Hacking NTRCardHax Progress?

metroid maniac

An idiot with an opinion
Member
Joined
May 16, 2009
Messages
2,088
Trophies
2
XP
2,647
Country
> People may be asking why do we need this when there's already a9 sploits on 9.2. Because, with this, we can use dgtool potentially to downgrade nfirm to 10.3 and just use ntrcardhax right there on firmware 11.x to install a9lh. In short, we can avoid the risk and trouble of ctrnand downgrades to 9.2 completely.

Is that really possible?
When does NTRcardhax trigger? As far as I understand things, NTRcardhax would need to gain arm9 code execution before kernel9 finishes initializing, because that's when the register containing the OTP hash is cleared.
 

zoogie

playing around in the end of life
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
15,000
Country
Micronesia, Federated States of
> Is that really possible?
> When does NTRcardhax trigger? As far as I understand things, NTRcardhax would need to gain arm9 code execution before kernel9 finishes initializing, because that's when the register containing the OTP hash is cleared.
I would assume we just go straight to ctrnand transfer to 2.1, skipping the downgrade to 9.2 step, considering that otpless was removed from the guide and all.

The bigger issue of ntrcardhax at the moment is that it relies on having an ak2i. We can only hope the flasher can be ported to other DS flashcards. I think it would be a great selling point. @tranfeer , you listening man? :P
 
Last edited by zoogie,

Wolfvak

nyaa~
Member
Joined
Oct 25, 2015
Messages
918
Trophies
1
XP
3,486
Country
Uruguay
> Is that really possible?
> When does NTRcardhax trigger? As far as I understand things, NTRcardhax would need to gain arm9 code execution before kernel9 finishes initializing, because that's when the register containing the OTP hash is cleared.
You can do OTPLess with ARM9 access though... and ARM9 access is gained when the buffer is overflown, so you have to insert the card to trigger P9 to read it.

--------------------- MERGED ---------------------------

> The bigger issue of ntrcardhax at the moment is that it relies on having an ak2i. We can only hope the flasher can be ported to other DS flashcards.
There was some work being done by @Kitlith with a RPi https://github.com/kitling/NTRPi/
Not sure how far it has gone though.
 

metroid maniac

An idiot with an opinion
Member
Joined
May 16, 2009
Messages
2,088
Trophies
2
XP
2,647
Country
> I would assume we just go straight to ctrnand transfer to 2.1, skipping the downgrade to 9.2 step, considering that otpless was removed from the guide and all.
>
> The bigger issue of ntrcardhax at the moment is that it relies on having an ak2i. We can only hope the flasher can be ported to other DS flashcards. I think it would be a great selling point. @tranfeer , you listening man? :P

That makes more sense, the way it was worded makes it seem as though NTRcardhax would expose OTP data without 2.1 downgrade being necessary.

> You can do OTPLess with ARM9 access though... and ARM9 access is gained when the buffer is overflown, so you have to insert the card to trigger P9 to read it.

"OTPless", the key-rearranging method, is pretty dangerous and N3DS exclusive. Better not to do things that way.
 

Wolfvak

nyaa~
Member
Joined
Oct 25, 2015
Messages
918
Trophies
1
XP
3,486
Country
Uruguay
> is pretty dangerous
AFAIK no developer has been able to replicate the issue, and no bricked NAND dumps were sent... so I'll just disregard it. There's no verifiable source that it actually even happened, just the word of a bunch of people

> and N3DS exclusive
Yeah, I'm expecting this method to be used mostly for consoles that have no other exploitable firmwares, like KOR/CHN/TWN N3DS'.
 

d3m3vilurr

Well-Known Member
Newcomer
Joined
Jun 2, 2016
Messages
51
Trophies
0
Age
39
XP
104
Country
Hi.

I already installed a9lh on my KOR N3DS using ntrcardhax yesterday. https://twitter.com/d3m3vilurr/status/809078062209867776
So, yes, it can. As explained before, if you get an arm9 exploit, you don't need any extra steps (like a sys downgrade); just do a CTR transfer & OTPless a9lh install (I used CTR transfer).

1. If you can downgrade to 9.2, ntrcardhax is not needed and maybe useless; ntrcardhax still needs an extra device (currently :) )
2. But some other regions (yes, actually the Korean version) cannot choose DG, because no <= 9.6 firmwares exist for them.
3. So these devices only have one option: ntrcardhax.

--

Running steps:
0. Requirements: an ak2i, a 3DS with arm9 code execution (no DSi version of the installer yet; also @Kitlith is trying to make a Powersaves version), an N3DS on <= 10.3 (O3DS entrypoints not added currently) and a little Linux skill :)
1. download https://github.com/d3m3vilurr/Decrypt9WIP/releases/tag/20161113-ak2i
2. run the modded decrypt9wip; you can find the dump and inject menu in `Gamecart Dumper options`
3. dump ak2i
4. you can find `ak2i_flash.bin` on the sdcard (maybe in files9, decrypt9, or ...); copy it to your PC
5. you need to build https://github.com/d3m3vilurr/ntrcardhax/tree/more
```
git clone https://github.com/d3m3vilurr/ntrcardhax
cd ntrcardhax
git checkout more
cd auto_ntrcardhax
make
```
6. patch
```
python scripts/split.py ak2i_flash.bin
cp ak2i_flash.bin.out ak2i_flash81_ntrcardhax_template.bin # in my case this file's md5 checksum is a7c3ec29a2282981ba7946d608b8675d
./auto_ntrcardhax n 21288 # currently only supports n3ds systems; the 2nd argument is the target 3ds nand version, and only 9.0 ~ 10.3 are supported
```
7. copy ak2i_flash81_ntrcardhax.bin to the sdcard
8. inject ak2i
10. unzip https://github.com/d3m3vilurr/ntrcardhax/releases/tag/0.0-pre onto the target 3ds
11. rename any arm9 payload (like decrypt9wip.bin) to load.bin and copy it to the target 3ds's sdcard root.
12. launch hbl & launch ntrcardhax_arm11
13. insert the ak2i cartridge; if the system gets stuck, just retry steps 12~13

--

Next plan:
1. remove auto_ntrcardhax and merge the feature into the flasher.
2. make a flasher for NDS & NDSi

--

@Normmatt made all of this work; I just did code cleanup. :)
 

Kitlith

Well-Known Member
Newcomer
Joined
Jan 29, 2016
Messages
93
Trophies
0
Location
Trapped between a rock and a hard place
Website
kitl.pw
XP
218
Country
United States
> There was some work being done by @Kitlith with a RPi https://github.com/kitling/NTRPi/
> Not sure how far it has gone though.
So, this is the exact testcase I had in mind when I stopped implementing 'features' in NTRPi after I tried to implement reading the header. The only issue: the Pi may or may not be too slow. If the current variant of NTRPi doesn't work, I'm sure something could be hacked together for this case, but it won't be as versatile as originally intended. (It would be doing nothing else but pushing data out from a big, specially constructed buffer to the time of CLK.)

Maybe I should go work on a 'dumb' version of NTRPi that does exactly that, along with a build system to facilitate it, just in case.

> I guess 9.2 downgrades aren't possible for those consoles.
No, indeed, KOR/CHN/TWN N3DS' do not have a 9.2 to downgrade to. @d3m3vilurr has been working on getting NTRCardHax working for a while so that these consoles could, indeed, have a way to access arm9 and CFW/arm9loaderhax.

EDIT: And, right, I'm working on adapting Powerslaves, to be able to do the required ak2i stuff to get ntrcardhax up/running. I've got the dumping code down, I believe, so now the flashing code needs to be done. Hurrah.
 
Last edited by Kitlith,

pbanj

The "friendly" neighborhood sandwich
Member
Joined
Dec 29, 2014
Messages
2,746
Trophies
1
Location
in a ziploc
Website
pbanjin.space
XP
1,661
Country
United States
> AFAIK no developer has been able to replicate the issue, and no bricked NAND dumps were sent... so I'll just disregard it. There's no verifiable source that it actually even happened, just the word of a bunch of people

> Yeah, I'm expecting this method to be used mostly for consoles that have no other exploitable firmwares, like KOR/CHN/TWN N3DS'.

I sent @Aurora Wright bricked nand dumps and xorpads
 

Zidapi

Well-Known Member
Member
Joined
Dec 1, 2002
Messages
3,112
Trophies
3
Age
42
Website
Visit site
XP
2,681
Country
> People may be asking why do we need this when there's already a9 sploits on 9.2. Because, with this, we can use dgtool potentially to downgrade nfirm to 10.3 and just use ntrcardhax right there on firmware 11.x to install a9lh. In short, we can avoid the risk and trouble of ctrnand downgrades to 9.2 completely.
> AFAIK there's no pre-9.6 N3DS firmwares for KOR/CHN/TWN as well, so it'll come in handy for them.

> No, indeed, KOR/CHN/TWN N3ds' does no have a 9.2 to downgrade to
Well, this is great news for our friends in The East. Congrats to all involved in getting this far!
 

d3m3vilurr

Well-Known Member
Newcomer
Joined
Jun 2, 2016
Messages
51
Trophies
0
Age
39
XP
104
Country
Hello, I updated my modified applications.

## Inject ntrcardhax to AK2I
https://github.com/d3m3vilurr/Decrypt9WIP/releases

- now supports a one-step action; just choose `Auto NTRCARDHAX to AK2i`, which means no more need for any Linux skill, and steps 5~7 are removed
- but I still recommend backing up your ak2i bootrom
- `auto` is not really auto; you still need to select the target 3ds device type and nand version
- and now supports old 3ds

## ntrcardhax_arm11
https://github.com/d3m3vilurr/ntrcardhax/releases

- now can support 9.0~9.2; the original code only worked on 9.3~10.3 (but does anyone need this? ;))
 

Cuphat

Well-Known Member
Member
Joined
May 16, 2011
Messages
1,295
Trophies
1
XP
1,223
Country
United States
I assume you can restore the AK2i back to normal after?

Not super useful unless you have a console that doesn't have a 9.2 to downgrade to, but super useful if you do. Either way, that's neat. :)
 
Last edited by Cuphat,

Razor83

Well-Known Member
Member
Joined
Dec 23, 2009
Messages
391
Trophies
1
XP
1,758
Country
> Hello, I updated my modified applications.
>
> ## Inject ntrcardhax to AK2I
> https://github.com/d3m3vilurr/Decrypt9WIP/releases
>
> - now supports a one-step action; just choose `Auto NTRCARDHAX to AK2i`, which means no more need for any Linux skill, and steps 5~7 are removed
> - but I still recommend backing up your ak2i bootrom
> - `auto` is not really auto; you still need to select the target 3ds device type and nand version
> - and now supports old 3ds
>
> ## ntrcardhax_arm11
> https://github.com/d3m3vilurr/ntrcardhax/releases
>
> - now can support 9.0~9.2; the original code only worked on 9.3~10.3 (but does anyone need this? ;))
Really nice work!

Might it be possible to fix a bricked AK2i with this?
Also, any chance the code can be ported to the R4i Gold?

I believe the bootloader for both cards is stored on a 16Mbit flash memory chip:
Acekard 2i - SST39VF1681
R4i Gold - W25Q16BVSIG
 

proflayton123

The Temp Loaf'
Member
Joined
Jan 11, 2016
Messages
6,032
Trophies
1
Age
24
Location
日本
Website
www.facebook.com
XP
3,218
Country
Japan
> Hello, I updated my modified applications.
>
> ## Inject ntrcardhax to AK2I
> https://github.com/d3m3vilurr/Decrypt9WIP/releases
>
> - now supports a one-step action; just choose `Auto NTRCARDHAX to AK2i`, which means no more need for any Linux skill, and steps 5~7 are removed
> - but I still recommend backing up your ak2i bootrom
> - `auto` is not really auto; you still need to select the target 3ds device type and nand version
> - and now supports old 3ds
>
> ## ntrcardhax_arm11
> https://github.com/d3m3vilurr/ntrcardhax/releases
>
> - now can support 9.0~9.2; the original code only worked on 9.3~10.3 (but does anyone need this? ;))

Interesting, nice work :)
 

d3m3vilurr

Well-Known Member
Newcomer
Joined
Jun 2, 2016
Messages
51
Trophies
0
Age
39
XP
104
Country
> I assume you can restore the AK2i back to normal after?
>
> Not super useful unless you have a console that doesn't have a 9.2 to downgrade to, but super useful if you do. Either way, that's neat. :)
Yes, you can.
Just copy the dumped binary (named ak2i_flash.bin) to ak2i_patch.bin, then inject.

But probably your modded ak2i will work normally without a restore.

> Really nice work!
>
> Might it be possible to fix a bricked AK2i with this?
> Also, any chance the code can be ported to the R4i Gold?
>
> I believe the bootloader for both cards is stored on a 16Mbit flash memory chip:
> Acekard 2i - SST39VF1681
> R4i Gold - W25Q16BVSIG

Maybe it can be restored if you have a valid bootrom.
 
Last edited by d3m3vilurr,
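The thread's own advice is to back up the dumped `ak2i_flash.bin` before injecting anything, and to restore by copying that dump to `ak2i_patch.bin` and injecting it again; Razor83 also names the 16 Mbit flash parts the cards use. The script below is an added example written for this page, not code from Decrypt9WIP, ntrcardhax or d3m3vilurr's tools. It checks a dump before it is used as a template or kept as a restore image: the size must match a 16 Mbit part (assumed from the SST39VF1681 part number), the file must not be an all-0xFF or all-0x00 read, and the md5 is compared against the value d3m3vilurr reported for his own dump (a mismatch is only reported, since other carts may carry a different bootrom). The backup file name embeds the md5 so the restore step can refuse a corrupted or wrong-cart image. The sample data in `__main__` is constructed, not a real dump.

```python
"""Pre-flight checks for an AK2i flash dump, plus backup/restore staging.

Added example for this thread; not part of Decrypt9WIP or ntrcardhax.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Assumption: the AK2i bootloader sits on an SST39VF1681, a 16 Mbit part,
# so a complete dump is exactly 2 MiB.
FLASH_SIZE_BYTES = 16 * 1024 * 1024 // 8

# md5 d3m3vilurr reported for his own ak2i_flash.bin.out. Another cart may
# legitimately differ, so this is informational rather than a hard check.
REFERENCE_MD5 = "a7c3ec29a2282981ba7946d608b8675d"


def md5_hex(data: bytes) -> str:
    """Hex md5 of a byte string (the checksum quoted in the thread)."""
    return hashlib.md5(data).hexdigest()


def verify_dump(data: bytes, reference_md5: Optional[str] = REFERENCE_MD5) -> dict:
    """Run the sanity checks and return them as a dict.

    size_ok: length matches the flash part.
    blank:   every byte is 0xFF or every byte is 0x00, i.e. an erased part
             or a failed read rather than a real bootrom.
    usable:  size_ok and not blank; only then is the file worth patching
             or keeping as a restore image.
    """
    size_ok = len(data) == FLASH_SIZE_BYTES
    blank = len(data) > 0 and (
        data.count(0xFF) == len(data) or data.count(0x00) == len(data)
    )
    digest = md5_hex(data)
    return {
        "size": len(data),
        "size_ok": size_ok,
        "blank": blank,
        "md5": digest,
        "md5_matches_reference": reference_md5 is not None and digest == reference_md5,
        "usable": size_ok and not blank,
    }


def backup_dump(dump: Path, backup_dir: Path) -> Path:
    """Copy a usable dump to <backup_dir>/<name>.<md5>.bak and return that path.

    Embedding the md5 in the name lets the restore step confirm the backup
    still holds the exact bytes that were dumped.
    """
    data = dump.read_bytes()
    checks = verify_dump(data, reference_md5=None)
    if not checks["usable"]:
        raise ValueError(f"dump failed checks, not backing up: {checks}")
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"{dump.name}.{checks['md5']}.bak"
    shutil.copy2(dump, dest)
    return dest


def prepare_restore(backup: Path, patch_out: Path) -> Path:
    """Stage the restore d3m3vilurr describes: write the original dump out as
    ak2i_patch.bin so the normal inject step flashes the cart back to stock.

    The md5 embedded in the backup name is re-checked first, so a corrupted
    or wrong-cart file is never staged for flashing.
    """
    data = backup.read_bytes()
    expected = backup.suffixes[-2].lstrip(".")  # ".<md5>" sits before ".bak"
    checks = verify_dump(data, reference_md5=expected)
    if not (checks["usable"] and checks["md5_matches_reference"]):
        raise ValueError(f"backup failed checks, refusing to stage: {checks}")
    patch_out.write_bytes(data)
    return patch_out


if __name__ == "__main__":
    # Constructed stand-in for a real dump: a repeating byte pattern of the right size.
    sample = bytes(range(256)) * (FLASH_SIZE_BYTES // 256)
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "ak2i_flash.bin"
        dump.write_bytes(sample)
        print(verify_dump(sample))
        bak = backup_dump(dump, Path(tmp) / "backups")
        staged = prepare_restore(bak, Path(tmp) / "ak2i_patch.bin")
        print("backup:", bak.name, "staged:", staged.name)
```

Run it once against the real `ak2i_flash.bin` right after step 3 of the procedure and keep the `.bak` somewhere other than the SD card; if `usable` is false, redo the dump rather than patching it.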

VashTS

Beat it, son
Member
Joined
Mar 14, 2009
Messages
4,308
Trophies
1
Age
39
Location
Upstate NY
XP
3,764
Country
United States
> yes, you can.
> just copy dumped binary(named ak2i_flash.bin) to ak2i_patch.bin, then inject.
>
> but probably, your mod ak2i will work normal without restore.
>
> maybe can restore if you have valid bootrom.


Wait wait wait - does this mean I can launch decrypt9 from an AK2i on 10.3 and downgrade? if so that is friggin just what I needed to fix this frankenstein 3ds i have!
 

d3m3vilurr

Well-Known Member
Newcomer
Joined
Jun 2, 2016
Messages
51
Trophies
0
Age
39
XP
104
Country
> Wait wait wait - does this mean I can launch decrypt9 from an AK2i on 10.3 and downgrade? if so that is friggin just what I needed to fix this frankenstein 3ds i have!
If you have an `injected ak2i` and a 9.0~10.3 version 3ds, you can launch arm9 payloads (like luma3ds, safe a9lh installer, decrypt9wip, ...)
 
