Hacking [Question] Restoring save backup from before CFW

StageProps · Nov 11, 2018

So, I hacked my N3DS about two years ago using a method where I injected a compromised DSiWare game into an O3DS on older firmware and then system transferred to the N3DS. That's pretty much all I remember of the process. Before this, I made save data backups of my ACNL and Fantasy Life saves. I didn't realize till after hacking my N3DS that these saves are encrypted and tied to the 3DS that made them, so the system transfer I did made them unusable. I'm now trying to figure out whether there's any way to salvage them. Here's what I have:

The hacked N3DS
A NAND backup from the N3DS and O3DS that I made during the hacking process
An SD card backup of the N3DS before I did the system transfer, including the save data backup files themselves

I've read in some threads made by people with similar problems that I might have luck creating an emuNAND out of the old NAND backup I have, installing a save data manager, and backing up the save data through that. However, I think the fact that I have this NAND backup means that I had already hacked the 3DS (right?), so I'm not sure this will work. It's also almost impossible to find an up-to-date guide on how to set up emuNAND, so I'm not sure how to do it.

I don't know, I think I might be out of luck, but if anyone sees any way forward for me to restore these save backups, I'd appreciate it.

TurdPooCharger · Nov 11, 2018

Take an SD card with a capacity that's bigger than your total SD card backup (ie, Nintendo 3DS folder, etc), and copy everything off it onto a computer.
Reformat the SD card as FAT32 + 32 KB cluster size using either Windows File Explorer or guiformat.
(Recommended) While it's empty, run a Full Write + Verify Test with H2testw.
If the card passes, delete the *.h2w test files.
- If an error was reported, stop the test and replace the fake/faulty (non-fixable) card. Go back to step 1 or 2.
With your NAND *.bin, create an EmuNAND with 3DS Multi EmuNAND Creator.
Copy your SD card backup onto the card. Make sure you have either Checkpoint or JKSM save manager installed.
- The *.3dsx version will require Homebrew Launcher. See video tutorial of how to use Rosalina Menu injection here.
- The *.cia version will require FBI to install on HOME Menu.
Update the custom firmware to the latest Luma3DS v9.1, boot9strap v1.3, and GodMode9 v1.7.1 on both the SD card and CTRNAND.
- If you have Luma3DS v7.1 - v9.0 and/or boot9strap v1.0 - v1.2: Updating B9S
- If you have Luma3DS v7.0.5 or older using arm9loaderhax: A9LH to B9S
Boot the 3DS and hold the (Select) button to access Luma3DS v9.1 configuration menu. Select these two settings:
- (x) Autoboot EmuNAND
- (x) Show NAND or user string in System Settings
Press (Start) to boot to HOME Menu. Go to System Settings and check if you're in EmuNAND.
- For example: Emu 11.8.0-41U
Exit back and launch your save manager of choice. Back up all your game saves and extdata.
- JKSM data will be found at smdc:/JKSV folder.
- Checkpoint data will be found at smdc:/3ds/Checkpoint folder.
(Optional) If you require dumping up your titles [games / DLCs / updates] as *.cia, go to GodMode9 by holding (Start) when booting the 3DS.
- GodMode9 Usage - Dumping a Title
- For EmuNAND, this would be [B:] EMUNAND SD instead of [A:] SYSNAND SD.
Once all saves, extdata, and/or titles have been backed up, delete the no longer required EmuNAND off the SD card.
- Use MiniTool Partition Wizard (free edition) to delete and recombine partitions.
- The SD card must be:
  - Format: FAT32
  - Cluster Size: 32 KB *
    - * You may use 64 KB cluster size if your card capacity is 128 GB or larger.
  - Disk: MBR
  - Partition: Primary

StageProps · Nov 12, 2018

Thanks so much for the thorough walkthrough. I'll try this when I have access to my 3DS tomorrow. Here's hoping it works.

