Hacking 3DS unbricking progress

[cy2u5]

So, here is the update. I changed the pinout and have no errors anymore.
But the MMC is still locked

(D)edication | (S)afe run (Querry only) | (U)nlock (Safe) | (F)orce erase (Dangerous!) | (Q)uit
U

EMMC: resetting controller
CMD0: idle
CMD1(0) : init and querry OCR
CMD1(0x00FF8080) : repeat untill ready
CMD2: CID and id mode

Warning! The CID is an unique serialnumber which might be traceable. Do not publish it in any way!
CID: XXXXXXXXXXXXXXXXXXXXXXX

CMD3: assign RCA and standby mode
CMD9: get CSD

CSD: XXXXXXXXXXXXXXXXXXXXXXX

CMD7: switch to transfer mode
CMD13: get status register
MMC status: 0x02000900

MMC is locked.

CMD16: setting blocklength to 16
CMD42: unlock and clear password
CMD13: get status register
MMC status: 0x03000900

MMC is locked.


(D)edication | (S)afe run (Querry only) | (U)nlock (Safe) | (F)orce erase (Dangerous!) | (Q)uit

 

[hundshamer]

Could he be missing his lock tab on the SD card?

 

[cy2u5]

Could he be missing his lock tab on the SD card?

You were right, dude!
I am an idiot, the write protection lock tab was on "LOCK". I moved it up but unfortunately still MMC locked message

I always use "U" for unbricking. Because I don't own a NAND Backup, I don't want to use (F)orce Erase. Am I right?

 

[hundshamer]

You were right, dude!
I am an idiot, the write protection lock tab was on "LOCK". I moved it up but unfortunately still MMC locked message

I always use "U" for unbricking. Because I don't own a NAND Backup, I don't want to use (F)orce Erase. Am I right?

Correct. You do not want to force erase without a NAND backup.

 

[n3o33]

so now i used the actual script here the output for safe run

EMMC: resetting controller
EMMC: control0: 00000000, control1: 00000000, control2: 00000000
EMMC: capabilities: 0000000000000000
EMMC: checking for an inserted card
EMMC: status: 01ff0000
EMMC: setting clock rate
EMMC: control0: 00000000, control1: 000f03c7
EMMC: enabling SD clock
CMD0: idle
sd_issue_command: issuing command CMD0
CMD1(0) : init and querry OCR
sd_issue_command: issuing command CMD1
CMD1(0x00FF8080) : repeat untill ready
sd_issue_command: issuing command CMD1
iteration 1
sd_issue_command: issuing command CMD1
iteration 2
CMD2: CID and id mode
sd_issue_command: issuing command CMD2

Warning! The CID is an unique serialnumber which might be traceable. Do not publish it in any way!
        CID:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

CMD3: assign RCA and standby mode
sd_issue_command: issuing command CMD3
SD_init: CMD3 response: 02000500
SD_init: RCA: beef
CMD9: get CSD
sd_issue_command: issuing command CMD9

        CSD: 00D02701320F5903B9F6DBFFE78A4040

CMD7: switch to transfer mode
sd_issue_command: issuing command CMD7
CMD13: get status register
sd_issue_command: issuing command CMD13
MMC status: 0x02000900

        MMC is locked.

and heres the out trying to unlock the emmc

EMMC: resetting controller
EMMC: control0: 00000000, control1: 00000000, control2: 00000000
EMMC: capabilities: 0000000000000000
EMMC: checking for an inserted card
EMMC: status: 01ff0000
EMMC: setting clock rate
EMMC: control0: 00000000, control1: 000f03c7
EMMC: enabling SD clock
CMD0: idle
sd_issue_command: issuing command CMD0
CMD1(0) : init and querry OCR
sd_issue_command: issuing command CMD1
CMD1(0x00FF8080) : repeat untill ready
sd_issue_command: issuing command CMD1
iteration 1
sd_issue_command: issuing command CMD1
iteration 2
CMD2: CID and id mode
sd_issue_command: issuing command CMD2

Warning! The CID is an unique serialnumber which might be traceable. Do not publish it in any way!
        CID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

CMD3: assign RCA and standby mode
sd_issue_command: issuing command CMD3
SD_init: CMD3 response: 02000500
SD_init: RCA: beef
CMD9: get CSD
sd_issue_command: issuing command CMD9

        CSD: 00D02701320F5903B9F6DBFFE78A4040

CMD7: switch to transfer mode
sd_issue_command: issuing command CMD7
CMD13: get status register
sd_issue_command: issuing command CMD13
MMC status: 0x02000900

        MMC is locked.

