Dissecting a downgraded 2ds NAND [Advanced, Witchhunt]

Urbanshadow

Hi guys, I'm still wondering what's up with my downgraded 2ds unit. A little situation first: I downgraded it using TuxSH's downgrader with the corresponding 9.2.0-20E full update set. The downgrade was done from 10.3.0-28E. An emunand of the downgraded system was made and then updated to 10.3.0-28E. The downgrade-check homebrew says sysnand is ok, so NATIVE_FIRM appears to be running the desired version, but I still don't think everything is all right.

Main issue appears to be coming in two fronts, all in emunand:
1. It seems impossible for apps to gain kernel execution in Homebrew Launcher. Apps injected into Health and Safety gain kernel execution fine.
2. My DS mode flashcart makes a blackscreen to death. Every. Single. Time.

The two issues are not happening in sysnand.

So I've decided to delve into the inner halls of my nand, and I came back with detailed info on what's going on in there, hoping a 2ds user with a native (non-downgraded) 9.2 firm can compare nands with me.

Code:
Title UID   Version     Category   Product Code
00002703   0     System     0107builder
00001a03   0     System     0107builder
00001b03   0     System     0107builder
00001c03   0     System     0107builder
00001d03   0     System     0107builder
00001e03   0     System     0107builder
00001f03   0     System     0107builder
00002103   0     System     0107builder
00002203   0     System     0107builder
00002303   0     System     0107builder
00002403   0     System     0107builder
00001803   0     System     0107builder
00002903   0     System     0107builder
00002a03   0     System     0107builder
00002c03   0     System     0107builder
00002e03   0     System     0107builder
00002f03   0     System     0107builder
00003103   0     System     0107builder
00003203   0     System     0107builder
00003303   0     System     0107builder
00008003   0     System     0107builder
00001503   0     System     0107builder
00001703   0     System     0107builder
00001f02   2000     System     0328builder
00002002   800     System     0328builder
00001b02   800     System     0328builder
00002a02   800     System     0328builder
00002302   c00     System     0328builder
00002d03   1400     System     0417builder
00001a02   1400     System     0430builder
00002102   800     System     0430builder
00001e02   c04     System     0609builder
00002202   2403     System     0609builder
00002402   2000     System     0710builder
00001802   1c00     System     0710builder
00003702   1400     System     0710builder
00002d02   2800     System     0710builder
00003202   2000     System     0710builder
00002802   1801     System     0716builder
00004002   1801     System     0812builder
00002602   2800     System     0828builder
00002702   1400     System     0828builder
00002e02   1c00     System     0828builder
00003102   1400     System     0828builder
00003802   1800     System     0828builder
00008002   3800     System     0828builder
00001502   2000     System     0828builder
00001602   2400     System     0828builder
00003302   2000     System     0828builder
00002f02   1c00     System     0828builder
00001c02   2800     System     0828builder
00002902   3000     System     0828builder
00001d02   2400     System     0828builder
00001702   3002     System     0908builder
00002b02   1c01     System     0908builder
00003402   2c02     System     0908builder
00003502   1803     System     0908builder
00002c02   2809     System     0922builder

Code:
Title UID   Version     Category   Product Code
00014302   400     System     (N/A)
00014202   400     System     (N/A)
00014102   400     System     (N/A)
00014002   0     System     (N/A)
00011d02   0     System     (N/A)
00011c02   0     System     (N/A)
00011b02   0     System     (N/A)
00011802   0     System     (N/A)
00011702   0     System     (N/A)
00011502   0     System     (N/A)
00011302   0     System     (N/A)
00011202   0     System     (N/A)
00010602   2     System     (N/A)
00010202   0     System     (N/A)
00015102   800     System     (N/A)
00010402   1002     System     (N/A)
00013102   1400     System     (N/A)
00012102   2404     System     (N/A)

Code:
Title UID   Version     Category   Product Code
00018202   802     System     (N/A)
00010702   1000     System     (N/A)
00010002   0     System     (N/A)
00010802   0     System     (N/A)
00018102   401     System     (N/A)
00019002   402     System     (N/A)
00018002   c06     System     (N/A)

Code:
Title UID   Version     Category   Product Code
484e4841   2c00     TWL     (N/A)
484e4c41   0     TWL     0

Code:
Title UID   Version     Category   Product Code
00017102   2420     System     (N/A)
00016102   140     System     (N/A)
00010502   3800     System     (N/A)
00010302   1800     System     (N/A)

Code:
HA3P
HAAP
HACP
HADA
HAEP
HAFP
HAGA
HAHP
HARP
HASP
HBRP
HCBP
HCCP
HCHP
HCRP
HCSP
HDLP
HEDP
HEEA (00040030 0000c502)
HEEA (00040030 0000c503)
HEPP
HESP
HFRP
HGMP
HGRP
HKYP (00040030 0000d002)
HKYP (00040030 0000d003)
HMAP
HMCP
HMEP
HMKP
HMMP
HMSP
HMVP
HSHP

Code:
CTAP (00040138 00000002)
CTAP (00040138 00000003)
CTAP (00040138 00000102)
CTAP (00040010 00025000)
CTAP (00040030 00008a03)
CTAP (00040030 00008a02)

Code:
dlplay (00048005 484e4441) 400 TWL
DS INTERNET (00048005 42383841) 800 TWL

You can help either by checking each title against yours using FBI in delete title mode with destination NAND (don't erase anything!) and checking the list, or by already knowing/detecting a problem in the nand. Any help is appreciated.

Would it be better to run the standard sysUpdater downgrade to 9.2 in sysnand? What could be causing my emunand issues?

I would like to get it as close to a non-downgraded system as possible.

Thanks in advance.
 
Last edited by Urbanshadow,

Spaqin

1. It seems impossible for apps to gain kernel execution in Homebrew Launcher. Apps injected into Health and Safety gain kernel execution fine.

Uhh, yeah. You're running an updated version of the system in the emunand, obviously, they won't have kernel access in HBL. Because it's updated, and exploits used there - patched. Apps not injected, but installed w/ FBI/BBM/whatever (which you can inject) should have no problems.

2. My DS mode flashcart makes a blackscreen to death. Every. Single. Time.
Known emuNAND issue - DS games don't work.
 

Urbanshadow

Uhh, yeah. You're running an updated version of the system in the emunand, obviously, they won't have kernel access in HBL. Because it's updated, and exploits used there - patched. Apps not injected, but installed w/ FBI/BBM/whatever (which you can inject) should have no problems.


Known emuNAND issue - DS games don't work.

Thing is, FBI 3dsx did not work in emunand 9.2, which was the main reason why I updated the emunand. So something is definitely wrong there. (Please don't go into the dbs FBI problem.) The error found is the same on 9.2 and 10.3 emunand.

DS Mode flashcarts run just fine on my n3ds 9.5 emunand.
 
Last edited by Urbanshadow,
Joined
Feb 15, 2015
Thing is, FBI 3dsx did not work in emunand 9.2, which was the main reason why I updated the emunand. So something is definitely wrong there. (Please don't go into the dbs FBI problem.) The error found is the same on 9.2 and 10.3 emunand.

DS Mode flashcarts run just fine on my n3ds 9.5 emunand.
It's because emunand is launched with 9.6 NATIVE_FIRM.
 
  • Like
Reactions: Deleted User
Joined
Feb 15, 2015
Ok. Is this 9.6 native_firm the one residing in the firmware.bin of the cfw or exists in the nand itself? Should I do anything to sysnand then?
It's in the firmware.bin. unless you use cakes, there's nothing you can do to get hb to get kernel. 9.6 fixed the original memchunkhax, which most of them use. ( Well, memchunkhax was patched in 9.3, but you get the point.)
 

Urbanshadow

It's in the firmware.bin. unless you use cakes, there's nothing you can do to get hb to get kernel. 9.6 fixed the original memchunkhax, which most of them use. ( Well, memchunkhax was patched in 9.3, but you get the point.)

Thing is, I'm using cakes all the time. Can I fix this then?
 

Aroth

@Urbanshadow

The info you posted in your OP, is that from your emunand or sysnand?

Asking because if it's your emunand then all of those "Known Useless 10.3 titles for 9.2:" titles should be there. If it's your sysnand then it's a slightly different story (though most of them should still be there, near as I can tell).

edit:

A cursory inspection of the installed versions of certain titles suggests that it is your sysnand, but I will wait for a confirmation before continuing
 
Last edited by Aroth,

Urbanshadow

@Urbanshadow

The info you posted in your OP, is that from your emunand or sysnand?

Asking because if it's your emunand then all of those "Known Useless 10.3 titles for 9.2:" titles should be there. If it's your sysnand then it's a slightly different story (though most of them should still be there, near as I can tell).

edit:

A cursory inspection of the installed versions of certain titles suggests that it is your sysnand, but I will wait for a confirmation before continuing

It's sysnand of course. There's no use in my going that deep into emunand. If you need any more info (like CTR title versions and IDs) or think there's some mistake in the copying, just say it.
 

Aroth

It's sysnand of course. There's no use in my going that deep into emunand. If you need any more info (like CTR title versions and IDs) just ask.
I think you covered all the needed info in your OP. That was masterfully written dude.

Code:
Known Useless 10.3 titles for 9.2:
0004009B 00010402 - Found in System
0004001B 00019002 - Found in System
0004001B 00010802 - Found in System
00040030 0000B902 - Found as CTR-N-HA3P
00040030 00009502 - Not Found
00040030 00009E02 - Not Found
00040130 00004002 - Not Found
00040130 00001A02 - Not Found
00040130 00001B02 - Not Found
00048005 42383841 - Found as DS INTERNET in TWL
00048005 484E4441 - Found as dlplay in TWL
0004800F 484E4841 - Found in TWL

I can tell you what the following titles are, and most are not useless and need to be there even on 9.2 for things to work right.

00048005 484E4441 - Download Play application for DS mode, present since 2.0.0 and never updated.
00048005 484E4841 - DS Cart Whitelist, last updated in 7.0.0 (unless you installed bluecardfix.cia, in which case that overwrote this).
00040130 00001A02 - DSP system-module (required for some sound stuff)
00040130 00001B02 - GPIO system-module (required for something, I'm sure; sound, graphics or maybe sound related)
00040130 00004002 - Old3DS nfc system-module (added with 9.3, not present on 9.2 and below)
00040030 00009E02 - USA amiibo Settings (included with 9.3, not present on 9.2 and below, also how in the hell did you end up with this on a EUR system?)
00040030 00009502 - JPN amiibo settings (introduced with 9.3, not present beforehand. Again, how did you get this??)
0004001B 00019002 - Fangate_updater (no idea what this is, but it appears to have been introduced in 9.3)
0004009B 00010402 - Not sure what this is, but it has been present since 2.0.0, so I would leave it.
0004001B 00010802 - No idea, but it was introduced in 6.3.0 so I would leave it alone.
00040030 0000B902 - EUR amiibo Settings (introduced in 9.3 so feel free to purge it from sysnand)

To summarize the following were all introduced with 9.3 and can PROBABLY be safely purged from your 9.2 sysnand (do not remove them from your emunand)

00040030000B902
000400300009502
000400300009E02
000401300004002
0004001B0019002

The quick glance I took at your other titles showed at least one that did not get downgraded when you went from 10.3 to 9.2, so I will probably need to thoroughly go over them all to find which ones need downgrading and which ones need to be deleted. To make matters worse, the ones needing downgrading will likely need to be pulled from multiple sources.

BTW, this is the very reason N3DS users have so many semi-bricks and random glitches after downgrading. The 9.2 SOAP reply didn't include entries for titles updated between 2.x and 8.x but not updated on 9.0 because those titles were already present on the system from the factory. Basically Nintendo culled them from N3DS SOAP replies to save on bandwidth (why have the system download titles that EVERY unit already has, makes sense)
 
Last edited by Aroth,

Urbanshadow

I think you covered all the needed info in your OP. That was masterfully written dude.
Thanks! Mastering bbcode takes a while!

To summarize the following were all introduced with 9.3 and can PROBABLY be safely purged from your 9.2 sysnand (do not remove them from your emunand since)

00040030000B902
000400300009502
000400300009E02
000401300004002
0004001B0019002

It's ok to use FBI in sysnand (with pasta) and remove one by one? Should I expect any boot problems afterwards?

The quick glance I took at your other titles showed at least one that did not get downgraded when you went from 10.3 to 9.2, so I will probably need to thoroughly go over them all to find which ones need downgrading and which ones need to be deleted. To make matters worse, the ones needing downgrading will likely need to be pulled from multiple sources.

Now I'm worried.
Will my o3ds on native 9.2 work for that? I could perhaps dump some titles from it with decrypt9 and replace the 2ds ones with them?

Oh, and the titles that state "Not Found" are not in my system (I have just the EUR amiibo settings). The "useless" titles were borrowed from a source code.

Update: Just deleted 00040030000B902 and 0004001B0019002. Sysnand boots ok. Waiting for instructions.
 
Last edited by Urbanshadow,

Aroth

Thanks! Mastering bbcode takes a while!

It's ok to use FBI in sysnand (with pasta) and remove one by one? Should I expect any boot problems afterwards?

Now I'm worried.
Will my o3ds on native 9.2 work for that? I could perhaps dump some titles from it with decrypt9 and replace the 2ds ones with them?

You will have to use FBI to do it, probably in a mode without Firmlaunch active (think pasta/dev mode for rxTools). I can't be 100% certain but since the titles I listed are all related to amiibo or nfc (which was introduced in 9.3), you SHOULD be fine. The usual disclaimers and warnings about fucking with sysnand apply. Make sure you have a clean backup (obviously you do) and preferably a hard-mod or the ability to get one.

If you have an O3DS on 9.2 then you actually should just be able to compare the nands and any titles on the 2DS 9.2 nand that are not present on the O3DS 9.2 nand can likely be safely deleted (usual disclaimer, etc.), assuming that both systems are the same region. Finding the ones that should be there but didn't get downgraded properly is a bit harder.

Essentially you will need to compare the installed version of each title with the 9.0 SOAP reply and see if the installed version is higher than the version listed in the reply. If it is, then you need to download the most recent version (as of 9.0/9.2) and install it, probably using sysupdater. Since you got far enough to use CFW, you can PROBABLY use the official version of sysupdater to handle this, but I make no promises.

Use this SOAP reply to compare versions:
http://yls8.mtheall.com/ninupdates/titlelist.php?date=10-06-14_08-25-03&sys=ctr&reg=P&soap=1

This is obviously a 9.0 reply and you are comparing against 9.2, but that is ok. The 9.2 reply was bugged and didn't get generated properly for any region but JPN, so it can't be used. However, there are only two titles updated in 9.2, so if you keep that in mind the reply is still good. The first title is CVer (000400DB00017102), which I can confirm is the 9.2 version (you can too, because it shows up as 9.2 in system settings). The other is the HomeMenu (0004003000009802), which oddly enough I do not see in your list of titles, so I'm not sure what's up there. I can tell you the version you see should be between 2C08 (9.0) and 3412 (9.3).

Also keep in mind that the title version listed in your post is in hexadecimal, the versions on the SOAP reply are in decimal. It's a straight conversion, nothing funny.
 
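One way to script the comparison described above (installed versions listed in hex, SOAP reply versions in decimal, with CVer and the Home Menu skipped because 9.2 bumped only those two). This is an added example, not code from the thread; the installed listing and the SOAP reference below are constructed sample data, and the reference uses a simplified "TITLEID VERSION" layout rather than the real yls8 reply format.

```python
"""Compare installed 3DS title versions (hex, FBI-style listing) against a
SOAP reply title list (decimal).  Sample data is constructed, not from the thread."""
import re

# Constructed sample in the "Title UID  Version  Category  Product Code"
# layout used in the thread.  Versions are hexadecimal, as the thread notes.
INSTALLED_LISTING = """\
Title UID   Version     Category   Product Code
00001a02   1400     System     0430builder
00001b02   800     System     0328builder
00003702   1400     System     0710builder
00010402   1002     System     (N/A)
00017102   2420     System     (N/A)
00009802   3000     System     (N/A)
0000b902   1802     System     (N/A)
"""

# Constructed stand-in for a 9.0 SOAP reply: full title ID plus DECIMAL version.
SOAP_REFERENCE = """\
0004013000001A02 5120
0004013000001B02 2048
0004013000003702 4096
0004009B00010402 4098
000400DB00017102 9216
0004003000009802 11272
0004013000002402 8192
"""

# Low words of CVer and Home Menu: the only titles 9.2 updated past the 9.0
# reply, so a higher installed version is expected and must not be flagged.
IGNORE_LOW_WORDS = {"00017102", "00009802"}

ROW = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+(\S+)", re.M)

def parse_installed(text):
    """Map title low word -> installed version as int (listing is hex)."""
    return {uid.lower(): int(ver, 16) for uid, ver, _cat in ROW.findall(text)}

def parse_soap(text):
    """Map title low word -> reference version as int (reply is decimal)."""
    ref = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 16:
            ref[parts[0][8:].lower()] = int(parts[1], 10)
    return ref

def compare(installed, reference, ignore=IGNORE_LOW_WORDS):
    """Return (needs_downgrade, not_in_reference, not_installed)."""
    needs_downgrade = {u: (v, reference[u]) for u, v in installed.items()
                       if u in reference and v > reference[u] and u not in ignore}
    not_in_reference = sorted(u for u in installed if u not in reference)
    not_installed = sorted(u for u in reference if u not in installed)
    return needs_downgrade, not_in_reference, not_installed

def report(listing=INSTALLED_LISTING, soap=SOAP_REFERENCE):
    return compare(parse_installed(listing), parse_soap(soap))

if __name__ == "__main__":
    higher, extra, missing = report()
    for uid, (have, want) in higher.items():
        print(f"{uid}: installed {have:#x} ({have}) > reference {want} -> downgrade")
    print("not in 9.0 reply (post-9.2 candidates):", extra)
    print("in reply but not installed:", missing)
```

Titles that appear in the listing but not in the reply are the candidates for removal discussed above; titles with a higher installed version are the ones that need re-downgrading.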

Urbanshadow

The other is the HomeMenu (0004003000009802), which oddly enough I do not see in your list of titles, so I'm not sure whats up there. I can tell you the version you see should be between 2C08 (9.0) and 3412 (9.3).

That is because it is detected as CTR-N-HMMP and I did not post the title IDs for those. I do have 0004003000009802 and the reported version is 3000, which is indeed between 2C08 and 3412. I'll start the SOAP version comparison now; it will take a while.
 

Aroth

That is because it is detected as CTR-N-HMMP and I did not post the title IDs for those. I do have 0004003000009802 and the reported version is 3000, which is indeed between 2C08 and 3412. I'll start the SOAP version comparison now; it will take a while.

That's great. It means you can effectively just compare to the 9.0 SOAP and ignore CVer and the Home Menu.
 

Urbanshadow

That's great. It means you can effectively just compare to the 9.0 SOAP and ignore CVer and the Home Menu.

Perhaps I overlooked something, but after the first pass every title looks like it's in the correct version (except the two you mentioned). What was the title not properly downgraded that you saw? Perhaps there are more titles than needed? They really looked fine to me.
 
Last edited by Urbanshadow,

Aroth

Perhaps I overlooked something, but after the first pass every title looks like it's in the correct version (except the two you mentioned). What was the title not properly downgraded that you saw?
I misread it I think. I was looking at the DS Cart Whitelist and noticed it was the latest version, and for some reason thought it had been updated in 9.7 so I assumed it must not have gotten downgraded. Needless to say the last update to that title was in 7.0.

Sounds like if you delete the titles I mentioned originally you should be good. Still have no idea how you ended up with the USA and JPN versions of the amiibo settings application.
 

Urbanshadow

Sounds like if you delete the titles I mentioned originally you should be good. Still have no idea how you ended up with the USA and JPN versions of the amiibo settings application.
No, I never had those titles in my system. I just came across that list on the net (which I have already removed) and checked every title on it.

I deleted 00040030000B902 and 0004001B0019002. Sysnand boots ok. Thank you very much for your help. Now I plan to move on to the native_firm thing on emunand. Not sure what to do, though.
 

Aroth

No, I never had those titles in my system. I just came across that list on the net (which I have already removed) and checked every title on it.

I deleted 00040030000B902 and 0004001B0019002. Sysnand boots ok. Thank you very much for your help. Now I plan to move on to the native_firm thing on emunand. Not sure what to do, though.

You can probably remove 000401300004002 (o3ds nfc system-module) as well, since it was introduced with 9.3 and didn't exist on 9.2 systems.
 
