[FAQ] How to prevent updating the SysNAND

Discussion in '3DS - Tutorials' started by d0k3, Mar 24, 2015.

Mar 24, 2015
  1. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    [​IMG]

    Your shiny brand new 3DS console just arrived, it is on a good FW version, and maybe it's even your first 3DS console ever. Now, one of the biggest fears of new users is accidentialy updating the SysNAND, rendering their 3DS incapable of running exploits needed for homebrew, CFWs or flashcarts. That fear is not completely irrational, judging from the sheer number of "Am I screwed?" threads here. But, don't worry, I'm here to help. I'll explain how FW updates find their ways to your system and how you can be as safe as possible, even if you let someone else access you N3DS console. By now, I assume you know why SysNAND updates are bad and what the difference between SysNAND and EmuNAND is. Let me add to this that updating your FW also hurts its resale value and shouldn't ever be done without consideration., no matter what flashcart you're using now.

    This FAQ is for FW version 9.0...9.2, but it should also be applicable to earlier versions and most probably even to later ones. Thanks go to GBAtemp members who provided most of the information in my earlier thread found here.


    First of all, calm down!

    As a matter of fact, Nintendo will never update the FW of your 3DS console without first asking you (or the current user) for confirmation. No, that thing won't update itself from turning it on, looking at it or accidentially pushing a button on the backside. You are specifically asked, and usually it requires multiple button presses to confirm. Even if somehow you already have the dreaded update nag at system startup, there's a way to get rid of that.

    So, how can it 'accidentially' be updated then?

    Now, Big N does ask for confirmation before updating your precious console, but they absolutely make sure that they do so at every opportunity they get. These are the ways you'll may get asked to update your 3DS:
    • Automatic Download: if you leave your 3DS connected to a WiFi hotspot and put it in standby, the update will be downloaded, but not installed. This will lead to the dreaded update nag at startup.
    • Internet enabled system apps: before using the eShop you are asked to do a system update. You're not even able to use it unless you are on the most recent update. Before you da a system transfer (from old to new 3DS), you are also asked to do an update on both consoles. This applies to other system apps as well, especially those that require internet.
    • Retail cartridges: Each and every retail cartridge comes with their own system update on the cart. If you're below the update provided on the cart, you're asked to update.
    • Manual updating: of course you can also update manually from the configuration menu.
    Given these possibilities to update your 3DS FW, the most common ways 3DS consoles are 'accidentially' updated are the following:
    1. Others (children, f.e.) using your 3DS and being impatient / updating deliberately / fiddling around with stuff they don't know about.
    2. You not paying attention and confirming something you shouldn't have confirmed.
    3. You being uninformed and doing it deliberately / without knowing what you're doing.
    The following paragraphs will show you how to minimize the risk from 1. and 2. As for 3., you're already reading this, so you're also working on reducing the risk from that. 2. very often comes from users actually wanting to update their EmuNAND, but I'll have you covered on this as well.


    Enough of that, tell me how to prevent updates!

    The basic strategy of preventing unwanted SysNAND updates is not to be asked to do an update in the first place. To achieve that, there are several strategies, some of which might seem to be overkill to you. You don't need to follow all of these strategies and, depending on how you want to use your 3DS, you may also not want to follow all of them. In fact, some of these strategies may even borderline on paranoia. So, just pick the strategies you want to use. Anyways, without further ado, here's the list, sorted roughly by protection factor:
    • Don't ever confirm anything update related - That should go without saying, but don't ever confirm anything that wants to update your system. No, that update is not only for the eShop. No, that update doesn't only apply to the game you're just playing. In summary, actually read the stuff your 3DS shows you and react accordingly.
    • Don't confirm the Nintendo Network license agreement - this has to be confirmed once and, until confirmed, turns up everytime you try something internet related. Simply put, don't confirm it, and you should be perfectly safe. This will mean you will be excluded from most internet / wireless related stuff. It will also keep you from access to the Cubic Ninja exploit, so it may be not for you.
    • Leave the wireless setting off at all times - this is found in the upper left at the home screen. Turn it off once and leave it that way, and you're completely safe from internet updates.
    • Don't use standby - turn it completely off at all times. If WiFi is enabled, your console will try to download a local update and nag you to update every time you turn it on. Take note that this and the above will also disable Streetpass functionality.
    • ... or alternative to the above, use EmuNAND. Just make sure you don't get back to SysNAND without noticing. Also know that standby, especially in conjunction with WiFi will drain your battery.
    • If you have the update nag, get rid of it as fast as possible - it is easy to do.
    • Use the TubeHax DNS on all your Wifi connections. This will block updates, but also leave the Youtube app defunct, Instructions, directly from @smealum: "On your 3DS, open the System Settings app, then go to Internet Settings and Connection Settings. From there, select your favorite Connection, tap the Change Settings button, and on the second page head over to the DNS section. Once there, select "No" for "Auto-obtain DNS", and under Detailed Setup, enter the following address : 107.211.140.065."
    • Leave the three WiFi slots empty or fill them with fake data - Be aware that the 3DS will connect to some Nintendo partners hotspots without asking, even if you did fill all slots with fake data. So, this on itself is not enough protection. Such hotspots are, for example, found in McDonald's Restaurants. Filling with fake data (vs. leaving empty) is recommended if you use an EmuNAND alongside your SysNAND.
    • Remove system updates from game backups - you may use romtool to do so. This can also do regular trimming and by removing the update you'll get even smaller files. More safety plus space for free, yay! Actually, scratch that. The Sky3DS won't load these roms anymore and the Gateway has protection inbuilt anyways. If you want to save space and own a Gateway, go ahead of course.
    • (Instead of the above) be extra careful when running recent retail cartridges and / or game backups - they may contain unwanted update data, and you will be asked every time you start them up.
    • Organize your start menu - move the stuff that may ask you for a license agreement or a system update such as the eShop, system settings or Miiverse out of sight and into a folder. Name this folder something boring, so your kids / friends won't take extra interest in it.
    • Block access to Nintendo updates via Firewall / personal DNS server / Router - that is for experienced users wanting to play online. It will only help you in your own Wifi network and it might be a bit difficult to set up. I made a tutorial for setting up such a hotspot using stuff almost everyone owns. There are also other tutorials, using various other hardware on this site.
    • Use parental control to limit access to stuff - No, this won't actually block system updates, but you can limit access to internet enabled stuff, which will in fact reduce the risk, especially if you let others play. You should especially block access to internet settings. Note that this is a thin layer of protection at best.
    • Disable Spotpass - the setting is found in internet settings. Turn it off and leave it that way. It's not completely sure that this will do anything to prevent the automatic update download, though.
    • Create a backup of your SysNAND if you have the possibility - you'll need a Gateway card for that, and this backup is really your last resort solution, as restoring it will require a NAND hardmod to your 3DS console (will additionally void your warranty).
    In short, you shouldn't ever use your SysNAND to access the internet. Take a pass on wireless functionality (yes, that includes Streetpass) or get a Gateway and do everything wireless related on EmuNAND. If you must use internet and don't have access to EmuNAND, at least don't use standby, and enable WiFi only when needed.


