Downloading 3DS System Modules and Extracting Their Contents

This post is part of the series Reverse Engineering Pokemon Mystery Gifts.

As part of my journey to reverse engineer Pokemon Mystery Gifts, I needed to be able to patch a 3DS System Module. This post will cover how I downloaded official binaries from Nintendo and extracted them for patching.

Download

To download a CIA, you can use my download-cia tool, which downloads a given title ID and version from Nintendo’s servers. Full instructions are in the project README.

As an example, running:

./download-cia.py 0004013000002F02 9217

will download the 3DS SSL Module CIA and place it in the output folder.

Decrypt

You may need to decrypt the CIA. You can do this with a physical 3DS and GodMode9.

Extract

To extract the contents of this decrypted CIA, we can use Project_CTR. Simply clone the repository and compile it using make.

The tool we care about will be built and placed at ./ctrtool/bin/ctrtool. This tool will be used to extract the sections of the cia that we need.

Extract NCCH (content) from CIA

ctrtool --contents=contents <cia file name>

This will produce one or more files in the current directory beginning with contents. The following actions can be done on any of them.

Extract NCCH

ctrtool --exheader exheader.bin --logo logo.bin --plainrgn plainrgn.bin --exefs exefs.bin --romfs romfs.bin <contents.file_name>

This will produce an exefs.bin in the current directory.

Extract code.bin from exefs.bin

ctrtool -x --exefsdir=exefs -t exefs --decompresscode exefs.bin

This will extract code.bin to exefs/code.bin.
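
Before patching, it is worth confirming that the exefs.bin produced above is intact. The script below is an added example, not part of download-cia or Project_CTR: it parses the publicly documented ExeFS header layout (ten 16-byte file entries, then a SHA-256 table stored in reverse order) and checks each section's hash. The function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

HEADER_SIZE = 0x200   # ExeFS header: 10 file entries, reserved area, 10 hashes
MAX_ENTRIES = 10
HASH_TABLE = 0xC0     # SHA-256 table starts here, stored in reverse entry order


def list_exefs(blob):
    """Return [(name, offset, size, hash_ok)] for each entry in an ExeFS image."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("too short to be an ExeFS image")
    entries = []
    for i in range(MAX_ENTRIES):
        raw_name, offset, size = struct.unpack_from("<8sII", blob, i * 16)
        if size == 0:
            continue  # unused slot
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        start = HEADER_SIZE + offset  # offsets are relative to the end of the header
        data = blob[start:start + size]
        h = HASH_TABLE + (MAX_ENTRIES - 1 - i) * 32
        ok = len(data) == size and hashlib.sha256(data).digest() == blob[h:h + 32]
        entries.append((name, offset, size, ok))
    return entries


def build_sample():
    """Constructed two-entry ExeFS image used only to exercise the parser."""
    files = [(b".code", b"\x01\x02\x03\x04" * 8), (b"icon", b"ICON" * 4)]
    header = bytearray(HEADER_SIZE)
    body = b""
    for i, (name, data) in enumerate(files):
        struct.pack_into("<8sII", header, i * 16, name, len(body), len(data))
        h = HASH_TABLE + (MAX_ENTRIES - 1 - i) * 32
        header[h:h + 32] = hashlib.sha256(data).digest()
        body += data
    return bytes(header) + body


if __name__ == "__main__":
    import sys
    # Pass a path to exefs.bin, or run with no arguments to use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, offset, size, ok in list_exefs(blob):
        status = "ok" if ok else "MISMATCH"
        print(f"{name:8} offset=0x{offset:x} size=0x{size:x} sha256={status}")
```

Unreadable section names or hash mismatches usually mean the image is still encrypted or was damaged along the way. The hashes cover the sections as stored in the ExeFS, so they are checked before --decompresscode is applied.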