[Q] N3DS/O3DS firmware downgrade -- earliest versions possible?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Selver, Jan 8, 2016.

  1. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    211
    277
    Dec 22, 2015
    This is a relatively straightforward question.
    Answers with details highly preferred (rather than yes/no). If no, please explain why?

    It's now possible to downgrade either O3DS or N3DS to 9.2.0-X, but how far?

    Let's presume that the SYSNAND has nothing of value (OK to format), there are no save games (OK to re-initialize), and no commercial games are of interest (no upgrade required).

    Q1. What's the earliest version of firmware that can be downgraded to?

    The O3DS obviously has much older firmware available than N3DS. If we presume that the user is fine losing all the N3DS features, including the extra memory:

    Q2. What (if anything) would prevent loading an O3DS firmware onto N3DS (presuming OK to lose N3DS features, including the extra memory)?

    Really, can v1.x or v2.x firmware (O3DS obviously) load on N3DS?

    e.g., does the N3DS BOOTROM validate firmware signatures against a different certificate / cert chain than the O3DS BOOTROM?
    e.g., does the O3DS firmware itself do some sort of hardware check that fails on N3DS?
    e.g., does the O3DS require a section of the OTP area to contain specific values (after decryption)?

    Thanks!
     
  2. jscjml

    jscjml Monster Hunter

    Member
    244
    89
    Jan 4, 2015
    United States
    Las Vegas
    9.3+ down to 9.2, then Gateway has their Downgrade from 9.2 to 4.5 (only for Old3DS obviously); you don't need to use the GW Red Card to do the downgrade itself though.

    Although I don't see the point anymore (unless no one made a 9.2 .xorpad generator) since there's HomeMenuHax which imo is superior to the MSET exploit.
     
  3. Elveman

    Elveman B9S Shitpost Race Smogonite

    Member
    444
    261
    Feb 1, 2015
    Russia
    Moscow city
    There's a 2.0 firmware pack on the ISO site. Can it be used to downgrade 3DS to 2.0?
    Should kinda try it on EmuNAND (although I have some doubts...)
     
  4. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Member
    1,306
    478
    Oct 16, 2015
    What we are trying to tell you is if you don't have a reasonable objective in a firm that low there's no point in staying below 9.0-9.2 as most current exploits won't work.
     
  5. Elveman

    Elveman B9S Shitpost Race Smogonite

    Member
    444
    261
    Feb 1, 2015
    Russia
    Moscow city
    That's true, but some things can be done just for fun.
    Yesterday I changed my EmuNAND region to Japan without any apparent reason so... why not?
     
    Last edited by Elveman, Jan 8, 2016
  6. cearp

    cearp the ticket master

    Member
    7,554
    4,819
    May 26, 2008
    Tuvalu
    Downgrading isn't new, I showed it off a year ago, but now it is popular because it's useful for piracy :)
     
  7. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Member
    1,306
    478
    Oct 16, 2015
    So the "reasonably objective" is screwing around with your system for fun. Fair enough. I don't know if cfw could boot a firmware that low. Maybe cakes if you provide a firmware.bin and a cetk low enough but I don't even know where you can find those as NUSDown won't get you these.
     
  8. Syphurith

    Syphurith Beginner

    Member
    641
    222
    Mar 8, 2013
    Switzerland
    Xi'an, Shaanxi Province
    If you want the O3DS OTP dumped, and have a proper ROP entry point from CN, only 2.x and 1.x are for that. For most people this means nothing, because the ROP isn't public. (Doubtful)
    Oh yes, like what fail0verflow said in their "PS3 Epic Fall" talk. "Downgrading leads to more piracy." lol

    Just have fun with it. If yours is hard-modded, you can play with those versions easily and freely. Even I doubt if there is a downgrade-blocking mechanism inside FIRM after 10.4.
     
    Last edited by Syphurith, Jan 8, 2016
    Selver and cearp like this.
  9. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Member
    1,306
    478
    Oct 16, 2015
    Yeah, this is in fact the main of the reasonable objectives I was referring to.
     
    Syphurith likes this.
  10. DjoeN

    DjoeN Captain Haddock!

    Member
    5,207
    1,503
    Oct 21, 2005
    Belgium
    Somewhere in this potatoland!
    The only reason to go down to 4.5/4.3, I think (I could be wrong on every point, but it's from my experience)

    The downgrader for 10.3 to 9.2 is different than the Gateway downgrader. I think when downgrading from 10.3 with sysupdater, it keeps all your stuff and NNID.
    I have the feeling it leaves you in some way with a Frankenstein firmware, since only a few CIAs get installed (most obvious, only those that changed from 9.2 to 10.3; still, we don't know)

    If you downgrade from 9.2 then to 4.5 with the Gateway downgrader (only for O3DS), everything gets wiped as far as I know, you have to set everything up again etc...
    Then upgrading to 9.2 gives me the feeling the 9.2 is more stable than the 9.2 downgraded from 10.3
    (yes, I have 2 O3DS XL systems on 9.2, one downgraded to 9.2, then 4.5 with Gateway, then upgraded back to 9.2 with sysupdater; the other one I kept on 9.2 from the 10.3 downgrade.)

