Hacking A new method for spoofing e-shop 007-2404 on <10.0 emuNAND

MelonGx

Well-Known Member
OP
Member
Joined
Jan 8, 2009
Messages
1,653
Trophies
1
XP
915
Country
China
The method was discovered by fwc2618 and contributed to by everyone in this thread.

1) DL the latest "tiger" and "NVer" with 3DNUS.
(If you don't know what tiger / NVer are, please search for them on 3dbrew.org's Title List page)
2) Install "tiger" and "NVer" with BigBlueMenu in GW emuNAND.
3) Launch FreeMultiPatcher.
Done.

It has been tested and works on GW 3.4.1 N3DS emuNAND 9.5.
No more bothering with HANS!

Warning: It's GW 3.4.1 only!
rxTools, CakesFW, ReiNAND can't use it!
They are still required to bother with HANS (+NVer).
 
Last edited by MelonGx,

xdaniel

Well-Known Member
Newcomer
Joined
Sep 14, 2015
Messages
53
Trophies
0
Age
37
Website
twitter.com
XP
130
Country
Gambia, The
Did something similar on O3DS 9.9 EmuNAND, booted via rxTools a few days ago - and yes, I could've just updated the whole thing to 10.2, but I felt like experimenting. Downloaded the latest eShop and mint eShop applet CIAs, installed them via sysUpdater, and I could browse and download from the eShop again (edit: still using Free Multi Patcher). Haven't tested buying content or adding funds or anything like that, but I don't see a reason why that should fail... tho I'm not a "professional" at this at all, so I don't know. I mean, I wasn't even sure if this would work in the first place, sooo... yeah.
 
Last edited by xdaniel,

bache

Well-Known Member
Member
Joined
Sep 28, 2009
Messages
694
Trophies
1
XP
515
Country
For what it's worth, it worked fine with GW3.4 for me.
I was about to try and create a firmware spoofed CIA, but it dawned on me that I don't know how to create exheaders for system titles that don't install data to the SD:\Nintendo 3ds\<ID1>\<ID2> folder. Can anybody point me in the right direction?
 
Last edited by bache,

Aroth

Well-Known Member
Member
Joined
Apr 14, 2015
Messages
2,066
Trophies
0
Age
37
XP
891
Country
United States
For what it's worth, it worked fine with GW3.4 for me.
I was about to try and create a firmware spoofed CIA, but it dawned on me that I don't know how to create exheaders for system titles that don't install data to the SD:\Nintendo 3ds\<ID1>\<ID2> folder. Can anybody point me in the right direction?

I imagine it would involve using something like rxTools to dump system titles from the nand, but beyond that I do not know.
 

Syphurith

Beginner
Member
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
It freezes at 3DS logo.
Yes you are right.
1. Any unsigned copy of this APP would not work. So you lose the modifications.
2. Without modification you cannot spoof firmware or do anything more, and with a legacy system version, the new eShop would refuse to run.
Oh.. It would be good if CFW embedded an internal firm spoofing, or even patched this sig check.
Yeah, I don't really care about this.. I could get patches somewhere else, and mine is an O3DS, so I can use the latest version.
Another sig check, oh damn it ninty!
 

Aroth

Well-Known Member
Member
Joined
Apr 14, 2015
Messages
2,066
Trophies
0
Age
37
XP
891
Country
United States
Yes you are right.
1. Any unsigned copy of this APP would not work. So you lose the modifications.
2. Without modification you cannot spoof firmware or do anything more, and with a legacy system version, the new eShop would refuse to run.
Oh.. It would be good if CFW embedded an internal firm spoofing, or even patched this sig check.
Yeah, I don't really care about this.. I could get patches somewhere else, and mine is an O3DS, so I can use the latest version.
Another sig check, oh damn it ninty!

Unsigned copies only do not work in sysnand without sig checks patched.

If you are running any CFW that does patch signature checks (rxTools, Reinand, Pasta, GW, etc) then you can modify it all you want and it WILL still run.

The reason GW users can install and use the latest versions of tiger and mint while other CFW users get an infinite loading screen is because of the way GW patches the firmware check that every app runs on launch. Afaik the other CFWs do not do that yet, and any attempt to run a title that requires X firmware when you are on a lower one will result in an infinite loading screen.

Note that this is different than the "update check" that is run on attempting to sign into your NNID. FreeMultiPatcher was designed to get around the update check, but not actual firmware checks.
 

Syphurith

Beginner
Member
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
Note that this is different than the "update check" that is run on attempting to sign into your NNID. FreeMultiPatcher was designed to get around the update check, but not actual firmware checks.
Yes, it might be the firmware check.
Since it has a Bit 21 in its Exheader descriptor which is documented on 3dbrew as a 9.6.0 FIRM mark.
So yeah, what stopped me is not the sig check (with rxtools).
Well, hope this could be solved - even if I do not go to the eShop.
 

Aroth

Well-Known Member
Member
Joined
Apr 14, 2015
Messages
2,066
Trophies
0
Age
37
XP
891
Country
United States
Yes, it might be the firmware check.
Since it has a Bit 21 in its Exheader descriptor which is documented on 3dbrew as a 9.6.0 FIRM mark.
So yeah, what stopped me is not the sig check (with rxtools).
Well, hope this could be solved - even if I do not go to the eShop.

Well, we can build cias for games with altered firmware checks, so I assume we can do the same for system titles. If someone were to build a spoofed cia for the latest eshop then in theory we would be able to install that and it would run as long as you are attempting to run it on a CFW with signature checks patched.

I am currently working on that atm, but most of the tools and tutorials for decrypting and rebuilding titles is specifically for games/dlc stored on the SD card, and system titles like tiger and mint are in the NAND itself.
 

Syphurith

Beginner
Member
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
Well, we can build cias for games with altered firmware checks, so I assume we can do the same for system titles. If someone were to build a spoofed cia for the latest eshop then in theory we would be able to install that and it would run as long as you are attempting to run it on a CFW with signature checks patched.

I am currently working on that atm, but most of the tools and tutorials for decrypting and rebuilding titles is specifically for games/dlc stored on the SD card, and system titles like tiger and mint are in the NAND itself.
You can decrypt it with Decrypt9. However, even installing a decrypted CIA would not let you run the eShop.
Eh.. If you want to try, just try it. I have merged the newest contents into the older one and rebuilt the CIA before. However, it didn't let me pass. Orz
 

Aroth

Well-Known Member
Member
Joined
Apr 14, 2015
Messages
2,066
Trophies
0
Age
37
XP
891
Country
United States
You can decrypt it with Decrypt9. However, even installing a decrypted CIA would not let you run the eShop.
Eh.. If you want to try, just try it. I have merged the newest contents into the older one and rebuilt the CIA before. However, it didn't let me pass. Orz

Can't decrypt it without xorpads and I haven't found a way to generate valid xorpads for a system title that is installed to the nand. I think with rxTools you can dump/decrypt system titles, but you end up with a titleid.app file that I have no idea what to do with. The tutorial I found for unpacking and repacking cia files appears to apply only to games and their updates, or at the very least only to titles installed on the SD card itself rather than the nand.

Either way the "fix" won't be a matter of simply decrypting the cia and/or merging contents or anything like that. The exheader for the title contains a piece of data that tells the system what the minimum required firmware is. This data is a set of 4 hex values (0x####) that needs to be altered. For example a title that requires 9.5 has 3102 in that address. A title that requires 9.2 would have 2E02. I am not sure what it would read for a title that requires 10.0 like the latest tiger probably does, but it is in the same place for all titles. It simply needs to be changed to something like 2E02 so that the title will launch and pass the check.

Now it may very well still crash because of compatibility issues with other older titles in the nand, idk. It is a risk that always accompanies a frankenstein firmware like we are talking about making. Which is why you never attempt such a thing on sysnand without a hardware mod and a valid nand backup.

Basically any fix we come up with here will ONLY work for users on 9.2 or lower and should never be attempted on sysnand directly. Before anyone complains, if you have a sysnand in that range and don't want to update you should be using emunand, and if you are 9.3 or higher you should just go ahead and update to 10.0. At this point there is very, VERY, little chance of a kernel exploit showing up for 9.3-9.9.
 
Last edited by Aroth,
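To make the post above concrete, here is an added example (not code from the thread or from any 3DS tool) that decodes the two bytes the post describes and evaluates the launch check the way the post explains it: a title whose required kernel is newer than the running one fails and hangs on the loading screen. It assumes the field is the little-endian kernel release version (byte 0 = minor, byte 1 = major) as documented on 3dbrew, which is consistent with the thread's values 2E02 (9.2, kernel 2.46) and 3102 (9.5, kernel 2.49).

```python
from dataclasses import dataclass

# Kernel version encoded as (major, minor); order=True gives tuple comparison,
# so KernelVersion(2, 46) < KernelVersion(2, 49) as expected.
@dataclass(frozen=True, order=True)
class KernelVersion:
    major: int
    minor: int

    @classmethod
    def from_field(cls, field: bytes) -> "KernelVersion":
        # Assumed layout (3dbrew kernel-release-version descriptor): byte 0 = minor,
        # byte 1 = major, stored little-endian.  "31 02" -> major 2, minor 0x31 = 49.
        if len(field) != 2:
            raise ValueError("minimum-kernel field is exactly 2 bytes")
        return cls(major=field[1], minor=field[0])

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}"

# System versions the thread states for these kernel versions (constructed table,
# only the two values the post gives; anything else is reported as "unknown").
FIRM_BY_KERNEL = {
    KernelVersion(2, 0x2E): "9.2",
    KernelVersion(2, 0x31): "9.5",
}

def required_firm(title_field: bytes) -> str:
    """Human-readable minimum system version for a title's 2-byte field."""
    return FIRM_BY_KERNEL.get(KernelVersion.from_field(title_field), "unknown")

def launch_check_passes(title_field: bytes, running: KernelVersion) -> bool:
    """True when the running kernel is at least the title's minimum.

    This is the check the post attributes to the 'infinite loading screen':
    a 9.2 console (kernel 2.46) launching a title that wants 9.5 (2.49) fails.
    """
    return running >= KernelVersion.from_field(title_field)

def describe(title_field: bytes, running: KernelVersion) -> str:
    need = KernelVersion.from_field(title_field)
    verdict = "launches" if launch_check_passes(title_field, running) else "hangs"
    return f"title needs kernel {need} ({required_firm(title_field)}), running {running}: {verdict}"

if __name__ == "__main__":
    print(describe(bytes.fromhex("3102"), KernelVersion(2, 0x2E)))  # 9.5 title on 9.2
    print(describe(bytes.fromhex("2E02"), KernelVersion(2, 0x31)))  # 9.2 title on 9.5
```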

Syphurith

Beginner
Member
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
Can't decrypt it without xorpads and I haven't found a way to generate valid xorpads for a system title that is installed to the nand. I think with rxTools you can dump/decrypt system titles, but you end up with a titleid.app file that I have no idea what to do with. The tutorial I found for unpacking and repacking cia files appears to apply only to games and their updates, or at the very least only to titles installed on the SD card itself rather than the nand.

Either way the "fix" won't be a matter of simply decrypting the cia and/or merging contents or anything like that. The exheader for the title contains a piece of data that tells the system what the minimum required firmware is. This data is a set of 4 hex values (0x####) that needs to be altered. For example a title that requires 9.5 has 3102 in that address. A title that requires 9.2 would have 2E02. I am not sure what it would read for a title that requires 10.0 like the latest tiger probably does, but it is in the same place for all titles. It simply needs to be changed to something like 2E02 so that the title will launch and pass the check.

Now it may very well still crash because of compatibility issues with other older titles in the nand, idk. It is a risk that always accompanies a frankenstein firmware like we are talking about making. Which is why you never attempt such a thing on sysnand without a hardware mod and a valid nand backup.

Basically any fix we come up with here will ONLY work for users on 9.2 or lower and should never be attempted on sysnand directly. Before anyone complains, if you have a sysnand in that range and don't want to update you should be using emunand, and if you are 9.3 or higher you should just go ahead and update to 10.0. At this point there is very, VERY, little chance of a kernel exploit showing up for 9.3-9.9.
I said you can decrypt a CDN CIA using Decrypt9. That is "Decrypt CIA (deep)" inside its last menu option "Game decryptor". You need @d0k3 's.
Yes, it would never be so easy to just merge them. However, even to embed an update CIA into a game, you must modify the exheader with tools.
And, before you can do something to it, you can download the original with 3DNUS (double encrypted), copy it for a backup and make it decrypted.
You can then try installing them to see which one would work. At least I've installed a decrypted CIA to overwrite it before..
Note: It is CTR-N-HGRJ for Japan. If you are in other regions it is likely to be CTR-N-HGR[E/U], in case you want to uninstall it from NAND with FBI.
Hrm, I installed the latest "tiger" and it hangs on the 3ds screen. Oh well.
Not surprised. The newest asks in its Exheader for Bit 21 to be set, which is done in NATIVE_FIRM 9.6+.
If what you own is an old 3DS there is no actual problem for you to get the latest emunand and access the eShop.

I highly doubt GW simply lets the system think all bits in the exheader are valid.. Nevermind, I don't own a GW.
 
Last edited by Syphurith,

Aroth

Well-Known Member
Member
Joined
Apr 14, 2015
Messages
2,066
Trophies
0
Age
37
XP
891
Country
United States
I said you can decrypt a CDN CIA using Decrypt9. That is "Decrypt CIA (deep)" inside its last menu option "Game decryptor". You need @d0k3 's.
Yes, it would never be so easy to just merge them. However, even to embed an update CIA into a game, you must modify the exheader with tools.
And, before you can do something to it, you can download the original with 3DNUS (double encrypted), copy it for a backup and make it decrypted.
You can then try installing them to see which one would work. At least I've installed a decrypted CIA to overwrite it before..
Note: It is CTR-N-HGRJ for Japan. If you are in other regions it is likely to be CTR-N-HGR[E/U], in case you want to uninstall it from NAND with FBI.

Not surprised. The newest asks in its Exheader for Bit 21 to be set, which is done in NATIVE_FIRM 9.6+.
If what you own is an old 3DS there is no actual problem for you to get the latest emunand and access the eShop.

I highly doubt GW simply lets the system think all bits in the exheader are valid.. Nevermind, I don't own a GW.
Actually that is probably exactly what GW does. Nearest I can tell you never run into an issue with a cia title (game, dlc, update or system) not loading because of a firmware check. Give me a bit and I will even test it.

--------------------- MERGED ---------------------------

Updating "tiger" (0004001000021900) on 9.5.0-23U emunand results in an infinite loading screen on rxTools (10-2 nightly).

Same result for Reinand.

GW has no loading screen hang. Shop loads just fine, even with the latest tiger version.

Clearly GW patches something in the firmware to bypass such checks. This patch (or patches since it is probably more than one) is likely the same reason we cannot use things like sysupdater in GW mode but we can with rxTools, Reinand and Pasta.

Either way it is clear how to fix this for N3DS users who do not have a GW cart. We need to decrypt and repack the latest tiger cia file with the exheader patched to pass the fw check.

edit:

Took the time to find a random free game to download to test things and I keep getting 007-6106 once the download tries to finalize. According to Nintendo this error means "an error occurred while attempting to connect to the Nintendo eShop. Please try again later". Unfortunately at this time I cannot be 100% certain if the issue is because we are doing weird things like installing a new system title on an old firmware, or if it is because of my own internet (or possibly a problem with the eshop itself atm). It is also possible that the problem is because I only updated tiger and not mint.
 
Last edited by Aroth,