Spore2

FIRM is stored on a separate partition and encrypted with its own key, so all we need is the xorpad for FIRM, which it gets by comparing the encrypted partition with a decrypted 10.4/10.5 FIRM.

That makes sense. Thanks.
Just waiting to finish updating to 10.5. Internet speeds here in the Philippines are crap.
 
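An added example (not from the thread or from the autofirm tool) of why comparing an encrypted partition with a known decrypted image yields the xorpad, and of which check actually stops the resulting downgrade. The stream cipher, the "signature" and the 4-digit version prefix are constructed toy stand-ins, not the console's real formats.

```python
import hashlib
import hmac
import secrets

def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, length):
    """Toy stream cipher (HMAC-SHA256 in counter mode). The pad depends only on the
    key, like a partition whose xorpad is the same for every FIRM version."""
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def recover_xorpad(ciphertext, known_plaintext):
    """What 'comparing the encrypted partition with a decrypted FIRM' means:
    for any XOR stream, pad = C XOR P, and the key itself is never needed."""
    return xor_bytes(ciphertext, known_plaintext)

def sign(sign_key, image):
    """Stand-in for the vendor signature the bootrom checks on a decrypted FIRM."""
    return hmac.new(sign_key, image, hashlib.sha256).digest()

def boot(key, sign_key, ciphertext, tag, min_version):
    """Decrypt, verify the signature, enforce a version floor; return the decision."""
    image = xor_bytes(ciphertext, keystream(key, len(ciphertext)))
    if not hmac.compare_digest(sign(sign_key, image), tag):
        return "rejected: bad signature"
    version = int(image[:4])  # constructed image format: 4 ASCII digits, then payload
    if version < min_version:
        return "rejected: rollback"
    return "booted v%d" % version

def demo():
    key, sign_key = secrets.token_bytes(16), secrets.token_bytes(16)  # never learned
    new = b"1050 constructed stand-in for a 10.5 FIRM image".ljust(64, b"\0")
    old = b"0920 constructed stand-in for a 9.2 FIRM image".ljust(64, b"\0")
    hacked = b"1050 modified image with no valid signature".ljust(64, b"\0")
    pad = recover_xorpad(xor_bytes(new, keystream(key, 64)), new)
    assert pad == keystream(key, 64)  # known plaintext gave the full xorpad
    return {
        # A genuinely signed older image re-encrypted with the pad decrypts and
        # verifies; only the version floor (anti-rollback) rejects it.
        "old, no floor": boot(key, sign_key, xor_bytes(old, pad), sign(sign_key, old), 0),
        "old, floor 1050": boot(key, sign_key, xor_bytes(old, pad), sign(sign_key, old), 1050),
        # A modified image cannot be signed, so the pad alone buys nothing.
        "modified": boot(key, sign_key, xor_bytes(hacked, pad), sign(sign_key, old), 0),
    }
```

The takeaway for a defender is that confidentiality (the xorpad), integrity (the signature) and freshness (the version floor) are three separate properties; the downgrade described in this thread defeats none of the first two.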

vb_encryption_vb

I can confirm this does indeed work. I updated to 10.5, backed up NAND, patched NAND, wrote NAND back, booted into homebrew sysupdater and downgraded back to 9.2 with no issues.

Anyone having issues with the patcher, put this .dll in the same directory as the autofirm files.
 

Attachment: msvcr120d.zip

Xenon Hacks

I can confirm this does indeed work. I updated to 10.5, backed up NAND, patched NAND, wrote NAND back, booted into homebrew sysupdater and downgraded back to 9.2 with no issues.
Care to make a video of it in action? It's not that I don't believe you, it's just too crazy, and the hype train is gonna go full steam ahead. @hundshamer you're about to make quite a bit of pocket money.
 

urherenow

FIRM is stored on a separate partition and encrypted with its own key, so all we need is the xorpad for FIRM, which it gets by comparing the encrypted partition with a decrypted 10.4/10.5 FIRM.
I have a noobish question... since we are able to decrypt FIRMs, and it is known how to patch out the signature checks, why can't the signature check be physically patched out of the FIRM before installing it? I'm not quite sure at what point during boot signature checks start being performed, but my mind was blown when people figured out how to get 1 or 2 keys and then use them to figure out other keys (like to decrypt the N3DS 9.6+ FIRM). Why has nobody been able to derive a working signing key?

Both my systems are hard-modded, but I'm not very motivated to play with this. I don't need it, and anybody with a working hard mod to try it doesn't really have much to worry about.
 

vb_encryption_vb

Care to make a video of it in action? It's not that I don't believe you, it's just too crazy, and the hype train is gonna go full steam ahead. @hundshamer you're about to make quite a bit of pocket money.


Sure, going to be a long video from start to finish, cause I'm not editing a damn bit of it lol
 

The Real Jdbye

I have a noobish question... since we are able to decrypt FIRMs, and it is known how to patch out the signature checks, why can't the signature check be physically patched out of the FIRM before installing it? I'm not quite sure at what point during boot signature checks start being performed, but my mind was blown when people figured out how to get 1 or 2 keys and then use them to figure out other keys (like to decrypt the N3DS 9.6+ FIRM). Why has nobody been able to derive a working signing key?

Both my systems are hard-modded, but I'm not very motivated to play with this. I don't need it, and anybody with a working hard mod to try it doesn't really have much to worry about.
There are signature checks on FIRM too. That's why we're only able to use unmodified FIRM binaries. And these checks are embedded in the bootrom, so they can't be patched out. However, arm9loaderhax does something similar to what you want: we can load a patched FIRM with it and patch/modify anything we want on NAND, given that the right signature checks are patched out. But arm9loaderhax is very user-unfriendly to install.
 

Xenon Hacks

Sure, going to be a long video from start to finish, cause I'm not editing a damn bit of it lol
Don't have to. This is big news for the scene; a public downgrade method is insane. Can you think of how many people will want this service? Hell, I might even get a smaller tip for my soldering iron just to cash in.
 

vb_encryption_vb

Don't have to. This is big news for the scene; a public downgrade method is insane. Can you think of how many people will want this service? Hell, I might even get a smaller tip for my soldering iron just to cash in.
Video is almost 3 gigs and uploading to YouTube now, should be ready in 20 or 30 minutes I guess. YouTube says 103 minutes; I sure the hell hope it doesn't take that long.


To all of GBAtemp:
GBAtemp is full of assholes; my son is autistic and you may hear him in the background making random comments. Keep your traps shut!

Thanks.
 

piratesephiroth

So, 3dsfirm.exe is something like this:

Code:
# Embedded file name: 3DSFirm.py
# Dumps the firm0/firm1 partitions out of a 3DS NAND image, or injects
# replacement firm0/firm1 images back into it at the same offsets.
# print() with a single argument behaves the same under Python 2.7 and 3.
import os
import sys
import argparse

if not sys.version_info[:2] == (2, 7):
    print('*****\n!!!!!Warning - Only tested with Python 2.7!!!!!\n*****\n')

parser = argparse.ArgumentParser()
parser.add_argument('nand_file', action='store', help='NAND file (must exist for dumping and injecting)')
parser.add_argument('firm0_file', action='store', help='firm0 file (only should exist for injecting, firm file will be written/overwritten when dumping)')
parser.add_argument('firm1_file', action='store', help='firm1 file (only should exist for injecting, firm file will be written/overwritten when dumping)')
choose = parser.add_mutually_exclusive_group()
choose.add_argument('-d', action='store_true', default=False, dest='dump', help='Dump firm from NAND file')
choose.add_argument('-i', action='store_true', default=False, dest='inject', help='Inject firm into NAND file')
# Parsed for compatibility; this version of the tool does not use it.
parser.add_argument('-lowmem', action='store_true', default=False, dest='lowmem', help='Use if you have low RAM available')
arguments = parser.parse_args()

# Exactly one of -d / -i must be given (both False or both True is an error).
if arguments.dump is arguments.inject:
    print('Please choose -d or -i to dump or inject the firm partitions')
    sys.exit(0)

print('*******\n3DSFirmtool\n*******\n')

# Partition layout the tool assumes: firm0 and firm1 are 4 MiB each.
start = 185794560   # 0x0B130000: firm0 partition offset in the NAND image
size = 4194304      # 0x00400000: size of each firm partition
start2 = 189988864  # 0x0B530000: firm1 partition offset in the NAND image

if not os.path.isfile(arguments.nand_file):
    print('NAND file cannot be found')
    sys.exit(0)

if arguments.inject:
    if not os.path.isfile(arguments.firm0_file):
        print('Firm0 file cannot be found')
        sys.exit(0)
    if not os.path.isfile(arguments.firm1_file):
        print('Firm1 file cannot be found')
        sys.exit(0)

if arguments.dump:
    if os.path.isfile(arguments.firm0_file):
        print('Firm0 with this name and path already exists, file will be overwritten')
    if os.path.isfile(arguments.firm1_file):
        print('Firm1 with this name and path already exists, file will be overwritten')
    with open(arguments.nand_file, 'rb') as r:
        with open(arguments.firm0_file, 'wb') as w:
            with open(arguments.firm1_file, 'wb') as w2:
                print('Dumping... please wait')
                r.seek(start)
                firm0 = r.read(size)
                w.write(firm0)
                r.seek(start2)
                firm1 = r.read(size)
                w2.write(firm1)

if arguments.inject:
    # Open the NAND image read/write and overwrite each partition in place.
    with open(arguments.nand_file, 'rb+') as r:
        with open(arguments.firm0_file, 'rb') as w:
            print('Injecting firm0... please wait')
            r.seek(start)
            firm0 = w.read(size)
            r.write(firm0)
        with open(arguments.firm1_file, 'rb') as w:
            print('Injecting firm1... please wait')
            r.seek(start2)
            firm1 = w.read(size)
            r.write(firm1)

print('')
print('Finished')
 

Xenon Hacks

Video is almost 3 gigs and uploading to YouTube now, should be ready in 20 or 30 minutes I guess. YouTube says 103 minutes; I sure the hell hope it doesn't take that long.


To all of GBAtemp:
GBAtemp is full of assholes; my son is autistic and you may hear him in the background making random comments. Keep your traps shut!

Thanks.
You can change the video audio in the settings on YouTube if you want.
 