[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

Discussion in '3DS - Flashcards & Custom Firmwares' started by motezazer, Apr 12, 2015.

Page 1 of 54
  1. motezazer
    OP

    motezazer GBAtemp Maniac

    Member
    1,214
    1,306
    Feb 6, 2015
    France
    PLEASE STOP ASK IF THIS METHOD WORKS ON X.X, CURRENTLY IT IS ONLY AVAILABLE BETWEEN 9.0 AND 9.2 (lower firmwares may be supported one day, but, without a new kernel exploit, there is no chances for 9.3+)


    NEW 3DS METHOD

    Its's very simple.
    Launch NTR CFW on a New 3DS.
    Enable the debugger.
    Connect the debugger with the command : connect('your3dsip', 8000)
    And now the magic command UPDATED (may not work on 8.1J) : write(0x10DD28, (0x00, 0x20, 0x08, 0x60, 0x70, 0x47), pid=0x25)
    Done !

    OLD 3DS METHOD

    Download the code.bin
    Copy it to the root of your SD card
    Launch the web browser
    Clear cookies and history
    Go to loadcode.projectpokemon.org
    Wait for the load bar and the message "failed to load" to disappear
    Press Home
    Done !

    Do you want emuNAND support?
    Of course... never.
    We have two possibilities for emuNAND support :
    -Gateway add support for patching NIM directly in their firmware
    -You swap tickets, and install with a CIA.

    Credits to yifanlu for the offset and the nop slide.

    LIMITATIONS :

    It's now stable.
    Set your internet connection BEFORE and make sure it's valid.
    Access the service you want after you see "finish" in the debugger.
    Tested with :
    -eShop
    -eShop in games (update of Mii Plaza, DLCs, etc.)
    -System Transfer (but the source and the target need to have a firmware in the compatiblity list) ---> a whole system transfer has been tested and it work!
    -Theme Shop

    TROUBLESHOOTING :

    Question : The browser method doesn't work. What can I do?
    Answer : Install the right version of the browser (see below).

    Question : When I select my target 3DS in the System Transfer, it fails! What can I do?
    Answer : Install the right version of CARDBROAD on BOTH 3DS (see below).

    Compatibility list :
    Warning: Spoilers inside!

    Browser versions :
    Warning: Spoilers inside!

    CARDBROAD versions :
    Warning: Spoilers inside!
     

    Attached Files:

    • code.rar
      File size:
      6.5 KB
      Views:
      5,218
    Emenaria, lancealittle, AtlasFontaine and 26 others like this.
    #1 Apr 12, 2015


  2. LinkmstrYT

    LinkmstrYT ( ͡° ͜ʖ ͡°)

    Member
    1,462
    801
    Dec 16, 2013
    United States
    You wanted to see where I live? You stalker...
    >support of 9.6 emuNAND will probably never happen on New 3DS.

    Here we go again.
     
    The9thBit, Herobroski, 2Hack and 5 others like this.
    #2 Apr 12, 2015
  3. Subtle Demise

    Subtle Demise h

    Member
    1,377
    1,429
    Sep 17, 2009
    United States
    Will probably never happen on old3ds either
     
    netovsk likes this.
    #3 Apr 12, 2015
  4. Apache Thunder

    Apache Thunder I have cameras in your head!

    Member
    4,102
    4,033
    Oct 7, 2007
    United States
    Levelland, Texas
    Wrong! rxTools already has emunand working for 9.6 and soon will have homebrew CIA support (with some checks to prevent piracy). Gateway is just slow on old 3DS 9.6 support. They need to give up on trying to get 9.6 working on both n3DS and 3DS at the same time and just get old 3DS support working while they still work on n3DS. But that's off topic here so that's the last I'll mention of that. :P
     
    WhoAmI?, genericuser, Osmosis and 6 others like this.
    #4 Apr 12, 2015
  5. Tjessx

    Tjessx GBAtemp Maniac

    Member
    1,157
    508
    Dec 3, 2014
    Belgium
    rxTools did this after 1 day of the release of 9.6....
     
    WhoAmI?, Dartz150 and Margen67 like this.
    #5 Apr 12, 2015
  6. Subtle Demise

    Subtle Demise h

    Member
    1,377
    1,429
    Sep 17, 2009
    United States
    I know, I'm just talking from a gateway owner's perspective. By the time they release 9.6 for any console, we'll probably be well into the 10s.
     
    #6 Apr 12, 2015
  7. Shadowtrance

    Shadowtrance GBAtemp Addict

    Member
    2,488
    1,517
    May 9, 2014
    Hervey Bay, Queensland
    Well i just tried this out on my n3ds 9.0.0-20 (EUR) and no dice, still says there's a system update available when opening eshop.
     
    genericuser likes this.
    #7 Apr 12, 2015
  8. Oishikatta

    Oishikatta GBAtemp Advanced Fan

    Member
    971
    545
    Oct 30, 2014
    United States
    If this worked, it would be trivial to setup a server that simply reflects the sender's titlehash.

    But I'm fairly certain there is another function that needs to be patched.
     
