Homebrew Has anyone managed to unbrick a system using B9S and a hardmod?

[Valery0p]

Little OT: where can we follow the bootrom reversing process?
Any irc/discord channels?

--------------------- MERGED ---------------------------

Also: the bootrom can only read a payload from an NTR card, or can also write things on it? This can be used to dump the otp, the mpu, the firm partitions or the entire nand to the flascard's micro sd card...

 

[gamesquest1]

Little OT: where can we follow the bootrom reversing process?
Any irc/discord channels?

--------------------- MERGED ---------------------------

Also: the bootrom can only read a payload from an NTR card, or can also write things on it? This can be used to dump the otp, the mpu, the firm partitions or the entire nand to the flascard's micro sd card...

I doubt it has the need to dump to ntr card, it just loads a firm from the ntr spi, I'm assuming this payload could be something like decrypt9 or even just the normal boot9strap which will load any firm from the sd card

So then you can just dump your nand/otp etc to the normal 3ds sd card, even if it was possible to write stuff from the system to the ntr card it would probably involve a lot more work for devs to do when it makes much more sense to just dump stuff to the sd

 

[Spore2]

Well it's possible with a hardmod, I just unbricked a n3ds that had been updated from 2.1 to latest while still on o3ds FW,

But I did run into a issue, for some reason the tool used for the hardmod sighax causes a blue screen if you restore both firm0 and firm1 so I finally just manually restored a sighax firm0 and brought it back to life, maybe there is a firm mismatch on the system or something, but I would have thought a valid firm0 would have trumped a corrupt firm1

But either way, sighax saved a 3ds

Just to be clear. Using the sighax firm 0 we can use any nand dump on any other 3ds, particularly, bricked 3ds?

 

[Starzcream]

Just to be clear. Using the sighax firm 0 we can use any nand dump on any other 3ds, particularly, bricked 3ds?

I would also like to know I'm trying to unbrick a failed 2.1.0 ctr transfe but all the firms I'm sighaxing just bsod

 

[GerbilSoft]

I doubt it has the need to dump to ntr card, it just loads a firm from the ntr spi

Hold on a second. It loads FIRM from SPI flash, not the regular ROM area?

If that's the case, then any DS game card with enough save memory could theoretically be used for this.

Also, for the Gateway brick case: IIRC, it's caused by Gateway setting an eMMC password. Since Boot9 checks the NTR cartridge first, and we have low-level sdmmc access, I'm pretty sure it would be possible to write a Gateway unbricker using ntrboothax (or whatever it's going to be called). You'd just need to know the right commands, which can be ported over from the raspi tutorial.

 

[Olmectron]

Hold on a second. It loads FIRM from SPI flash, not the regular ROM area?

If that's the case, then any DS game card with enough save memory could theoretically be used for this.

Also, for the Gateway brick case: IIRC, it's caused by Gateway setting an eMMC password. Since Boot9 checks the NTR cartridge first, and we have low-level sdmmc access, I'm pretty sure it would be possible to write a Gateway unbricker using ntrboothax (or whatever it's going to be called). You'd just need to know the right commands, which can be ported over from the raspi tutorial.

I know nothing about these technical meanings, nor am I a knowledge person on the inners of hardware nor software, but did I understand well what you're saying? Like in injecting a modified save to any DS game and make it boot and run the unbricker app?

 

[GerbilSoft]

I know nothing about these technical meanings, nor am I a knowledge person on the inners of hardware nor software, but did I understand well what you're saying? Like in injecting a modified save to any DS game and make it boot and run the unbricker app?

If it does load from the NTR SPI flash instead of the NTR ROM, yes. I don't know of the actual details, since I haven't seen a detailed listing of what boot9 does to check for a FIRM cartridge.

Keep in mind that this is all theoretical until someone posts a proof of concept.

 

[pepepotamo]

OMG!

 

[gamesquest1]

If it does load from the NTR SPI flash instead of the NTR ROM, yes. I don't know of the actual details, since I haven't seen a detailed listing of what boot9 does to check for a FIRM cartridge.

Keep in mind that this is all theoretical until someone posts a proof of concept.

Sorry I'm not sure I remember someone mentioning that the 3ds had a secret recovery mode that looks for a specific ntr cart then around the same time the spi flash chip was mentioned (from around the time sighax was discovered originally) so I assume it was in relation to the same recovery mode but it's just based on random talks on here, it may have been people guessing, I am not qualified to say how/where it attempts to boot from it may indeed be the rom chip instead, I think either way it looks for a specific cart so it would still need to be identified as the recovery cart so even if it is the spi save chip you still couldn't just write it to a random nds game

But again Idk the real devs will let us know what exactly we need if/when they figure it out

 

[TheDarkGreninja]

NTRboothax sounds really interesting, might need it if I ever brick my 3ds.

