Possible to xorpad ENTIRE NAND?

Discussion in '3DS - Flashcards & Custom Firmwares' started by drfsupercenter, Mar 16, 2015.

  1. drfsupercenter
    OP

    drfsupercenter Flash Cart Aficionado

    Member
    1,898
    234
    Mar 26, 2008
    United States
    Got a question that I'm not sure has been asked before.

    I know we can use VOiD's multi-decrypter to create a xorpad of the NAND FAT16 partition, and decrypt that portion of it using xor.

    What I'd like to do is to try to modify the contents of my NAND from the computer and flash it back to the 3DS. I've got a NAND flash port installed so corrupting it isn't a big concern.

    Here's what I tried.

    Using just the VOiD software, I did a NAND dump and made a xorpad. I then followed the steps to xor the FAT16 partition (by chopping off the first bit of the NAND dump).

    On my system, I had the profile name set to "lol"
    So I extracted the file at /data/[id]/sysdata/00010017

    Searching around in hex showed that the username was in there twice. Since re-injecting the file adds a bunch of metadata, I tried searching in the decrypted FAT16 .img itself, and it was also only in there twice.

    FWIW, I searched for "6c006f006c" in hex. The 3DS uses UCS-2 meaning there's a 0x00 between each letter, "lol" would have just been 6c 6f 6c. So anyway, I changed the lol to kek, leaving the zeroes between each letter. Basically I changed 6 bytes in the entire file.

    Saved it, ran xor again - comparing to the original encrypted file, only 6 bytes were different... as I would have expected. But what about that header?? I can't flash it back to the 3DS without that.

    So I took the original one from my original NAND dump and appended it to the edited-and-reencrypted file. I also padded the end of it to match the right size (it seems that xoring it removes a bunch of 0x00s at the end).

    Flashed it to the 3DS and rather than being bricked... it started up as if I had just done a system format, asking me to fill in the profile information.

    Huh???

    So I'm assuming that bit of data before the FAT16 partition is some sort of sanity check. Meaning you can't just edit the FAT16 and expect it to work. Am I correct in thinking that?

    And if so... is there a way to create a xorpad of the *entire* NAND so I can edit it like I described?
     
  2. motezazer

    motezazer GBAtemp Maniac

    Member
    1,214
    1,306
    Feb 6, 2015
    France
    There are checks, yes, but WITHIN the FAT16. There is an AES-MAC for all data within the data folder. No need for decrypting the rest of the NAND (and it's not the same encryption).
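
    A simulation of the edit described in the first post and of the in-partition check described in the reply, written as an added example that is not part of the thread or of any 3DS tool. Everything in it is a constructed stand-in: the header size, the xorpad, the key, the layout of the data file, and the MAC itself, which is HMAC-SHA256 from the Python standard library in place of the AES-MAC the reply mentions (the page gives neither the real construction nor the key, and the console-bound key is why the reply points at ARM9 homebrew). It shows why only the six patched bytes change in the re-xored output, why the untouched header can simply be reattached, and why the patched image still fails verification unless the MAC is recomputed under the key.

```python
import hmac
import hashlib
from typing import List, Optional

# Constructed stand-ins (not real 3DS values): the size of the region before
# the FAT16 partition, and a MAC appended to the data file instead of the
# AES-MAC the thread mentions.
HEADER_LEN = 0x200
MAC_LEN = 32


def ucs2(s: str) -> bytes:
    """Encode as UCS-2 (UTF-16LE): 'lol' -> 6c 00 6f 00 6c 00."""
    return s.encode("utf-16-le")


def xor_pad(data: bytes, pad: bytes) -> bytes:
    """Apply a xorpad; the same operation encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("xorpad shorter than the data it must cover")
    return bytes(a ^ b for a, b in zip(data, pad))


def mac(body: bytes, key: bytes) -> bytes:
    """Stand-in keyed integrity check (HMAC-SHA256, not the real AES-MAC)."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_partition(profile: str, key: bytes) -> bytes:
    """Constructed FAT16 contents: a data file holding the name twice, then its MAC."""
    body = (b"\x00" * 0x40 + ucs2(profile) + b"\x00" * 0x20
            + ucs2(profile) + b"\x00" * 0x40)
    return body + mac(body, key)


def build_nand(profile: str, key: bytes, pad: bytes) -> bytes:
    """Constructed NAND image: a header the xorpad does not cover, then the xorpadded partition."""
    header = bytes(range(256)) * (HEADER_LEN // 256)
    return header + xor_pad(build_partition(profile, key), pad)


def verify_partition(plain_part: bytes, key: bytes) -> bool:
    """Check the stored MAC against one recomputed over the decrypted file."""
    body, tag = plain_part[:-MAC_LEN], plain_part[-MAC_LEN:]
    return hmac.compare_digest(mac(body, key), tag)


def edit_profile(nand: bytes, pad: bytes, old: str, new: str,
                 key: Optional[bytes] = None) -> bytes:
    """Decrypt the partition, swap the UCS-2 name, re-encrypt, reattach the header.

    key=None reproduces the naive edit from the first post (MAC left as it was);
    with the key, the MAC is recomputed over the patched file as the reply requires.
    """
    if len(old) != len(new):
        raise ValueError("same-length replacement keeps every other byte in place")
    header, enc = nand[:HEADER_LEN], nand[HEADER_LEN:]
    plain = xor_pad(enc, pad)
    body, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
    body = body.replace(ucs2(old), ucs2(new))
    if key is not None:
        tag = mac(body, key)
    out = header + xor_pad(body + tag, pad)
    # Some tools drop trailing 0x00 bytes; the image must keep its original size.
    return out.ljust(len(nand), b"\x00")


def changed_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets at which two equal-length images differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    pad = bytes((i * 37 + 11) & 0xFF for i in range(0x400))  # constructed xorpad
    key = b"constructed stand-in key"
    nand = build_nand("lol", key, pad)
    naive = edit_profile(nand, pad, "lol", "kek")
    print("bytes changed by the naive edit:", len(changed_offsets(nand, naive)))
    print("naive edit verifies:", verify_partition(xor_pad(naive[HEADER_LEN:], pad), key))
    fixed = edit_profile(nand, pad, "lol", "kek", key)
    print("MAC-recomputed edit verifies:", verify_partition(xor_pad(fixed[HEADER_LEN:], pad), key))
```

    The xorpad is a keystream, so re-xoring the patched plaintext changes exactly the patched ciphertext positions and nothing else; that is the malleability that makes the edit easy, and a keyed MAC over the file is what turns the six-byte change into a failed check and a reset profile rather than a renamed one.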
     
  3. drfsupercenter
    OP

    Oh, so maybe that's why it didn't work, since I just modified the data without fixing the checks.

    Do you know if it's possible to do that? The problem is that if I use WinImage to overwrite the file with a new file, it puts in all the metadata (date created, date modified etc) which the original FAT16 doesn't have.
     
  4. motezazer
    You need to recalculate a hash and re-encrypt this hash with an ARM9 homebrew.
     
  5. drfsupercenter
    OP

    Tell me more, what homebrew is this? :P

    Or is this one of those trade secrets that nobody will talk about publicly here?
     
  6. motezazer
    A homebrew that you must code yourself ^^
     
  7. drfsupercenter
    OP

    Nobody has made one yet?

    Somehow I would figure being able to edit your NAND is something lots of people would want the ability to do.
     
  8. motezazer
    Perhaps some scene core members (like yellows8) made one, but a public way to recalculate AES-MACs is not known (but, as we have access to the decrypt9 source code, I don't think it would be difficult).
     