Hacking [GUIDE] Upgrading 8.1.0-0J to 9.2.0-20J

[Syphurith]

Question: do you need to unblock nintendo update servers in order to use this update method? I keep on getting error and I don't want to accidentally update somebody's 3DS.
This is what I put in the NTR debugger:

write(0x15E424, tuple(map(ord, "http://192.168.2.2:8000/ss.php\0")), pid=0x25)
write(0x15E0EC, tuple(map(ord, "http://192.168.2.2:8000/GASR.xml\0")), pid=0x25)
write(0x15E463, tuple(map(ord, "http://192.168.2.2:8000/GASR.xml\0")), pid=0x25)

Update process seems to hit GetSystemTitleHash, then error appear on the n3ds:

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><GetSystemTitleHashResponse xmlns="urn:nus.wsapi.broadon.com"><Version>$Version</Version><DeviceId>$DeviceID</DeviceId><MessageId>$MessageID</MessageId><TimeStamp>$TimeStamp</TimeStamp><ErrorCode>0</ErrorCode><TitleHash>7E745F7B67D553BEA847859404790C94</TitleHash></GetSystemTitleHashResponse></soapenv:Body></soapenv:Envelope>

(yes, $variables were replaced with identifying information)

The archive below contains every file I'm using, except the update files extracted with UnpackCdnCia (those are copyrighted..)

You may have to rename all those tmd.x to tmd in case the update fetches those. Or yes you can simply change the source code to let it extract it to "tmd".
You may have to re-calculate the hash if the package is different from the original complete package. That's what i don't know.
Also, i doubt if someone can find out the calculation with IDA and proper module.
And yes, the XML is likely to need the modification, like ronhero said.

 

[uyjulian]

I think I know what went wrong, I was using 9.2.0U response not 9.2.0J response.

 

[Ronhero]

I think I know what went wrong, I was using 9.2.0U response not 9.2.0J response.

You still requesting it from the ninja server and not from your server

 

[Syphurith]

I think I know what went wrong, I was using 9.2.0U response not 9.2.0J response.

Also i suggest to write a SOAP crafter program to make your valid SOAP response after the test succeeded.
That may help you to update part of the whole package. However you would need to fetch a complete package to find out how to calculate the hash.
And to note. There is an amusing issue with the TMD, since it may affect something more i wouldn't tell you in text about it.
@JustPingo @Mrrraou come to find something here. And how about your next exploit? Yes I'm thinking of inviting you two to my conversation with @d0k3.

 

[uyjulian]

"An error occurred" error with no explanation whatsoever... quite annoying to debug.

 

[Syphurith]

"An error occurred" error with no explanation whatsoever... quite annoying to debug.

I suggest you to read the whole blog article of how yifanlu did this, on his blog. yifan.lu/2015/03/23/nintendo-3ds-system-updater/
Then you would grab the correct SOAP GetSystemUpdateResponse response so you might need to craft the other two.
This response can be found on yellows8 server: yls8.mtheall.com/ninupdates/reports.php
And you would have to get the correct package according to the reponse. You might use "ctrtool" to check all those CIA TitleVersion.
Once the package is complete and SOAP responses are crafted, you build the server for yourself.
I personally suggest always to dump your SysNand first before updating it.
And with NTR you modified the URL, and connect to your server. Hope you can succeed this time.

 

[uyjulian]

Would installing bluecardfix and 4.5 MSET on sysnand break things?

 

[Ronhero]

Also i suggest to write a SOAP crafter program to make your valid SOAP response after the test succeeded.
That may help you to update part of the whole package. However you would need to fetch a complete package to find out how to calculate the hash.
And to note. There is an amusing issue with the TMD, since it may affect something more i wouldn't tell you in text about it.

I already have working scripts and a temporary host if you know of a anonymous hosting sites.

As I mentioned before your scripts are pointing at the old ninja server and not to yours

 

[uyjulian]

I already have working scripts and a temporary host if you know of a anonymous hosting sites.

As I mentioned before your scripts are pointing at the old ninja server and not to yours

What is the "old ninja server"? I replaced all the URLs to my server, and I still get "an error occurred" error. All I see on the server-side is the hit on
GetSystemTitleHash.

 

[enarky]

Is the upgrade process documented somewhere? I assume all we have to do is to get the original update files, change the XML response to point it to our own server, follow the process from post 1 in this thread and we're set? I don't assume it's that easy, is it?

 

[Ronhero]

Is the upgrade process documented somewhere? I assume all we have to do is to get the original update files, change the XML response to point it to our own server, follow the process from post 1 in this thread and we're set? I don't assume it's that easy, is it?

It's that easy

 

[Syphurith]

It's that easy

It is really appreciate if you know how to calculate the hash correctly and manually...
Or a detailed tutorial for the noobs to build the server.
Nevermind, if that's out of your knowledge or you are too busy to do so.
Thanks for the info that this method still works for them.

 

[Ronhero]

It is really appreciate if you know how to calculate the hash correctly and manually...
Or a detailed tutorial for the noobs to build the server.
Nevermind, if that's out of your knowledge or you are too busy to do so.
Thanks for the info that this method still works for them.

I already have the server built and coded, just about everything you need is on the first page all you need to do is redirect away from NUS.

 

[uyjulian]

Okay, I still can't figure out how to make this work, I still get the "an error has occurred" error.

Here's an updated version of my script archive without update files (because those are copyrighted)

I run the php server with this command:

cd /path/to/script/folder
php -S 192.168.2.2:8000 -t .

 

[MelonGx]

I suggest you to read the whole blog article of how yifanlu did this, on his blog

Yifan Lu is female

 

[cultopi]

Yifan Lu is female

really ? 陸一凡 looks like a male name.

 

[Syphurith]

Okay, I still can't figure out how to make this work, I still get the "an error has occurred" error.

Here's an updated version of my script archive without update files (because those are copyrighted)

I run the php server with this command:

cd /path/to/script/folder
php -S 192.168.2.2:8000 -t .

Thanks for showing me the script. I did make a PKCS#12 pfx cert and its PEM format one to use with curl.
1.You have to modify the deviceId and other, but that's so easy, just reply the same deviceId it gave.
2.Those case sensitive. ?xml version="1.0" encoding="UTF-8"?
3.You might want to log the request and response so you can know if your response is really good. Not hard, yup.
And, right Let me show you some SOAP request and response. Cause the cert is copyrighted you have to create it your own.
You can decrypt the ClCertA CFA and use ccrypt to decrypt the bin, and follow the TXT included to make the cert.
You would need OpenSSL, and you have to get the Nintendo-G3 cert as CRT. For this try access the Original NUS with firefox and save the cert.

 

[Ronhero]

The cert is the same as it always was on the nus server and the old soap should still point to that.

If anyone wants to host the files pm me I'll give you my working request soap files

 

[Tokiopop]

The cert is the same as it always was on the nus server and the old soap should still point to that.

If anyone wants to host the files pm me I'll give you my working request soap files

I have a web server

The cert is the same as it always was on the nus server and the old soap should still point to that.

If anyone wants to host the files pm me I'll give you my working request soap files

Host publicly, or for us to use personally? I'd like them to save my self the trouble, but if you meant to host publicly I'm not comfortable with hosting on my site due to the legality of sharing the firmware files.

 

[cearp]

ron have you tried adding in a tmd+content files of a legit cia in the xml, and see if we could install something like that? i guess it would work, and not really important since to be able to do use this method we can install cias anyway... well, actually ntr does not let you install cias, but sure in most use cases we can. just for fun.

Yifan Lu is female

huh interesting, always surprising since most seem to be guys!