46
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + + + + + − − The 3DS retrieves system [[CommonETicket|tickets]] with SOAP request GetSystemCommonETicket, instead of directly downloading the cetk with HTTPS. The cetk is still accessible via HTTP, however 3DS doesn't use direct HTTP for this. Line 88:
Line 90: − + + + + Line 121:
Line 126: − === Versions ===+ Line 133:
Line 138: − [[Title list|Titles]] installed to the 3DS are installed to either the NAND(System and Application) or SD Card(Application only), and their respective directory locations are:+ − '''[[Flash Filesystem|NAND]]:'''+ − * nand/title - Title Data+ − * nand/data/<ID0>/sysdata - Save Data+ + + + + + + + + + + + − '''[[SD Filesystem|SD Card]]:'''+ − * sdmc/Nintendo 3DS/<ID0>/<ID1>/title - Title Data/Save Data − ID0 is the first 0x10-bytes from a SHA256 [[nand/private/movable.sed|hash]].+ − − Line 150:
Line 163: − And the title data is contained in this directory structure:+ − '''NAND Directory Structure''':+ − Title Data:+ − + + + + + + Line 163:
Line 181: − + − Save Data: − − <SaveID0> − └── <SaveID1> − └── 00000001.sav − − '''SD Card Directory Structure''': − Title Data/Save Data: − Line 183:
Line 192: − + − The structure differs for [[Title list#0004008C - Add-on Content (DLC)|DLC]] Titles: − Line 191:
Line 198: − + − + − For a list of 3DS titles see the [[Title list]]. + − + − + + + + + + + − + Line 217:
Line 230: − *The above table does not apply to DLC content. − + − + Line 237:
Line 249: − + − + − + − + − + + + + + − + − + − + − |} − − Entries format: − {| class="wikitable" border="1" − ! Start+ − ! Size+ − ! Description+ − + − + − + − + − + − + − '''"00000001.sav"''' - This is the title's encrypted [[Savegames|savegame]]. Renaming these savegames causes home-menu to hang while launching titles, modifying these saves results in the same corruption errors as other savegames.+ + − + + + + + + + − + − + Line 281:
Line 300: − + + + + + +
→Data Structure: update DLC NCCH separation information
The Nintendo 3DS utilizes a similar title-based organization as seen in the Wii and DSi platforms. The update server is located [http://nus.cdn.c.shop.nintendowifi.net/ccs/download/ here]. When using SSL, the update/shop servers must be accessed via SSLv3.
The Nintendo 3DS utilizes a similar title-based organization as seen in the Wii and DSi platforms. The update server is located [http://nus.cdn.c.shop.nintendowifi.net/ccs/download/ here].
For a list of 3DS titles see the [[Title list]].
= Title IDs =
The organization of Title IDs has not been documented fully yet. Region info isn't stored in title IDs however there does appear to be evidence that the regions are sequential, similar to how Wii System Menu Updates are ordered: JPN USA EUR KOR and CHN (introduced with the DSi). 3DS has one additional region: TWN.
The organization of Title IDs has not been documented fully yet. Region info isn't stored in title IDs however there does appear to be evidence that the regions are sequential, similar to how Wii System Menu Updates are ordered: JPN USA EUR KOR and CHN (introduced with the DSi). 3DS has one additional region: TWN.
Note: The terms 'Title ID', 'Partition ID' and 'Media ID' are interchangeable.
Note: The terms 'Title ID', 'Partition ID' and 'Media ID' are interchangeable.
|-
|-
| Evaluation
| Evaluation
| 0xF8000 -0xFFFFF
| 0xF8000 - 0xFEFFF (?)
|-
|-
| Prototype*
| Prototype*
| 0xFF000 - 0xFF3FF
| 0xFF000 - 0xFF3FF
|-
| Developer
| 0xFF400 - 0xFF7FF (?)
|}
|}
<nowiki>*</nowiki>On the home menu, titles with UIDs within the 'Prototype' range, appear on the home menu after install without the gift fanfare.
<nowiki>*</nowiki>On the home menu, titles with UIDs within the 'Prototype' range, appear on the home menu after install without the gift fanfare.
* Title ID variation is ignored for TWL titles, this value is carried over from the original TWL title ID and is used for region lock:
* Title ID variation is ignored for TWL titles, this value is carried over from the original TWL title ID and is used for region lock:
= Versions =
v## = 0xHHHH = 0bBBBBBBBB...
v## = 0xHHHH = 0bBBBBBBBB...
