A new method for spoofing e-shop 007-2404 on <10.0 emuNAND

Discussion in '3DS - Flashcards & Custom Firmwares' started by MelonGx, Nov 5, 2015.

  1. MelonGx
    OP

    MelonGx GBAtemp Advanced Maniac

    The method was discovered by fwc2618 and contributed to by everyone in this thread.

    1) DL the latest "tiger" and "NVer" with 3DNUS.
    (If you don't know what tiger / NVer are, please search for them on 3dbrew.org's Title List page)
    2) Install "tiger" and "NVer" with BigBlueMenu in GW emuNAND.
    3) Launch FreeMultiPatcher.
    Done.

    It has been tested and works on GW 3.4.1 N3DS emuNAND 9.5.
    No more bothering with HANS!

    Warning: It's GW 3.4.1 only!
    rxTools, CakesFW, ReiNAND can't use it!
    They still have to bother with HANS (+NVer).
     
    Last edited by MelonGx, Nov 16, 2015
  2. Syphurith

    Syphurith Beginner

    Why can't they use it? Have you tested it already?
     
  3. xdaniel

    xdaniel Advanced Member

    Did something similar on O3DS 9.9 EmuNAND, booted via rxTools a few days ago - and yes, I could've just updated the whole thing to 10.2, but I felt like experimenting. Downloaded the latest eShop and mint eShop applet CIAs, installed them via sysUpdater, and I could browse and download from the eShop again (edit: still using Free Multi Patcher). Haven't tested buying content or adding funds or anything like that, but I don't see a reason why that should fail... though I'm not a "professional" at this at all, so I don't know. I mean, I wasn't even sure if this would work in the first place, sooo... yeah.
     
    Last edited by xdaniel, Nov 5, 2015
  4. MelonGx
    OP

    MelonGx GBAtemp Advanced Maniac

    It freezes at the 3DS logo.
     
  5. Ericjwg

    Ericjwg GBAtemp Psycho!

    aha... needs crypto fix?
     
  6. MelonGx
    OP

    MelonGx GBAtemp Advanced Maniac

    It should be called firmware spoofing. Maybe.

    (crypto-fix = decrypt SEED and repack != firmware spoofing)
     
    Last edited by MelonGx, Nov 5, 2015
  7. Ericjwg

    Ericjwg GBAtemp Psycho!

    eh.....
     
  8. bache

    bache GBAtemp Advanced Fan

    For what it's worth, it worked fine with GW3.4 for me.
    I was about to try and create a firmware-spoofed CIA, but it dawned on me that I don't know how to create exheaders for system titles that don't install data to the SD:\Nintendo 3ds\<ID1>\<ID2> folder. Can anybody point me in the right direction?
     
    Last edited by bache, Nov 5, 2015
  9. Ninoh-FOX

    Ninoh-FOX Otaku Gamer!!

    On New 3DS it doesn't work because of the crypto; cryptofix doesn't work.
     
  10. Aroth

    Aroth GBAtemp Addict

    I imagine it would involve using something like rxTools to dump system titles from the NAND, but beyond that I do not know.
     
  11. Syphurith

    Syphurith Beginner

    Yes, you are right.
    1. Any unsigned copy of this app would not work. So you lose the modifications.
    2. Without modification you cannot spoof firmware or anything else, and with a legacy system version the new eShop would refuse to run.
    Oh.. It would be good if CFW embedded internal firm spoofing, or even patched this sig check.
    Yeah, I don't really care about this.. I could get patches somewhere else, and mine is an O3DS, so I can use the latest version.
    Another sig check, oh damn it Ninty!
     
  12. Aroth

    Aroth GBAtemp Addict

    Unsigned copies only do not work in sysNAND without sig checks patched.

    If you are running any CFW that does patch signature checks (rxTools, Reinand, Pasta, GW, etc) then you can modify it all you want and it WILL still run.

    The reason GW users can install and use the latest versions of tiger and mint while other CFW users get an infinite loading screen is because of the way GW patches the firmware check that every app runs on launch. Afaik the other CFWs do not do that yet, and any attempt to run a title that requires X firmware when you are on a lower one will result in an infinite loading screen.

    Note that this is different from the "update check" that is run on attempting to sign into your NNID. FreeMultiPatcher was designed to get around the update check, but not actual firmware checks.
     
  13. Syphurith

    Syphurith Beginner

    Yes, it might be the firmware check.
    Since it has Bit 21 in its Exheader descriptor, which is documented on 3dbrew as a 9.6.0 FIRM mark.
    So yeah, what stopped me is not the sig check (with rxTools).
    Well, hope this could be solved - even if I do not go to the eShop.
     
  14. Aroth

    Aroth GBAtemp Addict

    Well, we can build CIAs for games with altered firmware checks, so I assume we can do the same for system titles. If someone were to build a spoofed CIA for the latest eShop then in theory we would be able to install that and it would run as long as you are attempting to run it on a CFW with signature checks patched.

    I am currently working on that atm, but most of the tools and tutorials for decrypting and rebuilding titles are specifically for games/DLC stored on the SD card, and system titles like tiger and mint are in the NAND itself.
     
  15. Syphurith

    Syphurith Beginner

    You can decrypt it with Decrypt9. However, even installing a decrypted CIA would not let you run the eShop.
    Eh.. If you want to try, just try it. I once merged the newest contents into the older one and rebuilt the CIA. However, it didn't let me pass. Orz
     
  16. Aroth

    Aroth GBAtemp Addict

    Can't decrypt it without xorpads and I haven't found a way to generate valid xorpads for a system title that is installed to the NAND. I think with rxTools you can dump/decrypt system titles, but you end up with a titleid.app file that I have no idea what to do with. The tutorial I found for unpacking and repacking CIA files appears to apply only to games and their updates, or at the very least only to titles installed on the SD card itself rather than the NAND.

    Either way the "fix" won't be a matter of simply decrypting the cia and/or merging contents or anything like that. The exheader for the title contains a piece of data that tells the system what the minimum required firmware is. This data is a set of 4 hex values (0x####) that needs to be altered. For example a title that requires 9.5 has 3102 in that address. A title that requires 9.2 would have 2E02. I am not sure what it would read for a title that requires 10.0 like the latest tiger probably does, but it is in the same place for all titles. It simply needs to be changed to something like 2E02 so that the title will launch and pass the check.

    Now it may very well still crash because of compatibility issues with other older titles in the NAND, idk. It is a risk that always accompanies a frankenstein firmware like we are talking about making. Which is why you never attempt such a thing on sysNAND without a hardware mod and a valid NAND backup.

    Basically any fix we come up with here will ONLY work for users on 9.2 or lower and should never be attempted on sysNAND directly. Before anyone complains, if you have a sysNAND in that range and don't want to update you should be using emuNAND, and if you are 9.3 or higher you should just go ahead and update to 10.0. At this point there is very, VERY, little chance of a kernel exploit showing up for 9.3-9.9.
     
    Last edited by Aroth, Nov 6, 2015
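    As an added illustration, not code from this thread: a small Python helper for the exheader field Aroth describes above. It locates the kernel release version descriptor in the ARM11 kernel capability table (per 3dbrew: bits 31..25 equal 1111110, major version in bits 15..8, minor in bits 7..0; 28 little-endian 32-bit entries, 0xFFFFFFFF meaning unused) and rewrites it. The sample table is constructed; decoding the post's "3102" and "2E02" this way gives kernel 2.49 and 2.46.

```python
import struct

KVER_PREFIX = 0x7E        # 0b1111110 in bits 31..25 marks "kernel release version" (per 3dbrew)
NUM_DESCRIPTORS = 28      # size of the ARM11 kernel capability table (assumed per 3dbrew)
UNUSED = 0xFFFFFFFF       # an empty descriptor slot


def is_kernel_version(desc):
    """True if this 32-bit descriptor is the kernel-release-version entry."""
    return (desc >> 25) == KVER_PREFIX


def decode_kernel_version(desc):
    """Return (major, minor) from the descriptor's low 16 bits."""
    return (desc >> 8) & 0xFF, desc & 0xFF


def encode_kernel_version(major, minor):
    """Build a kernel-release-version descriptor for the given major.minor."""
    return (KVER_PREFIX << 25) | ((major & 0xFF) << 8) | (minor & 0xFF)


def find_kernel_version(table):
    """Return (slot, major, minor) of the first kernel-version descriptor, or None."""
    descs = struct.unpack("<%dI" % NUM_DESCRIPTORS, table[:NUM_DESCRIPTORS * 4])
    for i, d in enumerate(descs):
        if is_kernel_version(d):
            return (i,) + decode_kernel_version(d)
    return None


def set_kernel_version(table, major, minor):
    """Return a copy of the table with the required kernel version rewritten."""
    found = find_kernel_version(table)
    if found is None:
        raise ValueError("table has no kernel release version descriptor")
    out = bytearray(table)
    struct.pack_into("<I", out, found[0] * 4, encode_kernel_version(major, minor))
    return bytes(out)


# Constructed sample table: every slot unused except a kernel version 2.49
# descriptor in slot 2, i.e. the bytes 31 02 00 FC ("3102" in the post above).
SAMPLE = struct.pack("<28I", UNUSED, UNUSED, 0xFC000231, *([UNUSED] * 25))

if __name__ == "__main__":
    slot, major, minor = find_kernel_version(SAMPLE)
    print("slot %d requires kernel %d.%d" % (slot, major, minor))  # slot 2 requires kernel 2.49
    patched = set_kernel_version(SAMPLE, 2, 0x2E)                  # the post's "2E02"
    print(patched[8:12].hex())                                     # 2e0200fc
```

    Per 3dbrew the exheader carries a second copy of these capabilities inside its access descriptor, so a patched title needs the same change in both copies.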
  17. gudenau

    gudenau Largely ignored

    Hrm, I installed the latest "tiger" and it hangs on the 3DS screen. Oh well.
     
  18. Syphurith

    Syphurith Beginner

    I said you can decrypt a CDN CIA using Decrypt9; that is "Decrypt CIA (deep)" inside its last menu option "Game decryptor". You need @d0k3's.
    Yes, that would never be as easy as just merging them. However, even to embed an update CIA into a game, you must modify the exheader with tools.
    And before you can do something to it, you can download the original with 3DNUS (double encrypted), copy it for a backup and decrypt it.
    You can then try installing them to see which one would work. At least I've installed a decrypted CIA to overwrite it before..
    Note: It is CTR-N-HGRJ for Japan. If you are in other regions it is likely to be CTR-N-HGR[E/U], if you want to uninstall it from NAND with FBI.
    Not surprised. The newest asks in its Exheader for Bit 21 to be set, which is done in NATIVE_FIRM 9.6+.
    If what you own is an old 3DS there is no actual problem for you to get the latest emuNAND and access the eShop.

    I highly doubt GW simply lets the system think all bits in the exheader are valid.. Never mind, I don't own a GW.
     
    Last edited by Syphurith, Nov 6, 2015
  19. Aroth

    Aroth GBAtemp Addict

    Actually that is probably exactly what GW does. As near as I can tell you never run into an issue with a CIA title (game, DLC, update or system) not loading because of a firmware check. Give me a bit and I will even test it.


    Updating "tiger" (0004001000021900) on 9.5.0-23U emuNAND results in an infinite loading screen on rxTools (10-2 nightly).

    Same result for Reinand.

    GW has no loading screen hang. Shop loads just fine, even with the latest tiger version.

    Clearly GW patches something in the firmware to bypass such checks. This patch (or patches, since it is probably more than one) is likely the same reason we cannot use things like sysUpdater in GW mode but we can with rxTools, Reinand and Pasta.

    Either way it is clear how to fix this for N3DS users who do not have a GW cart. We need to decrypt and repack the latest tiger CIA file with the exheader patched to pass the FW check.

    edit:

    Took the time to find a random free game to download to test things and I keep getting 007-6106 once the download tries to finalize. According to Nintendo this error means "an error occurred while attempting to connect to the Nintendo eShop. Please try again later". Unfortunately at this time I cannot be 100% certain if the issue is because we are doing weird things like installing a new system title on an old firmware, or if it is because of my own internet (or possibly a problem with the eShop itself atm). It is also possible that the problem is because I only updated tiger and not mint.
     
    Last edited by Aroth, Nov 6, 2015
  20. Kingofknights

    Kingofknights GBAtemp Regular

    What's the problem with HANS? Is it unstable or something?