Hacking [PoC] 3DS Region Changing + proof

[sneef]

(TM)

roflmao GW inside jokes ftw

 

[SolidSnail55]

it's just information, not dead, i'm just busy. soon

can I create a NNID on the other region to download demos?

 

[Wowfunhappy]

Still anxiously awaiting this!

 

[andre104623]

This will be the biggest hack since downgrading. Now people like me that have a jpn New 3ds can have USA emunand words can't explain how cool this is. Thank you cherp and everyone else helping making this

 

[Kieran]

Hypothetically, If you were to insert the region-changing to the sysNAND of a Japanese n3DS and change the region to North America, would you be able to system transfer from another North American 3DS to the changed system? If so this is quite possibly the greatest thing ever!

 

[gamesquest1]

Hypothetically, If you were to insert the region-changing to the sysNAND of a Japanese n3DS and change the region to North America, would you be able to system transfer from another North American 3DS to the changed system? If so this is quite possibly the greatest thing ever!

pretty sure there was eshop issues......not sure if it was down to NNID or just that there is more to the authentication than whats being edited here, meaning without even more spoofing and stuff system transfers probably wouldn't be possible......also if you did this to sysnand, you would need to update to the latest FW, which would mean its irreversible (at-least until someone plucks up the courage to test if n3ds hardware mod downgrading works)

 

[WulfyStylez]

Yellows8 published a gist detailing a method to change region today. I don't know if it's the same as yours, but here it is: https://gist.github.com/yellows8/f15be7a51c38cea14f2c
I've no clue if GW patches that check yet, but I can verify it works if you do.

 

[cearp]

Yellows8 published a gist detailing a method to change region today. I don't know if it's the same as yours, but here it is: https://gist.github.com/yellows8/f15be7a51c38cea14f2c
I've no clue if GW patches that check yet, but I can verify it works if you do.

ha saves me the effort of making a guide, i have been sick recently and not wanting to put much effort into stuff, i'm sure it is the same method (i can't view it right now)
i will see if he put info on how to get eshop working

-- yes, exactly what i was doing, i emailed gw a while ago to see if they would patch that function, they said they will see...
so, until then, that is why we need to take the file from a legit 3ds, so that the signature patches are intact





--edit again, and here is the little guide i finally found about how to get eshop working, but i have not tested it. (thanks to tanglangxia, he told me this and used online translate to put it into english)

USA eshop work + USA NNID=A SDSD card
USA eshop work+no NNID=B SDSD card（Bridge）
EUR no eshop+EUR NNID=C SDSD card

1.A card is properly identified ESHOP

2.In other B card, run eshop an error number 110

3.Shutdown

4.Run C card, run the eshop EUR
You can log in to work! ! !

 

[boomie0123]

(i can't view it right now) i will see if he put info on how to get eshop working

Here you go!

Spoiler

This gist was created on Sep 9, 2014.
Only do this under nand-redir, it is not possible to modify the RSA-signed CTRNAND SecureInfo file on physnand without causing a brick. eShop won't be accessible with this.

This requires the CTRNAND xorpad for your system, and the RSA sig-check for VerifyRsaSha256(mentioned below) to be patched out. The latter isn't done by GW at the time of writing.

1) Rename the directory under "Nintendo 3DS" for this system, if you don't want to lose it during system-format later(if you do sysformat at all).
2) Install the system titles for the target region. If can you patch NIM, then it's easier to do that, otherwise install those titles via other means then goto #4. If you patch NIM, patch the CountryCode and RegionId which it would normally use, with the region text of the target region.
3) When NIM was patched: start a system-update under system-settings, it will now download+install the target region system titles(even when you're on the latest sysupdate for the original region).
4) Start a system-format under system-settings, once finished the system will reboot. Other options instead of sysformat are: modify the unsigned portion of the keyY in movable.sed stored in CTRNAND, or just delete the CTRNAND directory under /data: http://3dbrew.org/wiki/Flash_Filesystem
5) Here, modify the CTRNAND SecureInfo region value to the target region(requires mounting your plaintext CTRNAND partition). http://3dbrew.org/wiki/Nandrw/sys/SecureInfo_A This of course requires that the RSA sig-check for this to be patched out(specifically, VerifyRsaSha256: http://3dbrew.org/wiki/Process_Services_PXI).
6) Boot the system and do the system-setup.
7) Done, successful region-change.

Looks like there's no info on how to get eshop working.

I gotta go figure out what some of those words mean... (NIM, CTRNAND, RsaSha, etc etc)

 

[cearp]

ok, so basically, just download the system fw cias for the region you want.
if you are on 4.x, i recommend to download the 5.0 cias. you could download the 9.x ones straight away but then you will have to worry about not getting the n3ds fw titles too. with 5.0 you do not need to worry about that.
go to devmenu, install the cias, and turn off.
go inside the nand, replace the SecureInfo_A (sometimes_B) file with the one from the region that you want to change to. (this will change your console id to that console, i guess it would also 'unban' you if you are banned, like you could use the file from a 3ds of your same region, so, jpn-jpn, and it would unban you etc)
you can tidy up the nand by deleting the system fw titles that do not exist in your new region that you changed to. - i made a small python tool to check and find the differences, i could also make it automatically delete them for you, but that would only really work for me on mac since i can mount the fat16 partiton nicely by naming it '.iso', on windows i doubt it is that simple etc. - anyway it is not required to delete the unneeded leftover system titles but you will have duplicated of stuff, like camera, system settings... etc etc. also things behind the scenes as well.
when you boot up you will be in the new region, and you can update to the latest fw if you want.
eshop might work, some people said for them it worked first time, 'lucky', but try the little guide i shared above.
this can be done on sysnand or emunand. (but if we were to get gw to patch the function, or get that done in a CFW, then it would not be possible on sysnand without using a legit file form another 3ds)

i made a tool to dump and inject the SecureInfo_A file from sysnand/emunand, it only works for sysnand 4.x, i can share it soon

 

[guitarheroknight]

This sounds very promising!

