Homebrew How can fieldrunhax restore/backup NANDs in versions after 9.2?

Ev1lbl0w

Well-Known Member
OP
Member
Joined
Dec 19, 2014
Messages
279
Trophies
0
Age
32
XP
1,859
Country
Portugal
I'm quite curious. AFAIK 9.2 is the latest system version to have an arm9 exploit which lets us back up/restore NANDs. So, how can a DSiWare game do this in the latest version?

Does it exploit TWL_FIRM or something like that?

Thanks in advance,
Ev1lbl0w
 


gnmmarechal

Well-Known Member
Member
GBAtemp Patron
Joined
Jul 13, 2014
Messages
5,986
Trophies
2
Age
24
Location
https://gs2012.xyz
Website
gs2012.xyz
XP
5,591
Country
Portugal
It doesn't restore NAND backups, it lets us downgrade (a bit different from NAND backups). Even if we could make NAND backups, it would be extremely unstable
Very wrong. It dumps/restores the NAND.

You can then use a known-plaintext attack to inject an older NATIVE_FIRM, and restore the modified backup.


It's exactly the same as the hardmod method, except for the way of backing up/restoring.


Aaand, as such, it can be easily patched.
 

Swiftloke

Hwaaaa!
Member
Joined
Jan 26, 2015
Messages
1,770
Trophies
0
Location
Nowhere
XP
1,335
Country
United States
It doesn't restore NAND backups, it lets us downgrade (a bit different from NAND backups). Even if we could make NAND backups, it would be extremely unstable
This guy talking out of his ass -_-
Anyway, I don't know much about why, but TWL_FIRM has access to the whole NAND. So if we take it over with dsiwarehax, we can dump the NAND. Might you know why, @MarcusD?
 

coder65535

Member
Newcomer
Joined
Jun 7, 2016
Messages
9
Trophies
0
Age
33
XP
57
Country
United States
This guy talking out of his ass -_-
Anyway, I don't know much about why, but TWL_FIRM has access to the whole NAND. So if we take it over with dsiwarehax, we can dump the NAND. Might you know why, @MarcusD?

From what I've read, TWL_FIRM has whole-NAND access because that's how the DSi operated, and TWL_FIRM is basically a clone of a good portion of the DSi's OS.

I may be wrong, though.
 

Ryccardo

watching Thames TV from London
Member
Joined
Feb 13, 2015
Messages
7,403
Trophies
0
Age
27
Location
Imola
XP
6,390
Country
Italy
As you may know, arm11 (3ds application processor) doesn't have access to storage, arm9 (3ds kernel processor) does.

In DS/i mode, applications run on both arm9 and arm7 - with no 3ds-mode kernel enforcing any protection: that's it!

As for why it can access the full chip, combine the fact that on a real DSi the full NAND was used (with an MBR - also on 3DS for compatibility - pointing to the DSi partitions, that's why software isn't fooled by the different size) + Nintendo's laziness in developing AGB_FIRM and TWL_FIRM.
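To make the MBR point concrete: software in DSi mode does not care how large the chip is, it reads the partition table in sector 0 and locates each partition by its LBA start and length. The parser below is an added example, not code from this thread or from any 3DS homebrew project; the sector it builds is a constructed sample with illustrative partition values and does not reproduce the real DSi or 3DS NAND layout. `check_fit` is the sanity check a forensic or backup tool would run before trusting a table on a medium of a different size than the one it was written for.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries live at 446..509
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> list:
    """Parse one 512-byte MBR sector and return the non-empty partition entries.

    Each entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE).
    CHS fields are ignored; modern readers (and a NAND image) are addressed by LBA.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing MBR boot signature 0x55AA")

    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, offset
        )
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            # Byte positions are derived purely from the table, never from the chip size.
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_length": sectors * SECTOR_SIZE,
        })
    return partitions


def check_fit(partitions: list, device_bytes: int) -> list:
    """Return the indices of partitions that extend past the end of a device of device_bytes."""
    return [p["index"] for p in partitions
            if p["byte_offset"] + p["byte_length"] > device_bytes]


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition entry with zeroed CHS fields."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def make_sample_mbr() -> bytes:
    """Constructed sample sector: two FAT32-LBA (type 0x0C) partitions, illustrative values only."""
    table = (
        build_entry(0x00, 0x0C, 2048, 200_000)      # ~97 MiB starting at 1 MiB
        + build_entry(0x00, 0x0C, 204_800, 50_000)  # ~24 MiB starting at 100 MiB
        + b"\0" * (ENTRY_SIZE * 2)                  # two unused slots
    )
    sector = b"\0" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    parts = parse_mbr(make_sample_mbr())
    for p in parts:
        print(f"slot {p['index']}: type 0x{p['type']:02X} "
              f"offset {p['byte_offset']} length {p['byte_length']}")
    # The same table is valid on a 256 MiB chip but the second partition
    # would overrun a 128 MB one, which is what a size check should catch.
    print("overruns on 256 MiB:", check_fit(parts, 256 * 1024 * 1024))
    print("overruns on 128 MB:", check_fit(parts, 128_000_000))
```

Run it on a real image by replacing `make_sample_mbr()` with the first 512 bytes of the dump; if the image is encrypted the signature check fails, which is the intended behaviour rather than a bug.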
 

KapuDaKoopa

That One Splatoon Dataminer
Member
Joined
Mar 12, 2016
Messages
474
Trophies
0
XP
974
Country
United States
I just now realized something, although it might also just be me being an idiot because I don't know a whole bunch about how the 3DS actually works, especially the TWL_Firm.

But doesn't the 3DS' DS WiFi setup run under TWL as well?

Or does Fieldrunners already have an exploit and this is why this works?
 

Ev1lbl0w

Well-Known Member
OP
Member
Joined
Dec 19, 2014
Messages
279
Trophies
0
Age
32
XP
1,859
Country
Portugal
As you may know, arm11 (3ds application processor) doesn't have access to storage, arm9 (3ds kernel processor) does.

In DS/i mode, applications run on both arm9 and arm7 - with no 3ds-mode kernel enforcing any protection: that's it!

As for why it can access the full chip, combine the fact that on a real DSi the full NAND was used (with an MBR - also on 3DS for compatibility - pointing to the DSi partitions, that's why software isn't fooled by the different size) + Nintendo's laziness in developing AGB_FIRM and TWL_FIRM.

So, that means TWL_Firm is running without arm11, only arm7 and arm9, and thus is unprotected enough to be able to back up/restore NANDs.

So, is the exploit running on arm7 or arm9 btw?

--------------------- MERGED ---------------------------

Cartridge games don't have access to the NAND, only installed games (DSiWare) have access.

But even if we install Fieldrunners as a DSiWare CIA (if there is one actually), doesn't it have access to the NAND, just like any other DSiWare app?
 

N7Kopper

Lest we forget... what Nazi stood for.
Member
Joined
Aug 24, 2014
Messages
929
Trophies
0
Age
29
XP
1,193
Country
United Kingdom
So, that means TWL_Firm is running without arm11, only arm7 and arm9, and thus is unprotected enough to be able to back up/restore NANDs.

So, is the exploit running on arm7 or arm9 btw?

ARM9 is the processor with all the access privileges, so smart money says ARM9. Even if ARM7 is used, it's just as a stepping stone.

But even if we install Fieldrunners as a DSiWare CIA (if there is one actually), doesn't it have access to the NAND, just like any other DSiWare app?
Yes, it does. That's the basis of the existing exploit - you buy Fieldrunners from the eShop on the unhacked system, which ensures that both the installed CIA (provided you installed it using the eShop itself) and the hacked save that you install will transfer back to the unhacked console when you're done with them.
Of course, you can't System Transfer from a New 3DS to an old one, so you would have to find some way of getting the transfer to work while running a patched O3DS firm on RedNAND if you absolutely needed to do it that way.
 
