Hacking [HELP] I made a huge mistake while installing a9lh again

[Miguel Gomez]

So as you can see on this thread, I successfully installed arm9loaderhax on the o3DSXL.
Now, I got myself another 3DS with 9.9.0 and I tried installing a9lh again. However, during the process of downgrading to 2.1.0, I noticed that the downgrade can't proceed because of lack of space(the SD Card is 2GB which is a bad memory). I accidentally press continue and it proceeds. Since I panicked, I forced shutdown the 3DS. Afterwards, the 3DS no longer respond. It feels like Black Screen of Death with no display and has blue light(red if low battery).

While searching for answers, it seems that no one mentioned this issue during downgrading. The only solution is to open the insides of the 3DS console and unplug/plug the WiFi chip. I did that but no results.

I'm afraid that there's no answers to fix it and I wasted cash just to buy another one. So to save the 3DS that I spent P11K, can you help me fix it?

If no solution, I really had no choice but to buy another one instead.

 

[Aletron9000]

Wait, you forced turned it off in the middle of the transfer? It is bricked. If you have a nand backup, then you can get a hardmod and restore the backup. If you don't have a nand backup, then you have a brick that cannot be repaired.

 

[dark_samus3]

Wait, you forced turned it off in the middle of the transfer? It is bricked. If you have a nand backup, then you can get a hardmod and restore the backup. If you don't have a nand backup, then you have a brick that cannot be repaired.

Until sighax comes out, at least

 

[Aletron9000]

Until sighax comes out, at least

How would sighax help with this?

 

[pre10c]

2GB which is a bad memory)

Wait what ?? You tried a downgrade with a bad memory card??

 

[Gnarmagon]

How did you got all the Files on a 2GB Card ???
Ctransfer ≈ 1GB
Backup of SysNand ≈1.2GB....

 

[pre10c]

How did you got all the Files on a 2GB Card ???
Ctransfer ≈ 1GB
Backup of SysNand ≈1.2GB....

Well from the looks off it he didn't make a backup

 

[Miguel Gomez]

Well from the looks off it he didn't make a backup

Yeah. You're right. I didn't make a backup. Welp, what a waste.
Might as well sell it and if someone had hardmod he/she might fix it.

 

[pre10c]

Yeah. You're right. I didn't make a backup. Welp, what a waste.
Might as well sell it and if someone had hardmod he/she might fix it.

If there's no backup then there's no way of fixing it, even with a hardmode. And to be rude, this is what you get when not taking backups and using a wanky SD card.

 

[Gnarmagon]

You can just swap the Board

 

[Astral_]

This is not recoverable. You could still sell it as bricked for spare parts...

 

[Urbanshadow]

How would sighax help with this?

Manually injecting via hardmod another console's manually encripted nand using sighax's magic signature. It would bypass bootrom sig and size checks, get successfully decrypted and executed as in a vanilla system. Heaven, my friend.

 

[dark_samus3]

Manually injecting via hardmod another console's manually encripted nand using sighax's magic signature. It would bypass bootrom sig and size checks, get successfully decrypted and executed as in a vanilla system. Heaven, my friend.

EDIT: Theoretically, sighax can generate an universal 3ds nand image. With a hardmod, this image can be recovered in any system able to boot with a healthy nand chip.

Not entirely correct. It cannot create a universal NAND image, console unique encryption is actually based on the OTP. What we can do, however, is use the known plaintext attack on one of the firm partitions to generate an xorpad, which we use to encrypt a sighax firm for injection back in, the injected firm can just be a payload like decrypt9, which can simply do a ctrtransfer to recover the system from there... Still, pretty simple method

 

[Urbanshadow]

Not entirely correct. It cannot create a universal NAND image, console unique encryption is actually based on the OTP. What we can do, however, is use the known plaintext attack on one of the firm partitions to generate an xorpad, which we use to encrypt a sighax firm for injection back in, the injected firm can just be a payload like decrypt9, which can simply do a ctrtransfer to recover the system from there... Still, pretty simple method

I stand corrected then. I have to admit it's hard to me to undestand derrek sometimes.

For this to work with op without a nand backup, you are hoping to have a clean firm0 or firm1 in op's nand, then dump it encrypted to disk with a hardmod. To perform the plaintext, that is.

 

[dark_samus3]

I stand corrected then. I have to admit it's hard to me to undestand derrek sometimes.

For this to work with op without a nand backup, you are hoping to have a clean firm0 or firm1 in op's nand, then dump it encrypted to disk with a hardmod. To perform the plaintext, that is.

Yeah, they should be clean, they aren't touched until the end, so the firm partitions will be OK

 

[Urbanshadow]

Yeah, they should be clean, they aren't touched until the end, so the firm partitions will be OK

Question: From that point, the ctrtransfer will be done using op's real signature or sighax one?

 

[Miguel Gomez]

In short, the 3DS is fully bricked and cannot restored without backups.
RIP

I wonder if the Nintendo Switch might have an exploit to access Homebrew. We'll see that on March.
Hopefully, the Switch might have 3DS Compatibility.

 

[dark_samus3]

Question: From that point, the ctrtransfer will be done using op's real signature or sighax one?

Huh? This question doesn't really make sense... Let me break it down a bit. It seems you're getting signatures and encryption mixed up. Sighax only applies to a decrypted version of the firmware. We can basically "replace" the signature with one that simply verifies as correct always. From there, we load a payload. The main reason we must do this is because ctrnand (the thing we're trying to recover) is encrypted with console unique keys as well, and is too unpredictable to reliably decrypt (we don't have plaintext) so, we need to gain arm9 code execution to use the AES engine, which has the keys set properly for us, then we can encrypt a new ctrnand partition for the OP and install a new firm in place, once that's done they should be good to go

--------------------- MERGED ---------------------------

In short, the 3DS is fully bricked and cannot restored without backups.
RIP

I wonder if the Nintendo Switch might have an exploit to access Homebrew. We'll see that on March.
Hopefully, the Switch might have 3DS Compatibility.

It can be restored without backups once we have a correct sighax signature. It will need to be hard modded, however

 

[ArviDroid]

How did you got all the Files on a 2GB Card ???
Ctransfer ≈ 1GB
Backup of SysNand ≈1.2GB....

I did A9LH with a 2GB Sd card. It worket out nicely with ~80mb of free space left. I didn't have about anything on it. Or are the NAND backups bigger on a new 3DS for example?

 

[Miguel Gomez]

Huh? This question doesn't really make sense... Let me break it down a bit. It seems you're getting signatures and encryption mixed up. Sighax only applies to a decrypted version of the firmware. We can basically "replace" the signature with one that simply verifies as correct always. From there, we load a payload. The main reason we must do this is because ctrnand (the thing we're trying to recover) is encrypted with console unique keys as well, and is too unpredictable to reliably decrypt (we don't have plaintext) so, we need to gain arm9 code execution to use the AES engine, which has the keys set properly for us, then we can encrypt a new ctrnand partition for the OP and install a new firm in place, once that's done they should be good to go

--------------------- MERGED ---------------------------


It can be restored without backups once we have a correct sighax signature. It will need to be hard modded, however

Great. I might as well give the brick 3DS to someone with Hardmod experience.