Hacking Creating a North American, non-XL New 3DS

[Oishikatta]

Sorry, but what's the CA? Common Authority?

To have the 3DS connect through Charles, set up a proxy server in settings. It's essentially the same as Charles's instructions for the iPhone: http://www.charlesproxy.com/documentation/faqs/using-charles-from-an-iphone/

Yeah, the public cert of that. It's right in there with the others. Not actually sure it's necessary to include that in the pkcs12 format now though.

 

[Ichii Giki]

Not to derail this thread because it looks like everyone is making great progress on the final method for eShop/System Transfer on a region-changed N3DS, but I wanted to get some opinions before I proceed with one of my 2 apparently available options (moving O3DS stuff to N3DS):

Option 1:
Now that I have figured out how to move the save data of system titles like Mii Plaza (thankfully received instructions on how to manually transfer a moveable.sed file to another system, and if anyone knows how I might be able to merge the tickets from my old ticket.db onto the ticket.db of the N3DS, that would make this option even easier), I can manually extract and inject the saves for these titles from my O3DS EmuNAND to my N3DS EmuNAND. Then with Gateway, I can install all the rest of my purchased titles as CIAs. O3DS becomes a purchase gateway for legit eShop purchases which I can then also install on N3DS with CIAs (I also understand this method would lock me out of using my NNID on N3DS as it would still be officially on the O3DS).

Option 2:
Once all the steps for eShop/System Transfer access on non-up-to-date, region-changed N3DS are finalized, I can simply do an official System Transfer from my O3DS to my N3DS and of course all my content and settings will come over as normal. Then for any future purchases, I would have to do the aforementioned patching steps to purchase anything new from the eShop on the N3DS. This however would get me official access to my NNID on my N3DS. (This would also involve the process of me moving all my saves and ticket.db from my O3DS 9.6/7 EmuNAND to 9.2 SysNAND before doing the System Transfer to the N3DS.)

Both options have their pros and cons, but given my situation, which option would you choose?

 

[yifan_lu]

For those who care: https://github.com/yifanlu/3DSSystemTools/tree/master/3DSTransferDevice

I removed 3DSSwapConsole and added the SecureInfo functionality to 3DSImportExportSeed and renamed that to 3DSTransferDevice. Since this uses libkhax which is much more reliable, it should work pretty much 100% of the time.

(Can someone test it for me? I literally just moved the code over and didn't get to test it)

 

[yifan_lu]

Also, here's a couple more patches (9.2U) that may help people doing region swaps:

Set Serial in NNID and ACT
write(0xfffffd5,tuple(map(ord, "N3DS_SERIAL_HERE\0")),pid=0x7)
write(0x0013E74C,tuple(map(ord, "N3DS_SERIAL_HERE\0")),pid=0x22)
The purpose of this is to get your console to make requests with your N3DS serial and not the O3DS serial from your SecureInfo

Block Update Requests
write(0x0010DD28, (0x00, 0x20, 0x08, 0x60, 0x70, 0x47), pid=0x25)
Better patch than what's found in the other thread. The other patch may fail once in a while. This should always work.

Patch Country to US
write(0x001314F8, (0x06, 0x9A, 0x03, 0x20, 0x90, 0x47, 0x55, 0x21, 0x01, 0x70, 0x53, 0x21, 0x41, 0x70, 0x00, 0x21, 0x81, 0x70, 0x60, 0x61, 0x00, 0x20), pid=0x25)
Make RETURN requests respond with US instead of JP. This is needed AFTER you complete a NNID transfer to your japanese console since SOAP will still say your country is "JP" even though your account works in US eshop.
If you want to modify this to work with other region, here's the (lovingly) hand crafted assembly code

  0:    9a06          ldr    r2, [sp, #24]
  2:    2003          movs    r0, #3
  4:    4790          blx    r2
  6:    2155          movs    r1, #85    ; 0x55
  8:    7001          strb    r1, [r0, #0]
  a:    2153          movs    r1, #83    ; 0x53
  c:    7041          strb    r1, [r0, #1]
  e:    2100          movs    r1, #0
  10:    7081          strb    r1, [r0, #2]
  12:    6160          str    r0, [r4, #20]
  14:    2000          movs    r0, #0

(Note that your code is at MAX 0x16 bytes or you'll overwrite important stuff. Hence why I wrote this in assembly)

After a successful NNID transfer to your other region console, you must run those commands every time you want to access the eshop.


Also, can someone try to do these patches and create a new NNID. Then reboot, do the patches, and open eshop? I think it may allow eshop to work.

