Open source decryption tools for the Nintendo 3DS console
This is a work in progress fork of Archshifts original Decrypt9, including bleeding edge new features. Note that the names of the exectuable files for this are Decrypt9WIP.* instead of Decrypt9.*. New features introduced in this will eventually get pulled into Archshifts repo.
You may discuss this work in progress version, help testing, participate in the development and on GBAtemp.
There are at the present time, three main versions of Decrypt9 available:
- Decrypt9 by Archshift: This is the original version of Decrypt9 by Archshift. New features are pulled into this once they are thoroughly tested. This is as stable as it gets, but may also miss some of the newer features.
- Decrypt9 WIP by d0k3: This is the work in progress fork of Archshifts original Decrypt9. It contains the newest features and is always up to date. Releases in here can be considered tested beta versions.
- Decrypt9 UI by Shadowtrance: This is a themed version of Decrypt9 WIP created by Shadowtrance. It contains a nice graphical user interface (instead of text only as the other two versions), but may not be up to date at all times
See this incomplete list, more detailed descriptions are found further below.
- Create XORpads for decryption of NCCH ('.3DS') files
- Create XORpads for decryption of files in the '/Nintendo 3DS' folder
- Create XORpads for decryption of the TWLN and CTRNAND partitions
- Decrypt Titlekeys, either from a file or directly from SysNAND / EmuNAND
- Backup & restore your SysNAND and EmuNAND
- Dump & Inject any partition from your SysNAND and EmuNAND
- Dump & Inject a number of files (ticket.db, ..) from your SysNAND and EmuNAND
- Inject any app into the Health & Safety app
- Create and update the SeedDB file
- Directly decrypt (cryptofix) NCCH ('.3DS') and CIA files
- Directly decrypt files from the '/Nintendo 3DS/' folder
Decrypt9 can be built to run from a number of entry points, descriptions are below. Note that you need to be on or below 3DS firmware version v9.2 for any of these to work.
- Gateway Browser Exploit: Copy Launcher.dat to your SD card root and run this via http://go.gateway-3ds.com/ from your 3DS browser. Build this with
make gateway
. - A9LH, Brahma & Bootstrap: Copy Decrypt9.bin to somewhere on your SD card and run it via either Brahma or Bootstrap. Brahma derivatives / loaders such as BrahmaLoader, BootCTR and CTR Boot Manager will also work with this. Build this with
make bootstrap
. - Homebrew Launcher: Copy Decrypt9.3dsx & Decrypt9.smdh into /3DS/Decrypt9 on your SD card. Run this via Smealums Homebrew Launcher, Mashers Grid Launcher or any other compatible software. Build this with
make brahma
. - CakeHax Browser: Copy Decrypt9.dat to the root of your SD card. For MSET also copy Decrypt9.nds to your SD card. You can then run it via http://dukesrg.github.io/?Decrypt9.dat from your 3DS browser. Build this via
make cakehax
. - CakeHax MSET: Copy Decrypt9.dat to the root of your SD card and Decrypt9.nds to anywhere on the SD card. You can then run it either via MSET and Decrypt9.nds. Build this via
make cakerop
.
If you are a developer and you are building this, you may also just run make release
to build all files at once. If you are a user, all files are already included in the release archive.
Basically every input file for Decrypt9 can be placed into the SD card root and output files can be written there, too. Working folders are mostly optional. However, using them is recommended and even required for some of the Decrypt9 features to work. These two folders (on the root of your SD card) are used:
/D9Game/
: NCCH (.3DS), CIA, BOSS, SD card files (from the '/Nintendo 3DS/' folder) go here and are decrypted in place by the respective features./Decrypt9/
: Everything that doesn't go into/D9Game/
goes here, and this is also the standard output folder. If/D9Game/
does not exist, NCCH, CIA, BOSS and SD card files are also processed in this folder.
Decryption of game files (NCCH, CIA, BOSS, SD) needs at least one of these two folders to exist. Input files are first searched in /Decrypt9/
and (if not found) then in the SD card root.
