Animal Crossing Arbitrary Code Execution Maker
The official home of the Animal Crossing series. Create a home, interact with cute animal villagers, and just enjoy life in these charming games from Nintendo. Now that we have control of the execution of the application, it's time to add custom shellcode to our script. This will allow us to execute arbitrary code within the application. This means that if our application is running as an administrator on the machine, our code will have the same privileges.
This page describes the format and encryption of extdata, 'extra data' stored on SD card and NAND, at:
nand/data/<ID>/extdata/<ExtdataID-High>sdmc/Nintendo 3DS/<ID0>/<ID1>/extdata/<ExtdataID-High>
ExtdataID-High is always 00000000 for SD, and always 00048000 for NAND. Regular apps can only mount SD extdata using the same extdataID which is stored in the CXI exheader. Therefore, regular apps which have the exheader extdataID set to zero can't use extdata. This restriction doesn't apply for shared extdata with extdataID high bitmask 0x48000 stored on NAND. System apps with a certain access right can mount arbitrary extdata. All NAND extdata is shared extdata, while all SD extdata is normal extdata.
All data in this page is little-endian. All 'unused / padding' fields can contain uninitialized data unless otherwise specified.
- 1Format
- 1.6NAND Shared Extdata
To avoid confusion, the terms device directory / file and virtual directory / file are used with the following meanings:
Arbitrary Code Execution Oot
- Device directory / file are the real directory / file stored on SD / NAND that can be seen under path
nand/data/<ID>/extdata/orsdmc/Nintendo 3DS/<ID0>/<ID1>/extdata/. - Virtual directory / file are directory / file stored inside extdata virtual file system, which can be seen by applications in the mounted extdata archives.
An extdata consists of several device directories and files, which forms a file system consisting of multiple virtual directories and files.
An extdata with ID ExtdataId has the following device files:
.../extdata/<ExtdataID-High>/<ExtdataId-Low>/Quota.dat(optional).../extdata/<ExtdataID-High>/<ExtdataId-Low>/<SubDirID>/<SubFileID>
Note:
- All device files are DIFF containers. All format description below is about the inner content of the containers. Please unwrap these files first according to the DIFF format description before reading them using the extdata format description below.
Quota.datis only observed existing for NAND shared extdata.<SubDirID>and<SubFileID>are 8-digit hex strings.- Device file with
SubDirID = SubFileID = 00000000doesn't exist. Other ID combinations can exists. - Device file with
SubDirID = 00000000andSubFileID = 00000001is the VSXE metadata file and must exist. - Other files, besides
Quota.datand00000000/00000001, are normal sub files, are these device files one-to-one correspond to virtual files. They contain raw virtual file data in the DIFF inner content. SubDirID = 00000000is usually the only one device directory that can be seen. See #Device Directory Capacity for more information.
Quota File[edit]
The inner data of Quota.dat is 0x48 bytes with the following format. The file seems to limit the extdata total size.
| Offset | Length | Description |
|---|---|---|
| 0x00 | 4 | Magic 'QUOT' |
| 0x04 | 4 | Magic 0x30000 |
| 0x08 | 4 | 0x1000, block size |
| 0x0C | 4 | Always 126. Probably device directory capacity. See the #Device Directory Capacity more information. |
| 0x10 | 4 | Always 0? |
| 0x14 | 4 | Max number of blocks |
| 0x18 | 4 | Always 0? |
| 0x1C | 4 | Free blocks remained |
| 0x20 | 4 | Always 0? |
| 0x24 | 4 | Always 0? |
| 0x28 | 4 | Free blocks remained + (blocks occupied by the recently mounted file, specified by the ID below (0 if recently deleted)) |
| 0x2C | 4 | Always 0? |
| 0x30 | 4 | ID of most recently mounted file. Same as the one in Inner_FAT#Filesystem Header |
| 0x34 | 4 | Always 0? |
| 0x38 | 4 | Always 0? |
| 0x3C | 4 | Always 0? |
| 0x40 | 4 | Size in bytes of most recently mounted file (device file size). 0 if recently deleted |
| 0x44 | 4 | Always 0? |
Device Directory Capacity[edit]
A device directory in an extdata (a <SubDirID> directory) seems to have a maximum number of device files it can contain. For SD extdata, this maximum number seems to be hard-coded as 126. For NAND extdata, the number is probably indicated by a field in Quota.dat, which is, again, always 126 as observed. 3DS FS tries to put all device files in the device directory 00000000 if possible, and only when more than 126 files needed to add, a second device directory 00000001 and so on are created. However, few extdata have such amount of files to store, so the behavior lacks of use cases to confirm.
