Hardware Nintendo starts producing N3DS XL on 11.0.0-33

nl255

Oh? How's that?

That's the first I've heard of it. Can you give more info?

I think this is it (quoted from Plailect's guide). There are apparently a couple of people on here that have done it that way but I don't remember any of their names. Note that a standard NAND only hardmod is not sufficient.

There is, however, a method to dump the hash of the OTP on version 9.6.0-X. Because Kernel9Loader does not clear the SHA_HASH register after it has been used, dumping the SHA_HASH will give the hash of the OTP which was handed over to Kernel9 from Kernel9Loader. In addition, there is a long standing vulnerability where an MCU reboot caused by the i2c will not clear RAM like it's supposed to.

This allows for a hardware based attack where arbitrary data is written to nand_sector96+0x10 in a SysNAND backup and flashed to the device. Afterwards we wire the i2c to MCU reboot on our command, write a payload (which will write 0x1000A040 - 0x1000A060 to a file on the SD card) to arm9 memory somewhere, fill all memory with a NOP sled followed by a JMP instruction pointing to the payload. We can then MCU reboot repeatedly (incrementing nand_sector96+0x10 by 1 each time) until the Kernel9Loader jumps to the payload by random chance.
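A worked example of the two mechanical pieces in the quoted technique: bumping the byte at nand_sector96+0x10 in a SysNAND backup between attempts, and filling a region with a NOP sled that ends in a branch to the payload. This is added illustration code, not from Plailect's guide or from nl255's post. It assumes 0x200-byte NAND sectors, ARM-state (not Thumb) instruction encodings for the ARM9, and a hypothetical payload address; it only operates on an in-memory image and never touches a console.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAND_SECTOR_SIZE 0x200u   /* assumed 512-byte NAND sectors */
#define ARM_NOP          0xE1A00000u /* "mov r0, r0", the classic ARM-state NOP */

/* Byte offset of nand_sector96+0x10 inside a raw NAND image. */
size_t nand_sector96_offset(void) {
    return 96u * NAND_SECTOR_SIZE + 0x10u;
}

/* One brute-force step: increment the byte at nand_sector96+0x10 (wrapping mod 256)
   in an in-memory copy of the SysNAND backup. Returns the new value, or -1 if the
   image is too short to contain sector 96. */
int bump_sector96_byte(uint8_t *img, size_t len) {
    size_t off = nand_sector96_offset();
    if (off >= len) return -1;
    img[off] = (uint8_t)(img[off] + 1);
    return img[off];
}

/* Encode an ARM-state "B target" that will sit at address pc (condition AL).
   The 24-bit signed offset field is (target - (pc + 8)) / 4.
   Returns 0 if either address is misaligned or the target is out of +-32 MiB range. */
uint32_t arm_branch(uint32_t pc, uint32_t target) {
    if ((pc & 3u) || (target & 3u)) return 0;
    int64_t off = (int64_t)target - ((int64_t)pc + 8);
    if (off < -(1LL << 25) || off > (1LL << 25) - 4) return 0;
    return 0xEA000000u | (((uint32_t)off >> 2) & 0x00FFFFFFu);
}

/* Fill nwords words that will be mapped at `base` with NOPs, then a branch to `payload`
   as the last word, so that a jump landing anywhere in the region slides into the payload.
   Returns 0 on success, -1 if the branch cannot be encoded. */
int build_sled(uint32_t *buf, size_t nwords, uint32_t base, uint32_t payload) {
    if (nwords == 0) return -1;
    uint32_t last_pc = base + (uint32_t)(nwords - 1) * 4u;
    uint32_t b = arm_branch(last_pc, payload);
    if (b == 0) return -1;
    for (size_t i = 0; i + 1 < nwords; i++) buf[i] = ARM_NOP;
    buf[nwords - 1] = b;
    return 0;
}

int main(void) {
    /* Constructed stand-in for a SysNAND backup: large enough to hold sector 96. */
    static uint8_t img[0x20000];
    memset(img, 0, sizeof img);
    printf("sector96+0x10 is at image offset 0x%zx\n", nand_sector96_offset());
    printf("after one bump the byte reads 0x%02x\n", bump_sector96_byte(img, sizeof img));

    /* Hypothetical addresses: sled region at 0x08000000, payload at 0x08000100. */
    uint32_t sled[64];
    if (build_sled(sled, 64, 0x08000000u, 0x08000100u) != 0) return 1;
    printf("sled[0]  = 0x%08x (NOP)\n", sled[0]);
    printf("sled[63] = 0x%08x (B to payload)\n", sled[63]);
    return 0;
}
```

The branch encoder is the part worth checking by hand: the ARM pipeline makes the offset relative to pc+8, and the field is word-granular, so an odd target or one beyond the 24-bit signed range must be rejected rather than silently truncated into a jump somewhere else.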

Tenshi_Okami

I think this is it (quoted from Plailect's guide). There are apparently a couple of people on here that have done it that way but I don't remember any of their names. Note that a standard NAND only hardmod is not sufficient.
That's still for 9.6

And IIRC, this is NTRCardhax and I think it was patched on 10.4 but idk
 

Swiftloke

I think this is it (quoted from Plailect's guide). There are apparently a couple of people on here that have done it that way but I don't remember any of their names. Note that a standard NAND only hardmod is not sufficient.
That was fixed in newer versions of the arm9loader. Also, it only allows for OTP dumping, not actually installing a9lh, which needs arm9 control.
In fact, don't quote me on this, but I think this is what led to the arm9loader update, which led to a9lh.
 

Tenshi_Okami

@Tenshi_Okami You are right NTRCardHax was fixed in 10.4.0-x
Quote from the one that hinted at the dsiwarehax (this quote is a bit old, but still useful):

Needs FPGA aka hardware.

NTRCardHax might not be patched on 10.4 > no but it needs arm11 kernel access to cause the arm9 buff overflow

Does memchunkhax 2 enable enough arm11 kernel access for this? I don't think so :unsure:

Tenshi_Okami

Ok, so I just remembered this: Yellows8 was doing an app for homebrew where you could install DSi exploited saves, but it never went anywhere...

But it means that's possible... so this could mean that they could do DSiWareHax without needing an A9LH 3DS.

But this project is RIP, like I said before... But at least this could be helpful for someone who knows :P

--------------------- MERGED ---------------------------

Wtf? Arm11 kernel access = FULL ARM11 CONTROL. What are you on about?:unsure:

astrangeone

Ok, so I just remembered this: Yellows8 was doing an app for homebrew where you could install DSi exploited saves, but it never went anywhere...

But it means that's possible... so this could mean that they could do DSiWareHax without needing an A9LH 3DS.

But this project is RIP, like I said before... But at least this could be helpful for someone who knows :P

Hope this gets worked on further - right now I'm just using a throwaway NNID (deleting it after the full install) and then reinstalling sysnand a9lh (no NNID) onto my system.
 

Tenshi_Okami

Hope this gets worked on further - right now I'm just using a throwaway NNID (deleting it after the full install) and then reinstalling sysnand a9lh (no NNID) onto my system.
I don't think it would, but hey, there was a new commit 3 days ago. So who knows...
 

SonicCloud

I bought a black n3DS earlier this week at Wal-Mart; it came on 9.6U firmware. Granted, I asked the staff how they stocked the products (newer in front, oldest in the back) and got the furthest-back n3DS. All you really have to do is double check how the company stocks and play the game from there like I did.
What if they put it in horizontal? :c
 

Clector

Well, even if it gets worked on, it needs another way to get access on 11.0, as it shouldn't be able to get access to svcBackdoor, since svcBackdoor was removed for ARM11.
 

nl255

@Tenshi_Okami You are right NTRCardHax was fixed in 10.4.0-x

The thing I posted regarding the brute force method does not require the use of a DS/3DS card so I don't see what it has to do with NTRCardHax since it is based on rewriting the NAND over and over via hardmod and then doing a hardware reset.

That was fixed in newer versions of the arm9loader. Also, it only allows for OTP dumping, not actually installing a9lh, which needs arm9 control.
In fact, don't quote me on this, but I think this is what led to the arm9loader update, which led to a9lh.

Are you sure about that? Because I wonder why it is still in the guide if it no longer works. Also, if you have the OTP, then can't you install a9lh via hardmod? I could have sworn there was someone on here who had their OTP and a hardmod but no pre-11.0 backup, who accidentally updated to stock 11.0 and was able to install a9lh without needing to downgrade.
 

Clector

I don't know what it has to do with NTRCardHax; I think nothing. I only noted that NTRCardHax is fixed in 10.4.0-x since it was mentioned. It's a different thing, by the way.
 

Tenshi_Okami

The thing I posted regarding the brute force method does not require the use of a DS/3DS card so I don't see what it has to do with NTRCardHax since it is based on rewriting the NAND over and over via hardmod and then doing a hardware reset.
But like I said, this was for 9.6.0 (the guide doesn't say it was patched...).

So it's a bit useless, plus it's not very reliable... I think.