NAND flash dump (3DS XL)

Discussion in '3DS - Console, Accessories and Hardware' started by lightenup, Jul 4, 2013.

  1. lightenup (OP)
    Hi!
    I have a 3DS XL, which (of course) has a different PCB layout and also uses slightly different components than the base version of the 3DS (http://www.3dbrew.org/w/images/a/a5/CTR_NAND_pinout.png).
    Is there any information about the pinout to actually access the flash on the XL version?

    Specifically, the NAND flash used is a KLM2G1HE3F.
    The PCB area around this chip: http://img.gawkerassets.com/img/17uht7wozjkmmjpg/ku-medium.jpg
    Interestingly, the testpoints TP249-TP253 are also in close vicinity -- including TP260, which could be a more conveniently reachable CLK signal.

    Finally - if you are able to dump your nand flash at a specific firmware version, can you go back to this state at a later point in time - say after one or more upgrades?

    Thanks for any input!
     


  2. Syphurith
    I don't know if there is a possibility, but I hope so.
    You can just post your current fw version and let others find a game with a not-too-much-later fw version.
    Since playing a game would force you to install its fw (if you have an older version), you would not go too long. If you don't think keeping the 3DS away from the newest updates is essential, you can just connect to the 3DS eShop and let it download the update (not a good suggestion if you get interested in hacking it afterwards). Anyway, IIRC no one seems to have tried that before (oh well, you can try contacting someone on efnet.org #3dsdev to see if such a method has been tried already).
    If you have the proper ability, you can try it, though.
     
  3. lightenup (OP)
    Thanks!

    Yes - the ppl on #3dsdev have been most helpful: I have an idea how to read/write the flash now. Unfortunately, the pinout for nand access on the XL is still unknown. Also no one seemed to have tried my idea before - but I am probably fine if there is no other persistent storage (e.g. in the SoC) so that something (e.g. the boot rom) is able to check whether the firmware version on the nand has stayed the same or at least not decreased since the last 'normal' upgrade.

    I'll play a bit around - would be nice to preserve older firmware versions...

    FYI (and thanks to Neimod, profi200 and a 'friend' of his): both my problems have already been solved:

    -) the NAND flash pinout for the XL has been uploaded here:
    http://www.3dbrew.org/wiki/Hardware
    -) downgrading to previously dumped NAND flashes works
     
  4. reprep
    Wow, a possible way to downgrade. Even though it is hardware only, it is still great news.
     
  5. Super.Nova
    *clap*...... *clap*...... *clap*...... *clap*...... *clap*...... *clap*
     
  6. Ericthegreat
    Very nice, but could someone implant a custom firmware like this or no? Also, it seems you had to do quite a bit of desoldering, huh?
     
  7. profi200
    Nope, that requires a bootrom flaw to bypass the RSA signature checking of the FIRM partitions.


    Some info:

    The NAND and console IDs are stored in the encrypted NAND. A NAND image only works on the 3DS on which it was made. Each 3DS uses its own keys for NAND en-/decryption. So no NAND sharing. Only up- and downgrading currently.

    But be aware: the 3DS deletes all content on the SD card with missing tickets in the NAND. Downloading a new game on the latest firmware and then downgrading results in the 3DS deleting it!
     
  8. Ray Lewis
    THIS is my type of info, hmmmm what a fix. Thanks for the share. To share as I have not seen it, sort of related, deadlyfoes pointed out the Wii U nand (eMMC) can be read like an SD card. It is on wiiubrew. I have not found anyone who will admit to trying it. This is great for the 3ds scene.
     
  9. Parasite X
    We're finally starting to see progress in cracking the 3DS wide open: CFW, downgrades, custom emulators :-)
     
  10. lightenup (OP)
    Not at all - they might have removed the flash from a broken unit to trace the signals more easily. The testpoints you need to solder to are very conveniently reachable -- it's not even required to take the mainboard out. Interestingly, my assumption proved correct: the testpoints 249 to 253 have the same functionality in the XL as in the normal version of the 3DS. Someone might want to look for and try TP260 on the normal 3DS version (CLK signal), because it could be easier to solder to than the other pin on the back of the board.
     
  11. ichichfly
    No, the NAND is encrypted with a key that is different for each 3DS.
    Someone on gulli has had this "hardware mod" for some time: http://board.gulli.com/thread/1722015-angeblich-erste-flashkarte-die-3ds-roms-abspielen-kann/8/ (German). There is also a picture of the mod somewhere here:
    http://board.gulli.com/thread/1656020-ot-thread-aka-die-laberecke/ (somewhere in the first 300 pages)

    Add: Why is there no link to http://www.3dbrew.org/wiki/Flash_Filesystem in the news on the front page?
     
  12. profi200
    Why not share the pics directly? That's no problem.

    My mod: http://s.gullipics.com/image/3/3/o/udht0w-krp61m-ud9q/1370975084359.jpeg
    My mod in action (currently I don't own male/male jumper wires): http://s.gullipics.com/image/2/6/x/udhkak-ksyl7g-qm2c/PicsArt1373047662585.png
    NAND as a removable drive in Windows (German): http://s.gullipics.com/image/n/e/l/udhkak-ksym2a-2j42/3DSNAND.png


    @lightenup:

    I will look at it. I don't think that TP260 is CLK on the 3DS, but we will see.


    Edit:

    On the 3DS, TP260 doesn't exist.
     
  13. lightenup (OP)
    Pity.. I also couldn't find it on the PCB images, but my eyes started to hurt after a few minutes..
    Anyway: thanks for looking!

    BTW: I finally got around to prepping my XL for dumping. It might be that the DATA1-DATA3 pins are mixed up, because I couldn't get a valid image (it filled up my kernel log with read errors). As you suggested on IRC, I ended up using only DATA0 (and CMD, CLK, GND of course).. not as fast, but fast enough.
    So.. now a workable exploit for 4.5.0-10 would be nice to have/find :)
     
  14. Parasite X
    ichichfly said: ↑
    No, the NAND is encrypted with a key that is different for each 3DS.
    Someone on gulli has had this "hardware mod" for some time: http://board.gulli.com/thread/1722015-angeblich-erste-flashkarte-die-3ds-roms-abspielen-kann/8/ (German). There is also a picture of the mod somewhere here: http://board.gulli.com/thread/1656020-ot-thread-aka-die-laberecke/ (somewhere in the first 300 pages)
    Add: Why is there no link to http://www.3dbrew.org/wiki/Flash_Filesystem in the news on the front page?

    I was talking about what might happen in the near future, but I get it. I guess I let my excitement take over :-)
     
  15. profi200
    With DAT1, DAT2 and DAT3 this is MMCplus, and your card reader must support it.

    http://en.wikipedia.org/wiki/Multimedia_Card#MMCplus_and_MMCmobile

    I got 2.7 MB/s read/write speed. This is enough for 1GB.
     
  16. Riku
    Do you need to ground the 3DS's internal resonator before dumping the NAND?

    And what tools are you guys using for reading/writing? I think WinHex will do the job, but maybe you can suggest better alternatives?
     
  17. profi200
    No, the SoC generates the clock signal. Connect the card reader and turn the 3DS/XL on. A bootrom error is displayed. At this point the SoC doesn't generate a clock signal, because it isn't needed.

    I use Win32 Disk Imager. dd under Linux or other tools should work too.



    Before I forget: the main work to find the pinouts was done by the member didi1000. He found the XL pinouts. neimod and I helped him.
     
  18. Gonzo
    Hi all,

    I just finished the hardware mod on my 3DS and dumped an image. But how can I verify that it was successful without taking the risk of flashing the image back to the target?

    Win32DiskImager ended with a success message, 2 different dumps have equal content, and the file size is always 1.000.341.504 bytes. Opening it with a hex editor shows "NCSD" at 0x100, a larger area of 0x00 from 0x200-0x012DFF and another large area of 0x00 from 0x059400-0x23FFFF.

    Can somebody confirm that, or does anyone have other key values in the image?

    BTW: I attached some photos of my solution for the MMC adapter - perhaps someone finds it useful... mmc_adapter.jpg adapter_connected.jpg dump_process.jpg
     
  19. Spzjulien
    Great job, I will try when I have my new 3DS XL.
     
  20. lightenup (OP)
    I can confirm those values; in my dump the zeroed area running up to 0x23ffff already starts at 0x44e00. That's a 3DS XL, 4.5.
    However, for now I am not aware of any test (beside (upgrading and) writing the dump back) that really guarantees that your flash dump is valid.
     
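As an added example (not code from any poster in this thread), a small Python checker that automates the sanity checks Gonzo and lightenup describe above: the 1.000.341.504-byte size, the "NCSD" magic at 0x100, the zero-filled ranges, and a streamed hash to compare two dumps of the same console. The range boundaries and size are taken from the thread; the synthetic test image is constructed here, and, as lightenup notes, passing these checks does not prove a dump is valid, it only catches obviously broken reads before anything is written back.

```python
import hashlib
import os
import tempfile

EXPECTED_SIZE = 1_000_341_504          # dump size reported in the thread (bytes)
NCSD_MAGIC_OFFSET = 0x100              # "NCSD" header magic seen in both posters' dumps
# Zero-filled ranges posted by Gonzo (inclusive ends); lightenup's dump zeroes these too.
ZERO_RANGES = ((0x200, 0x012DFF), (0x059400, 0x23FFFF))

def check_dump(path, expected_size=EXPECTED_SIZE, zero_ranges=ZERO_RANGES):
    """Return a list of findings (empty = all sanity checks passed). Only the regions named
    in the thread are read; the rest of the NAND is per-console encrypted and looks random."""
    findings = []
    size = os.path.getsize(path)
    if size != expected_size:
        findings.append(f"size {size} != expected {expected_size}")
    with open(path, "rb") as f:
        f.seek(NCSD_MAGIC_OFFSET)
        if f.read(4) != b"NCSD":
            findings.append(f"no NCSD magic at 0x{NCSD_MAGIC_OFFSET:X}")
        for start, end in zero_ranges:
            f.seek(start)
            chunk = f.read(end - start + 1)
            if any(chunk):                     # any non-zero byte in the range
                first = start + next(i for i, b in enumerate(chunk) if b)
                findings.append(f"non-zero byte at 0x{first:X} inside zero range "
                                f"0x{start:X}-0x{end:X}")
    return findings

def sha256_file(path, chunk_size=1 << 20):
    """Streamed SHA-256 so a full NAND image never has to fit in memory; two dumps of
    the same console taken back to back should hash identically."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def make_synthetic_dump(size=EXPECTED_SIZE, corrupt_at=None):
    """Constructed test image, NOT a real NAND: a sparse file with the NCSD magic at 0x100
    and zeros elsewhere; corrupt_at pokes one 0xFF byte for negative tests."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.seek(NCSD_MAGIC_OFFSET)
        f.write(b"NCSD")
        if corrupt_at is not None:
            f.seek(corrupt_at)
            f.write(b"\xff")
        f.truncate(size)                       # sparse: the 1 GB is never actually written
    return path
```

Run `check_dump("nand.bin")` against a real dump and compare `sha256_file` of two consecutive dumps; a non-empty findings list means the read should be redone before any write-back is considered.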