Homebrew Did anyone find out why... (Downgrade softbrick)

[pofer]

Did anyone find out why some people always softbricked their consoles while downgrading without formatting first ?


As some of us experienced it , while downgrading everything seemed to install just fine using sysupdate but you always ended up with a softbrick no matter what you tried

In my case I had 5 softbricks (using 3 different entry points) before I finally was able to downgrade it

And it all was fixed by formatting the console ! I had mine downgrade on the first try after doing it

So did anyone find out why some people were experiencing that ? I know it's not too common but it's worth the try to know why it happened

 

[A_Random_Guy]

Some people reported including me that when you already installed a Legit CIA using memchunkhax2 FBI, after downgrading you will be meet with a softbrick. After formatting, it fixes the softbrick. Some people suggest that FBI corrupts enough the ticket so that you will be able to install Legit CIA making the system softbrick

 

[pofer]

Oh but I never installed any legit cia games on my 3ds , how odd

 

[yacepi15]

I downgraded two consoles,both with legit CIA installed and no softbrick. (O3DSes XL,10.3,one with the first sysUpdater with a N3DS brick probability over 9000,and the another with SafeSysUpdater)

 

[Noelemahc]

Downgraded two O3DSs which had legal CIAs on them, but all installs were through NASA. No softbricks.

 

[mashers]

It's a good question, but I think if we really understood why it happens then we would have a downgrade method which was safer by now.

 

[ihaveahax]

this might not mean anything, but after accidentally bricking a console messing with movable.sed, I found out this file in NAND also deals with encryption with some files in the NAND (not just SD files). this gets changed when you format or transfer, which could be connected to why formatting fixes soft-bricks if a console has been getting them.

https://3dbrew.org/wiki/Nand/private/movable.sed

 

[mashers]

this might not mean anything, but after accidentally bricking a console messing with movable.sed, I found out this file in NAND also deals with encryption with some files in the NAND (not just SD files). this gets changed when you format or transfer, which could be connected to why formatting fixes soft-bricks if a console has been getting them.

https://3dbrew.org/wiki/Nand/private/movable.sed

Interesting. Do you know what actually happens to the file when you format the NAND? This is an interesting quote from that 3dbrew page:

Movable.sed always exists on retail and development units(written to NAND at the factory), however if reading this file fails(svcBreak would be executed if the file-readcode-path return value is 0xC8804464) the system will fall-back to using a console-unique keyY already in memory

I wonder whether it's the use of the fall-back key which allows the downgrade to succeed, and if deleting Movable.sed is sufficient to cause this to happen. If so, could sysupdater have an option to remove Movable.sed?

 

[ihaveahax]

Interesting. Do you know what actually happens to the file when you format the NAND?

not really...all I know is that it's changed at format/transfer.

I wonder whether it's the use of the fall-back key which allows the downgrade to succeed, and if deleting Movable.sed is sufficient to cause this to happen. If so, could sysupdater have an option to remove Movable.sed?

what we did was try moving movable.sed from one console to another. neither of us did our research, and so this caused a hard brick that can only be fixed by restoring a NAND dump (which we have, thankfully). the backlight wouldn't even turn on.

I suppose you could try making an emunand backup, then delete it somehow (dump emunand and use xorpads? or dump pre-decrypted?) and see what happens.

 

[mashers]

not really...all I know is that it's changed at format/transfer.

what we did was try moving movable.sed from one console to another. this caused a hard brick that can only be fixed by restoring a NAND dump (which we have, thankfully). the backlight wouldn't even turn on.

I suppose you could try making an emunand backup, then delete it somehow (dump emunand and use xorpads? or dump pre-decrypted?) and see what happens.

Is it possible to delete files from sysnand? I've got a hard mod now so I can try this safely... though I don't know how to test the effects even if the 3DS boots, since I've got a clean 9.2 sysnand so would presumably be able to downgrade from 10.3 cleanly even if I updated.

 

[ihaveahax]

Is it possible to delete files from sysnand? I've got a hard mod now so I can try this safely... though I don't know how to test the effects even if the 3DS boots, since I've got a clean 9.2 sysnand so would presumably be able to downgrade from 10.3 cleanly even if I updated.

if you have a NAND dump, you can generate an xorpad using Decrypt9 (XORpad Generator Options -> CTRNAND Padgen). then use this xorpad with 3DSFAT16tool.

