nand flash dump (3ds xl)

Discussion in '3DS - Console, Accessories and Hardware' started by lightenup, Jul 4, 2013.

nand flash dump (3ds xl) by lightenup at 1:58 PM (447,831 Views / 6 Likes) 1,971 replies

  1. lightenup
    OP

    Newcomer lightenup Member

    Joined:
    Jul 4, 2013
    Messages:
    43
    Country:
    Russia
    Hi!
    I have a 3DS XL, which (of course) has a different PCB layout and also uses slightly different components than the base version of the 3DS (http://www.3dbrew.org/w/images/a/a5/CTR_NAND_pinout.png).
    Is there any information about the pinout to actually access the flash on the XL version?

    Specifically, the NAND flash used is a: KLM2G1HE3F
    The pcb board around this chip: http://img.gawkerassets.com/img/17uht7wozjkmmjpg/ku-medium.jpg
    Interestingly, the test points TP249-TP253 are also in close vicinity -- including TP260, which could be a more conveniently reachable CLK signal.

    Finally - if you are able to dump your NAND flash at a specific firmware version, can you go back to this state at a later point in time - say after one or more upgrades?

    Thanks for any input!
     
    Margen67, Venseer, RICARDO_DX and 3 others like this.


  2. Syphurith

    Member Syphurith Beginner

    Joined:
    Mar 8, 2013
    Messages:
    641
    Location:
    Xi'an, Shaanxi Province
    Country:
    China
    I don't know if there is a possibility, but I hope so.
    You can just post your current FW version and let others find a game with a not-too-much-later FW version.
    Since playing a game would force you to install its FW (if you have an older version), you would not go too long - if you don't think keeping the 3DS away from the newest updates is essential, you can just connect to the 3DS eShop and let it download the update (not a good suggestion if you get interested in hacking it afterwards). Anyway, IIRC no one seems to have tried that before (oh well, you can try contacting someone on efnet.org #3dsdev to see if such a method has been tried already).
    If you have the proper ability you can try it, though.
     
    Ray Lewis likes this.
  3. lightenup
    OP

    Newcomer lightenup Member

    Joined:
    Jul 4, 2013
    Messages:
    43
    Country:
    Russia
    Thanks!

    Yes - the ppl on #3dsdev have been most helpful: I have an idea how to read/write the flash now. Unfortunately, the pinout for NAND access on the XL is still unknown. Also, no one seems to have tried my idea before - but I am probably fine if there is no other persistent storage (e.g. in the SoC) that would let something (e.g. the boot ROM) check whether the firmware version on the NAND has stayed the same, or at least not decreased, since the last 'normal' upgrade.

    I'll play a bit around - would be nice to preserve older firmware versions...

    FYI (and thanks to Neimod, profi200 and a 'friend' of his): both my problems have already been solved:

    -) the NAND flash pinout for the XL has been uploaded here:
    http://www.3dbrew.org/wiki/Hardware
    -) downgrading to previously dumped NAND flashes works
     
    Margen67, zfreeman, B4rtj4h and 8 others like this.
  4. reprep

    Member reprep GBAtemp Advanced Fan

    Joined:
    Jul 5, 2012
    Messages:
    840
    Country:
    Turkey
    Wow, a possible way to downgrade. Even though it is hardware only, it is still great news.
     
    Margen67 likes this.
  5. Super.Nova

    Member Super.Nova GBAtemp Regular

    Joined:
    Dec 20, 2009
    Messages:
    242
    Location:
    Under Government Suppression
    Country:
    Saudi Arabia
    *clap*...... *clap*...... *clap*...... *clap*...... *clap*...... *clap*
     
    filfat and nukeboy95 like this.
  6. Ericthegreat

    Member Ericthegreat Not New Member

    Joined:
    Nov 8, 2008
    Messages:
    1,781
    Location:
    Vana'diel
    Country:
    United States
    Very nice, but could someone implant a custom firmware like this or not? Also, it seems you had to do quite a bit of desoldering, huh?
     
  7. profi200

    Banned profi200 Banned

    Joined:
    Sep 3, 2011
    Messages:
    330
    Country:
    Germany
    Nope, that requires a bootrom flaw to bypass the RSA signature checking of the FIRM partitions.


    Some infos:

    The NAND and console IDs are stored in the encrypted NAND. A NAND image only works on the 3DS it was made on. Each 3DS uses its own keys for NAND en-/decryption. So no NAND sharing. Only up- and downgrading currently.

    But be aware: the 3DS deletes all contents on the SD card with missing tickets in the NAND. Downloading a new game on the latest firmware and downgrading results in the 3DS deleting it!
     
  8. Ray Lewis

    Banned Ray Lewis Banned

    Joined:
    Dec 30, 2012
    Messages:
    1,518
    Country:
    United States
    THIS is my type of info, hmmmm what a fix. Thanks for the share. To share as I have not seen it, sort of related, deadlyfoes pointed out the Wii U nand (eMMC) can be read like an SD card. It is on wiiubrew. I have not found anyone who will admit to trying it. This is great for the 3ds scene.
     
    Margen67 and yuyuyup like this.
  9. Parasite X

    Banned Parasite X Banned

    Joined:
    Jul 6, 2009
    Messages:
    637
    Location:
    Katy Tx
    Country:
    United States
    We're finally starting to see progress in cracking the 3DS wide open: CFW, downgrades, custom emulators :-)
     
    Margen67 likes this.
  10. lightenup
    OP

    Newcomer lightenup Member

    Joined:
    Jul 4, 2013
    Messages:
    43
    Country:
    Russia
    Not at all - they might have removed the flash from a broken unit to trace the signals more easily. The test points you need to solder to are very conveniently reachable -- it's not even required to take the mainboard out. Interestingly, my assumption proved correct: the test points 249 to 253 have the same functionality in the XL as in the normal version of the 3DS. Someone might want to look for and try TP260 on the normal 3DS version (CLK signal), because it could be easier to solder to than the other pin on the back of the board.
     
  11. ichichfly

    Member ichichfly GBAtemp Advanced Fan

    Joined:
    Sep 23, 2009
    Messages:
    618
    Country:
    Germany
    No, the NAND is encrypted with a key that is different for each 3DS.
    Someone on gulli had this "hardware mod" for some time: http://board.gulli.com/thread/1722015-angeblich-erste-flashkarte-die-3ds-roms-abspielen-kann/8/ (German). There is also a picture of the mod somewhere in
    http://board.gulli.com/thread/1656020-ot-thread-aka-die-laberecke/ (somewhere in the first 300 pages).

    Addendum: why is there no link to http://www.3dbrew.org/wiki/Flash_Filesystem in the news on the front page?
     
  12. profi200

    Banned profi200 Banned

    Joined:
    Sep 3, 2011
    Messages:
    330
    Country:
    Germany
    Why not share the pics directly? That's no problem.

    My mod: http://s.gullipics.com/image/3/3/o/udht0w-krp61m-ud9q/1370975084359.jpeg
    My mod in action (currently I don't own male/male jumper wires): http://s.gullipics.com/image/2/6/x/udhkak-ksyl7g-qm2c/PicsArt1373047662585.png
    NAND as removable drive in Windows (German): http://s.gullipics.com/image/n/e/l/udhkak-ksym2a-2j42/3DSNAND.png


    @lightenup:

    I will look at it. I don't think that TP260 is CLK on the 3DS, but we will see.


    €:

    On the 3DS TP260 doesn't exist.
     
  13. lightenup
    OP

    Newcomer lightenup Member

    Joined:
    Jul 4, 2013
    Messages:
    43
    Country:
    Russia
    Pity.. I also couldn't find it on the PCB images, but my eyes started to hurt after a few minutes..
    Anyway: thanks for looking!

    BTW: I finally got around to prepping my XL for dumping. It might be that the DATA1-DATA3 pins are mixed up, because I couldn't get a valid image (filled up my kernel log with read errors). As you suggested on IRC, I ended up using only DATA0 (and CMD, CLK, GND of course).. not as fast, but fast enough.
    So.. now a workable exploit for 4.5.0-10 would be nice to have/find :)
     
  14. Parasite X

    Banned Parasite X Banned

    Joined:
    Jul 6, 2009
    Messages:
    637
    Location:
    Katy Tx
    Country:
    United States
    ichichfly said: ↑
    no the NAND is encrypted with a key that is different for each 3DS.
    Someone on gulli had this "hardware mod" for some time http://board.gulli.com/thread/1722015-angeblich-erste-flashkarte-die-3ds-roms-abspielen-kann/8/ (German) there is also a picture of the mod somewhere
    http://board.gulli.com/thread/1656020-ot-thread-aka-die-laberecke/ (somewhere in the first 300 Pages)
    add: why is there no link to http://www.3dbrew.org/wiki/Flash_Filesystem in the news on the front page?

    I was talking about what might happen in the near future but I get it I guess that I let my excitement take over :-)
     
    Shiggitay likes this.
  15. profi200

    Banned profi200 Banned

    Joined:
    Sep 3, 2011
    Messages:
    330
    Country:
    Germany
    With DAT1, DAT2 and DAT3 this is MMCplus, and your card reader must support it.

    http://en.wikipedia.org/wiki/Multimedia_Card#MMCplus_and_MMCmobile

    I got 2.7 MB/s read/write speed. This is enough for 1GB.
     
    Syphurith likes this.
  16. Riku

    Member Riku GBAtemp Regular

    Joined:
    May 3, 2009
    Messages:
    281
    Country:
    United States
    Do you need to ground the 3DS's internal resonator before dumping the NAND?

    And what tools are you guys using for reading/writing? I think WinHex will do the job, but maybe you can suggest better alternatives?
     
  17. profi200

    Banned profi200 Banned

    Joined:
    Sep 3, 2011
    Messages:
    330
    Country:
    Germany
    No, the SoC generates the clock signal. Connect the card reader and turn the 3DS/XL on. A bootrom error is displayed. At this point the SoC doesn't generate a clock signal because it isn't needed.

    I use Win32 Disk Imager. dd under Linux or other tools should work too.



    Before I forget: the main work of finding the pinouts was done by the member didi1000. He found the XL pinouts. neimod and I helped him.
     
  18. Gonzo

    Newcomer Gonzo Member

    Joined:
    Aug 4, 2013
    Messages:
    31
    Country:
    Germany
    Hi all,

    I just finished the hardware mod on my 3DS and dumped an image. But how can I verify that it was successful without taking the risk of flashing the image back to the target?

    Win32 Disk Imager ended with a success message, 2 different dumps have equal content, and the file size is always 1.000.341.504 bytes. Opening it with a hex editor shows "NCSD" at 0x100, a larger area of 0x00 from 0x200-0x012DFF and another large area of 0x00 from 0x059400-0x23FFFF.

    Can somebody confirm that, or has anyone other key values in their image?

    BTW: I attached some photos of my solution for the MMC adapter - perhaps someone finds it useful... mmc_adapter.jpg adapter_connected.jpg dump_process.jpg
     
  19. Spzjulien

    Member Spzjulien GBAtemp Regular

    Joined:
    Sep 8, 2012
    Messages:
    295
    Country:
    France
    Great job, I will try it when I have my new 3DS XL.
     
    LittleHugh likes this.
  20. lightenup
    OP

    Newcomer lightenup Member

    Joined:
    Jul 4, 2013
    Messages:
    43
    Country:
    Russia
    I can confirm those values; the zeroed area going until 0x23ffff starts in my dump already at 0x44e00. That's a 3DS XL, 4.5.
    However, for now I am not aware of any test (besides (upgrading and) writing the dump back) that really guarantees that your flash dump is valid.
     
    Gonzo likes this.
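The plausibility checks Gonzo and lightenup describe above (NCSD magic at 0x100, the zero run starting at 0x200, the 1,000,341,504-byte size, two dumps being identical), written up as an added example that is not code from the thread or from any 3DS tool. The expected values are the ones quoted in the thread for one XL; the synthetic image built by `build_sample_image` is constructed here and far smaller than a real NAND, so only the size check fails on it.

```python
import hashlib
import sys

# Values quoted in the thread for a 3DS XL dump (observations, not a spec)
NCSD_MAGIC_OFFSET = 0x100
EXPECTED_SIZE = 1_000_341_504   # bytes, reported by Gonzo and confirmed by lightenup
ZERO_RUN_START = 0x200          # first large zeroed area begins here


def zero_run_end(data: bytes, start: int) -> int:
    """Offset of the first non-zero byte at or after `start` (len(data) if none)."""
    view = memoryview(data)[start:]
    chunk = 1 << 20  # scan in 1 MiB chunks so a 1 GB image is not walked byte by byte
    for off in range(0, len(view), chunk):
        block = bytes(view[off:off + chunk])
        stripped = block.lstrip(b"\x00")
        if stripped:  # this chunk contains a non-zero byte; count the leading zeros
            return start + off + (len(block) - len(stripped))
    return len(data)


def check_nand_dump(data: bytes) -> dict:
    """Sanity-check a raw NAND image the way the thread does."""
    magic = bytes(data[NCSD_MAGIC_OFFSET:NCSD_MAGIC_OFFSET + 4])
    return {
        "size_ok": len(data) == EXPECTED_SIZE,
        "ncsd_magic_ok": magic == b"NCSD",
        "zero_run_end": zero_run_end(data, ZERO_RUN_START),  # thread: 0x12E00 (Gonzo), 0x44E00 (lightenup)
        "sha256": hashlib.sha256(data).hexdigest(),  # keep this with the backup to detect later corruption
    }


def dumps_match(a: bytes, b: bytes) -> bool:
    """Two independent dumps of the same console should be byte-identical."""
    return len(a) == len(b) and hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def build_sample_image() -> bytearray:
    """Constructed 128 KiB stand-in for a dump: fake signature, NCSD header, zero run to 0x12E00."""
    img = bytearray(0x20000)
    img[0:0x100] = bytes(i % 251 + 1 for i in range(0x100))        # non-zero "signature" area
    img[0x100:0x104] = b"NCSD"
    img[0x104:0x200] = b"\x5a" * (0x200 - 0x104)                    # rest of the header, non-zero
    img[0x12E00:] = bytes(i % 255 + 1 for i in range(0x20000 - 0x12E00))
    return img


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:  # usage: python check_nand.py nand.bin
        print(check_nand_dump(f.read()))
```

As lightenup notes, a dump can pass all of these checks and still be bad; this only catches the gross failures (wrong size, garbage header, read errors that broke the zero runs).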