 

[vb_encryption_vb]

It DOES NOT boot from SPI, this I can confirm.

 

[GerbilSoft]

It DOES NOT boot from SPI, this I can confirm.

Might have been confusion with booting from Wi-Fi SPI flash, which was mentioned in the original Sighax presentation last year.

 

[gamesquest1]

Might have been confusion with booting from Wi-Fi SPI flash, which was mentioned in the original Sighax presentation last year.

Yeah probably, sorry for the confusion guys XD

Did anyone ever figure out the wifi spi flash booting though, would at least be a start

 

[leerz]

Just a little update with my test. https://gbatemp.net/threads/poc-fixing-ofw-blackscreens-with-boot9strap.471436/#post-7331476

 

[Starzcream]

Ya this doesn't work for me. I have black screen with corrupt movable sed can't install boot9 at all blue screens everytime. How can I get 0 day sed in to nand dump. Also had a native firm .app not found during ctr transfer.

 

[ClickCLK]

Theoretically, is it possible to unbrick a 3ds after physically replacing damaged nand chip to a clean, totally new one without an original backup using b9s and a hardmod?

 

[vb_encryption_vb]

Theoretically, is it possible to unbrick a 3ds after physically replacing damaged nand chip to a clean, totally new one without an original backup using b9s and a hardmod?

No, there is other chips that need to be replaced as well, the time and cost for this procedure, cheaper to get a new 3ds.

 

[ClickCLK]

No, there is other chips that need to be replaced as well, the time and cost for this procedure, cheaper to get a new 3ds.

Sorry, but I don't get your point about replacing another chips when replacing nand. If there is some kind of hardware tethering (like on xbox360, cpu key, dvd key and firmware are tied together on per console basis), than all you need to do is to write original backup to the new chip, as the keys are stored in firmware. This won't work as I there are no backup. If I were to replace nand chip with another one desoldered from another dead 3ds then this may be the case (I mean replacing another chips with it, but again, I don't know much about hardware tethering on 3ds), maybe CPU and wi-fi module must be replace too, but when you swap chips like this you don't need any kind of programming or exploits, hardware wise it will practically become a different 3ds system.

I don't know for sure, but on old PSPs it looks like you can recover even completely formatted console using pandora kit, and completely formatted memory chip is nearly identical to a new one software-wise.
And as far as I understand, boot9strap is as deep as pandora was.

So my question must have been this: is it possible to unbrick a 3ds with completely formatted nand using a hardmod without original backup?

P.S: I highly doubt that a nand chip will cost so much that it will be cheaper to buy a working system, and time needed to replace it is hour and a half at max. Also, I have experience and equipment needed for this kind of job.

 

[vb_encryption_vb]

Sorry, but I don't get your point about replacing another chips when replacing nand. If there is some kind of hardware tethering (like on xbox360, cpu key, dvd key and firmware are tied together on per console basis), than all you need to do is to write original backup to the new chip, as the keys are stored in firmware. If I were to replace nand chip with another one desoldered from another dead 3ds then this may be the case (again, I don't know much about hardware tethering on 3ds), maybe CPU and wi-fi module must be replace too, but when you swap chips like this you don't need any kind of programming or exploits, hardware wise it will practically become a different 3ds system.

I don't know for sure, but on old PSPs it looks like you can recover even completely formatted console using pandora kit, and completely formatted memory chip is nearly identical to a new one software-wise.
And as far as I understand, boot9strap is as deep as pandora was.

So my question must have been this: is it possible to unbrick a 3ds with completely formatted nand using a hardmod without original backup?

P.S: I highly doubt that a nand chip will cost so much, so it will be cheaper to buy a working system, and time needed to replace it is hour and a half at max. Also, I have experience and equipment needed for this kind of job.

There is a thread around here somewhere from when someone did what you want to do. They ended up having to BGA 2 or 3 different CHIPS. To make it work, maybe it was just a MB transfer and they transferred all components I don't recall.

Yes, it's cheaper for you, since you own the proper equipment to do so, not many ppl have the equipment or the skill set, also keep in mind there is no stencil so you will have to play all the ball on your own, good luck.

To my understanding once a 3ds has been formatted by PC via hardmod was hooked up to it, than it cannot be fixed. There is no known way, I don't even think sighax can bring it back to life as last known firm has to be known...

 

[Oleboy555]

Hopefully busy working on it.

Hes working on a new DSi mode exploit

(From what ive heard)