Hello! I found this on the forums (posted by Apache Thunder):
Could this be the clue to downgrading 10.5.0.30u? If I'm comprehending this, you could get a Nand.bin of another ds that has 10.3.0.28u or 10.2.0.28u (same firmware), decrypt it, and overwrite the firmware partitions of another ds's 10.5.0.30u to downgrade it just to use sysupdate?
Would overwriting the firmware partitions from another 3DS's Nand.bin dump theoretically work, or are the firmware partitions tied to the console? If so, is there a way to bypass this? I have a hardmodded 3DS which I can directly read from and write to NAND with, so I could try this out; all I would need is another person's dump of their 10.3.0.28u or 10.2.0.28u.
Sorry if this makes no sense, I've been up all night trying to figure this out. If anything needs clarification, or you have any information that could help this be achievable, let me know by replying in the thread. Thank you!
Check https://www.3dbrew.org/wiki/3DS_System_Flaws. Read carefully about the section in "Hardware Flaws". The last entry:
FIRM partitions are encrypted with AES-CTR. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.
If you get your console nand modded, you can have someone give you the decrypted FIRM0/FIRM1 of a 10.3 console and use that to downgrade your own FIRM partitions using that attack. Memchunkhax2 should then work correctly again allowing a full downgrade of the system.
As it states, don't attempt to downgrade FIRM to 9.5 or less. 10.2 FIRM (10.3 itself did not have a FIRM update) is what you want to use. Then you can downgrade to 9.2 with sysupdater (or the "safe" build, whatever the cool kids are using these days).
So it's still possible to downgrade a 10.4/10.5 system, but you will need a NAND mod to do so. Note that if you have a n3DS, you must use the n3DS version of the FIRM partition. If an o3DS is to be downgraded (this attack will work on both hardware versions), then use the decrypted 10.2 FIRM partition from an o3DS (the 2DS uses the same firmware, so one from that will work too; treat it the same as o3DS/o3DS XL FIRM). Do not try to mix and match them. That should be obvious though.
Last edited by fuducker81,
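The keystream-reuse attack that the quoted 3dbrew entry describes, as an added example (not code from this thread, from Apache Thunder, or from 3dbrew). Everything here is a model: a SHA-256 counter-mode generator keyed with a constructed "per-console key" stands in for the real per-console AES-CTR keystream, because the attack never needs to know the key or the cipher, only that the keystream for a given partition is fixed; the FIRM images and the partition size are constructed, and the length check that refuses an oversized target is a simplification of the real constraint (in a real FIRM the known-plaintext coverage is per section offset, which is what the "header skip" mitigation in the quote is about).

```python
"""Keystream reuse against a CTR-encrypted firmware partition (added example, modelled)."""
import hashlib

PARTITION_SIZE = 4096  # constructed; a real FIRM partition is much larger


def keystream(console_key: bytes, length: int) -> bytes:
    """Stand-in for the per-console CTR keystream of one FIRM partition.

    SHA-256 in counter mode replaces AES-CTR here. The attack functions below never
    look inside this; they rely only on the keystream being fixed for the partition,
    which is exactly the property the 3dbrew entry describes.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(console_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def write_firm(console_key: bytes, firm: bytes) -> bytes:
    """What the console does: encrypt the FIRM image, zero-padded to the partition size."""
    if len(firm) > PARTITION_SIZE:
        raise ValueError("FIRM does not fit in the partition")
    image = firm + b"\x00" * (PARTITION_SIZE - len(firm))
    return xor_bytes(image, keystream(console_key, PARTITION_SIZE))


def read_firm(console_key: bytes, partition: bytes) -> bytes:
    """What the boot path does: decrypt the partition (CTR decryption is the same XOR)."""
    return xor_bytes(partition, keystream(console_key, PARTITION_SIZE))


def recover_keystream(partition: bytes, known_firm: bytes) -> bytes:
    """Attacker step 1: ciphertext XOR known plaintext = keystream, for the bytes covered.

    known_firm is the decrypted FIRM of the *same* hardware type and version that is
    currently installed, e.g. obtained from another console's dump. No key is needed.
    """
    return xor_bytes(partition[: len(known_firm)], known_firm)


def forge_partition(partition: bytes, known_firm: bytes, target_firm: bytes) -> bytes:
    """Attacker step 2: re-encrypt a different FIRM with the recovered keystream.

    Only the first len(known_firm) bytes of keystream are known, so a target that is
    larger than the known plaintext cannot be encrypted correctly. This is the modelled
    reason the attack allows "minor" downgrades only.
    """
    ks = recover_keystream(partition, known_firm)
    if len(target_firm) > len(ks):
        raise ValueError(
            f"only {len(ks)} keystream bytes recovered, target needs {len(target_firm)}"
        )
    forged_head = xor_bytes(target_firm, ks[: len(target_firm)])
    # Bytes past the target are left as they were: that keystream was never learned.
    # Assumption of this model: the loader only uses what the target FIRM describes.
    return forged_head + partition[len(forged_head):]


if __name__ == "__main__":
    key = b"constructed-per-console-key"          # attacker never sees this
    firm_new = b"FIRM" + bytes([0x0A]) * 2000      # constructed: installed, newer, larger
    firm_old = b"FIRM" + bytes([0x09]) * 1500      # constructed: older, smaller, fits
    nand_part = write_firm(key, firm_new)          # what a NAND dump of this console holds
    forged = forge_partition(nand_part, firm_new, firm_old)
    print("console now decrypts the old FIRM:",
          read_firm(key, forged)[: len(firm_old)] == firm_old)
```

Two points the model makes concrete: the attacker only ever touches ciphertext and someone else's decrypted FIRM, never the console's key, which is why a NAND mod plus a donor dump is enough; and the known plaintext must match the installed partition byte for byte, which is why the donor FIRM has to come from the same hardware type (o3DS/2DS vs n3DS) and the same installed version.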