    So, how to safely update my EmuNAND?

    As I wrote earlier, people sometimes accidentially update their SysNAND when they actually wanted to update their EmuNAND. About how to actually set up and unlink your GW / EmuNAND you'll need to find out somewhere, but on the update process I'll have you covered.
    • Update the EmuNAND from system settings only - yes, by now the GW has some very good security measures of it's own in place, and updates of the EmuNAND may work from anywhere, but I suggest you still heed my advice. Only update from Other Settings -> System Updates. Before doing so, make sure it says 'GW3D' in front of the version number, which is found at the bottom left of the top screen in settings. Don't exit settings after checking the version number. Only exit after updating.
    • Make sure EmuNAND ist still compatible with the new FW version beforehand. If the new FW version is pretty new, chances are it is not. The friendly folks at GBAtemp will keep you updated and you may also check the Gateway site.
    • Not required, but helpful: Use different themes for EmuNAND and SysNAND. That way you'll always have a visual reminder of which system you are currently in.
    • An additional hint from @Wekker: Set different times / dates for EmuNAND and SysNAND. This way you have another way of telling you're on the right /wrong system when updating.
    There's also a good guide on MaxConsole. Some of it may be outdated by now, though.


    But I need / want to access the internet...

    In that case, you of course don't have any other choice but to actually accept the Nintendo Network license agreement. There are still ways to be safe, though. Use a FW update blocking connection such as the one I described here. Use parental controls to make sure no one accesses hotspots other than the ones you defined. Try to avoid standby and disable wireless connections if you are not using them.


    But, I actually want to update my SysNAND (and I know what I'm doing)

    But only up to a specific version, I take it? Online, you may only upgrade to the latest version. Rent / borrow a retail cart that has the update you want and update from there. Or, you may also use a Sky3DS to do this, but don't try it via Gateway. You may find out which cartridge / backup you want from this list. If you actually meant you still want to upgrade to the latest version, then, why are you reading this in the first place? ;)
     
    Last edited by d0k3, Jan 25, 2016


  2. Ryccardo

    Member Ryccardo WiiUaboo

    Joined:
    Feb 13, 2015
    Messages:
    2,266
    Location:
    Imola
    Country:
    Italy

    The browser doesn't require accepting the license (but Mii Plaza does, wow)
    Unfortunately for this example, the password for "3DS shopping services" is only asked at the "this software requires X blocks and Y monies" step, not to launch the eShop :s
     
    d0k3 likes this.
  3. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    Thank you! Setting up internet connections requires accepting the license for me, so the Browser is not accessible anyways. And that other, yup, that was a bad example. Already fixed it.
     
  4. xdarkmario

    Member xdarkmario Philosopher

    Joined:
    Dec 30, 2010
    Messages:
    1,280
    Location:
    Mushroom Kingdom
    Country:
    United States
  5. Styx1

    Newcomer Styx1 Newbie

    Joined:
    Mar 25, 2015
    Messages:
    3
    Country:
    United States
    So does this mean that typing in WiFi settings and going online in SysNAND to do the Cubic Ninja Exploit may lead to an SysNAND Update or am I safe if i execute the Exploit once and then erase all my internetsettings in SysNAND?
    This is confusing me.

