Hacking Has anyone with a brick been able to recover?

obcd

Sorry, my mistake. It should read 3ds instead of wiiu. I am usually busy with wii(u) related stuff.

Corrected...
 

justinkb

While you can read an eMMC like a SD, its specification has more commands if I remember well. The method to read and write from the device is pretty much identical and that's why you can use an sd card reader to read and write the eMMC as well.
both eMMC and SD are extensions upon original Multimediacard standard.

so they have a shared origin, that's why a subset of the commands are shared among them.


thus ended the history lesson. ;-) for anyone who cares.
 

krisztian1997

if emmc controller supports SPI mode, then you will have to connect 3DS DAT3 port to SDCARD pin 1
and try with lower level SPI communication
I don't think that it's possible to do that using an sd card adapter. Maybe it would be possible to communicate with the controller directly using a serial port (or lpt one, IIRC that can do the same as a serial one)
 

Foxi4

There's no reason why those systems couldn't be recovered. The problem with them is that it's not just the NAND that's been wiped - the eMMC Master Controller's firmware is gone, hence the FLASH memory is not detected.

If you recover the controller firmware, you should be able to flash the NAND as if nothing happened. The problem here is reprogramming the controller, which naturally isn't as easy as shoving it into a reader like it's the case with the memory itself.

I'm confident that with the right documentation as well as a working dump of the controller's firmware the systems could be repaired.
 

obcd

If the flash memory isn't detected, how do you know that the eMMC Master Controller's firmware is gone?
Did anyone run some low level eMMC communication on it to confirm this?
I agree upon the fact that Samsung has manufacturer specific commands to update the eMMC firmware, but it's the firmware that controls the communication with the chip.
If you fubar that, it's game over. There is no such thing as a JTAG or serial console port to establish communication and restore the firmware.
Some 3ds have a Toshiba eMMC instead of a Samsung. It would really surprise me if it would use the same manufacturer commands to manipulate the firmware, unless it would contain the same samsung controller inside the housing.

Let's just say that my assumption that they might have password locked the eMMC is still an option until proven wrong.
 

krisztian1997

If the flash memory isn't detected, how do you know that the eMMC Master Controller's firmware is gone?
Did anyone run some low level eMMC communication on it to confirm this?
I agree upon the fact that Samsung has manufacturer specific commands to update the eMMC firmware, but it's the firmware that controls the communication with the chip.
If you fubar that, it's game over. There is no such thing as a JTAG or serial console port to establish communication and restore the firmware.
Some 3ds have a Toshiba eMMC instead of a Samsung. It would really surprise me if it would use the same manufacturer commands to manipulate the firmware, unless it would contain the same samsung controller inside the housing.

Let's just say that my assumption that they might have password locked the eMMC is still an option until proven wrong.

The flash memory is detected, it reports the correct size, its serial number, another user posted this http://gbatemp.net/threads/nand-flash-dump-3ds-xl.350668/page-45#post-4889972
 

justinkb

If the flash memory isn't detected, how do you know that the eMMC Master Controller's firmware is gone?
Did anyone run some low level eMMC communication on it to confirm this?
I agree upon the fact that Samsung has manufacturer specific commands to update the eMMC firmware, but it's the firmware that controls the communication with the chip.
If you fubar that, it's game over. There is no such thing as a JTAG or serial console port to establish communication and restore the firmware.
Some 3ds have a Toshiba eMMC instead of a Samsung. It would really surprise me if it would use the same manufacturer commands to manipulate the firmware, unless it would contain the same samsung controller inside the housing.

Let's just say that my assumption that they might have password locked the eMMC is still an option until proven wrong.

I think Fox means it's unlikely that this software brick couldn't be repaired fairly simply with the right software, since we know that the interface for the eMMC is very simply exposed via 4 easily reachable pads on the mobo.

Can you link to any datasheets which specify the controller is lockable via a password theoretically?

In any case, based on what we have heard from those who initially reported this business, we have reason to believe all that was done is reconfiguring one controller register, making it report 0 size.

edit: reading krisztian's post now, it seems those initial reports were at least wrong about the incorrect size being reported...
 

Darkseeker109

Well the gateway guys are offering to fix bricked 3ds's so they must have a way to fix it. I'm curious as to how and what method they will use.
 

profi200

Yeah, that with the size was wrong. It was more an initial guess, but some users here already have good ideas.

I know now, what exactly they do, but the solution was already posted somewhere here. Good luck with restoring the bricks.
 

krisztian1997

profi2000
If you already know the answer, why don't you help instead of playing the guessing game?
We have to reset the eMMC's password, but so far we don't have any ways to talk with the controller directly (some ideas would be to try with an arduino and an already made library to communicate with the controller) so we can send the erase command to it
 

obcd

Code:
http://gbatemp.net/threads/has-anyone-with-a-brick-been-able-to-recover.360647/page-2#post-4889629

This describes the locking options of the eMMC 4.4 standard protocol.
 

krisztian1997

Code:
http://gbatemp.net/threads/has-anyone-with-a-brick-been-able-to-recover.360647/page-2#post-4889629

This describes the locking options of the eMMC 4.4 standard protocol.
If someone here has an arduino, then we could test some stuff on a test eMMC and maybe even unbrick a console. I talked with someone who had an arduino and if he still has it, then I can get one to test some stuff
 

bkifft

If someone here has an arduino, then we could test some stuff on a test eMMC and maybe even unbrick a console. I talked with someone who had an arduino and if he still has it, then I can get one to test some stuff

just take care: arduinos operate on 5V logic, while the eMMC only can handle 3.3ishV -> logic level converter (or at least resistor based voltage dividers). raspberry pis use 3.3V by default.

also for anyone interested check out the tinyFAT lib, written for arduino but seems easily portable to all microcontrollers (you only need to change the GPIO handling code), got nice functions for the whole handshake stuff ("hello card, are you ok?" blablabla) and can then be used to send arbitrary commands (here it's command 0x2A (always with those 42s...) with an argument 0x8, see already posted jedec standard, page 63 ff.).


edit: found an even smaller implementation that only does the force erase, written for avr: http://pastebin.com/jLXknkNk

edit the second: nice short writeup on CMD42 http://www.seanet.com/~karllunt/sdlocker2.html
 

krisztian1997

just take care: arduinos operate on 5V logic, while the eMMC only can handle 3.3ishV -> logic level converter (or at least resistor based voltage dividers). raspberry pis use 3.3V by default.

also for anyone interested check out the tinyFAT lib, written for arduino but seems easily portable to all microcontrollers (you only need to change the GPIO handling code), got nice functions for the whole handshake stuff ("hello card, are you ok?" blablabla) and can then be used to send arbitrary commands (here it's command 0x2A (always with those 42s...) with an argument 0x8, see already posted jedec standard, page 63 ff.).
I already looked into tinyFAT and it's pretty ok, there are some other libraries which can send low level commands and are much smaller than tinyfat

edit: found an even smaller implementation that only does the force erase, written for avr: http://pastebin.com/jLXknkNk

edit the second: nice short writeup on CMD42 http://www.seanet.com/~karllunt/sdlocker2.html

Arduino can work with AVR code, so with some small modification that code would be perfect for an arduino, and the 2nd code uses an ATmega328, the same microprocessor like in the Arduino, so that code would work too, but instead of lock/unlock it can be changed to erase, also to check if the eMMC is really locked with a password, it's possible to send a CMD 13 (send_status) and if the 8th bit is set, that means it's locked, if it's 0 that means it's unlocked and gateway did something else to the card.
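
Added example, not part of any post in this thread and not taken from the linked AVR code: a host-side C sketch of the CMD13 lock check discussed above, which builds the 6-byte command frame with its CRC7 and decodes the lock flags from the reply. The function names are hypothetical, the sample responses are constructed, and the bit positions are assumptions taken from the SD/MMC specifications rather than from the thread (SPI-mode R2: second byte, bit 0 locked and bit 1 lock/unlock failed; native card status: bit 25 locked and bit 24 lock/unlock failed).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CRC-7 (x^7 + x^3 + 1) that protects every SD/MMC command frame. */
static uint8_t crc7(const uint8_t *p, size_t n) {
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t d = p[i];
        for (int b = 0; b < 8; b++, d <<= 1) {
            crc <<= 1;
            if ((d ^ crc) & 0x80) crc ^= 0x09;
        }
    }
    return crc & 0x7F;
}

/* Frame layout: 01 + 6-bit index, 32-bit argument, CRC7 + end bit. */
void build_cmd(uint8_t index, uint32_t arg, uint8_t out[6]) {
    out[0] = (uint8_t)(0x40 | (index & 0x3F));
    out[1] = (uint8_t)(arg >> 24);
    out[2] = (uint8_t)(arg >> 16);
    out[3] = (uint8_t)(arg >> 8);
    out[4] = (uint8_t)arg;
    out[5] = (uint8_t)((crc7(out, 5) << 1) | 1);
}

typedef struct { int valid, locked, lock_cmd_failed; } lock_state;

/* SPI mode: CMD13 answers with R2, two bytes; a valid first byte has bit 7 clear. */
lock_state decode_spi_r2(uint8_t r1, uint8_t r2) {
    lock_state s = { (r1 & 0x80) == 0, r2 & 0x01, (r2 >> 1) & 1 };
    return s;
}

/* Native MMC/SD mode: CMD13 answers with the 32-bit card status. */
lock_state decode_card_status(uint32_t status) {
    lock_state s = { 1, (int)((status >> 25) & 1), (int)((status >> 24) & 1) };
    return s;
}

int main(void) {
    uint8_t f[6];
    build_cmd(13, 0, f); /* native mode would carry the RCA in arg bits 31:16 */
    printf("CMD13: %02X %02X %02X %02X %02X %02X\n",
           f[0], f[1], f[2], f[3], f[4], f[5]);
    lock_state a = decode_spi_r2(0x00, 0x01);      /* constructed R2 reply */
    lock_state b = decode_card_status(0x02000900); /* constructed status word */
    printf("spi locked=%d, native locked=%d\n", a.locked, b.locked);
    return 0;
}
```

A reply with the lock flag clear on a device that still refuses reads points away from a CMD42 password lock as the cause.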
 

gamesquest1

If there are people who feel confident enough and have the resources for testing this out but not a bricked 3DS to test it on.....maybe they could just try setting the lock status on a working 3DS and see if you get the same BSOD error code

Also I'm pretty sure on the old symbian Nokia phones you could lock the mmc card so you had to put the password in to unlock....but I think you could format without it if I remember correctly...maybe wiring the nand up to an old phone you could use the format option to remove the password and lock code idk tbh but just an idea but you would still need to restore the original dump afterwards this is assuming Nokia was using the same locking method on the card

Could this be of any help?
http://forum.dailymobile.net/index.php?PHPSESSID=0l6sfckmnd0576lit8rbpe5ks3&/topic,1220.0.html
 

olfa

for raspberry pi
RASPI 3DS
P1-23 -> CLK
P1-19 -> CMD ( MOSI — Master Output, Slave Input (DI) )
P1-21 -> DAT0 ( MISO - DO - DATA OUTPUT)
P1-24 -> DAT3 (CE0 SS - CS - slave select)
P1-25 -> GND
 

krisztian1997

If there are people who feel confident enough and have the resources for testing this out but not a bricked 3DS to test it on.....maybe they could just try setting the lock status on a working 3DS and see if you get the same BSOD error code

Also I'm pretty sure on the old symbian Nokia phones you could lock the mmc card so you had to put the password in to unlock....but I think you could format without it if I remember correctly...maybe wiring the nand up to an old phone you could use the format option to remove the password and lock code idk tbh but just an idea but you would still need to restore the original dump afterwards this is assuming Nokia was using the same locking method on the card

Could this be of any help?
http://forum.dailymobile.net/index.php?PHPSESSID=0l6sfckmnd0576lit8rbpe5ks3&/topic,1220.0.html

I looked at that program and the links, but looks like that's a different method to lock the cards, there were some hidden files on the card which blocked it, and what that program does is to delete them.
 

gamesquest1

Yeah I saw something about the card password being stored on the phone's internal memory, but that program apparently formats the actual card without access to the original password

From what people are saying when looking over it, the card would act similar to what's happening with the 3DS, i.e. not being accessible on a computer unless unlocked on the phone, but that app just removes the lock and formats....idk might not work but would be cool if someone at least gave it a try :)
 
