> Wouldn't it be much easier to lend a gateway, update to 4.x and then install emunand, install rxtools and have fun with mset?
All that's really needed is someone fixing up https://github.com/Myriachan/libkhax for 1.0 to allow FBI to run (pray it actually will run), install sysUpdater (pray that it actually will run) and upgrade that way. OP has Cubic Ninja, after all.

> What the hell got into my post?
It was deleted because you posted something off topic; as in my deleted post, I said it probably would... Start your own thread instead of hijacking this one, as it has nothing to do with your 4.x 3DS.

> I am just wondering, could I change the NAND to .bin and get fat16.xorpad?
You can rename img to bin or to whatever you want; it really doesn't matter, most tools for 3DS stuff don't give a damn about the file extension.

> Yes, my tool dumps the decrypted FAT16 partition as "NAND.img" if you choose the "Decrypt NAND Partitions" option; otherwise that file will be the raw encrypted NAND dump.
Does this work on any firmware?

> Does this work on any firmware?
What firmware are you after?

> Right now? 2.x.
You'll need to be more specific, as 2.0 and 2.1 are quite different. I assume it's a U/E unit, not J.

> You'll need to be more specific, as 2.0 and 2.1 are quite different. I assume it's a U/E unit, not J.
Yea. Either or. I forgot about the differences. I'm working on a crazy idea right now.

> I would say 8.1 U, E, or especially J, as this firm has no browser.
Not going to happen... at least not from me, as that'd require internet access to download a larger payload (I don't have to do that on 4.x and below, as the exploit is small, but 5.x and above requires much more code).
The unique thing about this method is that it loads arm9 code without needing a browser for 5.0+
Useful for people with firm 8.1.0.0 E/U as well.
> Not going to happen... at least not from me, as that'd require internet access to download a larger payload (I don't have to do that on 4.x and below, as the exploit is small, but 5.x and above requires much more code).
Could you PM me the source code for it?

> Could you PM me the source code for it?
Have fun getting this to work (you need a functioning ninjhax setup; this goes in "cn_qr_initial_loader\WEST\cn_initial\source").

> Have fun getting this to work (you need a functioning ninjhax setup; this goes in "cn_qr_initial_loader\WEST\cn_initial\source").
Cool. I'm working on dumping the OTP. Only problem is the actual downgrade.

You can use Cubic Ninja to exploit 1.0.0E. It's not very stable, but it's enough to get basic ARM9 control (after a few retries). Scan http://i.imgur.com/7Q35Tuy.png and it will load the file load.bin into FCRAM at 0x23F00000 and start execution (size is limited to 0x3000 bytes).
This is how to retrieve the framebuffer addresses:
#include <stdint.h>

// Copy the framebuffer words from FCRAM (0x23FFFE00..0x23FFFE1C) into ARM9-side
// memory at 0x080FFFC0..0x080FFFDC, plus the extra word at 0x23FFFF18.
static void copy_framebuffer_info(void)
{
    *(volatile uint32_t*)0x080FFFEC = *(volatile uint32_t*)0x23FFFF18;
    *(volatile uint32_t*)0x080FFFC0 = *(volatile uint32_t*)0x23FFFE00; // framebuffer 1 top left
    *(volatile uint32_t*)0x080FFFC4 = *(volatile uint32_t*)0x23FFFE04; // framebuffer 2 top left
    *(volatile uint32_t*)0x080FFFC8 = *(volatile uint32_t*)0x23FFFE08; // framebuffer 1 top right
    *(volatile uint32_t*)0x080FFFCC = *(volatile uint32_t*)0x23FFFE0C; // framebuffer 2 top right
    *(volatile uint32_t*)0x080FFFD0 = *(volatile uint32_t*)0x23FFFE10; // framebuffer 1 bottom
    *(volatile uint32_t*)0x080FFFD4 = *(volatile uint32_t*)0x23FFFE14; // framebuffer 2 bottom
    *(volatile uint32_t*)0x080FFFD8 = *(volatile uint32_t*)0x23FFFE18; // framebuffer select top
    *(volatile uint32_t*)0x080FFFDC = *(volatile uint32_t*)0x23FFFE1C; // framebuffer select bottom
}

// Bit 0 of each select word says which of the two buffers is active; the
// buffer-2 pointer sits 4 bytes after the buffer-1 pointer, so add before reading.
static void get_framebuffers(uint8_t** topScreen_left, uint8_t** topScreen_right, uint8_t** bottomScreen)
{
    uint32_t topScreenSelect    = *(volatile uint32_t*)0x080FFFD8;
    uint32_t bottomScreenSelect = *(volatile uint32_t*)0x080FFFDC;
    *topScreen_left  = (uint8_t*)(*(volatile uint32_t*)((uint32_t)0x080FFFC0 + 4*(topScreenSelect&1)));
    *topScreen_right = (uint8_t*)(*(volatile uint32_t*)((uint32_t)0x080FFFC8 + 4*(topScreenSelect&1)));
    *bottomScreen    = (uint8_t*)(*(volatile uint32_t*)((uint32_t)0x080FFFD0 + 4*(bottomScreenSelect&1))); // offset applied before the read, as for the top screen
}
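The snippet above only resolves which of the two buffers per screen is currently displayed; what an ARM9 payload usually wants next is to draw into that buffer. The following is an added, host-runnable example (not code from the post or from the cn_qr_initial_loader it mentions) that models the eight-word info block and the select&1 rule exactly as posted, then goes one step further and writes pixels into the selected buffer. Everything about the pixel format is an assumption for this demo and is not stated in the post: 3 bytes per pixel (BGR8), stored column by column with 240 pixels per column, bottom of the column first, top screen 400x240 and bottom screen 320x240. The six fb_* arrays, px_offset, fill_rect and demo are names made up here so the code can run off-device.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Index of each word in the info block, in the order the post copies them. */
enum { FB_TOP_L1, FB_TOP_L2, FB_TOP_R1, FB_TOP_R2,
       FB_BOT1, FB_BOT2, FB_SEL_TOP, FB_SEL_BOT, FB_WORDS };

/* ASSUMED pixel layout (not stated in the post): 3 bytes per pixel (BGR8),
   column-major with 240 pixels per column, bottom of the column first, so
   pixel (x, y) lives at ((x * 240) + (239 - y)) * 3. */
#define SCREEN_H 240u
#define TOP_W    400u
#define BOT_W    320u
#define BPP      3u

size_t px_offset(uint32_t x, uint32_t y)
{
    return ((size_t)x * SCREEN_H + (SCREEN_H - 1 - y)) * BPP;
}

typedef struct { uint8_t *top_left, *top_right, *bottom; } fb_ptrs;

/* Same rule as the post: bit 0 of the select word picks buffer 1 or 2, and
   the buffer-2 pointer sits in the slot right after the buffer-1 pointer. */
fb_ptrs select_framebuffers(const uintptr_t info[FB_WORDS])
{
    fb_ptrs p;
    unsigned ts = (unsigned)(info[FB_SEL_TOP] & 1);
    unsigned bs = (unsigned)(info[FB_SEL_BOT] & 1);
    p.top_left  = (uint8_t *)info[FB_TOP_L1 + ts];
    p.top_right = (uint8_t *)info[FB_TOP_R1 + ts];
    p.bottom    = (uint8_t *)info[FB_BOT1 + bs];
    return p;
}

/* Fill a w x h rectangle at (x0, y0) with a BGR colour, clipped to the screen. */
void fill_rect(uint8_t *fb, uint32_t screen_w, uint32_t x0, uint32_t y0,
               uint32_t w, uint32_t h, uint8_t b, uint8_t g, uint8_t r)
{
    for (uint32_t x = x0; x < x0 + w && x < screen_w; x++)
        for (uint32_t y = y0; y < y0 + h && y < SCREEN_H; y++) {
            uint8_t *px = fb + px_offset(x, y);
            px[0] = b; px[1] = g; px[2] = r;
        }
}

/* Host-side stand-ins for the six framebuffers (constructed for this demo). */
uint8_t fb_top_l1[TOP_W * SCREEN_H * BPP], fb_top_l2[TOP_W * SCREEN_H * BPP];
uint8_t fb_top_r1[TOP_W * SCREEN_H * BPP], fb_top_r2[TOP_W * SCREEN_H * BPP];
uint8_t fb_bot1[BOT_W * SCREEN_H * BPP],   fb_bot2[BOT_W * SCREEN_H * BPP];

/* Build the info block with top select = 1 and bottom select = 0, draw a red
   5x5 square at (10, 20) on the active top-left buffer and a green 10-pixel
   bar along the top of the active bottom buffer.  Returns 1 if the pixels
   landed where expected and the inactive buffers stayed untouched, else 0. */
int demo(void)
{
    uintptr_t info[FB_WORDS] = {
        (uintptr_t)fb_top_l1, (uintptr_t)fb_top_l2,
        (uintptr_t)fb_top_r1, (uintptr_t)fb_top_r2,
        (uintptr_t)fb_bot1,   (uintptr_t)fb_bot2,
        1, 0 };
    memset(fb_top_l1, 0, sizeof fb_top_l1); memset(fb_top_l2, 0, sizeof fb_top_l2);
    memset(fb_bot1, 0, sizeof fb_bot1);     memset(fb_bot2, 0, sizeof fb_bot2);

    fb_ptrs p = select_framebuffers(info);
    if (p.top_left != fb_top_l2 || p.top_right != fb_top_r2 || p.bottom != fb_bot1)
        return 0;

    fill_rect(p.top_left, TOP_W, 10, 20, 5, 5, 0x00, 0x00, 0xFF);
    fill_rect(p.bottom, BOT_W, 0, 0, BOT_W, 10, 0x00, 0xFF, 0x00);

    const uint8_t *px = fb_top_l2 + px_offset(12, 22);
    if (px[0] != 0x00 || px[1] != 0x00 || px[2] != 0xFF) return 0;
    if (fb_top_l2[px_offset(9, 22) + 2] != 0 || fb_top_l2[px_offset(12, 25) + 2] != 0) return 0;
    if (fb_top_l1[px_offset(12, 22) + 2] != 0) return 0;   /* inactive buffer untouched */
    if (fb_bot1[px_offset(319, 9) + 1] != 0xFF || fb_bot2[px_offset(0, 0) + 1] != 0) return 0;
    return 1;
}

int main(void) { return demo() ? 0 : 1; }
```

On the console the info[] words would be the values copied to 0x080FFFC0.. and the fb_* arrays would be real VRAM/FCRAM pointers; the select&1 logic and the offset arithmetic are the parts that carry over unchanged. Drawing into the buffer that is not selected is the classic symptom of getting the select bit wrong: nothing appears, or the image flickers on alternate frames.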