Homebrew 'ntrcardhax' / downgrading questions

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
> Well, I'm on o3DS... so (apparently?) I shouldn't worry. Still. I'm still working on getting it to boot...
>
> What kills me is that xerpi's linux loader using memchunkhax2 has a higher bootrate, it only fails occasionally. With this, I've only gotten past pink dots 3 times, it got stuck on 'HAX SUCCESSFUL' twice, and froze during CIA verification the third time. ._.
You should probably just use the other sysupdater... The fact that it isn't stable worries me though, because once the race attack is complete and kernel access is gained then there is no need to do anything more, you've got kernel access, it SHOULD be end of story. But obviously it isn't which leads me to believe something else is wrong...
 

zoogie

playing around in the end of life
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
15,000
Country
Micronesia, Federated States of
Here's some possibly useful info.
<Normmatt> in case anyone cares... ak2i hw44 gives you control of 0x4000 bytes for the header, ak2i hw81 gives you control of 0x1000 bytes that gets mirrored

Now time to dig out that old acekard. :D
Any way to tell the hardware revisions apart?
Nvm, Akaio tells you in the menu, forgot.
 
Last edited by zoogie,

Kitlith

Well-Known Member
OP
Newcomer
Joined
Jan 29, 2016
Messages
93
Trophies
0
Location
Trapped between a rock and a hard place
Website
kitl.pw
XP
218
Country
United States
> Here's some possibly useful info.
> <Normmatt> in case anyone cares... ak2i hw44 gives you control of 0x4000 bytes for the header, ak2i hw81 gives you control of 0x1000 bytes that gets mirrored
>
> Now time to dig out that old acekard. :D
> Any way to tell the hardware revisions apart?
> Nvm, Akaio tells you in the menu, forgot.
AKA, hw44 'breaks', and hw81 does it according to how gbatek says it should work. Sounds to me like it should work either way; I would just need to insert the changed whatever at pos % 0x1000 for hw81, I think. Problem there could be if it overlaps with the regular header... Thank you for putting this here!

And I found my charger again. Woo, more downgrade attempts. ._.
I wasn't intending for downgrading to become the central focus of this thread...
 

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
> AKA, hw44 'breaks', and hw81 does it according to how gbatek says it should work. Sounds to me like it should work either way; I would just need to insert the changed whatever at pos % 0x1000 for hw81, I think. Problem there could be if it overlaps with the regular header... Thank you for putting this here!
>
> And I found my charger again. Woo, more downgrade attempts. ._.
> I wasn't intending for downgrading to become the central focus of this thread...
If you've verified the files on the card then I urge you to stop using safe sysupdater... ironically it's less safe than the regular version atm
 

EMKBRO

Member
Newcomer
Joined
Jan 21, 2016
Messages
9
Trophies
0
Age
44
XP
54
Country
Brazil
> Alright! Downgraded!
>
> For future reference: If FTBrony crashes when doing L+R+Down+B, it's out of date. If you upgrade and then do that trick, it works a toooooon better.
>
> (Third try after updating FTBrony. The other two tries got stuck on 'init ->' instead of pink dots)
>
> :D
What was the version before your downgrade?
 

cpasjuste

Well-Known Member
Member
Joined
Aug 27, 2015
Messages
1,108
Trophies
1
Age
44
XP
4,481
Country
France
> If you've verified the files on the card then I urge you to stop using safe sysupdater... ironically it's less safe than the regular version atm
Well I don't think it's less safe. Steveice added mainly two things: sort title order (which is added in safesysupdater) and safe_mode titles first, which is not needed in our case since safe_mode titles are the same version between 9.2 and 9.2+.
Also there's nothing wrong with the code, it's the hack itself which is unstable. It's not just execute and "voila", I guess there's some memory corruption going on.
 
Last edited by cpasjuste,

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
> Well I don't think it's less safe. Steveice added mainly two things: sort title order (which is added in safesysupdater) and safe_mode titles first, which is not needed in our case since safe_mode titles are the same version between 9.2 and 9.2+.
the OTHER part he added (which I don't see in your source) is instead of uninstalling all of the titles initially (yes every title that needed downgrading was uninstalled before any CIAs were installed, all at once), each title is now uninstalled just before each title gets installed... so if I were to use your version and interrupt a downgrade then there's a HIGH chance that it was something needed to boot into a state where anything is recoverable that was uninstalled and (since everything was uninstalled initially) wasn't ever reinstalled... whereas we had someone interrupt 3 downgrades which resulted in a recoverable state and one that was not (to be fair he was actually trying really hard to get it to brick since he had a hardmod) with Steveice's changes. THAT'S the feature we're talking about
 
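The ordering argument above (uninstall everything first, versus uninstalling each title right before reinstalling it) can be checked with a small simulation. This is an added example written for this page, not code from SafeSysUpdater or from anyone in the thread; the title names are constructed placeholders, and the model treats each uninstall or install as one atomic step after which the process may be interrupted (power loss, crash, user abort). It reports how many titles are left uninstalled for a given interruption point, and the worst case over all of them.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

using Titles = std::vector<std::string>;

// Constructed sample: five hypothetical titles that all need downgrading.
// (Placeholder names, not real 3DS title ids; any distinct strings work.)
static const Titles kTitles = {"title_A", "title_B", "title_C", "title_D", "title_E"};

// Number of titles that are NOT installed at the moment of interruption.
static int countMissing(const Titles& titles, const std::set<std::string>& installed) {
    return static_cast<int>(titles.size() - installed.size());
}

// Strategy 1 (batch order): uninstall every title first, then install every
// replacement CIA. `steps` is how many operations complete before interruption.
int missingBatchOrder(const Titles& titles, std::size_t steps) {
    std::set<std::string> installed(titles.begin(), titles.end());
    std::size_t done = 0;
    for (const auto& t : titles) {          // phase 1: uninstall all
        if (done == steps) return countMissing(titles, installed);
        installed.erase(t);
        ++done;
    }
    for (const auto& t : titles) {          // phase 2: install all
        if (done == steps) return countMissing(titles, installed);
        installed.insert(t);
        ++done;
    }
    return countMissing(titles, installed);
}

// Strategy 2 (per-title order): uninstall one title and immediately install
// its replacement before touching the next one.
int missingPerTitleOrder(const Titles& titles, std::size_t steps) {
    std::set<std::string> installed(titles.begin(), titles.end());
    std::size_t done = 0;
    for (const auto& t : titles) {
        if (done == steps) return countMissing(titles, installed);
        installed.erase(t);
        ++done;
        if (done == steps) return countMissing(titles, installed);
        installed.insert(t);
        ++done;
    }
    return countMissing(titles, installed);
}

// Worst case over every possible interruption point (0 .. 2*n operations).
int worstCaseMissing(int (*strategy)(const Titles&, std::size_t), const Titles& titles) {
    int worst = 0;
    for (std::size_t s = 0; s <= 2 * titles.size(); ++s)
        worst = std::max(worst, strategy(titles, s));
    return worst;
}

int main() {
    std::printf("batch order, worst case titles missing: %d\n",
                worstCaseMissing(missingBatchOrder, kTitles));
    std::printf("per-title order, worst case titles missing: %d\n",
                worstCaseMissing(missingPerTitleOrder, kTitles));
    return 0;
}
```

With five titles, the batch order can leave all five missing (interrupted right after the uninstall phase), while the per-title order never leaves more than one title missing at any interruption point, which is the recoverability property being argued about.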

cpasjuste

Well-Known Member
Member
Joined
Aug 27, 2015
Messages
1,108
Trophies
1
Age
44
XP
4,481
Country
France
> the OTHER part he added (which I don't see in your source) is instead of uninstalling all of the titles initially (yes every title that needed downgrading was uninstalled before any CIAs were installed, all at once), each title is now uninstalled just before each title gets installed... so if I were to use your version and interrupt a downgrade then there's a HIGH chance that it was something needed to boot into a state where anything is recoverable that was uninstalled and (since everything was uninstalled initially) wasn't ever reinstalled... whereas we had someone interrupt 3 downgrades which resulted in a recoverable state and one that was not (to be fair he was actually trying really hard to get it to brick since he had a hardmod) with Steveice's changes. THAT'S the feature we're talking about
Then you're not so good at coding :P, take a closer look at this loop.
https://github.com/Cpasjuste/SafeSysUpdater/blob/master/source/Main.cpp#L169
 

Kitlith

Well-Known Member
OP
Newcomer
Joined
Jan 29, 2016
Messages
93
Trophies
0
Location
Trapped between a rock and a hard place
Website
kitl.pw
XP
218
Country
United States
@Normmatt has apparently done his own RE work and figured out a possible payload. He won't be releasing this unless it works on actual hardware (he did it using his 3dmoo9 which isn't public), which means either I do useless work to find a possible payload again, or I try to work on the arm11 kernel side. Where I'm also useless, because I don't know enough, though I'd like to try.

The main issue is that the address we have is the physical address. Apparently, sometimes that section of IO may be mapped, and we can access it, but it isn't always mapped. So the options are to find out if we can map the IO region somewhere, or disable the MMU and use the physical address. Time to do research~...

I'm going to update the gist now.
 
Last edited by Kitlith,

Kitlith

Well-Known Member
OP
Newcomer
Joined
Jan 29, 2016
Messages
93
Trophies
0
Location
Trapped between a rock and a hard place
Website
kitl.pw
XP
218
Country
United States
> I believe that this thread needs to be at the top again. Any news on ntrcardhax?
Not really. Been busy (school), and I can't speak for what @Normmatt is up to, though I know he is working on stuff. Last I heard, his personal emulator, 3dmoo9, differs enough from actual hardware that it makes it hard to test 'ntrcardhax'.

I also don't know whether he has got around mapping that address yet? This is all I know:
<Kitlith> Still trying to map that IO region?
<Normmatt> yes and no
 

Normmatt

Former AKAIO Programmer
Member
Joined
Dec 14, 2004
Messages
2,161
Trophies
1
Age
33
Website
normmatt.com
XP
2,189
Country
New Zealand
> Not really. Been busy (school), and I can't speak for what @Normmatt is up to, though I know he is working on stuff. Last I heard, his personal emulator, 3dmoo9, differs enough from actual hardware that it makes it hard to test 'ntrcardhax'.
>
> I also don't know whether he has got around mapping that address yet? This is all I know:
> <Kitlith> Still trying to map that IO region?
> <Normmatt> yes and no
I got it working since then :P
 
  • Like
Reactions: Kitlith

Normmatt

Former AKAIO Programmer
Member
Joined
Dec 14, 2004
Messages
2,161
Trophies
1
Age
33
Website
normmatt.com
XP
2,189
Country
New Zealand
> Sorry to bump an old thread but, I actually have a few questions about this exploit in general.
>
> 1. Does this exploit work on 10.6?
>
> 2. Is this exploit possible with something simple like just an R4?

1. No it was patched in 10.4

2. No... I will only be supporting AK2i's
 

Thunder Hawk

Firefox Master Race
Member
Joined
Jan 21, 2013
Messages
804
Trophies
1
XP
2,605
Country
United States
> 1. No it was patched in 10.4
>
> 2. No... I will only be supporting AK2i's
What could this exploit actually get us? Does it currently work for both 44 and 81? Would the AK2i be useless as a flashcard/cart after it's installed? Would an older DS/DSi system be needed to fix/uninstall it?
 
