[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

PLEASE STOP ASK IF THIS METHOD WORKS ON X.X, CURRENTLY IT IS ONLY AVAILABLE BETWEEN 9.0 AND 9.2 (lower firmwares may be supported one day, but, without a new kernel exploit, there is no chances for 9.3+)


NEW 3DS METHOD

Its's very simple.
Launch NTR CFW on a New 3DS.
Enable the debugger.
Connect the debugger with the command : connect('your3dsip', 8000)
And now the magic command UPDATED (may not work on 8.1J) : write(0x10DD28, (0x00, 0x20, 0x08, 0x60, 0x70, 0x47), pid=0x25)
Done !

OLD 3DS METHOD

Download the code.bin
Copy it to the root of your SD card
Launch the web browser
Clear cookies and history
Go to loadcode.projectpokemon.org
Wait for the load bar and the message "failed to load" to disappear
Press Home
Done !

Do you want emuNAND support?
Of course... never.
We have two possibilities for emuNAND support :
-Gateway add support for patching NIM directly in their firmware
-You swap tickets, and install with a CIA.

Credits to yifanlu for the offset and the nop slide.

LIMITATIONS :

It's now stable.
Set your internet connection BEFORE and make sure it's valid.
Access the service you want after you see "finish" in the debugger.
Tested with :
-eShop
-eShop in games (update of Mii Plaza, DLCs, etc.)
-System Transfer (but the source and the target need to have a firmware in the compatiblity list) ---> a whole system transfer has been tested and it work!
-Theme Shop

TROUBLESHOOTING :

Question : The browser method doesn't work. What can I do?
Answer : Install the right version of the browser (see below).

Question : When I select my target 3DS in the System Transfer, it fails! What can I do?
Answer : Install the right version of CARDBROAD on BOTH 3DS (see below).

Compatibility list :

Spoiler

Source : 3.0 <---> Target : 3.0
Source : 4.0-4.5 <---> Target : 4.0-4.5
Source : 5.0-6.3 <---> Target : 5.0-6.3
Source : 7.0-8.1 <---> Target : 7.0-8.1
Source : 9.0-9.5 <---> Target : 9.0-9.5
Source : 9.6-9.7 <---> Target : 9.6-9.7
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

Browser versions :

Spoiler

JAP Title ID : 0004003000008802
NA Title ID : 0004003000009402
EUR Title ID : 0004003000009D02
Firmware : 9.0-9.2 (the only compatible version for the moment) ---> Version : 4096
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

CARDBROAD versions :

Spoiler

JAP Title ID : 0004001000020A00
NA Title ID : 0004001000021A00
EUR Title ID : 0004001000022A00
Firmware : 9.0-9.2 (the only compatible version for the moment) ---> Version : 5130(JAP)/5131(EUR/NA)
REMEMBER THAT THE EXPLOIT TO SPOOF FIRMWARE DOESN'T WORK ON HIGHER FIRMWARES THAN 9.2!

 

Thanks for the feedback.
It's probably a wrong offset. Please dump your NIM process with the following command : data(0x00000000, 0x200000, filename='NIM.bin', pid=your NIM pid), then PM me the NIM.bin that will be created on the SD.

As the server, you can't know the target title hash. So, when patching the URL, you would have to send the title hash via GET to the server, so it can craft a response.

 

No, because 9.0.0-5 is not the same as 9.0.0-6 (if we think about O3DS support). The server doesn't know CVer too, it just know your deviceID, your region and your country.
And we don't know title hash of any update that was not on nintendo servers (New 8.1, for example).
My wish would be a CIA homebrew that compute your local title hash and patch NIM with in the URL your local title hash via GET.
The end user would just have to install the homebrew, launch it and enjoy.

 

They are speaking about O3DS 9.6 emuNAND support, that is already achieved by others...
Anyway, it's off-topic

 

Does someone know how to compute title hash?
Please, we are very near...
IT'S THE LAST THING WE NEED TO ACHIEVE eShop SPOOF!