Posting a follow-up of what happened.
After talking to @PizzaYandere37 in private, he eventually relented to overnight ship his o3DSXL. While the price to mail from France to Florida and back wasn't cheap by any means, he was able to amass payment in a timely fashion.
Debugging his o3DSXL as-is proved unwieldy due to a bulky body case. Safe removal of the case wasn't an option because of it's frail condition... I didn't want to send back his o3DSXL with it broken.
Because I'm a stickler for good form factor when it comes to handheld electronics and to get around this problem, the o3DSXL NAND images [
ctrnand_full.bin,
twln.bin,
twlp.bin, and
essential.exefs ] were dumped and temporarily used on my nephew's o2DS.
After examining the files mentioned from
post #13, the causes of the brick became apparent.
What happened to PizzaYandere37's o3DSXL was very unfortunate. There was a prior attempt at region changing the firmware from native (EUR) to (USA). The
SecureInfo_A shown in that picture found in
[1:] SYSNAND CTRNAND comes from the public CTRTransfer image,
11.5.0-38U_ctrtransfer_o3ds.bin; CW72535537 is not the o3DXL's serial number when compared against the
inspect.log from the
[2:] SYSNAND TWLN. That means the real & original SecureInfo, LFCS, and movable were lost along the way presumably from failed or incomplete CTRTransfer(s). Only the
HWCAL0.DAt and
HWCAL1.DAt were intact.
What made matters worse is that GodMode9 never had the chance to properly backup those three files for the
essential.exefs. To make the situation even more shitty, the o3DSXL's first
[sys
|emu
|red
]nand.bin image backed up when it was first hacked was lost after his old computer died and was sold off last year.
In order to get the o3DSXL in a bootable state, the
movable.sed was replaced with another dummy copy but in functional format.
- This file has the size of 0x120 (288) bytes filled with all zeros (00), except for block 0x00-0x03 having the magic header (53 45 45 44 - SEED).
The replacement
SecureInfo_A was borrowed from the
11.5.0-38E_ctrtransfer_o3ds.bin edited with the o3DSXL's actual serial number. Although this file is no longer signed where uninstalling custom firmware would brick the o3DSXL, it is hoped that Nintendo doesn't notice anything amiss should those first 0x100 (256) bytes are ever checked.
Lastly, the
LocalFriendCodeSeed_B was not replaced in the initial firmware repair.
After updating the firmware to 11.10.0-43E, fixing the TWL system titles, and adding CTRNAND Luma3DS with GodMode9 payload, I took the fixed images from the o2DS,
reflashed them back on the o3DSXL, and
mailed backed his system.
To get around the issue of not being able to access Nintendo eShop or use other online services,
@PizzaYandere37 was tasked to:
- Create an initial dummy user profile.
- Format System Memory in order to make another dummy user profile.
- This converts the movable.sed to 320 bytes with AES-CMAC.
- (Real Nintendo) System Transfer his o3DS profile over to the o3DSXL.
- The o3DS movable.sed gets sent to the o3DSXL. (ie, given a real/valid movable.sed).
- This links the NNID to the o3DSXL. As far as Nintendo server record is concerned, his o3DSXL should be able to visit Nintendo eShop.
- Copy and share the o3DS LocalFriendCodeSeed_B over to the o3DSXL after the System Transfer.
- This allows the o3DSXL to regain access to other online services: game play, Internet.
- However, there's the risk that LFCS_B might get banned/burned if both o3DS and o3DSXL are using it at the same time.
***
I'm glad I got a chance to study this brick as it helped to point out some weaknesses in the current version of the CTRTransfer (Type D9) script. It wouldn't have fixed this brick mainly due to poor handling or distinguishing whether those essential files are valid or good copies. The next planned release of Type D9 will include fixes so bricks like this one won't be a problem to at least allow the 3DS/2DS to boot HOME Menu.