Toggle sidebar

Hacking 3DS unbricking progress

  • Thread starter Thread starter krisztian1997
  • Start date Start date
  • Views Views 376,350
  • Replies Replies 1,233
  • Likes Likes 32
Status
Not open for further replies.
bkifft said:
ryuga93 krisztian1997

isn't the voltage selector switch used to select the incoming signal level? (just asking as i dont know for sure and wasn't able to get any google hits on it and that would make more sense to me as SD's run allways at 3.3V).
Click to expand...

Me and ryuga has a different shield, our one needs both 5v and 3v3 to be connected for some reasons...
 
Little observation about the password for unlocking...
GW wanted users to send their 3DS AND GW card, surely there's a clue here. The password to unlock could likely be system specific and stored on the GW card somewhere...
 
spinal_cord said:
Little observation about the password for unlocking...
GW wanted users to send their 3DS AND GW card, surely there's a clue here. The password to unlock could likely be system specific and stored on the GW card somewhere...
Click to expand...

don't think so, as the region free patch shouldn't be able to trigger the lock then (as the red card doesn't work while using it).

also if i remember correctly they ask to also send in the NAND backup which suggests they prefer to do the force erase instead the individual unlock (which as it stands now seems to need the generation of the console specific password on a working 3DS using the CID of the locked eMMC and is therefore way more complicated).
 
bkifft said:
don't think so, as the region free patch shouldn't be able to trigger the lock then (as the red card doesn't work while using it).

also if i remember correctly they ask to also send in the NAND backup which suggests they prefer to do the force erase instead the individual unlock (which as it stands now seems to need the generation of the console specific password on a working 3DS using the CID of the locked eMMC and is therefore way more complicated).
Click to expand...

Too bad, I had hoped there would be an easy way to determine the password. I don't think there is a limit to the number of attempts you can try, so someone yet might crack the password scheme.
 
Mr_Pichu said:
Too bad, I had hoped there would be an easy way to determine the password. I don't think there is a limit to the number of attempts you can try, so someone yet might crack the password scheme.
Click to expand...
Cracking the password is gonna take forever... its 16 bytes = 128 bits = 2^128 combinations (I think thats how its calculated)
 
Since you guys seem to know a lot about the technical specs of the 3DS, can any of you answer this question; Can the 3DS really update he FPGA of the Pro ASIC chip inside flashcarts, or not?
Ratman9977 says that it can't.

Ratman9977 said:
Gateway can't update the FPGA at all -- it's impossible without a JTAG debugger, which the nintendo 3ds is not. The best they could do -- is if they used a softcore with an external rom containing the code -- is to update that via SPI. In that case, the clones would be able to perform the same action.
Click to expand...
Ratman9977 said:
Gateway can only use those JTAG inputs with an external tool to program the FPGA. The 3DS itself is not a JTAG programmer, therefore the FPGA design cannot be updated on either the Gateway or clones from the 3DS itself.
Click to expand...
 
depends on if they really used the maximal possible key length or just the 4 byte CID. i haven't tried how long an unlock request takes but pulling a number out of thin air let's say 100 per second are possible (eMMC communication is quite slow).

2^32 combinations / 100 per second would still take about a year and a half.

edit: to try all combiantions that is, if i remember my cryptography courses right realisticly one only needs to try 2^31 (birthday paradoxon)

scratch that, the CID is 16 byte -.-
 
spinner09 said:
Since you guys seem to know a lot about the technical specs of the 3DS, can any of you answer this question; Can the 3DS really update he FPGA of the Pro ASIC chip inside flashcarts, or not?
Ratman9977 says that it can't.
Click to expand...

The communication between the card and the 3DS is almost the same like the SD communication, I am not an expert myself but I dont think that the 3DS can reprogram the FPGA, but maybe they will update it in a different way.
 
I'm not an expert too,the only fpga touched so far is the altera cyclone IV chip,and to reprogram the altera chip a "USB blaster" is needed to upload the code,which includes JTAG.so probably they will do the update through the sd card or rom
 
bkifft said:
don't think so, as the region free patch shouldn't be able to trigger the lock then (as the red card doesn't work while using it).

also if i remember correctly they ask to also send in the NAND backup which suggests they prefer to do the force erase instead the individual unlock (which as it stands now seems to need the generation of the console specific password on a working 3DS using the CID of the locked eMMC and is therefore way more complicated).
Click to expand...

A couple of hours before my 3DS bricked, I had some files written to my SD card (SD card in 3ds unit). Any chance these could lead to information or clues to unlocking.

In root folder of SD card the following directory created
Nintendo 3DS\820160a5d3398b6daa15eeee9e5814ac\c19d00ca311097003030303000284245\extdata\00000000\00000098\00000000\

with 5 files (no type extension)
00000001
00000002
00000003
00000004
00000005

Files size range from 17KB to 5024KB.

I'm guessing these are probably game saves but wanted to make sure they weren't anymore useful.
 
helpwith3ds said:
A couple of hours before my 3DS bricked, I had some files written to my SD card (SD card in 3ds unit). Any chance these could lead to information or clues to unlocking.

In root folder of SD card the following directory created
Nintendo 3DS\820160a5d3398b6daa15eeee9e5814ac\c19d00ca311097003030303000284245\extdata\00000000\00000098\00000000\

with 5 files (no type extension)
00000001
00000002
00000003
00000004
00000005

Files size range from 17KB to 5024KB.

I'm guessing these are probably game saves but wanted to make sure they weren't anymore useful.
Click to expand...

Do you have any file on the 3ds card which has a weird date ?
 
bkifft said:
ryuga93 krisztian1997

isn't the voltage selector switch used to select the incoming signal level? (just asking as i dont know for sure and wasn't able to get any google hits on it and that would make more sense to me as SD's run allways at 3.3V).
Click to expand...

What switch? XD the arduino Works with 5v signal levels wich would kill the Sd and the resistor voltage dropper does the Job unsafely. Thats why the logic level shifter is mandatory. You put 3.3v to the ref pin (vcc) then all signals on the A pins are converted down to a stable 3.3v and a stable current onthe B pins
 
greyneon said:
What switch? XD the arduino Works with 5v signal levels wich would kill the Sd and the resistor voltage dropper does the Job unsafely. Thats why the logic level shifter is mandatory. You put 3.3v to the ref pin (vcc) then all signals on the A pins are converted down to a stable 3.3v and a stable current
Click to expand...

Some SD shields have a switch, what you use to select the voltage on + pin on that shield.
 
Status
Not open for further replies.

Site & Scene News

Go to forum More news

Popular threads in this forum

Why did the price of 3ds shoot up ?

Hacking Homebrew Project  BlazerTube - a YouTube 3DS revival using the REAL app!

[WIP] SMW 3DS Port - Early Playable Demo by ZalgonEn

Problems getting Homebrew to appear outside of the Homebrew Launcher (homebrew won't appear on the HOME menu)

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Website for finding alternative games for 3DS

Homebrew  [Progress update] LCE Minecraft 3ds

Gaming  any good rpgs on 3ds?