 

[jefffisher]

well see afaik the pre-installed games shouldn't be registered to the server at least until you connect to eshop for the first time, else nintnedo just made generic signed tickets for no reason if they then link the games to their server, not all consoles include the tomodachi life demo, but the AUS consoles came with the 3D visual experience preview app.....but again afaik pre-installed stuff wouldnt actually be the cause of the issue, theoretically i think it wouls all work out if you used a brand new EU/JPN and a brand new US n3DS and before ever accessing any online features swap over the ticket.db and the secureinfo_A file, then upon first ever connect the consoles will have a title list only composed of EU/US/JPN content depending on region and never of been used on any other region

tried that can confirm %100 does not work error 005-5602 same as always

 

[Ichii Giki]

Also, here's a couple more patches (9.2U) that may help people doing region swaps:

Set Serial in NNID and ACT
write(0xfffffd5,tuple(map(ord, "N3DS_SERIAL_HERE\0")),pid=0x7)
write(0x0013E74C,tuple(map(ord, "N3DS_SERIAL_HERE\0")),pid=0x22)
The purpose of this is to get your console to make requests with your N3DS serial and not the O3DS serial from your SecureInfo

Given the fact that I got my SecureInfo_A from a US New 3DS XL specifically purchased for the purpose of being a donor console for my Japanese regular-sized New 3DS, could/should I forgo these steps?

Furthermore, if I already have an NNID that was created before we had the Serial for NNID/ACT and Return Only US Region patches, is that NNID no good for trying this with these patches now? It's a throwaway, so I can create another one...

 

[yifan_lu]

Given the fact that I got my SecureInfo_A from a US New 3DS XL specifically purchased for the purpose of being a donor console for my Japanese regular-sized New 3DS, could/should I forgo these steps?

Furthermore, if I already have an NNID that was created before we had the Serial for NNID/ACT and Return Only US Region patches, is that NNID no good for trying this with these patches now? It's a throwaway, so I can create another one...

The serial is there for consistency. I don't know if nintendo will complain if your serial and device id don't match up. You can always try. For me, I had to use a new serial since my NNID was tied to my o3ds and I transferred it to my n3ds (the request asked for both serials).

 

[Ichii Giki]

The serial is there for consistency. I don't know if nintendo will complain if your serial and device id don't match up. You can always try. For me, I had to use a new serial since my NNID was tied to my o3ds and I transferred it to my n3ds (the request asked for both serials).

Silly, little question, but I want to be sure I'm entering it correctly: the "N3DS" serial number is just the number under the top coverplate/on the box, correct? Also should we include the final digit that is slightly separated by a little space on the barcode? (Example: YJF12345678 9 on barcode, do we enter "YJF12345678" or "YJF123456789"?)

 

[yifan_lu]

Silly, little question, but I want to be sure I'm entering it correctly: the "N3DS" serial number is just the number under the top coverplate/on the box, correct? Also should we include the final digit that is slightly separated by a little space on the barcode? (Example: YJF12345678 9 on barcode, do we enter "YJF12345678" or "YJF123456789"?)

Just use whatever was in your original SecureInfo (remember to end with \0)

 

[cearp]

if it would be at all possible to spoof console id + eshop id to zero, so we can make some nice universal legit purchases, that would be lovely.
but maybe not possible, i would assume nintendo's servers would not accept it, even if we patch it in memory.

 

[michyprima]

Also, here's a couple more patches (9.2U) that may help people doing region swaps:

Set Serial in NNID and ACT
write(0xfffffd5,tuple(map(ord, "N3DS_SERIAL_HERE\0")),pid=0x7)
write(0x0013E74C,tuple(map(ord, "N3DS_SERIAL_HERE\0")),pid=0x22)
The purpose of this is to get your console to make requests with your N3DS serial and not the O3DS serial from your SecureInfo

Block Update Requests
write(0x0010DD28, (0x00, 0x20, 0x08, 0x60, 0x70, 0x47), pid=0x25)
Better patch than what's found in the other thread. The other patch may fail once in a while. This should always work.

Patch Country to US
write(0x001314F8, (0x06, 0x9A, 0x03, 0x20, 0x90, 0x47, 0x55, 0x21, 0x01, 0x70, 0x53, 0x21, 0x41, 0x70, 0x00, 0x21, 0x81, 0x70, 0x60, 0x61, 0x00, 0x20), pid=0x25)
Make RETURN requests respond with US instead of JP. This is needed AFTER you complete a NNID transfer to your japanese console since SOAP will still say your country is "JP" even though your account works in US eshop.
If you want to modify this to work with other region, here's the (lovingly) hand crafted assembly code

  0:    9a06          ldr    r2, [sp, #24]
  2:    2003          movs    r0, #3
  4:    4790          blx    r2
  6:    2155          movs    r1, #85    ; 0x55
  8:    7001          strb    r1, [r0, #0]
  a:    2153          movs    r1, #83    ; 0x53
  c:    7041          strb    r1, [r0, #1]
  e:    2100          movs    r1, #0
  10:    7081          strb    r1, [r0, #2]
  12:    6160          str    r0, [r4, #20]
  14:    2000          movs    r0, #0

(Note that your code is at MAX 0x16 bytes or you'll overwrite important stuff. Hence why I wrote this in assembly)

After a successful NNID transfer to your other region console, you must run those commands every time you want to access the eshop.


