Hardware nand flash dump (3ds xl)

[eggsample]

Nobody reads gbatemp blogs so I rewrite the discovery here

According to description on the 2DS mobo and current nand pinout for 3ds/3dsXL I think 2DS nand backup should work.

Is there any volunteer to solder some cables to the newest Ninn child?

 

[Myski]

Looks to me I got it read and dumped at last..

942MB .img file, Toshiba nand, bootrom error "400" as mentioned few posts back.

Got it working by disconnecting and reconnecting the sd apater for a few times with the bluescreen on 3ds, and pc running. Looks like the laptop's internal reader refuses to identify the device on first plugin.

4.2 system nand, reading at ~6MB/s, Toshiba chip, 3ds xl "pikachu edition" PAL (european) console, old bucket-ass hp nc6120 laptop kept for diagnostic purposes and giggles (parallel and serial ports on board) with windows 7 32-bit, for anyone specs-obsessed.

Did a few dumps (with no reboots between them), all identical. Not tried writing yet, though.

 

[eggsample]

[..]
Got it working by disconnecting and reconnecting the sd apater for a few times with the bluescreen on 3ds, and pc running. Looks like the laptop's internal reader refuses to identify the device on first plugin.[..]
Did a few dumps (with no reboots between them), all identical. Not tried writing yet, though.

17cm long cables are not bad but in this situation shorter = better
I remoded my XL thinking some cables are faulty or too long. After doing microUSB mod and changing to SD reader to laptop's internal reader, everything works again. My shitty reader connected to PC is useless. Conclusion: check the cables and connect to other readers.

 

[gamesquest1]

good to hear you got it sorted atleast you have a reader you know is compatible now as well.

 

[Myski]

Yes, I could trim those cables a little neater when I make the actual case mod with connector installed neatly, it is now just hanging loose but whatever, that's a cosmetic thing.

The dumps seem to be of identical size but md5 checksums are all different. Are they supposed to be strictly identical on a checksum level or is there something stored into nand that makes is vary every time (timestamp or something possibly)..?

Found this one thread here claiming they are not supposed to match but read something opposite in this thread few days ago and now I can't find it .. claiming the md5 has to be same on every image. Won't try writing the img before I get this sorted out.

 

[eggsample]

nice one.

but checksums should be the same no matter running tools or account

just keep in mind that the 3DS writes to the NAND on each boot, therefore the dumps differ after each boot.

 

[Myski]

Well I haven't booted the console between dumps so it seems it's still not reading correctly.. ugh

Differences between .img files can be seen with hex editor, could not get the rom tool to open files for inspection, said the file is corrupt.

Maybe it's not grounding properly or still something wrong with the sd reader, have to try another one.

E: I am basing my suspicion about bad grounding on the fact that when I tested the wires for continuity from PCB end to SD card end all other wires passed without any sign of bad joints or short circuits but...

...when testing the GND wire, my multimeter gives a beep for proper circuit from GND pad on PCB to GND pin on SD card, but it also gives some "noise" reading when testing between GND pad (on PCB) and non-GND pins (on SD card) (!). Not a proper circuit reading (~2ohms and a beep) but something between 50-100 ohms and open circuit (no reading), constantly fluctuating like there is something bad about that wire.

Just a guess, but if anyone who knows more about electronics can confirm if this is some sort of known error behaviour, please let me know.

E2: Fairly sure the error comes down to the sd reader. I trimmed the sd adapter -part of the wires to a mere 5 cm (2 inches) so the whole wiring is now only a bit over 10 cm (4 inches) of length and at least the continuity test results are excellent.

Now I get an "error 1117: I/0 device error" and a application crash in windiskimager32 when attempting to read.

Placed an order for a new usb-sd reader, hopefully some better results with it.

 

[Myski]

Yay, 5 identical dumps, hopefully legit this time. At least the md5 hashes match now.

Was a reader problem after all. Transcend TS-RDP5 9-in-1 (mentioned earlier in this thread and found at local store) did the job, laptop internal reader did not.

