Homebrew 'ntrcardhax' / downgrading questions

Kitlith

Yes, I'm new. I'm sorry. I'm also a n00b when it comes to lower-level programming and exploits. And I'm about to ask questions that seem to have already been asked a few times, but not really answered. I'm sorry for that too. But I'm pairing that with a documentation attempt. Soo.... Hi!

I'm a random person looking into 'ntrcardhax'. I've been documenting what I can at this gist of mine. I think I've covered most everything I can that happens from ARM11 side. Please don't trust this, however. Do your own research, correct me, anything. Please. Anybody who knows more about 'ntrcardhax' would be beneficial. Treat this as a 'Request for Comment'.

One thing you may notice is missing is details on what needs to be done to get actual execution of code, rather than just a crash. This is because I have not downgraded: I have a o3DS w/ 9.9. I hope to keep it that way, due to the risks I keep finding in my searches. Anybody who has <9.2, I would appreciate any help that could be given.

But, on the off chance that I still want/need to downgrade to investigate myself, here's my questions about downgrading safety:
  • I keep seeing that we should be on 10.3 before downgrading to 9.2. (I've also seen several posts from people who reportedly soft-bricked from downgrading from 9.9.) Therefore, should I upgrade to 10.3 (using a variant of sysUpdater) and then downgrade?
  • Which version of sysUpdater should I use? There seems to be a nice debate over this in another thread, with it going back and forth (does julian20 have his own version?) mentioning multiple versions modified by different people. I'll probably end up using safeSysUpdater unless I get an overwhelming complaint against it.
  • According to 3dbrew, there is indeed a way to downgrade from 10.4, at least, if you get a hardmod. I haven't looked into this enough, but I'd definitely want to if I do soft-brick. (Though, a quick google search turns up nothing relevant. Next documentation attempt? xD)
UPDATE: I have since downgraded, I have dumps of everything I should need. Just... need to struggle with disassemblers/debuggers.

Last note: I made a repository on github that currently contains an untested homebrew for causing the ntrcardhax crash.
Don't use it. It's untested and probably horribly wrong. Just don't.
It also doesn't set up an area for ARM9 code to run once crashed. (I assume this would be necessary in the final version.)
Though, people who know what I'm doing wrong (such as me once I take a closer look at 3dbrew documentation :D) are welcome to help. I welcome it in fact. Please also treat this as a 'Request for Comment'.

UPDATE: There is at least one major flaw with the way this is currently presented: The particular IO register we need isn't mapped by default, apparently. There are also... other flaws.

I think that about covers it. Thank you for your time, and I'm sorry for bothering you. Any help is very much appreciated.

UPDATE:
@Normmatt had been working on it on his own. Upon me saying I didn't know his status:
I got it working since then :P
And in irc:
<Kitlith> Normmatt, so, what all did you get working? The whole thing?
<Normmatt> whole thing :P

Vappy

  • I keep seeing that we should be on 10.3 before downgrading to 9.2. (I've also seen several posts from people who reportedly soft-bricked from downgrading from 9.9.) Therefore, should I upgrade to 10.3 (using a variant of sysUpdater) and then downgrade?
My experience with this is that memchunkhax2 kept failing (with several hours of attempts for each) for two N3DSes I tried downgrading, one on 9.9, the other on 9.8. Upgrading to 10.3 had it working within a few tries. I've seen a few other people mention similar experiences. From what I've seen, it's not necessary, but if you can't get it working from 9.9, upgrading might help.
  • Which version of sysUpdater should I use? There seems to be a nice debate over this in another thread, with it going back and forth (does julian20 have his own version?) mentioning multiple versions modified by different people. I'll probably end up using safeSysUpdater unless I get an overwhelming complaint against it.
I used one of julian20's versions (this one I believe https://gbatemp.net/threads/simple-guide-to-downgrading-your-3ds.407888/page-95#post-5923820) but seems like SafeSysUpdater is the least risky currently.

Also, @173210 has been working on ntrcardhax, and posting about it on twitter. You might have some luck asking him about it.

dark_samus3

Alright, I'll help clear some stuff about downgrading up. Downgrading is fairly safe, what most users miss (and doesn't seem to be in any guides) is clearing the update nag BEFORE attempting the downgrade, the update actually puts the new titles in NAND but doesn't actually install them and they need to be cleared to properly downgrade... On the downgrading from 10.4/10.5 it is theoretically possible, since Ninty is nice enough to give us NATIVE_FIRMs to download right from their site you simply get the unencrypted (read: the not console specifically encrypted, the actual firmware is still encrypted though... Confusing I know) version of the firm you currently have installed and XOR it with the firm0 partition to generate an XORpad and then get the 10.2 firm and encrypt it with the XORpad that was generated and slap it back into the firm0 slot, you now have the, exploitable, 10.2 NATIVE_FIRM installed and can downgrade from that point on... Combine that with arm9loaderhax and we now have an unpatchable exploit since we can load whatever firmware we want from there. Good luck on your research :)
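The XORpad idea in the post above is a known-plaintext attack on a stream cipher whose keystream is reused for every image written to the same slot. As an added example (not code from this thread or any 3DS tool), the Python below models such a slot with a constructed pad and shows two things: with the exact plaintext that is in the slot, any same-length image can be re-encrypted without knowing the key, and with a plaintext that differs from the real slot contents, the console sees corruption at exactly those offsets (the point Apache Thunder makes further down about needing a real decrypted FIRM0 image rather than the CDN CXI). All bytes, names and the pad are constructed for illustration.

```python
import os


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad; refuses to run past the pad (a pad must never be wrapped or repeated)."""
    if len(data) > len(pad):
        raise ValueError(f"pad covers {len(pad)} bytes but data is {len(data)} bytes")
    return bytes(d ^ p for d, p in zip(data, pad))


def recover_pad(known_plain: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step: for a stream cipher, pad = plaintext XOR ciphertext."""
    if len(known_plain) != len(ciphertext):
        raise ValueError("known plaintext and ciphertext must be the same length")
    return xor_bytes(known_plain, ciphertext)


def forge_ciphertext(known_plain: bytes, slot_cipher: bytes, new_image: bytes) -> bytes:
    """Re-encrypt new_image for a slot whose pad is learned from (known_plain, slot_cipher)."""
    pad = recover_pad(known_plain, slot_cipher)
    return xor_bytes(new_image, pad)


def mismatched_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def simulate(pad: bytes, installed: bytes, target: bytes, believed_plain: bytes) -> list:
    """Model the slot. `pad` is the console's keystream and is never given to the forger.

    installed      : plaintext that is really in the slot
    target         : image the forger wants the console to end up with
    believed_plain : what the forger *thinks* the installed plaintext is
    Returns the offsets where the console's view of the forged image differs from target;
    an empty list means the forgery is byte-exact.
    """
    slot_cipher = xor_bytes(installed, pad)                      # what a NAND dump would show
    forged = forge_ciphertext(believed_plain, slot_cipher, target)
    console_view = xor_bytes(forged, pad)                        # the console decrypts with the real pad
    return mismatched_offsets(console_view, target)


if __name__ == "__main__":
    pad = os.urandom(64)                    # constructed stand-in for the per-console keystream
    installed = b"FIRM-A " * 9 + b"\x00"    # 64 constructed bytes "in the slot"
    target = b"FIRM-B " * 9 + b"\x00"       # 64 constructed bytes to write instead
    print("exact known plaintext ->", simulate(pad, installed, target, installed))
    wrong = bytearray(installed)
    wrong[8] ^= 0xFF                        # a build that differs from the slot contents
    wrong[40] ^= 0x01                       # by even one bit is not a usable known plaintext
    print("plaintext off at two offsets ->", simulate(pad, installed, target, bytes(wrong)))
```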

Kitlith

... On the downgrading from 10.4/10.5 it is theoretically possible, since Ninty is nice enough to give us NATIVE_FIRMs to download right from their site you simply get the unencrypted (read: the not console specifically encrypted, the actual firmware is still encrypted though...

And where is this available? On their update servers, I presume... (I'll be downloading copies as soon as I know where to find them... xD)

Combine that with arm9loaderhax and we now have an unpatchable exploit since we can load whatever firmware we want from there.

Uhm, isn't arm9loaderhax N3DS only? I'm an o3DS.

Psi-hate

I saw you and @173210 working on this and I'm pretty impressed. Anyway, you said you got some of the things figured out, but does it by chance matter what flashcard you use? I know you can upgrade the firmware of many flashcarts but I only have heard that it could be done on a DSTwo. Could any other flashcart work or is it restricted?

Kitlith

I saw you and @173210 working on this and I'm pretty impressed. Anyway, you said you got some of the things figured out, but does it by chance matter what flashcard you use? I know you can upgrade the firmware of many flashcarts but I only have heard that it could be done on a DSTwo. Could any other flashcart work or is it restricted?
I don't know enough about this, however, I'll say what I can.

The card I specifically mentioned we can use because we already know how we can write to the area where the header is stored. And, in particular, I believe it was Normatt in IRC was the one who pulled out his flashcard and noticed he could write to that particular area. In *theory*, if we know how to write, we can. In practice, we'll see.

EDIT: It looks like @173210 is going down a completely different path than I am, focusing more on FPGAs inside of a card. So, I can't speak for him. That particular path may only work on DSTWO. *shrugs*

dark_samus3

And where is this available? On their update servers, I presume... (I'll be downloading copies as soon as I know where to find them... xD)
Yep, the firmware.bins we use for CFW are the FIRM images ;) also btw I read your gist yesterday (thanks for posting that @Psi-hate ) and I totally think using an arduino (really any of the atmega series micro controllers) could easily be used, there's these things called neopixels which have similar timing requirements and they're not the easiest to work with but it's possible to use them, though the nice teensy that syncs the clock rate nicely looks promising, but a little expensive to me

Kitlith

... though the nice teensy that syncs the clock rate nicely looks promising, but a little expensive to me
Was I looking at the wrong place? Because from my memory and places I looked, the Teensy actually happened to be cheaper than the Arduino...? I'm probably remembering wrong.

Also, to the rest of that, I'm not going to be working on the stuff for Arduino because of the possibilities having to do with the flashcard, but...

Heh, I think the reason I actually finally signed up for an account and made this thread was because I was browsing a thread and *someone* had posted links to my stuff there. xD

Vappy

And where is this available? On their update servers, I presume... (I'll be downloading copies as soon as I know where to find them... xD)
For O3DS, http://nus.cdn.c.shop.nintendowifi.net/ccs/download/0004013800000002/000000XX, where XX is any of the hex title ContentIDs from here https://3dbrew.org/wiki/FIRM#NATIVE_FIRM Although Nintendo have removed any prior to 9.6 from their CDN.
Uhm, isn't arm9loaderhax N3DS only? I'm an o3DS.
arm9loaderhax can work on an O3DS.

Kitlith

For O3DS, http://nus.cdn.c.shop.nintendowifi.net/ccs/download/0004013800000002/000000XX, where XX is any of the hex title ContentIDs from here https://3dbrew.org/wiki/FIRM#NATIVE_FIRM Although Nintendo have removed any prior to 9.6 from their CDN.
Thank you! I now have copies of everything on their CDN... xD
arm9loaderhax can work on an O3DS.
Right, the hax presented in the talk is actually the 'arm9loaderhax-enhanced' on 3dbrew. Thanks for reminding me about that. Still, for getting it to work on O3DS, looks like you need the plaintext normalkey and OTP hashes, OTP at least requiring a downgrade to >=3.0, right?

FenrirWolf

Alright, I'll help clear some stuff about downgrading up. Downgrading is fairly safe, what most users miss (and doesn't seem to be in any guides) is clearing the update nag BEFORE attempting the downgrade, the update actually puts the new titles in NAND but doesn't actually install them and they need to be cleared to properly downgrade

Interesting. I have never seen this mentioned before but it does make a lot of sense.

dark_samus3

Thank you! I now have copies of everything on their CDN... xD

Right, the hax presented in the talk is actually the 'arm9loaderhax-enhanced' on 3dbrew. Thanks for reminding me about that. Still, for getting it to work on O3DS, looks like you need the plaintext normalkey and OTP hashes, OTP at least requiring a downgrade to <=3.0, right?
Ftfy ;) anyways yeah it does require a downgrade, though you should probably have a NAND mod before attempting too much, especially with the research you're doing... If you can solder it's only 4 wires and 3 of them are super easy on non XL o3ds (the 4th is annoying, but doable) and XL version is a cakewalk. Up to you though, also not sure how expensive an arduino is but I know a teensy (the ones you were referring to) are at least $20 whereas you can build a small microcontroller circuit for less than that if you know what you're doing

--------------------- MERGED ---------------------------

Interesting. I have never seen this mentioned before but it does make a lot of sense.
The current "solution" circulating is to format the system, which works but isn't the best

Kitlith

Ftfy ;) anyways yeah it does require a downgrade, though you should probably have a NAND mod before attempting too much, especially with the research you're doing... If you can solder it's only 4 wires and 3 of them are super easy on non XL o3ds (the 4th is annoying, but doable) and XL version is a cakewalk. Up to you though, also not sure how expensive an arduino is but I know a teensy (the ones you were referring to) are at least $20 whereas you can build a small microcontroller circuit for less than that if you know what you're doing
I forgot, I was looking at the price of the Teensy-LC. If it can be done with that... (~12$)

Yeah, I would definitely want a NAND mod before I attempt an OTP dump. I would end up with a NAND mod if I soft-brick. I don't want to do a NAND mod yet. I want to get on 9.2/ get ntrcardhax working and make a NAND dump from there, if possible.

The current "solution" circulating is to format the system, which works but isn't the best
I saw a solution which involved booting into recovery and hitting 'cancel'. Would that do the trick, or do I really need to format?

dark_samus3

I forgot, I was looking at the price of the Teensy-LC. If it can be done with that... (~12$)

Yeah, I would definitely want a NAND mod before I attempt an OTP dump. I would end up with a NAND mod if I soft-brick. I don't want to do a NAND mod yet. I want to get on 9.2/ get ntrcardhax working and make a NAND dump from there, if possible.

I saw a solution which involved booting into recovery and hitting 'cancel'. Would that do the trick, or do I really need to format?
That's the solution I was talking about originally, no need to format the system

FenrirWolf

Is it also possible for preloaded update files to interfere with a downgrade even before you get the nag? Like, supposing you only had the console in sleep mode long enough to download part of the update instead of the whole thing. Just curious because it makes me wonder if that's one of the reasons people sometimes get stuck with partial downgrades.

Either way, it seems like doing the recovery mode thing might be a good just-in-case step to take before a downgrade even if you don't have the nag.

Kitlith

That's the solution I was talking about originally, no need to format the system
Good to know.

Is it also possible for preloaded update files to interfere with a downgrade even before you get the nag? Like, supposing you only had the console in sleep mode long enough to download part of the update instead of the whole thing. Just curious because it makes me wonder if that's one of the reasons people sometimes get stuck with partial downgrades.

Either way, it seems like doing the recovery mode thing might be a good just-in-case step to take before a downgrade even if you don't have the nag.
That... is a good question. May be better asked in a thread specifically talking about bricks and downgrading, but it's welcome here, too, where someone is trying to figure out whether it's safe or not.

On the thought of actual research, does anyone want to help somehow? I suppose I'd better ask @173210 about any research he has done into the ARM9 side of things...

I mainly need to find out what interesting stuff is in the .bss section of Process9 (I think?) and relative locations that I can overwrite. Then... figure out where to put stuff for ARM9 to jump to... I get the feeling this is where I'm going to break down and be completely useless. ._.

@plutoo suggested in IRC that I should "try spraying and see what crashes" Just need to find a good emulator with debugging functions. (haven't looked yet, due to lack of dump and such.) I know, I know, I'm horrible. I'll do a better job looking sometime soon.

dark_samus3

Is it also possible for preloaded update files to interfere with a downgrade even before you get the nag? Like, supposing you only had the console in sleep mode long enough to download part of the update instead of the whole thing. Just curious because it makes me wonder if that's one of the reasons people sometimes get stuck with partial downgrades.

Either way, it seems like doing the recovery mode thing might be a good just-in-case step to take before a downgrade even if you don't have the nag.
That's entirely possible and why I suggest attempting to clear the update even if you don't have the nag. The only reason I know this is way back in the early days (before hax 2.x) when FBI injection was first done you had to clear the update nag to properly inject into the H&S application for exactly the same reason

Apache Thunder

Yep, the firmware.bins we use for CFW are the FIRM images ;) also btw I read your gist yesterday (thanks for posting that @Psi-hate ) and I totally think using an arduino (really any of the atmega series micro controllers) could easily be used, there's these things called neopixels which have similar timing requirements and they're not the easiest to work with but it's possible to use them, though the nice teensy that syncs the clock rate nicely looks promising, but a little expensive to me

Not quite. The FIRM CXI/BIN from CDN are not quite the same as a decrypted FIRM0/FIRM1 partition. They are both essentially the .code of the CXI you download from CDN. But they are not suitable for exploiting the encryption weakness of the FIRM0/FIRM1 partitions. You need a decrypted FIRM0/FIRM1 partition. NOT a firmware.bin or firmware CXI pulled from CDN. ;)

You can only get a decrypted FIRM0/FIRM1 partition by getting one from an exploitable console. Which shouldn't be hard to do because there's a ton of people with exploitable 3DSes now. :P

dark_samus3

Not quite. The FIRM partitions on NAND are not quite the same as a decrypted FIRM0/FIRM1 partition. They are both essentially the .code of the CXI you download from CDN. But they are not suitable for exploiting the encryption weakness of the FIRM0/FIRM1 partitions. You need a decrypted FIRM0/FIRM1 partition. NOT a firmware.bin or firmware CXI pulled from CDN. ;)
Ah, thank you for that clarification, I didn't know that... Maybe we should start stockpiling those somewhere on "that ISO site" so we can have those for future use