Decrypt9 can also dump NAND partitions already decrypted (SysNAND/EmuNAND Options -> Partition Dump... -> Dump CTRNAND Partition), though I haven't tested it myself. you'll probably need to add ".iso" to the end or something to easily mount it on OSX.

(oh and don't be silly like me and overwrite your NAND dump trying to use a xorpad)

 

[mashers]

if you have a NAND dump, you can generate an xorpad using Decrypt9 (XORpad Generator Options -> CTRNAND Padgen). then use this xorpad with 3DSFAT16tool.

Decrypt9 can also dump NAND partitions already decrypted (SysNAND/EmuNAND Options -> Partition Dump... -> Dump CTRNAND Partition), though I haven't tested it myself. you'll probably need to add ".iso" to the end or something to easily mount it on OSX.

(oh and don't be silly like me and overwrite your NAND dump trying to use a xorpad)

Can you do it on the device directly? Modifying and rewriting a NAND dump is clearly not going to be an option for potential downgraders, but I'm wondering whether there's a way of doing it in software the way sysupdater or NASA do it. In other words, use one of these tools to remove or overwrite movable.sed before initiating the downgrade. Again, this is all predicated on the assumption that it will even make a difference, let alone that removing the file won't brick the console...

 

[ihaveahax]

Can you do it on the device directly? Modifying and rewriting a NAND dump is clearly not going to be an option for potential downgraders, but I'm wondering whether there's a way of doing it in software the way sysupdater or NASA do it. In other words, use one of these tools to remove or overwrite movable.sed before initiating the downgrade. Again, this is all predicated on the assumption that it will even make a difference, let alone that removing the file won't brick the console...

overwriting movable.sed is probably a bad idea since it deals with SD encryption, so most people don't want to lose their digital saves and stuff. also this could be totally wrong but I think you would need direct NAND access to arbitrarily delete any file in it (like movable.sed), and that requires an ARM9 kexploit.

 

[mashers]

overwriting movable.sed is probably a bad idea since it deals with SD encryption, so most people don't want to lose their digital saves and stuff. also this could be totally wrong but I think you would need direct NAND access to arbitrarily delete any file in it (like movable.sed), and that requires an ARM9 kexploit.

Ahh, catch 22 then. Ahh well, it was a nice idea. TBH I think anyone who wants kernel access that badly would be better off getting a hardmod installed. It's not expensive to get someone else to do it, and it means your NAND is safe forever

 

[ihaveahax]

Ahh, catch 22 then. Ahh well, it was a nice idea. TBH I think anyone who wants kernel access that badly would be better off getting a hardmod installed. It's not expensive to get someone else to do it, and it means your NAND is safe forever

kind of expensive for us to get a hard mod in the US, and I don't think we trust our soldering skills to do it ourselves. but we're doing it anyway since we have to.

I'm interested in seeing what Gateway is going to bring in terms of downgrading. in my experience, if the console came with 9.6+, or was formatted/transferred to some time after being updated to 9.6, then it won't soft-brick when downgrading.

 

[mashers]

kind of expensive for us to get a hard mod in the US,

Really? Why's that?

I'm interested in seeing what Gateway is going to bring in terms of downgrading.

Would that require a Gateway card though?

 

[ihaveahax]

Really? Why's that?

sorry but I don't know if I can/should answer this at the moment. we are using hundshamer's service though soon.

Would that require a Gateway card though?

Gateway's downgrader to 4.x doesn't require a card, so probably not.

 

[mashers]

sorry but I don't know if I can/should answer this at the moment.

Intriguing.

Gateway's downgrader to 4.x doesn't require a card, so probably not.

Also intriguing

 

[Uziskull]

When I downgraded my 9.5 O3DS, I'd installed a legit CIA beforehand and it downgraded at first try, so I believe legit CIAs aren't an issue. I used that very unstable first build of FBI to downgrade.

 

[dotarice]

hi! i had six legit cia games installed on my n3ds xl 10.3.0-28 before downgrading. everything worked well after a good number of tries. i used safesysupdater. hopefully that helps!