I don't know if it's obvious by now but the bootrom error codes seem to be dependant on the card reader used, too, and not only signs of soldering errors.

00F800FE
00000000 00000000
00000400 00000000

I had with internal reader (along with corrupted dumps and no dumps at all with short wires) got replaced with

00F800EF
FFFFFFFF FFFFFFFF
00000003 00000000

with the Transcend usb reader.

 

[eggsample]

Here are some bootrom errors with causes, so you may be able to diagnose bad soldering:

CMD is connected to DAT0. Or CLK is getting signal from one of the DAT lines.

00F800FE
00000000 00000000
00000200 00000000

CMD is connected to CLK. (Other DAT lines may be connected to this aswell, no way to tell)

00F800FE
00000000 00000000
00000400 00000000

etc

Spoiler

CMD is connected to DAT1

00F800EF
FFFFFFFF FFFFFFFF
00000003 00000000

CMD is connected to DAT2

00F800EF
FFFFFFFF FFFFFFFF
00000007 00000000

DAT lines are connected to other DAT lines

00F800EF
FFFFFFFF FFFFFFFF
00000022 00000000

DAT line(s) are connected to GND

00F800EF
FFFFFFFF FFFFFFFF
00000024 00000000

(CMD is connected to CLK) AND (DAT lines are connected to other DAT lines). But the CMD/CLK connection and DAT/DAT connection are not connected to each other.

00F800EF
FFFFFFFF FFFFFFFF
00000005 00C00000

I think I have seen two different "good" Errorcodes (maybe Samsung/Toshiba NAND).

One of it is:

00F800FF
DFDFFFFF FFFFFFFF
 
[SIZE=12px][FONT=Verdana][COLOR=#2c455b]00000005 00000000

I'm not sure those codes are correct.
I'm sure this is correct

00F800FE
00000000 00000000
00000400 00000000

I've got this one no matter what usb reader or OS i used.

 

[Myski]

I see. Maybe it depends on something else then, probably several contributing factors.

I just thought the reader might have some effect on the outcome since it generates some sort of clock signal of its own and - at least in theory - has the ability to greatly affect the outcome..

After all this is an exploit based on a glitch in booting process, being able to temporarily brick the console to set it in a readable state, and I think that it can't be very exact science without some serious lab grade measuring equipment .. when having to tweak the cable length etc to get the signal levels within tolerances that it glitches in some way, just getting it readable being only thing that matters.

I'll get my other external reader in a few days and will see if anything changes with that. Different model, some generic chinese one.

I wished I could update to 6.1 to play pokemon, but probably not the best idea to update to anything higher than 4.5 until 100% sure it will be able to write back, too.

And there I have a question.

After this hw mod I should be able to update to any higher-than-current firmware with any generic (not from own dump) update, right? Say like 4.2 (own dump) > 6.1 (retail game cartridge) > 4.2 (own dump) > 4.5 (retail game cartridge) > 6.1 (retail game cartridge or own dump)

Because I would like to have a copy of that infamous 4.5 fw backed up, too, at some point but I'm not going to get it any time soon (don't own any retail games that come with that, browsing ebay at the moment), and IF I want to get dangerous and want to update to 6.1 as soon as the 4.2 dump I have has been proven legit, before that 4.5 game arrives, this should work in theory (although not being very wise).

And hey, big thanks to everyone that has helped me to this point, with direct help or writing to the wiki page and other threads I've been lurking quite heavily, too!

​

 

[junn]

Nobody reads gbatemp blogs so I rewrite the discovery here

According to description on the 2DS mobo and current nand pinout for 3ds/3dsXL I think 2DS nand backup should work.
Is there any volunteer to solder some cables to the newest Ninn child?

here ya go.

Spoiler

has the same error as my other 3dses:
BOOTROM 8046
ERRCODE: 00F800FE
00000000 00000000
00000400 00000000
except my pc couldnt detect the 2ds and no format warning either when i plugged it in.
voltage and resistance readings on the 3 pins are close match [+/-.1] with my other 3ds,
there's just no drive to select in win32diskimager or in usb image tool.
also tried 3 different sd card readers, nothing.
going to relocate the ground wire on the mobo and see.

