gamesquest1

gamesquest1

Nabnut
Former Staff
Level 22
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
Selver said:
Actually, it's possible (although troublesome) to do more than this, simply because of a weakness in the 3DS encryption scheme.
  • NAND is divided into well-known partitions
  • Each sector of each partition will have a constant XorPad
  • The data stored in that sector is OLDDATA ^ XORPAD
  • If you want to store new data in that sector, result will be NEWDATA ^ XORPAD
Thus, if you can predict BOTH the sector where information is stored, and can cause the 3DS to store known values there (or otherwise know the expected data), you can update it. Here's why (just XOR'ing both sides by the same value to get to next lines):
  • X ^ X == 0
  • oldEncryptedSector ^ UpdateXor == newEncryptedSector
  • OldData ^ XorPad ^ UpdateXor == NewData ^ XorPad
  • OldData ^ UpdateXor == NewData
  • UpdateXor == NewData ^ OldData (no XorPad value needed)
Put another way, the XORPAD is exposed when the sector and expected data are known:
  • OldEncryptedData ^ XorPad == ClearData
  • OldEncryptedData == ClearData ^ XorPad
  • OldEncryptedData ^ ClearData == XorPad
Thus, if you know post the sector number where the information is stored, and the cleartext data, you can trivially update it. Since the firmware partitions store everything at a known offset, the XorPad can be reconstructed.

In contrast, the CtrNand partition uses a FAT16 file system, allowing files to be stored in nearly any sector. Thus, it's much harder to RE the xorpad using only the encrypted data (+ analytics on expected data + which bits change when), especially where the file system operations are not easily controlled from user-mode apps.
Click to expand...
yeah thats pretty much what i said , if you have the plaintext of the specific offset off the file you intend to fix then you can make an xorpad but for most people who brick they almost certainly wouldn't know exactly what it was they flashed to brick nor where the 3DS would have stored it on the nand, plus with some bricks being caused by the installation of o3ds titles on a n3ds or vise versa i doubt anyone truely could be bothered trying to map out/predict where exactly a bunch of system titles would be stored, basically as a theoretical thing sure there is a certain level of possibility, but practically for the kinds of people who screw up their sysnand and haven't even made a nand backup i would take a leap and say it would be way too much effort with no promise of results
 
  • Like
Reactions: Tescowiec
S

suhaib10

Active Member
Newcomer
Level 1
Joined
Jan 15, 2016
Messages
32
Trophies
0
XP
60
Country
Canada
Hey guys I need some help, my friend's n3ds is on 10.6 if he hardmods it and change the native_firm to 10.2.
Will this allow browserhax use on 10.6 or will he still need an alternate method, like OOT or CN do access homebrew to downgrade.
 
Robert McCoy

Robert McCoy

Well-Known Member
Member
Level 6
Joined
Apr 9, 2015
Messages
445
Trophies
0
Age
30
XP
929
Country
United States
It's reported to work with the 10.6 but has anyone here tried it? Can you make a video demonstrating it works with the latest update i.e. 10.6? In your free time of course.
 
HoloryTV

HoloryTV

Well-Known Member
Member
Level 2
Joined
Feb 25, 2016
Messages
163
Trophies
0
Age
26
XP
146
Country
France
Little question please, my old 3ds is in 10.3.0-28 so when I try to use browser it asking to update the console.

If I refuse I can't use it, how to do ?
Thanks !
 
Last edited by HoloryTV,
tvall

tvall

Well-Known Member
Member
Level 3
Joined
May 12, 2014
Messages
276
Trophies
0
Age
29
XP
348
Country
United States
if i uploaded my nand backup somewhere, could someone do this for me? wine and winxp dont like the ctrtool.exe in that autofirm archive

edit: nvm. set up a win7 vm.

btw, 10.5 o3dsxl -> 9.2 -> 2.1 -> back to 9.2 -> 10.6 w/ a9lh :)
 
Last edited by tvall,
S

samurayjp

Active Member
Newcomer
Level 2
Joined
Jul 3, 2008
Messages
29
Trophies
0
XP
201
Country
Brazil
I have a bicked 3ds wich I don't know what firmware. When I turn it on the blue light flashes, but no screen and no sound.

Could I use this to modify a early firmware?
Probably 2.+
 
S

Spore2

Well-Known Member
Member
Level 3
Joined
Jan 12, 2016
Messages
221
Trophies
0
Age
45
XP
246
Country
samurayjp said:
I have a bicked 3ds wich I don't know what firmware. When I turn it on the blue light flashes, but no screen and no sound.

Could I use this to modify a early firmware?
Probably 2.+
Click to expand...

AFAIK this method can't be used to unbrick a 3DS. It only works to patch 10.4 up fw so that it works like a 10.3 fw restoring memchunkhax2
 
S

samurayjp

Active Member
Newcomer
Level 2
Joined
Jul 3, 2008
Messages
29
Trophies
0
XP
201
Country
Brazil
I have access and can dump and inject nand through hardmod.
Does anyone know if you can change (restore ou update) this nand (possibly damaged) and reinject?
 
Arubaro

Arubaro

Soulspace Guardian
Member
Level 5
Joined
Sep 4, 2015
Messages
1,669
Trophies
0
Age
32
XP
586
Country
(Necrobump, sorry)
Would be in theory possible to use this method to "downgrade" from 11.0 to 10.7 and then use the regular method?
 
Deleted member 370671

Deleted member 370671

Ball of Kawaiiness
Member
Level 9
Joined
Aug 23, 2015
Messages
1,435
Trophies
1
Location
Lowee
XP
1,601
Country
Korea, North
  • Like
Reactions: Arubaro

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Homebrew  A new way to experience StreetPass

Is it possible...?

Hacking Homebrew  how to link pnid to 3ds/how to use juxtaposition?

Hacking Hardware  New Nintendo 3DS XL Louvre

Emulation  i have citra, i have my aes keys installed, how do i get the home menu

Hacking Misc  VCRUNTIME140.dll UCRTBASED.dll Master Thread

Hardware  Why does my 3DS take so long to turn off?

Translation Project  DQM2SP translation

General chit-chat
Help Users
  • No one is chatting at the moment.
    I @ idonthave: :)