[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

motezazer · Apr 12, 2015

PLEASE STOP ASK IF THIS METHOD WORKS ON X.X, CURRENTLY IT IS ONLY AVAILABLE BETWEEN 9.0 AND 9.2 (lower firmwares may be supported one day, but, without a new kernel exploit, there is no chances for 9.3+)

NEW 3DS METHOD

Its's very simple.
Launch NTR CFW on a New 3DS.
Enable the debugger.
Connect the debugger with the command : connect('your3dsip', 8000)
And now the magic command UPDATED (may not work on 8.1J) : write(0x10DD28, (0x00, 0x20, 0x08, 0x60, 0x70, 0x47), pid=0x25)
Done !

OLD 3DS METHOD

Download the code.bin
Copy it to the root of your SD card
Launch the web browser
Clear cookies and history
Go to loadcode.projectpokemon.org
Wait for the load bar and the message "failed to load" to disappear
Press Home
Done !

Do you want emuNAND support?
Of course... never.
We have two possibilities for emuNAND support :
-Gateway add support for patching NIM directly in their firmware
-You swap tickets, and install with a CIA.

Credits to yifanlu for the offset and the nop slide.

LIMITATIONS :

It's now stable.
Set your internet connection BEFORE and make sure it's valid.
Access the service you want after you see "finish" in the debugger.
Tested with :
-eShop
-eShop in games (update of Mii Plaza, DLCs, etc.)
-System Transfer (but the source and the target need to have a firmware in the compatiblity list) ---> a whole system transfer has been tested and it work!
-Theme Shop

TROUBLESHOOTING :

Question : The browser method doesn't work. What can I do?
Answer : Install the right version of the browser (see below).

Question : When I select my target 3DS in the System Transfer, it fails! What can I do?
Answer : Install the right version of CARDBROAD on BOTH 3DS (see below).

Compatibility list :

Warning: Spoilers inside!
Source : 3.0 <---> Target : 3.0
Source : 4.0-4.5 <---> Target : 4.0-4.5
Source : 5.0-6.3 <---> Target : 5.0-6.3
Source : 7.0-8.1 <---> Target : 7.0-8.1
Source : 9.0-9.5 <---> Target : 9.0-9.5
Source : 9.6-9.7 <---> Target : 9.6-9.7
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

Browser versions :

Warning: Spoilers inside!
JAP Title ID : 0004003000008802
NA Title ID : 0004003000009402
EUR Title ID : 0004003000009D02
Firmware : 9.0-9.2 (the only compatible version for the moment) ---> Version : 4096
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

CARDBROAD versions :

Warning: Spoilers inside!
JAP Title ID : 0004001000020A00
NA Title ID : 0004001000021A00
EUR Title ID : 0004001000022A00
Firmware : 9.0-9.2 (the only compatible version for the moment) ---> Version : 5130(JAP)/5131(EUR/NA)
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

LinkmstrYT · Apr 12, 2015

>support of 9.6 emuNAND will probably never happen on New 3DS.

Here we go again.

Subtle Demise · Apr 12, 2015

Will probably never happen on old3ds either

Apache Thunder · Apr 12, 2015

Subtle Demise said: ↑

Will probably never happen on old3ds either
Click to expand...

Wrong! rxTools already has emunand working for 9.6 and soon will have homebrew CIA support (with some checks to prevent piracy). Gateway is just slow on old 3DS 9.6 support. They need to give up on trying to get 9.6 working on both n3DS and 3DS at the same time and just get old 3DS support working while they still work on n3DS. But that's off topic here so that's the last I'll mention of that.

Tjessx · Apr 12, 2015

Subtle Demise said: ↑

Will probably never happen on old3ds either
Click to expand...

rxTools did this after 1 day of the release of 9.6....

Subtle Demise · Apr 12, 2015

Tjessx said: ↑

rxTools did this after 1 day of the release of 9.6....
Click to expand...

I know, I'm just talking from a gateway owner's perspective. By the time they release 9.6 for any console, we'll probably be well into the 10s.