CMD16: setting blocklength to 16
sd_issue_command: issuing command CMD16
CMD42: unlock and clear password
sd_issue_command: issuing command CMD42
SD_send_int: block 0 transfer complete
CMD27: write CSD
sd_issue_command: issuing command CMD27
SD_send_int: error occured whilst waiting for command complete interrupt
INTERRUPT:--------------------------------------
ACMD_ERR:       0
DEND_ERR:       0
DCRC_ERR:       0
DTO_ERR:        0
CBAD_ERR:       0
CEND_ERR:       0
CCRC_ERR:       0
CTO_ERR:        1
ERR:            1
ENDBOOT:        0
BOOTACK:        0
RETUNE:         0
CARD:           0
READ_RDY:       0
WRITE_RDY:      0
BLOCK_GATE:     0
DATA_DONE:      0
CMD_DONE:       0
SD_init: error sending CMD27, error = 00010000. Giving up.

so would could i try to get this scrap running again ?

 

[cy2u5]

Correct. You do not want to force erase without a NAND backup.

Thank you!

Still no luck

(D)edication | (S)afe run (Querry only) | (U)nlock (Safe) | (F)orce erase (Dangerous!) | (Q)uit
U

EMMC: resetting controller
CMD0: idle
CMD1(0) : init and querry OCR
CMD1(0x00FF8080) : repeat untill ready
CMD2: CID and id mode

Warning! The CID is an unique serialnumber which might be traceable. Do not publish it in any way!
CID: XXXXXX

CMD3: assign RCA and standby mode
CMD9: get CSD

CSD: XXXXXX

CMD7: switch to transfer mode
CMD13: get status register
MMC status: 0x02000900

MMC is locked.

CMD16: setting blocklength to 16
CMD42: unlock and clear password
CMD13: get status register
MMC status: 0x03000900

MMC is locked.


(D)edication | (S)afe run (Querry only) | (U)nlock (Safe) | (F)orce erase (Dangerous!) | (Q)uit

 

[bkifft]

Thank you!

Still no luck

thing is, there shouldn't be a force erase option in the latest version. I've just checked again to be sure....
you seem to be running the interim version that allowed to unlock, dump, force erase. the one our resident brickophile made the howto video for.

but doesn't matter, it seems they did indeed change the unlock key.
so you (and all other who got bricked) can either do the force erase, aka completely wiping the NAND, thereby unlocking it and enabling you to restore a NAND backup or an emunand dump from the 3DS in question, or wait and pray to the gods that someone is willing to reverse engineer the latest gateway launcher to extract the NAND lock key generation (which is way beyond my skills as I hate assembler).

edit: i've re-enabled the force erase. just to reiterate: this will empty the NAND, turning the 3DS into a paper weight or door stop if there is no good NAND dump of this specific 3DS.

(i don't know if one could be generated with the console keys, but i suppose someone who doesn#t have a NAND dump will not have the keys dumped as well).

 

[Slashmolder]

thing is, there shouldn't be a force erase option in the latest version. I've just checked again to be sure....
you seem to be running the interim version that allowed to unlock, dump, force erase. the one our resident brickophile made the howto video for.

but doesn't matter, it seems they did indeed change the unlock key.
so you (and all other who got bricked) can either do the force erase, aka completely wiping the NAND, thereby unlocking it and enabling you to restore a NAND backup or an emunand dump from the 3DS in question, or wait and pray to the gods that someone is willing to reverse engineer the latest gateway launcher to extract the NAND lock key generation (which is way beyond my skills as I hate assembler).

edit: i've re-enabled the force erase. just to reiterate: this will empty the NAND, turning the 3DS into a paper weight or door stop if there is no good NAND dump of this specific 3DS.

