Homebrew [RELEASE] OTPHelper - OTP dumping & downgrade helper

  • Thread starter d0k3

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,861
Country
Germany
OTPHelper is a small tool designed for helping with the downgrade and OTP dumping process. OTPHelper won't handle the process alone (that's not even possible), but it will help to make downgrading and OTP dumping simpler, more streamlined and safer. Use this tool in conjunction with @Plailect's guide.

[Screenshots: snap069.png, snap071.png]


Source code: https://github.com/d0k3/OTPHelper
Binaries: https://github.com/d0k3/OTPHelper/releases
Last Stable Version: https://github.com/d0k3/OTPHelper/releases/tag/v0.85



FEATURES:

OTPHelper aims to simplify these processes, as described in Plailect's guide.
  • Actual dumping of the OTP.bin (0x100 or 0x108, only on FW < 3.0) included for convenience. Not shown in the screenshots, this is in the ARM9.bin.
  • Generate OTP0x108.bin from OTP.bin (on FW 9.0+), if you forgot to get that file the first time around.
  • Unbricking the FW 2.1 EmuNAND (N3DS only). This does, in one step, what would otherwise require: two NAND XORpads, the emuNAND_bricked.bin backup on your PC, 3DSFAT16Tool, hex-editing the header of the emuNAND_bricked.bin and writing back the fixed emuNAND_bricked.bin backup via Decrypt9WIP. So, much faster.
  • Includes EmuNAND/SysNAND Backup&Restore, CTRNAND Dump&Inject, FIRM Dump&Inject and Padgen features from Decrypt9WIP for convenience.
  • Multiple safety clamps in place to make this as safe as possible.
  • Various options to restore your SysNAND to working order in case something goes wrong.
If you're going to try this, make sure you read everything below, give us feedback, and also vote here!


WARNING:

No use in beating around the bush, stuff like this is dangerous by nature and there will never be complete safety. There are bricked consoles, and you may even encounter one if you did nothing wrong. I am not responsible for any problems caused by this and I'm still recommending a NANDmod to everyone doing the whole downgrade process. Keep in mind that this is based on bugs and holes in Nintendo's own FW and that nobody is perfect.


HOW SAFE IS THIS?
You read the warning above? Good! As of now, there are no known issues with 0.71 (I'll update if anything comes up) and we get only positive feedback. Furthermore, v0.71 (compared to v0.5) adds multiple safety checks that prevent typical user mistakes, so this version protects you from yourself, too. This is safer than it ever was and has been tested successfully by several people, but, regardless of OTPHelper version and/or downgrading method: Bricks are still not impossible. The gist of this: If you cannot afford or do a hardmod yourself and/or if a brick of your 3DS would be your absolute worst nightmare - don't do it, it is not worth it for you. Everyone who can live with the risk (which *might* be pretty small by now), go ahead.


TESTER CREDITS:
Thank these fearless people:
 

Februarysn0w

Well-Known Member
Member
Joined
Oct 31, 2014
Messages
1,205
Trophies
0
Age
34
XP
797
Country
Japan
Thank you for your NICE release. This is useful to install arm9haxloader to a new console.

By the way, you look professional about nand and emunand, so I really want to ask you this question.
Can I restore an emunand backup to sysnand? Is there any difference between both nand dump images?
 

d0k3

> Great job, if only I had waited til today I could try this on my n3ds. But I have two o3ds that I will test this on and let you know how it goes.

> This is amazing, I'll tag this for when I get my O3DS XL back from hardmodding and attempt to dump my OTP.

Let me know how it goes. This tool will be a lot more helpful for N3DS, though, as it streamlines some stuff that would otherwise be a pain to do manually.
 

d0k3

> Thank you for your NICE release. This is useful to install arm9haxloader to a new console.
>
> By the way, you look professional about nand and emunand, so I really want to ask you this question.
> Can I restore an emunand backup to sysnand? Is there any difference between both nand dump images?

I can't give you a 100% safe reply for that, that depends on what you did with your EmuNAND before. Normally, if you didn't do any modifications to it, it should be safe to inject an EmuNAND dump over SysNAND. Don't do this if you have no other means of going back (NANDmod, A9LH) though.
 

capito27

Well-Known Member
Member
Joined
Jan 19, 2015
Messages
874
Trophies
0
XP
1,210
Country
Swaziland
> (N3DS only) According to the above, upgrade your system to a version >= 9.x and switch back to slot 0x5 (upgrade might not work though).

