Please help regarding downgrading a Korean 3DS

Kyouma27

Active Member
OP
Newcomer
Joined
Jun 19, 2016
Messages
27
Trophies
0
Age
31
XP
60
Country
Indonesia
rxTools 3.0 Web-boot for entering Pasta Mode.
BigBlueMenu for installing the System CIAs to SysNAND in Pasta Mode.
FBI for deleting NAND titles which don't match.

Personally I recommend the same version number.
I used the QR code from rxTools 3.0 beta 2, no luck.

You must keep the 9.0 KOR SysNAND safe because it also contains the KOR SecureInfo_A and ticket.db.
You can use the spider ROP chain with the browser; it supports rxTools, ReiNand, and Gateway: http://dukesrg.github.io


He suggests region-changing SysNAND to JPN, USA, or EUR, then upgrading to 9.2, downgrading to 2.1 and dumping the OTP.
If you just need the EmuNAND feature, this work is not needed.
But if you want to use A9LH, you need a legit SecureInfo_A for the region change; if not, the device will brick.
Always back up your device's SysNAND before doing this.

BTW, I think you actually don't need to downgrade to 4.x; maybe you can region change directly on 9.0. @MelonGx's method shows this. :)

How exactly do I use spider? For example, if I want to use Gateway, do I enter http://dukesrg.github.io/?launcher.dat? Is this right? I tried this but had no luck.
You mean from 9.0 to 9.2? If I want to downgrade to 2.1 to get the OTP, must I create an EmuNAND just like in Plailect's guide and use OTPHelper?
 

d3m3vilurr

Well-Known Member
Newcomer
Joined
Jun 2, 2016
Messages
51
Trophies
0
Age
39
XP
104
Country
How exactly do I use spider? For example, if I want to use Gateway, do I enter http://dukesrg.github.io/?launcher.dat? Is this right? I tried this but had no luck.
You mean from 9.0 to 9.2? If I want to downgrade to 2.1 to get the OTP, must I create an EmuNAND just like in Plailect's guide and use OTPHelper?
1. Yes. Copy the .dat file to the SD card root, then open it in the browser. (Actually, I haven't tested this. If it still doesn't work, try another cakehax-supported application.)
2. If you want to downgrade to 2.1, you must do the region change before downgrading. KOR 3DS firmware < 4.x does not exist.
 

Kyouma27

1. Yes. Copy the .dat file to the SD card root, then open it in the browser. (Actually, I haven't tested this. If it still doesn't work, try another cakehax-supported application.)
2. If you want to downgrade to 2.1, you must do the region change before downgrading. KOR 3DS firmware < 4.x does not exist.
So far I can only use CakesFW, Decrypt9 and EmuNAND9. I tried launcher.dat/Gateway, rxTools, ReiNand and Luma but no luck >_< Is there any way to get to the Homebrew Launcher?
 

d3m3vilurr

So far I can only use CakesFW, Decrypt9 and EmuNAND9. I tried launcher.dat/Gateway, rxTools, ReiNand and Luma but no luck >_< Is there any way to get to the Homebrew Launcher?
No. HBL can only be launched in a higher-version EmuNAND. If Decrypt9 and EmuNAND9 work well for you, rxTools, ReiNand and Luma3DS can also work. Maybe you are missing something :(
 

Kyouma27

No. HBL can only be launched in a higher-version EmuNAND. If Decrypt9 and EmuNAND9 work well for you, rxTools, ReiNand and Luma3DS can also work. Maybe you are missing something :(
I don't know, but I tried many times and still no luck for me. If I change region on my EmuNAND and inject SecureInfo_A, then clone/restore EmuNAND to SysNAND, will it brick?
 

d3m3vilurr

I don't know, but I tried many times and still no luck for me. If I change region on my EmuNAND and inject SecureInfo_A, then clone/restore EmuNAND to SysNAND, will it brick?
I don't know that. I heard two different reports in a Korean forum: @OnMir said it worked, but another one said they got a brick.
It may be caused by an invalid SecureInfo, but I don't know the real reason.
 

leerz

Well-Known Member
Member
Joined
Jan 11, 2015
Messages
754
Trophies
0
Age
36
Location
Makati
Website
leerz25.sitesled.com
XP
2,185
Country
If you are able to run a CFW in 4.xK:
Run pasta mode/dev mode in rxTools, install the 9.2U CIAs
Then inject a SecureInfo_A of US region
You can opt to install 4.xU, then inject the SecureInfo, then upgrade to 9.2U
The SecureInfo inject must be done AFTER INSTALLING THE FW files or you will 100% brick
You need your xorpad to inject your SecureInfo via PC, but you can do this directly in rxTools and/or D9
I suggest you do this in EmuNAND first; if all goes well, flash it back to your SysNAND.
But technically you can do it directly if you know what you are doing.

Good luck!
 

d3m3vilurr

Btw I'm pretty sure you can use ntrcardhax to get your OTP.
Actually, ntrcardhax just supports ARM9 code execution; it does not mean `can dump OTP data`.

