Possible leadway to downgrade 10.5.0.30u

Discussion in '3DS - Flashcards & Custom Firmwares' started by fuducker81, Jan 30, 2016.

  1. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    Hello! I found this on the forums (posted by Apache Thunder):
    Could this be the clue to downgrading 10.5.0.30u? If I'm comprehending this, you could get a Nand.bin of another DS that has 10.3.0.28u or 10.2.0.28u (same firmware), decrypt it, and overwrite the firmware partitions of another DS's 10.5.0.30u to downgrade it just to use sysupdate?

    Would overwriting the firmware partitions from another Nand.bin dump of another 3DS theoretically work, or are the firmware partitions tied to the console? If so, is there a way to bypass this? I have a hardmodded 3DS which I can directly write to and read from NAND with, so I could try this out; all I would need is another person's dump of their 10.3.0.28u or 10.2.0.28u.

    Sorry if this makes no sense, I've been up all night trying to figure this out. If anything needs clarification, or you have any information that could help this be achievable, let me know by replying in the thread. Thank you!
     
    Last edited by fuducker81, Jan 30, 2016


  2. Wuigi

    Wuigi GBAtemp Fan

    Member
    Sep 14, 2012
    United States
    I think this was already mentioned by the KARL3DS team, good thing they finally wrote it into 3dbrew.
    This is a thread related to the 3DS firmware that for a change isn't totally useless, really great contribution, wouldn't have seen this otherwise.
    I already planned on doing a hardmod on the Pokémon Red 2DS that I've ordered, and now it's downgradeable with any firmware; that's good to hear.
     
    Last edited by Wuigi, Jan 30, 2016
  3. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    I will have to look into KARL3DS's statement, as that might be very helpful in cracking this. Thanks!
     
  4. OctopusRift

    OctopusRift GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

    Member
    Nov 19, 2014
    Saint Kitts and Nevis
    Well... all you need now is a Kernel exploit to write to nand! Or a hard mod!
     
  5. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    I have a 3DS with a hard mod that allows you to directly write to the NAND, so this would at least be semi-effective. My problem is I don't have a copy of a NAND dump of 10.3.0.28u (I would ask, but I'm not sure on the legal stance pertaining to it) or have a source to get one.

    If this works, then we would look into kernel exploits.
     
    Last edited by fuducker81, Jan 30, 2016
  6. Wuigi

    Wuigi GBAtemp Fan

    Member
    Sep 14, 2012
    United States
    Searching for the KARL3DS statement won't be really helpful, WulfyStylez just said to dump our NAND and they think they have found a crazy vulnerability.
     
  7. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    Ah. Is it legal to share dumps of NAND online?
     
  8. Xenon Hacks

    Xenon Hacks GBAtemp Guru

    Member
    Nov 13, 2014
    United States
    Here unfortunately no, this site is out of US territory but is scared for some reason.
     
  9. James310

    James310 GBAtemp Advanced Fan

    Member
    Oct 4, 2015
    United States
    Somewhere in California
    Here? No. ISO sites, yes.
     
  10. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    Would it be illegal for someone to PM me with a link to one (nobody would know) or email me at fuducker81@gmail.com with a link to a NAND dump of 10.3.0.28u? I would continue looking, but I'm on my way home from work and haven't had sleep for about 2 days.
     
  11. Xenon Hacks

    Xenon Hacks GBAtemp Guru

    Member
    Nov 13, 2014
    United States
    What gets me is this bit "If you get your console nand modded, you can have someone give you the decrypted FIRM0/FIRM1 of a 10.3 console and use that to downgrade your own FIRM partitions using that attack. Memchunkhax2 should then work correctly again allowing a full downgrade of the system." This implies you can use any FIRM dump but I can only assume this is a typo and you need your own that was signed by your own console.
     
  12. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    Would you be able to decrypt said NAND dump of another person's and decrypt your own, and only flash the firmware partitions of each? Would there be an issue? If so, I propose a hypothesis of there being a key on the firmware partition. I will try to find another dump of 10.5.0.30u and compare it to mine with a hex compare tool. I will then try to overwrite different data of theirs to mine and try to reflash it. If that works, then I can try to write a key to said firmware.
     
    Last edited by fuducker81, Jan 30, 2016
  13. Xenon Hacks

    Xenon Hacks GBAtemp Guru

    Member
    Nov 13, 2014
    United States
    @Apache Thunder I know you're busy most of the time on the other site, but can you clarify the bit I underlined?
     
  14. Apache Thunder

    Apache Thunder I have cameras in your head!

    Member
    Oct 7, 2007
    United States
    Levelland, Texas
    From what I understand this is what I believe you must do.

    You have to XOR a decrypted 10.4 FIRM0/FIRM1 file with the encrypted version from the target console you are downgrading. (There may be a tool that does this. Otherwise you can extract the combined FIRM0/FIRM1 partition from the NAND image of the console you're downgrading using a hex editor.)

    The result is a xorpad that can be used to encrypt a 10.2 FIRM0/FIRM1.bin file. So you in fact need both a 10.4 decrypted FIRM0/FIRM1 and a 10.2 decrypted FIRM0/FIRM1 before you can correctly downgrade the FIRM partitions of the console you need to restore memchunkhax2 on. Of course you must use an exploitable console to obtain the decrypted 10.2 and 10.4 FIRM partitions needed for this. Decrypt9 I believe has support for generating the xorpads/decrypted bin files. (Though I think they are generated as separate files. You may need to merge them into one file. It will make the XORing process easier and more likely to work as intended.) If Decrypt9 can dump them decrypted, you don't need xorpads for the 10.4/10.2 FIRM partitions. Any method that gets a correct dump of decrypted versions of those FIRMs should suffice.

    So to summarize, the decrypted version of the 10.4 FIRM is used to generate the xorpad of the console you are downgrading by XORing it with the encrypted version of it, i.e. the 10.4 version already encrypted on the console being downgraded. From there, you use that xorpad to encrypt a decrypted 10.2 FIRM for your console. Thus this should correctly downgrade FIRM to 10.2 and allow memchunkhax2 to work again.
     
    Last edited by Apache Thunder, Jan 30, 2016
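The XOR arithmetic in the post above, written out as an added example that is not code from this thread or from any 3DS tool. It also answers the earlier question of whether the FIRM partitions are tied to the console: the recovered xorpad is the console's own keystream, so a pad from console A does not decrypt correctly on console B. The keystream generator here is a constructed stand-in (SHA-256 in counter mode) for the console-unique AES-CTR that the real hardware uses, and all "FIRM" data is constructed sample bytes.

```python
import hashlib


def keystream(console_key: bytes, length: int) -> bytes:
    """Constructed stand-in for a per-console CTR keystream: block i = SHA-256(key || i).
    The real 3DS FIRM partitions use AES-CTR with a console-unique key; this toy keeps the
    one property the thread relies on: the keystream depends only on key and position."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(console_key + counter.to_bytes(16, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_firm(console_key: bytes, plain: bytes) -> bytes:
    # How the (simulated) console stores a FIRM partition on NAND.
    return xor_bytes(plain, keystream(console_key, len(plain)))


def derive_xorpad(decrypted_firm: bytes, encrypted_firm: bytes) -> bytes:
    """Step 1 of the post: known plaintext XOR ciphertext recovers the keystream (xorpad)."""
    if len(decrypted_firm) != len(encrypted_firm):
        raise ValueError("decrypted and encrypted FIRM must be the same length")
    return xor_bytes(decrypted_firm, encrypted_firm)


def reencrypt_with_xorpad(xorpad: bytes, new_decrypted_firm: bytes) -> bytes:
    """Step 2: XOR a different plaintext with the same pad. Only bytes covered by the
    recovered pad can be produced, so the replacement cannot be longer than the known one."""
    if len(new_decrypted_firm) > len(xorpad):
        raise ValueError("replacement FIRM is longer than the recovered xorpad")
    return xor_bytes(new_decrypted_firm, xorpad[: len(new_decrypted_firm)])


def demo() -> tuple:
    # Constructed sample data, not real FIRM images or real console keys.
    key_a, key_b = b"console-A-unique-key", b"console-B-unique-key"
    firm_104_plain = b"FIRM 10.4 (constructed sample)".ljust(64, b"\x00")
    firm_102_plain = b"FIRM 10.2 (constructed sample)".ljust(64, b"\x00")
    enc_104_on_a = encrypt_firm(key_a, firm_104_plain)
    pad_a = derive_xorpad(firm_104_plain, enc_104_on_a)
    enc_102_for_a = reencrypt_with_xorpad(pad_a, firm_102_plain)
    # Console A's own keystream decrypts the re-encrypted image correctly ...
    ok_on_a = xor_bytes(enc_102_for_a, keystream(key_a, 64)) == firm_102_plain
    # ... but the same bytes on console B decrypt to garbage: the pad is per-console.
    ok_on_b = xor_bytes(enc_102_for_a, keystream(key_b, 64)) == firm_102_plain
    return ok_on_a, ok_on_b
```

The same property is why a stream cipher or CTR-mode keystream must never be reused under one key and counter: one known plaintext exposes the pad for every other message encrypted with it.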
  15. Memoir

    Memoir A Hero to Zero

    Member
    Jun 24, 2007
    United States
    Wyoming
    I can see downgrade services coming in the near future..
     
  16. OctopusRift

    OctopusRift GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

    Member
    Nov 19, 2014
    Saint Kitts and Nevis
    "Discovered by:

    Everybody"

    What???
     
  17. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    Amazing! That is amazing detail, Apache. If I can get a 10.3.0.28u/10.2.0.28u NAND dump I'll attempt it tomorrow. If it works, the next step is finding a kernel exploit we could use.
     
  18. loco365

    loco365 GBAtemp Guru

    Member
    Sep 1, 2010
    I wouldn't share them online. If the dump gets into the wrong hands, you could be issued a console ban because your serial number is also stored in the NAND, if memory serves.
     
  19. fuducker81
    OP

    fuducker81 Member

    Newcomer
    Jan 30, 2016
    United States
    Inwood, Wv
    Would anybody have an idea, besides ISO sites, of where I could get one? I can't get one physically; all my friends updated too.
     
  20. OctopusRift

    OctopusRift GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

    Member
    Nov 19, 2014
    Saint Kitts and Nevis
    Haha, nope, but ask some devs.