Hacking Nand Dump - Downgrader / File Changer

[Super.Nova]

At the risk or sounding stupid, how exactly can you people connect a 3DS to a computer???
I've noticed he did so via the SD card reader but where do I get one of these (just wondering) and how exactly does a unit appear as?

 

[how_do_i_do_that]

At the risk or sounding stupid, how exactly can you people connect a 3DS to a computer???
I've noticed he did so via the SD card reader but where do I get one of these (just wondering) and how exactly does a unit appear as?

3DSXL/LL: http://gbatemp.net/threads/nand-flash-dump-3ds-xl.350668/
3DS: http://gbatemp.net/threads/nand-flash-dump-3ds.353263/

 

[mr. fancypants]

do u have succeeded?

 

[profi200]

My guess is, that he corrupts some data with the format and then he restores 1 MB. The most of the data after 1 MB are untouched, if it is a quick format, so this have nothing to do with a real downgrade without a NAND image. If he can bypass the console unique encryption with that, then i eat my pants.

 

[Vengenceonu]

My guess is, that he corrupts some data with the format and then he restores 1 MB. The most of the data after 1 MB are untouched, if it is a quick format, so this have nothing to do with a real downgrade without a NAND image. If he can bypass the console unique encryption with that, then i eat my pants.

ill hold you to that

 

[Lucard]

My idea is that we split the nand in more parts and recover it back to one file...
Then we flash the nand back to the n3ds

It goes with the program : DFileSplitter



Its working / for example
i can delet download games and recover it back!

but it hacks at the system data...






what I have found:


The Systemdata is from file 150mb - 500mb - we can not replace it with different nand files!
Files before and after we can edit and replace - we can replace it with different nand files!
With this method i can delet and recover games what i buy at the store.




We format the nand quick with NTFS:

- Split the nand from Original in 1mb files and recovery the 1mb file - WORKS but Error in systemsettings




We format the nand complete:
Not quick format!


- We can split the NAND in a 500mb file and flash it back
It Works the 3ds launch - play games working - errors in the Camera and?

- We have the Original nand from 6.3 and a different nand from 4.4
- We split the nand from the two and we can replace in the 6.3 nand the first 150mb with the 4.4 nand - its Working no errors





I have hard work to find out.
i think that this is though a big move in towards.

I post it in my first post and edit it when we find more and i hope you all help
Thanks

 

[shattacrew]

Hmmm... interesting indeed. What if you try this with a 4.1 filesystem. Then use a cartridge to upgrade legit to 4.5. Chances are it would load the files properly and the system should be good.

 

[vini9157]

- We have the Original nand from 6.3 and a different nand from 4.4
- We split the nand from the two and we can replace in the 6.3 nand the first 150mb with the 4.4 nand - its Working no errors

So u did the downgrade and it worked, even with different 3ds nands.

Can someone with a modded 3ds try this too?

 

[Yepi69]

Sounds fake.

 

[how_do_i_do_that]

It is not fake, it is just theorycraft by a nontech with too many bad assumptions.

 

[Oxybelis]

We format the nand quick with NTFS:

Nice one.

 

[Cyan]

I'm surprised this went only two pages long in two days.
Usually theory threads are full of flames and trolls in no time, the users don't care anymore now that they can play with gateway?


The NAND is encrypted and I don't think you can mix NAND dump with different encryption keys.
even with the same NAND dump/encryption, you don't know where files are stored on the NAND so you can't replace what you want. splitting the dump in 1Mb chunks and replacing only one chunk will swap only part of a single file.
At best the replaced/swapped file is not used or loaded and the console doesn't check full NAND integrity on boot (maybe it's decrypting the NAND by blocks), at worst you corrupt some files required in boot process.

It's not a file changer, but a blind dump mixer. it will only ends as corrupted system unless you can decrypt, browse and change NAND's content on computer, re-encrypt it and restore it back on console.
You try to find different size where to split/restore your dump, but your size will not match other user's position.

I'm curious at what you can find by swapping raw NAND dump parts so I'll keep it open for the moment, but I'll close this thread if it become troll fest.

 

[Lucard]

I'm surprised this went only two pages long in two days.
Usually theory threads are full of flames and trolls in no time, the users don't care anymore now that they can play with gateway?


The NAND is encrypted and I don't think you can mix NAND dump with different encryption keys.
even with the same NAND dump/encryption, you don't know where files are stored on the NAND so you can't replace what you want. splitting the dump in 1Mb chunks and replacing only one chunk will swap only part of a single file.
At best the replaced/swapped file is not used or loaded and the console doesn't check full NAND integrity on boot (maybe it's decrypting the NAND by blocks), at worst you corrupt some files required in boot process.

