Curious About Something

Discussion in '3DS - Flashcards & Custom Firmwares' started by XxShalevElimelechxX, Jun 2, 2016.

  1. XxShalevElimelechxX
    OP

    XxShalevElimelechxX GBAtemp Regular

    Member
    223
    136
    Mar 30, 2016
    Israel
Might be a dumb question, but just out of curiosity, can I flash the unbricked 2.1 emuNAND to my sysNAND to reobtain my OTPs and keep a9lh?
I already have them in various places and backups, but again, I'm just curious because it is an o3DS OS on an n3DS with a9lh... (I know there is an option to do this in D9 and keep a9lh, but idk)...
     
  2. solress

    solress Not a dev

    Member
    579
    306
    May 12, 2016
    Netherlands
    Between here and there
Yes you can, it's just a partition in the FIRM after all.
     
  3. XxShalevElimelechxX
    OP

    XxShalevElimelechxX GBAtemp Regular

    Member
    223
    136
    Mar 30, 2016
    Israel
WOW, what a quick response..!
Well, I already know that, but I thought that maybe because it's an o3DS OS on an n3DS it changes something...
     
  4. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    12,335
    5,342
    Mar 17, 2010
    Norway
    Alola
    When flashing 2.1 you have to remove A9LH. CFW is unable to boot 2.1.
     
  5. XxShalevElimelechxX
    OP

    XxShalevElimelechxX GBAtemp Regular

    Member
    223
    136
    Mar 30, 2016
    Israel
Yeah, but can't I just flash it through the Keep A9LH option?
     
  6. solress

    solress Not a dev

    Member
    579
    306
    May 12, 2016
    Netherlands
    Between here and there
But you won't be able to boot without CFW.
     
  7. Ryccardo

    Ryccardo WiiUaboo

    Member
    3,386
    1,624
    Feb 13, 2015
    Italy
    Imola
    No, because there's no "non-CFW" arm9 homebrew that just loads the kernel from ctrnand and launches it...
     
  8. Zan'

    Zan' 2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F

    Member
    386
    159
    Oct 8, 2015
Actually, if you already have A9LH you don't really need to reflash 2.1 sysNAND (with keeping A9LH) to reobtain your OTP.
It's possible to do this by patching the OTP locking through CFW and basically getting the OTP on any firmware version through an A9LH CFW patch. (I don't think anyone did this, but it's theoretically possible.)
But apart from that, you are safe either way: flash a 2.1 NAND backup via Decrypt9 (Keep A9LH), get the OTP, and flash back the old one.

Edit: nvm, you may not be able to use Keep A9LH.
     
    Last edited by Zan', Jun 2, 2016
  9. XxShalevElimelechxX
    OP

    XxShalevElimelechxX GBAtemp Regular

    Member
    223
    136
    Mar 30, 2016
    Israel
Oh, thx for the info guys :)
     
  10. mashers

    mashers Stubborn ape

    Member
    3,837
    5,156
    Jun 10, 2015
    Kongo Jungle
    No, I don't believe this is possible. By the time CFW has been launched and had the opportunity to patch anything, the OTP is already locked. The only way to patch it AFAIK would be to hack the bootloader.
     
  11. Zan'

    Zan' 2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F

    Member
    386
    159
    Oct 8, 2015
You are mistaken.
If that was the case, 2.1 FW wouldn't be able to access the OTP.
A9LH executes before your FW was even loaded. Therefore OTP locking is likely FW based.
Therefore you could possibly even write an A9LH tool to load up the OTP and dump it.

Edit: OTP is locked by Arm9, which we have access to. Through exploits on firmwares below 3.0, which didn't protect the OTP region, it was possible to acquire the OTP there.
Therefore it is indeed possible, either by CFW patches (on sysNAND) or directly from Arm9 through A9LH.
     
    Last edited by Zan', Jun 2, 2016
  12. mashers

    mashers Stubborn ape

    Member
    3,837
    5,156
    Jun 10, 2015
    Kongo Jungle
    Good point about it being FW based due to being able to capture it in 2.1. So would CFW patches to capture it from 9.2 need to be written to FIRM?
     
  13. ihaveamac

    ihaveamac GBAtemp Guru

    Member
    5,493
    6,072
    Apr 20, 2015
    United States
    Tigard, OR
    I'm pretty sure kernel9loader locks the OTP before it jumps to the arm9 binary. so once arm9loaderhax happened, the region has been locked.
     
  14. TheVinAnator

    TheVinAnator GBATemp's Greatest Vin

    Member
    3,606
    2,650
    Jan 10, 2016
    Canada
    NO COFFEI!
You sure he's able to do that? He mentioned he's gonna put it from an o3DS onto an n3DS.
     
  15. Zan'

    Zan' 2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F

    Member
    386
    159
    Oct 8, 2015
3dbrew says Arm9 locks the OTP by writing 0x2 to Sysprot. (Source)
Protection seems to be from FIRM though. Therefore you can possibly still read a locked OTP.
I believe the OTP protection (including Arm9 locking) is based on the FIRM, which we can manipulate.
We have access to everything that locks/protects the OTP, therefore we should be able to read it out even on higher firmwares as long as we bypass the protections, which A9LH should let us do, since it's executed before FIRM is loaded; therefore we can patch the OTP protection.
The OTP being locked should be possible to prevent as well, even though I don't think that matters for this case. (Staying with the way 2.1 FW can access the OTP: at that point the Arm9 should have locked the OTP already.)
I am not a dev, but this is what I understood from reading up and what I am guessing. If this is indeed entirely different, please prove your point.
(Also, at the point of A9LH people would already have their OTP, which makes this method of getting the OTP basically useless, since it is required to install the requirement for this way. If it is possible.)

Edit: FIRM1 may be completely executed before the payload is loaded. I guess that was your point. That would mean it would indeed require writing to the actual FIRM1 partition.
In which case A9LH execution may actually happen after the OTP has been locked.
Which would mean that you would have to install a 2.1 FIRM with the payload.
     
    Last edited by Zan', Jun 2, 2016
  16. cearp

    cearp the ticket master

    Member
    7,550
    4,813
    May 26, 2008
    Tuvalu
Can people please stop with ambiguous thread titles...
You could at least have said 'curious about restoring 2.1 backup' or something.