3DS Unbricking Possible!
- Thread starter YoshiInAVoid
- Start date
- Views 46,820
- Replies 78
- Likes 24
- Status
- Joined
- Dec 9, 2013
- Messages
- 879
- Reaction score
- 82
- Trophies
- 0
- Age
- 40
- Location
- Boston, MA
- XP
- 363
- Country
There is no good place for the micro USB, I would have to cut a hole in the plastic.
Thank you!
- Joined
- Oct 27, 2002
- Messages
- 23,745
- Solutions
- 14
- Reaction score
- 13,764
- Trophies
- 4
- Age
- 48
- Location
- Engine room, learning
- XP
- 15,713
- Country
I have done backup for my 4.3 sysNAND and the 7.1 emuNAND.I think it is better to keep every version of the emuNAND you use.Who knows what will happen in the future
- Joined
- Jan 24, 2014
- Messages
- 6
- Reaction score
- 0
- Trophies
- 0
- Age
- 82
- Location
- My private plane
- XP
- 71
- Country
Or maybe someone should make a commercial product that stops people from being total pirate scum.
Official release of the Raspberry Pi 3DS unbricker, guide at https://github.com/bkifft/RPU/blob/master/RPU_guide.txt.
Good luck.
Good luck.
- Joined
- Nov 25, 2012
- Messages
- 338
- Reaction score
- 163
- Trophies
- 1
- Location
- The United States of America
- XP
- 1,656
- Country
- Joined
- Oct 27, 2002
- Messages
- 23,745
- Solutions
- 14
- Reaction score
- 13,764
- Trophies
- 4
- Age
- 48
- Location
- Engine room, learning
- XP
- 15,713
- Country
There's a solderless solution for 3DSXL only, but you need to solder the pogo pins and RasPi together. Only the console's side is solderless.
For normal 3DS, you need to solder at least 1 very tiny point (the CLK) which is located at the back of the mother board.
For normal 3DS, you need to solder at least 1 very tiny point (the CLK) which is located at the back of the mother board.
Update: RPU can now unlock the eMMC.
The usual header: this will neither enable a downgrade nor running pirated porkemon [sic] on >4.5.
An anonymous source gave me the key required to generate the console specific eMMC lock/unlock password in exchange for posting his/her following statement in my initial release posts and the tool itself:
The good news: this makes it possible to unbrick even if you don't have a prior NAND backup.
The bad news: for now it has to be done in a quite roundabout way: unlock the eMMC/NAND -> dump it -> relock the eMMC/NAND -> force erase -> flash the NAND image -> unbricked.
The reason for this detour is that besides being locked, the eMMC also gets write protected (just like some people had already stated) and I wasn't able to remove said write protection yet (in this context: if anyone got any idea how on earth i could get the Pi to do CMD27 like it's supposed to work please let me know).
But said write protection gets wiped by a force erase too, thus offering a working solution for now (although I'd have preferred a single keypress unlock and will keep working on that).
I just pushed the changes to github, either do the online or offline update as described in the guide to get the new version.
As i believe not everyone to be interested in the technical details I'll put them in a spoiler:
This is another piece of evidence that the bricking doesn't happen random, as (on the most objective level) the locking occurs using a deterministic (not random) console specific password. I don't want to and will not make any claims beyond that (even though personally I do believe it happens with intent as a clone deterrent gone horribly wrong, this IMHO still isn't decisive damning evidence).
Feasibility of the unlock -> dump -> lock -> force erase -> flash approach was proven by gamesquest1 (using the unmodified 2.0b2) and Inaki (using the region patched 2.0b2). Thanks for testing dudes.
Also thanks to krisztian1997, khalaan and of course the anonymous source. Love you guys (no homo).
p.s. I'll use this opportunity to once again draw attention to step 18 of the guide *nudge nudge wink wink know what i mean*
The usual header: this will neither enable a downgrade nor running pirated porkemon [sic] on >4.5.
An anonymous source gave me the key required to generate the console specific eMMC lock/unlock password in exchange for posting his/her following statement in my initial release posts and the tool itself:
The good news: this makes it possible to unbrick even if you don't have a prior NAND backup.