Shadowtrance · Apr 12, 2015

Well i just tried this out on my n3ds 9.0.0-20 (EUR) and no dice, still says there's a system update available when opening eshop.

Oishikatta · Apr 12, 2015

If this worked, it would be trivial to setup a server that simply reflects the sender's titlehash.

But I'm fairly certain there is another function that needs to be patched.

motezazer · Apr 12, 2015

Shadowtrance said: ↑

Well i just tried this out on my n3ds 9.0.0-20 (EUR) and no dice, still says there's a system update available when opening eshop.
Click to expand...

Thanks for the feedback.
It's probably a wrong offset. Please dump your NIM process with the following command : data(0x00000000, 0x200000, filename='NIM.bin', pid=your NIM pid), then PM me the NIM.bin that will be created on the SD.

Oishikatta said: ↑

If this worked, it would be trivial to setup a server that simply reflects the sender's titlehash.

But I'm fairly certain there is another function that needs to be patched.
Click to expand...

As the server, you can't know the target title hash. So, when patching the URL, you would have to send the title hash via GET to the server, so it can craft a response.

Oishikatta · Apr 12, 2015

motezazer said: ↑

As the server, you can't know the target title hash. So, when patching the URL, you would have to send the title hash via GET to the server, so it can craft a response.
Click to expand...

That's probably the simplest, right. For some reason I thought it was sent in the first request.

But couldn't you still just do...

Update Check ---> Server responds with invalid title hash
Version compare --> Server responds with title hash matching requester's CVer

Assuming the server has a list of title hashes for all the possible requesting versions, which is very limited -- E/U 9.0, 9.2 (cart), 9.2 (web); J 8.1, 9.0, 9.1, 9.2.

Anyways I can check when my sd card reader gets here.

Ra1d · Apr 12, 2015

Subtle Demise said: ↑

I know, I'm just talking from a gateway owner's perspective. By the time they release 9.6 for any console, we'll probably be well into the 10s.
Click to expand...

Which is what everyone says until gateway releases an actual update.

Examples :

Gateway 9.2 will never happen!!
N3DS update will never happen!!
9.5 emuNAND on N3DS will never happen!!

Can we just stop with the conspiracy theories and wait ?

motezazer · Apr 12, 2015

Oishikatta said: ↑

That's probably the simplest, right. For some reason I thought it was sent in the first request.

But couldn't you still just do...

Update Check ---> Server responds with invalid title hash
Version compare --> Server responds with title hash matching requester's CVer

Assuming the server has a list of title hashes for all the possible requesting versions, which is very limited -- E/U 9.0, 9.2 (cart), 9.2 (web); J 8.1, 9.0, 9.1, 9.2.

Anyways I can check when my sd card reader gets here.
Click to expand...

No, because 9.0.0-5 is not the same as 9.0.0-6 (if we think about O3DS support). The server doesn't know CVer too, it just know your deviceID, your region and your country.
And we don't know title hash of any update that was not on nintendo servers (New 8.1, for example).
My wish would be a CIA homebrew that compute your local title hash and patch NIM with in the URL your local title hash via GET.
The end user would just have to install the homebrew, launch it and enjoy.

Fatalanus · Apr 12, 2015

Guys, GW are playing the wait, you should have learnt it...
The more they wait for the release of their new exploit, the more it'll still be available in the next FW released by the Big N. It's just so easy to understand.

motezazer · Apr 12, 2015

Fatalanus said: ↑

Guys, GW are playing the wait, you should have learnt it...
The more they wait for the release of their new exploit, the more it'll still be available in the next FW released by the Big N. It's just so easy to understand.
Click to expand...

They are speaking about O3DS 9.6 emuNAND support, that is already achieved by others...
Anyway, it's off-topic

Fatalanus · Apr 12, 2015

yeah, Off topic, you're right.
Let's hope you'll get something for N3DS with your idea, man. Good luck.

motezazer · Apr 12, 2015

Does someone know how to compute title hash?
Please, we are very near...
IT'S THE LAST THING WE NEED TO ACHIEVE eShop SPOOF!

