Hacking NTRCardHax Progress?

[seb5049]

So I assume this way to get emunand on 10.3 sysnand that Gateway is teasing probably involves ntrcardhax. I have a few questions about it:


1. Is anybody other than the gateway team working with ntrcardhax? Since gateway is closed source, you would probably have to use a gateway card unless somebody else makes it open source.

2. When is the exploit triggered? If I have to load a ds game every time I want to go to emunand, it would get quite annoying.

3. What "Special DS hardware" will ntrcardhax work on? Is it all DS flashcards or something more specific?

 

[Mazamin]

I think that this was already achieved by privates, and it will not be used as an entry point, but only to dump bootrom or I don't know, keys. I think that it's like a gateway card, where you can flash some codes. Don't quote me on that.

 

[Woody8275]

when did gateway say they would have CFW on 10.3
I thought they were working on a safer downgrade method

 

[seb5049]

when did gateway say they would have CFW on 10.3
I thought they were working on a safer downgrade method

http://imgur.com/BvJXB0X That's what was there last time I checked the website, but now they've updated it saying they are making a safer way to downgrade, perhaps using ntrcardhax instead of memchunkhax2?

 

[Deleted member 361703]

-snip-

With the new firmware update we would like to STRONGLY ADVISE AGAINST UPDATING yoursysnand to any version higher than 10.3 (i.e. 10.4 or higher), as we will not be able to support sysnand firmware version 10.4 or higher anytime soon.

 

[andre104623]

Gateway said this is one of the things there working on. I do believe there will be native 10.3 support as well but only time will tell

 

[Vappy]

1. Is anybody other than the gateway team working with ntrcardhax? Since gateway is closed source, you would probably have to use a gateway card unless somebody else makes it open source.

@Kitlith and @173210 are both posting some progress, here http://gbatemp.net/threads/ntrcardhax-downgrading-questions.412717/ and here http://twitter.com/173210/with_replies respectively.

2. When is the exploit triggered? If I have to load a ds game every time I want to go to emunand, it would get quite annoying.

That's why plutoo said in the talk that he wouldn't recommend it, because of the inconvenience. Still, once you've got ARM9 execution, you can safely downgrade, or (less safely) set up arm9loaderhax.

3. What "Special DS hardware" will ntrcardhax work on? Is it all DS flashcards or something more specific?

Any flashcart that can be updated with a header that can be modified. So far, the AK2i and SuperCard DSTwo are all but confirmed to work for it.

 

[ShadowOne333]

What is this NTR Card hax that many people seem to be bringing up lately?
Anyone could please explain it?

 

[Vappy]

What is this NTR Card hax that many people seem to be bringing up lately?
Anyone could please explain it?

 

[Suiginou]

Sure would be nice if @smealum were to follow up on his promise and throw the slides out there so people can link to them.

 

[Kitlith]

Any flashcart that can be updated with a header that can be modified. So far, the AK2i and SuperCard DSTwo are all but confirmed to work for it.

I'd like to clarify on that. The AK2i is all but confirmed *in theory* because we can manipulate the header however we want. In practice, we'll see what we'll need. Unless there's some weirdness where stuff can change, and we can tell based on what the 3DS sends to the cartridge, this *should* be enough. Please don't hype or quote.

The DSTWO is all but confirmed for an entirely different reason. The DSTWO has a built-in processor/FPGA that apparently can be modified. This is the vein that @173210 is working in. I know nothing else about this. Ask him if you want more details.

Finally, the first statement is too general for my tastes at the moment. This may be true, it may not be. It may end up being different for different cards. But, if we can only access 0x200 bytes, where the normal header is located, and no more, then it is likely that it cannot be used. Again, there may be cases where we can work around this. I don't know yet. Also, in order to modify the header, we have to know how to write to the header of the flashcart. So even if it would work in theory, if we haven't figured out how to modify the header (even though the card updates may do so) we cannot use it.

Also, don't credit me. I just wanted to document this little mentioned exploit. It just so happens that to document it, one needs to put the pieces together to actually exploit it. Funny how that works.

 

[shinyquagsire23]

That's why plutoo said in the talk that he wouldn't recommend it, because of the inconvenience. Still, once you've got ARM9 execution, you can safely downgrade, or (less safely) set up arm9loaderhax

K9lhax needs ARM9, but it still basically requires a hardmod to do anyhow. So it's either collecting some pieces of info and saving an extra downgrade or gathering a safe NAND backup and setting up for a buffered k9lhax to get the hash.

 

[Toiry921]

Sure would be nice if @smealum were to follow up on his promise and throw the slides out there so people can link to them.

Did you even Google Search? https://imgur.com/a/ONPoa

 

[Normmatt]

So I looked into the AK2i code I have and apparently (based on some code comments) AK2i's protect writes to the area of flash that the header is. Old AK2's however don't. I'll have to have a play and see if i can actually write to that area or not on AK2i's.

 

[173210]

There's no progress since I lost my DSTWO :/

 

[Zidapi]

So I looked into the AK2i code I have and apparently (based on some code comments) AK2i's protect writes to the area of flash that the header is. Old AK2's however don't. I'll have to have a play and see if i can actually write to that area or not on AK2i's.

But Acekard 2.1 won't run on a 3DS without using @Apache Thunder's Slot-1 Launcher. Wouldn't that pose a problem?

 

[Normmatt]

There's no progress since I lost my DSTWO :/

That probably wouldn't work anyway as you don't control the first program the DSTWO's mips processor starts with. Ejecting the cart would cause the cart to reboot and lose the custom cart emulation...

But Acekard 2.1 won't run on a 3DS without using @Apache Thunder's Slot-1 Launcher. Wouldn't that pose a problem?

Doesn't matter... the header is read long before the cart is blocked in sysmenu...

 

[173210]

That probably wouldn't work anyway as you don't control the first program the DSTWO's mips processor starts with. Ejecting the cart would cause the cart to reboot and lose the custom cart emulation...

Why should I eject the cart? Anyway, switching from TWL_FIRM to NATIVE_FIRM may trigger reboot. That's the problem, I think.

 

[Zidapi]

Doesn't matter... the header is read long before the cart is blocked in sysmenu...

Good to know. Red Face standing by.

 

[Normmatt]

Why should I eject the cart? Anyway, switching from TWL_FIRM to NATIVE_FIRM may trigger reboot. That's the problem, I think.

Because you need to in order to trigger ntrcardhax.....