Well, you get a softbrick from going to the O3DS 7.X home menu on N3DS (the menu simply asks you to discover Miiverse but fails miserably and prevents you from starting any application; a reboot doesn't fix it), and going any higher than 8.0 O3DS included produces a hardbrick on N3DS, so you can't even run the ARM9 payload to switch keyslot crypto at all. Hope this helps.
 

d0k3

> Well, you get a softbrick from going to the O3DS 7.X home menu on N3DS (the menu simply asks you to discover Miiverse but fails miserably and prevents you from starting any application; a reboot doesn't fix it), and going any higher than 8.0 O3DS included produces a hardbrick on N3DS, so you can't even run the ARM9 payload to switch keyslot crypto at all. Hope this helps.

Understood, that means the option to switch back the crypto to slot 0x5 is useless, and so is the option to inject the N3DS header. Will think about removing these two. They might still be useful for fixing mistakes, though.
 

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,021
Country
United States
> I can't give you a 100% safe reply for that, that depends on what you did with your EmuNAND before. Normally, if you didn't do any modifications to it, it should be safe to inject an EmuNAND dump over SysNAND. Don't do this if you have no other means of going back (NANDmod, A9LH) though.

So, I'm going back down to 2.1 to test, but looking through the repo, it seems the framebuffer addresses are incompatible with the browser exploit for 2.1... it'd probably be a good idea to check somehow (maybe check crypto stuff since it doesn't work on 2.x) which version the person is on, and adapt the framebuffer to there... if you need the addresses

#define TOP_SCREEN0 (u8*)(0x181E6000)
#define TOP_SCREEN1 (u8*)(0x18273000)
#define BOT_SCREEN0 (u8*)(0x1848F000)
#define BOT_SCREEN1 (u8*)(0x184C7800)

otherwise the otp dump options are kinda useless
 

d0k3

> So, I'm going back down to 2.1 to test, but looking through the repo, it seems the framebuffer addresses are incompatible with the browser exploit for 2.1... it'd probably be a good idea to check somehow (maybe check crypto stuff since it doesn't work on 2.x) which version the person is on, and adapt the framebuffer to there... if you need the addresses
>
> #define TOP_SCREEN0 (u8*)(0x181E6000)
> #define TOP_SCREEN1 (u8*)(0x18273000)
> #define BOT_SCREEN0 (u8*)(0x1848F000)
> #define BOT_SCREEN1 (u8*)(0x184C7800)
>
> otherwise the otp dump options are kinda useless

Alright, thanks. I'm unsure about how to test crypto stuff, though.... Any other ideas on how to find out safely if we're on 2.1?
Another idea would be to use these framebuffers for the GW Launcher.dat only. As I understand, the GW Launcher.dat is the only payload working on 2.1 & the GW Launcher.dat is also pretty much useless on more recent FW versions. Correct?
 

dark_samus3

> Alright, thanks. I'm unsure about how to test crypto stuff, though.... Any other ideas on how to find out safely if we're on 2.1?
> Another idea would be to use these framebuffers for the GW Launcher.dat only. As I understand, the GW Launcher.dat is the only payload working on 2.1 & the GW Launcher.dat is also pretty much useless on more recent FW versions. Correct?

actually the gateway.dat doesn't work from 2.1 (I had some bad info from someone else) but there is a spider exploit for 2.x called 2xrsa: https://github.com/b1l1s/2xrsa which needs those framebuffers to work...
 

Swiftloke

Hwaaaa!
Member
Joined
Jan 26, 2015
Messages
1,770
Trophies
0
Location
Nowhere
XP
1,324
Country
United States
Saw this on GitHub, was wondering when it'd come out, features etc. Good job! I'll test the OTP dumper on my o3ds.
Wait, what's the emuNAND header got to do with a9lh on o3ds?
 

d0k3

> actually the gateway.dat doesn't work from 2.1 (I had some bad info from someone else) but there is a spider exploit for 2.x called 2xrsa: https://github.com/b1l1s/2xrsa which needs those framebuffers to work...

Does that load the .bin or the .dat? I will find some way of correctly setting the framebuffers, will need to think it over, though.
 