 

[eggsample]

Great job Junn.
I think the Golden Square near headphone jack should do GND job.

 

[junn]

thanks, eggsample and your discovery.
anyway, i used the sd card metal housing for the ground, shortened the
wires and it's still not detected, turns out the problem was the sd card reader.
my usual sd card reader doesn't work on the 2ds.
of all my readers, only the Transcend 15-in-1 works.
2ds nand dump has the same size as the regular 3ds.

 

[tyons]

the problem is ALWAYS the sd card reader. lolz

 

[Myski]

the problem is ALWAYS the sd card reader. lolz

Sort of.

Got my cheap generic reader today, that booted my 3ds with error code:

CFCFFFFF FFFFFFFF 00000005 00000000

(mkay, haven't seen that one before, that's total of 3 different error codes now with 3 different sd readers and no changes to wiring between them, do the math...), dumped at same speed than before, ~5MB/s and matched the file sizes and MD5 hashes with Transcend dumps and the sizes mentioned in wiki page for Toshiba chips, too.

Toshiba NAND:
1931264 sectors
988.807.168 bytes = 943 MB

Now I am finally positive that I've got good dumps.

 

[dekuleon]

I never soldered anything, I just bought a Kit and got an old motherboard to try and practice.
How hard it to solder on the XL?
Any tips?
Thanks!

 

[Myski]

There are plenty of beginner's soldering guides on the web covering the basics and I don't know how much you already know so I don't explain it all..

But some tips are that use a temperature controlled iron or some 10-15W iron max if the temp controlled station is really not an option (would not recommend for beginners though), leaded tin, liquid flux applied to solder points and wires, pretin wires (melt some tin at the bare copper end first, possibly a small drop on the mobo solder pad, too and let it cool so you basically don't have to add tin when doing the soldering, just apply heat) and you're good to go.

Don't use too much heat, bit over 300 celsius should be enough for leaded solder and don't heat the mobo pads for more than 2-3 seconds so you don't accidentally melt the resistor joints near the pads like someone did earlier in this thread.

I make my own liquid flux with colophony rosin and isopropyl alcohol but it can be bought ready, too. Most fluxes are corrosive so you want to wipe them off the motherboard after soldering with isopropyl alcohol if there is an excessive amount.

And practice board is a good idea at first.

 

[ghormoon]

hi, just tried the solderless (pogopin) method, four bit mode, sometimes managed to do 19-20MB/s, sometimes 2.3MB/s (bad contact on some line, I'm sure ) anyway, dumps same on both speeds (988 807 168b)
I've been backing up 6.2 (PAL), dunno if it matters, but I've NEVER had a blue screen with error. sometimes I got black screen telling me to reboot the 3DS (maybe they changed the BSOD for this?) but once I've managed to make dump on live 3DS, not able to confirm that one, first attempt and rebooted between another ... but it has quite few differences in the image (dunno how to count exactly, but it's like 95-98% same image)
anyone else had the black screen instead of blue?

 

[eggsample]

Transmition speed sould be constant.
3DS FW version doesn't matter. You can dump nand even on the newest OS.
Blue screen should appear on boot. If you see other errors like BLACK screen than something is wrong. Check soldering points / pogo pins to SD connection when is not connected to the console and USB reader.

 

[ghormoon]

speed should be constant ... unless you hold the pogopin board in place by hand I'll have to find out how to hold them in place securely. pogopin to sd is ok, but keeping them in place is a bit more difficult
managed to get speeds like 20MB/s, 2.3MB/s and sometimes even 0.6MB/s, but gave up that attempts ... anyway I think the 20MB/s dump should be ok and it matches the 2.3MB/s ones ....

anyway, the dumps seem like it is ok, at least it was same on different speeds ... btw maybe I didn't get the BSOD because the 3ds managed to fully boot before dump attempt?