Title Database: Difference between revisions

From 3dbrew
No edit summary
Ihaveamac (talk | contribs)
Title Info Entry: tickets may be larger than 0x350
 
(33 intermediate revisions by 9 users not shown)
Line 4: Line 4:
* sdmc/Nintendo 3DS/<ID0>/<ID1>/dbs
* sdmc/Nintendo 3DS/<ID0>/<ID1>/dbs


ID0 is the first 0x10-bytes from a SHA256 [[nand/private/movable.sed|hash]]. The installation of [[SD Filesystem|SD Card]] titles was introduced in the [[2.0.0-2]] update and the SD dbs files are encrypted. These files are [[extdata]] images. The NAND extdata images are cleartext, however some of the images contain console-unique encrypted data.
ID0 is the first 0x10-bytes from a SHA256 [[nand/private/movable.sed|hash]]. The installation of [[SD Filesystem|SD Card]] titles was introduced in the [[2.0.0-2]] update and the SD dbs files are encrypted by [[SD Filesystem|the general SD filesystem encryption rule]]. These files are [[DISA and DIFF|DIFF containers]]. These DIFF files do not use external IVFC level 4, so all database data is duplicated in the container. In this page only the inner content of the container is described.


There are only two files in this directory, for SD card:
These files are only created on SD (via [[Application_Manager_Services|AM]]) if they don't exist when the [[eShop]] application is starting up, during network init etc (prior to showing the "system update required" dialog).
/import.db
/title.db


"'''title.db'''" - This file (among other things perhaps), archives data about titles installed on the 3DS which includes their [[Serials#Product Code|Product Code]], whether the title uses an [[NCCH#CFA|electronic manual]], Title ID, Title size and Title Version(the title version determines the name of the [[Title Data Structure|.cmd]] file which contains data from the title TMD used for anti-tampering purposes).  
These files are stored under this directory:
{| class="wikitable" border="1"
|-
!  Stored on SD card
!  Stored in CTR-NAND
!  Filename
!  [[DISA and DIFF#CTR-9DB0|CTR-9DB0]] ID
!  Description
|-
| No
| Yes
| ticket.db
| 0x0
| This contains the installed tickets (NAND and SD).
|-
| No
| Yes
| certs.db
| 0x1
| This contains the certificate chain used to verify TMDs and other certificates.
|-
| Yes
| Yes
| title.db
| 0x2
| Title database, this contains entries for all installed titles (TWL & CTR) on the 3DS (Each database is responsible for titles installed on its medium).
|-
| Yes
| Yes
| import.db
| 0x3
| This is an Import Database, it contains entries for titles (or versions of titles) not yet installed, ready for transferring to the title.db. (Automatic Update uses this, so completing the update takes seconds.)
|-
| No
| Yes
| tmp_t.db
| 0x4
| This is the temporary Title database containing one entry for the currently installed [[Download Play]] Child.
|-
| No
| Yes
| tmp_i.db
| 0x5
| Similar to import.db, except it's used in conjunction with tmp_t.db, for installing [[Download Play]] Children.
|}


*This data is taken from the title's [[Title Data Structure|TMD]] and [[NCCH#CXI|executable NCCH]] during install, this is also partly why the encrypted TMD found in each title directory is redundant, as the important information is moved to the ".db" and ".cmd" files during title installation.
The inner content of the container consists of a pre-header with size of 0x80 identifying the Database Type, followed by a BDRI container. The offsets in the BDRI header are usually relative to the offset to the start of the BDRI header (0x80 in the file)
*This file '''does not''' store a hash of the [[Title Data Structure|.cmd]] file for each given title, but the title.db expects to find a [[Title Data Structure|.cmd]] with a name specific to the title version, and the nature of the [[Title Data Structure|.cmd]] file makes re-naming/editing or using under a different title ID(by the end user) detectable (users of retail consoles are not going to have more than one .cmd file for a given titleID/title version).  
*Since this file controls what titles are accessible to the 3DS, it is possible to move between different versions of a title if you have the title.db and title data for each version of that specific title.
*This file isn't updated when downloading a title, until installation is complete. So if the download is un-expectedly interrupted/canceled this prevents title rights from being written to the title.db. If the title rights are erroneously written, the [[Application Manager Services PXI|AM]] would mistake the title for being installed, and not allow the title to be re-downloaded(of course erroneous title rights can be deleted from system settings, however this is only possible with titles installed to the SD Card). Also in the case of title updates, this has the added benefit of allowing the user to revert to the version of the title before the update, if the download of the update is canceled before completion.
* IMPORTANT - turning off power while the title.db is edited(the final stage of installing titles), will most likely corrupt your 3DS' title.db. Which will make installed titles inaccessible. While this creates no permanent damage for SD Card titles and can be easily fixed using a backup title.db, or just re-downloading titles from the [[eShop]]. Corrupting the NAND title.db, will most likely result in a brick.


"'''import.db'''" - The function of the file is not well understood. It appears to be related to the download/install of titles, as in the progress of downloading titles this file will have changed but the title.db will not be modified until the title has been properly downloaded.
== Pre Header ==
*This file doesn't contain any title specific data which the [[Application Manager Services PXI|AM]] has been noted to use in relation to installed titles, even though this file is modified when titles are installed/deleted. In fact, no matter what titles you install, if you use an old copy of the "import.db" with a recent copy of the "title.db", this creates no noticeable issues.


{| class="wikitable"
|-
! Start
! Length
! Description
|-
| 0x00
| 8
| Database Type "Magic" (see below)
|-
| 0x08
| 0x78
| Reserved
|}


Note: It is quite unlikely that the either the import.db or title.db contain the cached icon and names of installed titles. The amount of data which changes in those two file when a title installed/deleted is not sufficient to contain the size of data required for the icons and names of the application, they are most likely cached in the [[Flash Filesystem|NAND]].
For ticket.db different pre header is used:


* [https://gist.github.com/1113cbe10f124e5a2c72 Old and new import.db and title.db xored, revealing some plaintext].
{| class="wikitable"
|-
! Start
! Length
! Description
|-
| 0x00
| 4
| Database Type "Magic" (see below)
|-
| 0x04
| 0x04
| Unknown (always 0x00000001 ?)
|-
| 0x08
| 0x04
| Unknown
|-
| 0x0C
| 0x04
| Unknown (0x30 smaller than previous one)
|}
 
=== Database Magic ===
 
{| class="wikitable"
|-
! Database Type
! Magic
|-
| CTR-NAND ticket.db
| TICK
|-
| CTR-NAND import.db
| NANDIDB
|-
| CTR-NAND title.db
| NANDTDB
|-
| CTR-NAND tmp_i.db
| TEMPIDB
|-
| CTR-NAND tmp_t.db
| TEMPIDB
|-
| SD Card import.db
| TEMPTDB
|-
| SD Card title.db
| TEMPTDB
|}
 
== BDRI ==
 
This is a variant of [[Inner FAT|FAT filesystem]]. It consists one "root" directory and multiple "files". Each "file" is one title info entry described below.
 
== Title Info Entry ==
 
An entry contains information taken from both the application NCCH file(s) and TMD.
 
{| class="wikitable"
|-
! Start
! Length
! Description
|-
| 0x0
| 8
| Title Size
|-
| 0x8
| 4
| Title Type(usually 0x40)
|-
| 0xC
| 4
| Title Version
|-
| 0x10
| 4
| Flags_0
|-
| 0x14
| 4
| TMD Content ID
|-
| 0x18
| 4
| CMD Content ID
|-
| 0x1c
| 4
| Flags_1
|-
| 0x20
| 4
| ExtdataID low (zero if title doesn't use Extdata)
|-
| 0x24
| 4
| Reserved
|-
| 0x28
| 8
| Flags_2
|-
| 0x30
| 0x10
| Product Code
|-
| 0x40
| 0x10
| Reserved
|-
| 0x50
| 0x4
| Unknown
|-
| 0x54
| 0x2c
| Reserved
|}
 
For ticket.db title info, there is a header indicates ticket count (as a Title ID can have more than one ticket installed). Then each entry contains the size, followed by the actual ticket data.
{| class="wikitable"
|+ Header
|-
! Start
! Length
! Description
|-
| 0x0
| 4
| Amount of tickets X
|-
| 0x4
| X * (size of tickets + 4)
| Ticket entries
|}
{| class="wikitable"
|+ Ticket entry
|-
! Start
! Length
! Description
|-
| 0x0
| 4
| Ticket data size X (often 0x350 but some DLC tickets may be larger)
|-
| 0x4
| X
| [[Ticket|Ticket]] data
|}
 
==== Flags_0 ====
 
{| class="wikitable"
|-
! Index
! Description
|-
| 0
| Electronic Manual
|-
| 1
| ?
|-
| 2
| ?
|-
| 3
| ?
|}
 
==== Flags_1 ====
 
{| class="wikitable"
|-
! Index
! Description
|-
| 0
| SD Save Data
|-
| 1
| ?
|-
| 2
| ?
|-
| 3
| ?
|}
 
==== Flags_2 ====
 
{| class="wikitable"
|-
! Index
! Description
|-
| 0
| DSiWare Related (Visibility on Home Menu/Export Flag?)
|-
| 1
| ?
|-
| 2
| ?
|-
| 3
| ?
|-
| 4
| Found with DSiWare Titles and titles with an 'Application' Title ID
|-
| 5
| DSiWare Related (Visibility on Home Menu/Export Flag?)
|-
| 6
| ?
|-
| 7
| ?
|}
 
'''NOTES:'''
 
It is important to note the database doesn't contain a hash of the [[Title Data Structure|.cmd]]. So if a user has more than one valid set of [[Title Data Structure|application data]] for a given .cmd Content ID they can be manually interchanged without issue. Though renaming a .cmd file to match the Content ID which the title.db is expecting will result in an error, as the CTR for the per-console encryption layer changes depending on the file path, and the MAC of the .cmd is probably generated with the .cmd Content ID in mind.
 
These NAND/SD /dbs images seem to be loaded by the ARM9 while NATIVE_FIRM is booting.
 
Removing ticket.db from a New-3DS with signature checks disabled will not result in an unbootable system, however all icons except Slot-1 will disappear from Home. Applets can however still be used. Recovery can be accomplished via [[Hardware|hardmod]] or [[arm9loaderhax]] plus a known good backup of the file (or the whole partition or disk); Gamecard exploits were not tested, and Browserhax did not work.
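
Review bot: in the ticket.db Header table the length "X * (size of tickets + 4)" assumes every ticket has the same size, which conflicts with the Ticket entry row stating the size is "often 0x350 but some DLC tickets may be larger"; the length should be described as the sum, over all entries, of 4 plus that entry's own data size. X is also used for two different things (the ticket count in the Header table, the data size in the Ticket entry table), so distinct names such as N for the count and S for the size would avoid misreading. Separately, the Database Magic table lists TEMPIDB for both tmp_i.db and tmp_t.db and TEMPTDB for both SD Card import.db and title.db, which breaks the IDB/TDB pattern of the NAND rows; either confirm these against a dump or state that the magic does not distinguish those files.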

Latest revision as of 12:16, 13 September 2023

These files contain data relating to install/usage/management of installed 3DS titles. The database files are located at:

  • nand/dbs
  • sdmc/Nintendo 3DS/<ID0>/<ID1>/dbs

ID0 is the first 0x10 bytes of a SHA256 hash. The installation of SD Card titles was introduced in the 2.0.0-2 update, and the SD dbs files are encrypted by the general SD filesystem encryption rule. These files are DIFF containers. These DIFF files do not use external IVFC level 4, so all database data is duplicated in the container. Only the inner content of the container is described on this page.

These files are only created on SD (via AM) if they don't exist when the eShop application is starting up, during network init etc (prior to showing the "system update required" dialog).

These files are stored under this directory:

{| class="wikitable"
! Stored on SD card !! Stored in CTR-NAND !! Filename !! CTR-9DB0 ID !! Description
|-
| No || Yes || ticket.db || 0x0 || This contains the installed tickets (NAND and SD).
|-
| No || Yes || certs.db || 0x1 || This contains the certificate chain used to verify TMDs and other certificates.
|-
| Yes || Yes || title.db || 0x2 || Title database, this contains entries for all installed titles (TWL & CTR) on the 3DS (Each database is responsible for titles installed on its medium).
|-
| Yes || Yes || import.db || 0x3 || This is an Import Database, it contains entries for titles (or versions of titles) not yet installed, ready for transferring to the title.db. (Automatic Update uses this, so completing the update takes seconds.)
|-
| No || Yes || tmp_t.db || 0x4 || This is the temporary Title database containing one entry for the currently installed Download Play Child.
|-
| No || Yes || tmp_i.db || 0x5 || Similar to import.db, except it's used in conjunction with tmp_t.db, for installing Download Play Children.
|}

The inner content of the container consists of a pre-header of size 0x80 identifying the Database Type, followed by a BDRI container. The offsets in the BDRI header are usually relative to the start of the BDRI header (0x80 in the file).

== Pre Header ==

{| class="wikitable"
! Start !! Length !! Description
|-
| 0x00 || 8 || Database Type "Magic" (see below)
|-
| 0x08 || 0x78 || Reserved
|}

For ticket.db, a different pre-header is used:

{| class="wikitable"
! Start !! Length !! Description
|-
| 0x00 || 4 || Database Type "Magic" (see below)
|-
| 0x04 || 0x04 || Unknown (always 0x00000001 ?)
|-
| 0x08 || 0x04 || Unknown
|-
| 0x0C || 0x04 || Unknown (0x30 smaller than previous one)
|}

=== Database Magic ===

{| class="wikitable"
! Database Type !! Magic
|-
| CTR-NAND ticket.db || TICK
|-
| CTR-NAND import.db || NANDIDB
|-
| CTR-NAND title.db || NANDTDB
|-
| CTR-NAND tmp_i.db || TEMPIDB
|-
| CTR-NAND tmp_t.db || TEMPIDB
|-
| SD Card import.db || TEMPTDB
|-
| SD Card title.db || TEMPTDB
|}

== BDRI ==

This is a variant of the FAT filesystem. It consists of one "root" directory and multiple "files". Each "file" is one title info entry, described below.

== Title Info Entry ==

An entry contains information taken from both the application NCCH file(s) and TMD.

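{| class="wikitable"
! Start !! Length !! Description
|-
| 0x0 || 8 || Title Size
|-
| 0x8 || 4 || Title Type (usually 0x40)
|-
| 0xC || 4 || Title Version
|-
| 0x10 || 4 || Flags_0
|-
| 0x14 || 4 || TMD Content ID
|-
| 0x18 || 4 || CMD Content ID
|-
| 0x1c || 4 || Flags_1
|-
| 0x20 || 4 || ExtdataID low (zero if title doesn't use Extdata)
|-
| 0x24 || 4 || Reserved
|-
| 0x28 || 8 || Flags_2
|-
| 0x30 || 0x10 || Product Code
|-
| 0x40 || 0x10 || Reserved
|-
| 0x50 || 0x4 || Unknown
|-
| 0x54 || 0x2c || Reserved
|}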
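
The pre-header and Title Info Entry layouts above, as an added Python example that is not part of the original page: it identifies the database type from the pre-header magic and decodes one 0x80-byte entry that has already been extracted from the BDRI container. Little-endian fields, NUL padding of the 8-byte magic, and reading each flag table "Index" as a byte index are assumptions; the function names and sample values are hypothetical.

```python
import struct

# Magic -> database types, from the Database Magic table. Two magics are each
# listed for two files, so the magic alone does not always identify the file.
MAGICS = {
    b"NANDIDB": ["CTR-NAND import.db"],
    b"NANDTDB": ["CTR-NAND title.db"],
    b"TEMPIDB": ["CTR-NAND tmp_i.db", "CTR-NAND tmp_t.db"],
    b"TEMPTDB": ["SD Card import.db", "SD Card title.db"],
}
PRE_HEADER_SIZE = 0x80
# Title Info Entry layout (0x80 bytes). "<" (little-endian) is an assumption.
ENTRY = struct.Struct("<QII4sII4sI4x8s16s16xI44x")

def identify_db(inner: bytes) -> list:
    """Candidate database types for the inner content of a DIFF container."""
    if len(inner) < PRE_HEADER_SIZE:
        raise ValueError("shorter than the 0x80-byte pre-header")
    if inner[:4] == b"TICK":  # ticket.db uses a 4-byte magic
        return ["CTR-NAND ticket.db"]
    magic = inner[:8].rstrip(b"\x00")  # assumption: 8-byte field is NUL-padded
    return list(MAGICS.get(magic, []))

def parse_title_info(entry: bytes) -> dict:
    """Decode one Title Info Entry (the content of one BDRI file)."""
    if len(entry) != ENTRY.size:
        raise ValueError("title info entry must be 0x80 bytes")
    (size, ttype, version, flags0, tmd_id, cmd_id, flags1,
     extdata_low, flags2, product, unknown) = ENTRY.unpack(entry)
    return {
        "title_size": size, "title_type": ttype, "title_version": version,
        "tmd_content_id": tmd_id, "cmd_content_id": cmd_id,
        "extdata_id_low": extdata_low,  # zero if the title doesn't use Extdata
        "product_code": product.rstrip(b"\x00").decode("ascii", "replace"),
        # Assumption: each flag table "Index" is a byte index into the field.
        "electronic_manual": flags0[0] != 0,
        "sd_save_data": flags1[0] != 0,
        "flags_2": flags2.hex(),
        "unknown_0x50": unknown,
    }

if __name__ == "__main__":
    # Constructed sample: values and product code are placeholders.
    sample = ENTRY.pack(0x123400, 0x40, 1040, b"\x01\0\0\0", 0, 1,
                        b"\0\0\0\0", 0, bytes(8), b"CTR-P-TEST", 0)
    print(identify_db(b"NANDTDB\0" + bytes(0x78)))
    print(parse_title_info(sample))
```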

For ticket.db title info, there is a header that indicates the ticket count (as a Title ID can have more than one ticket installed). Each entry then contains the size, followed by the actual ticket data.

{| class="wikitable"
|+ Header
! Start !! Length !! Description
|-
| 0x0 || 4 || Amount of tickets X
|-
| 0x4 || X * (size of tickets + 4) || Ticket entries
|}

{| class="wikitable"
|+ Ticket entry
! Start !! Length !! Description
|-
| 0x0 || 4 || Ticket data size X (often 0x350 but some DLC tickets may be larger)
|-
| 0x4 || X || Ticket data
|}
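
Because ticket sizes vary, a reader of this structure has to advance by each entry's own size field instead of a fixed 0x350 stride, and check that size against the remaining data. The following Python is an added example, not code from the original page; little-endian fields are an assumption and the function name and sample bytes are hypothetical.

```python
import struct

TYPICAL_TICKET_SIZE = 0x350  # "often 0x350" per the page; not a fixed stride

def parse_ticket_list(blob: bytes) -> list:
    """Split a ticket.db title info blob into its tickets.

    Each entry carries its own size, so the walk advances by that size and
    validates it against the remaining data before slicing.
    """
    if len(blob) < 4:
        raise ValueError("missing ticket count")
    (count,) = struct.unpack_from("<I", blob, 0)  # little-endian: assumption
    tickets, off = [], 4
    for i in range(count):
        if len(blob) - off < 4:
            raise ValueError(f"ticket {i}: size field runs past end of data")
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        if size > len(blob) - off:
            raise ValueError(f"ticket {i}: size {size:#x} exceeds remaining data")
        tickets.append({
            "offset": off,                                 # start of ticket data
            "size": size,
            "typical_size": size == TYPICAL_TICKET_SIZE,   # False for larger tickets
            "data": blob[off:off + size],
        })
        off += size
    return tickets

if __name__ == "__main__":
    # Constructed sample: two filler "tickets", one 0x350 bytes and one larger.
    t1, t2 = b"\xAA" * 0x350, b"\xBB" * 0x3A0
    blob = (struct.pack("<I", 2) + struct.pack("<I", len(t1)) + t1
            + struct.pack("<I", len(t2)) + t2)
    for t in parse_ticket_list(blob):
        print(hex(t["offset"]), hex(t["size"]), t["typical_size"])
```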

==== Flags_0 ====

{| class="wikitable"
! Index !! Description
|-
| 0 || Electronic Manual
|-
| 1 || ?
|-
| 2 || ?
|-
| 3 || ?
|}

==== Flags_1 ====

{| class="wikitable"
! Index !! Description
|-
| 0 || SD Save Data
|-
| 1 || ?
|-
| 2 || ?
|-
| 3 || ?
|}

==== Flags_2 ====

{| class="wikitable"
! Index !! Description
|-
| 0 || DSiWare Related (Visibility on Home Menu/Export Flag?)
|-
| 1 || ?
|-
| 2 || ?
|-
| 3 || ?
|-
| 4 || Found with DSiWare Titles and titles with an 'Application' Title ID
|-
| 5 || DSiWare Related (Visibility on Home Menu/Export Flag?)
|-
| 6 || ?
|-
| 7 || ?
|}

NOTES:

It is important to note that the database doesn't contain a hash of the .cmd. So if a user has more than one valid set of application data for a given .cmd Content ID, they can be manually interchanged without issue. However, renaming a .cmd file to match the Content ID that the title.db is expecting will result in an error, as the CTR for the per-console encryption layer changes depending on the file path, and the MAC of the .cmd is probably generated with the .cmd Content ID in mind.

These NAND/SD /dbs images seem to be loaded by the ARM9 while NATIVE_FIRM is booting.

Removing ticket.db from a New-3DS with signature checks disabled will not result in an unbootable system; however, all icons except Slot-1 will disappear from Home. Applets can still be used. Recovery can be accomplished via hardmod or arm9loaderhax plus a known good backup of the file (or the whole partition or disk); Gamecard exploits were not tested, and Browserhax did not work.