> Got a hardmod. I'm trying this
> -- I'm just wondering how this can patch an encrypted nand.bin

FIRM is stored on a separate partition and encrypted with its own key, so all we need is the xorpad for FIRM, which it gets by comparing the encrypted partition with a decrypted 10.4/10.5 FIRM.
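The xorpad trick the reply above describes, as an added worked example that is not part of the thread or of any tool mentioned in it: XOR the encrypted partition with a known decrypted image to recover the keystream ("xorpad"), then XOR a replacement image with that same pad so the console decrypts it to the replacement. This only works when the keystream does not depend on the plaintext (a counter/stream mode), which is what the xorpad wording implies. Everything here is constructed: the keystream generator is a SHA-256 counter-mode stand-in for the console's cipher, and the "FIRM" images are synthetic byte strings, not real firmware or keys. The example also shows the caveat a practitioner should expect: the pad is only known where the plaintext was known, so a replacement longer than the known image cannot be re-encrypted.

```python
"""
Known-plaintext xorpad recovery and xorpad reuse, illustrating the
"encrypted partition XOR decrypted known FIRM = xorpad" idea from the thread.

Constructed example only: toy_keystream() is a SHA-256 counter-mode stand-in
for the console's cipher and the FIRM images are synthetic bytes.
"""
import hashlib


def toy_keystream(key, nonce, length):
    """Counter-mode keystream stand-in: block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch: %d vs %d" % (len(a), len(b)))
    return bytes(x ^ y for x, y in zip(a, b))


def recover_xorpad(encrypted_partition, known_plain_firm):
    """xorpad = C XOR P.  Only the first len(P) bytes of keystream come out;
    any part of the partition with no known plaintext stays opaque."""
    n = len(known_plain_firm)
    if n > len(encrypted_partition):
        raise ValueError("known plaintext is longer than the partition")
    return xor_bytes(encrypted_partition[:n], known_plain_firm)


def inject_firm(encrypted_partition, xorpad, new_plain_firm):
    """Return a copy of the partition whose leading bytes now decrypt to
    new_plain_firm.  The replacement must fit inside the recovered xorpad:
    bytes beyond it have no known keystream and cannot be re-encrypted."""
    n = len(new_plain_firm)
    if n > len(xorpad):
        raise ValueError("replacement image (%d bytes) exceeds the recovered "
                         "xorpad (%d bytes)" % (n, len(xorpad)))
    return xor_bytes(xorpad[:n], new_plain_firm) + encrypted_partition[n:]


def demo():
    """Build a synthetic encrypted partition, recover the pad from a known
    image, inject a shorter replacement, and check what the console-side
    decryption would see.  Returns True when the replacement reads back."""
    key = b"\x11" * 16            # console key: unknown to us in the real case
    nonce = b"\x22" * 12
    known_firm = b"FIRM-10.5 " + bytes(range(256)) * 4     # constructed image
    partition = known_firm + b"\x00" * 64                   # trailing unknown bytes
    keystream = toy_keystream(key, nonce, len(partition))
    encrypted_partition = xor_bytes(keystream, partition)   # what nand.bin holds

    # Attacker side: needs only the encrypted partition and the known image.
    xorpad = recover_xorpad(encrypted_partition, known_firm)
    new_firm = b"FIRM-9.2 " + bytes(reversed(range(256))) * 4   # shorter: fits
    patched = inject_firm(encrypted_partition, xorpad, new_firm)

    # Console side: decrypt with the real keystream and read the image back.
    decrypted = xor_bytes(keystream, patched)
    return decrypted[:len(new_firm)] == new_firm


if __name__ == "__main__":
    print("injection verified:", demo())
```

The recovered pad is exactly the keystream over the known bytes, so the bytes after the known image are left as they were in the original partition; trying to inject a longer image raises rather than silently producing garbage past the end of the pad.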
> I can confirm this does indeed work. I updated to 10.5, backed up nand, patched nand, wrote nand back, booted into homebrew sysupdater and downgraded back to 9.2 with no issues.

Care to make a video of it in action? It's not that I don't believe you, it's just too crazy and the hype train is gonna go full steam ahead. @hundshamer you're about to make quite a bit of pocket money.
> FIRM is stored on a separate partition and encrypted with its own key, so all we need is the xorpad for FIRM, which it gets by comparing the encrypted partition with a decrypted 10.4/10.5 FIRM.

I have a noobish question... since we are able to decrypt firms, and it is known how to patch out the signature checks, why can't the signature check be physically patched out of the FIRM before installing it? I'm not quite sure at what point during boot signature checks start being performed, but my mind was blown when people figured out how to get 1 or 2 keys and then use them to figure out other keys (like to decrypt the N3DS 9.6+ FIRM). Why has nobody been able to derive a working signing key?
> I have a noobish question... since we are able to decrypt firms, and it is known how to patch out the signature checks, why can't the signature check be physically patched out of the FIRM before installing it? I'm not quite sure at what point during boot signature checks start being performed, but my mind was blown when people figured out how to get 1 or 2 keys and then use them to figure out other keys (like to decrypt the N3DS 9.6+ FIRM). Why has nobody been able to derive a working signing key?

There are signature checks on FIRM too. That's why we're only able to use unmodified FIRM binaries. And these checks are embedded in the bootrom, so they can't be patched out. However, arm9loaderhax does something similar to what you want: we can load a patched FIRM with it and patch/modify anything we want on NAND, given that the right signature checks are patched out. But arm9loaderhax is very user-unfriendly to install.
Both my systems are hard-modded, but I'm not very motivated to play with this. I don't need it, and anybody with a working hard mod to try it doesn't really have much to worry about.
> Got a hardmod. I'm trying this
> -- I'm just wondering how this can patch an encrypted nand.bin

Good luck
> Sure, going to be a long video from start to finish, cause I'm not editing a damn bit of it lol

Don't have to. This is big news for the scene; a public downgrade method is insane. Can you think of how many people will want this service? Hell, I might even get a smaller tip for my soldering iron just to cash in.
I haven't read through other pages, has anyone confirmed success?
> I just did it, making a video.

Nice! A tutorial or just a video?
> Don't have to. This is big news for the scene; a public downgrade method is insane. Can you think of how many people will want this service? Hell, I might even get a smaller tip for my soldering iron just to cash in.

Video is almost 3 gigs and uploading to youtube now, should be ready in 20 or 30 minutes I guess. youtube says 103 minutes, I sure as hell hope it doesn't take that long.
# Embedded file name: 3DSFirm.py
# Dumps the FIRM0/FIRM1 partitions out of a NAND image, or writes them back.
# Indentation restored; the firm1 error message and the duplicated existence
# checks are fixed, and the injected files are now required to be exactly one
# partition in size so an inject can never leave a partially overwritten FIRM.
from __future__ import print_function
import os
import sys
import argparse

if not sys.version_info[:2] == (2, 7):
    print('*****\n!!!!!Warning - Only tested with Python 2.7!!!!!\n*****\n')

parser = argparse.ArgumentParser()
parser.add_argument('nand_file', action='store', help='NAND file (must exist for dumping and injecting)')
parser.add_argument('firm0_file', action='store', help='firm0 file (only should exist for injecting, firm file will be written/overwritten when dumping)')
parser.add_argument('firm1_file', action='store', help='firm1 file (only should exist for injecting, firm file will be written/overwritten when dumping)')
choose = parser.add_mutually_exclusive_group()
choose.add_argument('-d', action='store_true', default=False, dest='dump', help='Dump firm from NAND file')
choose.add_argument('-i', action='store_true', default=False, dest='inject', help='Inject firm into NAND file')
# Accepted for compatibility; the script already reads one 4 MiB partition at a time.
parser.add_argument('-lowmem', action='store_true', default=False, dest='lowmem', help='Use if you have low RAM available')
arguments = parser.parse_args()

if arguments.dump == arguments.inject:
    print('Please choose -d or -i to dump or inject the FIRM partitions')
    sys.exit(0)

print('*******\n3DSFirmtool\n*******\n')

# Offsets of the two FIRM partitions inside the NAND image, and their size.
start = 185794560   # 0x0B130000: FIRM0
size = 4194304      # 0x00400000: each FIRM partition is 4 MiB
start2 = 189988864  # 0x0B530000: FIRM1

if not os.path.isfile(arguments.nand_file):
    print('NAND file cannot be found')
    sys.exit(0)

# Both partitions must lie inside the image; otherwise a dump reads short and
# an inject grows the file instead of patching it in place.
if os.path.getsize(arguments.nand_file) < start2 + size:
    print('NAND file is too small to contain both FIRM partitions')
    sys.exit(0)

if arguments.inject:
    for name, path in (('Firm0', arguments.firm0_file), ('Firm1', arguments.firm1_file)):
        if not os.path.isfile(path):
            print('%s file cannot be found' % name)
            sys.exit(0)
        # A short file would overwrite only part of the partition and leave the
        # tail of the old FIRM behind; a long file would be silently truncated.
        if os.path.getsize(path) != size:
            print('%s file must be exactly %d bytes (one FIRM partition)' % (name, size))
            sys.exit(0)

if arguments.dump:
    if os.path.isfile(arguments.firm0_file):
        print('Firm0 with this name and path already exists, file will be overwritten')
    if os.path.isfile(arguments.firm1_file):
        print('Firm1 with this name and path already exists, file will be overwritten')
    with open(arguments.nand_file, 'rb') as r:
        with open(arguments.firm0_file, 'wb') as w:
            with open(arguments.firm1_file, 'wb') as w2:
                print('Dumping... please wait')
                r.seek(start)
                w.write(r.read(size))
                r.seek(start2)
                w2.write(r.read(size))

if arguments.inject:
    # 'rb+' patches the partitions in place and leaves the rest of the image untouched.
    with open(arguments.nand_file, 'rb+') as r:
        with open(arguments.firm0_file, 'rb') as f0:
            print('Injecting firm0... please wait')
            r.seek(start)
            r.write(f0.read(size))
        with open(arguments.firm1_file, 'rb') as f1:
            print('Injecting firm1... please wait')
            r.seek(start2)
            r.write(f1.read(size))

print('')
print('Finished')
> Video is almost 3 gigs and uploading to youtube now, should be ready in 20 or 30 minutes I guess. youtube says 103 minutes, I sure as hell hope it doesn't take that long.

You can change the video audio in the settings on youtube if you want.
To all of GBAtemp
GBAtemp is full of assholes, my son is autistic and you may hear him in the background making random comments, keep your traps shut!
Thanks.
ctrtool fails to start on my PC... 0x000007b or something
> Why use 10.2 NATIVE FIRM?
> Why not cut out the middle man and use 9.2 NATIVE FIRM?

I'm no professional, but it's because 10.4 and 10.2 are similar or something.