Hacking 3DS unbricking progress

[mitroux]

hhh , weren't those used to flash phones? i used one of those to rip games from dreamcast , and still have some , besides i think it's the best bet since all the I/O of arduino due are just 3.3v
another idea for testers : isn't replacing the embeded 3ds nand with an external mmc card work? using it on a slot , i wonder if there is any limitations , also it would be helpfull for those who want to change firmware versions by just unpliging mmcs

 

[mitroux]

how to dump the entire chip then?

 

[boyjkp]

Thank you very much! bkifft
My 3ds (small) Brick Come back Work from code you

 

[bkifft]

Thank you very much! bkifft
My 3ds (small) Brick Come back Work from code you

Glad to hear and very welcome.

(Oh, and please don't forget step 18 from the guide. *nudge nudge wink wink*)

 

[greyneon]

hhh , weren't those used to flash phones? i used one of those to rip games from dreamcast , and still have some , besides i think it's the best bet since all the I/O of arduino due are just 3.3v
another idea for testers : isn't replacing the embeded 3ds nand with an external mmc card work? using it on a slot , i wonder if there is any limitations , also it would be helpfull for those who want to change firmware versions by just unpliging mmcs

The eMMC and Sd cards work Only at 3.3v hence why thé max232 wont work. Which is an old and still used serial protocol. About the idea of having an Sd card or similar as te nand is theoretically doable if you can make a microcontroller speak thé Language of thé 3ds. Practically i dont know. Working on it atm acctually (on paper atm)

 

[mitroux]

i doubt an SD card will work , but the idea is to remove the onbard 3ds emmc , and root wires (most of them are easy to solde) to an mmc adaptor , have different backups of the emmc to different mmxc cards, if you need to switch bios , just swith mmc cards(just unplug and plug)
what can be a problem is the size of the mmc (2gb , but just 1gb is showing)..maybe the hidden or unpartioned left space is used for other tasks , or a futur options

 

[bkifft]

do you happen to have a source for the 2GB? as the two nand types i've seen logs for (which should be all that are used in the 3DS) report themselves to be 1GB-ish.

And as far as i know (warning: hearsay, as i haven't done any reverse engineering on the 3DS system software) it checks the eMMC's CID (the unique serial number) on boot. So one would need an replacement (e)MMC with a writeable CID, which would go against the specifications (although I've seen some offers for those on aliexpress, I wouldn't trust the reliability of those devices).

 

[krisztian1997]

do you happen to have a source for the 2GB? as the two nand types i've seen logs for (which should be all that are used in the 3DS) report themselves to be 1GB-ish.

And as far as i know (warning: hearsay, as i haven't done any reverse engineering on the 3DS system software) it checks the eMMC's CID (the unique serial number) on boot. So one would need an replacement (e)MMC with a writeable CID, which would go against the specifications (although I've seen some offers for those on aliexpress, I wouldn't trust the reliability of those devices).

They are 1gb but samsung doesnt wants to share the datasheet with us, so we used the datasheet from a 2gb nand chip with the same controller just different size

 

[mitroux]

bkift , just chek the datasheet , it has been posted many times , here is a link to datasheet
http://web3032.sh1.magic2008.cn.m1.magic2008.cn/uFile/3032/201144131450191.pdf
2GB KLM2G1DEHE-B101 16Gb MLC x 1

 

[Moquedami]

check the conversation, I believe the 0xFF is the awake from idle (CS high) from the SPI_OUTemmc pin. It may be currently waiting for activity from the controller's SPI_OUTarduino

(the first 0xFF that appears right after 11 * 8 bits = 88 cycles on CS high while emmc controller is idle)

Anyone have an idea about this? I think may be on the way to something.
Now two different 3ds with different eMMCs are responding the same way to the code.

 

[mitroux]

They are 1gb but samsung doesnt wants to share the datasheet with us, so we used the datasheet from a 2gb nand chip with the same controller just different size

how couldn't you get the datasheet , it was so easy to find it using google

 

[bkifft]

bkift , just chek the datasheet , it has been posted many times , here is a link to datasheet
http://web3032.sh1.magic2008.cn.m1.magic2008.cn/uFile/3032/201144131450191.pdf
2GB KLM2G1DEHE-B101 16Gb MLC x 1

CSD: 00904700320F5903AEFFFFFFE1824010, the size calculation is a bit finicky (see JEDEC Standard No. 84-A441 page 120).

It's 1GB(ish).

how couldn't you get the datasheet , it was so easy to find it using google

because the datasheet you linked isn't the datasheet of the used chip, but one for a sibling of it (same chip family, different size)

 

[mitroux]

so you are saying that this datasheet is fake?for me it looks real , and reading it it states clearly it's a 2gb , maybe it's something reated to boot area partitions (see page 10 of the datasheet)

 

[kyogre123]

so you are saying that this datasheet is fake?for me it looks real , and reading it it states clearly it's a 2gb , maybe it's something reated to boot area partitions (see page 10 of the datasheet)

lol at "saying it is fake"... not even remotely related to what he said.

The NAND of the 3DS is about 1Giga-Byte (1x10^9) or a bit less than that.

 

[mitroux]

bkifft , my 3ds have this chip KLM2G1DEHE-B101 bundled in it and my 3dsxl has the toshiba THGBM4G3P1HBAIR , both chips are 2gb , if you don't believe me , i can post picsof both boards , and maybe that explains why some people got success with erasing their mmc while others can't

 

[mitroux]

http://www.datasheetarchive.com/dl/Datasheets-UD7/DSARS0015839.pdf

 

[bkifft]

bkifft , my 3ds have this chip KLM2G1DEHE-B101 bundled in it and my 3dsxl has the toshiba THGBM4G3P1HBAIR , both chips are 2gb , if you don't believe me , i can post picsof both boards , and maybe that explains why some people got success with erasing their mmc while others can't

if you are able to take good enough high res pictures to read the chip imprint i'd love those (not that i don't trust you, all the pics i always come up with are to low res to read shit).

but the fact remains: the chips report themselves to be 1GB. In case you don't want to do the calculation by hand (and by god i don't want to do it again) just check the linux kernel output (dmesg) when you plug your 3DS (XL) in a regular SD reader and run linux.

 

[Elusivo]

If a hidden partition existed, the force erase would reveal it (the extra space available) no? as it would delete everything and any volume in it.

 

[ASUS]

When I put the SD adapter into the reader.

 

[bkifft]

If a hidden partition existed, the force erase would reveal it no? as it would delete everything and any volume in it.

in fact there are "hidden partitions" (at least they don't show up on windows): 2 1MB boot partitions and one 512kB replay attack proof storage. But they are all unused (the BOOTs are 0xF, the RAsomethingsomething is 0x0). And in the context SD/(e)MMC the word partition is a bit misleading: it's not like a regular HD partition (one physical drive chopped up) but are seen from the outside as physically independent data areas (kinda like a PC can have a HD and a floppy drive).