Kwyjor · Nov 12, 2018

All you want is save data on your SD card, right? There's a simple solution – use Fuse-3DS and 3ds-save-tool on your Windows PC. No mucking with emuNAND or Godmode required – all you need is your old movable.sed. (And boot9.bin, but you can find that anywhere.) There's a little tutorial at https://gbatemp.net/threads/tutoria...backups-and-sd-contents-with-fuse-3ds.499994/ .

Once your data is decrypted and unpacked (for Animal Crossing, you'll have garden_plus.dat and a bunch of other files), you can restore it on your other 3DS using JKSM or Checkpoint.

StageProps · Nov 13, 2018

Aaaaaah thank you! I'll give this a shot! Just to clarify, I extract movable.sed from my NAND backup, yeah?

Kwyjor · Nov 14, 2018

StageProps said:
Just to clarify, I extract movable.sed from my NAND backup, yeah?

If you don't already have it (i.e. from Steelminer), then yes, you can use fuse-3ds to extract it from either your NAND backup or from essential.exefs. (In either case it might be called movable.bin instead of movable.sed.)

StageProps · Nov 14, 2018

@Kwyjor I managed to get my movable.sed from the NAND backup using fuse-3ds, but, as I've kind of suspected would happen, I encountered an error when trying to mount the old SD card. It looks like I'm out of luck...The fact that I even HAVE this old NAND backup means I must have finished the system transfer in order to make it. So, I don't think there's any way to retrieve these save files from my pre-system transfer N3DS. Oh well. My ACNL town will be forever frozen in time. Thanks both of you for trying to help! I really appreciate it.

Kwyjor · Nov 14, 2018

StageProps said:
but, as I've kind of suspected would happen, I encountered an error when trying to mount the old SD card.

Well, let's not give up too quickly. What error did you get?

So, I don't think there's any way to retrieve these save files from my pre-system transfer N3DS.

I'm not sure what's going on, but you can also generate your movable.sed if you have another 3DS that was "friends" with the 3DS when the save file was made.

TurdPooCharger · Nov 14, 2018

@StageProps, try the movable.sed from the other 3DS that took part in the System Transfer.

StageProps · Nov 14, 2018

Thanks, both of you, for sticking with this.

TurdPooCharger said:
@StageProps, try the movable.sed from the other 3DS that took part in the System Transfer.

Just tried this, and I'm encountering the exact same error. @Kwyjor, in the command prompt that opens with fuse-3ds, attempting to open the SD card backup with the movable.sed from either NAND backup gives this error: "Failed to find [long string of letters and numbers] in the SD dir." I assume that string is a titleID. This folder is present in an SD card backup I made after hacking the N3DS and in an SD card backup I made of the O3DS during the hacking process. I can mount these SD card backups with this movable.sed, but neither one has the save files I want to salvage.

Here's what I think the problem is: The N3DS NAND backup was made AFTER the system transfer, so it was AFTER a new movable.sed was generated for the system, right? So the movable.sed that could decrypt these save files is not in either NAND backup. I did have friends on the 3DS when the save files were made, but they're also my friends now. I also assume this requires these "friends" to have hacked 3DSes, which I don't think they do.

Kwyjor · Nov 15, 2018

StageProps said:
in the command prompt that opens with fuse-3ds, attempting to open the SD card backup with the movable.sed from either NAND backup gives this error: "Failed to find [long string of letters and numbers] in the SD dir."

Your SD card backup has a Nintendo 3DS directory, right? Are you dragging and dropping the folder named "Nintendo 3DS" on the fuse-3DS window, or something else?

Here's what I think the problem is: The N3DS NAND backup was made AFTER the system transfer, so it was AFTER a new movable.sed was generated for the system, right?

Let's be clear: you had save games on this system, and then you did a system transfer to this system, overwriting whatever was there initially?

I also assume this requires these "friends" to have hacked 3DSes, which I don't think they do.

You can do with just steelhax, so you don't have to install anything persistent like b9s. (You can even do it with stickerhax, oot3dhax, ninjhax, or freakyhax if you have the cartridges handy.)

