Hacking 4.2.0-9U sysNAND, PBT-CFW and region swapped 9.6.0-24E emuNAND without GW on single SD

CravingCritic

After spending a couple of hours, I've finally gotten my O3DSXL to run 4.2.0-9U sysNAND, PBT-CFW and a region swapped 9.6.0-24E emuNAND all running off of a single SD card, using only my DS flash card and my PC.

It's pretty much a mashup of a bunch of different tutorials, but I put it all together and it seems to be working flawlessly outside of Smash refusing to load because of the soft-reset it does on boot.

In short, the process goes like this:

1. Set up PBT-CFW (installing BRM/DevMenu/BBM, as per usual)
1.5. Install any legit CIA files you want to use in emuNAND
2. Backup your "Nintendo3DS" folder from your SD card
3. Format your emuNAND using the GW launcher
3.5. Copy the Nintendo3DS folder back to your SD card, along with the launcher files
4. Install the 4.5.0-10E system CIA's using 3DNUS (change the region accordingly to what you want)
5. Extract the emuNAND from your SD card
6. Inject your new region SecureInfo_A file
7. Inject the emuNAND backup to your SD card
8. Boot into rxTools emuNAND and update

For my method of switching between PBT, GW launcher and rxTools, I use the multiROP installer and rxTools MSET installer and install the respective MSET ROP chain (MSETforBoss.dat for CFW, Launcher.dat for GW launcher and rxTools.bat for rxTools emuNAND).

I'd link all of the files I've listed, buuuut it's after 2AM and I'm extremely tired. Check back sometime soon and I might have it all linked, but until then, enjoy this video showing the final product working.

Oh, thumbs up to Hot Pockets for fueling me during this endeavor. They even made an appearance in the video.

 

mid-kid

Why not use the dual emunand method? I know it costs 1GB, but it's worth it in case you might brick your NAND by fucking around.
 

StriderVM

So is the whole idea to run legit CIAs no matter what region those legit CIAs are? Sorry if I'm a little dense.... :P
 

CravingCritic

> Why not use the dual emunand method? I know it costs 1GB, but it's worth it in case you might brick your NAND by fucking around.

I started on this a couple of days ago, but only really got into it tonight. Didn't even know Dual emuNAND was a thing until I made this post. In any case, you still need to use PBT-CFW to change your emuNAND region as GW emuNAND is built using sysNAND files.

> So is the whole idea to run legit CIAs no matter what region those legit CIAs are? Sorry if I'm a little dense.... :P

At the moment, I've only got it set up to use one region changed emuNAND (US->EUR). Ideally, the dual emuNAND thing would allow you to set up multiple emuNANDs, each with a specific region to use.
 

Ronhero

It's funny I have been guiding someone through this same exact thing over at MC for the past week. Glad to see it is starting to catch on since it seems to be the only way to play 7.x key games without a flash cart
 

Loaffy

> 1. Set up PBT-CFW (installing BRM/DevMenu/BBM, as per usual)
> 1.5. Install any legit CIA files you want to use in emuNAND
> 2. Backup your "Nintendo3DS" folder from your SD card
> 3. Format your emuNAND using the GW launcher
> 3.5. Copy the Nintendo3DS folder back to your SD card, along with the launcher files
> 4. Install the 4.5.0-10E system CIA's using 3DNUS (change the region accordingly to what you want)
> 5. Extract the emuNAND from your SD card
> 6. Inject your new region SecureInfo_A file
> 7. Inject the emuNAND backup to your SD card
> 8. Boot into rxTools emuNAND and update

How are you going to do step 4 if you got rid of your cfw emunand and therefore can't boot into cfw any more? I'm not asking seriously because I've already done all this. But your steps don't seem to be in the right order or complete.

Better steps (still not 100% detailed, but if you know how to set up cfw and you know where to get a secureinfo_A file from you should be able to follow along);

1. Set up Palantine-CFW (installing BRM/BBM, as per usual)
2. Install the 4.5.0-10E system CIA's using 3DNUS and BBM [do not use devmenu] (change the region accordingly to what you want)
3. Convert your cfw emunand into a gw emunand (can use a hex editor to do this manually by copying the bytes from offset 200 to the end of your NAND [NAND length can be determined by checking the NAND dump you should have already made] to a new file which you will save as NAND.bin and inject with emunand tool, or you can do this automatically using some program I don't have [something like rednand to emunand, maybe somebody knows the name of this program])
4. Inject your new region SecureInfo_A file using cearp's 4.x secureinfo dumper/injector tool (may take a few tries)
5. Convert emunand back to rednand (emunand tool to extract, then drag_emunand_here.bat, just like the first time you set up cfw) and reinject with emunand tool
6. Boot into your now region changed cfw
7. (optional) format emunand twice (why twice? I don't know, I just read this somewhere and it can't hurt that much to do it twice) in system settings, you will have to reinstall the DS profile exploit each time. This will unlink your emunand from sysnand, which seems to make SSB4 and MH4U work, but will seemingly break eShop access for your emunand. I am currently testing a method of fixing eShop access but cannot verify if it works just yet. eShop CAN be fixed, by following these steps: https://gbatemp.net/threads/poc-3ds-region-changing-proof.378110/page-17#post-5402737
Note: it's very important that if you're trying to fix eShop using those steps, you MUST turn your 3DS off right after getting the error in step 2 otherwise you will have to start all the steps over again.
7.5 (only necessary if you did step 7) reinstall BBM using the "hold L button" and ctrclient/run.bat stuff you did when you first set up cfw
8. Install the legit .cias you wish to use
9. Convert rednand/cfw emunand back to gw emunand/regular emunand.
10. Boot into rxTools emuNAND and update

These might not be the most efficient steps, but they will work. I still don't know if it's specifically unlinking emunand from sysnand that made SSB4/MH4U work for me, or if it was the system format in emunand after region changing that makes the difference. If you are not planning on playing SSB4/MH4U then you can probably install the legit .cias as step 1.5 and then you don't have to convert back from emunand to rednand just to install the legit .cias. But I know these steps definitely work, so it's not that bad to spend an extra ~30 minutes on them.

P.S. after some testing, if you don't unlink your emunand from your sysnand it seems that even after region changing you will still be connecting to the eShop of your original region. At least this is the case for me. This means that you won't actually be able to update titles that are not of your original region/region free, because you will be downloading the wrong region's updates. If anyone has a different experience with the eShop, I'd be interested to hear about it.
 

CravingCritic

> How are you going to do step 4 if you got rid of your cfw emunand and therefore can't boot into cfw any more? I'm not asking seriously because I've already done all this. But your steps don't seem to be in the right order or complete.

You don't get rid of your CFW emuNAND because there is no CFW emuNAND. PBT doesn't use redNAND, it installs CIA files directly to sysNAND, eliminating the need to mess with emuNAND sectors.
 

Loaffy

> You don't get rid of your CFW emuNAND because there is no CFW emuNAND. PBT doesn't use redNAND, it installs CIA files directly to sysNAND, eliminating the need to mess with emuNAND sectors.

I still don't get it. We're not trying to region change our sysNAND, are we? So wouldn't using PBT to install the 4.5.0-10E system CIA install them to sysNAND, and not emuNAND? Or will it install to both if they are linked? Maybe I'm missing something, since I don't bother with PBT and just use palantine which works fine for installing legit .cias to emunand and installing alternate region firmware update .cias.
 

jhiean

Did you set up redNAND in step #1? And why not install DevMenu? Because some CIAs required for region changing don't install on BBM.
 

Loaffy

> Did you set up redNAND in step #1? And why not install DevMenu? Because some CIAs required for region changing don't install on BBM.

Yes, I consider setting up redNAND part of step #1, though I know that the steps I listed are not fully detailed.

The reason I don't like DevMenu is because it will stop installing .cias if it finds one that already exists. When you download a firmware update with 3DNUS, it will download everything up to the selected firmware, meaning there will be lots of .cias that you don't actually need.

BBM just skips these files, which is why I recommend it. I haven't had any issues with it, but I guess if for some reason it was failing to install .cias then you would have to manually go through the .cias that 3DNUS downloads, compare the titleID's with a list (such as the titlelist.csv that 3DNUS downloads), remove the unnecessary ones, and then install them with DevMenu.

I just find it a pain trying to manually remove unwanted .cias and comparing them to the titlelist.csv, and I've actually bricked my emuNAND by doing so (I guess I must have deleted something I wasn't supposed to).
 

jhiean

> 3. Convert your cfw emunand into a gw emunand (can use a hex editor to do this manually by copying the bytes from offset 200 to the end of your NAND [NAND length can be determined by checking the NAND dump you should have already made] to a new file which you will save as NAND.bin and inject with emunand tool, or you can do this automatically using some program I don't have [something like rednand to emunand, maybe somebody knows the name of this program])

What program do you use to extract the redNAND??
 

Loaffy

> What program do you use to extract the redNAND??

I use HxD for this. Basically you need to copy everything from offset 200 up until the end of your emunand - the length of your emunand can be determined by doing a nand dump with gw launcher (you probably already have a nand dump if you've set up a rednand) and then entering the size into a decimal to hex converter such as this: http://www.binaryhexconverter.com/decimal-to-hex-converter

Specifically I open HxD (make sure to run as administrator!) and in the "extras" tab at the top I choose "open disk" and select my SD card.

Then I go to "edit" and choose "select block". For "start-offset" I put 200 and for "end-offset" I put 3BA001FF (which corresponds with my NAND size of 3BA00000 or 1,000,341,504 bytes).

If your NAND.bin is a different size than mine, you will need to add 1FF to the end of its length in hex (this compensates for the 200 Bytes of dummy data at the beginning of the file - 1FF is 1 less than 200 in hexadecimal).

Once I have selected the blocks that correspond to my emuNAND, I choose copy (ctrl +c) then make a new file (ctrl + n) then paste into that file (ctrl + v) and save the file as emuNAND.bin and then flash it to my SD using emuNAND tool.

Note: there is apparently a much easier way to do this, I just haven't tested it. This is a post I found on another forum which describes an easier way to do this;

> It's way easier if you do it with 3ds-dualnand, since it automatically detects which logical drive contains the EmuNAND.
> Run the following commands:
> 3ds-dualnand -1 -o RedNAND.bin
> 3ds-dualnand -1 -i RedNAND.bin
> This will write the RedNAND as an EmuNAND, by using the "-i" parameter (if you use "-cfw" instead of "-i", it gets written as a RedNAND).

I think this post is referring to this program: https://gbatemp.net/threads/release-3ds-dual-emunand-creator.381603/
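
The offset arithmetic in the post above, as an added Python example that is not part of the original post or of any tool named in the thread. It assumes the SD card has first been imaged to a regular file; `select_block`, `carve` and `demo` are hypothetical names, and the sample image is constructed.

```python
import hashlib
import os
import tempfile

LEAD_BYTES = 0x200    # dummy data ahead of the NAND image, per the post
CHUNK = 1 << 20       # copy 1 MiB at a time


def select_block(nand_size, lead=LEAD_BYTES):
    """Return (start, end) for a hex editor's "select block"; end is inclusive."""
    if nand_size <= 0 or nand_size % 0x200:
        raise ValueError("NAND size must be a positive multiple of 0x200")
    return lead, lead + nand_size - 1


def carve(src_path, dst_path, nand_size, lead=LEAD_BYTES):
    """Copy nand_size bytes starting at `lead` from an image file; return SHA-256."""
    start, end = select_block(nand_size, lead)
    if os.path.getsize(src_path) <= end:
        raise ValueError("source is shorter than the requested block")
    digest = hashlib.sha256()
    remaining = nand_size
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        src.seek(start)
        while remaining:
            buf = src.read(min(CHUNK, remaining))
            if not buf:
                raise IOError("short read; output is incomplete")
            dst.write(buf)
            digest.update(buf)
            remaining -= len(buf)
    return digest.hexdigest()


def demo():
    """Build a small constructed image and carve the payload back out."""
    payload = bytes(range(256)) * 8            # 0x800 bytes standing in for a NAND
    image = b"\xAA" * LEAD_BYTES + payload + b"\x55" * 0x400
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sd.img")
        dst = os.path.join(tmp, "emuNAND.bin")
        with open(src, "wb") as f:
            f.write(image)
        digest = carve(src, dst, len(payload))
        with open(dst, "rb") as f:
            same_bytes = f.read() == payload
        return same_bytes, digest == hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    start, end = select_block(0x3BA00000)      # NAND size quoted in the post
    print(f"start-offset {start:X}, end-offset {end:X}")
    print(demo())
```

The returned SHA-256 can be compared against a hash of the extracted file after it has been copied elsewhere, to confirm the copy is intact before anything is written back to the card.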
 

jhiean

What I mean is, after setting up Palantine CFW and installing the desired CIAs for region change, you take out your SD card, insert it in the PC, and then use the 3ds-dualnand tool?
 

VerseHell

Yes it's much easier to use 3ds dual nand creator. I made a pack for this.
http://www.jheberg.net/captcha/3ds-dualnand-v05-3/
- Use "Extract emuNAND 1.bat" to extract your emunand/cfw rednand
- Use "Inject EmuNAND 1.bat" to inject your extracted emunand.
- Use "Inject RedNAND 1.bat" to inject your extracted emunand, but as a RedNAND (to use it with Palantine CFW).
- Use "Inject RedNAND 2.bat" to create a second emunand as a RedNAND (for example if you want to use a region swapped emunand with rxTools, a region swapped rednand with Palantine cfw, and the PBT-CFW on your sysnand). This will format your sd card the first time, so back it up first. After that (and not before), replace your current boot.bin with the one in the pack.
- Use "Extract emuNAND 2.bat" to extract your second emunand.
 

jhiean

I've successfully changed my console region from JPN to EUR, thanks to you all.

Also, save this in a .bat file so that you don't have to type it at the cmd prompt:

redNand to emuNAND
3ds-dualnand -1 -o RedNAND.bin
3ds-dualnand -1 -i RedNAND.bin

emuNAND to redNAND
3ds-dualnand -1 -o EmuNAND.bin
3ds-dualnand -1 -cfw EmuNAND.bin
 