It's not a file changer, but a blind dump mixer. it will only ends as corrupted system unless you can decrypt, browse and change NAND's content on computer, re-encrypt it and restore it back on console.
You try to find different size where to split/restore your dump, but your size will not match other user's position.

I'm curious at what you can find by swapping NAND parts so I'll keep it open for the moment, but I'll close this thread if it become troll fest.

Im not a troll..
The data with the 1mb file is only an example which is possible..




The interessting is this:

what I have found:


The Systemdata is from file 150mb - 500mb - we can not replace it with different nand files!
Files before and after we can edit and replace - we can replace it with different nand files!
With this method i can delet and recover games what i buy at the store.



Yes i don't know where files are stored on the NAND but i know where the system data.
And with try i found my 2 download games on the first 150mb that i can replay it and works with no problems.

I can replace the data before and after with a diferent users NAND from version 4.4 or 3.6 with no problems
I think the problem is that systemdata on the nand dont the samelocation! Found we it with a Hex and replace it corectly it boot eventual.


my method may perhaps not be the best ...
but that these works shows but at least I can delete games and play back.

I never said that it works.
it's just my theory is driven by the what i have found.

 

[Cyan]

I didn't call "you" a troll. The trolls are other users who bash what you explain. I was just surprise that not a lot of users came here only to tell you that you were wrong and that it was fake etc.

Can you "add" a game from another dump that wasn't there on the original dump and launch that game? I doubt it would work.

I don't know how you can find the "system data" start and end position and replace it with a hex editor as it's encrypted. encryption doesn't keep sectors position, it's encrypted by size block not sector by sector.
to replace a dump chunk that will be correctly decrypted you need to split it at the exact encryption block size, and an encryption block can contains different files which could replace wrong/partial data from adjacent sectors.

 

[TheBlueSky]

snip

I am trying to understand you but it's difficult. If English is not your native language, could you please summarize it in your native language. Maybe Spanish?


Edit: It's okay, I re-read it a few times and understood your theory.

 

[obcd]

It's a common practice for embedded devices to split their eMMC into several areas (usually also called partitions.)
There usually is a boot partition that never is touched. The idea is that the device only needs that one to run some code that can place a new firmware on the firmware partition of the device. Finally, there are one or more user partitions that contain the user data like downloaded stuff and gamesaves. Altough Ninty always advices not to turn the unit off during saves, the option exists that such a situation happens and corrupts the user area. I assume this is basically what is done here. The user partition is corrupted by fast or full ntfs formatting it's area. After this, downloaded stuff and gamesaves are no longer seen, but the unit still starts up.
It's interesting to hear that the user area likely can be transferred from the nand image of firmware x to the nand image of firmware y. Due to the console specific encryption of the nand, those 2 likely need to come from the same console.

All I am writing here are mind passing theories that might make sense from a technical point of view. Feel free to interact upon it, but only with some technical supported arguments.

These findings could mean that we only need to backup and hopefully restore the firmware part of our eMMC nand to change from one firmware to another. This would make that proces faster.

 

[Lucard]

I didn't call "you" a troll. The trolls are other users who bash what you explain. I was just surprise that not a lot of users came here only to tell you that you were wrong and that it was fake etc.

Can you "add" a game from another dump that wasn't there on the original dump and launch that game? I doubt it would work.

I don't know how you can find the "system data" start and end position and replace it with a hex editor as it's encrypted. encryption doesn't keep sectors position, it's encrypted by size block not sector by sector.
to replace a dump chunk that will be correctly decrypted you need to split it at the exact encryption block size, and an encryption block can contains different files which could replace wrong/partial data from adjacent sectors.

Okay Sorry
my English is not the best. But i do my best.

Can you "add" a game from another dump that wasn't there on the original dump and launch that game? I doubt it would work.
I do not know... i dont have two 3ds to test it.
But i can from a difficult nand from a user here (with no game and nand are from a format system - and nand is 4.4 or 6.3)
replace the first 150mb and the games are delet and when i recover the 150mb from original nand the games are back.

and the systems are work with no problems.

the most important data to boot is on file 150mb - 500mb.
Files before and after are the download games, Channels ...

 

[TheBlueSky]

As you posted a video before, you already have the setup. Could you demonstrate your findings in a video?

 

[Lucard]

As you posted a video before, you already have the setup. Could you demonstrate your findings in a video?

Have edit post one with the video

 

[bandicoot37]

I'm trying some thing in same way just for fun this dump are from my console
1 dump 4.4 with gateway patch apply
1 dump 6.3 without gateway patch apply
i cut my two dump in 150 mb files and swap files finally just the second part of 150mb in a 4.4 firm is need to have gateway expoit on a 6.3 firmw ( but after you can't launch the gateway blue card and your console says 4.4 )
Trying launching Monster Hunter 4 same result black screen
In conclusion the second part of 150 of a dump and a little more are for system