See https://github.com/Plailect/Guide/wiki/Hardmod-Downgrade

 

[The Real Jdbye]

Got a hardmod.I'm trying this
-- I'm just wondering how this can patch an encrypted nand.bin

FIRM is stored on a separate partition and encrypted with its own key, so all we need is the xorpad for FIRM, which it gets by comparing the encrypted partition with a decrypted 10.4/10.5 FIRM.

 

[hundshamer]

Can I do this without a hardmod?

Spoiler

NO

 

[Spore2]

FIRM is stored on a separate partition and encrypted with its own key, so all we need is the xorpad for FIRM, which it gets by comparing the encrypted partition with a decrypted 10.4/10.5 FIRM.

That makes sense. Thanks.
Just waiting to finish updating to 10.5. Internet speeds here in the Philippines are crap.

 

[vb_encryption_vb]

I can confirm this does in deed work, I updated to 10.5, backed up nand, patched nand, wrote nand back, booted into homebrew sysupdater and downgraded back to 9.2 with no issues.

Anyone having issues with the patcher, put this .dll in the same directory as the autofirm files.

 

[Xenon Hacks]

I can confirm this does in deed work, I updated to 10.5, backed up nand, patched nand, wrote nand back, booted into homebrew sysupdater and downgraded back to 9.2 with no issues.

Care to make a video of it in action it's not that I dont believe you its just too crazy and the hype train is gonna go full steam ahead @hundshamer you're about to make quite a bit of pocket money.

 

[urherenow]

FIRM is stored on a separate partition and encrypted with its own key, so all we need is the xorpad for FIRM, which it gets by comparing the encrypted partition with a decrypted 10.4/10.5 FIRM.

I have a noobish question... since we are able to decrypt firms, and it is known how to patch out the signature checks, why can't the signature check be physically patched out of the FIRM before installing it? I'm not quite sure at what point during boot that signature checks start being performed, but my mind was blown when people figured out how to get 1 or 2 keys and then use them to figure out other keys (like to decrypt the N3DS 9.6+ FIRM). Why has nobody been able to derive a working signing key?

Both my systems are hard-modded, but I'm not very motivated to play with this. I don't need it, and anybody with a working hard mod to try it doesn't really have much to worry about.

 

[vb_encryption_vb]

Care to make a video of it in action it's not that I dont believe you its just too crazy and the hype train is gonna go full steam ahead @hundshamer you're about to make quite a bit of pocket money.

Sure, going to be a long video from start to finish, cause I'm not editing a damn bit of it lol

 

[The Real Jdbye]

I have a noobish question... since we are able to decrypt firms, and it is known how to patch out the signature checks, why can't the signature check be physically patched out of the FIRM before installing it? I'm not quite sure at what point during boot that signature checks start being performed, but my mind was blown when people figured out how to get 1 or 2 keys and then use them to figure out other keys (like to decrypt the N3DS 9.6+ FIRM). Why has nobody been able to derive a working signing key?

Both my systems are hard-modded, but I'm not very motivated to play with this. I don't need it, and anybody with a working hard mod to try it doesn't really have much to worry about.

There are signature checks on FIRM too. That's why we're only able to use unmodified FIRM binaries. And these checks are embedded in the bootrom so they can't be patched out. However, arm9loaderhax does something similar to what you want - we can load a patched FIRM with it and patch/modify anything we want on NAND given that the right signature checks are patched out. But arm9loaderhax is very user unfriendly to install.

 

[DarkFlare69]

Got a hardmod.I'm trying this
-- I'm just wondering how this can patch an encrypted nand.bin

Good luck

I haven't read through other pages, has anyone confirmed success?

 

[Xenon Hacks]

Sure, going to be a long video from start to finish, cause I'm not editing a damn bit of it lol

Don't have to this is big news for the scene a public downgrade method is insane can you think of how many people will want this service? Hell I might even get a smaller tip for my soldering iron just to cash in.

 

[vb_encryption_vb]

Good luck

I haven't read through other pages, has anyone confirmed success?

I just did it, making a video.

 

[DarkFlare69]

I just did it, making a video.

Nice! A tutorial or just a video?

--------------------- MERGED ---------------------------

ctrtool fails to start on my PC... 0x000007b or something

 

[vb_encryption_vb]

Video / tutorial I guess, tutorial is on first page.

 

[vb_encryption_vb]

Don't have to this is big news for the scene a public downgrade method is insane can you think of how many people will want this service? Hell I might even get a smaller tip for my soldering iron just to cash in.

Video is almost 3 gigs and uploading to youtube now, should be ready in 20 or 30 minutes I guess. youtube says 103 minutes, I sure the hell hope it don't take that long.