StageProps · Nov 15, 2018

You're being so patient, and I appreciate it. I'm sorry if I haven't been clear. I'll say now that I've FOUND a 3DS that is friends with my N3DS before hacking, so I have my old friend code. If that's all we need at this point, you can skip most of this post! Let me see if I can answer your questions.

Kwyjor said:
Your SD card backup has a Nintendo 3DS directory, right? Are you dragging and dropping the folder named "Nintendo 3DS" on the fuse-3DS window, or something else?

Yes. I have SD card backups with the Nintendo 3DS folders for the following:

My O3DS, post-hacking
My N3DS, pre-system transfer (this is where the save files are)
My N3DS, post-system transfer, made at a later date, same ID0 as O3DS

Kwyjor said:
Let's be clear: you had save games on this system, and then you did a system transfer to this system, overwriting whatever was there initially?

Yes. I'm sorry I'm not being totally clear about the process--I barely remember it--but if I remember correctly, in order to hack the firmware my N3DS had at the time, I basically needed to system transfer from an already-hacked 3DS on a lower firmware.

Kwyjor said:
You can do with just steelhax, so you don't have to install anything persistent like b9s. (You can even do it with stickerhax, oot3dhax, ninjhax, or freakyhax if you have the cartridges handy.)

OKAY. I have actually managed to dig up a 3DS that is "friends" with my pre-system transfer N3DS. I have my friend old friend code. I also have an OOT3D cartridge. This looks like a steelminer thing, which I'm not really familiar with at all. I can probably figure it out, but any further guidance would be very much appreciated. This "friend" 3DS is on firmware 11.6.0-39U, if that helps.

TurdPooCharger · Nov 15, 2018

If you have your original:

Friend Code: #### - #### - ####
<ID0>: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- smdc:/Nintendo 3DS/<ID0>/<ID1>/...

You can get your movable.sed recreated through brute-force.

3DS Guide for Seedminer - Getting your movable.sed

Once you have that, you should be able to decrypt and recover the contents of the Nintendo 3DS folder.

Edit 1 - I'm not familiar if a working 3DS with that intact movable.sed is required to obtain both parts 1 and 2.

***

Edit 2 - Hey, I think there's a way to obtain the exact two halves of the encryption keyY from your current o3DS and n3DS two (2) movable.sed files.

https://3dbrew.org/wiki/Nand/private/movable.sed

You'll need a hex editor. I'll post an update what you can try once I photo edit some images.

StageProps · Nov 15, 2018

@TurdPooCharger My understanding is that the movable.sed files for both my current N3DS and the O3DS are the same. I'll wait for your instructions though. Thanks!

EDIT: Update: I've fumbled my way through seedminer and found a post on reddit (here) that says I should be able to retrieve my movable.sed. I've followed some steps I found in that post (ran seedstarter.3dsx on my CURRENT N3DS to get movable_part1.sed, inserted my old ID0 as I started the brute force generation). I'm brute-forcing the movable.sed right now, so we'll see if that works.

The only thing I'm nervous about is that my old friend code didn't come into this process at all, so I'm worried I might not get a working movable.sed. We'll see. If this doesn't work, I can try to run seedstarter on the "friend" 3DS I mentioned earlier, but I'm not sure which exploit I can use that will only minimally impact this system, as it belongs to someone else. Basically, I just want to be able to run seedstarter and nothing else.

UPDATE 2: So the brute-forcer has been running for almost four hours. I have a GTX 1070Ti. I don't think it should be taking this long. I think I might be right about the issue above: my old friend code was not involved in this process at all, so seedminer isn't going to be able to brute-force the movable.sed. I need my GPU in a little bit, so I'm close to suspending this program. @Kwyjor, is there any way for me to just get into the HBL on my friend's 3DS without permanently hacking the system? I thought oot3dhax looked promising, but I can't seem to get it to install onto my cart (on my hacked N3DS). The sploit-installer won't work.

