Dissecting a downgraded 2ds NAND [Advanced,Witchhunt]

Discussion in '3DS - Flashcards & Custom Firmwares' started by Urbanshadow, Jan 13, 2016.

  1. Urbanshadow (OP)
    Hi guys, I'm still wondering what's with my downgraded 2ds unit. A little situation first: I downgraded it using TuxSH downgrader with the corresponding 9.2.0-20E full update set. The downgrade was done from 10.3.0-28E. An emunand of the downgraded system was made, and then updated to 10.3.0-28E. Downgrade-check homebrew says sysnand is ok, so NATIVE_FIRM appears to be running in the desired version, but still I don't think everything is all right.

    Main issue appears to be coming in two fronts, all in emunand:
    1. It seems impossible for apps to gain kernel execution in Homebrew Launcher. Injected apps in Health and Safety are gaining kernel execution fine.
    2. My DS mode flashcart makes a blackscreen to death. Every. Single. Time.

    The two issues are not happening in sysnand.

    So I've decided to delve into the inner halls of my nand and I came back with detailed info of what's going on in there, hoping a 2ds user with a native (non-downgraded) 9.2 firm can compare nands with me.

    Urbanshadow's 2ds NAND

    You can help either by checking each title against yours by using FBI in delete title mode with destination NAND (Don't erase anything!) and checking the list, or by already knowing/detecting a problem in the nand. Any help is appreciated.

    Would it be better to run the standard sysUpdater downgrade to 9.2 in sysnand? What could be causing my emunand issues?

    I would like to get it as close to a non-downgraded system as possible.

    Thanks in advance.
     
    Last edited by Urbanshadow, Jan 13, 2016


  2. Urbanshadow (OP)
    I'm checking my things right now with this. Please let me know if you find anything.
     
  3. Spaqin
    Uhh, yeah. You're running an updated version of the system in the emunand; obviously they won't have kernel access in HBL, because it's updated, and the exploits used there are patched. Apps not injected but installed w/ FBI/BBM/whatever (which you can inject) should have no problems.

    Known emuNAND issue - DS games don't work.
     
  4. Urbanshadow (OP)
    Thing is, FBI 3dsx did not work in emunand 9.2, which was the main reason why I updated the emunand. So something is definitely wrong there. (Please don't go into the dbs FBI problem.) The error found is the same on 9.2 and 10.3 emunand.

    DS Mode flashcarts run just fine on my n3ds 9.5 emunand.
     
    Last edited by Urbanshadow, Jan 13, 2016
  5. MassExplosion213
    It's because emunand is launched with 9.6 NATIVE_FIRM.
     
  6. Urbanshadow (OP)
    Ok. Is this 9.6 NATIVE_FIRM the one residing in the firmware.bin of the CFW, or does it exist in the nand itself? Should I do anything to sysnand then?
     
    Last edited by Urbanshadow, Jan 13, 2016
  7. MassExplosion213
    It's in the firmware.bin. Unless you use Cakes, there's nothing you can do to get hb to get kernel. 9.6 fixed the original memchunkhax, which most of them use. (Well, memchunkhax was patched in 9.3, but you get the point.)
     
  8. Urbanshadow (OP)
    Thing is, I'm using Cakes all the time. Can I fix this then?
     
  9. Aroth
    @Urbanshadow

    The info you posted in your OP, is that from your emunand or sysnand?

    Asking because if it's your emunand then all of those "Known Useless 10.3 titles for 9.2:" titles should be there. If it's your sysnand then it's a slightly different story (though most of them should still be there, near as I can tell).

    edit:

    A cursory inspection of the installed versions of certain titles suggests that it is your sysnand, but I will wait for a confirmation before continuing.
     
    Last edited by Aroth, Jan 13, 2016
  10. Urbanshadow (OP)
    It's sysnand, of course. It's no use going that deep into emunand. If you need any more info (like CTR title versions and IDs) or think there's some mistake in the copying, just say it.
     
  11. Aroth
    I think you covered all the needed info in your OP. That was masterfully written dude.

    I can tell you what the following titles are, and most are not useless and need to be there even on 9.2 for things to work right.

    00048005 484E4441 - Download Play application for DS mode, present since 2.0.0 and never updated.
    00048005 484E4841 - DS Cart Whitelist, last updated in 7.0.0 (unless you installed bluecardfix.cia, in which case that overwrote this).
    00040130 00001A02 - DSP system-module (required for some sound stuff)
    00040130 00001B02 - GPIO system-module (required for something, I'm sure; sounds graphics or maybe sound related)
    00040130 00004002 - Old3DS nfc system-module (added with 9.3, not present on 9.2 and below)
    00040030 00009E02 - USA amiibo Settings (included with 9.3, not present on 9.2 and below; also, how in the hell did you end up with this on a EUR system?)
    00040030 00009502 - JPN amiibo settings (introduced with 9.3, not present beforehand. Again, how did you get this??)
    0004001B 00019002 - Fangate_updater (no idea what this is, but it appears to have been introduced in 9.3)
    0004009B 00010402 - Not sure what this is, but it has been present since 2.0.0, so I would leave it.
    0004001B 00010802 - No idea, but it was introduced in 6.3.0 so I would leave it alone.
    00040030 0000B902 - EUR amiibo Settings (introduced in 9.3 so feel free to purge it from sysnand)

    To summarize, the following were all introduced with 9.3 and can PROBABLY be safely purged from your 9.2 sysnand (do not remove them from your emunand):

    00040030000B902
    000400300009502
    000400300009E02
    000401300004002
    0004001B0019002

    The quick glance I took at your other titles showed at least one that did not get downgraded when you went from 10.3 to 9.2, so I will probably need to thoroughly go over them all to find which ones need downgrading and which ones need to be deleted. To make matters worse, the ones needing downgrading will likely need to be pulled from multiple sources.

    BTW, this is the very reason N3DS users have so many semi-bricks and random glitches after downgrading. The 9.2 SOAP reply didn't include entries for titles updated between 2.x and 8.x but not updated on 9.0, because those titles were already present on the system from the factory. Basically Nintendo culled them from N3DS SOAP replies to save on bandwidth (why have the system download titles that EVERY unit already has? makes sense).
     
    Last edited by Aroth, Jan 13, 2016
  12. Urbanshadow (OP)
    Thanks! Mastering bbcode takes a while!

    Is it ok to use FBI in sysnand (with pasta) and remove them one by one? Should I expect any boot problems afterwards?

    Now I'm worried.
    Will my o3ds on native 9.2 work for that? I could perhaps dump some titles from it with decrypt9 and replace the 2ds ones with them?

    Oh, and the titles that state "Not Found" are not in my system (I have just the EUR amiibo settings). The "useless" titles were borrowed from a source code.

    Update: Just deleted 00040030000B902 and 0004001B0019002. Sysnand boots ok. Waiting for instructions.
     
    Last edited by Urbanshadow, Jan 13, 2016
  13. Aroth
    You will have to use FBI to do it, probably in a mode without Firmlaunch active (think pasta/dev mode for rxTools). I can't be 100% certain but since the titles I listed are all related to amiibo or nfc (which was introduced in 9.3), you SHOULD be fine. The usual disclaimers and warnings about fucking with sysnand apply. Make sure you have a clean backup (obviously you do) and preferably a hard-mod or the ability to get one.

    If you have an O3DS on 9.2 then you actually should just be able to compare the nands and any titles on the 2DS 9.2 nand that are not present on the O3DS 9.2 nand can likely be safely deleted (usual disclaimer, etc.), assuming that both systems are the same region. Finding the ones that should be there but didn't get downgraded properly is a bit harder.

    Essentially you will need to compare the installed version of each title with the 9.0 SOAP reply and see if the installed version is higher than the version listed on the reply. If it is, then you need to download the most recent version (as of 9.0/9.2) and install it, probably using sysupdater. Since you got far enough to use CFW, you can PROBABLY use the official version of sysupdater to handle this, but I make no promises.

    Use this SOAP reply to compare versions:
    http://yls8.mtheall.com/ninupdates/titlelist.php?date=10-06-14_08-25-03&sys=ctr&reg=P&soap=1

    This is obviously a 9.0 reply and you are comparing against 9.2, but that is ok. The 9.2 reply was bugged and didn't get generated properly for any region but JPN, so it can't be used. However, there are only two titles updated in 9.2, so if you keep that in mind the reply is still good. The first title is CVer (000400DB00017102), which I can confirm is the 9.2 version (you can too because it shows up as 9.2 in system settings). The other is the HomeMenu (0004003000009802), which oddly enough I do not see in your list of titles, so I'm not sure what's up there. I can tell you the version you see should be between 2C08 (9.0) and 3412 (9.3).

    Also keep in mind that the title version listed in your post is in hexadecimal, the versions on the SOAP reply are in decimal. It's a straight conversion, nothing funny.
     
  14. Urbanshadow (OP)
    That is because it is detected as CTR-N-HMMP and I did not post the title IDs for those. I do have 0004003000009802 and the reported version is 3000, which is indeed between 2C08 and 3412. I'll start the SOAP version comparison now; it will take a while.
     
  15. Aroth
    That's great. It means you can effectively just compare to the 9.0 SOAP and ignore CVer and the Home Menu.
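The check Aroth lays out in posts 13 and 15 (installed versions in hex, SOAP reply versions in decimal, skip CVer and Home Menu, sanity-check Home Menu against the 2C08/3412 bounds) as a small script. This is an added example, not code from the thread; the title IDs are the ones quoted above, but every version number and both title lists are constructed sample data.

```python
# Added example (not from the thread): cross-check installed NAND titles
# against a SOAP title list, as Aroth describes. Installed versions are hex
# (as the OP's dump lists them), SOAP versions are decimal. Sample data is constructed.

# Updated in 9.2, so they cannot be judged against the 9.0 reply: skip them.
SKIP_TITLES = {"000400DB00017102": "CVer", "0004003000009802": "HomeMenu"}

# Home Menu must sit strictly between the 9.0 build (2C08) and the 9.3 build (3412).
HOMEMENU_LO, HOMEMENU_HI = 0x2C08, 0x3412

def parse_title_list(text, base):
    """Parse 'titleid version' lines into {titleid: int}; versions read in `base`."""
    titles = {}
    for line in text.strip().splitlines():
        tid, ver = line.split()
        titles[tid.upper()] = int(ver, base)
    return titles

def homemenu_ok(hex_version):
    """True if a reported Home Menu version (hex string) is plausible for 9.2."""
    return HOMEMENU_LO < int(hex_version, 16) < HOMEMENU_HI

def compare(installed, soap):
    """Return (not_downgraded, unexpected): titles whose installed version is
    above the reply's, and titles absent from the reply (e.g. added after 9.2)."""
    not_downgraded, unexpected = [], []
    for tid, ver in sorted(installed.items()):
        if tid in SKIP_TITLES:
            continue
        if tid not in soap:
            unexpected.append(tid)
        elif ver > soap[tid]:
            not_downgraded.append((tid, ver, soap[tid]))
    return not_downgraded, unexpected

# Constructed sample data: title IDs come from the thread, versions are made up.
INSTALLED = parse_title_list("""
00048005484E4841 0C00
0004013000001A02 0802
0004013000004002 0400
0004003000009802 3000
""", 16)
SOAP_9_0 = parse_title_list("""
00048005484E4841 3072
0004013000001A02 1024
0004003000009802 11272
""", 10)

if __name__ == "__main__":
    print(compare(INSTALLED, SOAP_9_0), homemenu_ok("3000"))
```

With the constructed data the DSP module shows up as not downgraded (0x0802 is above the reply's 1024) and the nfc module as absent from the 9.0 reply; the Home Menu at 3000 passes the range check.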
     
  16. Urbanshadow (OP)
    Perhaps I overlooked something, but after the first pass every title looks like it's in the correct version (except the two you mentioned). What was the title not properly downgraded that you saw? Perhaps there are more titles than needed? They really looked fine to me.
     
    Last edited by Urbanshadow, Jan 13, 2016
  17. Aroth
    I misread it I think. I was looking at the DS Cart Whitelist and noticed it was the latest version, and for some reason thought it had been updated in 9.7 so I assumed it must not have gotten downgraded. Needless to say the last update to that title was in 7.0.

    Sounds like if you delete the titles I mentioned originally you should be good. Still have no idea how you ended up with the USA and JPN versions of the amiibo settings application.
     
  18. Urbanshadow (OP)
    No, I never had those titles in my system. I just stepped into that list on the net (which I have already removed) and checked every title on it.

    I deleted 00040030000B902 and 0004001B0019002. Sysnand boots ok. Thank you very much for your help. Now I plan to move on to the NATIVE_FIRM thing on emunand. Not sure what to do, though.
     
  19. Aroth
    You can probably remove 000401300004002 (o3ds nfc system-module) as well, since it was introduced with 9.3 and didn't exist on 9.2 systems.
     
  20. Urbanshadow (OP)
    Ok, did it and sysnand works. Any help on the emunand issues?