[How-to] Spoof firmware (to access eShop and more) on New 3DS and Old 3DS

dkabot

Better With Others' Systems Than Their Own
Member
If someone knows how NIM knows that the title hash isn't the latest one, we could achieve eShop spoofing!
Now, I have no knowledge here either, but some quick looking says...
NIM has a GetSystemTitleHash, which might be what we want, if we can find where the hash is?
The hash should be the same for any given version, provided the region matches the system, thus we might be able to search for where our own hash is stored and work from there?
The updater exits if its given title hash is the latest patching. Thus, if we patch the title hash we may not need to patch update servers?

...of course, this may very well be the simplest basics ever, but so far all that's been discussed is checking for updates, so tossing this out there.
 

motezazer

Well-Known Member
OP
Member
Now, I have no knowledge here either, but some quick looking says...
NIM has a GetSystemTitleHash, which might be what we want, if we can find where the hash is?
The hash should be the same for any given version, provided the region matches the system, thus we might be able to search for where our own hash is stored and work from there?
The updater exits if its given title hash is the latest patching. Thus, if we patch the title hash we may not need to patch update servers?

...of course, this may very well be the simplest basics ever, but so far all that's been discussed is checking for updates, so tossing this out there.
...I missed that.
However, this function is used to compute the current title hash of the system.
When I fake Nintendo's servers and I send the latest title hash available on NUS, eShop says an update is available.
When I send another title hash, whatever title hash is sent, it says error 007-2999.
So it somehow knows that the title hash isn't the latest one. But how? I don't know.
 

dkabot

Better With Others' Systems Than Their Own
Member
...I missed that.
However, this function is used to compute the current title hash of the system.
When I fake Nintendo's servers and I send the latest title hash available on NUS, eShop says an update is available.
When I send another title hash, whatever title hash is sent, it says error 007-2999.
So it somehow knows that the title hash isn't the latest one. But how? I don't know.

"Send" is vague, I don't know what direction that is.
From what I read, the hash and the server need to match for it to exit the update process.
So you need to find how to patch the latest hash into a 3DS, and not fake the update servers (for now, since NUS is on the latest version).

If you make your fake server and put the latest hash on it, the system will try to continue to update.
If you patch your system to have the latest hash in memory, but keep it on your fake 9.2 server, the system will try to continue to update.
 

motezazer

Well-Known Member
OP
Member
"Send" is vague, I don't know what direction that is.
From what I read, the hash and the server need to match for it to exit the update process.
So you need to find how to patch the latest hash into a 3DS, and not fake the update servers (for now, since NUS is on the latest version).

If you make your fake server and put the latest hash on it, the system will try to continue to update.
If you patch your system to have the latest hash in memory, but keep it on your fake 9.2 server, the system will try to continue to update.

You misunderstood.
What I did was put the same title hash in my fake server as in my 3DS.
And the update procedure tells me that I'm up-to-date.
BUT eShop, System Transfer, etc. know that the title hash I faked isn't the latest one.
How? I don't know.
 

dkabot

Better With Others' Systems Than Their Own
Member
You misunderstood.
What I did was put the same title hash in my fake server as in my 3DS.
And the update procedure tells me that I'm up-to-date.
BUT eShop, System Transfer, etc. know that the title hash I faked isn't the latest one.
How? I don't know.

Perhaps the other services check by their own means? Completely unsure there.
I'd try using the latest title hash (on the update report page, on the bottom of the Report page for that update for that region) and checking what happens there.

If other applications are aware that your hash isn't the latest, try feeding them the latest. At least, that's all I got for guessing at the moment.
 

motezazer

Well-Known Member
OP
Member
Perhaps the other services check by their own means? Completely unsure there.
I'd try using the latest title hash (on the update report page, on the bottom of the Report page for that update for that region) and checking what happens there.

If other applications are aware that your hash isn't the latest, try feeding them the latest. At least, that's all I got for guessing at the moment.

If I feed them the latest, of course they know the system is not up-to-date.
The only easy solution I see is patch the function GetSystemTitleHash to always reply the latest title hash. It should work.
 

dkabot

Better With Others' Systems Than Their Own
Member
The only easy solution I see is patch the function GetSystemTitleHash to always reply the latest title hash. It should work.

That's what I'm hoping for.
If that does the trick, you might not even need to patch in a fake update server.
 

alkar

Well-Known Member
Member
An easy way to trick the eShop would be to be able to edit the version sent to the server via a proxy (like Charles Proxy).
Sadly it's more than likely using SSL, so you'd need to push the Charles certificate into the 3DS itself.
I bet the console file system has Nintendo certificates somewhere that we could replace (or, if they are smart, hidden in a binary), probably in the NAND.
If so, then we can just replace it and sniff 3DS traffic in real time; then it's really easy to spoof the version.
 

motezazer

Well-Known Member
OP
Member
An easy way to trick the eShop would be to be able to edit the version sent to the server via a proxy (like Charles Proxy).
Sadly it's more than likely using SSL, so you'd need to push the Charles certificate into the 3DS itself.
I bet the console file system has Nintendo certificates somewhere that we could replace (or, if they are smart, hidden in a binary), probably in the NAND.
If so, then we can just replace it and sniff 3DS traffic in real time; then it's really easy to spoof the version.

If we replace the cert, eShop won't work (how would it communicate with Nintendo's server to check the status of your account if the cert it sends is not signed by your cert?)
 

motezazer

Well-Known Member
OP
Member

Wowfunhappy

Well-Known Member
Member
EDIT: These offsets were for 9.2 USA and I tried with an EU 9.0; it might be the problem.
But at least three offsets (of four) are good.

Can you give me the exact commands you put into NTR? Fairly sure I know what the last three are (essentially the same as what you use to patch the updater) but not sure about the first.
 

drfsupercenter

Flash Cart Aficionado
Member
Somewhat related question: Has anyone made .cia files of the eShop firmware? As in, the difference between 4.5.0-9U and 4.5.0-10U? The part after the dash. I wonder what would happen if you installed the newest online update but still had, for example, 9.2.0.
 

dkabot

Better With Others' Systems Than Their Own
Member
Somewhat related question: Has anyone made .cia files of the eShop firmware? As in, the difference between 4.5.0-9U and 4.5.0-10U? The part after the dash. I wonder what would happen if you installed the newest online update but still had, for example, 9.2.0.
If I recall, that would be the browser version.
In any case, if you install a part manually your title hash still doesn't match, thus it tries to update.

If you mean actually updating the eShop title, look earlier; the 9.6 one requires 9.6 NAIVE_FIRM.
 

drfsupercenter

Flash Cart Aficionado
Member
If I recall, that would be the browser version.
In any case, if you install a part manually your title hash still doesn't match, thus it tries to update.

If you mean actually updating the eShop title, look earlier; the 9.6 one requires 9.6 NAIVE_FIRM.

It's ONLY the browser, not the eShop too? In that case it would be somewhat amusing to install the newest browser version to my N3DSXL which is on 9.2, since they finally added the Breakout easter egg to international consoles :P

So again, is it possible to make a .cia that only installs that portion of the firmware, and if so, how?
 

dkabot

Better With Others' Systems Than Their Own
Member
THE command, to access eShop, System transfer, etc. on a lower firmware than the latest one (must be the only write command used!) : write(0x10DD28, (0x00, 0x20, 0x70, 0x47), pid=0x25)
I beg someone to convert this command to a CIA homebrew.

Damn, YifanLu just gets all the things done!
 
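What the NTR write command quoted above actually does, and how motezazer's earlier idea of patching a function to always return a fixed answer is realised in practice, is easy to see from the four bytes: 00 20 70 47 are two little-endian 16-bit Thumb instructions, "movs r0, #0" followed by "bx lr". Written over the first halfwords of a function, they make whatever lives at that address return 0 to its caller immediately. The script below is an added example (not NTR's code and not from any post in this thread) that builds such a stub from the instruction encodings, applies it to a constructed in-memory image, and decodes the patched bytes so a patch can be checked before it is written to a live console. The address 0x10DD28 and pid 0x25 are the values from the post; which process pid 0x25 is, and what the caller makes of the returned 0, this thread does not say. The 64-byte image and its base address are made up for the demonstration.

```python
"""Added example: build, apply and verify a Thumb 'return constant' stub.

The thread's command  write(0x10DD28, (0x00, 0x20, 0x70, 0x47), pid=0x25)
writes these two halfwords (little-endian in memory):
  00 20 -> 0x2000  movs r0, #0
  70 47 -> 0x4770  bx   lr
Nothing here talks to a console; the memory image is a constructed bytearray.
"""
import struct

LR = 14  # register number of lr (r14)


def thumb_movs_imm8(rd: int, imm8: int) -> int:
    """Encode MOVS Rd, #imm8 (16-bit Thumb): 001 00 ddd iiiiiiii."""
    if not 0 <= rd <= 7 or not 0 <= imm8 <= 0xFF:
        raise ValueError("rd must be r0-r7 and imm8 must fit in 8 bits")
    return 0x2000 | (rd << 8) | imm8


def thumb_bx(rm: int) -> int:
    """Encode BX Rm (16-bit Thumb): 010001 11 0 mmmm 000."""
    if not 0 <= rm <= 15:
        raise ValueError("rm must be r0-r15")
    return 0x4700 | (rm << 3)


def return_constant_stub(value: int) -> bytes:
    """Bytes for 'movs r0, #value; bx lr' as they appear in memory."""
    return struct.pack("<HH", thumb_movs_imm8(0, value), thumb_bx(LR))


def decode_thumb16(halfword: int) -> str:
    """Minimal decoder for the two instruction forms used here."""
    if halfword & 0xF800 == 0x2000:
        return f"movs r{(halfword >> 8) & 7}, #{halfword & 0xFF}"
    if halfword & 0xFF87 == 0x4700:
        rm = (halfword >> 3) & 0xF
        return "bx lr" if rm == LR else f"bx r{rm}"
    return "??"


def apply_patch(image: bytearray, addr: int, base: int, patch: bytes) -> bytearray:
    """Overwrite bytes at virtual address addr in an image mapped at base."""
    if addr & 1:
        raise ValueError("Thumb code must be halfword aligned")
    off = addr - base
    if off < 0 or off + len(patch) > len(image):
        raise ValueError("patch does not fit inside the image")
    image[off:off + len(patch)] = patch
    return image


def disasm(image: bytearray, addr: int, base: int, count: int) -> list:
    """Decode `count` halfwords starting at addr."""
    off = addr - base
    raw = bytes(image[off:off + 2 * count])
    return [decode_thumb16(h) for (h,) in struct.iter_unpack("<H", raw)]


# Values taken from the post; the image around them is constructed.
FUNC = 0x10DD28
POST_PATCH = bytes((0x00, 0x20, 0x70, 0x47))
BASE = 0x10DD00            # assumed start of the fake 64-byte region


def demo() -> list:
    """Build the stub, check it matches the post, patch and decode it."""
    stub = return_constant_stub(0)
    assert stub == POST_PATCH, "stub bytes differ from the post's bytes"
    image = bytearray(b"\xff" * 64)      # constructed filler, not real code
    apply_patch(image, FUNC, BASE, stub)
    return disasm(image, FUNC, BASE, 2)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The decoder is deliberately narrow: it only recognises the two encodings the stub uses and prints "??" for anything else, which is enough to confirm that the bytes you are about to write are the stub you intended and not a typo landing mid-instruction.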