To all of GBAtemp
GBAtemp is full of assholes, my son is autistic and you may hear him in the background making random comments, keep your traps shut!

Thanks.

 

[piratesephiroth]

so, 3dsfirm.exe is something like this

# Embedded file name: 3DSFirm.py
import os
import sys
import re
import binascii
import argparse
import string
if not sys.version_info[:2] == (2, 7):
  print '*****\n!!!!!Warning - Only tested with Python 2.7!!!!!\n*****\n'
parser = argparse.ArgumentParser()
parser.add_argument('nand_file', action='store', help='NAND file (must exist for dumping and injecting)')
parser.add_argument('firm0_file', action='store', help='firm0 file (only should exist for injecting, firm file will be written/overwrite when dumping)')
parser.add_argument('firm1_file', action='store', help='firm1 file (only should exist for injecting, firm file will be written/overwrite when dumping)')
choose = parser.add_mutually_exclusive_group()
choose.add_argument('-d', action='store_true', default=False, dest='dump', help='Dump firm from NAND file')
choose.add_argument('-i', action='store_true', default=False, dest='inject', help='Inject firm into NAND file')
parser.add_argument('-lowmem', action='store_true', default=False, dest='lowmem', help='Use if you have low RAM available')
arguments = parser.parse_args()
if arguments.dump is arguments.inject:
  print 'Please choose -d or -i to dump or inject the fat16 partition'
  sys.exit(0)
print '*******\n3DSFirmtool\n*******\n'
start = 185794560
size = 4194304
start2 = 189988864
if not os.path.isfile(arguments.nand_file):
  print 'NAND file cannot be found'
  sys.exit(0)
if arguments.inject:
  if not os.path.isfile(arguments.firm0_file):
  print 'Firm0 file cannot be found'
  sys.exit(0)
if arguments.inject:
  if not os.path.isfile(arguments.firm1_file):
  print 'Firm1 file cannot be found'
  sys.exit(0)
if arguments.dump:
  if os.path.isfile(arguments.firm0_file):
  print 'Firm0 with this name and path already exists, file will be overwritten'
  if os.path.isfile(arguments.firm1_file):
  print 'Firm1 with this name and path already exists, file will be overwritten'
  with open(arguments.nand_file, 'rb') as r:
  with open(arguments.firm0_file, 'wb') as w:
  with open(arguments.firm1_file, 'wb') as w2:
  print 'Dumping... please wait'
  r.seek(start)
  firm0 = r.read(size)
  w.write(firm0)
  r.seek(start2)
  firm1 = r.read(size)
  w2.write(firm1)
if arguments.inject:
  if not os.path.isfile(arguments.firm0_file):
  print 'Firm0 file cannot be found'
  exit(0)
  with open(arguments.nand_file, 'rb+') as r:
  with open(arguments.firm0_file, 'rb') as w:
  print 'Injecting... please wait'
  r.seek(start)
  firm0 = w.read(size)
  r.write(firm0)
if arguments.inject:
  if not os.path.isfile(arguments.firm1_file):
  print 'Firm0 file cannot be found'
  exit(0)
  with open(arguments.nand_file, 'rb+') as r:
  with open(arguments.firm1_file, 'rb') as w:
  print 'Injecting... please wait'
  r.seek(start2)
  firm1 = w.read(size)
  r.write(firm1)
print ''
print 'Finished'

 

[vb_encryption_vb]

What's the purpose in posting all that? Anyone that downloads it can see all that.

 

[Xenon Hacks]

Video is almost 3 gigs and uploading to youtube now, should be ready in 20 or 30 minutes I guess. youtube says 103 minutes, I sure the hell hope it don't take that long.


To all of GBAtemp
GBAtemp is full of assholes, my son is autistic and you may hear him in the background making random comments, keep your traps shut!

Thanks.

You can change the video audio in the settings on youtube if you want.

 

[Plailect]

Nice! A tutorial or just a video?

--------------------- MERGED ---------------------------

ctrtool fails to start on my PC... 0x000007b or something

Try replacing ctrtool with the one from here: https://github.com/profi200/Project_CTR/releases/download/0.15/makerom_015_ctrtool.zip

 

[dankzegriefer]

Why use 10.2 NATIVE FIRM?
Why not cut out the middle man and use 9.2 NATIVE FIRM?

 

[DarkFlare69]

Why use 10.2 NATIVE FIRM?
Why not cut out the middle man and use 9.2 NATIVE FIRM?

I'm no professional, but it's because 10.4 and 10.2 are similiar or something.