Hacking [Q] N3DS/O3DS firmware downgrade -- earliest versions possible?

[Selver]

This is a relatively straightforward question.
Answers with details highly preferred (rather than yes/no). If no, please explain why?

It's now possible to downgrade either O3DS or N3DS to 9.2.0-X, but how far?

Let's presume that the SYSNAND has nothing of value (OK to format), there are no save games (OK to re-initialize), and no commercial games are of interest (no upgrade required).

Q1. What's the earliest version of firmware that can be downgraded to?

The O3DS obviously has much older firmware available than N3DS. If we presume that the user is fine losing all the N3DS features, including the extra memory:

Q2. What (if anything) would prevent loading an O3DS firmware onto N3DS (presuming OK to lose N3DS features, including the extra memory)?

Really, can v1.x or v2.x firmware (O3DS obviously) load on N3DS?

e.g., does the N3DS BOOTROM validating firmware signatures against a different certificate / cert chain than the O3DS BOOTROM?
e.g., does the O3DS firmware itself do some sort of hardware check that fails on N3DS?
e.g., does the O3DS require a section of the OTP area to contain specific values (after decryption)?

Thanks!

 

[jscjml]

9.3+ down to 9.2, then Gateway has their Downgrade from 9.2 to 4.5 (only for Old3DS obviously) you dont need to use the GW Red Card to do the downgrade itself though.

Although i dont see the point anymore (unless noone made a 9.2 .xorpad generator) since theres HomeMenuHax which imo is superior to the MSET exploit.

 

[Elveman]

There's a 2.0 firmware pack on the ISO site. Can it be used to downgrade 3DS to 2.0?
Should kinda try it on EmuNAND (although I have some doubts...)

 

[Urbanshadow]

There's a 2.0 firmware pack on the ISO site. Can it be used to downgrade 3DS to 2.0?
Should kinda try it on EmuNAND (although I have some doubts...)

What we are trying to tell you is if you don't have a reasonable objective in a firm that low there's no point in staying below 9.0-9.2 as most current exploits won't work.

 

[Elveman]

What we are trying to tell you is if you don't have a reasonable objective in a firm that low there's no point in staying below 9.0-9.2 as most current exploits won't work.

That's true but some things can be done just for fun
Yesterday I changed my EmuNAND region to Japan without any apparent reason so... why not?

 

[cearp]

downgrading isn't new, i showed it off a year ago, but now it is popular because it's useful for piracy

 

[Urbanshadow]

That's true but some things can be done just for fun
Yestertay I changed my EmuNAND region to Japan with no apparent reason so... why not?

So the "reasonably objective" is screwing around with your system for fun. Fair enough. I don't know if cfw could boot a firmware that low. Maybe cakes if you provide a firmware.bin and a cetk low enough but I don't even know where you can find those as NUSDown won't get you these.

 

[Syphurith]

What we are trying to tell you is if you don't have a reasonable objective in a firm that low there's no point in staying below 9.0-9.2 as most current exploits won't work.

If you want O3DS OTP dumped, and have proper ROP entrypoint from CN, Only 2.x and 1.x is for that. For most people this means nothing, cause the ROP isn't public. (Doubtful)

downgrading isn't new, i showed it off a year ago, but now it is popular because it's useful for piracy

Oh yes like what fail0verflow said on their "PS3 Epic Fall" talk. "Downgrading leads to more piracy." lol

Just have fun with it. If yours is hard-moded, you can play with those versions easily and freely. Even i doubt if there is downgrading blocking mechiasm inside FIRM after 10.4.

 

[Urbanshadow]

If you want O3DS OTP dumped, and have proper ROP entrypoint from CN, Only 2.x and 1.x is for that. For most people this means nothing, cause the ROP isn't public.

Yeah this is in fact the main of the reasonable objectives I was refering to.

 

[DjoeN]

The only reason to go down to 4.5/4.3 i think (i could be wrong on every point, but it's from my experience)

The downgrader for 10.3 to 9.2 is different then the Gateway downgrader, i think downgrading from 10.3 with sysupdater, it keeps all your stuff and nnid
I have the feeling it lefts you in some way with a frankenstein firmware, since only a few cia's get installed (most obvious, only those that changed from 9.2 to 10.3, still, we don't know)

If you downgrade from 9.2 then to 4.5 with the gateway downgrader (only for O3DS) everything gets wiped as far as i know, you have to set everything up again etc...
Then upgrading to 9.2, gives me the feeling the 9.2 is more stable then the 9.2 downgraded from 10.3
(yes i have 2 O3DSXL systems on 9.2, one downgraded to 9.2, then 4.5 with gateway, then upgraded back to 9.2 with sysupdater, the other one i kept on 9.2 from 10.3 downgrade.)

I have a few cia installed games problems and wierd settings problems on the 9.2 (10.3->9.2) but had not any problems with the 9.2 (10.3->9.2>4.5>9.2) with the same setup of games.

Stupid phone, wasn't finnished yet:
Note:

Yes i downgraded the other system afterwards also to 4.5 with gateway and upgraded again, all problems where gone!

 

[Urbanshadow]

If you downgrade from 9.2 then to 4.5 with the gateway downgrader (only for O3DS) everything gets wiped as far as i know, you have to set everything up again etc...

