Homebrew 'ntrcardhax' / downgrading questions

[dark_samus3]

Well, I'm on o3DS... so (appearantly?) I shouldn't worry. Still. I'm still working on getting it to boot...

What kills me is that xerpi's linux loader using memchunkhax2 has a higher bootrate, it only fails occasionally. While this, I've only gotten past pink dots 3 times, it got stuck on 'HAX SUCCESSFUL' twice, and froze during CIA verification the third time. ._.

You should probably just use the other sysupdater... The fact that it isn't stable worries me though, because once the race attack is complete and kernel access is gained then there is no need to do anything more, you've got kernel access, it SHOULD be end of story. But obviously it isn't which leads me to believe something else is wrong...

 

[Kitlith]

RIP. I had my charger yesterday... but now I don't. Got stuck on 'init ->' once more, but it's dying. Need that blasted charger!

I tried setting up ctr boot manager to do faster attempts, but just had problems.

Guess I'll be attempting downgrades another day. ._.

 

[zoogie]

Here's some possibly useful info.
<Normmatt> in case anyone cares... ak2i hw44 gives you control of 0x4000 bytes for the header, ak2i hw81 gives you control of 0x1000 bytes that gets mirrored

Now time to dig out that old acekard.
Any way to tell the hardware revisions apart?
Nvm, Akaio tells you in the menu, forgot.

 

[Kitlith]

Here's some possibly useful info.
<Normmatt> in case anyone cares... ak2i hw44 gives you control of 0x4000 bytes for the header, ak2i hw81 gives you control of 0x1000 bytes that gets mirrored

Now time to dig out that old acekard.
Any way to tell the hardware revisions apart?
Nvm, Akaio tells you in the menu, forgot.

AKA, hw44 'breaks', and hw81 does it according to how gbatek says it should work. Sounds like to me it should work either way, just would need to insert the changed whatever at pos % 0x1000 for hw81, I think. Problem there could be if it overlaps with the regular header... Thank you for putting this here!

And I found my charger again. Woo, more downgrade attempts. ._.
I wasn't intending for downgrading to become the central focus of this thread...

 

[dark_samus3]

AKA, hw44 'breaks', and hw81 does it according to how gbatek says it should work. Sounds like to me it should work either way, just would need to insert the changed whatever at pos % 0x1000 for hw81, I think. Problem there could be if it overlaps with the regular header... Thank you for putting this here!

And I found my charger again. Woo, more downgrade attempts. ._.
I wasn't intending for downgrading to become the central focus of this thread...

If you've verified the files on the card then I urge you to stop using safe sysupdater... ironically it's less safe than the regular version atm

 

[Kitlith]

Alright! Downgraded!

For future reference: If FTBrony crashes when doing L+R+Down+B, it's out of date. If you upgrade and then do that trick, it works a toooooon better.

(Third try after updating FTBrony. The other two tries gpt stuck on 'init ->' instead of pink dots)

 

[EMKBRO]

Alright! Downgraded!

For future reference: If FTBrony crashes when doing L+R+Down+B, it's out of date. If you upgrade and then do that trick, it works a toooooon better.

(Third try after updating FTBrony. The other two tries gpt stuck on 'init ->' instead of pink dots)

What was the version before your downgrade?

 

[dark_samus3]

What was the version before your downgrade?

He was on 9.9

 

[cpasjuste]

If you've verified the files on the card then I urge you to stop using safe sysupdater... ironically it's less safe than the regular version atm

Well I don't think it's less safe. Steive added mainly two things : sort title order (which is added in safesysupdater) and safe_mode titles first which is not needed in our case since safe_mode titles are the same version between 9.2 and 9.2+.
Also there's nothing wrong with the code, its the hack itself which is unstable. It's not just execute and "voila", I guess there's some memory corruption going on.