= Data Structure =
= Data Structure =
Titles are installed to either the NAND (System and Application) or to the SD Card (Application only), and their respective directory locations are:
{| class="wikitable" border="1" style="margin: auto;"
|-
|
! scope="col"| [[Flash Filesystem|NAND]]
! scope="col"| [[SD Filesystem|SD]]
|-
! scope="row"| Title Data
| nand/title
| rowspan="2" | sdmc/Nintendo 3DS/<ID0>/<ID1>/title
|-
! scope="row"| Save Data
| nand/data/<ID0>/sysdata
|-
|}
ID0 is the first 0x10-bytes from a SHA256 [[nand/private/movable.sed|hash]] and ID1 is generated from the SD card CID.
Title data stored on the SD Card is encrypted with the console-unique [[nand/private/movable.sed|keyslots]], whereas NAND title data is stored as cleartext.
Title data stored on the SD Card is encrypted with the console-unique [[nand/private/movable.sed|keyslots]], however the NAND title data is stored as cleartext.
The base CTR for files stored under /title is likely based on the /title path, similar to extdata. This base CTR is unique per titleID and filename. The base CTR never changes after creation of each file.
The base CTR for files stored under /title is likely based on the /title path, similar to extdata. This base CTR is unique per titleID and filename. The base CTR never changes after creation of each file.
When a newer version of a title is installed, the new .app content, .tmd, and .cmd(and .ctx for NAND titles) are written to the /title directory, however the old files here are not yet deleted. Once installation of the title is [[AMNet:InstallTitlesFinish|finalized]], the info from [[Title_Database|import.db]] is moved to [[Title_Database|title.db]] so that the system uses the newer files instead, then the old /title files are deleted.
When a newer version of a title is installed, the new .app content, .tmd, and .cmd(and .ctx for NAND titles) are written to the /title directory, however the old files here are not yet deleted. Once installation of the title is [[AMNet:InstallTitlesFinish|finalized]], the info from [[Title_Database|import.db]] is moved to [[Title_Database|title.db]] so that the system uses the newer files instead, then the old /title files are deleted.
The title data is contained in this directory structure (note that [[Title list#0004008C - Add-on Content (DLC)|DLC]] titles are stored in a different way):
{| class="wikitable" border="1" style="margin: auto;"
!
! scope="col"| NAND
! scope="col"| SD (non-DLC)
! scope="col"| SD (DLC)
|-
! scope="row"| Title Data:
|
<Title ID High>
<Title ID High>
└── <Title ID Low>
└── <Title ID Low>
└── cmd
└── cmd
└── <ContentID>.cmd
└── <ContentID>.cmd
| rowspan="2" |
<Title ID High>
<Title ID High>
└── <Title ID Low>
└── <Title ID Low>
└── data
└── data
└── 00000001.sav
└── 00000001.sav
| rowspan="2" |
0004008C
0004008C
└── <Title ID Low>
└── <Title ID Low>
└── content
└── content
├── <ContentID>.tmd
├── <ContentID>.tmd
├── 00000000
├── <IndexSeparator>
│ └── <ContentID>.app
│ └── <ContentID>.app
└── cmd
└── cmd
└── <ContentID>.cmd
└── <ContentID>.cmd
|-
! scope="row"| Save Data:
"'''<ContentID>.tmd'''" - (The Content ID is a u32, initially: '''00000000''' when the title is first installed. Changing by an increment of +'''0x1''' for each title update the 3DS installs) This is the Title Metadata associated with the title, it is encrypted with a console-unique [[AES|keyslot]]. The decrypted TMD is available on Nintendo's CDN server at "http://nus.cdn.c.shop.nintendowifi.net/ccs/download/TitleIDhere/tmd". Though CDN version of the title TMD has a certificate chain attached at the end of the TMD, so removing it will give you the 1:1 decrypted TMD. After installation the "<ContentID>.tmd" is redundant, because important title data is extracted and imported into the [[Title Database|title.db]] and ".cmd" files, but is however kept as a reference.
|
<SaveID0>
└── <SaveID1>
└── 00000001.sav
|}
"'''<ContentID>.tmd'''" - (The Content ID is a u32, initially: '''00000000''' when the title is first installed. Changing by an increment of +'''0x1''' for each title update the 3DS installs) This is the [[Title metadata]] associated with the title. The decrypted TMD is available on Nintendo's CDN server at "http://nus.cdn.c.shop.nintendowifi.net/ccs/download/TitleIDhere/tmd.OptionallyTitleVersionHere". Though CDN version of the title TMD has a certificate chain attached at the end of the TMD, so removing it will give you the 1:1 decrypted TMD. After installation the "<ContentID>.tmd" is redundant, because important title data is extracted and imported into the [[Title Database|title.db]] and ".cmd" files, but is however kept as a reference.
