How can fieldrunhax restore/backup NAND's in versions after 9.2?

Discussion in '3DS - Homebrew Development and Emulators' started by Ev1lbl0w, Jul 19, 2016.

  1. Ev1lbl0w
    OP

    Ev1lbl0w GBAtemp Regular

    I'm quite curious. AFAIK 9.2 is the latest system version to have an arm9 exploit which lets us backup/restore NANDs. So, how can a DSiWare game do this in the latest version?

    Does it exploit TWL_FIRM or something like that?

    Thanks in advance,
    Ev1lbl0w
     
  2. SirBeethoven

    SirBeethoven Happy holidays!

    I'd like to know more about this as well! :)
     
  3. SimplyFedorable

    SimplyFedorable Evangelion Geek

    -snip-
     
    Last edited by SimplyFedorable, Jul 20, 2016
  4. Ev1lbl0w
    OP

    Ev1lbl0w GBAtemp Regular

    According to Plailect (https://github.com/Plailect/Guide/wiki/DSiWare-Downgrade), you use this hax to dump the 11.0 NAND, apply the 10.4 NATIVE_FIRM and restore it to the system.
     
  5. gnmmarechal

    gnmmarechal Seriel's Original Stalker

    Very wrong. It dumps/restores the NAND.

    You can then use a known-plaintext attack to inject an older NATIVE_FIRM, and restore the modified backup.

    It's exactly the same as the hardmod method, except for the way of backing up/restoring.

    Aaand, as such, it can be easily patched.
     
  6. Swiftloke

    Swiftloke Hwaaaa!

    This guy is talking out of his ass -_-
    Anyway, I don't know much about why, but TWL_FIRM has access to the whole NAND. So if we take it over with dsiwarehax, we can dump the NAND. Might you know why, @MarcusD?
     
    Last edited by Swiftloke, Jul 19, 2016
  7. coder65535

    coder65535 Newbie

    From what I've read, TWL_FIRM has whole-NAND access because that's how the DSi operated, and TWL_FIRM is basically a clone of a good portion of the DSi's OS.

    I may be wrong, though.
     
  8. Ryccardo

    Ryccardo WiiUaboo

    As you may know, arm11 (the 3DS application processor) doesn't have access to storage; arm9 (the 3DS kernel processor) does.

    In DS/i mode, applications run on both arm9 and arm7, with no 3DS-mode kernel enforcing any protection: that's it!

    As for why it can access the full chip: combine the fact that on a real DSi the full NAND was used (with an MBR, also present on the 3DS for compatibility, pointing to the DSi partitions, which is why software isn't fooled by the different size) with Nintendo's laziness in developing agbfirm and twlfirm.
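    The MBR point above is the one worth checking on a real backup. The script below is an added example written for this thread, not code from any of the posters or from a 3DS homebrew project: it parses the four primary entries of a classic MBR (partition table at offset 0x1BE, sixteen bytes per entry, 0x55AA boot signature) and then checks that every partition described by a raw NAND image's own MBR actually lies inside the file. Partition entries give absolute LBA start and sector count, so the same table parses identically whether the image is chip-sized for a DSi or the larger 3DS chip, which is the mechanism behind "software isn't fooled by the different size"; it also catches a truncated dump before anyone restores it. All partition types, offsets and sizes here are constructed sample values, not the real DSi/3DS layout.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # standard MBR partition table location
PARTITION_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"       # status, (CHS skipped), type, (CHS skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"


def build_mbr(partitions):
    """Build a 512-byte MBR from (type, lba_start, sector_count) tuples.

    Used here only to construct sample input; the values are made up and
    are not the real DSi/3DS partition layout.
    """
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, lba_start, sectors) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into(ENTRY_FORMAT, sector, off, 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR sector.

    Each entry carries an absolute LBA start and a sector count; nothing
    here depends on how large the chip is, which is why one table can
    serve both a DSi-sized NAND and a bigger 3DS NAND.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR sector too short")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_backup(image):
    """Sanity-check a raw NAND backup against its own MBR.

    Returns a list of problems (empty means the table is consistent with
    the file): every partition must lie entirely inside the image, so a
    truncated dump is caught before anyone tries to restore it.
    """
    problems = []
    total_sectors = len(image) // SECTOR_SIZE
    for p in parse_mbr(image[:SECTOR_SIZE]):
        end = p["lba_start"] + p["sectors"]
        if end > total_sectors:
            problems.append(
                f"partition {p['index']} ends at sector {end} but image has {total_sectors}")
    return problems


# Constructed sample layout: two 1 MiB partitions right after the MBR.
SAMPLE_MBR = build_mbr([(0x0C, 1, 2048), (0x0C, 2049, 2048)])


def sample_image(total_sectors):
    """Constructed NAND image of the given size sharing SAMPLE_MBR (data area zero-filled)."""
    return SAMPLE_MBR + bytes(SECTOR_SIZE * (total_sectors - 1))


SMALL_CHIP = sample_image(4097)       # exactly fits the two partitions
LARGE_CHIP = sample_image(8192)       # bigger chip, same table: parses identically
TRUNCATED_DUMP = sample_image(3000)   # cut short: second partition runs past the end


if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))
    print("small:", check_backup(SMALL_CHIP))
    print("large:", check_backup(LARGE_CHIP))
    print("truncated:", check_backup(TRUNCATED_DUMP))
```

    To use it on a real dump, read the first 512 bytes of the image file into `parse_mbr`, or pass the whole file to `check_backup`; a non-empty result means the backup should not be trusted for a restore.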
     
  9. Billy Acuña

    Billy Acuña GBAtemp Addict

    So... You can do this with a "sudokuhax"-like exploit but cannot with a flashcart. Right?
    Then, why?
     
  10. Raugo

    Raugo GBAtemp Fan

    Cartridge games don't have access to the NAND; only installed games (DSiWare) have access.
     
  11. KapuDaKoopa

    KapuDaKoopa hot kass r34

    I just now realized something, although it might also just be me being an idiot because I don't know a whole bunch about how the 3DS actually works, especially the TWL_Firm.

    But doesn't the 3DS' DS WiFi setup run under TWL as well?

    Or does Fieldrunners already have an exploit and this is why this works?
     
  12. Ev1lbl0w
    OP

    Ev1lbl0w GBAtemp Regular

    So, that means TWL_Firm is running without arm11, only arm7 and arm9, and thus is unprotected enough to be able to backup/restore NANDs.

    So, is the exploit running on arm7 or arm9 btw?

    But even if we install Fieldrunners as a DSiWare CIA (if there is one actually), doesn't it have access to the NAND, just like any other DSiWare app?
     
  13. N7Kopper

    N7Kopper Proud lover of a three-inch girlfriend

    ARM9 is the processor with all the access privileges, so smart money says ARM9. Even if ARM7 is used, it's just as a stepping stone.

    Yes, it does. That's the basis of the existing exploit - you buy Fieldrunners from the eShop on the unhacked system, which ensures that both the installed CIA (provided you installed it using the eShop itself) and the hacked save that you install will transfer back to the unhacked console when you're done with them.
    Of course, you can't System Transfer from a New 3DS to an old one, so you would have to find some way of getting the transfer to work while running a patched O3DS firm on RedNAND if you absolutely needed to do it that way.
     
  14. Swiftloke

    Swiftloke Hwaaaa!

    Well, most DS flashcarts run in DS mode, which means they don't get NAND access.
    I'm betting, however, that the few flashcarts compatible with DSi mode could do this.
     
  15. gnmmarechal

    gnmmarechal Seriel's Original Stalker

    Aren't most, if not all, DSi-mode carts blocked?