Homebrew ARM9Loader -- Technical Details and Discussion

  • Thread starter: Selver
  • Views: 570,586
  • Replies: 4,025
  • Likes: 42
So, is this the currently accepted and canon O3DS downgrade-to-2.1 procedure?
  1. Make a sysNAND backup with Decrypt9 or Gateway.
  2. Install the good ol' 4.x mset pasta in mset.
  3. Use Gateway launcher to downgrade to 4.x.
  4. Clone sysNAND to a new emuNAND.
  5. Use sysUpdater to downgrade to 2.1 on the emuNAND.
  6. If the downgrade succeeded, write the emuNAND to sysNAND (after stitching the NCSD header back in). Else, rewrite the emuNAND and retry until you no longer have a partial.
  7. Use ARM9 stuff (Cubic Ninja is public, apparently the cakes guys are working on something based on 2.1 spider with no success) to dump the OTP region to SD card.
  8. Use ARM9 stuff to restore a sysNAND backup to get back to the original firmware. Alternatively, use ARM9 stuff to implement minipasta on 2.1 and run sysUpdater to get back (which must be recompiled to have matching kernel version stuff, and even then it's dubious whether ctrulib things really will work on 2.1).
Did I miss anything?

SHA-256(buf=0x10012000, size=0x90). So if you wanna brute-force 0x90 bytes of stuff to get the right SHA-256 hash, be my guest. (Pro tip: 16 bytes are currently only feasible with quantum computers, 32 bytes is considered quantum-proof right now)

Naw, you don't have to downgrade emunand; it will not load even if it is successful. As for downgrading to 2.1, I pasta and sysupdater from 9.x to 4.x to 2.1. The downgrade failed on the 2.1 install somewhere in the middle; just remove the ad and boot, it should load. Then pasta and sysupdater again.
 
Last edited by Zyrmkel,
Naw, you don't have to downgrade emunand; it will not load even if it is successful. As for downgrading to 2.1, I pasta and sysupdater from 9.x to 4.x to 2.1. The downgrade failed on the 2.1 install somewhere in the middle; just remove the ad and boot, it should load.
your downgrade is still incomplete and you'll not be able to run the spider exploit or the cubic ninja exploit... if you've got sysupdater installed as a CIA, boot rxTools 2.5.2 through the browser and boot into devmode, start the downgrade again, this time it should finish properly
 
your downgrade is still incomplete and you'll not be able to run the spider exploit or the cubic ninja exploit... if you've got sysupdater installed as a CIA, boot rxTools 2.5.2 through the browser and boot into devmode, start the downgrade again, this time it should finish properly


Right, even though I took that step to finish the downgrade myself, seems like I forgot to include that in the post. Fixed and thanks
 
One could try without and get the hardmod done if/when it gets messed up though(?), that's what I'm thinking once this becomes useful to me.
I didn't have a hardmod and I did it. It is really risky, though.
 
One could try without and get the hardmod done if/when it gets messed up though(?), that's what I'm thinking once this becomes useful to me.
If you make a nand backup with d9 then yeah you could but would you want to?
 
Yeah I bricked my o3DS trying to downgrade to 4.5 lol. I have a nand backup, so if I hardmod it I can save it. Thing is a piece of trash so. I'm not really concerned about it tbh.
 
Hi, I signed up basically only for this.
I've downgraded my o3ds to 4.5 and now I'll attempt to downgrade to 1.0. I didn't get how I'll be able to run any custom code or go back to the latest exploitable firmware since there's no ninjhax payload for 1.0 (I have no hard-mod, but this is a spare console, so I'm not afraid of bricking)
 
Hi, I signed up basically only for this.
I've downgraded my o3ds to 4.5 and now I'll attempt to downgrade to 1.0. I didn't get how I'll be able to run any custom code or go back to the latest exploitable firmware since there's no ninjhax payload for 1.0 (I have no hard-mod, but this is a spare console, so I'm not afraid of bricking)
Don't bother doing this then, you have little to nothing to gain.
 
Hi, I signed up basically only for this.
I've downgraded my o3ds to 4.5 and now I'll attempt to downgrade to 1.0. I didn't get how I'll be able to run any custom code or go back to the latest exploitable firmware since there's no ninjhax payload for 1.0 (I have no hard-mod, but this is a spare console, so I'm not afraid of bricking)
Run code from Cubic Ninja (there's files and QR codes somewhere in this thread) to dump OTP... from there we can probably restore a NAND backup (if you made one before downgrading) otherwise updating with a cart is currently all there is, but we have the ability (and by we I mean Normmatt) to make a NAND restore from Cubic Ninja as well... also I'd recommend 2.x since they have browsers and a little something is being developed as we speak to take advantage of that fact :)
 
Hi, I signed up basically only for this.
I've downgraded my o3ds to 4.5 and now I'll attempt to downgrade to 1.0. I didn't get how I'll be able to run any custom code or go back to the latest exploitable firmware since there's no ninjhax payload for 1.0 (I have no hard-mod, but this is a spare console, so I'm not afraid of bricking)
There are Cubic Ninja payloads for 1.0, but only for dumping NAND and OTP. You could also use a game cart to update?
Currently a few devs are researching getting ARM9 payloads running via 2.1.0-4 browser, so if you don't have Cubic Ninja, you could downgrade to there instead once they've got it working.
 