"'''<ContentID>.app'''" - (The Content ID is a u32, taken from the title's [[TMD]]) These files are [[NCCH]] files, where the entire file is encrypted with a console-unique [[AES|keyslot]](this is on top of the encryption of the NCCH contents). There can be more than one NCCH in this directory, as seen with .[[CCI]] files, the game executable ([[CXI]]) can be accompanied with additional non-executable NCCH files ([[NCCH#CFA|CFA]]) such as the electronic manual and DLP Child containers. Determining the function of the encrypted NCCH, is done by finding the Content Index of the "XXXXXXXX.app" file in the title's TMD(see above for retrieving decrypted TMD), interpreting the Content Index is as follows*:
"'''<ContentID>.app'''" - (The Content ID is a u32, taken from the title's [[TMD]]) These files are [[NCCH]] files. There can be more than one NCCH in this directory, as seen with .[[CCI]] files, the game executable ([[CXI]]) can be accompanied with additional non-executable NCCH files ([[NCCH#CFA|CFA]]) such as the electronic manual and DLP Child containers. Determining the function of the NCCH, is done by finding the Content Index of the "XXXXXXXX.app" file in the title's TMD(see above for retrieving decrypted TMD), interpreting the Content Index is as follows (does not apply to DLC content):
{| class="wikitable" border="1"
{| class="wikitable" border="1"
| DLP Child Container (.[[NCCH#CFA|CFA]])
| DLP Child Container (.[[NCCH#CFA|CFA]])
|}
|}
Unlike the TMD, a decrypted version of the NCCH files cannot be retrieved from Nintendo's CDN, the NCCH files do exist on Nintendo's CDN but are [[AES|encrypted]]. Decrypting CDN versions of content, requires the title's [[CommonETicket|ticket]], and the common key specified by an index in the [[CommonETicket|ticket]]. Of course editing/deleting ".app" files will have an effect. Deleting/renaming the manual ".app' will cause the manual not to load when clicked on. And deleting/renaming the executable ".app" will cause the application to not load, and the 3D Banner does not show(The banner is loaded each time from the game's executable NCCH when the home menu loads, it is not cached like the icon and name).
Unlike the TMD, a decrypted version of the NCCH files cannot be retrieved from Nintendo's CDN, the NCCH files do exist on Nintendo's CDN but are [[AES|encrypted]]. Decrypting CDN versions of content, requires the title's [[CommonETicket|ticket]], and the common key specified by an index in the [[CommonETicket|ticket]]. Of course editing/deleting ".app" files will have an effect. Deleting/renaming the manual ".app' will cause the manual not to load when clicked on. And deleting/renaming the executable ".app" will cause the application to not load, and the 3D Banner does not show(The banner is loaded each time from the game's executable NCCH when the home menu loads, it is not cached like the icon and name).
"'''<ContentID>.cmd'''" - (The Content ID is a u32, initially: '''00000001''' when the title is first installed. Changing by an increment of +'''0x1''' for each time the 3DS adds/removes '.app' files) This file contains data taken from the title's [[TMD]]. See the below table for the format of the cleartext .cmd file. The [[Title Database|Title.db]] contains the Content ID for the '.cmd' file, but does not contain a hash of the '.cmd' file. In addition it is also encrypted with a console-unique [[AES|keyslot]]. This acts as part of the DRM for installed titles, along with the [[Title Database|title.db]].
"'''<ContentID>.cmd'''" - (The Content ID is a u32, initially: '''00000001''' when the title is first installed. Changing by an increment of +'''0x1''' for each time the 3DS adds/removes '.app' files) This file contains data taken from the title's [[TMD]]. See the below table for the format of the cleartext .cmd file. The [[Title Database|Title.db]] contains the Content ID for the '.cmd' file, but does not contain a hash of the '.cmd' file. This acts as part of the DRM for installed titles, along with the [[Title Database|title.db]].
The below AES-MACs(including the last 0x10-bytes of the header) are only used for SD titles, and for NAND [[Title_list|download-play]] titles. For other titles, these MACs are set to all-zero.
