Hacking Downgraded emuNAND

[Slashmolder]

Really I never found any bricking code in the 2.1 firm. Mind giving me a memory address or something?

 

[dubbz82]

I k

well in there 2.0 b2 there was one check that triggered the brick code in the firm code also there is a way to trigger that brick code in the menu in 2.1 (it is now better obfuscated in 2.1). There are also checks in the firm in 2.1 but I don't know where it ends as it is better obfuscated but I think it end up in the brick install.

add Better safe than sorry

If it did check NAND checksums, every time a new update came out, EmuNAND would break...

 

[ichichfly]

I k


If it did check NAND checksums, every time a new update came out, EmuNAND would break...

Well I have no idea why but a part of the checksum was in an array that depends on data that gets loaded from the NAND it is not much but well it looks like that one part is always the same currently I don't know if it stay the same in Data before 4.X also some patches break when the plates are not found (using any other menu Version).

also the NATIVE_FIRM is always loaded form the Launcher.dat

 

[dubbz82]

My guess is still worst case scenario, the emuNAND breaks...either way though, it should be an interesting experiment

 

[Bond697]

well in there 2.0 b2 there was one check that triggered the brick code in the firm code also there is a way to trigger that brick code in the menu in 2.1 (it is now better obfuscated in 2.1). There are also checks in the firm in 2.1 but I don't know where it ends as it is better obfuscated but I think it end up in the brick install.

add Better safe than sorry

where in their firm code/patches/payloads is there brick code? an address is fine. we found it in the launcher, but i don't recall seeing it in their supplied firm0.

 

[Apache Thunder]

Does the mmset exploit even exist in the old 1.1 firmware? Some exploits show up as a result of a firmware update, and not necessarily something that crops up on a launch console at release.

There's two stages to the current exploit I believe. Even if the msett exploit exists in 1.1, the ROP chain exploit used later to load custom code might not work in that old a firmware. You'd basically be back at square one and have to search for a new exploit all over again. You're better off updating to 4.5 using a retail cart that requires it.

The current 4.5 exploit gives us pretty much all access to the console. Having an older firmware wouldn't give you more unless there's an exploit in the non-rewritable bootrom area (the area that probably stores the private encryption key). But even then, if a method is found to get that key, it could probably be done from 4.5 or newer exploit anyways...

 

[loco365]

Does the mmset exploit even exist in the old 1.1 firmware? Some exploits show up as a result of a firmware update, and not necessarily something that crops up on a launch console at release.

There's two stages to the current exploit I believe. Even if the msett exploit exists in 1.1, the ROP chain exploit used later to load custom code might not work in that old a firmware. You'd basically be back at square one and have to search for a new exploit all over again. You're better off updating to 4.5 using a retail cart that requires it.

The current 4.5 exploit gives us pretty much all access to the console. Having an older firmware wouldn't give you more unless there's an exploit in the non-rewritable bootrom area (the area that probably stores the private encryption key). But even then, if a method is found to get that key, it could probably be done from 4.5 or newer exploit anyways...

I know that it probably won't work on 1.1. I plan to back up 1.1 and upgrade to 4.X, then install an emuNAND with 1.1.

 

[The Real Jdbye]

So I managed to score a 1.1.0 3DS on Kijiji the other day, and I'm going to be paying for it next week. I'm thinking on doing the SD NAND mod to back up the 1.1 NAND so I can downgrade to it whenever, however, I'd like to try doing something different as a workaround, if that's possible. What I'd like to do, is set up an emuNAND, then take the emuNAND that the Gateway launcher made (That would have 4.X), and replace it with the 1.1 NAND (Mostly for the OK GO video) I made manually.

Has anyone tried this, and would something like this work properly? Or would the emuNAND break catastrophically?

I don't think anyone has tried it, but it's plausible. I doubt anyone has even thought to try it, as it's not terribly useful.
Some things will definitely be broken, and the emuNAND may not work at all. Gateway's patches most definitely won't work but if you can do without the things those enable (and it doesn't completely break the firmware when they are not working) then it could work for your purposes.

As you would have a hardware NAND dumping setup anyway recovering from a brick caused by Gateway's code like ichfly explained would only be an inconvenience.

But the question is, why? Why would you go through all tha trouble just to watch a video that you can watch right now without any of that hassle? The video's not that great that it's worth keeping and watching over and over.

 

[loco365]

I don't think anyone has tried it, but it's plausible. I doubt anyone has even thought to try it, as it's not terribly useful.
Some things will definitely be broken, and the emuNAND may not work at all. Gateway's patches most definitely won't work but if you can do without the things those enable (and it doesn't completely break the firmware when they are not working) then it could work for your purposes.

As you would have a hardware NAND dumping setup anyway recovering from a brick caused by Gateway's code like ichfly explained would only be an inconvenience.

But the question is, why? Why would you go through all tha trouble just to watch a video that you can watch right now without any of that hassle? The video's not that great that it's worth keeping and watching over and over.

Well, it'd probably be more than just the video, since from there, I can use any firmware for various flashcards as well.

 

[gamesquest1]

Well, it'd probably be more than just the video, since from there, I can use any firmware for various flashcards as well.

if you mean NDS flashcards, they don't work in emunand

 

[Apache Thunder]

Yeah I think you have to be in "Classic Mode" for retail carts (that includes other flashcarts) to work correctly. I don't know if that mode will work on a 1.1 firmware and I don't know if you can use it in emunand or not.

 

[loco365]

Well, I guess with all the hassle that is setting up this emuNAND, I'm just going to stick to keeping an emunand of 4.1. I just picked up the 3DS and I've so far updated it to 2.2U, I don't have any 4.X games besides Animal Crossing, which has 4.5 and won't work with my AK2i.

 

[zhdarkstar]

Well, I guess with all the hassle that is setting up this emuNAND, I'm just going to stick to keeping an emunand of 4.1. I just picked up the 3DS and I've so far updated it to 2.2U, I don't have any 4.X games besides Animal Crossing, which has 4.5 and won't work with my AK2i.

I just checked http://3ds.essh.co/ and found a bunch of games that come with 4.1 on them. If you don't have any of those games, then you can go to your local used game store and use a little social engineering to get your 2.2 3DS updated if they have any of the games on the list. All you gotta do is ask them if you could test the cartridge out to make sure that it works properly. Insert cart, update to 4.1, hand cart back to clerk with excuse that you didn't want the game after all.

 

[loco365]

I just checked http://3ds.essh.co/ and found a bunch of games that come with 4.1 on them. If you don't have any of those games, then you can go to your local used game store and use a little social engineering to get your 2.2 3DS updated if they have any of the games on the list. All you gotta do is ask them if you could test the cartridge out to make sure that it works properly. Insert cart, update to 4.1, hand cart back to clerk with excuse that you didn't want the game after all.

I have friends that have 4.1 games, so I'll probably bug them tomorrow.