Depending on the environment, Decrypt9 is ran from, you may need support files to have full functionality. Support files are placed into either the root folder, or the work folder (/Decrypt9/
). Here's a list of support files used in Decrypt9, when you need them and what they are used for:
slot0x05keyY.bin
: This file is needed for access to CTRNAND features (which is basically everything) on N3DS when running from A9LH.slot0x25keyX.bin
: This file is needed to decrypt 7x crypto NCCHs and CIAs on O3DS < 7.0 and on A9LH.slot0x18keyX.bin
: This file is needed to decrypt Secure 3 crypto NCCHs and CIAs on O3DS and on A9LH.slot0x1BkeyX.bin
: This file is needed to decrypt Secure 4 crypto NCCHs and CIAs in every environment.aeskeydb.bin
: This is an alternative to the fourslot0x??key?.bin
files mentioned above. It can be created in Decrypt9 and can contain multiple key files.seeddb.bin
: This file is needed to decrypt seed crypto NCCHs and CIAs. Note that your seeddb.bin must also contain the seed for the specific game you need to decrypt.movable.sed
: This is dumpable by Decrypt9. It is needed to decrypt SD files from another 3DS, or from another installation on your own 3DS. It is not needed when decrypting your own SysNAND / EmuNAND SD files.
Features in Decrypt9 are categorized into 5 main categories, see the descriptions of each below.
This category includes all features that generate XORpads. XORpads are not useful on their own, but they can be used (with additional tools) to decrypt things on your PC. Most, if not all, of the functionality provided by these features can now be achieved in Decrypt9 in a more comfortable way by newer dump/decrypt features, but these are still useful for following older tutorials and to work with other tools.
- NCCH Padgen: This generates XORpads for NCCH/NCSD files ('.3DS' f.e.) from
ncchinfo.bin
files. Generate thencchinfo.bin
via the included Python scriptncchinfo_gen.py
(orncchinfo_tgen.py
for theme packs) and place it into the/Decrypt9/
work folder. Use Archshift's XORer to apply XORpads to .3DS files. NCCH Padgen is also used in conjunction with Riku's 3DS Simple CIA Converter. Important Note: Depending on you 3DS console type / FW version and the encryption in your NCCH/NCSD files you may need additional filesslot0x??KeyX.bin
and / orseeddb.bin
. You're on your own forslot0x25KeyX.bin
, but forseeddb.bin
this will help you. - SD Padgen (SDinfo.bin): This generates XORpads for files installed into the '/Nintendo 3DS/' folder of your SD card. Use the included Python script
sdinfo_gen.py
and place the the resultingsdinfo.bin
into your/Decrypt9/
work folder. If the SD files to generate XORpads for are from a different NAND (different console, f.e.), you also need the respectivemovable.sed
file (dumpable via Dercrypt9) to generate valid XORpads. By now, this feature should only make sense when decrypting stuff from another 3DS - use one of the two features below or the SD Decryptor instead. Use padXORer by xerpi to apply XORpads. - SD Padgen (SysNAND dir): This is basically an improved version of the above feature. For typical users, there are two folders in '/Nintendo 3DS/' on the SD card, one belonging to the SysNAND, the other to EmuNAND. This feature will generate XORpads for encrypted content inside the folder belonging to the SysNAND. It won't touch your SysNAND, thus it is not a dangerous feature. A folder selection prompt will allow you to specify exactly the XORpads you want to be generated (use the arrow keys to select). Generating all of them at once is not recommended, because this can lead to several GBs of data and very long processing time.
- SD Padgen (EmuNAND dir): This is the same as the above feature, but utilizing the EmuNAND folder below '/Nintendo 3DS/' on the SD card. The EmuNAND folder is typically a lot larger than the SysNAND folder, so be careful when selecting the content for which to generate XORpads for.
- CTRNAND Padgen: This generates a XORpad for the CTRNAND partition inside your 3DS console flash memory. Use this with a NAND (SysNAND/EmuNAND) dump from your console and 3DSFAT16Tool to decrypt and re-encrypt the CTRNAND partition on PC. This is useful for any modification you might want to do to the main file system of your 3DS.
- TWLNAND Padgen: This generates a XORpad for the TWLNAND partition inside your 3DS console flash memory. Use this with a NAND (SysNAND/EmuNAND) dump from your console and 3DSFAT16Tool to decrypt and re-encrypt the TWLNAND partition on PC. This can be used, f.e. to set up the SudokuHax exploit.
- FIRM0FIRM1 Padgen: This generates the combined XORpad for the FIRM0 and FIRM1 partitions inside your 3DS console flash memory. Use this with a NAND (SysNAND/EmuNAND) dump from your console and 3DSFAT16Tool to decrypt and re-encrypt the FIRM0 / FIRM1 partition on PC. This is useful f.e. for manual installation of the arm9loaderhax exploit.