TurdPooCharger · Nov 16, 2018

@StageProps, I went back over and read this thread more carefully. My apologies, but I should have been more observant in the details of the what, when, why, and how.

Before System Transfer

o3DS - movable.sed
n3DS - movable.sed
- n3DS encrypted save files

o3DS is the source.
n3DS is the target.

o3DS is hacked.
n3DS is NOT hacked.

o3DS has a NAND backup made with the movable.sed.
n3DS does NOT have a NAND backup.

↓↓↓

Preparation Work
The n3DS undergoes Format System Memory.

This is to allow the n3DS to receive (orange) movable.sed.
However, this action inadvertently changes the (green) movable.sed → (teal) movable.sed.
- Format System Memory will increase the *.sed value at 0x118 offset by one hex (1).
- This changes the 0x10 bytes KeyY encryption from 0x110 - 0x11F.
- There's a SHA-256 mathematical formula from KeyY that relates to <ID0>.

↓↓↓

o3DS - movable.sed
n3DS - movable.sed

↓↓↓

After System Transfer

o3DS - movable.sed
n3DS - movable.sed

n3DS encrypted save files (located on a computer)

o3DS is hacked.
n3DS is hacked (due to DSiWare exploit).

o3DS has another NAND backup made with movable.sed.
n3DS has a NAND backup made with movable.sed.

***

???
The question is whether (pink) movable.sed is the (teal) movable.sed with another slight value change.

StageProps · Nov 16, 2018

@TurdPooCharger Yes, that's an accurate summary of my situation. Though I'm still not sure what I can do with the movable.sed files I currently have access to. This is such a mess. Here's where I'm at right now:

According to this and this, I can retrieve my movable.sed by running seedminer. I think I need to run seedstarter.3dsx (first step of seedminer, which yields movable_part1.sed) on my friend's 3DS, because that is the 3DS that has my old friend code. My friend's 3DS is not hacked.

In order to run seedstarter.3dsx, I just need access to the Homebrew Launcher. It looks like I can access it through oot3dhax. However, the sploit-installer for oot3dhax doesn't seem to work anymore in Luma, so I can't run it on my hacked N3DS to prepare my oot3d cartridge. I've found different people saying that sploit-installer WILL work in Rei-Six.

However, when I boot Rei-Six on my hacked N3DS, I can no longer open the Homebrew Launcher Loader to run the sploit-installer. I get an error about downloading the payload. I don't know how else to run HBL in Rei-Six, so I'm stuck.

Kwyjor · Nov 16, 2018

Yes, that's what I was thinking of – running Seedstarter on your friend's 3DS.

I wasn't aware that sploit-installer wouldn't work with Luma. Are you sure about that? The exploit itself will not run with Luma, but the expoit and the exploit installer are two very different things.

The sploit-installer itself has to be launched from the Homebrew Launcher, but you can also get to the Homebrew Launcher without using any exploits once Luma is installed – you just have to bring up the Rosalina menu and use the "Switch the hb. title to the current app" option. (I'm a little ignorant on the specifics on that particular point.)

The next complication is that I'm still not sure the sploit-installer has been updated – it might try to download the 11.6 payload even if you specify that you want the 11.7/11.8 payload. But it's "easy" to fix.

[FWIW, I'm very impressed by your patience and willingness to follow instructions this far.

]

I've also speculated that following a system transfer, it might be possible to recover old data from a NAND backup by mounting the CTR FAT partition in Windows using fuse-3DS and then using an ordinary Windows Unerase utility – but no one has done something like that before, so let's not go there yet.

StageProps · Nov 16, 2018

I'm at work right now, but I'll do my best to address your post.

I'm fairly certain the sploit-installer itself doesn't work with Luma. See here:

KunoichiZ said:
You can't use the sploit installer (any of them) on b9s systems. Give up.