It's quite the opposite. Gateway downgrader is in fact known for not cleaning unused system titles when going from 9.2 to 4.5 while sysUpdater performs clean downgrades. The system extdata can be cleared at any time with a format.

 

[DjoeN]

It's quite the opposite. Gateway downgrader is in fact known for not cleaning unused system titles when going from 9.2 to 4.5 while sysUpdater performs clean downgrades. The system extdata can be cleared at any time with a format.

Well it's wierd, cause after downgrading the other system to 4.5 and then also back to 9.2 the problems where gone (well i'm sure it got fixed by doing that, cause 9.2 gets reinstalled again)

[EDIT]
Ow, and i find it a nice thing everything is kept after the 10.3 to 9.2 downgrade

 

[Urbanshadow]

Well it's wierd, cause after downgrading the other system to 4.5 and then also back to 9.2 the problems where gone (well i'm sure it got fixed by doing that, cause 9.2 gets reinstalled again)

Yeah it's obvious that you fixed it, but you were brave running gateway downgrade after a sysupdater half-downgrade. That could have went very wrong and it's even possible the dirty downgrade method used by gateway helped you on this feat. And then you made a clean update with normal sysupdater, fixing everything.

 

[DjoeN]

Yeah it's obvious that you fixed it, but you were brave running gateway downgrade after a sysupdater half-downgrade. That could have went very wrong and it's even possible the dirty downgrade method used by gateway helped you on this feat. And then you made a clean update with normal sysupdater, fixing everything.

Brave, not i did it on the system that was hardmodded and having a 10.3 and 9.2 NAND backup (yes i was smart enough doing a NAND bacup after every downgrade) helped alot to decide doing that (ow and the benefit is i now also have a 4.5 NAND backup

[EDIT]
But thank you @Urbanshadow for the explanation it's always fun to hear something i didn't know yet

 

[Urbanshadow]

Brave, not i did it on the system that was hardmodded and having a 10.3 and 9.2 NAND backup (yes i was smart enough doing a NAND bacup after every downgrade) helped alot to decide doing that (ow and the benefit is i now also have a 4.5 NAND backup

Haha you cheater . I wouldn't rely too much on that 4.5 NAND backup as could be in a working but very messed state, and if were you I would redo the 9.2 sysnand backup now that is fully working.

 

[DjoeN]

Haha you cheater . I wouldn't rely too much on that 4.5 NAND backup as could be in a working but very messed state, and if were you I would redo the 9.2 sysnand backup now that is fully working.

Yeah, i have done that to i keep all my nand backup stored by date on a seperate HDD just for 3DS nand backups and SD image backups
(got 7 systems to maintain, 1 O3DS 2 O3DS XL, 1 2DS, 1 N3DS and 2 N3DS XL)(some i aquired from ppl for cheap (€20-€50 each) and managed to get 1 new system out of 2 broken, but i bought 4 myself (for me and my kids) 3 systems i keep on latest FW (kids systems) they play online and don't want free pirated games, (but the're always happy when they get a free game (bought by somebody else) and somehow they don't want eShop games if there available as cartridge)

 

[MassExplosion213]

If you want O3DS OTP dumped, and have proper ROP entrypoint from CN, Only 2.x and 1.x is for that. For most people this means nothing, cause the ROP isn't public.

Oh yes like what fail0verflow said on their "PS3 Epic Fall" talk. "Downgrading leads to more piracy." lol

Just have fun with it. If yours is hard-moded, you can play with those versions easily and freely. Even i doubt if there is downgrading blocking mechiasm inside FIRM after 10.4.

There is a ROP for CN that is public that works.

 

[Selver]

If you want O3DS OTP dumped, and have proper ROP entrypoint from CN, Only 2.x and 1.x is for that.

There is a ROP for CN that is public that works.

Yes, I am interested in understanding what's in the OTP, and even what is in the bootrom.

So is the ROP only for CN firmware(?!) or is it from CN?
Is there anything in the 2.x firmware (or N3DS bootrom) that would prevent the successful use of 2.x firmware on a N3DS?
Has the bootrom code itself become public?

Thank you!

 

[Syphurith]

Yes, I am interested in understanding what's in the OTP, and even what is in the bootrom.
So is the ROP only for CN firmware(?!) or is it from CN?
Is there anything in the 2.x firmware (or N3DS bootrom) that would prevent the successful use of 2.x firmware on a N3DS?
Has the bootrom code itself become public?
Thank you!

Unfortunately I don't know much about it. You have to find or tag Normatt for it. Do not forget to ask politely, he is a good man (yes sdmmc.c in most CFW is his work).
The only thing i can tell is that, CubicNinja(SKY) provides a entrypoint in ROP(its QR level) for every firmware that can run it - and it only askes for 1.0.0+ (wtf).
Not saying 2.x firmware, but that flaw (not locking up OTP section) is fixed in FIRM 3.0+. So you have to get your system version lower than that.
This only works for O3DS, since it can not be this low for N3DS. Yup i don't know how they did that, or they just dumped the key but no OTP.
If you can contact Normatt don't forget to ask if there is some other things (such as your console-unique keys, maybe) you can dump on that version. Good luck.