    Margen67 likes this.
    #8 Apr 12, 2015
  9. motezazer
    OP

    motezazer GBAtemp Maniac

    Member
    1,214
    1,306
    Feb 6, 2015
    France
    Thanks for the feedback.
    It's probably a wrong offset. Please dump your NIM process with the following command : data(0x00000000, 0x200000, filename='NIM.bin', pid=your NIM pid), then PM me the NIM.bin that will be created on the SD.

    As the server, you can't know the target title hash. So, when patching the URL, you would have to send the title hash via GET to the server, so it can craft a response.
     
    #9 Apr 12, 2015
  10. Oishikatta

    Oishikatta GBAtemp Advanced Fan

    Member
    971
    545
    Oct 30, 2014
    United States

    That's probably the simplest, right. For some reason I thought it was sent in the first request.

    But couldn't you still just do...

    Update Check ---> Server responds with invalid title hash
    Version compare --> Server responds with title hash matching requester's CVer

    Assuming the server has a list of title hashes for all the possible requesting versions, which is very limited -- E/U 9.0, 9.2 (cart), 9.2 (web); J 8.1, 9.0, 9.1, 9.2.

    Anyways I can check when my sd card reader gets here.
     
    Margen67 likes this.
    #10 Apr 12, 2015
  11. Ra1d

    Ra1d GBAtemp Maniac

    Member
    1,207
    679
    Jul 31, 2010
    Canada

    Which is what everyone says until gateway releases an actual update.

    Examples :

    Gateway 9.2 will never happen!!
    N3DS update will never happen!!
    9.5 emuNAND on N3DS will never happen!!


    Can we just stop with the conspiracy theories and wait ?
     
    Margen67 likes this.
    #11 Apr 12, 2015
  12. motezazer
    OP

    motezazer GBAtemp Maniac

    Member
    1,214
    1,306
    Feb 6, 2015
    France
    No, because 9.0.0-5 is not the same as 9.0.0-6 (if we think about O3DS support). The server doesn't know CVer too, it just know your deviceID, your region and your country.
    And we don't know title hash of any update that was not on nintendo servers (New 8.1, for example).
    My wish would be a CIA homebrew that compute your local title hash and patch NIM with in the URL your local title hash via GET.
    The end user would just have to install the homebrew, launch it and enjoy.
     
    #12 Apr 12, 2015
  13. Fatalanus

    Fatalanus GBAtemp Advanced Fan

    Member
    586
    210
    Jan 4, 2015
    Romania
    Guys, GW are playing the wait, you should have learnt it...
    The more they wait for the release of their new exploit, the more it'll still be available in the next FW released by the Big N. It's just so easy to understand.
     
    #13 Apr 12, 2015
  14. motezazer
    OP

    motezazer GBAtemp Maniac

    Member
    1,214
    1,306
    Feb 6, 2015
    France
    They are speaking about O3DS 9.6 emuNAND support, that is already achieved by others...
    Anyway, it's off-topic
     
    Margen67 likes this.
    #14 Apr 12, 2015
  15. Fatalanus

    Fatalanus GBAtemp Advanced Fan

    Member
    586
    210
    Jan 4, 2015
    Romania
    yeah, Off topic, you're right.
    Let's hope you'll get something for N3DS with your idea, man. Good luck.
     
    Margen67 likes this.
    #15 Apr 12, 2015
  16. motezazer
    OP

    motezazer GBAtemp Maniac

    Member
    1,214
    1,306
    Feb 6, 2015
    France
    Does someone know how to compute title hash?
    Please, we are very near...
    IT'S THE LAST THING WE NEED TO ACHIEVE eShop SPOOF!
     
    Margen67 likes this.
    #16 Apr 12, 2015
  17. Subtle Demise

    Subtle Demise h

    Member
    1,377
    1,429
    Sep 17, 2009
    United States
    You have to remember that the same thing was done during the ps3 days when cfw wasn't updated as quickly as it is now. Sony had the proxy blocked within a day of a new firmware release.
     
    #17 Apr 12, 2015
  18. Wowfunhappy

    Wowfunhappy GBAtemp Advanced Fan

    Member
    568
    158
    May 14, 2008
    United States
    I know that people HAVE patched NIM to make the eShop work on older firmwares, it's just that no one has made the method public.

    But, in theory, this really should be possible! People have done it. I'm not sure if NTR was used specifically, but I don't see why it couldn't be.
     
    Margen67 likes this.
    #18 Apr 12, 2015
  19. dkabot

    dkabot Better With Others' Systems Than Their Own

    Member
    1,000
    349
    Sep 9, 2014
    United States
    The concept isn't to proxy the shop, but to make the system think it's updated so it will access it.
    ...at least, if I understand their means correctly.
     
    #19 Apr 12, 2015
  20. Wowfunhappy

    Wowfunhappy GBAtemp Advanced Fan

    Member
    568
    158
    May 14, 2008
    United States
    Relevant: http://3dbrew.org/wiki/EShop

    So, the function that needs to be patched isn't necessarily NetUpdateSOAP, but CheckSysupdateAvailableSOAP.

    (Or maybe they're the same thing. Or maybe they both need to be patched. I don't actually know; just thought it was worth mentioning)
     
    Margen67 likes this.
    #20 Apr 12, 2015
Page 1 of 54