Lightyose

New 3DS U 10.5 to 10.2 and finally 9.2 with safeSysUpdater

Congrats!

--------------------- MERGED ---------------------------

CONGRATS! to everyone who succeeded
 

mjdiaz54

This is crossposted from reddit.

This is a summary / compilation of the information from this thread. Please don't follow any random instructions you find in that thread; there is quite a lot of misinformation going around. This is very much untested, and a hardmod is necessary.

Do not ask if you can achieve this without a hardmod, you can't.

This is an apparently working implementation of the "FIRM partitions known-plaintext" exploit detailed here. Reports of successful downgrades are sparse or unconfirmed, but seeing as anyone who tries this has a hardmod and a NAND backup (hopefully multiple backups kept in multiple locations), there isn't really much that can go wrong.

This should work on both a New and Old 3DS.

Keep in mind throughout this that 10.4 and 10.5 use the same NATIVE_FIRM. Also keep in mind that 10.3 does not have a unique NATIVE_FIRM, and we will be using the 10.2 NATIVE_FIRM.

~

What you need:


Instructions

1. Extract the autofirm pack to a folder of your choice
2. Place a copy of your NAND file (named "nand.bin") in the autofirm folder
3. Download the appropriate decrypted 10.4/10.5 NATIVE_FIRM and the decrypted 10.2 NATIVE_FIRM as CIA files
4. Rename the 10.4/10.5 NATIVE_FIRM file to "firmoriginal.cia" then put it in the autofirm folder
5. Rename the 10.2 NATIVE_FIRM file to "firmnuevo.cia" then put it in the autofirm folder
6. Place the msvcr120d.dll file in the autofirm folder
7. Run "start.bat"
8. If everything worked, then you will have a modified "nand.bin" containing 10.2 NATIVE_FIRM on 10.4/10.5
9. Flash this "nand.bin"

Where can I get the nand.bin after running start.bat? Is this nand.bin the same nand.bin I pasted inside the autofirm folder, and does this one now contain the NATIVE_FIRM?

Sorry for the noob question...
 

vb_encryption_vb

Where can I get the nand.bin after running start.bat? Is this nand.bin the same nand.bin I pasted inside the autofirm folder, and does this one now contain the NATIVE_FIRM?

Sorry for the noob question...


Yes, it's the same one. Compare the patched one with your backup. There should be a difference between the two. If not, the patch didn't go correctly.
 

mjdiaz54

Yes, it's the same one. Compare the patched one with your backup. There should be a difference between the two. If not, the patch didn't go correctly.

Thanks for the info.

What seems to be the problem if the READ and WRITE buttons in the disk manager are not available?

Could it be the card reader or the lock key on the SD card??
 

mjdiaz54

Just a sec: should I dump as .img or .bin??? Help!!

--------------------- MERGED ---------------------------

If reading give it a name for it to appear. If writing make sure the extension is img not bin
Then why does the tutorial use nand.bin and not nand.img? Should I rename it, then?
 

Chips98

Same here!!! Cheers!!

But how can I do the CFW now? Will the browserhax work on its browser?
Yes, if you get errors running your browser on 9.2, then you need to start over from a backup NAND (personal experience). But if all is running, then yes, all browser hax will work for you :D
 

Tescowiec

Sorry if that question is stupid or has already been asked, but would it be possible to unbrick a 3DS by altering the corrupted files that prevent the console from booting, just as we can downgrade the NATIVE_FIRM?
 

gamesquest1

Sorry if that question is stupid or has already been asked, but would it be possible to unbrick a 3DS by altering the corrupted files that prevent the console from booting, just as we can downgrade the NATIVE_FIRM?
The thing is, NATIVE_FIRM is stored at a specific offset, and it's easy to obtain a plaintext version of it to create a xorpad. Without knowing exactly where in the NAND the corrupt file is, and the exact plaintext of the corrupt file, it's pretty much impossible.
 

A_Bricked_Guy

The thing is, NATIVE_FIRM is stored at a specific offset, and it's easy to obtain a plaintext version of it to create a xorpad. Without knowing exactly where in the NAND the corrupt file is, and the exact plaintext of the corrupt file, it's pretty much impossible.

I think he means whether changing only the NATIVE_FIRM would allow him to boot into Recovery and repair its broken titles.

EDIT: Misread, sorry.
 

Selver

The thing is, NATIVE_FIRM is stored at a specific offset, and it's easy to obtain a plaintext version of it to create a xorpad. Without knowing exactly where in the NAND the corrupt file is, and the exact plaintext of the corrupt file, it's pretty much impossible.

Actually, it's possible (although troublesome) to do more than this, simply because of a weakness in the 3DS encryption scheme.
  • NAND is divided into well-known partitions
  • Each sector of each partition will have a constant XorPad
  • The data stored in that sector is OLDDATA ^ XORPAD
  • If you want to store new data in that sector, result will be NEWDATA ^ XORPAD
Thus, if you can predict BOTH the sector where information is stored, and can cause the 3DS to store known values there (or otherwise know the expected data), you can update it. Here's why (just XOR'ing both sides by the same value to get to next lines):
  • X ^ X == 0
  • oldEncryptedSector ^ UpdateXor == newEncryptedSector
  • OldData ^ XorPad ^ UpdateXor == NewData ^ XorPad
  • OldData ^ UpdateXor == NewData
  • UpdateXor == NewData ^ OldData (no XorPad value needed)
Put another way, the XORPAD is exposed when the sector and expected data are known:
  • OldEncryptedData ^ XorPad == ClearData
  • OldEncryptedData == ClearData ^ XorPad
  • OldEncryptedData ^ ClearData == XorPad
Thus, if you know both the sector number where the information is stored and the cleartext data, you can trivially update it. Since the firmware partitions store everything at a known offset, the XorPad can be reconstructed.

In contrast, the CtrNand partition uses a FAT16 file system, allowing files to be stored in nearly any sector. Thus, it's much harder to RE the xorpad using only the encrypted data (+ analytics on expected data + which bits change when), especially where the file system operations are not easily controlled from user-mode apps.
 
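The quoted autofirm procedure earlier in the thread (feed the tool your nand.bin plus the 10.4/10.5 and 10.2 NATIVE_FIRM as known plaintext, then compare the result against the backup) and Selver's XOR derivation above come down to the same three lines of arithmetic. The block below is an added example written for this thread; it is not the autofirm tool and not anything posted by the participants. The sector size, the partition offset and size, the keystream and the "firmware" blobs are constructed toy values, and the console is modelled only by the one property the attack needs: a pad that is fixed for a given position in the image.

```python
"""Known-plaintext patching of an XOR-encrypted partition inside a NAND image.

Added example for this thread. It is not the autofirm tool and not the real
3DS layout: the sector size, FIRM offset/size, the keystream and the
"firmware" blobs below are constructed toy values.
"""
import random

SECTOR = 512               # assumed sector size (toy value)
FIRM_OFFSET = 4 * SECTOR   # assumed partition offset (toy value)
FIRM_SIZE = 8 * SECTOR     # assumed partition size (toy value)


def derive_xorpad(enc_old: bytes, plain_old: bytes) -> bytes:
    """XorPad = OldEncryptedData ^ ClearData, exactly the relation in the post."""
    if len(enc_old) != len(plain_old):
        raise ValueError("ciphertext and known plaintext lengths differ")
    return bytes(c ^ p for c, p in zip(enc_old, plain_old))


def patch_partition(nand: bytes, offset: int, plain_old: bytes, plain_new: bytes) -> bytes:
    """Copy of `nand` whose region at `offset` now decrypts to `plain_new`.

    No key is needed: new_enc = old_enc ^ old_plain ^ new_plain. The pad is
    bound to the position, so the replacement must sit at the same offset and
    cannot be longer than the known-plaintext region.
    """
    n = len(plain_old)
    if offset < 0 or offset + n > len(nand):
        raise ValueError("partition range lies outside the image")
    if len(plain_new) > n:
        raise ValueError("replacement longer than the recovered pad")
    plain_new = plain_new.ljust(n, b"\x00")   # zero-fill the tail so it stays defined
    xorpad = derive_xorpad(nand[offset:offset + n], plain_old)
    out = bytearray(nand)
    out[offset:offset + n] = bytes(p ^ k for p, k in zip(plain_new, xorpad))
    return bytes(out)


def diff_sectors(a: bytes, b: bytes, sector: int = SECTOR) -> list:
    """Sector numbers that differ: the 'compare the patched one with your
    backup' check from the thread. An empty list means nothing was patched."""
    if len(a) != len(b):
        raise ValueError("image sizes differ: wrong dump or truncated file")
    return [i // sector for i in range(0, len(a), sector) if a[i:i + sector] != b[i:i + sector]]


class ToyConsole:
    """Stand-in for the console's NAND crypto: a fixed per-position keystream,
    the property the post relies on. Only this class knows the key; the
    patching code above never sees it."""

    def __init__(self, size: int, seed: int = 1234):
        rng = random.Random(seed)                         # constructed keystream
        self.keystream = bytes(rng.getrandbits(8) for _ in range(size))

    def crypt(self, data: bytes, offset: int) -> bytes:   # XOR is its own inverse
        return bytes(d ^ k for d, k in zip(data, self.keystream[offset:offset + len(data)]))


def demo() -> dict:
    """Dump -> patch -> 'flash' -> check, plus the wrong-plaintext failure mode."""
    size = 32 * SECTOR
    console = ToyConsole(size)
    firm_old = b"NATIVE_FIRM 10.4/10.5 ".ljust(FIRM_SIZE, b"\xAA")   # constructed stand-in
    firm_new = b"NATIVE_FIRM 10.2 ".ljust(FIRM_SIZE, b"\x55")        # constructed stand-in
    firm_wrong = b"NATIVE_FIRM 9.2 ".ljust(FIRM_SIZE, b"\xAA")       # wrong guess of the old firm

    plain = bytearray(random.Random(99).getrandbits(8) for _ in range(size))  # other partitions
    plain[FIRM_OFFSET:FIRM_OFFSET + FIRM_SIZE] = firm_old
    nand_backup = console.crypt(bytes(plain), 0)          # what the hardmod read out

    patched = patch_partition(nand_backup, FIRM_OFFSET, firm_old, firm_new)
    region = slice(FIRM_OFFSET, FIRM_OFFSET + FIRM_SIZE)
    good = console.crypt(patched[region], FIRM_OFFSET) == firm_new

    # Wrong known plaintext (e.g. a FIRM from the wrong version): the patch still
    # "succeeds" and the image still differs from the backup, but the console
    # would decrypt old ^ wrong ^ new, i.e. garbage wherever the guess was off.
    bad = patch_partition(nand_backup, FIRM_OFFSET, firm_wrong, firm_new)
    bad_ok = console.crypt(bad[region], FIRM_OFFSET) == firm_new

    untouched = (patched[:FIRM_OFFSET] == nand_backup[:FIRM_OFFSET]
                 and patched[FIRM_OFFSET + FIRM_SIZE:] == nand_backup[FIRM_OFFSET + FIRM_SIZE:])
    return {
        "firm_decrypts_to_new": good,
        "wrong_plaintext_decrypts_to_new": bad_ok,
        "changed_sectors": diff_sectors(nand_backup, patched),
        "changed_sectors_wrong": diff_sectors(nand_backup, bad),
        "rest_untouched": untouched,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the demo makes visible that the thread only implies. First, the "compare the patched image with your backup" check only proves that something was written: the image patched with the wrong known plaintext differs from the backup in exactly the same sectors as the correctly patched one, yet it decrypts to garbage wherever the guess was off. That is why the quoted summary insists on the NATIVE_FIRM for the exact installed version (10.4 and 10.5 share one; 10.3 has none of its own). Second, because the pad is bound to the position, the trick only works where you know the offset in advance, which is Selver's point about the FIRM partitions versus files scattered across the FAT16 CtrNand partition.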