Also, can someone try to do these patches and create a new NNID. Then reboot, do the patches, and open eshop? I think it may allow eshop to work.

error 011-3001

but I used this to patch to EU instead of US:
write(0x001314F8, (0x06, 0x9A, 0x03, 0x20, 0x90, 0x47, 0x45, 0x21, 0x01, 0x70, 0x55, 0x21, 0x41, 0x70, 0x00, 0x21, 0x81, 0x70, 0x60, 0x61, 0x00, 0x20), pid=0x25)

 

[yifan_lu]

if it would be at all possible to spoof console id + eshop id to zero, so we can make some nice universal legit purchases, that would be lovely.
but maybe not possible, i would assume nintendo's servers would not accept it, even if we patch it in memory.

i mean in theory you can share a ctcert with everyone and Nintendo can't tell the difference. But if one guy decides to link their nnid to it, then they keep all the purchases and nobody else can use it.

But no, you can't generate new ctcerts. Nintendo has a database of valid certs (since they're able to infer region info from just the cert)

 

[Ichii Giki]

Also, can someone try to do these patches and create a new NNID. Then reboot, do the patches, and open eshop? I think it may allow eshop to work.

Reporting in, reverted to my NAND backup after region changing but before setting up an NNID, so no NNID present. (9.2.0-20U)
Ran 4 patches (including serial number ones using the serial number from my original SecureInfo_A file for this console)
Created NEW NNID (hope Ninty doesn't care I'm registering all these test NNIDs to the same email address...)
Rebooted, ran 4 patches again
Attempted to enter eShop and...Error Code: 005-5602 again, so no go so far for me.

I still have hope for a possible legit system transfer, I'll give it a little longer. And in the mean time I'll continue working on my manual system transfer from my O3DS to N3DS (yay manually copying saves from NAND image to NAND image!)

 

[kalibar]

I suppose I'll write up the procedure I did to successfully region swap EmuNAND from JP -> US. I'm not responsible if you somehow brick your 3DS. It's highly unlikely since this is only messing with EmuNAND, but you never know.

[...]

1. On your target system use a compiled .3dsx of Decrypt9 (precompiled here) and launch it in the homebrew menu on ninjhax. It may take a few tries but eventually you'll be presented with a white screen with options that will allow you to dump your NAND xorpads. Once it's done take the resulting fat16 xorpad and save it for later.

Am I missing something obvious here? Don't I need a copy of Cubic to get into ninjhax, or is there some way to get to it from emuNAND? I use retail Ocarina as my entry point and I've got a JP N3DS on 9.2 sysNAND and 9.2 emuNAND trying to boot Ninjhax using a Cubic ROM from the multi-ROM menu. The N3DS crashes as soon as the QR code scans, and some research suggests that isn't the way to do it. Is there a .CIA for Homebrew Channel that would let me use decrypt9.3dsx?

 

[Oishikatta]

Am I missing something obvious here? Don't I need a copy of Cubic to get into ninjhax, or is there some way to get to it from emuNAND? I use retail Ocarina as my entry point and I've got a JP N3DS on 9.2 sysNAND and 9.2 emuNAND trying to boot Ninjhax using a Cubic ROM from the multi-ROM menu. The N3DS crashes as soon as the QR code scans, and some research suggests that isn't the way to do it. Is there a .CIA for Homebrew Channel that would let me use decrypt9.3dsx?

A physical Cubic Ninja is required. Gateway mode doesn't allow kernel access even through known exploits.

 

[kalibar]

fuck

 

[Wowfunhappy]

Odd that this isn't working for people. It sounds like we're close though.

yifan_lu, in theory, could we patch these requests via a proxy server instead of in memory, so as to make it work after updating to 9.6+

Edit: On an unrelated note, I still can't figure out why CharlesProxy wants a password.

 

[yifan_lu]

Reporting in, reverted to my NAND backup after region changing but before setting up an NNID, so no NNID present. (9.2.0-20U)
Ran 4 patches (including serial number ones using the serial number from my original SecureInfo_A file for this console)
Created NEW NNID (hope Ninty doesn't care I'm registering all these test NNIDs to the same email address...)
Rebooted, ran 4 patches again
Attempted to enter eShop and...Error Code: 005-5602 again, so no go so far for me.

I still have hope for a possible legit system transfer, I'll give it a little longer. And in the mean time I'll continue working on my manual system transfer from my O3DS to N3DS (yay manually copying saves from NAND image to NAND image!)

That's because your console doesn't have a legacy account attached to it. Either patch NIM to use your original region in making the ivs Register request or swap back to your original region, get shop working, and swap back.

 

[yifan_lu]

Odd that this isn't working for people. It sounds like we're close though.

yifan_lu, in theory, could we patch these requests via a proxy server instead of in memory, so as to make it work after updating to 9.6+

Edit: On an unrelated note, I still can't figure out why CharlesProxy wants a password.

No, SSL remember. Password is the one you set when making the p12 file.

 

[Wowfunhappy]

Alright, I was generating the certificate completely incorrectly.

It looks like I need the 3DS's root certificate as well though.