The number 126 is probably from some kind of other capacity of 128 with '.' and '..' entries reserved. It is theorized that this is to keep a FAT directory table, with 0x20 bytes for each entry, in one 0x1000 cluster. The motivation is unclear.
VSXE Filesystem[edit]
This is one variant of the FAT filesystem. Please refer to its page for the description of the filesystem. In general, device file 00000000/00000001 contains the metadata of the filesystem, while other device files (except for the Quota file) contains normal sub-files
Each non-dummy file entry corresponds to a device file. The path to the device file is generated by the following computation:
When mounting extdata, the unique identifier is used to match the ID stored in subfile's DIFF header. If the ID doesn't match, mounting will fail.
Virtual File System Structure[edit]
When extdata is created, these are always created regardless of whether the title actually uses them.
/iconThis virtual file contains the extdata icon displayed in data management. This icon can only be written to by titles when creating extdata, titles would have to recreate extdata to change the icon. This file can't be read directly, instead it is read via FS:ReadExtSaveDataIcon./user/This virtual directory contains the title's actual extdata files./boss/This virtual directory can contain SpotPass content. SpotPass content can only be downloaded to this/bossvirtual directory.
User extdata and SpotPass extdata use separate mount points at /user and /boss. Therefore one mount can't access the other virtual directory, and also can't access /icon.(The title's SpotPass extdata can be mounted by the title itself, if it uses SpotPass)
Other optional but notable directories include:
/user/ExBannerThis virtual directory can optionally store extended banners. When this is available, this banner is displayed instead of the CXI ExeFS banner.COMMON.binstores the common exbanner, while<regionlang_code>.binstores an optional separate region/language specific banner.(regionlang_code can be 'JPN_JP', 'USA_EN', etc)
SD Extdata[edit]
Usually the ExtdataID low is in the format '00<Unique ID>'
| JPN ExtdataID | USA ExtdataID | EUR ExtdataID | Description | Extdata images |
|---|---|---|---|---|
| 00000082 | 0000008f | 00000098 | Home Menu extdata, this contains home-menu savedata and cached icons for applications. | |
| 00000200 | 00000210 | 00000220 | System Settings extdata added with 2.0.0-2. | |
| 00000207 | 00000217 | 00000227 | Mii Maker, contains an ExBanner | cleartext |
| 00000208 | 00000218 | 00000228 | Streetpass Mii Plaza | 11 mb big! |
| 00000209 | 00000219 | 00000229 | eShop, contains store music in AAC format. | |
| 0000020b | 0000021b | 0000022b | Nintendo Zone | |
| 0000020d | 0000021d | 0000022d | Face Raiders, likely contains an ExBanner | |
| 000002cc | 000002cd | 000002ce | Home Menu theme | |
| ? | 000004aa | 000004ab | Nintendo Video Extra Data This is where the video files are stored, and includes the thumbnail, the description, and possibly some checksum info in each video file stored in the extdata images. There are always 9 files within the subdirectory '00000000' of this folder, even without any videos downloaded. The files are '00000001' - '00000009', and '00000003' - '00000008' have the same filesize of 50.7 MB. It is possible to restore the older videos by overwriting all the files within this directory. Provided of course you have made a backup of the files before hand, by copying all the files within this directory to your computer. As far I'm aware its not possible to mix and match the files in order to get certain videos in one grouping, ie. having all 3 Zelda orchestral recordings in one group of 4 Nintendo videos. | |
| 00000306 | 00000308 | 00000307 | Mario Kart 7 | |
| 0000030b | 0000030d | 0000030c | Nintendogs + Cats | |
| 00000326 | 00000326 | 00000326 | Pokédex 3D | |
| 00000305 | 0000032d | 0000033c | Super Street Fighter IV 3D | |
| 00000328 | 00000358 | 0000033b | Ridge Racer 3D | |
| ? | 0000034d | 00000402 | Samurai Warriors Chronicles | |
| ? | 0000034f | 0000038a | Dead or Alive Dimensions | |
