CIA
Overview
CIA stands for CTR Importable Archive. This format allows the installation titles to the 3DS. CIA files can compile NCCH files for installation to either the SDMC or CTR NAND. CIA files can also compile .SRL files (format for DS(i) executable images) for installation to the TWL NAND of the 3DS.
An example .CIA can be downloaded here Credit: Jl12. It includes a .cia file, the result of installation, some screenshots. Everything is decrypted/extracted for convenience sake.
Download Play child CFAs contain a CIA, which contains the Download Play child title. System Update CFAs from gamecards and Download Play also contain CIAs. On retail, CIAs are only used with Download Play child CFAs and System Update CFAs.
Development Units, are capable of manually installing CIA files via the Dev Menu.
Format
The CIA format has a similar structure to the WAD format.
The file is represented in little-endian.
The data is aligned in 64 byte blocks (if a content ends at the middle of the block, the next content will begin from a new block).
The CIA format is capable of containing more then one NCCH in the APP data, the TMD specifies the size of each NCCH contained in the APP data. Generally it will only contain additional NCCH files (.CFA format, such as the Manual and DLP Child) related to the main executable NCCH (.CXI format). The CIA format could be interpreted as an installable variant of the CCI format.
CIA Header
START | SIZE | DESCRIPTION |
---|---|---|
0x00 | 0x04 | Archive Header Size (Usually = 0x2020 bytes) |
0x04 | 0x02 | Type |
0x06 | 0x02 | Version |
0x08 | 0x04 | Certificate chain size |
0x0C | 0x04 | Ticket size |
0x10 | 0x04 | TMD file size |
0x14 | 0x04 | Meta size (0 if no Meta data is present) |
0x18 | 0x08 | Content size |
0x20 | 0x01 | Magic? Must be = 0x80 |
0x21 | 0x1FFF | Magic? Must be Zero Filled |
The order of the sections in the CIA file:
- certificate chain
- Ticket
- TMD file data
- APP file data
- Meta file data
The APP data (NCCH/SRL) is encrypted, using 128-bit AES-CBC. The encryption uses the decrypted titlekey of the ticket, and the titleid padded with zeros as the IV. To get the decrypted titlekey, the titlekey stored in the ticket must be decrypted using 128-bit AES-CBC with the 3DS common key, and the same IV as mentioned previously.
Meta
The structure of this data is as follows:
START | SIZE | DESCRIPTION |
---|---|---|
0x00 | 0x180 | Title ID dependency list - Taken from the application's ExHeader |
0x180 | 0x280 | Reserved/Unused |
0x400 | 0x36C0 | Icon Data(.ICN) - Taken from the application's ExeFS |
Obviously this section is not present in TWL CIA files, or any other CIA file which does not contain a CXI.
Tools
- ctrtool - Reading/Extraction of CIA files. This can only decrypt the title-key for development CIAs, since retail CIAs use the AES hardware key-scrambler for the common-key keyslot.
Title Key Encryption
The unencrypted Title Key is used to encrypt the data in a CIA. The encrypted Title Key of a CIA can be found at offset 0x1BF in a CIA's Ticket. Each Title Key is encrypted with AES-CBC to get the encrypted Title Key.
To encrypt an unencrypted title key, you need:
- Common key (as byte array)
- Title ID (as ulong)
- (and of course the unencrypted title key you want to encrypt) (as byte array)
The title key encryption process starts by converting the ulong (Title ID) into a byte array using by retrieving the bytes of the Title ID using BitConverter.GetBytes(). If the converted bytes (title ID) are in Little Endian, reverse those bytes. (in C# it would be Array.Reverse(byte_array_from_bitconverter)) This process makes the Title Key encryption IV.
Next, after you've gotten your Title Key's IV, you can start your cryptography transformation. Using AESManaged, where:
Key = Common Key
IV = the byte array found in the conversion process above
Mode = CipherMode.CBC
Create the encryptor (AesManaged.CreateEncryptor(key, iv)) where the key and IV are both the same as above.
Then, create a CryptoStream and a MemoryStream. The Crypto stream should start with the arguments (memorystream, aes_transform_from_above, CryptoStreamMode.Write).
Write to the CryptoStream where buffer=unencrypted_titlekey, offset=0, and count=the length of the unencrypted title key.
Use FlushFinalBlock() on the CryptoStream.
Finally, then, the encrypted title key will be available from your memory stream. (to output the calculated encrypted title key as a byte array, you can use memorystream.ToArray(), for example)
Example function: (C#)
public static byte[] EncryptMyTitleKey(byte[] commonKey, byte[] titleKey, ulong titleId) { // Make encryption IV byte[] titleidasbytes = new byte[0x10]; for (int i = 0; i < 0x10; i++) { titleidasbytes[i] = 0; } byte[] bitBytes = BitConverter.GetBytes(titleId); if (BitConverter.IsLittleEndian) { Array.Reverse(bitBytes); } bitBytes.CopyTo(titleidasbytes, 0); // Encrypt ICryptoTransform transform = new AesManaged { Key = commonKey, IV = titleidasbytes, Mode = CipherMode.CBC }.CreateEncryptor(commonKey, titleidasbytes); MemoryStream memstream = new MemoryStream(); CryptoStream cryptostream = new CryptoStream(memstream, transform, CryptoStreamMode.Write); cryptostream.Write(titleKey, 0, titleKey.Length); cryptostream.FlushFinalBlock(); return memstream.ToArray(); }