Ntrcardhax is pretty much dead anyway (I haven't heard anything new from it for months now)
sysupdater can be made to support up- or downgrading to 10.3, and versions below 10.3 can work with ntrcardhax. (And it will make many Korean N3DS users happy.)
normmatt's repo and kitling's stub repo look dead.
But normmatt's repo is only missing a few small points; someone could make the remaining parts. The best case is that normmatt shares his full work, and I'm still waiting for this.
Anyway, I'm also trying other options for ntrcardhax, but my work still fails. :-/
 

Tenshi_Okami

Well-Known Member
Member
Joined
Nov 3, 2015
Messages
1,490
Trophies
0
Age
25
XP
1,616
Country
Puerto Rico
Actually, ntrcardhax just supports ARM9 code execution; it does not mean `can dump OTP data`.
It can, since it can run ARM9 code execution, and that's just enough to get the OTP (by making some sort of MCU repeat thing; I need to reread the thing, I forgot all about it :c). But like you said, the ntrcardhax repo looks dead, and it doesn't look like it will come back, so...
 

d3m3vilurr

It can, since it can run ARM9 code execution, and that's just enough to get the OTP (by making some sort of MCU repeat thing; I need to reread the thing, I forgot all about it :c). But like you said, the ntrcardhax repo looks dead, and it doesn't look like it will come back, so...
1. You mean it can dump the OTP on 10.3? Huh?
If that is real, why do we try to downgrade to 2.x? In the 3dbrew article (https://www.3dbrew.org/wiki/OTP_Registers), the OTP section has been protected since 3.0.
Maybe you mean brute-force finding (https://gbatemp.net/threads/tool-arm9loaderhax-keyfinder.427095)?
But it is....

2. normmatt already implemented the full work (including the AK2i dumper/flasher); he said the remaining parts could have license issues, so he did not open that.
I have never seen an Acekard open-source repo, so I don't know the original license.
Also, I cannot contact the Acekard team :(

ahezard's woodrpg forwarder (https://github.com/ahezard/woodrpg_forwarder) has Acekard's files. They are licensed under GPLv3.
If the file normmatt used is the same as that, I think normmatt's work should be GPLv3. But reversed code from the official flasher could be a license violation. :(
But the official flasher contains code that looks the same as the forwarder's.
 

Tenshi_Okami

1. You mean it can dump the OTP on 10.3? Huh?
If that is real, why do we try to downgrade to 2.x? In the 3dbrew article (https://www.3dbrew.org/wiki/OTP_Registers), the OTP section has been protected since 3.0.
Maybe you mean brute-force finding (https://gbatemp.net/threads/tool-arm9loaderhax-keyfinder.427095)?
But it is....

2. normmatt already implemented the full work (including the AK2i dumper/flasher); he said the remaining parts could have license issues, so he did not open that.
I have never seen an Acekard open-source repo, so I don't know the original license.
Also, I cannot contact the Acekard team :(

ahezard's woodrpg forwarder (https://github.com/ahezard/woodrpg_forwarder) has Acekard's files. They are licensed under GPLv3.
If the file normmatt used is the same as that, I think normmatt's work should be GPLv3. But reversed code from the official flasher could be a license violation. :(
But the official flasher contains code that looks the same as the forwarder's.

I read that way before, that people could dump the OTP on 9.6 by some MCU rebooting, but idk if it worked or not. Please do not think that this could be another way to get the OTP, cause I don't remember how it worked and people said it would cost a lot of money to do for something you can do for free by downgrading... so
 

d3m3vilurr

I read that way before, that people could dump the OTP on 9.6 by some MCU rebooting, but idk if it worked or not. Please do not think that this could be another way to get the OTP, cause I don't remember how it worked and people said it would cost a lot of money to do for something you can do for free by downgrading... so
I read the 3dbrew system flaws page; I think it looks at the OTP hash key and the 0x11 key data. But otp.bin is not a hash key; much of the information requires < 3.0 firmware.
Also, KOR N3DS firmware below 9.6 does not exist, so we just do brute force.

Anyway, if we can execute an ARM9 exploit, we just change region, and it will solve many problems... Korean region s*cks. :-(
 

Tenshi_Okami

I read the 3dbrew system flaws page; I think it looks at the OTP hash key and the 0x11 key data. But otp.bin is not a hash key; much of the information requires < 3.0 firmware.
Also, KOR N3DS firmware below 9.6 does not exist, so we just do brute force.

Anyway, if we can execute an ARM9 exploit, we just change region, and it will solve many problems... Korean region s*cks. :-(
There is, however, a method to dump the hash of the OTP on version 9.6.0-X. Because Kernel9Loader does not clear the SHA_HASH register after it has been used, dumping the SHA_HASH will give the hash of the OTP which was handed over to Kernel9 from Kernel9Loader. In addition, there is a long standing vulnerability where an MCU reboot caused by the i2c will not clear RAM like it's supposed to.

This allows for a hardware based attack where arbitrary data is written to nand_sector96+0x10 in a SysNAND backup and flashed to the device. Afterwards we wire the i2c to MCU reboot on our command, write a payload (which will write 0x1000A040 - 0x1000A060 to a file on the SD card) to arm9 memory somewhere, fill all memory with a NOP sled followed by a JMP instruction pointing to the payload. We can then MCU reboot repeatedly (incrementing nand_sector96+0x10 by 1 each time) until the Kernel9Loader jumps to the payload by random chance.

Because of the complexity and extra hardware involved in the method described above, I have decided to limit the scope of this guide strictly to the software based approach of downgrading to a version below 3.0.0-X. Version 2.1.0-X was selected because it is the only version below 3.0.0-X that contains a fully exploitable browser version (2.0.0-X has a partially exploitable browser, but it won't work for other reasons).
 
Last edited by Tenshi_Okami. Reason: I dun goof and said something dumb
