Homebrew 'ntrcardhax' / downgrading questions

Kitlith


dark_samus3

I do wish XDS had more documentation, though, telling us what it does. It apparently can't run commercial games, so I kind of doubt that it could boot from an encrypted NAND dump. I could certainly be wrong, though. That would be exciting.
DEcrypted, not ENcrypted ;)
 

Kitlith

DEcrypted, not ENcrypted ;)
Well, derp then. Seems a *bit* more likely. Still don't know anything about it. Not opposed to finding out, especially if it would work for this. xD

EDIT: It looks like XDS does a high-ish level emulation of Process9. *shrugs*
AGAIN: Yeah, it looks like XDS only simulates arm11. So...
 

Aroth

Guys, a quick offtopic question; up to what firmware does browserhax work without the browser nag? And is there any way to bypass the nag?

The nag was added with 10.0.0-27, however game carts that contain 9.9 also contain a stubbed browser that requires you to update the console via the internet (aka system settings) in order for it to work again.

If I remember correctly, there was a way to bypass it as long as you haven't already tried to open the browser yet (might be possible even with the browser already nagging, idk).

That said, this should only really be a problem for you if you are on 10.4 because if you are on 10.3 or lower you should just downgrade to 9.2 and switch to cfw/emunand. If you are already on 10.4 you should probably just update to 10.5.


Keep in mind that even on 10.4 or 10.5 you can still downgrade to 9.2 if you have a hard mod to use for dumping/flashing the nand chip.
 

Syphurith

A wild idea just popped up. Kind of weird. The original image that produced the special commands 'B/BL/..' for us is not broken if decrypted correctly. After it gets execution, it re-encrypts and re-decrypts itself to good, patches it on the fly, and it gets launched. It would also probably produce some holes for dumps that can be touched after re-exploit.

173210 merely comes here. You can find him on Twitter. He tried to use the DSTWO+ SDK to create the 'hardware' which reacts to a wrong request as 0x4000 when ARM11 booms. However, his one is lost, thus stopping him from going further with it, currently.
I do wonder: if someone replaced the encrypted FIRM0/FIRM1 with the older exploitable version (<10.4) and with the 10.5 title in CTRNAND, would it be exploitable?
 

Aroth

I do wonder: if someone replaced the encrypted FIRM0/FIRM1 with the older exploitable version (<10.4) and with the 10.5 title in CTRNAND, would it be exploitable?

I assume you mean flashing an encrypted 10.2 firm0/firm1 partition to the nand chip?

This can and HAS been done by several people over the last 36 hours in another thread. It requires a hardmod and I think access to an exploited 3ds on 9.2 that can generate xorpads for the firm partition, but the general gist is that you take the encrypted 10.4 firm0/firm1 from your console, xor it against a decrypted 10.4 firm0/firm1, then use the result to encrypt a decrypted firm0/firm1 with your console's key. You then patch the encrypted 10.2 firm0/firm1 into the clean nand.bin you dumped from your 10.4/10.5 system, then flash the entire thing back to your nand chip.

The result is a 10.4 or 10.5 system software running on top of a 10.2 firm, making the entire system vulnerable to mch2 again and allowing you to downgrade to 9.2.

The big hurdle is that it requires a hard mod to dump/flash the nand, and it is only useful for us because Nintendo fucked up and only iterated the revision number when they patched mch2. If they had iterated the version number and updated the home menu to check for the iterated version number then the entire process would fail and result in a brick.
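The xorpad step in the post above works because the FIRM partition is encrypted in a counter mode whose keystream depends only on the console key and the position in the partition, not on which FIRM version is being encrypted, so one known plaintext/ciphertext pair recovers the pad. The following is an added illustration, not code from this thread or from any 3DS tool: it substitutes a SHA-256 counter stream for the console's AES-CTR, uses constructed FIRM contents and a constructed nonce, and its last check shows the mitigation, namely that a nonce tied to the version would make the recovered pad useless.

```python
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream stand-in: SHA-256(key || nonce || counter) per block.
    Like the console's AES-CTR it depends only on (key, nonce, position)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR in counter mode."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def derive_xorpad(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext leaks the pad: C xor P = keystream (no key needed)."""
    return xor_bytes(ciphertext, known_plaintext)


def reencrypt_with_pad(xorpad: bytes, new_plaintext: bytes) -> bytes:
    """Apply a recovered pad to another plaintext of at most the pad's length."""
    if len(new_plaintext) > len(xorpad):
        raise ValueError("pad only covers the length of the known plaintext")
    return xor_bytes(new_plaintext, xorpad)


def demo() -> tuple:
    console_key = os.urandom(16)          # constructed: unique per console, never leaves it
    nonce = b"firm-partition-iv"          # constructed: same for every FIRM version
    firm_new = b"FIRM version 10.4 (patched)  " * 4   # constructed stand-in for decrypted 10.4
    firm_old = b"FIRM version 10.2 (pre-patch)" * 4   # constructed stand-in for decrypted 10.2
    ct_new = ctr_crypt(console_key, nonce, firm_new)   # what a NAND dump contains
    pad = derive_xorpad(ct_new, firm_new)              # encrypted 10.4 xor decrypted 10.4
    ct_old = reencrypt_with_pad(pad, firm_old)         # the partition written back by the hardmod
    # The console decrypts the re-encrypted partition to the old FIRM exactly.
    decrypts_to_old = ctr_crypt(console_key, nonce, ct_old) == firm_old
    # Mitigation: a nonce bound to the version makes the recovered pad useless.
    pad_blocked = ctr_crypt(console_key, b"firm-iv-10.4", ct_old) != firm_old
    return decrypts_to_old, pad_blocked
```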
 

Syphurith

I want multiple people to dump their own FIRM0/FIRM1 partition in both encrypted and decrypted form. The decrypted form of those could be the same as others having the same FIRM version. Although I don't know how that decrypted FIRM0/FIRM1 is generated when FIRM is updated. If this is true, just dump the original, and have the same FIRM in decrypted form - you can then get your own FIRM0/FIRM1 xorpad. Also, the kernel is launched in FIRM. Not many ways to brick it legally (orz).

@Apache Thunder I wonder if we should also stock the decrypted form of FIRM..

Okay, I know now this could also be partially blocked, using the KernelVersion flag for system modules and HomeMenu...
 

dark_samus3

I assume you mean flashing an encrypted 10.2 firm0/firm1 partition to the nand chip?

This can and HAS been done by several people over the last 36 hours in another thread. It requires a hardmod and I think access to an exploited 3ds on 9.2 that can generate xorpads for the firm partition, but the general gist is that you take the encrypted 10.4 firm0/firm1 from your console, xor it against a decrypted 10.4 firm0/firm1, then use the result to encrypt a decrypted firm0/firm1 with your console's key. You then patch the encrypted 10.2 firm0/firm1 into the clean nand.bin you dumped from your 10.4/10.5 system, then flash the entire thing back to your nand chip.

The result is a 10.4 or 10.5 system software running on top of a 10.2 firm, making the entire system vulnerable to mch2 again and allowing you to downgrade to 9.2.

The big hurdle is that it requires a hard mod to dump/flash the nand, and it is only useful for us because Nintendo fucked up and only iterated the revision number when they patched mch2. If they had iterated the version number and updated the home menu to check for the iterated version number then the entire process would fail and result in a brick.
You should link us to this thread ;)
 

Kitlith

Well, I'm downgrading from 9.9 to 9.2 today. I've removed the update nag, it currently has wifi turned off, I've verified the sha1sum and md5sum of the downgrade pack. I've checked that it's the right region and version of 3DS. Just need to use FTBrony to transfer safeSysUpdater and the downgrade pack, and then I'm clear to go.
 

Shadowtrance

Well, I'm downgrading from 9.9 to 9.2 today. I've removed the update nag, it currently has wifi turned off, I've verified the sha1sum and md5sum of the downgrade pack. I've checked that it's the right region and version of 3DS. Just need to use FTBrony to transfer safeSysUpdater and the downgrade pack, and then I'm clear to go.
Why on earth would you transfer the downgrade cia pack, which is 100+ MB, over dodgy FTP instead of taking the card out and plugging it into the pc and copying?

Anyways, good luck. :)
 

Kitlith

Why on earth would you transfer the downgrade cia pack, which is 100+ MB, over dodgy FTP instead of taking the card out and plugging it into the pc and copying?

Anyways, good luck. :)
Because my SD card reader is even more dodgy. Seriously, I can barely get it working sometimes. Anyway, I transferred it all, it's all good according to safeSysUpdater. Blasted pink dots...
 

Psi-hate

Because my SD card reader is even more dodgy. Seriously, I can barely get it working sometimes. Anyway, I transferred it all, it's all good according to safeSysUpdater. Blasted pink dots...
Yeah, safesysupdater is an ass. I downgraded my friend's N3DS and his brother's O3DS a couple days ago. N3DS took like 5 tries to get past the pink dots and the O3DS went first try. :P
 

Kitlith

Yeah, safesysupdater is an ass. I downgraded my friend's N3DS and his brother's O3DS a couple days ago. N3DS took like 5 tries to get past the pink dots and the O3DS went first try. :P
It took several more times than that.

So, I got past the pink dots... and now it seems to be stuck during 'Checking update integrity...' on '/updates/0004001000021B00.cia'

Am I safe to reboot/reset or am I doomed? I don't think so, because it's checking the update integrity right now, but... I don't want to reset just yet just in case...
 

Psi-hate

It took several more times than that.

So, I got past the pink dots... and now it seems to be stuck during 'Checking update integrity...' on '/updates/0004001000021B00.cia'

Am I safe to reboot/reset or am I doomed? I don't think so, because it's checking the update integrity right now, but... I don't want to reset just yet just in case...
As long as it hasn't installed anything, it's alright. Go ahead and reset it, but hope that it doesn't freeze on the installation part. (It's very unlikely for it to freeze anyway, so don't be too afraid, as it's quite rare that sysupdater freezes.) If it softbricks when it screws up, you should be able to update to 10.5 via the recovery menu and downgrade from there via a hardmod by injecting a 10.2 NATIVE_FIRM into your 10.5 nand-dump. Don't worry, no matter the result, you will be able to downgrade one way or another (unless you get the unfortunate event of a full brick, which is very unlikely, as most full bricks from sysupdater are from corrupted or wrong files).
 

Kitlith

If it softbricks when it screws up, you should be able to update to 10.5 via the recovery menu and downgrade from there via a hardmod by injecting a 10.2 NATIVE_FIRM into your 10.5 nand-dump. Don't worry, no matter the result, you will be able to downgrade one way or another (unless you get the unfortunate event of a full brick, which is very unlikely, as most full bricks from sysupdater are from corrupted or wrong files).
Well, it hasn't been bricked in any form... yet... I just need to get it working again. So, if I don't get it working before I get home, I'm going to download the version of sysUpdater from the simple downgrading thread and use that: hopefully it has a better launch rate. ._.
 

Psi-hate

Well, it hasn't been bricked in any form... yet... I just need to get it working again. So, if I don't get it working before I get home, I'm going to download the version of sysUpdater from the simple downgrading thread and use that: hopefully it has a better launch rate. ._.
I'm sure both have the same launch rate. SafeSysupdater is literally just the normal memchunkhax2 with checks and all that extra stuff, so using the first version wouldn't do anything else but result in a worse chance of success.
 
