Hacking Possible to xorpad ENTIRE NAND?

drfsupercenter

Flash Cart Aficionado
OP
Member
Joined
Mar 26, 2008
Messages
1,909
Trophies
1
XP
1,163
Country
United States
Got a question that I'm not sure has been asked before.

I know we can use VOiD's multi-decrypter to create a xorpad of the NAND FAT16 partition, and decrypt that portion of it using xor.

What I'd like to do is to try to modify the contents of my NAND from the computer and flash it back to the 3DS. I've got a NAND flash port installed so corrupting it isn't a big concern.

Here's what I tried.

Using just the VOiD software, I did a NAND dump and made a xorpad. I then followed the steps to xor the FAT16 partition (by chopping off the first bit of the NAND dump).

On my system, I had the profile name set to "lol"
So I extracted the file at /data/[id]/sysdata/00010017

Searching around in hex showed that the username was in there twice. Since re-injecting the file adds a bunch of metadata, I tried searching in the decrypted FAT16 .img itself, and it was also only in there twice.

FWIW, I searched for "6c006f006c" in hex. The 3DS uses UCS-2, meaning there's a 0x00 between each letter; "lol" would otherwise have just been 6c 6f 6c. So anyway, I changed the lol to kek, leaving the zeroes between each letter. Basically I changed 6 bytes in the entire file.

Saved it, ran xor again - comparing to the original encrypted file, only 6 bytes were different... as I would have expected. But what about that header?? I can't flash it back to the 3DS without that.

So I took the original one from my original NAND dump and appended it to the edited-and-reencrypted file. I also padded the end of it to match the right size (seems that xoring it removes a bunch of 0x00s at the end).

Flashed it to the 3DS and rather than being bricked... it started up as if I had just done a system format, asking me to fill in the profile information.

Huh???

So I'm assuming that bit of data before the FAT16 partition is some sort of sanity check. Meaning you can't just edit the FAT16 and expect it to work. Am I correct in thinking that?

And if so... is there a way to create a xorpad of the *entire* NAND so I can edit it like I described?
 

motezazer

Well-Known Member
Member
Joined
Feb 6, 2015
Messages
1,214
Trophies
0
Age
24
XP
1,442
Country
France
There are checks, yes, but WITHIN the FAT16. There is an AES-MAC for all data within the data folder. No need for decrypting the rest of the NAND (and it's not the same encryption).
 
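The decrypt-edit-re-encrypt round trip the OP describes, and the integrity check motezazer mentions, shown as an added example (not code from the thread or from VOiD's tool). The partition bytes, the xorpad keystream and the header are constructed stand-ins, and the HMAC is only a generic illustration of a MAC over the data, not the console's own AES-MAC scheme.

```python
import hashlib
import hmac

# Constructed sample "partition": a UCS-2 (UTF-16-LE) profile name stored
# twice, surrounded by zero bytes, as the OP found in 00010017.
PLAINTEXT = (b"\x00" * 16 + "lol".encode("utf-16-le") + b"\x00" * 8
             + "lol".encode("utf-16-le") + b"\x00" * 32)
# Constructed keystream standing in for the xorpad (a real one comes from console keys).
XORPAD = bytes((i * 73 + 11) & 0xFF for i in range(len(PLAINTEXT)))
# Constructed stand-in for the bytes that sit before the FAT16 partition.
HEADER = b"\xAA" * 8


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, pad))


def replace_ucs2(data: bytes, old: str, new: str) -> bytes:
    """Replace every UCS-2 occurrence of `old` with `new` (same length only)."""
    assert len(old) == len(new), "length must match so the file size is unchanged"
    return data.replace(old.encode("utf-16-le"), new.encode("utf-16-le"))


def edit_partition(encrypted: bytes, old: str, new: str) -> bytes:
    """Decrypt with the xorpad, edit the name, re-encrypt with the same pad."""
    decrypted = xor_bytes(encrypted, XORPAD)
    return xor_bytes(replace_ucs2(decrypted, old, new), XORPAD)


def count_diff(a: bytes, b: bytes) -> int:
    """Number of byte positions that differ (XOR only changes edited positions)."""
    return sum(x != y for x, y in zip(a, b))


def rebuild_image(header: bytes, partition: bytes, target_size: int) -> bytes:
    """Prepend the untouched header and zero-pad to the original dump size."""
    img = header + partition
    return img + b"\x00" * (target_size - len(img))


def mac_tag(data: bytes, key: bytes) -> bytes:
    """Generic MAC over the decrypted data; any edit changes the tag."""
    return hmac.new(key, data, hashlib.sha256).digest()
```

Because XOR encryption is malleable, the 6 edited plaintext bytes map to exactly 6 changed ciphertext bytes, which is why a separate MAC is what actually detects the edit.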

drfsupercenter

motezazer said:
> There are checks, yes, but WITHIN the FAT16. There is an AES-MAC for all data within the data folder. No need for decrypting the rest of the NAND (and it's not the same encryption).

Oh, so maybe that's why it didn't work, since I just modified the data without fixing the checks.

Do you know if it's possible to do that? The problem is that if I use WinImage to overwrite the file with a new file, it puts in all the metadata (date created, date modified etc) which the original FAT16 doesn't have.
 

motezazer

> Nobody has made one yet?
>
> Somehow I would figure being able to edit your NAND is something lots of people would want the ability to do.

Perhaps some scene core members (like yellows8) made one, but a public way to recalculate AES-MACs is not known (but, as we have access to decrypt9 source code, I don't think it would be difficult).
 