Hacking [How To] Remove the 022-2812 ban error with a CFW

Status
Not open for further replies.

Joom

 ❤❤❤
Member
Joined
Jan 8, 2016
Messages
6,067
Trophies
1
Location
US
Website
mogbox.net
XP
6,077
Country
United States
If that's the case, why don't you share the method with everyone else?
You have to have two systems with A9LH, SDless A9LH that takes precedence of the NAND over the SD on the banned system (so get to forking fellas), Linux (or any other UNIX-like OS), Godmode9, Decrypt9, and...I think that's it. Oh, you also need a CXI that changes your device ID. This ARM9 binary everyone is using won't work. You're on your own here as I don't have the source and the CXI I use has a unique ID, so I'm not gonna share it.

--------------------- MERGED ---------------------------

But what's the point with dumping the CICertA, CTCert doesn't reside in it right
Nope. It's in the OTP.
 

Retroarcade2003

Well-Known Member
Member
Joined
Nov 18, 2016
Messages
156
Trophies
0
Age
21
XP
997
Country
Italy
You have to have two systems with A9LH, SDless A9LH that takes precedence of the NAND over the SD on the banned system (so get to forking fellas), Linux (or any other UNIX-like OS), Godmode9, Decrypt9, and...I think that's it. Oh, you also need a CXI that changes your device ID. This ARM9 binary everyone is using won't work. You're on your own here as I don't have the source and the CXI I use has a unique ID, so I'm not gonna share it.

--------------------- MERGED ---------------------------


Nope. It's in the OTP.
Sorry... I don't understand... I am Italian... So, I have extracted CiCertA with a .cia app; if I modified it with a random Ccert id... how can I reinject this file into the 3DS? Can the console brick? Do I lose A9LH because I modified the OTP? And... is there the error 11-6901? Sorry for my bad English... Thanks in advance
 

spkuja

Well-Known Member
Member
Joined
May 7, 2007
Messages
307
Trophies
1
Age
35
Website
www.glaciergaming.co.uk
XP
800
Country
You have to have two systems with A9LH, SDless A9LH that takes precedence of the NAND over the SD on the banned system (so get to forking fellas), Linux (or any other UNIX-like OS), Godmode9, Decrypt9, and...I think that's it. Oh, you also need a CXI that changes your device ID. This ARM9 binary everyone is using won't work. You're on your own here as I don't have the source and the CXI I use has a unique ID, so I'm not gonna share it.

--------------------- MERGED ---------------------------


Nope. It's in the OTP.

That still doesn't really answer any questions.

Where did you get this unique CXI from? What is a CXI? Is it possible to make our own? What were the exact steps if we had our own?

Seems a bit odd that you'd hold something of this magnitude back?
 

Deleted member 355359

Well-Known Member
Member
Joined
Oct 25, 2014
Messages
392
Trophies
0
XP
334
Country
Mongolia
where is located this file ?
I can't find it with godmod9
It's either in OTP or just encrypted there. You can find it Base64 encoded in process 21 @0x0013F7A0 if you dump it.

Afterwards, convert it to hex and then back to Base64 with these sites:
http://tomeko.net/online_tools/base64.php?lang=en
http://tomeko.net/online_tools/hex_to_base64.php?lang=en

Once you're done, you could modify it in RAM by using this NTR Debugger code:
write(0x0013FAA4, tuple(map(ord, "Insert device cert here")),pid=0x21)

That's easy to patch. Dump the ITCM and manipulate CTRCert as you see fit and go from there. I've already completely unbanned myself. Linked a new NNID and everything. And yes, this gets past 011-6901.
The server won't accept modified CTCerts, they use the same signature types used to protect Bitcoins.
You're probably just getting a CTCert from one system and using it on another, and boom, problem solved.
If you're even being serious, that is.
I could do that by dumping anyone's process 21 and then extracting its DeviceID.

If you're just modifying it in ITCM according to the DeviceID you want to use and then modifying the DeviceID using your own binary, that means the 3DS can sign CTCerts, apparently.
 

Queno138

Ravens
Member
Joined
Sep 18, 2010
Messages
2,425
Trophies
0
Location
Luigi's Dark Mansion
XP
1,070
Country
Senegal
You're probably just getting a CTCert from one system and using it on another, and boom, problem solved.
If you're even being serious, that is.
I could do that by dumping anyone's process 21 and then extracting its DeviceID.

If you're just modifying it in ITCM according to the DeviceID you want to use and then modifying the DeviceID using your own binary, that means the 3DS can sign CTCerts, apparently.

If it's that, I'm interested to do that; I wanna use my 2DS data on my N3ds.
 

Joom

That still doesn't really answer any questions.

Where did you get this unique CXI from? What is a CXI? Is it possible to make our own? What were the exact steps if we had our own?