This category includes all titlekey decryption features. Decrypted titlekeys (decTitleKeys.bin
) are used to download software from CDN via the included Python script cdn_download.py
. You may also view the (encrypted or decrypted) titlekeys via print_ticket_keys.py
.
- Titlekey Decrypt (file): First, generate the
encTitleKeys.bin
via the included Python scriptdump_ticket_keys.py
and place it into the/Decrypt9/
work folder. This feature will decrypt the file and generate thedecTitleKeys.bin
, containing the decrypted titlekeys. - Titlekey Decrypt (SysNAND): This will find and decrypt all the titlekeys contained on your SysNAND, without the need for additional tools. The
decTitleKeys.bin
will be generated on your SD card. - Titlekey Decrypt (EmuNAND): This will find and decrypt all the titlekeys contained on your EmuNAND, without the need for additional tools. The
decTitleKeys_emu.bin
will be generated on your SD card.
This is actually two categories in the main menu, but the functionality provided the same (for SysNAND / EmuNAND respectively). These categories include all features that dump, inject, modify or extract information from/to the SysNAND/EmuNAND. For functions that output files to the SD card, the user can choose a filename from a predefined list. For functions that use files from the SD card for input, the user can choose among all candidates existing on the SD card. For an extra layer of safety, critical(!) features - meaning all features that actually introduce change to the NAND - are protected by a warning message and an unlock sequence that the user has to enter. Caution is adviced with these protected features. They should only be used by the informed user.
- (Sys/Emu)NAND Backup & Restore: This contains multiple options to backup or restore your SysNAND or EmuNAND. The submenu contains the following entries:
- NAND Backup: Dumps the
NAND.bin
file from your SysNAND or theÈmuNAND.bin
file from your EmuNAND. This is a full backup of your 3DS System NAND and can be used to restore your 3DS SysNAND / EmuNAND to a previous state or for modifications. - NAND Backup (minsize): Same as the above option, but only dumps the actually used size of the NAND (the remainder is only unused data). Use this instead of the above to save some space on your SD card.
- NAND Restore(!): This fully restores your SysNAND or EmuNAND from the provided
NAND.bin
file (needs to be in the/Decrypt9/
work folder or in the SD card root). Although backups will be checked before restoring, be careful not to restore a corrupted NAND.bin file. Also note that you won't have access to this feature if your SysNAND is too messed up or on a too high FW version to even start Decrypt9 (should be self explanatory). - NAND Restore (forced)(!): Same as the above option, but skips most safety checks. This is not recommended to be used without being properly informed. Keep in mind that, if the above option stops you from restoring a NAND backup, it is normally with good reason and means a prevented brick.
- NAND Restore (keep a9lh)(!): Only available on SysNAND, this is the same as the standard (unforced) restore option, but keeps all your arm9loaderhax files intact. Only use if you actually have arm9loaderhax installed.
- Validate NAND Dump: Use this to check and verify NAND dumps on your SD card. If this check passes on a NAND dump, you will also be able to restore it via the standard restore option.
- NAND Backup: Dumps the
- Partition Dump...: This allows you to dump & decrypt any of the partitions inside your NANDs (TWLN / TWLP / AGBSAVE / FIRM0 / FIRM1 / CTRNAND). Partitions with a file system (TWLN / TWLP / CTRNAND) can easily be mounted, viewed and edited on Windows via OSFMount. These partitions are included in your NAND and can be dumped by this feature:
- TWLN: TWL-NAND FAT16 File System - this is the same as on a Nintendo DSi console. Installed DSiWare titles reside in this partition. This partition can be used, f.e. to set up SudokuHax.
- TWLP: TWL-NAND PHOTO FAT12 File System - this is a Nintendo DSi specific partition for storing photos.
- AGBSAVE: AGB_FIRM GBA savegame - this contains a temporary copy of the current GBA games savegame.
- FIRM0: Firmware partition - this is here for development purposes only and should not be changed by users.
- FIRM1: Firmware partition backup - usually an exact copy of FIRM0.
- CTRNAND: CTR-NAND FAT16 File System - this contains basically you complete 3DS setup. Titles installed to the NAND reside here, and you can extract basically any file of interest from this partition.