The below AES-CMACs(including the last 0x10-bytes of the header) are only used for SD titles, for NAND [[Title_list|download-play]] titles, and non-system DSiWare titles. For other titles, these MACs are set to all-zero.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| 0x4
| 0x4
| 0x1C
| 0x4
| For NAND titles' .cmd these 2 words are usually value 1, the rest of the header is all-zero. The last 0x10-bytes of this header is an AES MAC?
| Number of AES-CMACs and Content IDs in the first list (X). The method to determine this is explained below.
|-
|-
| 0x20
| 0x8
| 0x8*(No. of entries)
| 0x4
| Entries for each content begin here with size 0x8.
| Number of Content IDs in the second list (Y)
|-
| 0xC
| 0x4
| Unknown, usually (always?) 1.
|-
|-
| 0x20+0x8*(No. of entries)
| 0x10
| 0x10*(No. of entries)
| 0x10
| These are MACs, one for each content.
| AES-CMAC over first 0x10
|-
|-
| 0x20
| 0x4 * X
| List of installed Content IDs in order of Content Index, with missing contents replaced with 0xFFFFFFFF
|-
|-
| 0x0
| 0x20 + 0x4 * X
| 0x4
| 0x4 * Y
| ContentID
| List of installed Content IDs in order of ID name
|-
|-
| 0x4
| 0x20 + 0x4 * (X + Y)
| 0x8
| 0x10 * X
| Unknown
| AES-CMACs for each content in the first list, generated using the process below
|}
|}
The number of AES-CMACs depends on the highest Content Index installed. For example, a title with 5 contents, but only 1 and 3 are installed, will still result in 3 AES-CMACs, with the 2nd one being unused.
For SD contents, each AES-CMAC is generated by combining the NCCH header without the signature (0x100-0x1FF), the Content Index and Content ID at the end, both as u32. Then calculate the SHA256 of the data and generate the AES-CMAC using the [[AES Registers#Keyslots|SD/NAND AES-CMAC key]].
'''"00000000.ctx"''' - This file encrypted with a console-unique [[AES|keyslot]] is temporarily stored on SD card while a title is being downloaded from the eShop, it is deleted after the download is completed. This contains an AP0000000000000000 cert used to sign the data following the cert, this cert is signed by the [[CTCert]].
For TWLNAND contents, the same process is used(even for SRL contents) with the keyslot for NAND dbs.
'''"00000001.sav"''' - This is the title's [[Savegames|savegame]]. Renaming these savegames causes home-menu to hang while launching titles, modifying these saves results in the same corruption errors as other savegames.
'''"00000000.ctx"''' - This file is temporarily stored on SD card while a title is being downloaded from the eShop, it is deleted after the download is completed. This contains an AP0000000000000000 cert used to sign the data following the cert, this cert is signed by the [[CTCert]].
The unknown signed data is likely an ECDSA public key. There's .ctx files stored under the /title directory for NAND CTR/TWL titles, however those use the [[CTXT]] format which is completely different from this SD .ctx format. These .ctx files for NAND/SD titles only exist for titles where installation was not yet finalized(like when a system update install was not yet finalized).
The unknown signed data is likely an ECDSA public key. There's .ctx files stored under the /title directory for NAND CTR/TWL titles, however those use the [[CTXT]] format which is completely different from this SD .ctx format. These .ctx files for NAND/SD titles only exist for titles where installation was not yet finalized(like when a system update install was not yet finalized).
=== DLC Titles ===
=== DLC Titles ===
DLC titles have a different directory structure to most installed titles. This is because all DLC content for a given title is installed under the same Title ID, but DLC add-ons are usually separate purchases, hense the structure altered so any combination of DLC content can be installed. DLC titles can receive 'updates', this is usually in the form of more DLC content and/or DLC bug fixes. Individual DLC content can only be managed from with-in the application using the DLC.
DLC titles have a different directory structure to most installed titles. This is because all DLC content for a given title is installed under the same Title ID, but DLC add-ons are usually separate purchases, hence the structure altered so any combination of DLC content can be installed. DLC titles can receive 'updates', this is usually in the form of more DLC content and/or DLC bug fixes. Individual DLC content can only be managed from with-in the application using the DLC.
'''"00000000"''' - This extra directory only found in DLC titles, contains the DLC [[NCCH]] content.
'''"<IndexSeparator>"''' - DLC [[NCCH]] contents are split across different directories, depending on the Content Index. Starting with 00000000, there is a directory for every 256 contents. All the directories are created upon install, which means some may be empty if the contents within its index range are not installed.
"'''<ContentID>.cmd'''" - This contains entries for all '''installed''' DLC [[NCCH]] content, and is updated(<ContentID> will change) every time DLC content is installed/removed.
"'''<ContentID>.cmd'''" - This contains entries for all '''installed''' DLC [[NCCH]] content, and is updated (<ContentID> will change) every time DLC content is installed/removed.
=Installing other-model system-titles=
When finalizing title-install of already downloaded Old3DS system-titles to a New3DS NAND image with New3DS NATIVE_FIRM, the end result is that the New3DS version (TID-low bitmask 0x20000000) of those titles gets deleted.
It's unknown where this behaviour is implemented (might be NIM, AM, or AMXPXI).