The bad news: for now it has to be done in a quite roundabout way: unlock the eMMC/NAND -> dump it -> relock the eMMC/NAND -> force erase -> flash the NAND image -> unbricked.
The reason for this detour is that besides being locked, the eMMC also gets write protected (just like some people had already stated) and I wasn't able to remove said write protection yet (in this context: if anyone got any idea how on earth i could get the Pi to do CMD27 like it's supposed to work please let me know).
But said write protection gets wiped by a force erase too, thus offering a working solution for now (although I'd have preferred a single keypress unlock and will keep working on that).
I just pushed the changes to github, either do the online or offline update as described in the guide to get the new version.
As i believe not everyone to be interested in the technical details I'll put them in a spoiler:
The lock/unlock password is generated by encrypting the console specific CID (the unique serialnumber of the eMMC) with GW's master AES key (which I don't and don't want to have) using the 3DS AES engine in CTR mode. I had to look that one up as I only ever use CBC and XTS: CTR uses the block cipher to generate a keystream to be xored to the plaintext with no cleartext or cyphertext feedback whatsoever. In other words: this keystream is constant for all 3DSes, thus enabling an unlock without using a working 3DS to generate the password. To get this keystream one has just to encrypt 16 bytes of 0x00, which my source did.
Lock/Unlock mechanism (in pseudocode, those functions are named differently and have different signatures on the 3DS as well as in RPU):
Thanks GW for choosing the one AES mode which made this approach possible.
Lock/Unlock mechanism (in pseudocode, those functions are named differently and have different signatures on the 3DS as well as in RPU):
Code:
uint8_t CID_buffer[CID_length];
CID_buffer = read_CID(eMMC);
CID = AES_encrypt(CTR , GW_MASTERKEY, CID, CID_length ); //this is equivalent to CID = CID xor AES_encrypt(CTR , GW_MASTERKEY, 0x0, CID_length);
CID[0] = 5; //bit 0 and 2 set, meaning "set password" and "lock eMMC", for the unlock it's CID[0] = 2; //bit 1 set meaning "clear password" (unlock happens implicit)
CID[1] = 14; //next 14 bytes are the password
SD_command(eMMC, 42, CID, CID_length); //command 42 (lock/unlock) on the eMMC sending 16 bytes starting from &CID as data payloadThanks GW for choosing the one AES mode which made this approach possible.
This is another piece of evidence that the bricking doesn't happen random, as (on the most objective level) the locking occurs using a deterministic (not random) console specific password. I don't want to and will not make any claims beyond that (even though personally I do believe it happens with intent as a clone deterrent gone horribly wrong, this IMHO still isn't decisive damning evidence).
Feasibility of the unlock -> dump -> lock -> force erase -> flash approach was proven by gamesquest1 (using the unmodified 2.0b2) and Inaki (using the region patched 2.0b2). Thanks for testing dudes.
Also thanks to krisztian1997, khalaan and of course the anonymous source. Love you guys (no homo).
p.s. I'll use this opportunity to once again draw attention to step 18 of the guide *nudge nudge wink wink know what i mean*
- Joined
- Sep 13, 2009
- Messages
- 31,471
- Solutions
- 2
- Reaction score
- 32,200
- Trophies
- 3
- Location
- Gaming Grotto
- XP
- 31,008
- Country
This thread is essentially a dupe of: http://gbatemp.net/threads/3ds-unbricking-progress.361171/
As such, I'll report this thread for locking - please follow the link above for any and all discussions regarding 3DS unbricking.
As such, I'll report this thread for locking - please follow the link above for any and all discussions regarding 3DS unbricking.
- Joined
- Dec 2, 2007
- Messages
- 13,265
- Solutions
- 1
- Reaction score
- 21,572
- Trophies
- 5
- Age
- 36
- Location
- Pittsburgh
- XP
- 17,057
- Country
We have enough Gateway threads around here, lets try to consolodate at least a few of them. For updates and discussions about 3DS unbricking, please use this topic.
