Dumping OTP with A9LH

Discussion in '3DS - Flashcards & Custom Firmwares' started by bobfacemoo, Aug 9, 2016.

  1. bobfacemoo
    OP

    bobfacemoo GBAtemp Fan

    Member
    331
    61
    Feb 21, 2016
    Okay so I know it's not possible but I got thinking a little, this has probably been suggested already. I lost my OTP (out of plain stupidity). I don't want to uninstall, downgrade, etc. I have shadownand installed as well as Luma but well if anything comes out that needs OTP I can't get it. But my point is, could we possibly downgrade to 2.1 on A9LH (I know it won't boot but we'll have it on system firmware 2.1) and then OTPHelper be made into an Arm9 payload? The OTP won't be locked out so could we dump it like this?
     
  2. Just3DS

    Just3DS GBAtemp Fan

    Member
    440
    109
    Jan 31, 2015
    I think it is possible to downgrade and boot 2.1 firmware without any patches using A9LH but that still requires a sort of separate A9LH payload that can actually boot it. The thing is that I don't think someone will be that motivated to do it for free as it is not much in demand.

    PS. It has to boot 2.1 firmware directly so that OTP area access doesn't get disabled.
     
    Last edited by Just3DS, Aug 9, 2016
  3. Sumea

    Sumea Disco Ninja Frog

    Member
    1,463
    266
    Aug 16, 2008
    Finland
    Turku
    Does A9LH boot actually lock out OTP? I mean yeah it is based on 8.1 firm I think so probably but if not, there could be just an a9lh bin for redumping your OTP.

    As it stands for now; it does not seem you need the OTP much after successfully installing A9LH since any updates can be made without your OTP so...
     
  4. gkoelho

    gkoelho GBAtemp Advanced Fan

    Member
    545
    133
    Apr 16, 2015
    Brazil
    OTP is locked by the bootloader, which runs way before any code can be executed, so no chance. You need to be on 2.x at max to get your otp again, no other way.
     
  5. Goombi

    Goombi Meme crypto = my crypto

    Member
    143
    53
    Jun 1, 2014
    France
    RnVja1lvdU15RHVkZQ
    Allow me to try a comprehensive explanation of why that won't work.

    The boot sequence is: Power on > Bootrom (> ARM9Loader, New3DS only) > NATIVE_FIRM.
    OTP is locked by setting the CFG_SYSPROT9 bit (which can only be unset by a hardware reboot). Once this bit is set, reading the OTP will give you zeroes.
    On O3DS, this bit is set at the beginning of the ARM9 binary in the NATIVE_FIRM. <2.1 NATIVE_FIRM are not setting the CFG_SYSPROT9 bit.
    On N3DS, it is set by the ARM9 Loader, which is a normal firm viewed from the bootrom (only doing some checks before decrypting and giving code execution to the real firmware). It always sets the CFG_SYSPROT9 bit.

    A9LH is exploiting bad checks in the ARM9 Loader (= only exists for >8.1 firms). But too bad, it is triggered AFTER the CFG_SYSPROT9 bit is set. We have the same problem as with the suggestions of 2.1 emuNAND, once locked, that's over. Loading a 2.1 FIRM from A9LH serves no purpose (and certainly won't work without many changes).

    What Sumea said is very true: for now (who knows in the future), OTP is only used for the *FIRST INSTALL* of A9LH and only works for the console it was dumped from. You might want to be sure you want to get that OTP, it has no use for A9LH'd consoles today.
     
    olec04 likes this.
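    An added example, not code from this thread or from any of the projects named in it: a small Python model of the boot sequence Goombi lays out (bootrom, ARM9Loader, NATIVE_FIRM) with a sticky CFG_SYSPROT9 bit, to make concrete why a FIRM chainloaded from A9LH always reads the OTP as zeros while a console natively on 2.1 still reads it. The `Arm9`, `boot` and `scenarios` names, the 256-byte OTP size, the constructed sample OTP bytes, and the "2.1 and older does not set the bit" boundary are assumptions of the model, not verified hardware facts.

```python
# Added example (not from the thread): a toy model of the 3DS ARM9 OTP lock.
# Assumptions: one sticky lock bit (CFG_SYSPROT9) that only a hardware reset
# clears, OTP reads return zeros once it is set, NATIVE_FIRM 2.1 and older
# leave it alone, and ARM9Loader (present on N3DS or for FIRMs newer than
# 8.1) always sets it before A9LH's exploit can fire.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

OTP_SIZE = 256                      # assumed OTP size for the model
REAL_OTP = bytes(range(OTP_SIZE))   # constructed sample OTP, not real data


@dataclass
class Arm9:
    """Minimal ARM9-side state: the OTP bytes and the sticky lock bit."""
    otp: bytes
    sysprot9: bool = False                      # lock bit, cleared only by reset
    trace: list = field(default_factory=list)   # who touched the bit and when

    def read_otp(self) -> bytes:
        # Once the bit is set, reads return zeros instead of the real OTP.
        return bytes(OTP_SIZE) if self.sysprot9 else self.otp

    def set_sysprot9(self, who: str) -> None:
        self.sysprot9 = True
        self.trace.append(f"{who} set CFG_SYSPROT9")


def firm_locks_otp(version: tuple) -> bool:
    # Model assumption following the thread: 2.1 and older leave the bit
    # alone; anything newer sets it at the start of its ARM9 binary.
    return version > (2, 1)


def boot(arm9: Arm9, *, new3ds: bool, installed_firm: tuple,
         a9lh: bool = False, payload_firm: Optional[tuple] = None) -> bytes:
    """Simulate one cold boot; return what an OTP dump taken at the first
    point where user code runs would contain."""
    arm9.sysprot9 = False           # hardware reset: bit starts cleared
    arm9.trace.append("bootrom")
    has_arm9loader = new3ds or installed_firm > (8, 1)
    if a9lh and not has_arm9loader:
        raise ValueError("A9LH relies on ARM9Loader, which this FIRM lacks")
    if has_arm9loader:
        arm9.set_sysprot9("arm9loader")      # always, before handing over
        if a9lh:
            # A9LH fires *after* the lock, so whatever FIRM the payload
            # chainloads (even 2.1) already sees zeros.
            arm9.trace.append(f"a9lh payload chainloads NATIVE_FIRM {payload_firm}")
            return arm9.read_otp()
    if firm_locks_otp(installed_firm):
        arm9.set_sysprot9(f"NATIVE_FIRM {installed_firm}")
    arm9.trace.append(f"NATIVE_FIRM {installed_firm} running")
    # A FIRM-level exploit (an OTPHelper-style dump) would run here.
    return arm9.read_otp()


def scenarios() -> dict:
    """Per scenario: True if the dump equals the real OTP, False if zeros."""
    cases = {
        "O3DS on 2.1, FIRM-level dump": dict(new3ds=False, installed_firm=(2, 1)),
        "O3DS on 11.0, FIRM-level dump": dict(new3ds=False, installed_firm=(11, 0)),
        "O3DS on 11.0 + A9LH chainloading 2.1": dict(
            new3ds=False, installed_firm=(11, 0), a9lh=True, payload_firm=(2, 1)),
        "N3DS on 11.0 + A9LH chainloading 2.1": dict(
            new3ds=True, installed_firm=(11, 0), a9lh=True, payload_firm=(2, 1)),
    }
    return {name: boot(Arm9(otp=REAL_OTP), **kw) == REAL_OTP
            for name, kw in cases.items()}


if __name__ == "__main__":
    for name, got_real in scenarios().items():
        print(f"{name:40s} -> {'real OTP' if got_real else 'zeros'}")
```

The point the model makes explicit: the only path that returns real OTP bytes is the one where the console is natively on a FIRM that never sets the bit, which is why every reply in the thread ends at "downgrade to 2.x without A9LH", not "load 2.1 from A9LH".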
  6. thisisallowed

    thisisallowed 中国御宅族

    Member
    487
    114
    Oct 8, 2015
    China
    Jinan, Shandong
    The old firms did set the CFG_SYSPROT9 bit, but only for the ARM9 bootloader.
     
  7. Swiftloke

    Swiftloke Hwaaaa!

    Member
    1,770
    1,516
    Jan 26, 2015
    United States
    Nowhere
  8. Inochi.no.Zenmai

    Inochi.no.Zenmai GBAtemp Regular

    Member
    180
    100
    Jun 1, 2013
    United States
    I have a few questions about this

    One of the 3DS on my sig is missing the OTP. I bought it already hacked.

    1. Isn't it possible to just downgrade the console to 2.1, getting the OTP, then flashing a NAND backup of 11.0?

    2. Assuming it is not possible because Luma 3DS doesn't launch older sysNAND firmwares, I read recently Luma got the possibility to boot older firmwares (but I think only >5.0). So, support for 2.x could be added? People who missed their OTP could downgrade and get it anytime, then flash a backup again to the latest firmware with Hourglass9/Decrypt9

    3. If Luma can't do it, maybe another CFW specifically designed for this could work?

    I know OTP is no use for someone with A9LH already installed, but we might want to have this available for the ones who don't have the file. We don't know what could come later that needs the OTP.
     
  9. TheCyberQuake

    TheCyberQuake Certified Geek

    Member
    3,089
    1,928
    Dec 2, 2014
    United States
    Las Vegas, Nevada
    Fixed xD
     
  10. GothicIII

    GothicIII GBAtemp Fan

    Member
    491
    135
    Jan 4, 2015
    Gambia, The
    You can use safea9lhinstaller to uninstall a9lh and restore a nand-backup from 2.1/downgrade again to get otp. After you dumped it you can restore your current nand backup with a9lh.
     
  11. Goombi

    Goombi Meme crypto = my crypto

    Member
    143
    53
    Jun 1, 2014
    France
    RnVja1lvdU15RHVkZQ
    I have a pure theoretical question. Uninstalling A9LH simply restores FIRM partitions right? But it does not change other titles. So could updating sysNAND result in a franken firmware with NVer and CVer showing "Ver. 11.0.0-33E" but still have an exploitable firm?
     
  12. SomeGamer

    SomeGamer GBAtemp Guru

    Member
    5,750
    2,703
    Dec 19, 2014
    Hungary
    Wouldn't cryptofixing still be needed if that was the case?
     
  13. gkoelho

    gkoelho GBAtemp Advanced Fan

    Member
    545
    133
    Apr 16, 2015
    Brazil
    I may be wrong, but I do believe process9 will check for Native_Firm in that case, which will result in something less than 11.0.
     
    olec04 likes this.