypted by 128 bit AES-CTR with console-unique keyslots. The keyslot is initialized by nand/private/movable.sed.
  • The crypto IV/CTR for each file is generated as follows: take the UTF-16 path relative to sdmc/Nintendo 3DS/<ID0>/<ID1> (the path it self begins with "/") and hash it with SHA-256, including the null null-terminator. Then calculate CTR as CTRbyte[i] = Hashbyte[i] ^ Hashbyte[16+i] for i = 0 to 15.
  • The base CTR is fixed for each file, therefore the CTR never changes after each write. Thus it is possible to obtain some cleartext by XORing one file(like newly created extdata) with a newer file, where the newer file overwrote zeros in the original file with non-zero data.
  • Files stored under nand/data/<ID0> also use the same keyslot, but it is only used for MACs.
  • ID0 is the first 0x10-bytes from a SHA256 hash.
  • ID1 is the scrambled SD card CID from the SD card which this directory was originally created on. To generate this directory name from the original CID, first the CID is rotated 8-bits to the left. Then, each u16 is moved as described in the below table:
Input rotated CID u16 index Output CID u16 index
6 0
7 1
4 2
5 3
2 4
3 5
0 6
1 7

DCIM - Photos and Videos taken by the Nintendo 3DS Camera application are stored in this directory. Internet Browser image downloads are stored here too.

Note: Playing/Recording (3D) Videos was introduced with update 3.0.0-5. The 3D videos are in .avi format and the video frames use MJPG.

backups - This directory contains SD Title Savedata backups. For more info, see SD Savedata Backups.

dbs - This contains database files relating to the titles installed on the SD Card. These files are encrypted. For more info, see Title Database

title - Title data for titles installed to the SD Card are found here. All data in this directory is encrypted with a console-unique keyslot. For a list of SD Card titles see the Title list. For more info on the title data structure see Title Data Structure.

Nintendo DSiWare - DSiWare titles are exported here.

Private[edit]

"Private" data is stored here as cleartext:

/Nintendo 3DS/Private/<Title ID Low>/
00020400 - Nintendo 3DS Camera 
00020500 - Nintendo 3DS Sound

Under the camera private dir is phtcache.bin. When you want to install and see pictures with 3DS, rename to 8 numbers.mpo and save it on /DCIM. Under the sound private dir is: voice/XX/*.m4a. Where XX is 01-10, with sound saved as .m4a.

Other Private Data[edit]

There is also a directory called "private" on the root of the SD card that contains data, in which would otherwise be completely different from what the Nintendo 3DS normally uses, but known to the application itself.

Some apps, such as Flipnote Studio 3D create a directory called "private" on the root of the SD Card, it contains a Nintendo 3DS directory inside it. Inside the app directory contains a directory with the game code of the application (eg. "JKZP" for Flipnote Studio 3D), then its corresponding data, as shown here:

/private/Nintendo 3DS/app/<Game Code>/

In this case of Flipnote Studio 3D, there are multiple files with an ID, then ending with the .kwz extension. There is also a !!.lst file as well.