(i don't know if one could be generated with the console keys, but i suppose someone who doesn#t have a NAND dump will not have the keys dumped as well).

When I had my brick last year they were already using a different key. I'm pretty sure they were using AES CBC mode so you can't just use an XOR pad to unbrick anymore. If someone manages to get the key they'll have to run some 3DS homebrew with the CID to get the unlock key.

 

[cy2u5]

I show the white flag and give up that sh*t. It won't unbrick. Let's wait for a wonder...

 

[n3o33]

hi all,

a short update. i got unlock the emmc via the force erase option.
i want to use an old emunand backup to restore the 3ds nand. but when i insert the sd mod in my integrated card reader i got the next problems -.- . sometimes the 3ds is recognized, sometimes not. if its recognized i want to flash the backup via win32 disk imager but after selecting the image and hit the write button nothing happens. after time i got no response from the tool.
what i doing wrong ? maybe because i used an integrated sd card reader from my laptop ? its better to use an extern reader ?

sometime i can play games on my 3ds again ^^

 

[gamesquest1]

hi all,

a short update. i got unlock the emmc via the force erase option.
i want to use an old emunand backup to restore the 3ds nand. but when i insert the sd mod in my integrated card reader i got the next problems -.- . sometimes the 3ds is recognized, sometimes not. if its recognized i want to flash the backup via win32 disk imager but after selecting the image and hit the write button nothing happens. after time i got no response from the tool.
what i doing wrong ? maybe because i used an integrated sd card reader from my laptop ? its better to use an extern reader ?

sometime i can play games on my 3ds again ^^

you probably have a incompatible SD reader, try a different one, it doesn't matter if its internal or external it all just depends on if it can read the 3DS properly, if you want to buy one you know for sure will work then check out the n3DS nand mod thread, but tbh a guesstimate i would say probably around 70% of SD readers are good enough for reading a standard o3DS/o3DS XL nand you were probably just unlucky and had a incompatible model

 

[n3o33]

ok thanks for the hint, i will try different readers...

omg hacking the xbox360 was much easier then this stuff

 

[n3o33]

so finally i got my 3ds back to life.
but the old emunand backup has version 9.9 and now i want to n´know if its possible to downgrade back to version 4.5

finally i can confirm thats possible to unbrick the new brick system from gateway.

 

[gamesquest1]

so finally i got my 3ds back to life.
but the old emunand backup has version 9.9 and now i want to n´know if its possible to downgrade back to version 4.5

finally i can confirm thats possible to unbrick the new brick system from gateway.

nope you can only downgrade if you have a nand dump from when you were on the older FW, that's why your always advised to make a nand backup as the first step when setting up any cfw/Gw, so without any further developments you will be stuck on 9.9+

 

[Deleted-236924]

At least it's still better to have a working 9.9 3DS than a non-working one.

 

[cy2u5]

....
finally i can confirm thats possible to unbrick the new brick system from gateway.

Unfortunately not for me.
My 3DS was at 4.4 and I had used the latest GW Plugin.

No chance

 

[n3o33]

@cy2u5 im sorry to hear that.
you also have never setup an emunand correctly ?

a stupid and long term way would be to brute force the 3ds till you find the correct unlocker key.

 

[krisztian1997]

@cy2u5
a stupid and long term way would be to brute force the 3ds till you find the correct unlocker key.

There are only 2^128 possible combinations... by the time you finish brute forcing to find the correct password, Nintendo won't exist anymore.

 

[cy2u5]

@cy2u5 im sorry to hear that.
you also have never setup an emunand correctly ?

No, unfortunately not. When I got the DSTWO+, I didn't knew anyting anbout emunand, bricks and undbricks by 3DS handhelds
I could kick into my ass when I think about how I ignored creating a backup of the NAND when I was in the Gateway menu. I started it and after few seconds it said "insufficent space on SD Card"
Never did a backup again.....

 

[cy2u5]

Got now a used 3DS with broken charging port and Firmware 8.1.0-4E
Will do a NAND Dump first ^^