    Thank you!
     
  6. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    Well, that's why I told you, you don't need to follow everything. These is really just a collection of measurements to be safe against SysNAND updates.

    Alright, you need to get online for the expoit once? So, you have no choice but to accept the agreement (can't setup internet otherwise). Filling the Wifi preferences with fake profiles afterwards is recommended, but on it's own doesn't make you completely safe, as there are certain Hotspots (there's a list somewhere on the Nintendo website) your 3DS will automatically connect to regardless of Wifi preferences. These are found, f.e. in Mc Donalds restaurants in many countries. If you are (1) in SysNAND, (2) your Wifi is on, (3) you put your console in standby and (4) you're near one of the mentioned Hotspots, yes, the FW update may download. If one of the 4 doesn't apply, it won't. Note that the upload being downloaded only means that you'll get the update nag at startup, which you can get rid of, so there several 'defense lines' the FW update has to pass.

    Just use the other recommendations to make your SysNAND as safe as possible, and nothing bad should happen. I also suggest you use different themes for SysNAND and EMuNAND, so you're able to be able to easily distinguish between the two.
     
  7. Lectem

    Newcomer Lectem Member

    Joined:
    Nov 21, 2014
    Messages:
    43
    Country:
    France
  8. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    There already is a link included with instructions on how to get rid of the nag via recovery mode.
    Anyways, I've just revised soem stuff in this guide and included the advice to disable spotpass downloads.
     
  9. Lectem

    Newcomer Lectem Member

    Joined:
    Nov 21, 2014
    Messages:
    43
    Country:
    France
    I actually missed it, sorry !
     
  10. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    I passed some time at a Nintendo Zone Hotspot today (Wifi on & in standby) and I got the update nag. Spotpass was disabled, so It seems Nintendo doesn't consider sneaking an unwanted update onto our 3DS systems an "automatic download" (as we would have to agree to that for Spotpass functionality). Anyways, I easily got rid of it, but that also means that Spotpass doesn't really matter and I put it at the very bottom of the list,
     
  11. thealgorithm

    Member thealgorithm GBAtemp Regular

    Joined:
    Oct 27, 2015
    Messages:
    166
    Country:
    United Kingdom
    One question.. Is it possible to patch any possible system updates from occurring from the sysnand (by writing custom patched firmware to the sysnand?)
     
  12. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    As you know, TubeHax is dead, but the TubeHax DNS (107.211.140.065) is still active. Read up on that here. Use this with all your wifi connections and you should be (almost) safe from updates. Almost, because I'm not entirely sure what would happen at Nintendo Zones. I catched the update nag once from a McDonalds restaurant.
     
  13. thealgorithm

    Member thealgorithm GBAtemp Regular

    Joined:
    Oct 27, 2015
    Messages:
    166
    Country:
    United Kingdom
    I meant patching out everything in relation to system updates (whether that is via cart update, system update in settings, or outside) so that it will not be able to write to nand (e.g routines for this removed from the firmware)
     
  14. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    Then the answer is no - there is no way to be completely sure from updates in SysNAND, unless you never boot to it. The update nag in EmuNAND, btw, might be even worse than the one for SysNAND, as there is no known way to get rid of it.
     
  15. thealgorithm

    Member thealgorithm GBAtemp Regular

    Joined:
    Oct 27, 2015
    Messages:
    166
    Country:
    United Kingdom
    Indeed, and who knows what updating forcing based timebombs there are in firmware 10.2....
     
  16. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    Yup, correct. I advise you to go through my list and decide for yourself which measures are acceptable for you. I myself, for example, never even put wifi on, unless it accesses my own update-blocked wifi network.
     
  17. thealgorithm

    Member thealgorithm GBAtemp Regular

    Joined:
    Oct 27, 2015
    Messages:
    166
    Country:
    United Kingdom
    Hopefully there will at some point be the code for this patched out if at all possible. Wifi is not too important for me. On the sys nand, I have accessed recovery mode and cancelled the update that was pending, but worry sometimes is that some game cia's have their own update in them and worried by accident I may click... :-)
     
  18. lenitao

    Member lenitao GBAtemp Regular

    Joined:
    Sep 23, 2007
    Messages:
    102
    Country:
    United States
    Last edited by lenitao, Nov 3, 2015
  19. d0k3
    OP

    Member d0k3 3DS Homebrew Legend

    Joined:
    Dec 3, 2004
    Messages:
    2,519
    Country:
    Germany
    I never updated from a cartridge myself. I advice you to first check the version here (don't worry, version is also shown when the cart offers you to update). Other than that, carts are just one way to update among others, and afaik the only way to get a specific FW version other than the most recent one. There shouldn't be any unexpected trouble.
     
  20. lenitao

    Member lenitao GBAtemp Regular

    Joined:
    Sep 23, 2007
    Messages:
    102
    Country:
    United States
    thanks man!! updated without any problems

    rxtools wasn't working for some reason though, so I had to format emunand and inject back, not sure if the emunand was affected or the rxtools, better to backup both nands just to be safe
     

Share This Page