If we have access to PXIDEV:ReadCTRCARD_Cmd40, we might be able to dump the raw cartridge even from userspace (assuming that the unknown 0x10 bytes are a raw cart command like Normmatt suggested). The largest part of the dump would still be encrypted, but the (unencrypted) NCCH header could be extracted.
If we have access to PXIDEV:ReadCTRCARD_Cmd40, we might be able to dump the raw cartridge even from userspace (assuming that the unknown 0x10 bytes are a raw cart command like Normmatt suggested). The largest part of the dump would still be encrypted, but the (unencrypted) NCCH header could be extracted.