Possible leeway to downgrade 10.5.0.30u

fuducker81 (OP)
Hello! I found this on the forums (posted by Apache Thunder):
Check https://www.3dbrew.org/wiki/3DS_System_Flaws. Read carefully about the section in "Hardware Flaws". The last entry:
FIRM partitions are encrypted with AES-CTR. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.

This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).

This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.
If you get your console NAND modded, you can have someone give you the decrypted FIRM0/FIRM1 of a 10.3 console and use that to downgrade your own FIRM partitions using that attack. Memchunkhax2 should then work correctly again, allowing a full downgrade of the system. ;)

As it states, don't attempt to downgrade FIRM to 9.5 or less. 10.2 FIRM (10.3 itself did not have a FIRM update) is what you want to use. Then you can downgrade to 9.2 with sysupdater (or the "safe" build. Whatever the cool kids are using these days. :P )

So it's still possible to downgrade a 10.4/10.5 system, but you will need a NAND mod to do so. Note that if you have a n3DS, you must use the n3DS version of the FIRM partition. If an o3DS (this attack will work on both hardware versions) is to be downgraded, then use the decrypted 10.2 FIRM partition from an o3DS. (The 2DS uses the same firmware, so one from that will work too; treat it the same as o3DS/o3DS XL FIRM.) Do not try and mix and match them. That should be obvious though. :P

Could this be the clue to downgrading 10.5.0.30u? If I'm comprehending this, you could get a Nand.bin of another 3DS that has 10.3.0.28u or 10.2.0.28u (same firmware), decrypt it, and overwrite the firmware partitions of another 3DS's 10.5.0.30u to downgrade it, just to use sysupdate?

Would overwriting the firmware partitions from another 3DS's Nand.bin dump theoretically work, or are the firmware partitions tied to the console? If so, is there a way to bypass this? I have a hardmodded 3DS which I can directly write to and read from NAND with, so I could try this out; all I would need is another person's dump of their 10.3.0.28u or 10.2.0.28u.

Sorry if this makes no sense, I've been up all night trying to figure this out. If anything needs clarification, or you have any information that could help this be achievable, let me know by replying in the thread. Thank you!

Wuigi
I think this was already mentioned by the KARL3DS team, good thing they finally wrote it into 3dbrew.
This is a thread related to the 3DS firmware that for a change isn't totally useless, really great contribution, wouldn't have seen this otherwise.
I already planned on doing a hardmod on the Pokémon Red 2DS that I've ordered, and now it's downgradeable with any firmware; that's good to hear.

OctopusRift
Hello! I found this on the forums (posted by Apache Thunder):
Could this be the clue to downgrading 10.5.0.30u? If I'm comprehending this, you could get a Nand.bin of another 3DS that has 10.3.0.28u or 10.2.0.28u (same firmware), decrypt it, and overwrite the firmware partitions of another 3DS's 10.5.0.30u to downgrade it, just to use sysupdate?

Would overwriting the firmware partitions from another 3DS's Nand.bin dump theoretically work, or are the firmware partitions tied to the console? If so, is there a way to bypass this? I have a hardmodded 3DS which I can directly write to and read from NAND with, so I could try this out; all I would need is another person's dump of their 10.3.0.28u or 10.2.0.28u.

Sorry if this makes no sense, I've been up all night trying to figure this out. If anything needs clarification, let me know in the thread. Thank you!
Well... all you need now is a kernel exploit to write to NAND! Or a hardmod!

fuducker81 (OP)
I have a 3DS with a hardmod that allows you to directly write to the NAND, so this would at least be semi-effective. My problem is I don't have a copy of a NAND dump of 10.3.0.28u (I would ask, but I'm not sure on the legal stance pertaining to it) or have a source to get one.

If this works, then we would look into kernel exploits.

Wuigi
Searching for the KARL3DS statement won't really be helpful; WulfyStylez just said to dump our NAND and that they think they have found a crazy vulnerability.

fuducker81 (OP)
Would it be illegal for someone to PM me with a link to one (nobody would know), or email me at [email protected] with a link to a NAND dump of 10.3.0.28u? I would continue looking, but I'm on my way home from work and haven't had sleep for about 2 days.

Xenon Hacks
What gets me is this bit "If you get your console nand modded, you can have someone give you the decrypted FIRM0/FIRM1 of a 10.3 console and use that to downgrade your own FIRM partitions using that attack. Memchunkhax2 should then work correctly again allowing a full downgrade of the system." This implies you can use any FIRM dump but I can only assume this is a typo and you need your own that was signed by your own console.

fuducker81 (OP)
Would you be able to decrypt another person's NAND dump and decrypt your own, and only flash the firmware partitions of each? Would there be an issue? If so, I propose a hypothesis that there is a key on the firmware partition. I will try to find another dump of 10.5.0.30u and compare it to mine with a hex compare tool. I will then try to overwrite different data of theirs onto mine and try to reflash it. If that works, then I can try to write a key to said firmware.

Apache Thunder
From what I understand, this is what I believe you must do.

You have to XOR a decrypted 10.4 FIRM0/FIRM1 file with the encrypted version from the target console you are downgrading. (There may be a tool that does this. Otherwise you can extract the combined FIRM0/FIRM1 partition from the NAND image of the console you're downgrading using a hex editor.)

The result is a xorpad that can be used to encrypt a 10.2 FIRM0/FIRM1.bin file. So you in fact need both the 10.4 decrypted FIRM0/FIRM1 and the 10.2 decrypted FIRM0/FIRM1 before you can correctly downgrade the FIRM partitions of the console you need to restore memchunkhax2 on. Of course you must use an exploitable console to obtain the decrypted 10.2 and 10.4 FIRM partitions needed for this. Decrypt9 I believe has support for generating the xorpads/decrypted bin files. (Though I think they are generated as separate files. You may need to merge them into one file; it will make the XORing process easier and more likely to work as intended.) If Decrypt9 can dump them decrypted, you don't need xorpads for the 10.4/10.2 FIRM partitions. Any method that gets a correct dump of decrypted versions of those FIRMs should suffice.

So to summarize, the decrypted version of the 10.4 FIRM is used to generate the xorpad of the console you are downgrading, by XORing it with the 10.4 version already encrypted on the console being downgraded. From there, you use that xorpad to encrypt a decrypted 10.2 FIRM for your console. Thus this should correctly downgrade FIRM to 10.2 and allow memchunkhax2 to work again.
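The 3dbrew entry quoted in the first post and the XOR recipe in Apache Thunder's post describe the same textbook failure: a stream cipher (here AES-CTR) whose keystream never changes between writes, so one known plaintext/ciphertext pair gives the keystream and any other plaintext can be re-encrypted under it. The following is an added example, not code from 3dbrew, Apache Thunder or anyone in this thread. It assumes a SHA-256 counter stream as a stand-in for AES-CTR (the only property used is that the cipher XORs data with a static keystream), uses constructed byte strings rather than real FIRM images, keys or partition layouts, and ends with an illustrative defender-side fix (authenticating the ciphertext together with an anti-rollback version) that is this example's own design, not what the console actually does.

```python
import hashlib
import hmac
from typing import Optional

# --- stand-in for AES-CTR (assumption: only the keystream-XOR property matters) ---
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block_i = H(key || nonce || i), concatenated and truncated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR."""
    return xor_bytes(data, keystream(key, nonce, len(data)))

# --- constructed sample data (not real firmware, keys or partition layouts) ---
CONSOLE_KEY = hashlib.sha256(b"constructed per-console key, unknown to the writer").digest()
STATIC_NONCE = b"\x00" * 16   # never changes between writes: this is the flaw
FIRM_NEW = b"[constructed] FIRM 10.4 image bytes, the version currently on NAND ....."
FIRM_OLD = b"[constructed] FIRM 10.2 image bytes, an older version ....."

def recover_pad(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """3dbrew's observation: known plaintext XOR ciphertext = keystream for that span."""
    return xor_bytes(known_plaintext, ciphertext)

def reencrypt_with_pad(pad: bytes, plaintext: bytes) -> bytes:
    """The XOR step from the post above: encrypt a different image with the recovered pad."""
    assert len(plaintext) <= len(pad), "the pad only covers the span of known plaintext"
    return xor_bytes(plaintext, pad)

def what_console_decrypts(partition: bytes) -> bytes:
    """The console side: decrypt whatever sits in the partition with its own key."""
    return ctr_crypt(CONSOLE_KEY, STATIC_NONCE, partition)

def downgrade_via_keystream_reuse() -> bytes:
    partition = ctr_crypt(CONSOLE_KEY, STATIC_NONCE, FIRM_NEW)  # contents of NAND today
    pad = recover_pad(FIRM_NEW, partition)   # needs the decrypted 10.4 image, not the key
    forged = reencrypt_with_pad(pad, FIRM_OLD)
    return what_console_decrypts(forged)     # the console now reads FIRM_OLD

# --- defender side (illustrative design): authenticate ciphertext + anti-rollback version ---
def seal(version: int, plaintext: bytes) -> bytes:
    ct = ctr_crypt(CONSOLE_KEY, STATIC_NONCE, plaintext)
    ver = version.to_bytes(4, "big")
    tag = hmac.new(CONSOLE_KEY, ver + ct, hashlib.sha256).digest()
    return ver + tag + ct

def open_sealed(blob: bytes, min_version: int) -> Optional[bytes]:
    """min_version is assumed to live in storage the writer cannot roll back (e.g. fuses)."""
    ver, tag, ct = blob[:4], blob[4:36], blob[36:]
    expected = hmac.new(CONSOLE_KEY, ver + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # ciphertext was altered
    if int.from_bytes(ver, "big") < min_version:
        return None                      # a genuine but older partition was replayed
    return ctr_crypt(CONSOLE_KEY, STATIC_NONCE, ct)

def downgrade_against_sealed_partition() -> Optional[bytes]:
    sealed = seal(104, FIRM_NEW)
    pad = recover_pad(FIRM_NEW, sealed[36:])      # keystream is still recoverable...
    forged_ct = reencrypt_with_pad(pad, FIRM_OLD)
    return open_sealed(sealed[:36] + forged_ct, min_version=104)  # ...but the tag no longer matches

def replay_old_sealed_partition() -> Optional[bytes]:
    # Writing back an authentic, older sealed partition is caught by the version floor.
    return open_sealed(seal(102, FIRM_OLD), min_version=104)

if __name__ == "__main__":
    print("keystream reuse:", downgrade_via_keystream_reuse() == FIRM_OLD)
    print("forged sealed partition accepted:", downgrade_against_sealed_partition() is not None)
    print("replayed old partition accepted:", replay_old_sealed_partition() is not None)
```

The first function is why the thread's recipe needs two decrypted images (the pad comes from the image currently on the console, the forged partition from the older one) and why the pad only covers as many bytes as the known plaintext does, which is the limitation the 3dbrew entry mentions. The sealed variant shows that changing the keystream is not the essential fix: once the ciphertext is bound to a version and a MAC keyed with something the writer does not have, recovering the keystream no longer lets the writer substitute a different image, and a minimum-version floor kept outside the partition stops replay of an authentic older one.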

fuducker81 (OP)
Amazing! That is amazing detail, Apache. If I can get a 10.3.0.28u/10.2.0.28u NAND dump I'll attempt it tomorrow. If it works, the next step is finding a kernel exploit we could use.