- Partition Inject...(!): This allows you to reencrypt & inject any of the partitions on your NAND from the respective files (
TWLN.bin
/TWLP.bin
/AGBSAVE.bin
/FIRM0.bin
/FIRM1.bin
/CTRNAND.bin
) (see above). Only use this if you know exactly what you're doing and be careful. While there are some safety clamps in place, they won't protect you from a major messup caused by yourself. - File Dump...: This allows you to directly dump & decrypt various files of interest from your SysNAND and EmuNAND. These files are included in this feature:
- ticket.db: Contains titlekeys for installed titles - use this with Cearps FunkyCIA to download installed (legit, purchased) titles directly to your PCs ard drive.
- title.db: A database of installed titles - apart from informative purposes this doesn't serve a direct purpose for most users at the moment.
- import.db: A database of titles to be installed - this can be used to get rid of the FW update nag at a later time. Read more on it in this GBAtemp thread.
- certs.db: A database of certificates - any practical use for this is unknown at the moment.
- SecureInfo_A: This contains your region and an ASCII serial number - this can be used to temporarily change your 3DS region. The dump / inject options in Decrypt9 simplify the tutorial found here.
- LocalFriendCodeSeed_B: This contains your FriendCodeSeed - in theory this can be used to import your friend list to another 3DS.
- rand_seed: Most likely containing some random data - any practical use for this is unknown at the moment.
- movable.sed: This contains the keyY for decryption of data on the SD card - Decrypt9 itself uses this in the SD Decryptor / Encryptor and in SD padgen.
- seedsave.bin: Contains the seeds for decryption of 9.6x seed encrypted titles - only the seeds for installed (legit, purchased) titles are included in this. Use SEEDconv (recommended) or the included Python script
seeddb_gen.py
to extract the seeds from this into the Decrypt9 readableseeddb.bin
. - nagsave.bin: Contains some data relating to system updates - it is possible to block automatic system updates (ie. the 'update nag') with this file. Research is still in progress. Read this and the posts after it for more information.
- nnidsave.bin: Contains your NNID data - this can be used to reset / remove the NNID from your system, without removing any other data. See here for instructions.
- File Inject...(!): This allows you to directly encrypt & inject various files of interest into the SysNAND and EmuNAND. For more information check out the list above.
- Health&Safety Dump: This allows you to to dump the decrypted Health and Safety system app to your SD card. The dumped H&S app can be used to create injectable files for any homebrew software.
- Health&Safety Inject(!): This is used to inject any app into your Health & Safety system app (as long as it is smaller than the original H&S app). Multiple safety clamps are in place, and this is a pretty safe feature. Users are still adviced to be cautious using this and only use eiter the original hs.app or inject apps created with the Universal Inject Generator. This feature will detect all injectable apps on the SD card and let the user choose which one to inject.
- Update SeedDB: Use this to create or update the ´seeddb.bin´ file on your SD card with the seeds currently installed in your Sys/EmuNAND. Only new seeds will get added to
seeddb.bin
, seeds already in the database stay untouched.
This category includes all features that allow the decryption (and encryption) of external and internal game files. Game files are any files that contain games and other software. Typical game file extensions are .CIA, .3DS and .APP. Game files are directly processed - the encrypted versions are overwritten with the decrypted ones and vice versa, so keep backups. The standard work folder for game files is /D9Game/
, but if that does not exist, game files are processed inside the /Decrypt9/
work folder.
- NCCH/NCSD Decryptor: Use this to fully decrypt all NCCH / NCSD files in the folder. Files with .3DS and .APP extension are typically NCCH / NCSD files. A full decryption of a .3DS file is otherwise also known as cryptofixing. Important Note: Depending on you 3DS console type / FW version and the encryption in your NCCH/NCSD files you may need additional files key files (see 'Support files' above) and / or
seeddb.bin
. - NCCH/NCSD Encryptor: Use this to (re-)encrypt all NCCH / NCSD files in the folder using standard encryption (f.e. after decrypting them). Standard encryption can be processed on any 3DS, starting from the lowest firmware versions. On some hardware, .3DS files might need to be encrypted for compatibility.
- CIA Decryptor (shallow): Use this to decrypt, for all CIA files in the folder, the first layer of CIA decryption. The internal NCCH encryption is left untouched.