 

[SolidSnail55]

ok, so basically, just download the system fw cias for the region you want.
if you are on 4.x, i recommend to download the 5.0 cias. you could download the 9.x ones straight away but then you will have to worry about not getting the n3ds fw titles too. with 5.0 you do not need to worry about that.
go to devmenu, install the cias, and turn off.
go inside the nand, replace the SecureInfo_A (sometimes_B) file with the one from the region that you want to change to. (this will change your console id to that console, i guess it would also 'unban' you if you are banned, like you could use the file from a 3ds of your same region, so, jpn-jpn, and it would unban you etc)
you can tidy up the nand by deleting the system fw titles that do not exist in your new region that you changed to. - i made a small python tool to check and find the differences, i could also make it automatically delete them for you, but that would only really work for me on mac since i can mount the fat16 partiton nicely by naming it '.iso', on windows i doubt it is that simple etc. - anyway it is not required to delete the unneeded leftover system titles but you will have duplicated of stuff, like camera, system settings... etc etc. also things behind the scenes as well.
when you boot up you will be in the new region, and you can update to the latest fw if you want.
eshop might work, some people said for them it worked first time, 'lucky', but try the little guide i shared above.
this can be done on sysnand or emunand. (but if we were to get gw to patch the function, or get that done in a CFW, then it would not be possible on sysnand without using a legit file form another 3ds)

i made a tool to dump and inject the SecureInfo_A file from sysnand/emunand, it only works for sysnand 4.x, i can share it soon

where do you get system fw cias? or do we have to wait...

 

[WulfyStylez]

where do you get system fw cias? or do we have to wait...

https://gbatemp.net/threads/release...ds-fw-contents-create-installable-cia.375993/

 

[SolidSnail55]

https://gbatemp.net/threads/release...ds-fw-contents-create-installable-cia.375993/

yeah, but I only have one 3ds (US), so I can't get other region fw

 

[WulfyStylez]

yeah, but I only have one 3ds (US), so I can't get other region fw

This works entirely independent of your console.

 

[SolidSnail55]

This works entirely independent of your console.

hmm... So I can get JPN fw cia from a US 3ds?

 

[boomie0123]

anyway it is not required to delete the unneeded leftover system titles but you will have duplicated of stuff, like camera, system settings... etc etc. also things behind the scenes as well.

Could you just remove the duplicate cias with devmenu or a cia manager? Better than having to go through the hassle of making a script to double check it all.

this can be done on sysnand or emunand. (but if we were to get gw to patch the function, or get that done in a CFW, then it would not be possible on sysnand without using a legit file form another 3ds)

And by legit file, you mean actually extracting one from a target region 3DS. So then would getting a 3DS file and putting it on a 3DS XL work? (Or vice versa) And when ever gateway gets N3DS supprt (SOON™)Could you use a 3DS file on a N3DS? Or a N3DSXL file on a N3DS? I know there's not a solid answer for that, but at least a guess would be cool.

Also, thanks a bunch for making that guide a hell of a lot easier to understand! Seems pretty simple out of ten honestly.

 

[WulfyStylez]

Could you just remove the duplicate cias with devmenu or a cia manager? Better than having to go through the hassle of making a script to double check it all.

Pretty sure devmenu doesn't list system titles.

And by legit file, you mean actually extracting one from a target region 3DS. So then would getting a 3DS file and putting it on a 3DS XL work? (Or vice versa) And when ever gateway gets N3DS supprt (SOON™)Could you use a 3DS file on a N3DS? Or a N3DSXL file on a N3DS? I know there's not a solid answer for that, but at least a guess would be cool.

You need to extract one from a target region 3DS, yes. There's currently no public way around that since that file is RSA signed. (Of course, if you've done any exploit dev on 3DS it's pretty easy to patch out)
SecureInfo_A is definitely the same between 3DS and 3DS XL, but I can't say for sure about 3DS vs N3DS. It's likely it'll be the same.
Oh, and even if you did patch out checks, you'd still need a legitimate SecureInfo_A to change the region of sysnand unless you had some mad boothax.

 

[cearp]

Could you just remove the duplicate cias with devmenu or a cia manager? Better than having to go through the hassle of making a script to double check it all.
And by legit file, you mean actually extracting one from a target region 3DS. So then would getting a 3DS file and putting it on a 3DS XL work? (Or vice versa) And when ever gateway gets N3DS supprt (SOON™)Could you use a 3DS file on a N3DS? Or a N3DSXL file on a N3DS? I know there's not a solid answer for that, but at least a guess would be cool.

Also, thanks a bunch for making that guide a hell of a lot easier to understand! Seems pretty simple out of ten honestly.

you cannot remove system titles with devmenu (maybe with that 'bigredmenu' thing? i'm not too sure)
it only takes a few minutes if you have your nand dump and xorpad.
yes if you want to change from EUR to USA, you need a USA 3ds to take the file from. there is no difference between the 3ds/xl/2ds etc, the file will be the same, i am sure the new3ds one would be the same too.
no problem about making the guide easier to understand!

 

[WulfyStylez]

On second thought, patching VerifyRsaSha256 would actually allow people to spoof consoles (and do other things which I won't explicitly outline here since pirates are awful). However, it would also allow perfectly genuine consoles to get banned over as little as showing a serial number on eBay, and thus I'm not planning on publicly releasing anything to do this...