Hacking Emunand 9.6+ on N3DS

Deleted-19228
N3DS support was added with the 3.0 nightlies. It works the same way as GW and Reinand and all the rest. The only difference is GW patches the kernel version (apparently; not 100% sure how they do it or if this is exactly what they are doing).



Um, yes they do. The newest games "require" 9.9 at the moment. In reality they are all SDK7 games so they only really require whatever update coincides with SDK7 support, but they ship with 9.9 on the cart and if you are lower than that it will prompt to install it. In addition they all have exheaders expecting a newer kernel version than is used with 9.5 so they hang on the 3DS logo unless the exheader is patched or the kernel version is spoofed.

--------------------- MERGED ---------------------------

This ONLY applies to versions downloaded from the eshop. If you are using a CFW and convert a rom ripped from a retail cart (.3ds) to .cia it will install just fine.

That said it will still hang on the 3ds logo if you did not patch the exheader.

I will repeat myself. No new games REQUIRE 9.9. If you can BYPASS it, it's not REQUIRED. They may try to FORCE you, but if you can bypass it, it isn't REQUIRED.

The original person I replied to was simply misinformed and you stating that doesn't make it any easier for them to understand.

tl;dr:

you can run 9.9 on 9.0-9.5 emunands no problem with gateway (or rxtools if you have something patching the version)
 

Aroth

Then your statement was still incorrect, because no game actually requires anything higher than 7.x (or whenever SDK 7 was introduced).

Edit:

Also, for the purposes of the person asking the original question, they do require 9.6+, since he was very specifically asking about playing retail carts of new games with CFW other than Gateway, and neither rxTools nor Reinand (or any other CFW aside from GW) can prevent retail cartridges from trying to update.
 

Aroth
If emunand for 9.6+ was to happen, how will it work? How does it get "updated" through formatting emunand again or automatically with cfw being updated to support 9.6emu+
Depends on how the new encryption works. If they can recover the keys and decrypt native_firm, then we should just be able to update emunand normally. If they can't recover the keys and emunand support is limited to only those firmwares we can exploit the arm9 kernel on, then we will have to update the system nand to that firmware and then format emunand again. This would also likely require us to reinstall all cias and backup/restore all save data as well.


Keep in mind that the one vulnerability that was announced that MIGHT provide a way to access those keys is also the one that GW will likely be using to provide full 10.3 support. Even if it proves to not be viable for them to use it as a means of exploiting 10.3, they likely have the resources to explore the possibility of using it to recover the new keys for N3DS 9.6+ emunand.
 

Ailuros27 (OP)
For cryptofixing?
Don't really need a tutorial.
Download 3DS Simple CIA Converter v4.3 and extract it to your computer.
Download Decrypt9WIP (I don't have a link for this or the converter) and put it on your SD card in the /3ds/ folder.
Download Gateway's latest update (3.6.2) and copy the launcher.dat file and /3ds/ folder to the root of your SD card.
Put the game you want to dump in the card slot.
Launch the hbl, then Gateway from the hbl.
Navigate to "dump game cartridge".
When it's done, copy the .3ds file from your SD card to the "roms" folder of your SD card and then follow the instructions that come with the converter.
If you are using rxTools you do not need Decrypt9.

How do you then install those in emunand?
 

Urbanshadow
So, I think having someone replicate all that successfully from scratch again requires godly knowledge that the average people around here don't have...

Oh my. It's hard, but not on the godly knowledge tier. I only classify very few things that high. This is a challenging thing to do, but in difficulty it is more on the advanced knowledge tier. And after they told you where to find the keyX and keyY, the constant C could be found on pastebin and the key scrambler function is public now, so it's a little mess but definitely possible.

They even gave you hints on how to get C with KeyX and the WiiU normalkey. I find it more interesting how in the hell they thought of a race condition in the memory allocation service (aka memchunkhax).
 
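The key scrambler Urbanshadow refers to, as an added illustration that is not code from this thread or from any tool named in it: the publicly documented 3DS scrambler formula together with its algebraic inverse, which is the idea behind "get C with KeyX and a known normal key". KeyX, KeyY and C below are constructed placeholders, not real console values.

```python
# Added example: the 3DS AES key scrambler as publicly documented, in pure
# Python. All key material here is a constructed placeholder, NOT real keys.
MASK128 = (1 << 128) - 1


def rol128(value: int, bits: int) -> int:
    """Rotate a 128-bit unsigned integer left by `bits` positions."""
    bits %= 128
    return ((value << bits) | (value >> (128 - bits))) & MASK128


def ror128(value: int, bits: int) -> int:
    """Rotate a 128-bit unsigned integer right by `bits` positions."""
    return rol128(value, (128 - bits) % 128)


def scramble(key_x: int, key_y: int, c: int) -> int:
    """NormalKey = (((KeyX <<< 2) ^ KeyY) + C) <<< 87, all arithmetic mod 2^128."""
    return rol128(((rol128(key_x, 2) ^ key_y) + c) & MASK128, 87)


def recover_c(normal_key: int, key_x: int, key_y: int) -> int:
    """Invert the scrambler: given a NormalKey and the KeyX/KeyY it came from,
    C = (NormalKey >>> 87) - ((KeyX <<< 2) ^ KeyY) mod 2^128.
    Every step of the scrambler is a bijection for fixed other inputs, so one
    known (KeyX, KeyY, NormalKey) triple pins C down uniquely.
    """
    return (ror128(normal_key, 87) - (rol128(key_x, 2) ^ key_y)) & MASK128


# Constructed placeholder values (hypothetical; not the real C or any real key).
KEY_X = 0x0123456789ABCDEF0123456789ABCDEF
KEY_Y = 0xFEDCBA9876543210FEDCBA9876543210
C_PLACEHOLDER = 0x11111111222222223333333344444444

if __name__ == "__main__":
    normal = scramble(KEY_X, KEY_Y, C_PLACEHOLDER)
    print(f"normal key: {normal:032x}")
    print("C recovered:", recover_c(normal, KEY_X, KEY_Y) == C_PLACEHOLDER)
```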

Aroth

My understanding was that nothing they released would directly result in obtaining the new keys? I mean, it was suspected that ntrcardhax and that bootrom hack for the N3DS might give us access early enough to dump them, but it was mostly speculation and no real info or even teasing was done. Just a "it's certainly possible someone might be able to get the keys now, but not without a lot of work."
 

Urbanshadow

Not exactly what we were talking about, but yeah. The part where the time goes exponential is finding some key that lets us bad-decrypt the firm1 partition into a special kind of garbage that jumps into the exploit. This is especially hard, as we don't know where in the firm partition execution starts, and we need right there (or very close after) some piece of bad-decrypted firmware that contains a code jump to the address of the exploit. Think of that as finding a needle in a special haystack on a hay planet full of haystack mountains (lol). And even then, it's not sure if it's early enough to grab the keys.

It's just re-doing the keyscrambler findings to re-check the C constant or the normalkey, more focused on the joy of breaking the security (without a final direct/indirect goal).
 

Aroth

I wanna say the topic of using the new exploits was hashed and rehashed in that thread that finally got locked, and it was suggested (if not outright confirmed) that the keys are cleared before it fully loads the firmware partition, and the bootrom exploit would at best give us control halfway through loading the firmware. If this is the case, then the bootrom vulnerability wouldn't have much chance of dumping the keys for us at all.
 

Urbanshadow

Yeah, that was the "it's not sure if it's early enough to grab the keys" part. If exploited, the bootrom access could let us add very early emunand support at worst.
 

Aroth

At least for N3DS users anyways. Though I was under the impression it was considered very unstable and highly likely to cause a brick.
 

Urbanshadow

Not sure about the bricks; could be, as you kind of half-brick it on purpose. But not unstable, as each key always decrypts to the same garbage. The problem is that finding that key is just too large a job for a thing that could or could not work. Too much effort that could end up not yielding any value, so it's not being worked on, as far as I know.

For the thread's sake, your best bet here is the gateway team, like another user states on the first page. Don't expect bootrom access anytime soon™.
 

sgtPembry
Yesterday we were wondering here if it's possible to run cartridge games on 9.5 emuNAND and how. If someone knows here... :bow:
 