    I have a few CIA-installed game problems and weird settings problems on the 9.2 (10.3->9.2) but had no problems with the 9.2 (10.3->9.2>4.5>9.2) with the same setup of games.

    Stupid phone, wasn't finished yet:
    Note:

    Yes, I downgraded the other system afterwards also to 4.5 with Gateway and upgraded again, all problems were gone!
     
    Last edited by DjoeN, Jan 8, 2016
  11. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Member
    1,306
    478
    Oct 16, 2015
    It's quite the opposite. Gateway downgrader is in fact known for not cleaning unused system titles when going from 9.2 to 4.5 while sysUpdater performs clean downgrades. The system extdata can be cleared at any time with a format.
     
  12. DjoeN

    DjoeN Captain Haddock!

    Member
    5,207
    1,503
    Oct 21, 2005
    Belgium
    Somewhere in this potatoland!
    Well, it's weird, because after downgrading the other system to 4.5 and then also back to 9.2 the problems were gone (well, I'm sure it got fixed by doing that, because 9.2 gets reinstalled again)

    [EDIT]
    Oh, and I find it a nice thing everything is kept after the 10.3 to 9.2 downgrade ;)
     
    Last edited by DjoeN, Jan 8, 2016
  13. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Member
    1,306
    478
    Oct 16, 2015
    Yeah, it's obvious that you fixed it, but you were brave running the Gateway downgrade after a sysupdater half-downgrade. That could have gone very wrong and it's even possible the dirty downgrade method used by Gateway helped you in this feat. And then you made a clean update with normal sysupdater, fixing everything.
     
  14. DjoeN

    DjoeN Captain Haddock!

    Member
    5,207
    1,503
    Oct 21, 2005
    Belgium
    Somewhere in this potatoland!
    Brave, not :P I did it on the system that was hardmodded, and having a 10.3 and 9.2 NAND backup (yes, I was smart enough to do a NAND backup after every downgrade) helped a lot in deciding to do that ;) (oh, and the benefit is I now also have a 4.5 NAND backup :)

    [EDIT]
    But thank you @Urbanshadow for the explanation :) it's always fun to hear something I didn't know yet :)
     
    Last edited by DjoeN, Jan 8, 2016
  15. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Member
    1,306
    478
    Oct 16, 2015
    Haha, you cheater :P. I wouldn't rely too much on that 4.5 NAND backup as it could be in a working but very messed-up state, and if I were you I would redo the 9.2 sysnand backup now that it is fully working.
     
  16. DjoeN

    DjoeN Captain Haddock!

    Member
    5,207
    1,503
    Oct 21, 2005
    Belgium
    Somewhere in this potatoland!
    Yeah, I have done that too :) I keep all my NAND backups stored by date on a separate HDD just for 3DS NAND backups and SD image backups
    (got 7 systems to maintain, 1 O3DS, 2 O3DS XL, 1 2DS, 1 N3DS and 2 N3DS XL) (some I acquired from people for cheap (€20-€50 each) and managed to get 1 new system out of 2 broken, but I bought 4 myself (for me and my kids); 3 systems I keep on latest FW (kids' systems), they play online and don't want free pirated games (but they're always happy when they get a free game (bought by somebody else) and somehow they don't want eShop games if they're available as cartridge)
     
  17. MassExplosion213

    MassExplosion213 .

    Member
    1,438
    960
    Feb 15, 2015
    United States
    There is a ROP for CN that is public that works.
     
    Selver and Syphurith like this.
  18. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    211
    277
    Dec 22, 2015
    Yes, I am interested in understanding what's in the OTP, and even what is in the bootrom.

    So is the ROP only for CN firmware(?!) or is it from CN?
    Is there anything in the 2.x firmware (or N3DS bootrom) that would prevent the successful use of 2.x firmware on a N3DS?
    Has the bootrom code itself become public?

    Thank you!
     
  19. Syphurith

    Syphurith Beginner

    Member
    641
    222
    Mar 8, 2013
    Switzerland
    Xi'an, Shaanxi Province
    Unfortunately I don't know much about it. You have to find or tag Normatt for it. Do not forget to ask politely, he is a good man (yes, sdmmc.c in most CFW is his work).
    The only thing I can tell is that CubicNinja (SKY) provides an entry point in ROP (its QR level) for every firmware that can run it - and it only asks for 1.0.0+ (wtf).
    Not saying 2.x firmware, but that flaw (not locking up the OTP section) is fixed in FIRM 3.0+. So you have to get your system version lower than that.
    This only works for O3DS, since it cannot be this low for N3DS. Yup, I don't know how they did that, or they just dumped the key but no OTP.
    If you can contact Normatt, don't forget to ask if there are some other things (such as your console-unique keys, maybe) you can dump on that version. Good luck.
     
    Selver likes this.