| 00000481 | N/A | N/A | Monster Hunter Tri G (Download-Quests) | |
| ? | 00000517 | 00000518 | Swapnote | |
| 0000055d | 0000055d | 0000055d | Pokémon X Pokémon Y | |
| ? | 00000725 | 00000724 | Ambassador Certificate | |
| ? | ? | 000007af | New Super Mario Bros. 2 | |
| ? | 00000863 | 00000864 | Animal Crossing: New Leaf | |
| ? | 00000a85 | 00000a86 | Professor Layton and the Miracle Mask Professor Layton and the Azran Legacy German Version ExtdataID is 00000a87 | |
| ? | ? | 00000b4f | Fullblox / Crashmo | |
| ? | ? | 00000ba9 | Pokémon Mystery Dungeon: Gates to Infinity | |
| ? | ? | 00000c24 | Denpa men | |
| 00000c73 | 00000c73 | 00000c73 | Save Data Transfer Tool | |
| ? | ? | 00000d9a | Donkey Kong Country™ Returns 3D: Trailer | |
| ? | ? | 00000ea6 | Etrian Odyssey IV | |
| ? | 00000edf | 00000ee0 | Super Smash Bros. for Nintendo 3DS | |
| ? | 00000f14 | 00000f1e | Phoenix Wright: Ace Attorney - Dual Destinies | |
| ? | 00001007 | 00001005 | Professor Layton vs Phoenix Wright: Ace Attorney | |
| ? | ? | 00001062 | Nintendo Pocket Football Club | |
| ? | ? | 0000111c | Yoshi's New Island | |
| ? | ? | 00001131 | Fantasy Life | |
| 000011c5 | 000011c5 | 000011c5 | Pokémon Omega Ruby Pokémon Alpha Sapphire | |
| ? | ? | 000012ca | Mario vs. Donkey Kong: Tipping Stars | |
| ? | ? | 00001499 | Korg DSN-12 | |
| ? | ? | 000014f2 | Animal Crossing: Happy Home Designer | |
| 000014d1 | 000014d1 | 000014d1 | Home Menu badge | |
| ? | ? | 00001632 | Fullblox / Stretchmo | |
| ? | ? | 00001646 | Pokémon Rumble World | |
| 00001648 | 00001648 | 00001648 | Pokémon Sun Pokémon Moon | |
| 0000165c | 0000165c | 0000165c | Home Menu saved theme layouts | |
| ? | ? | 00001678 | Yo-kai Watch | |
| ? | ? | 000018fa | Phoenix Wright: Ace Attorney - Spirit of Justice | |
| ? | ? | 0000198f | Animal Crossing: New Leaf - Welcome amiibo | |
| ? | ? | 00001a05 | Super Mario Maker | |
| ? | ? | 00001a2e | Swapdoodle |
NAND Shared Extdata[edit]
| ExtdataID | Description |
|---|---|
| 0xe0000000 | Home Menu attempts to open this archive during boot, if FS:OpenArchive doesn't return an error Home Menu seems to then launch the System Transfer application. Home Menu doesn't actually use this archive at all except for checking whether it exists. |
| 0xf0000001 | NAND JPEG/MPO files and phtcache.bin from the camera application are stored here. This also contains UploadData.dat. |
| 0xf0000002 | NAND M4A files from the sound application are stored here |
| 0xf0000009 | Used for SpotPass content storage for notifications. |
| 0xf000000b | Contains idb.dat, idbt.dat, gamecoin.dat, ubll.lst, CFL_DB.dat, and CFL_OldDB.dat. These files contain cleartext Miis and some data relating (including cached ICN data) to Play/Usage Records. |
| 0xf000000c | Contains bashotorya.dat and bashotorya2.dat. |
| 0xf000000d | Home Menu SpotPass content data storage. |
| 0xf000000e | Contains versionlist.dat, used by Home Menu for the software update notification added with 7.0.0-13. |
Shared Extdata 0xf000000b gamecoin.dat[edit]
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Magic number: 0x4F00 |
| 0x4 | 0x2 | Total Play Coins |
| 0x6 | 0x2 | Total Play Coins obtained on the date stored below. When the below date does not match the current date, this field is reset to zero, then the date(and other fields) are updated. Once this value is >=10, no more Play Coins can be obtained until the current date changes. |
| 0x8 | 0x4 | Total step count at the time a new Play Coin was obtained. |
| 0xC | 0x4 | Step count for the day the last Play Coin was obtained, for that day's step count(same as the step count displayed by home-menu when this file was updated). |
| 0x10 | 0x2 | Year |
| 0x12 | 0x1 | Month |
| 0x13 | 0x1 | Day |
The above date stores the last time new Play Coin(s) were obtained. The contents of this file is updated by home-menu. PTM:GetTotalStepCount is not checked constantly, after home-menu boot this is only checked when waking from sleep-mode. Each time home-menu updates the contents of this file, home-menu will set the Play Coin total to 300 if it's higher than the 300 Play Coin limit.
