fogbank said:
wilsoff said:
giantpune said:
We still don't know exactly how the HBC scam is triggered.
Thanks! The scam screen is triggered by consoleID.
At least in part.
It appears that each HBC installation is tied to the console it was installed to by modifying an area of the TMD - two bytes at 0x1B0 and 8 bytes at 0x1C6 in the samples I looked at (probably just the 8 bytes are significant?).
Either way, the bottom line is that you will need some data from a NAND with a properly installed HBC in order to get HBC running without the scam warning. The data in the TMD must (somehow) match the console ID.
The HBC TMD can be "fakesigned" to prevent the scam screen on a virgin SNEEK NAND (well not truly fakesigned, but...):
1. Hexedit device.cert and change consoleID (0xC6) to 11111111. Make sure device.cert is in sys/
2. Hexedit TMD of HBC and change 8 bytes starting at 0x1C6 to B2 B8 8B A4 EB 25 19 51
3. (Optional) Pack HBC into a WAD with "Awesomest" TIK and fakesigned TMD using BFGR WADTools (do not use ShowMiiWads).
4. Install WAD using ShowMiiWads
Note: device.cert does not need to contain anything other than NG11111111 at 0xC4 in order to prevent the scam screen on HBC. The rest of the file can be empty. Creating a device.cert this way, however, may affect anything else that uses ES_GetDeviceCert. Also having your consoleID as 11111111 may affect anything else that requires a valid consoleID (not sure what though?).
Also this will ONLY work with SNEEK, as on a real NAND there would be no way to change the consoleID in the device cert, so HBC would still show the scam screen if you tried to use the "fake signed" TMD.
I have tested this on a bare minimum 3.2U SNEEK NAND. It should work for any SNEEK NAND.
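The comparison described in the post (finding which TMD bytes differ between installations, and reading the console ID that follows "NG" at 0xC4 in device.cert) can be reproduced with a short script. This is an added example, not part of the original post or any tool it mentions; the offsets are taken from the post, the function names are hypothetical, and the sample buffers are constructed, with the ID assumed to be stored as ASCII hex digits.

```python
# Added example: offsets are from the post; everything else is constructed.
NG_NAME_OFF = 0xC4                      # "NG" + 8 hex digits (console ID at 0xC6)
TMD_AUX_OFF, TMD_AUX_LEN = 0x1B0, 2     # two bytes seen to vary between samples
TMD_TAG_OFF, TMD_TAG_LEN = 0x1C6, 8     # eight bytes seen to vary between samples
HEX_DIGITS = set(b"0123456789abcdefABCDEF")

def console_id(device_cert: bytes) -> str:
    """Return the 8 hex digits that follow 'NG' at 0xC4 (assumed ASCII)."""
    name = device_cert[NG_NAME_OFF:NG_NAME_OFF + 10]
    if len(name) != 10 or name[:2] != b"NG":
        raise ValueError("no 'NG' name at 0xC4")
    if not set(name[2:]) <= HEX_DIGITS:
        raise ValueError("console ID is not 8 hex digits")
    return name[2:].decode("ascii").lower()

def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Contiguous (offset, length) runs where two equal-length blobs differ."""
    if len(a) != len(b):
        raise ValueError("samples differ in length; compare like with like")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs

def tmd_fields(tmd: bytes) -> tuple[bytes, bytes]:
    """Extract the two regions the post identifies as per-console."""
    if len(tmd) < TMD_TAG_OFF + TMD_TAG_LEN:
        raise ValueError("TMD too short")
    return (tmd[TMD_AUX_OFF:TMD_AUX_OFF + TMD_AUX_LEN],
            tmd[TMD_TAG_OFF:TMD_TAG_OFF + TMD_TAG_LEN])

def make_sample_tmd(aux: bytes, tag: bytes, size: int = 0x208) -> bytes:
    """Constructed stand-in for a TMD: zeros except the two regions."""
    buf = bytearray(size)
    buf[TMD_AUX_OFF:TMD_AUX_OFF + TMD_AUX_LEN] = aux
    buf[TMD_TAG_OFF:TMD_TAG_OFF + TMD_TAG_LEN] = tag
    return bytes(buf)

# Constructed inputs: a minimal device.cert as in the note, and two sample TMDs.
SAMPLE_CERT = bytes(NG_NAME_OFF) + b"NG11111111"
TMD_A = make_sample_tmd(b"\x00\x00", bytes(8))
TMD_B = make_sample_tmd(b"\x01\x02", bytes.fromhex("B2B88BA4EB251951"))

if __name__ == "__main__":
    print("console ID:", console_id(SAMPLE_CERT))
    for off, length in diff_ranges(TMD_A, TMD_B):
        print(f"differs at 0x{off:X} for {length} byte(s)")
```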