 

[dark_samus3]

Well I don't think it's less safe. Steive added mainly two things : sort title order (which is added in safesysupdater) and safe_mode titles first which is not needed in our case since safe_mode titles are the same version between 9.2 and 9.2+.

the OTHER part he added (which I don't see in your source) is instead of uninstalling all of the titles initially (yes every title that needed downgrading was uninstalled before any CIAs were installed, all at once), each title is now uninstalled just before each title gets installed... so if I were to use your version and interrupt a downgrade then there's a HIGH chance that it was something needed to boot into a state where anything is recoverable that was uninstalled and (since everything was uninstalled initially) wasn't ever reinstalled... whereas we had someone interrupt 3 downgrades which resulted in a recoverable state and one that was not (to be fair he was actually trying really hard to get it to brick since he had a hardmod) with Steveice's changes. THAT'S the feature we're talking about

 

[cpasjuste]

the OTHER part he added (which I don't see in your source) is instead of uninstalling all of the titles initially (yes every title that needed downgrading was uninstalled before any CIAs were installed, all at once), each title is now uninstalled just before each title gets installed... so if I were to use your version and interrupt a downgrade then there's a HIGH chance that it was something needed to boot into a state where anything is recoverable that was uninstalled and (since everything was uninstalled initially) wasn't ever reinstalled... whereas we had someone interrupt 3 downgrades which resulted in a recoverable state and one that was not (to be fair he was actually trying really hard to get it to brick since he had a hardmod) with Steveice's changes. THAT'S the feature we're talking about

Then you're not so good at coding , take a closer look at this loop.
https://github.com/Cpasjuste/SafeSysUpdater/blob/master/source/Main.cpp#L169

 

[dark_samus3]

Then you're not so good at coding , take a closer look at this loop.
https://github.com/Cpasjuste/SafeSysUpdater/blob/master/source/Main.cpp#L169

Well then... not sure how I missed that, sorry about that. I hereby retract my former statements lol.

 

[Kitlith]

@Normmatt has apparently done his own RE work and figured out a possible payload. He won't be releasing this unless it works on actual hardware (he did it using his 3dmoo9 which isn't public), which means either I do useless work to find a possible payload again, or I try to work on the arm11 kernel side. Where I'm also useless, because I don't know enough, though I'd like to try.

The main issue is that the address we have is the physical address. Appearantly, sometimes that section of IO may be mapped, and we can access it, but it isn't always mapped. So the options are to find out if we can map the IO region somewhere, or disable the MMU and use the physical address. Time to do research~...

I'm going to update the gist now.

 

[Thunder Hawk]

I believe that this thread needs to be at the top again. Any news on ntrcardhax?

 

[Kitlith]

I believe that this thread needs to be at the top again. Any news on ntrcardhax?

Not really. Been busy (school), and i can't speak for what @Normmatt is up to, though I know he is working on stuff. Last I heard, his personal emulator, 3dmoo9, differs enough from actual hardware that it makes it hard to test 'ntrcardhax'.

I also don't know whether he has got around mapping that address yet? This is all I know:
<Kitlith> Still trying to map that IO region?
<Normmatt> yes and no

 

[Normmatt]

Not really. Been busy (school), and i can't speak for what @Normmatt is up to, though I know he is working on stuff. Last I heard, his personal emulator, 3dmoo9, differs enough from actual hardware that it makes it hard to test 'ntrcardhax'.

I also don't know whether he has got around mapping that address yet? This is all I know:
<Kitlith> Still trying to map that IO region?
<Normmatt> yes and no

I got it working since then

 

[Pikasack]

I got it working since then

Sorry to bump an old thread but, I actually have a few questions about this exploit in general.

1. Does this exploit work on 10.6?

2. Is this exploit possible with something simple like just an R4?

 

[Normmatt]

Sorry to bump an old thread but, I actually have a few questions about this exploit in general.

1. Does this exploit on 10.6?

2. Is this exploit possible with something simple like just an R4?

1. No it was patched in 10.4

2. No... I will only be supporting AK2i's

 

[Pikasack]

1. No it was patched in 10.4

2. No... I will only be supporting AK2i's

Wow, thanks for the quick reply.
Although that is a bummer, I still would like to acknowledge the hard work that has been put in to figure out how this exploit works.

 

[Thunder Hawk]

1. No it was patched in 10.4

2. No... I will only be supporting AK2i's

What could this exploit actually get us? Does it currently work for both 44 and 81? Would the AK2i be useless as a flashcard/cart after it's installed? Would an older DS/DSi system be needed to fix/uninstall it?