Seems a bit odd that you'd hold something of this magnitude back?
It's a unique system module loaded by Luma that does the exact same thing as the payload everyone is using. It's unique in the regard that nobody else is using the ID it uses. I got it from a developer that wishes to remain unnamed. If you had your own then you'd just put it in SD://luma/sysmodules and enable module loading in Luma. Without the source to this though, there's really no point in me giving a bunch of information. And no, you can't use the patched payload due to the nature of the 011 patch.
 

mrmiguebass

Member
Newcomer
Joined
Oct 30, 2015
Messages
11
Trophies
0
Age
27
XP
120
Country
My friend let me use his 3ds secureinfo_A and LocalFriendCodeSeed_B. Can we both go online at the same time? Because it'd be really lame if we couldn't and I got him banned
 

Joom

My friend let me use his 3ds secureinfo_A and LocalFriendCodeSeed_B. Can we both go online at the same time? Because it'd be really lame if we couldn't and I got him banned
We don't really know if it's safe yet or not. Sure is a shame that enMTW hyped seed generation and never delivered (again) as far as I know. Oh well.
 

spkuja

I'm still very sceptical about this. Vague processes and un-named developers. It's all a bit fishy. I think we can say for sure at the moment there is no credible and permanent fix to the bans.
 

Deleted member 355359

It's a unique system module loaded by Luma that does the exact same thing as the payload everyone is using. It's unique in the regard that nobody else is using the ID it uses. I got it from a developer that wishes to remain unnamed. If you had your own then you'd just put it in SD://luma/sysmodules and enable module loading in Luma. Without the source to this though, there's really no point in me giving a bunch of information. And no, you can't use the patched payload due to the nature of the 011 patch.
I'm guessing that your end result just modifies the DeviceID sent to the server and the Device-Cert to match the DeviceID, or no?
 

Joom

I'm still very sceptical about this. Vague processes and un-named developers. It's all a bit fishy. I think we can say for sure at the moment there is no credible and permanent fix to the bans.
What more do you want other than for me to literally hand it to you? If you want to do this yourself then all the information is publicly available. @ariankordi is on the right track. Pay attention to him.

--------------------- MERGED ---------------------------

I'm guessing that your end result just modifies the DeviceID sent to the server and the Device-Cert to match the DeviceID, or no?
Yep. It does exactly this.
 

Deleted member 355359

Yep. It does exactly this.
So, what you're saying is that the 3DS can sign CTCerts by itself and have the account.nintendo.net server actually accept them??
And this is all via modifying ITCM? I know it contains a lot of console-unique stuff and shares things with the bootrom, but I don't know how to make something like a Luma payload to modify anything in it.
 

spkuja

What more do you want other than for me to literally hand it to you? If you want to do this yourself then all the information is publicly available. @ariankordi is on the right track. Pay attention to him.

If it were publicly available, everyone would be doing it. If it's as simple as editing two files in the 3DS, why has no one else done this? I could say I've found a cure for cancer, but that doesn't make it true unless there's evidence to back up the claim.

Could you not make a video showing you disabling the module and then re-enabling it and thus giving you access to all online features?
 


Joom

If it were publicly available, everyone would be doing it. If it's as simple as editing two files in the 3DS, why has no one else done this? I could say I've found a cure for cancer, but that doesn't make it true unless there's evidence to back up the claim.

Could you not make a video showing you disabling the module and then re-enabling it and thus giving you access to all online features?
It's not as simple as modifying two files. That's the point I'm trying to make. Also, I did have a video but the thread got locked because everyone got butthurt.
 

Rangnarok

Active Member
Newcomer
Joined
Oct 21, 2004
Messages
42
Trophies
1
XP
328
Country
If it were publicly available, everyone would be doing it. If it's as simple as editing two files in the 3DS, why has no one else done this? I could say I've found a cure for cancer, but that doesn't make it true unless there's evidence to back up the claim.

Could you not make a video showing you disabling the module and then re-enabling it and thus giving you access to all online features?

You have been demanding stuff like a bratty child. If someone has found a way and wants to keep it secret, it's their call. You are riding for free from the work of others to have CFW and other good stuff, you are in no place to demand anything.

I am not very technically skilled in hacking the 3DS and certainly won't be able to guess how he is doing it, but I am certainly eager to learn just for experience because I am not affected by these bans.
 

spkuja

You have been demanding stuff like a bratty child. If someone has found a way and wants to keep it secret, it's their call. You are riding for free from the work of others to have CFW and other good stuff, you are in no place to demand anything.

I am not very technically skilled in hacking the 3DS and certainly won't be able to guess how he is doing it, but I am certainly eager to learn just for experience because I am not affected by these bans.

Please enlighten me, where have I demanded anything? I've merely requested proof of a concept where there is none and asked questions. I'm trying to fill a gap in my knowledge. You don't get anywhere unless you ask questions. That's how people learn.
 

Joom

Well, I've pretty much given all the information that I can. Dump the ITCM with GM9, and do this.
Code:
dd if=itcm.mem of=ctcert.bin bs=1 skip=14340 count=124
Go from there. Though again, without that CXI, this is useless because the rest of the process requires hot swapping ARM9 payloads.
 

Deleted member 355359

Well, I've pretty much given all the information that I can. Dump the ITCM with GM9, and do this.
Code:
dd if=itcm.mem of=ctcert.bin bs=1 skip=14340 count=124
Go from there. Though again, without that CXI, this is useless because the rest of the process requires hot swapping ARM9 payloads.
Is this CXI you're talking about a NATIVE_FIRM patch or something?
 