Subtle Demise · Apr 12, 2015

You have to remember that the same thing was done during the ps3 days when cfw wasn't updated as quickly as it is now. Sony had the proxy blocked within a day of a new firmware release.

Wowfunhappy · Apr 12, 2015

I know that people HAVE patched NIM to make the eShop work on older firmwares, it's just that no one has made the method public.

But, in theory, this really should be possible! People have done it. I'm not sure if NTR was used specifically, but I don't see why it couldn't be.

dkabot · Apr 12, 2015

Subtle Demise said: ↑

You have to remember that the same thing was done during the ps3 days when cfw wasn't updated as quickly as it is now. Sony had the proxy blocked within a day of a new firmware release.
Click to expand...

The concept isn't to proxy the shop, but to make the system think it's updated so it will access it.
...at least, if I understand their means correctly.

Wowfunhappy · Apr 12, 2015

Relevant: http://3dbrew.org/wiki/EShop

While eShop is loading, eShop will use command NIMS:CheckSysupdateAvailableSOAP. If a system update is available where title installation for system titles still needs finalized (or when the updated titles were not downloaded at all), eShop will then display the "system update is available" message.
Click to expand...

So, the function that needs to be patched isn't necessarily NetUpdateSOAP, but CheckSysupdateAvailableSOAP.

(Or maybe they're the same thing. Or maybe they both need to be patched. I don't actually know; just thought it was worth mentioning)

Log in or Sign up

[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

motezazer GBAtemp Maniac

Attached Files:

code.rar

LinkmstrYT ( ͡° ͜ʖ ͡°)

Subtle Demise h

Apache Thunder I have cameras in your head!

Tjessx GBAtemp Maniac

Subtle Demise h

Shadowtrance GBAtemp Addict

Oishikatta GBAtemp Advanced Fan

motezazer GBAtemp Maniac

Oishikatta GBAtemp Advanced Fan

Ra1d GBAtemp Maniac

motezazer GBAtemp Maniac

Fatalanus GBAtemp Advanced Fan

motezazer GBAtemp Maniac

Fatalanus GBAtemp Advanced Fan

motezazer GBAtemp Maniac

Subtle Demise h

Wowfunhappy GBAtemp Advanced Fan

dkabot Better With Others' Systems Than Their Own

Wowfunhappy GBAtemp Advanced Fan

Question Is there a firmware spoofer to access eShop?

Is there a way to spoof the vita firmware so that I can access the PSN store?

Can I use firmware spoof to access eShop on 6.3?

Is really QQ3DS working on spoof firmware to access eshop on 3ds 9.1?

Can Gateway firmware spoofing let me access the eShop?

E3 2019 Live Show Floor Coverage - Day 2

TurboGrafx-16 mini announced

Nintendo confirms online play with friends for Super Mario Maker 2

E3 2019 Live Show Floor Coverage

Spine, a new PS4 emulator, can already run two commercial games

Nintendo E3 2019 Press Conference live coverage

Useful Searches

[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

Share This Page

motezazer GBAtemp Maniac

Attached Files:

LinkmstrYT ( ͡° ͜ʖ ͡°)

Subtle Demise h

Apache Thunder I have cameras in your head!

Tjessx GBAtemp Maniac

Subtle Demise h

Shadowtrance GBAtemp Addict

Oishikatta GBAtemp Advanced Fan

motezazer GBAtemp Maniac

Oishikatta GBAtemp Advanced Fan

Ra1d GBAtemp Maniac

motezazer GBAtemp Maniac

Fatalanus GBAtemp Advanced Fan

motezazer GBAtemp Maniac

Fatalanus GBAtemp Advanced Fan

motezazer GBAtemp Maniac

Subtle Demise h

Wowfunhappy GBAtemp Advanced Fan

dkabot Better With Others' Systems Than Their Own

Wowfunhappy GBAtemp Advanced Fan

Question Is there a firmware spoofer to access eShop?