- Status
Site & Scene News
New Hot Discussed
-
-
12K views
Nintendo Direct June 9, 2026 roundup - Ocarina of Time remake announced, Kingdom Hearts IV trailer
Nintendo's expected Summer showcase is here, offering up plenty of new announcements and exciting reveals. Let's see what they have in store in the latest Nintendo... -
11K views
Pokémon Crystal gets a PC port titled "suiCune" based on C/C++ language
Continuing with the great news of Pokémon Platinum getting a native unofficial PC port just a few days ago, today, yet another classic title from the franchise has... -
11K views
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
10K views
Steam Machine waiting list goes live, starting at £879 with a 512GB SSD
After much speculation, a lot of which being caused by dbrand's unceremonious reveal of their Companion Cube casing, the Steam Machine is finally available to order... -
9K views
The long awaited EarthBound Beginnings Remake romhack is now available after almost 2 decades in development
What once seemed like a far off dream, and after many, many community restarts throughout the years, the elusive Mother 1 / EarthBound Beginnings Remake, which is a... -
9K views
Low-level 3DS emulator 3Beans released alongside setup tutorial video
When you talk about 3DS emulation, most people would jump to Citra. As the defacto choice since its first release it's seen tremendous success, and even after its... -
8K views
Super Mario 64 gets a brand new port on the Nintendo DS, brings support for full local multiplayer
Since being decompiled Super Mario 64 has seen a considerable amount of interest. We've had multiple PC ports, but the efforts beyond that are really astounding. It's... -
8K views
PlayStation State of Play June 2, 2026 broadcast - new God of War announced
A whole hour of PlayStation content is on the way, thanks to the latest State of Play showcase. Headlining the stream will be Marvel's Wolverine, alongside a... -
7K views
Nintendo fined 35 million euros by the French government due to Switch 1 Joycon malfunctions
Following an investigation over misleading commercial practices, today Nintendo has been imposed a fine of 35 million euros related to the controller malfunctions... -
7K views
Homebrew Atmosphere v1.11.2 released, adds support for Switch firmware 22.5.0
Happy June 15th! Well, this one was close enough. Atmosphere has been updated to add support for the latest Nintendo Switch firmware, 22.5.0. This means all of you...
-
-
-
224 replies
Steam Machine waiting list goes live, starting at £879 with a 512GB SSD
After much speculation, a lot of which being caused by dbrand's unceremonious reveal of their Companion Cube casing, the Steam Machine is finally available to order... -
142 replies
Nintendo Direct June 9, 2026 roundup - Ocarina of Time remake announced, Kingdom Hearts IV trailer
Nintendo's expected Summer showcase is here, offering up plenty of new announcements and exciting reveals. Let's see what they have in store in the latest Nintendo... -
127 replies
Grand Theft Auto VI pre orders go live tomorrow, physical release limited to code in box
The delays may be behind us, but the news isn't all good for Grand Theft Auto VI. Rockstar have today announced that pre-orders for the game will go live tomorrow, on... -
123 replies
Xbox to increase in price again in August, Series S set to hit $500
Remember when you could get an Xbox Series S for $300? Those were the days. Microsoft has today announced the latest in their console price hikes, seeing their... -
91 replies
What do you want to see in the next Nintendo Direct?
With rumours circulating about a Nintendo Direct in the coming days and weeks, fans are left speculating and hoping as to what might be included. At the centre of all... -
80 replies
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
71 replies
Nintendo Direct to air on the 9th of June, set to feature 50 minutes of Switch and Switch 2 games launching this year
After much speculation and rumour, the fabled Nintendo Direct is upon us. Set to go live tomorrow, the 9th of June, at 3pm in the UK, it'll feature 50 minutes of... -
71 replies
PlayStation State of Play June 2, 2026 broadcast - new God of War announced
A whole hour of PlayStation content is on the way, thanks to the latest State of Play showcase. Headlining the stream will be Marvel's Wolverine, alongside a... -
65 replies
Nintendo fined 35 million euros by the French government due to Switch 1 Joycon malfunctions
Following an investigation over misleading commercial practices, today Nintendo has been imposed a fine of 35 million euros related to the controller malfunctions... -
63 replies
Call of Duty: Modern Warfare 4 to launch on Nintendo Switch 2 in October
For the first time in 13 years, the Call of Duty series will again return to Nintendo's consoles. Set to launch on the 23rd of October, the latest release, Modern...
-
