Hacking Old 3ds device Demo

d0k3

I am currently examining the NAND with someone, and won't be able to give you further instructions until we find out more about your situation. Please continue to keep your system on. Sorry for the inconvenience!
Okay, one more hint before I'm off for a while. You absolutely need to get the OTP.bin, but @Normmatt should have you covered. Iirc, there's a 1.0 OTP dumper made by him (why didn't you search for this in the first place, btw?). This one may help you, too:
https://github.com/al3x10m/A9LH-Injector
It was tested by @al3x_10m, and I gave advice in the development of it, too. It works fine, but all the warnings in the readme apply. Don't let any inexperienced user handle this!

Also, the way it is now, it is possible that a hardmod will be required sooner or later. If you pay attention and do everything in the correct way, as I described it, I'd say your chances of doing this without a hardmod are roughly ~80%.
 

CrispyYoshi

Hey, sorry to both you and @enes eyibil: I ended up going to bed.

We've actually already tried using that OTP dumper around Page 3 or so of this thread, but it somehow resulted in a black screen that didn't seem to do anything. Thank you very much for the pointers, and I'll see what I can do.
 

CrispyYoshi

Okay. I'll explain to you what this means, and your options. What you got here is not a full NAND backup, but rather the decrypted CTRNAND partition only. See here (also called the CTR-NAND file system). This does not mean the FW 1.0.0 state is lost, but it will make things difficult. What you don't have at this point is the contents of the TWLN partition (which is not critical) and the FIRM0 / FIRM1.

If you want to try to go back, try this, but keep in mind there's a bricking risk with this:
  • Use the valid 6.x NAND backup as base
  • Inject the 1.0.0 NAND.img as FAT16 partition, using 3DSFAT16tool
  • Get the 1.0.0 FIRM from somewhere (it is identical over all regions)
  • Inject the FIRM into both FIRM0 and FIRM1 via either 3DSFAT16tool or 3DSFIRMtool; the latter is recommended
  • Ignore TWLN for now (you may fix this at a later point by injecting another same region 1.0.0 3DS' TWLN)
  • Restore via D9
If you do this, keep in mind the bricking risk. Also, if you do this, make sure you don't lose the XORpads; you may need them at a later point, too.
Oh also some things: @enes eyibil shared some other files he had (which I assume were also dumped with the CN 1.0 NAND dumper): http://puu.sh/p6ZdR/718ecc01cb.png
I am not sure if these are already decrypted but judging from what @Suiginou has confirmed about the decrypted CTRNAND, the rest is probably decrypted too.

I could easily get a 1.0.0 firm from another non-Demo 1.0.0U NAND dump I have (I also have the xorpads for that one), but somehow I suspect this dump could be something else entirely, especially from what @Urbanshadow said here.

If I put the NAND.img dump we have along with those files in that puush image, the entire folder happens to be 940 MB (986,363,904 bytes). The 6.x SysNAND.bin dump is 954 MB (1,000,341,504 bytes). Should I still do your suggestion, or is there a way I can combine these files back into a single NAND image? Encrypted or not, I am in possession of:
- firm0firm1.xorpad
- nand.fat16.xorpad
- twlnand.fat16.xorpad

I don't understand why this demo unit was updated to 6.x without confirming the NAND dump was valid first?
It wasn't a very smart move, really: The user updated to 6.x using a Pokemon Y cart before we got the OTP, but it was perhaps the way they interpreted a post I made earlier (There have been a couple of miscommunications that make this a bit more difficult to work with)
 

d0k3

Oh. Well, then you have everything to put it back together. You can just use the files from there. TWLN and FIRM0 / FIRM1 and NAND.img. You can check if they are decrypted in a hex editor. Decrypted firms have "FIRM" at the beginning, decrypted TWLNs have a FAT16 filesystem and can be mounted in OSFmount. Ignore the rest and use the valid NAND dump as base. If you do anything wrong - D9 won't allow you to restore a bad one anyways.
 

CrispyYoshi

Ah perfect. Thanks for the pointers, I'll verify them right now.
 

enes eyibil (OP)
Do you have good news?

I don't understand you.
 

CrispyYoshi

There is good news, but I'm working on it! I am modifying your 6.x SysNand.bin so it contains the 1.0.0 NAND dump you made at the beginning of the thread. It is possible we might be able to recover your old data this way.
 

CrispyYoshi

When do we start?
As soon as I can fix this NAND dump and upload it, I'll give you more instructions!

@d0k3 I successfully injected the initial dump's TWLN and FAT16 to the 6.x SysNand.bin, but I am concerned that the provided FIRM0.img and FIRM1.img are invalid: Dumping them from the 6.x produces a FIRM0 and FIRM1 that are both 928 KB (950,784 bytes) each. The FIRM0.img and FIRM1.img I have are 4.00 MB (4,194,304 bytes) each, and I don't think they will inject properly. Is this a big deal? Should I just take the FIRM0 and FIRM1 from my other 1.0.0U dump?

EDIT: Actually, it appears 3dbrew says my FIRM0.img and FIRM1.img are correct in size, but I'm not sure if I can just directly copy/paste the data back into the NAND image, especially not without taking into consideration the xorpad.

Scratch that, I'm dumb. I'm uploading the NAND image for @enes eyibil now.
 
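The two hex-editor checks d0k3 describes (a decrypted FIRM starts with "FIRM", a decrypted TWLN or CTRNAND carries a FAT16 file system) and the 4 MB partition versus 928 KB dump question in the post above, as an added Python example that is not code from this thread or from any of the tools named in it. It assumes the 3dbrew FIRM header layout (four 0x30-byte section headers at 0x40, each holding offset, load address, size, copy method and a SHA-256) and feeds itself a constructed toy FIRM; the 0x400000 partition size and the xorpad idea are taken from the posts.

```python
import hashlib
import struct

FIRM_PART_SIZE = 0x400000  # FIRM0/FIRM1 partitions are 4 MB each, as the sizes in the thread show


def apply_xorpad(data: bytes, pad: bytes) -> bytes:
    """Decrypt (or re-encrypt) a partition image with its xorpad: the pad is the
    AES-CTR keystream, so plaintext and ciphertext differ by a plain XOR."""
    if len(pad) < len(data):
        raise ValueError("xorpad is shorter than the data")
    n = len(data)
    return (int.from_bytes(data, "big") ^ int.from_bytes(pad[:n], "big")).to_bytes(n, "big")


def firm_used_size(part: bytes) -> int:
    """Return how many bytes a decrypted FIRM really occupies inside its partition
    (header + signature + the furthest section end), or 0 if the "FIRM" magic is
    missing (partition still encrypted, or not a FIRM at all). Section hashes are
    verified on the way; a mismatch raises, as a botched inject would deserve."""
    if part[:4] != b"FIRM":
        return 0
    end = 0x200  # 0x100 header + 0x100 RSA-2048 signature (3dbrew FIRM layout, assumed)
    for i in range(4):
        hdr = 0x40 + i * 0x30
        offset, _load_addr, size, _copy_method = struct.unpack_from("<4I", part, hdr)
        if size == 0:
            continue  # unused section slot
        if hashlib.sha256(part[offset:offset + size]).digest() != part[hdr + 0x10:hdr + 0x30]:
            raise ValueError(f"FIRM section {i} does not match its SHA-256")
        end = max(end, offset + size)
    return end


def looks_like_fat16(part: bytes) -> bool:
    """Cheap plausibility check for a decrypted TWLN/CTRNAND partition: boot-sector
    signature 0x55AA at 0x1FE and the 'FAT16' type string at 0x36."""
    return len(part) >= 512 and part[0x1FE:0x200] == b"\x55\xAA" and part[0x36:0x3B] == b"FAT16"


def build_sample_firm() -> bytes:
    """Constructed toy FIRM for this example (not real firmware): one 0x300-byte section at
    offset 0x200, zero-padded to the 4 MB partition, so the used size is 0x500 of 0x400000."""
    section = bytes(range(256)) * 3
    hdr = bytearray(0x200)
    hdr[:4] = b"FIRM"
    struct.pack_into("<4I", hdr, 0x40, 0x200, 0x08006800, len(section), 2)  # section 0 header
    hdr[0x50:0x70] = hashlib.sha256(section).digest()  # section 0 SHA-256
    return bytes(hdr) + section + bytes(FIRM_PART_SIZE - 0x200 - len(section))
```

Run `firm_used_size` on the decrypted 4 MB FIRM0.img to see the same sub-1 MB figure a FIRM dumper reports; the remainder of the partition is padding, which is why a 4 MB image and a 928 KB dump can both be "correct".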

CrispyYoshi

Posting another update: NAND image is 75% uploaded and, using the 6.x base with everything injected, I was able to use Reisyukaku's "Fast Finder of Fuck" tool to dump a bunch of NCCH factory titles. Here's the entire log of what it found:

b930000 1
Found factory NCCH 0004000100002702 (csnd) at block 0x1851 offset 0x100.
Wrote 0004000100002702.ncch.
Found factory NCCH 0004000100002802 (dlp) at block 0x1859 offset 0x100.
Wrote 0004000100002802.ncch.
Found factory NCCH 0004000100003102 (ps) at block 0x1867 offset 0x100.
Wrote 0004000100003102.ncch.
Found factory NCCH 0004000100003202 (friends) at block 0x186d offset 0x100.
Wrote 0004000100003202.ncch.
Found factory NCCH 0004000100002b02 (ndm) at block 0x1c9f offset 0x100.
Wrote 0004000100002b02.ncch.
Found factory NCCH 0004000100002c02 (nim) at block 0x1ca9 offset 0x100.
Wrote 0004000100002c02.ncch.
Found factory NCCH 0004000100003302 (ir) at block 0x1ccb offset 0x100.
Wrote 0004000100003302.ncch.
Found factory NCCH 0004000100002a02 (mp) at block 0x1cd3 offset 0x100.
Wrote 0004000100002a02.ncch.
Found factory NCCH 0004000100003402 (boss) at block 0x1ce3 offset 0x100.
Wrote 0004000100003402.ncch.
Found factory NCCH 0004000100008002 (ns) at block 0x1efb offset 0x100.
Wrote 0004000100008002.ncch.
Found factory NCCH 0004000100008102 (TestMenu) at block 0x1f07 offset 0x100.
Wrote 0004000100008102.ncch.
Found factory NCCH 0004000100008a02 (DevErrDi) at block 0x1f1d offset 0x100.
Wrote 0004000100008a02.ncch.
Found factory NCCH 0004000100000002 (f_native) at block 0x1f31 offset 0x100.
Wrote 0004000100000002.ncch.
Found factory NCCH 0004000100000102 (f_twl) at block 0x1fd9 offset 0x100.
Wrote 0004000100000102.ncch.
Found factory NCCH 0004000100000202 (f_agb) at block 0x20fb offset 0x100.
Wrote 0004000100000202.ncch.
Found factory NCCH 000400000f980000 (CTRAging) at block 0x222b offset 0x100.
Wrote 000400000f980000.ncch.
Found factory NCCH 0004000100001902 (dmnt) at block 0x4b75 offset 0x100.
Wrote 0004000100001902.ncch.
Found factory NCCH 0004000100001b02 (gpio) at block 0x4b8d offset 0x100.
Wrote 0004000100001b02.ncch.
Found factory NCCH 0004000100001f02 (mcu) at block 0x4b93 offset 0x100.
Wrote 0004000100001f02.ncch.
Found factory NCCH 0004000100001e02 (i2c) at block 0x4b9d offset 0x100.
Wrote 0004000100001e02.ncch.
Found factory NCCH 0004000100002102 (pdn) at block 0x4bab offset 0x100.
Wrote 0004000100002102.ncch.
Found factory NCCH 0004000100002302 (spi) at block 0x4bb1 offset 0x100.
Wrote 0004000100002302.ncch.
Found factory NCCH 0004000100001d02 (hid) at block 0x4bb7 offset 0x100.
Wrote 0004000100001d02.ncch.
Found factory NCCH 0004000100002e02 (soc) at block 0x4bc7 offset 0x100.
Wrote 0004000100002e02.ncch.
Found factory NCCH 0004000100002d02 (nwm) at block 0x4bdd offset 0x100.
Wrote 0004000100002d02.ncch.
 

enes eyibil (OP)
Successfully downgraded your system back to 1.0.

Everybody, thanks.

Now, should I install CFW?

spy hunter buy, game ship cargo
 

CrispyYoshi

I think we first need to find out how to dump your OTP.bin

Additionally, we need to find out if there's anything else worth dumping from your console. Can someone confirm that we're not missing anything? Reminder that we have the following, decrypted files:

- FAT16
- Everything in this pic: http://puu.sh/p6ZdR/718ecc01cb.png
- firm0firm1.xorpad
- nand.fat16.xorpad
- twlnand.fat16.xorpad

We still need the OTP.bin, but we've already tried Normmatt's tool earlier.

Perhaps we could get the system to 2.1 somehow and use OTPHelper via the web browser, but I'm not sure if that would be advisable until we know we've dumped everything from 1.0.
 

Urbanshadow


Without the browser, 2xrsa won't make it. Just saying. But yeah, it could be useful for the guy to have A9LH set up already.
 

CrispyYoshi

What if we decrypted a 2.1 NAND and injected it to the system? Alternatively, we could just update to 6.x again, update to 9.2, downgrade to 2.1, and dump it like everyone else. (So convoluted..!)

But again: Have we truly dumped everything from 1.0.0 before we update it?
 

Urbanshadow


In that scenario you can pave your way to 9.2 directly. I believe you have only browser CIAs for 9.2 on that site. He would need some other entry point, so instead of squishing 2.1 in there, go through 6.X mset again and install the browser as a CIA. Update to 9.2 and pray the browser gets updated (it genuinely should!). Then go figure.

But yeah, grab everything you can from there first.
 

CrispyYoshi

I'll first need someone to confirm that we have everything we need (besides the OTP). Although to be fair, we technically already updated to 6.x and used it as the base to downgrade.... Either we have everything we need already or it was lost the moment we updated to 6.x... Right?
 

Urbanshadow


I'm tagging @d0k3 for him to check, but you may have a point.
 
