NAND Flash Dump (3DS)

Discussion in '3DS - Console, Accessories and Hardware' started by mordos79, Aug 20, 2013.

  1. mordos79
    OP

    mordos79 Member

    Newcomer
    12
    20
    Aug 13, 2013
    Serbia, Republic of
    OK.
    There is the same topic but for the XL model, and my message in it looks off topic,
    so I decided to make this thread (close or delete it if you decide that I'm wrong).

    some info from http://www.ps3-tools.de/board.php?boardid=125&sid=f738ea48e958398fedc8478e2df593b2

    Points needed for the dump (for CLK you need to desolder 3 legs of the card reader and carefully bend it to reach the point).
    For GND, use one point you like.
    [​IMG]

    point CLK (card reader removed for better view)
    [​IMG]


    or use the alternative CLK from the other side of the MB
    [​IMG]

    points on sd card
    [​IMG]

    Don't plug it into the PC; turn on the 3DS - the screen must display a blue screen with an error message
    BOOTROM 8046
    ERRCODE: 00F800FE
    00000000 00000000
    00000002 00000000

    Now plug it into the PC.
    Windows recognizes the drive and offers to format it (press NO; maybe only Win7 asks to format), just remember the drive letter.

    Use the program win32diskimager, choose the drive letter that the 3DS uses and choose a location and file name for the dump. Press the READ button.
    Read several dumps and compare them in hex editors or other programs that show the MD5 hash. It must be the same in all files.

    Remember all points are very small (CLK for example); use flux for good soldering (any shorts and the 3DS doesn't boot).

    If you plan to write to NAND, optionally use the SAFE EJECT option in Windows after the write.
     


  2. mordos79
    OP

    mordos79 Member

    Newcomer
    12
    20
    Aug 13, 2013
    Serbia, Republic of
    And now my findings.

    I just saw an interesting thing: I have 2 3DS, and both dump and both write with success,
    but the size of the dump is different: 965 632 kb and 976 896 kb,

    and the empty space in NAND is filled with 00 in one file (976 896 kb) and with FF in the second (965 632 kb).







    Can someone with a standard USA 3DS make a 6.2 NAND dump (without user info etc... format the NAND before the dump, SD card not inserted) and share it for comparison?
    I think my NANDs are not the same in every block because of the different size of the NAND.

    Goal: try to find unique info in the dump.

    Another little finding:
    with the small file (965 632 kb) I made 2 dumps on 6.2 firmware, one with user info and one with formatted NAND.
    In this file the user info in NAND is located here:
    start 0E361000
    end 0E361FFF

    and several more blocks.
    I need time to research.
     
    nero99, Margen67, titegtnodI and 3 others like this.
  3. linuxares

    linuxares GBAtemp Psycho!

    Member
    3,160
    1,294
    Aug 5, 2007
    Lovely work! Looking forward to following this thread :grog:
     
    Margen67 likes this.
  4. williamcesar2

    williamcesar2 GBAtemp Advanced Fan

    Member
    673
    328
    Jun 21, 2013
    United States
    New York City
    Very good thread!
     
    Margen67 likes this.
  5. Gonzo

    Gonzo Member

    Newcomer
    31
    28
    Aug 4, 2013
    Gambia, The
    My European 3DS dump has a size of 976.896 kByte (1.000.341.504 Bytes) and this size was reported from others as well. Also it was mentioned on 3dBrew that the unused areas in NAND can either be 0x00 or 0xFF.

    This is interesting. That means that the user settings are located in the CTR-NAND FAT16 File System.

    But I suggest to not post any dumps or part of dumps to the public - it is restricted content.
     
    Margen67 likes this.
  6. mordos79
    OP

    mordos79 Member

    Newcomer
    12
    20
    Aug 13, 2013
    Serbia, Republic of
    If someone has a dump for me to compare (USA 6.2, w/o user info),
    please PM me a link (I promise not to publish it or part of it to the public).
    With WinRAR or zip the dump size is about 300mb.
     
    Margen67 likes this.
  7. mordos79
    OP

    mordos79 Member

    Newcomer
    12
    20
    Aug 13, 2013
    Serbia, Republic of
    I understand that maybe I'm doing monkey business, but I have some time and some interest. Maybe someone will find useful info.
    My future research:
    1. find all data blocks in one 3DS with different firmware (long process)
    2. start to compare and mark blocks that have differences

    first step
    * region - USA
    * firmware - 6.2
    * file size - 976.896 kByte (1.000.341.504 Bytes)
    * no user info and settings (in 3ds first launch screen)

    In progress: about 112 000 pages out of 448 000 pages (remember, maybe I made mistakes!!!)

    data block locations
    0 - 1f0
    12e00 - 44dff
    240000 - 250bff
    254000 - 2545ff
    258000 - 2c5bbf
    2c8000 - 2d8bff
    2dc000 - 2dd3ff
    2e0000 - 32f3ef
    330000 - 33cbff
    340000 - 3405ff
    344000 - 345b4f
    348000 - 349b4f
    34c000 - 358bff
    35c000 - 35c5ff
    360000 - 4ecfff
    4f0000 - 5c2dff
    5c4000 - 5c4026
    5c8000 - 5c8027
    5cc000 - 5cc027
    5d0000 - 5d0027
    5d4000 - 712bff
    714000 - 7145ff
    718000 - 774027

    9011A01 - 902DF5F

    B130000 - B218FFF
    B530000 - B618FFF
    B9301BE - B9301FF
    B95CA00 - B9C445B
    B9C4600 - B9C4707
    B9C4801 - B9C4A5F
    B9C4C00 - B9C4DFF
    B9C7400 - B9C83FF
    B9CC000 - B9CC32A
    B9CC430 - B9CC65A
    B9CC800 - B9CEC0F
    B9CEE01 - B9CEFFF
    B9D0000 - B9D01FF
    B9D0400 - B9D05FF
    B9D0A00 - B9D0BFF
    B9E0C00 - B9E15FF
    B9E5401 - B9E57FF
    B9EAC02 - B9ECBFF
    BAEB000 - BAEE1FF
    BAEE400 - BAF0BFF
    BAF1200 - BAF13FE
    BAF1C02 - BAF1FFF
    BAF2200 - BAF31FF
    BAF4600 - BAF4FFF
    BB34600 - BB35FFF
    BB8CC00 - BB96FFF

    CB8D200 - CB8D3FE
    CB8E400 - CB8E5FE
    CB8E800 - CB8E9FD
    CB8EE00 - CB8EFFE
    CB9F001 - CB9F9FF
    CBA3800 - CBA3BFF
    CBA9000 - CBAAFFF
    CCA9400 - CCB15FE
    CCB2A01 - CCB33FF
    CCF2A01 - CCF43FF
    CD4B000 - CD683FF

    DD4C000 - DD4C45B
    DD4C600 - DD4C707
    DD4C800 - DD4C99F
    DD4CA00 - DD4CDFF
    DD4D000 - DD4D5FF
    DD4E200 - DD4EBFF
    DD4F000 - DD4F5FE
    DD50000 - DD515FF
    DD55A00 - DD58FFF
    DD65A00 - DD65FFF
    DD66200 - DD667FF
    DD67400 - DD67DFF
    DD68200 - DD687FF
    DD69200 - DD6A7FF
    DD6EC02 - DD721FF
    DD80000 - DD8045B
    DD80600 - DD80707
    DD80800 - DD80A3F
    DD80C01 - DD811FF
    DD81A00 - DD81FFF
     
    Margen67 likes this.
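
The block map in the post above can also be produced mechanically. As an added example (not code from the thread), this sketch scans a dump in 512-byte sectors, labels each as 0x00 fill, 0xFF fill or data, and merges neighbours into ranges, so two dumps whose empty space differs (00 versus FF) can be compared by their data ranges alone. The sector granularity, function names and sample image are assumptions constructed for illustration; the hand-made list in the post is byte-granular.

```python
import io

SECTOR = 0x200  # 512-byte sectors (assumed scan granularity)

def classify(sector):
    """Label a sector as 0x00 fill, 0xFF fill, or data."""
    for name, byte in (("00", 0x00), ("FF", 0xFF)):
        if sector.count(byte) == len(sector):
            return name
    return "data"

def map_extents(stream, sector=SECTOR):
    """Return [(start, end_inclusive, kind)], merging adjacent same-kind sectors."""
    extents, offset = [], 0
    while True:
        chunk = stream.read(sector)
        if not chunk:
            break
        kind, end = classify(chunk), offset + len(chunk) - 1
        if extents and extents[-1][2] == kind:
            extents[-1] = (extents[-1][0], end, kind)
        else:
            extents.append((offset, end, kind))
        offset += len(chunk)
    return extents

def data_extents(stream, sector=SECTOR):
    """Only the ranges that hold data, whatever byte the empty space uses."""
    return [(s, e) for s, e, k in map_extents(stream, sector) if k == "data"]

def build_sample(fill):
    """Constructed 8-sector image: data in sectors 0 and 4-5, rest is `fill`."""
    img = bytearray([fill]) * (8 * SECTOR)
    img[0x100:0x104] = b"DATA"  # made-up marker, not a real header
    img[4 * SECTOR:6 * SECTOR] = bytes(range(256)) * 4
    return bytes(img)

if __name__ == "__main__":
    for fill in (0x00, 0xFF):
        for start, end, kind in map_extents(io.BytesIO(build_sample(fill))):
            print(f"fill={fill:02X}  {start:07X} - {end:07X}  {kind}")
```

To scan a real image, pass `open(path, "rb")` instead of the `io.BytesIO` sample.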
  8. greyneon

    greyneon Advanced Member

    Newcomer
    74
    15
    Sep 5, 2013
    Hidden Nuclear Base
    So this is the only downgrading that's possible (if you got a NAND dump from the same 3DS of a lower FW)?

    Can this be software locked? Meaning can Nintendo block this attempt?
     
  9. Queno138

    Queno138 Ravens

    Member
    2,412
    782
    Sep 18, 2010
    Senegal
    Luigi's Dark Mansion
    Laziness in me is screaming: "Create a program that will check if nand dumps follow nand dump formats"

    (basically, after we worked out the "format", create a program to check if one's dump is a bad dump.)
     
    Margen67 and pelago like this.
  10. spett

    spett Newbie

    Newcomer
    8
    0
    Apr 9, 2012
    Norway
    Did some testing today. I backed up my 5.1 firmware, updated to latest, 6.3 firmware via system update, did a backup of this too and then restored my 5.1 backup.
    Here's the weird thing;
    I then upgraded to 6.3 again via system update and did a second backup of the 6.3 firmware.
    My two 6.3 firmwares are both valid dumps but do not match at all! Weird..
    Does anyone have a theory about what's going on here?
     
  11. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,511
    9,327
    Nov 21, 2005
    When you say "do not match at all" did you run a proper differences check or just look at things?

    Occasionally NAND gets remapped/randomised at the sector level as a kind of reverse engineering protection/security check, I have no idea if Nintendo have employed it in the 3ds but it is far from a new technique and used by several other security systems on consoles and embedded hardware. Similarly depending upon your dumping method you might instead be encountering the write randomisation/wear levelling in action.
    There are some software things but they are less likely and/or kind of similar to the more hardware level things already discussed.
     
  12. spett

    spett Newbie

    Newcomer
    8
    0
    Apr 9, 2012
    Norway
    I did a simple file compare in hex editor neo. There were similarities between the two 6.3 dumps but by the look of it they looked as different as 5.1 and 6.3.
    Of course, both 6.3 dumps have to contain the same content somehow..
    It could just be because of the wear leveling..
    I'm using the SD card method to backup.
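
A differences check of the kind asked for above, as an added example that is not part of any post in this thread: it hashes both files (the yes/no answer the first post gets from an MD5 tool when comparing repeated reads) and, when the hashes differ, reports which 512-byte ranges differ and what fraction of the dump that is. The sector size, SHA-256 default, file names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SECTOR = 0x200  # report differences per 512-byte sector (assumed granularity)

def digest(path, algo="sha256", chunk=1 << 20):
    """Hash a dump in 1 MiB chunks so the whole image never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def diff_ranges(a_path, b_path, sector=SECTOR):
    """Return (merged differing byte ranges, differing sectors, total sectors)."""
    ranges, differing, total, offset = [], 0, 0, 0
    with open(a_path, "rb") as fa, open(b_path, "rb") as fb:
        while True:
            a, b = fa.read(sector), fb.read(sector)
            if not a and not b:
                break
            span = max(len(a), len(b))  # a shorter file shows up as a differing tail
            total += 1
            if a != b:
                differing += 1
                # extend the previous range when this sector directly follows it
                start = ranges.pop()[0] if ranges and ranges[-1][1] == offset - 1 else offset
                ranges.append((start, offset + span - 1))
            offset += span
    return ranges, differing, total

def compare(a_path, b_path):
    """Cheap hash check first; locate the differences only when it fails."""
    if digest(a_path) == digest(b_path):
        return {"identical": True, "ranges": [], "fraction": 0.0}
    ranges, differing, total = diff_ranges(a_path, b_path)
    return {"identical": False, "ranges": ranges, "fraction": differing / total}

def demo():
    """Constructed input: two 8-sector reads differing in sectors 2-3 and 6."""
    good = bytes(range(256)) * 16
    bad = bytearray(good)
    for off in (0x400, 0x7FF, 0xC10):
        bad[off] ^= 0xFF
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d, "read1.bin"), Path(d, "read2.bin")
        a.write_bytes(good)
        b.write_bytes(bytes(bad))
        return compare(a, a), compare(a, b)
```

The fraction separates a few isolated differing sectors from dumps that differ across large regions.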
     
  13. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,922
    257
    May 16, 2008
    Antarctica
    The encryption is made up of 3 things: 2 keys and a random number. (This is a very oversimplified explanation of encryption.)

    You just learned that the encryption is applied every time you update.
     
  14. spett

    spett Newbie

    Newcomer
    8
    0
    Apr 9, 2012
    Norway
    Ahh okay, a random number is used too. That explains it.. Thank you!
     
  15. LuCa1988

    LuCa1988 Newbie

    Newcomer
    6
    1
    Mar 15, 2009
    United States
    Ok now my mod works fine :lol:

    Under the battery cover is the Micro SD adapter, and if I use this with a card reader it changes automatically to the blue screen.


    [​IMG]
    I have made a Backup and it works fine :yaysp:



    I have an idea for a downgrade mod but I don't have an old backup from version 4.5 or lower.. :cry:
    Can anyone help me? Give me an older backup? Please? Thanks!
     
  16. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,511
    9,327
    Nov 21, 2005
    How do you propose to work around what I presume are per device signed dumps, and likely encrypted ones at that?
     
  17. mr. fancypants

    mr. fancypants that´s ´Sir´ for you!

    Member
    605
    88
    Jul 16, 2013
    Netherlands
    right here, right now
    well if he wants to brick his 3ds he can do that but he *can* downgrade his 3ds with a not-original NAND dump would it be a great (if it's not the biggest) step
     
  18. Yepi69

    Yepi69 Vivid and busy gamer

    Member
    2,421
    1,018
    Nov 29, 2010
    Portugal
    Behind you
    InterestingTemp
     
  19. 5rg

    5rg Member

    Newcomer
    19
    6
    Jul 2, 2009
    Serbia, Republic of
    I'll tell you more. Try to back up firmware, doesn't matter which version. Power up your console, wait a couple of seconds, shut down and make another backup. And you'll see that the dumps will be different.
     
    pelago likes this.
  20. Quincy

    Quincy Your own personal guitarist :3

    Member
    1,436
    66
    Nov 13, 2008
    Netherlands
    Your house, robbing your stuff
    VERY late reaction, but could you please inform me (us) how you've done this mod?