[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

motezazer

OP
PLEASE STOP ASKING IF THIS METHOD WORKS ON X.X; CURRENTLY IT IS ONLY AVAILABLE BETWEEN 9.0 AND 9.2 (lower firmwares may be supported one day, but, without a new kernel exploit, there is no chance for 9.3+)


NEW 3DS METHOD

It's very simple.
Launch NTR CFW on a New 3DS.
Enable the debugger.
Connect the debugger with the command: connect('your3dsip', 8000)
And now the magic command, UPDATED (may not work on 8.1J): write(0x10DD28, (0x00, 0x20, 0x08, 0x60, 0x70, 0x47), pid=0x25)
Done!

OLD 3DS METHOD

Download the code.bin
Copy it to the root of your SD card
Launch the web browser
Clear cookies and history
Go to loadcode.projectpokemon.org
Wait for the load bar and the message "failed to load" to disappear
Press Home
Done!

Do you want emuNAND support?
Of course... never.
We have two possibilities for emuNAND support:
-Gateway adds support for patching NIM directly in their firmware
-You swap tickets, and install with a CIA.

Credits to yifanlu for the offset and the nop slide.

LIMITATIONS:

It's now stable.
Set your internet connection BEFORE and make sure it's valid.
Access the service you want after you see "finish" in the debugger.
Tested with:
-eShop
-eShop in games (update of Mii Plaza, DLCs, etc.)
-System Transfer (but the source and the target need to have a firmware in the compatibility list) ---> a whole system transfer has been tested and it works!
-Theme Shop

TROUBLESHOOTING:

Question: The browser method doesn't work. What can I do?
Answer: Install the right version of the browser (see below).

Question: When I select my target 3DS in the System Transfer, it fails! What can I do?
Answer: Install the right version of CARDBROAD on BOTH 3DS (see below).

Compatibility list:
Source: 3.0 <---> Target: 3.0
Source: 4.0-4.5 <---> Target: 4.0-4.5
Source: 5.0-6.3 <---> Target: 5.0-6.3
Source: 7.0-8.1 <---> Target: 7.0-8.1
Source: 9.0-9.5 <---> Target: 9.0-9.5
Source: 9.6-9.7 <---> Target: 9.6-9.7
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

Browser versions:
JAP Title ID: 0004003000008802
NA Title ID: 0004003000009402
EUR Title ID: 0004003000009D02
Firmware: 9.0-9.2 (the only compatible version for the moment) ---> Version: 4096
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

CARDBROAD versions:
JAP Title ID: 0004001000020A00
NA Title ID: 0004001000021A00
EUR Title ID: 0004001000022A00
Firmware: 9.0-9.2 (the only compatible version for the moment) ---> Version: 5130(JAP)/5131(EUR/NA)
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

Attachments

  • code.rar
    6.5 KB · Views: 5,790
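What the New 3DS method actually changes is worth seeing, because the six bytes that NTR's write() command pokes into NIM are not a NOP slide: read as little-endian 16-bit Thumb halfwords they are 0x2000, 0x6008 and 0x4770, i.e. movs r0, #0 / str r0, [r1, #0] / bx lr. Whatever code sits at 0x10DD28 is replaced by a stub that stores 0 through the pointer in r1 and returns 0 to its caller, which is only sound if that address is a function entry point; that is why a wrong offset on another firmware (the 8.1J caveat, the NIM dump the OP asks for below) breaks it rather than merely failing. The script below is an added example and is not part of the original post or of NTR CFW: it decodes the patch bytes (plus a handful of other common Thumb-16 encodings, so it also works on other small hand-written patches), rejects a misaligned or odd-length patch before you would poke it into a live process, and regenerates the exact write() command from the bytes. The offset, pid and byte values come from the post; every function name and the decoder subset are mine.

```python
"""Decode and regenerate the NTR CFW firmware-spoof patch for NIM (added example).

Constructed from the values in the post: offset 0x10DD28, pid 0x25 and the
six patch bytes. Everything else (function names, the decoder subset) is
illustrative and not NTR's own code.
"""
import struct

NIM_PATCH_OFFSET = 0x10DD28   # address inside the NIM process, from the post
NIM_PID = 0x25                # NIM process id on 9.0-9.2, from the post
PATCH_BYTES = bytes((0x00, 0x20, 0x08, 0x60, 0x70, 0x47))  # from the post


def decode_thumb16(hw):
    """Decode one 16-bit Thumb halfword from a small subset of ARMv6 encodings.

    Covers the three instructions in the patch plus the encodings most often
    seen in hand-written patches (nop, mov, ldr, b). Anything else raises.
    """
    if hw == 0xBF00:                        # Thumb-2 NOP
        return "nop"
    if (hw >> 11) == 0b00100:               # MOVS Rd, #imm8
        return f"movs r{(hw >> 8) & 7}, #{hw & 0xFF}"
    if (hw >> 11) == 0b01100:               # STR Rt, [Rn, #imm5*4]
        return f"str r{hw & 7}, [r{(hw >> 3) & 7}, #{((hw >> 6) & 0x1F) * 4}]"
    if (hw >> 11) == 0b01101:               # LDR Rt, [Rn, #imm5*4]
        return f"ldr r{hw & 7}, [r{(hw >> 3) & 7}, #{((hw >> 6) & 0x1F) * 4}]"
    if (hw >> 7) == 0b010001110:            # BX Rm
        rm = (hw >> 3) & 0xF
        return "bx " + ("lr" if rm == 14 else f"r{rm}")
    if (hw >> 8) == 0b01000110:             # MOV Rd, Rm (high-register form)
        rd = (((hw >> 7) & 1) << 3) | (hw & 7)
        return f"mov r{rd}, r{(hw >> 3) & 0xF}"
    if (hw >> 11) == 0b11100:               # B <label>: imm11, sign-extended, *2
        imm = hw & 0x7FF
        if imm & 0x400:
            imm -= 0x800
        return f"b .{imm * 2 + 4:+#x}"
    raise ValueError(f"unsupported Thumb halfword {hw:#06x}")


def disassemble(patch, base):
    """Return [(address, halfword, asm)] for a Thumb byte string placed at base."""
    if base & 1:
        raise ValueError("Thumb code must start on a halfword boundary")
    if len(patch) % 2:
        raise ValueError("Thumb patch must be a whole number of halfwords")
    out = []
    for i in range(0, len(patch), 2):
        (hw,) = struct.unpack_from("<H", patch, i)   # ARM is little-endian
        out.append((base + i, hw, decode_thumb16(hw)))
    return out


def describe_patch(patch, base):
    """What the patched code now does to its caller, judged from the instructions."""
    asm = [text for _, _, text in disassemble(patch, base)]
    if asm == ["movs r0, #0", "str r0, [r1, #0]", "bx lr"]:
        return ("stub: writes 0 through the pointer in r1 and returns 0, "
                "so the caller sees success and a cleared output value")
    if all(text in ("nop", "mov r8, r8") for text in asm):
        return "nop slide: execution falls through to whatever follows the patch"
    return "; ".join(asm)


def ntr_write_command(offset, patch, pid):
    """Regenerate the NTR debugger write() command for a byte string."""
    byte_list = ", ".join(f"{b:#04x}" for b in patch)
    return f"write({offset:#x}, ({byte_list}), pid={pid:#x})"


if __name__ == "__main__":
    for addr, hw, text in disassemble(PATCH_BYTES, NIM_PATCH_OFFSET):
        print(f"{addr:#08x}  {hw:04x}  {text}")
    print(describe_patch(PATCH_BYTES, NIM_PATCH_OFFSET))
    print(ntr_write_command(NIM_PATCH_OFFSET, PATCH_BYTES, NIM_PID))
```

Two practical notes follow from the decode. First, the patch lives only in the running NIM process's memory, so it is gone after a reboot and has to be written again each time (the post's "Done!" is per session). Second, because the stub ends in bx lr after six bytes, the patch must land exactly on the entry of the function yifanlu identified; on a firmware where NIM's code is laid out differently the same bytes at the same offset corrupt whatever is there instead, which is the failure mode the OP's request for a NIM dump is meant to diagnose.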

Apache Thunder
Will probably never happen on old3ds either

Wrong! rxTools already has emunand working for 9.6 and soon will have homebrew CIA support (with some checks to prevent piracy). Gateway is just slow on old 3DS 9.6 support. They need to give up on trying to get 9.6 working on both n3DS and 3DS at the same time and just get old 3DS support working while they still work on n3DS. But that's off topic here so that's the last I'll mention of that. :P
 

Oishikatta
If this worked, it would be trivial to setup a server that simply reflects the sender's titlehash.

But I'm fairly certain there is another function that needs to be patched.
 

motezazer

OP
Well i just tried this out on my n3ds 9.0.0-20 (EUR) and no dice, still says there's a system update available when opening eshop.

Thanks for the feedback.
It's probably a wrong offset. Please dump your NIM process with the following command : data(0x00000000, 0x200000, filename='NIM.bin', pid=your NIM pid), then PM me the NIM.bin that will be created on the SD.

If this worked, it would be trivial to setup a server that simply reflects the sender's titlehash.

But I'm fairly certain there is another function that needs to be patched.

As the server, you can't know the target title hash. So, when patching the URL, you would have to send the title hash via GET to the server, so it can craft a response.
 

Oishikatta
As the server, you can't know the target title hash. So, when patching the URL, you would have to send the title hash via GET to the server, so it can craft a response.


That's probably the simplest, right. For some reason I thought it was sent in the first request.

But couldn't you still just do...

Update Check ---> Server responds with invalid title hash
Version compare --> Server responds with title hash matching requester's CVer

Assuming the server has a list of title hashes for all the possible requesting versions, which is very limited -- E/U 9.0, 9.2 (cart), 9.2 (web); J 8.1, 9.0, 9.1, 9.2.

Anyways I can check when my sd card reader gets here.
 

Ra1d
I know, I'm just talking from a gateway owner's perspective. By the time they release 9.6 for any console, we'll probably be well into the 10s.


Which is what everyone says until gateway releases an actual update.

Examples :

Gateway 9.2 will never happen!!
N3DS update will never happen!!
9.5 emuNAND on N3DS will never happen!!


Can we just stop with the conspiracy theories and wait ?
 

motezazer

OP
That's probably the simplest, right. For some reason I thought it was sent in the first request.

But couldn't you still just do...

Update Check ---> Server responds with invalid title hash
Version compare --> Server responds with title hash matching requester's CVer

Assuming the server has a list of title hashes for all the possible requesting versions, which is very limited -- E/U 9.0, 9.2 (cart), 9.2 (web); J 8.1, 9.0, 9.1, 9.2.

Anyways I can check when my sd card reader gets here.

No, because 9.0.0-5 is not the same as 9.0.0-6 (if we think about O3DS support). The server doesn't know CVer either; it just knows your deviceID, your region and your country.
And we don't know the title hash of any update that was not on Nintendo's servers (New 8.1, for example).
My wish would be a CIA homebrew that computes your local title hash and patches NIM so that it sends your local title hash in the URL via GET.
The end user would just have to install the homebrew, launch it and enjoy.
 

Fatalanus
Guys, GW are playing the wait, you should have learnt it...
The more they wait for the release of their new exploit, the more it'll still be available in the next FW released by the Big N. It's just so easy to understand.
 

motezazer

OP
Guys, GW are playing the wait, you should have learnt it...
The more they wait for the release of their new exploit, the more it'll still be available in the next FW released by the Big N. It's just so easy to understand.

They are speaking about O3DS 9.6 emuNAND support, that is already achieved by others...
Anyway, it's off-topic
 
You have to remember that the same thing was done during the ps3 days when cfw wasn't updated as quickly as it is now. Sony had the proxy blocked within a day of a new firmware release.
 

Wowfunhappy
I know that people HAVE patched NIM to make the eShop work on older firmwares, it's just that no one has made the method public.

But, in theory, this really should be possible! People have done it. I'm not sure if NTR was used specifically, but I don't see why it couldn't be.
 

dkabot
You have to remember that the same thing was done during the ps3 days when cfw wasn't updated as quickly as it is now. Sony had the proxy blocked within a day of a new firmware release.

The concept isn't to proxy the shop, but to make the system think it's updated so it will access it.
...at least, if I understand their means correctly.
 

Wowfunhappy
Relevant: http://3dbrew.org/wiki/EShop

While eShop is loading, eShop will use command NIMS:CheckSysupdateAvailableSOAP. If a system update is available where title installation for system titles still needs finalized (or when the updated titles were not downloaded at all), eShop will then display the "system update is available" message.
So, the function that needs to be patched isn't necessarily NetUpdateSOAP, but CheckSysupdateAvailableSOAP.

(Or maybe they're the same thing. Or maybe they both need to be patched. I don't actually know; just thought it was worth mentioning)
 