- CIA Decryptor (deep): Use this to fully decrypt all CIA files in the folder. This also processes the internal NCCH encryption. Deep decryption of a CIA file is otherwise known as cryptofixing. This also may need additional key files and / or
seeddb.bin
, see 'Support files' above. - CIA Decryptor (CXI only): This is the same as CIA Decryptor (deep), but it does not process the 'deep' NCCH encryption for anything but the first CXI content. On some hardware, fully deep decrypted CIA files might not be installable, but CIA files processed with feature will work.
- CIA Encryptor (NCCH): Use this to encrypt the NCCH containers inside of the CIA files in the folder. NCCH encryption is required, for example, for system CIA files to be installable.
- BOSS Decryptor: Use this to decrypt BOSS files, which are typically received via Spotpass. This feature will decrypt all encrypted BOSS files (with a valid BOSS header) found in the folder.
- BOSS Encryptor: Use this to encrypt BOSS files. This feature will encrypt all unencrypted BOSS files (with a valid BOSS header) found in the folder.
- SD Decryptor/Encryptor: Use this to decrypt or encrypt 'SD files'. SD files are titles, extdata and databases found inside the
/Nintendo 3DS/<id0>/<id1>/
folder. For this feature to work, you need to manually copy the file(s) you want to process. Copy them with their full folder structure (that's everything after/Nintendo 3DS/<id0>/<id1>/
) to the work / game folder. This feature should by now only be useful to encrypt content, decryption is much easier handled by the two features below. - SD Decryptor (SysNAND dir): An improved version of the feature above. This allows you to select content from '/Nintendo 3DS/' (more specifically from the subfolder belonging to SysNAND) to be directly copied to your work / game folder and then decrypted from there.
- SD Decryptor (EmuNAND dir): This has the same functionality as the feature above, but handles the content of the '/Nintendo 3DS/' subfolder belonging to the EmuNAND instead.
This category includes special features which allow you to test and manage Decrypt9 internal functionality.
- System Info: Displays various information about your 3DS and SD card on screen. Used for informational purposes and to test if information is available.
- Create Selftest Reference: Run this first on a known working entrypoint to generate the selftest reference data. This will create a file called
d9_selftest.ref
inside your SD card root or work folder. - Run Selftest: Run the actual selftest (must have created the reference data before). This will create or update a file called
d9_selftest.lst
on your SD card root or work folder. Note: on O3DS failedncch_sec3_key
,ncch_sec4_key
andnand_ctrn_key
tests are normal and expected. On O3DS <= FW 7.0,ncch_7x_key
may fail. On N3DS and O3DSncch_sec4_key
may fail. With all key files (see 'Support files' available, no test should fail. This is used, for example, to assure that everything works as intended on a new entrypoint. - Build Key Database: This is used to build the
aeskeydb.bin
file from all availableslot0x??key?.bin
files. It will also process files that are not used by Decrypt9. With theaeskeydb.bin
available, Decrypt9 can load keys from it and doesn't need theslot0x??key?.bin
files anymore. - De/Encrypt Key Database: By default, the
aeskeydb.bin
created in Decrypt9 is encrypted, and the keys in it are not readable via a Hex Editor. Use this to either decrypt an encrypted database, or to encrypt a decrypted one. Note that Decrypt9 can load keys from both.
- Roxas75 for the method of ARM9 code injection
- Cha(N), Kane49, and all other FatFS contributors for FatFS
- Normmatt for
sdmmc.c
as well as project infrastructure (Makefile, linker setup, etc) - Relys, sbJFn5r for the decryptor
- Everyone mentioned by Archshift above
- Archshift for starting this project and being a great project maintainer
- b1l1s, Normmatt for their 'behind-the-scenes' work and for making arm9loaderhax support possible
- patois, delebile, SteveIce10 for Brahma and it's updates
- mid-kid for CakeHax and for hosting freenode #Cakey
- Shadowtrance, dark_samus3, Syphurith, AuroraWright for being of great help developing this
- profi200 for helpful hints that first made developing some features possible
- Datalogger, zoogie, atkfromabove, mixups, key1340, k8099, Al3x_10m, Supster131, stbinan, Wolfvak, Gelex and countless others from freenode #Cakey and the GBAtemp forums for testing, feedback and helpful hints
- Everyone I forgot about - if you think you deserve to be mentioned, just contact me