How can I hack 1.0.0-0U 3ds?

Discussion in '3DS - Flashcards & Custom Firmwares' started by xdrz, Aug 14, 2015.

  1. xdrz
    OP

    xdrz Member

    Newcomer
    45
    3
    Aug 8, 2015
    Hong Kong
    I recently got a 1.0.0-0U O3DS,
    and I found that even if I update my firmware by retail cart, there won't be a browser installed,
    so I am thinking about how to upgrade and hack it.

    This is the way I am thinking:
    - upgrade to 2.1 by retail cart (FIFA 12) (that's the only cart I see which is cheap in price now)
      (necessary version for rxTools)
    - use GW menu by NDS flashcard
    - format emuNAND
    - install rxTools by NDS flashcard
    - inject FBI into 3DS sysNAND by rxTools
    - install and use the sysUpdater CIA via FBI to install 4.5 firmware downloaded from the internet

    Now I have a 3DS with a browser and on firmware 4.5?
    The problem I'm concerned about is:
    can I install GW menu on 2.1?
    can I use sysUpdater on 2.1?

    If it is possible, I am going to buy an NDS flashcard from an internet shop,
    so I would like to ask if it's possible before buying it.

    Or is it possible to use Download Play from my 4.4J O3DS with 9.5U emuNAND for the system upgrade on my 1.0U 3DS?
     
    marc00077 likes this.


  2. MelonGx

    MelonGx GBAtemp Advanced Maniac

    Member
    1,634
    439
    Jan 8, 2009
    China
     
    Margen67 and thaikhoa like this.
  3. xdarkmario

    xdarkmario Philosopher

    Member
    1,331
    310
    Dec 30, 2010
    United States
    Mushroom Kingdom
    Sorry to be off topic, but where the hell did you get a launch 3DS? 0__0
     
    NoNAND, Skylar-, Ricken and 6 others like this.
  4. Normmatt

    Normmatt Former AKAIO Programmer

    Member
    2,142
    544
    Dec 14, 2004
    New Zealand
    You can use Cubic Ninja to exploit 1.0.0E. It's not very stable, but it's enough to get basic ARM9 control (after a few retries). Scan http://i.imgur.com/7Q35Tuy.png and it will load the file load.bin into FCRAM at 0x23F00000 and start execution (size is limited to 0x3000 bytes).

    This is how to retrieve the framebuffer addresses:

    #include <stdint.h>

    /* Copies the framebuffer pointers found in FCRAM (0x23FFFE00..0x23FFFE1C)
       into a fixed scratch area at 0x080FFFC0.., then picks the currently
       displayed buffer of each pair using the two select words. */
    void get_framebuffers(uint8_t **topScreen_left, uint8_t **topScreen_right, uint8_t **bottomScreen)
    {
        *(volatile uint32_t*)0x080FFFEC = *(volatile uint32_t*)0x23FFFF18;
        *(volatile uint32_t*)0x080FFFC0 = *(volatile uint32_t*)0x23FFFE00; // framebuffer 1 top left
        *(volatile uint32_t*)0x080FFFC4 = *(volatile uint32_t*)0x23FFFE04; // framebuffer 2 top left
        *(volatile uint32_t*)0x080FFFC8 = *(volatile uint32_t*)0x23FFFE08; // framebuffer 1 top right
        *(volatile uint32_t*)0x080FFFCC = *(volatile uint32_t*)0x23FFFE0C; // framebuffer 2 top right
        *(volatile uint32_t*)0x080FFFD0 = *(volatile uint32_t*)0x23FFFE10; // framebuffer 1 bottom
        *(volatile uint32_t*)0x080FFFD4 = *(volatile uint32_t*)0x23FFFE14; // framebuffer 2 bottom
        *(volatile uint32_t*)0x080FFFD8 = *(volatile uint32_t*)0x23FFFE18; // framebuffer select top
        *(volatile uint32_t*)0x080FFFDC = *(volatile uint32_t*)0x23FFFE1C; // framebuffer select bottom

        // bit 0 of each select word chooses buffer 1 (slot offset 0) or buffer 2 (slot offset 4)
        uint32_t topScreenSelect = *(volatile uint32_t*)0x080FFFD8;
        *topScreen_left  = (uint8_t*)*(volatile uint32_t*)((uint32_t)0x080FFFC0 + 4*(topScreenSelect&1));
        *topScreen_right = (uint8_t*)*(volatile uint32_t*)((uint32_t)0x080FFFC8 + 4*(topScreenSelect&1));

        uint32_t bottomScreenSelect = *(volatile uint32_t*)0x080FFFDC;
        *bottomScreen = (uint8_t*)*(volatile uint32_t*)((uint32_t)0x080FFFD0 + 4*(bottomScreenSelect&1));
    }
     
    Last edited by Normmatt, Aug 16, 2015
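    The double-buffer selection from the post above, as an added example that is not Normmatt's code and is not part of the original thread: the six framebuffer slots and the two select words are modelled as a small struct instead of the fixed scratch addresses, so the logic runs on a PC. The screen layout used to plot a pixel is an assumption not stated in the post (400x240 top / 320x240 bottom, column-major, 3 bytes per pixel in BGR order, pixel (x, y) at ((x * 240) + (239 - y)) * 3, the layout 3DS homebrew libraries use); the buffers are constructed sample memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCREEN_H 240
#define BPP      3
#define TOP_W    400
#define BOT_W    320

/* Stand-in for the 0x080FFFC0..0x080FFFDC scratch area in the post:
 * slots[] holds the six framebuffer pointers in the same order
 * (top-left 1, top-left 2, top-right 1, top-right 2, bottom 1, bottom 2),
 * select_top / select_bottom mirror the words at 0x080FFFD8 / 0x080FFFDC. */
typedef struct {
    uint8_t *slots[6];
    uint32_t select_top;
    uint32_t select_bottom;
} FbTable;

/* Same arithmetic as the post: base slot + (select & 1) picks buffer 1 or 2. */
static uint8_t *active_fb(const FbTable *t, int base_slot, uint32_t sel)
{
    return t->slots[base_slot + (int)(sel & 1)];
}

uint8_t *active_top_left(const FbTable *t)  { return active_fb(t, 0, t->select_top); }
uint8_t *active_top_right(const FbTable *t) { return active_fb(t, 2, t->select_top); }
uint8_t *active_bottom(const FbTable *t)    { return active_fb(t, 4, t->select_bottom); }

/* Byte offset of pixel (x, y) in a column-major, 240-row, BGR8 buffer
   (assumed layout, see lead-in). */
size_t pixel_offset(int x, int y)
{
    return (size_t)((x * SCREEN_H) + (SCREEN_H - 1 - y)) * BPP;
}

/* Writes one pixel; bytes are stored B, G, R. */
void put_pixel(uint8_t *fb, int x, int y, uint8_t r, uint8_t g, uint8_t b)
{
    uint8_t *p = fb + pixel_offset(x, y);
    p[0] = b;
    p[1] = g;
    p[2] = r;
}

/* Constructed sample memory standing in for the real framebuffers. */
static uint8_t tl1[TOP_W * SCREEN_H * BPP], tl2[TOP_W * SCREEN_H * BPP];
static uint8_t tr1[TOP_W * SCREEN_H * BPP], tr2[TOP_W * SCREEN_H * BPP];
static uint8_t bt1[BOT_W * SCREEN_H * BPP], bt2[BOT_W * SCREEN_H * BPP];

/* Demo: with select_top = 1 a red pixel must land in top-left buffer 2 and
   leave buffer 1 untouched; with select_bottom = 0 it goes to bottom buffer 1.
   Returns 1 when both checks hold. */
int demo(void)
{
    FbTable t = { { tl1, tl2, tr1, tr2, bt1, bt2 }, 1, 0 };
    memset(tl1, 0, sizeof tl1); memset(tl2, 0, sizeof tl2);
    memset(bt1, 0, sizeof bt1); memset(bt2, 0, sizeof bt2);

    put_pixel(active_top_left(&t), 10, 5, 0xff, 0x00, 0x00);
    put_pixel(active_bottom(&t),    3, 7, 0x00, 0xff, 0x00);

    size_t off_top = pixel_offset(10, 5) + 2;   /* R byte */
    size_t off_bot = pixel_offset(3, 7) + 1;    /* G byte */
    int top_ok = tl2[off_top] == 0xff && tl1[off_top] == 0;
    int bot_ok = bt1[off_bot] == 0xff && bt2[off_bot] == 0;

    printf("top-left active: %s, bottom active: %s\n",
           active_top_left(&t) == tl2 ? "buffer 2" : "buffer 1",
           active_bottom(&t) == bt1 ? "buffer 1" : "buffer 2");
    return top_ok && bot_ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

    The point of the select handling is that the display controller flips between the two buffers of each pair, so a payload that draws into the wrong one shows nothing; reading the select word first, exactly as the post does, avoids that.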
  5. zoogie

    zoogie simple pimp tool

    Member
    6,341
    8,027
    Nov 30, 2014
    United States
    That would be really useful for those stuck without a browser on higher firmwares. Could you provide the source, or maybe a version that will work on 5.0-9.2? (I have a hunch this uses a simpler ARM9 exploit to fit in < 6K, but I thought I'd try to ask anyway.)
     
  6. Asia81

    Asia81 In my Ecchi World <3

    Member
    5,046
    2,491
    Nov 15, 2014
    France
    Albi
    1.0? oO

    You bought it on the first day and never opened it? xD
     
    Kibido likes this.
  7. xdrz
    OP

    xdrz Member

    Newcomer
    45
    3
    Aug 8, 2015
    Hong Kong
    May I ask what ARM9 is?
    I just bought it from a person who had not played 3DS for a few years.
     
  8. PandaMayFire

    PandaMayFire GBAtemp Regular

    Member
    287
    86
    Jan 24, 2015
    United States
    You have quite the rarity there
     
  9. xdrz
    OP

    xdrz Member

    Newcomer
    45
    3
    Aug 8, 2015
    Hong Kong
    Haha... It may be valuable if I keep its version and don't play with it >0<
     
    Margen67 likes this.
  10. Syphurith

    Syphurith Beginner

    Member
    641
    222
    Mar 8, 2013
    Switzerland
    Xi'an, Shaanxi Province
    Just with a properly set up hard-mod, you can get the 1.0.0-U NAND dump!
    The version is so rare, and I bet there are some devs who would like to check your NAND dump with the xorpad (see them on EFnet, #3dsdev).
    Just after the hard-mod dump (you have to dump it several times in order to confirm it is working properly),
    you could update it to 4.x with a retail cart (find yourself a name on 3dsdb.com and borrow it) and use rxTools to get your NAND xorpad.
    Then you could play CIA games with it (don't forget to get a big SD card if you do so).
    Note: Even years ago Nintendo's CDN didn't contain such a firmware version. Super rare.
     
    Hiccup, nallar, Korma and 1 other person like this.
  11. loco365

    loco365 GBAtemp Guru

    Member
    5,458
    2,674
    Sep 1, 2010
    Yes, definitely do a NAND dump. 1.0.0 3DS systems do not show up that often and I bet a lot of devs would like to take a peek into the system. If you can find a way to perhaps boot rxTools or another CFW that supports NAND dumping, perhaps you can decrypt it and show the world its secrets.
     
    Hiccup, nallar, Korma and 2 others like this.
  12. zoogie

    zoogie simple pimp tool

    Member
    6,341
    8,027
    Nov 30, 2014
    United States
    If you look a few posts up, you can see that Normmatt posted a method to dump the NAND without a NAND mod. Just need Cubic Ninja.
     
    kactusss, Syphurith and Margen67 like this.
  13. MelonGx

    MelonGx GBAtemp Advanced Maniac

    Member
    1,634
    439
    Jan 8, 2009
    China
    BTW, do not cart-upgrade your 1.X consoles to 7.0 or higher!

    For 4.1-6.3 consoles, you can use either the MSET exploit or the Spider hack to boot GW/CFW.
    But for 7.0-9.2 consoles, you can only use the Spider hack.

    Unfortunately, 1.X has NO browser.
    Cartridge upgrading doesn't build/upgrade the browser either.

    So if a console is 7.0.0-0/1 ~ 9.2.0-0/1 (excluding 8.1.0-0J N3DS), it's unhackable & unfixable.
     
  14. MrJason005

    MrJason005 √2

    Member
    2,152
    1,183
    Nov 26, 2014
    Greece
    Κάπου
    Does ninjhax work on that range?
     
  15. EmceeKerser

    EmceeKerser GBAtemp Maniac

    Member
    1,374
    503
    Jun 3, 2014
    The fuckin' Blue Mountains brah
    No. Ninjhax relies on the browser to work.
     
    Last edited by EmceeKerser, Aug 15, 2015
    MrJason005 likes this.
  16. xdrz
    OP

    xdrz Member

    Newcomer
    45
    3
    Aug 8, 2015
    Hong Kong
    So can I use Cubic Ninja to dump NAND?
    And how can I dump NAND with Cubic Ninja? (Place the GW launcher?)
     
  17. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    GBAtemp Patron
    12,095
    5,167
    Mar 17, 2010
    Norway
    Alola
    You'd have to find a NAND dumper that's made to work with that exploit; I kinda doubt one exists.
    Anyway, in the end your only option for hacking it is to get a game with 4.x on it and update using that.
     
  18. OctopusRift

    OctopusRift GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

    Member
    1,460
    832
    Nov 19, 2014
    Saint Kitts and Nevis
    I love creating memes
     
  19. Xenon Hacks

    Xenon Hacks GBAtemp Guru

    Member
    7,071
    3,384
    Nov 13, 2014
    United States
    @capito27 How can this man dump his NAND, and would it be of any use to you devs?
     
  20. Syphurith

    Syphurith Beginner

    Member
    641
    222
    Mar 8, 2013
    Switzerland
    Xi'an, Shaanxi Province
    (Sorry, these are misleading, because Normmatt tells me he has ways to run an ARM9 payload on 1.x. Still, I would recommend a hard-mod.)
    Please do not think of Cubic Ninja if you want to have your 1.0.0-U NAND dump.
    I don't know any working method for 1.0.0 with MSET; this is really rare, so no software method is currently supported for NAND dumping on such a version.
    Just find yourself a hard-mod guide, or ask for someone to help you with the mod, or even...
    You could ask them if they want the dump first on IRC, so some guys may even tell you who is an expert on modding it.
    With any updates applied, your NAND dump would be of no special use.
    For CN you would need to launch the game first, which would surely update it, also without updating the browser, and that would be above 4.x.
    The only way for you, if you want to get it hacked, is to find yourself a cart with the 4.5 update, so you could use MSET.
    Still, if you think you would like to keep the special NAND dump, do a hard-mod; there aren't any other known ways.

    EDIT: If you've already updated it by yourself, I hope you update it to 4.x in order to be able to hack it.
     
    Last edited by Syphurith, Aug 16, 2015
    Margen67 and V3NUS_M1NER like this.