Home Menu loads this file / opens this archive during startup. When accessing this file fails, like when the file/archive is corrupted(or at least on older system-versions), the result is a brick due to Home Menu using svcBreak. Yellows8 bricked a 3DS this way due to corruption via invalid FSFile:Write flush flags. When opening this extdata archive(0xf000000b) fails, Home Menu executes svcBreak.
Shared Extdata 0xf000000b ubll.lst[edit]
List of blocked users.
Empty space is filled with 0xC-long sequences of 00 00 ... 07
Tools[edit]
- 3ds-save-tool - Extract/verifies extdata
Fans of the early-2000s era GameCube version of the original Animal Crossing likely remember the game including a handful of emulated NES titles that could be played by obtaining in-game items for your house. What players back then didn't know is that the NES emulator in Animal Crossing can also be used to play any generic NES ROM stored on a GameCube memory card.
Security researcher James Chambers discovered the previously unused and undocumented feature buried in the original Animal Crossing game code and detailed his methodology and findings in a technically oriented Medium post this week.
The key to opening Animal Crossing's NES emulator is the game's generic 'NES console' item. Usually, this item simply tells players who try to use it that 'I want to play my NES, but I don't have any software' (separate in-game items are used to play the NES ROMs that are included on the Animal Crossing disc).
While searching the Animal Crossing code for access to hidden developer menus, though, Chambers discovered that activating this in-game NES actually causes the game to mount and search the player's memory card for valid NES ROM files, using functions like 'famicom_get_disksystem_titles' and 'memcard_game_list.' After a good deal of debugging through an emulator, Chambers deciphered the specific file format needed to get Animal Crossing to recognize NES ROM files stored on the memory card, which involves inserting specific checksum, file name, and ROM header values in specific locations before the game data itself.
After a bit of metadata and emulator tweaking, Chambers says he was able to load Mega Man, Pinball and Battletoads onto the GameCube through the in-game emulator, as well as a homebrew test ROM created years after Animal Crossing was made.
AdvertisementInterestingly enough, Animal Crossing's memory card access hole also leads to a buffer overflow error that can let users execute arbitrary, user-defined code on the GameCube itself. One Animal Crossing hacker has already demoed how this method can be used to generate infinite items in a stock copy of Animal Crossing, but the same general method could load homebrew code onto the GameCube without the need for hardware mods or external cheat devices like the GameShark.
The best laid plans...
While being able to load NES games onto a GameCube is fun, the most interesting part of this discovery is probably what it suggests about an unexplored branch of potential Nintendo history. Remember that the code to load NES games from a memory card was put into Animal Crossing by Nintendo decades ago, not by some modern-day modification of the original game code. That strongly suggests Nintendo was at some point planning an official way to load additional NES files into Animal Crossing through the memory card.
It's hard to say how this distribution might have worked. Maybe special ROM-packed memory cards would have been included with new editions of the game (Nintendo actually did sell versions of the game packaged with memory cards that unlocked special presents for players). Maybe Nintendo would have given such memory cards away in contests. Or maybe, in an alternate timeline, a machine akin to Japan's Japanese Famicom disk-writer kiosk could have let players load NES games onto their own memory cards.
Regardless, it seems that Nintendo may have been planning ahead for some form of retro-game distribution long before the Wii Virtual Console became a thing in 2006. And if you want to make use of Nintendo's unused GameCube-to-NES emulation features today, Chambers has released GitHub source code that lets you generate your own Animal Crossing-friendly NES ROM files. You can test out those files for yourself using a virtual memory card loaded into the Dolphin emulator or on an actual GameCube using special memory card hardware.