How can I hack 1.0.0-0U 3ds?

joex11 (Well-Known Member)
Wouldn't it be much easier to lend a Gateway, update to 4.x and then install EmuNAND, install rxTools and have fun with MSET?
 

Suiginou (Member)
> Wouldn't it be much easier to lend a Gateway, update to 4.x and then install EmuNAND, install rxTools and have fun with MSET?
All that's really needed is someone fixing up https://github.com/Myriachan/libkhax for 1.0 to allow FBI to run (pray it actually will run), install sysUpdater (pray that it actually will run) and upgrade that way. OP has Cubic Ninja, after all.
 

Suiginou (Member)
> I am just wondering, could I change the NAND to .bin and get fat16.xorpad?
You can rename .img to .bin or to whatever you want; it really doesn't matter, since most tools for 3DS stuff don't give a damn about the file extension.

As far as I can tell, Normmatt's tool already has the FAT16 partition decrypted. Please make a backup copy of your NAND backup before mounting it as a volume, as that may destroy factory title information by modifying metadata.
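As an added example of the precaution above (not code from the thread or from Normmatt): keep the untouched copy of the NAND image, and after the working copy has been mounted, compare the two byte for byte and report the first offset that changed, so a mount that rewrote metadata is noticed before the modified image is used for anything. The file names under /tmp, the image contents and the single rewritten byte in the first sector are all constructed for the demo.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not code from the thread. Compare a NAND image against the
 * untouched copy. Returns -1 when the files are identical, the offset of the
 * first differing byte otherwise, or -2 when a file cannot be opened or the
 * lengths differ. */
static long first_difference(const char *path_a, const char *path_b) {
    FILE *fa = fopen(path_a, "rb");
    FILE *fb = fopen(path_b, "rb");
    long result = -2;
    if (fa && fb) {
        unsigned char ba[4096], bb[4096];
        long offset = 0;
        result = -1;
        for (;;) {
            size_t na = fread(ba, 1, sizeof ba, fa);
            size_t nb = fread(bb, 1, sizeof bb, fb);
            if (na != nb) { result = -2; break; }      /* lengths differ */
            if (na == 0) break;                         /* both at EOF: identical */
            size_t i;
            for (i = 0; i < na && ba[i] == bb[i]; i++) ;
            if (i < na) { result = offset + (long)i; break; }
            offset += (long)na;
        }
    }
    if (fa) fclose(fa);
    if (fb) fclose(fb);
    return result;
}

/* Write a constructed image: 'size' bytes of a fixed pattern, optionally with
 * one byte overwritten to stand in for a field a mount rewrote. Returns 1 on success. */
static int write_image(const char *path, size_t size, long patch_offset, unsigned char patch_value) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    for (size_t i = 0; i < size; i++) {
        unsigned char c = (unsigned char)(i * 31 + 7);
        if ((long)i == patch_offset) c = patch_value;
        if (fputc(c, f) == EOF) { fclose(f); return 0; }
    }
    return fclose(f) == 0;
}

static const char *PRISTINE = "/tmp/nand_copy_pristine.bin";  /* constructed names */
static const char *MOUNTED  = "/tmp/nand_copy_mounted.bin";

/* Demo: pristine copy versus a copy with one byte in the first sector changed.
 * Returns what first_difference() reports (-2 if the files could not be written). */
static long nand_backup_demo(void) {
    if (!write_image(PRISTINE, 8192, -1, 0) || !write_image(MOUNTED, 8192, 0x1C6, 0xAA))
        return -2;
    return first_difference(PRISTINE, MOUNTED);
}

/* Control case: the pristine copy compared with itself. */
static long nand_backup_demo_identical(void) {
    if (!write_image(PRISTINE, 8192, -1, 0)) return -2;
    return first_difference(PRISTINE, PRISTINE);
}

int main(void) {
    long d = nand_backup_demo();
    if (d >= 0) printf("first difference at offset 0x%lx\n", d);
    else        printf("result %ld\n", d);
    return 0;
}
```

Run it before and after mounting the working copy (with the real paths in place of the constructed ones); a result other than -1 tells you the mount touched the image, and the offset tells you roughly where.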
 

zoogie (Developer)
I would say 8.1 U, E, or especially J, as this firm has no browser.

The unique thing about this method is that it loads arm9 code without needing a browser for 5.0+.
Useful for people with firm 8.1.0.0 E/U as well.
 

Normmatt (Former AKAIO Programmer)
> I would say 8.1 U, E, or especially J, as this firm has no browser.
>
> The unique thing about this method is that it loads arm9 code without needing a browser for 5.0+.
> Useful for people with firm 8.1.0.0 E/U as well.
Not going to happen... at least not from me, as that'd require internet access to download a larger payload (I don't have to do that on 4.x and below, as the exploit is small, but 5.x and above requires much more code).
 

cokacommando (Well-Known Member)
> You can use Cubic Ninja to exploit 1.0.0E; it's not very stable, but it's enough to get basic arm9 control (after a few retries). Scan http://i.imgur.com/7Q35Tuy.png and it will load the file load.bin into FCRAM at 0x23F00000 and start execution (size is limited to 0x3000 bytes).
>
> This is how to retrieve the framebuffer addresses:
>
> #include <stdint.h>
>
> // Copy the framebuffer pointer table from FCRAM (0x23FFFE00..) into ARM9
> // internal memory (0x080FFFC0..), one 32-bit word per entry.
> *(volatile uint32_t*)0x080FFFEC = *(volatile uint32_t*)0x23FFFF18;
> *(volatile uint32_t*)0x080FFFC0 = *(volatile uint32_t*)0x23FFFE00; // framebuffer 1 top left
> *(volatile uint32_t*)0x080FFFC4 = *(volatile uint32_t*)0x23FFFE04; // framebuffer 2 top left
> *(volatile uint32_t*)0x080FFFC8 = *(volatile uint32_t*)0x23FFFE08; // framebuffer 1 top right
> *(volatile uint32_t*)0x080FFFCC = *(volatile uint32_t*)0x23FFFE0C; // framebuffer 2 top right
> *(volatile uint32_t*)0x080FFFD0 = *(volatile uint32_t*)0x23FFFE10; // framebuffer 1 bottom
> *(volatile uint32_t*)0x080FFFD4 = *(volatile uint32_t*)0x23FFFE14; // framebuffer 2 bottom
> *(volatile uint32_t*)0x080FFFD8 = *(volatile uint32_t*)0x23FFFE18; // framebuffer select top
> *(volatile uint32_t*)0x080FFFDC = *(volatile uint32_t*)0x23FFFE1C; // framebuffer select bottom
>
> // Bit 0 of each select word says which of the two buffers is currently displayed;
> // add 4*(select&1) to the table address, then read the pointer stored there.
> uint32_t topScreenSelect = *(volatile uint32_t*)0x080FFFD8;
> uint8_t* topScreen_left = (uint8_t*)(*(uint32_t*)((uint32_t)0x080FFFC0 + 4*(topScreenSelect&1)));
> uint8_t* topScreen_right = (uint8_t*)(*(uint32_t*)((uint32_t)0x080FFFC8 + 4*(topScreenSelect&1)));
>
> uint32_t bottomScreenSelect = *(volatile uint32_t*)0x080FFFDC;
> // Same pattern as the top screen: offset the table address, not the fetched pointer.
> uint8_t* bottomScreen = (uint8_t*)(*(uint32_t*)((uint32_t)0x080FFFD0 + 4*(bottomScreenSelect&1)));



Would this ever be able to run on 7.2.0-0U?
 
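An added example to go with the quoted snippet; it is not code from the thread or from Normmatt. It models the eight-word pointer table the snippet copies to 0x080FFFC0 as an ordinary array so it runs on a PC, applies the select bit the correct way for both screens, keeps a second function that shows what you get when the select offset is added to the fetched pointer instead of to the table address (an easy slip with this table), and adds pixel addressing for the column-major, rotated framebuffer layout. The simulated FCRAM, the table contents and the assumption of the default BGR8 pixel format are constructed; on hardware each table word is a physical address cast straight to uint8_t*.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. On the console the copied pointer
 * table lives at 0x080FFFC0..0x080FFFDC and every word is a physical FCRAM
 * address. A PC cannot map those, so here each word is a byte offset into
 * sim_fcram, a constructed stand-in for FCRAM. The layout and select logic
 * follow the quoted post; the screen geometry assumes the default BGR8 format. */

#define SCREEN_H 240                       /* both screens are 240 pixels tall */
#define TOP_W    400
#define BPP      3                         /* BGR8: one byte each of B, G, R */
#define FB_BYTES (TOP_W * SCREEN_H * BPP)  /* big enough for either screen */

/* Table word indices; word i sits at 0x080FFFC0 + 4*i in the quoted code. */
enum {
    W_TOP_LEFT_1 = 0,  /* 0x080FFFC0 */
    W_TOP_LEFT_2,      /* 0x080FFFC4 */
    W_TOP_RIGHT_1,     /* 0x080FFFC8 */
    W_TOP_RIGHT_2,     /* 0x080FFFCC */
    W_BOTTOM_1,        /* 0x080FFFD0 */
    W_BOTTOM_2,        /* 0x080FFFD4 */
    W_SELECT_TOP,      /* 0x080FFFD8 */
    W_SELECT_BOTTOM,   /* 0x080FFFDC */
    W_COUNT
};

static uint8_t sim_fcram[6 * FB_BYTES];    /* six constructed framebuffers */

/* Fill the table the way the loader would: buffer 1 and buffer 2 for each
 * output, then the two select words. */
static void fb_table_init(uint32_t table[W_COUNT], uint32_t sel_top, uint32_t sel_bottom) {
    for (int i = 0; i < 6; i++)
        table[i] = (uint32_t)(i * FB_BYTES);   /* offsets here, addresses on hardware */
    table[W_SELECT_TOP] = sel_top;
    table[W_SELECT_BOTTOM] = sel_bottom;
}

/* Correct selection: bit 0 of the select word picks WHICH SLOT to read,
 * i.e. buffer 1 or buffer 2. */
static uint32_t fb_active(const uint32_t table[W_COUNT], int first_slot, int select_slot) {
    return table[first_slot + (int)(table[select_slot] & 1)];
}

/* The slip: read slot D0 and add 4*(select&1) to the POINTER VALUE. With
 * select=1 this lands four bytes into buffer 1 instead of at buffer 2. */
static uint32_t fb_active_bottom_buggy(const uint32_t table[W_COUNT]) {
    return table[W_BOTTOM_1] + 4 * (table[W_SELECT_BOTTOM] & 1);
}

/* 3DS framebuffers are column-major and rotated 90 degrees: column x holds
 * 240 pixels from the bottom edge upward, BPP bytes each. */
static size_t fb_offset(unsigned x, unsigned y) {
    return ((size_t)x * SCREEN_H + (SCREEN_H - 1 - y)) * BPP;
}

static void fb_put_pixel(uint8_t *fb, unsigned x, unsigned y,
                         uint8_t r, uint8_t g, uint8_t b) {
    size_t o = fb_offset(x, y);
    fb[o] = b; fb[o + 1] = g; fb[o + 2] = r;
}

/* Plain-return helpers so the behaviour can be checked without hardware. */
static uint32_t fb_demo_bottom(uint32_t sel_bottom) {
    uint32_t table[W_COUNT];
    fb_table_init(table, 0, sel_bottom);
    return fb_active(table, W_BOTTOM_1, W_SELECT_BOTTOM);
}
static uint32_t fb_demo_bottom_buggy(uint32_t sel_bottom) {
    uint32_t table[W_COUNT];
    fb_table_init(table, 0, sel_bottom);
    return fb_active_bottom_buggy(table);
}

/* Clear all six buffers, paint one red pixel on the displayed bottom buffer,
 * and report which buffer (0..5) received it, or -1 if none did. */
static int fb_demo_paint_bottom(uint32_t sel_bottom, unsigned x, unsigned y) {
    memset(sim_fcram, 0, sizeof sim_fcram);
    uint8_t *bottom = sim_fcram + fb_demo_bottom(sel_bottom);
    fb_put_pixel(bottom, x, y, 0xFF, 0x00, 0x00);
    for (int i = 0; i < 6; i++)
        if (sim_fcram[(size_t)i * FB_BYTES + fb_offset(x, y) + 2] == 0xFF)  /* R byte */
            return i;
    return -1;
}

int main(void) {
    printf("select=0 paints buffer %d, select=1 paints buffer %d\n",
           fb_demo_paint_bottom(0, 10, 20), fb_demo_paint_bottom(1, 10, 20));
    printf("select=1: slipped offset 0x%x, correct offset 0x%x\n",
           fb_demo_bottom_buggy(1), fb_demo_bottom(1));
    return 0;
}
```

The two demo functions make the difference concrete: with select=1 the correct read returns the start of buffer 2, while adding the offset to the fetched pointer returns buffer 1 plus four bytes, which on hardware means drawing into the buffer that is not being displayed, misaligned by one pixel and a byte.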