When I try to run sploit-installer under Luma, I get the same error that the OP in that topic got: "00000002 The title this sploit_installer is running under is not supported." However, later in that same topic, someone recommends this, and the OP said it worked:

nl255 said:
I would just get Rei6 from here, put the .firm in sd:/luma/payloads, put the rei folder in the root of your sd card, and then chainload it from Luma. Then the sploit installer should work.

I tried this, but when I go to open HBL through the Homebrew Launcher Loader .cia I installed, I get an error about downloading the payload.

Kwyjor said:
you can also get to the Homebrew Launcher without using any exploits once Luma is installed – you just have to bring up the Rosalina menu and use the "Switch the hb. title to the current app" option. (I'm a little ignorant on the specifics on that particular point.)

I've tried using the Luma menu to inject HBL into the Sound app. It works under Luma--if I open Sound, I get the HBL. But as soon as I boot Rei-Six, the injection seems to revert. Maybe I'd have better luck if I didn't use a system app? I can't really test anything until I get home later.

Kwyjor said:
The next complication is that I'm still not sure the sploit-installer has been updated – it might try to download the 11.6 payload even if you specify that you want the 11.7/11.8 payload. But it's "easy" to fix.

We'll burn this bridge if we can manage to get to it, I guess. At this point it seems pretty appealing to just buy a cheap flashcart and do NTRboot on my friend's 3DS, but I don't want to spend money if I can manage it for free.

Kwyjor said:
[FWIW, I'm very impressed by your patience and willingness to follow instructions this far. ]

This, more than anything, is a testament to how badly I don't want to lose my ACNL town with Stitches, Ribbot, Julian, and O'Hare.

Kwyjor · Nov 17, 2018

StageProps said:
I tried this, but when I go to open HBL through the Homebrew Launcher Loader .cia I installed, I get an error about downloading the payload.

Hmm. What does the error say, specifically?

The offline-installer version might be worth a try (especially since with that, you know you're getting the right payload).
https://gbatemp.net/threads/install-oot3dhax-offline.446390/

If you get an error message about "This homebrew exploit does not have support for launching applications under target titles", then try renaming (or deleting) oot3dhax_installer.xml .

I've tried using the Luma menu to inject HBL into the Sound app. It works under Luma--if I open Sound, I get the HBL. But as soon as I boot Rei-Six, the injection seems to revert.

Yes, I think it's supposed to do that. There's a setting to make it persistent somewhere, though I'm not sure you want to mess with that.

At this point it seems pretty appealing to just buy a cheap flashcart and do NTRboot on my friend's 3DS, but I don't want to spend money if I can manage it for free.

Well, I suggested oot3dhax strictly as a matter of convenience. If there's no way to install the exploit on your oot3d cartridge, then you can always use Steelminer to install steelhax on your friend's DS, and then use steelhax to launch HBL and then SeedStarter.

StageProps · Nov 17, 2018

Real quick update before I go to sleep:

The error I get in HBL Loader is documented here, and it doesn't look like there's a fix. Yellows8 closed the issue and told people to use Luma's built-in HBL, which doesn't help much for someone trying to use Rei-Six in order to launch an out of date and unsupported exploit. But I digress.

I had no idea there was an oot3dhax offline installer, so thanks for that. I think I've followed the directions correctly (they're a little unclear), and it actually launches when I delete the xml file, but I get the following error: "Failed to install /save00.bin. Error code: FFFFFFFF." It's weird, because the directions specifically tell me to rename the save file to save01/02/03.bin. I even tried renaming the save to save00.bin, but I still get the error.

I'm going to try to keep working on this in the morning. If anyone has a solution, that'd be great. Otherwise I'll just keep trying.

Hacking [Question] Restoring save backup from before CFW

Active Member

Meh.

Active Member

Well-Known Member

Active Member

Well-Known Member

Active Member

Well-Known Member

Meh.

Active Member

Well-Known Member

Active Member

Meh.

Active Member

Meh.

Active Member

Well-Known Member

Active Member

Well-Known Member

Active Member

Similar threads

Popular threads in this forum