Hacking Sys-trans'd NAND injected into GW2.0b1 EmuNAND

PanCyan

So I have Hex Workshop with my personal 6.3 nand dump and the emuNand SD card. Can someone explain how to move first sector data to end of dump and how to inject the rearranged dump? I would love the help, this is my first time looking at hex. I kinda understand what to do but it's difficult for me to do it.
 

Cyan

Which version of HexWorkshop did you use to backup/restore a file to sectors?
I have a very old one, I guess it's not possible (v3.11)

Are you using Direct write access mode? (while working with big files I think it's better, even if dangerous)
Or maybe it's not an option and it's always using direct editing mode when opening a drive.
 

5rg

I used HexWorkshop 6.7. There was not any Direct write access mode option. I just opened the physical disk and wrote the "prepared" nand backup starting from sector 1 (second sector).
The HomePass works on emuNand, at least in the classic mode. That's the only reason I injected my own 6.3 firmware into emuNand to have my actual street plaza.
I'm going to test new Zelda on save's problem between emuNand and ordinary 3ds as soon as I receive a retail cartridge.
 

elcravo

> AES is unbreakable. Forget about permanent CFW. Jeez.


I'm not saying that we'll see cfw any time soon or that this has anything to do with it but that's just plain wrong. AES isn't unbreakable.

See http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks for possible attack scenarios.

BTW you don't really have to attack the cipher itself. You could mess with the cipher's implementation on the system using so called side-channel attacks.

See http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Side-channel_attacks for side-channel attacks.
 

PanCyan

I couldn't get this to work with the actual nand and sd card backup files. I had to use the Hex Workshop drive copy function with the sd card and ds connected to my computer.
I started from sector 1 of the nand and copied that to the sd card also starting at sector 1.
Then I copied sector 0 from the nand to the end of what I copied previously (Hex Workshop tells you the total number of sectors so it's easy).
 

justinkb

> I'm not saying that we'll see cfw any time soon or that this has anything to do with it but that's just plain wrong. AES isn't unbreakable.
>
> See http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks for possible attack scenarios.
>
> BTW you don't really have to attack the cipher itself. You could mess with the cipher's implementation on the system using so called side-channel attacks.
>
> See http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Side-channel_attacks for side-channel attacks.

I'm well aware of all this... the best "attack" on the algorithm is 4 times faster than bruteforce, still takes longer than the universe will remain (even using technology from the distant future). Why did you even post this? :-P Also, you see side-channel attacks as feasible for mass production? How do you envision that? Some ultra-advanced device one affixes to their 3DS? lol.
 

moosehunter

Someone please make a tool for dd and chopping the nand. :yay:

Just do this to copy the emunand from the sd card:
dd if=/dev/sdX of=dummy.bin count=1
dd if=/dev/sdX of=nand.bin count=1 skip=1931264
dd if=/dev/sdX of=nand.bin count=1931263 skip=1 seek=1

And this to write to it:
dd if=dummy.bin of=sd_tmp.bin count=1
dd if=nand.bin of=sd_tmp.bin skip=1 seek=1
dd if=nand.bin of=sd_tmp.bin count=1 seek=1931264
dd if=sd_tmp.bin of=/dev/sdX bs=8M
rm sd_tmp.bin
Be sure to change the /dev/sdX to match your SD card. This will make a nand.bin and dummy.bin. The dummy.bin is simply the first sector of the sd card, and nand.bin is your unsplit nand.
The byte counts here were based off my nand dumps. I don't know if it's different for other 3DS's.
 

Cyan

There are two different NAND sizes.
I have the same size as you (Launch day 3DS).

dd is very useful, too bad Windows doesn't have the same command.
Someone said he will create a tool/gui to do the EmuNAND backup/restore in Windows, but I don't remember who it was.
 

n1ghty

> Someone said he will create a tool/gui to do the EmuNAND backup/restore in windows, but I don't remember who it was.

I am sorry, I didn't have time to finish it yet.

The features will be:
- Finding the Gateway SD automatically (to prevent writing to the wrong device :blink:)
- Extracting of the emuNAND => File will be flashable to the real NAND.
- Injecting of a NAND backup to the Gateway SD (emuNAND backup & sysNAND backup)

It's already working with different NAND sizes, but I have to test it a bit more to make sure everything works as expected.

Nothing big and just a simple gui, but it's a lot more comfortable than a hex editor ;)

Possible future features: (only if demanded after the first release...)
- Building a Gateway emuNAND SD from ground without the use of the gateway.
It also creates the FAT Partition.
- Backup current SD content and move it back onto the SD after building the Gateway SD.
 

n1ghty

> What sizes are there? Why are there many sizes anyway? Shouldn't they be the same?

Different NAND chips. The newer ones are from Samsung. A lot of parts change over time in consoles. It's all about the price and availability.
The NANDs are padded at the end, so the size doesn't matter. The partition offsets are the same.

The sizes of my XL NANDs are:
1931264 sectors
988.807.168 bytes

1953792 sectors
1.000.341.504 bytes
 

Cyan

The dummy sector is in fact the MBR with the partition table (and a single partition listed as FAT32).
I guess it's using a different sector number if using a different SD card, so if you allow users to restore a backup on a different SD size be sure to check how many sectors are free. Don't restore the existing dummy sector.

That's probably why Win32Imager is backing up the entire card, there's only a single partition's information in the MBR, not two.
As there's a single partition, it's backing up/restoring the entire device's sectors instead of the partition's size. (It's just a supposition, I didn't look in WinImager's sources.) Or maybe it's always reading/writing the entire device instead of the partition, but it displays Windows's partition letters instead of devices in the drop down list.
 

n1ghty

The first version won't touch the dummy/MBR sector. If you want to use a different SD, you will have to format it with the gateway and then inject the old backup.
My tool checks for an existing Gateway MBR.
 

DAHU75

Hello

I have a NAND backup 6.2.0.12E made with a hardware tool.

Is it possible to modify it into an emuNAND for Gateway and inject it to the SD card?

If yes, how can I do that?

Thanks for your help
 

deoFusion

> I have a NAND backup 6.2.0.12E made with a hardware tool.
>
> Is it possible to modify it into an emuNAND for Gateway and inject it to the SD card?

Yes, although you'll still need a 4.x system to use the emuNAND/gateway in the first place.

> If yes, how can I do that?

The OP explained how and the rest of this thread elaborates on the specifics...
 

DAHU75

Thanks
Yes, I have a 4.x system but I haven't upgraded my emuNAND.

Yes, but it's not clear to me. No explicit tutorial?
 

Cyan

You can only use that NAND 6.2.0-12 backup if it's from the same console.
If you did a Hardware backup from Console A, it will not work in EmuNAND on Console B.

But I suppose your 6.2.0-12 is from the same console, backup 4.5 -> You updated -> backup 6.2 -> downgraded to 4.5
You can use that 6.2 backup as EmuNAND.

You need to write it to your SD card.

1. If not already done, create the EmuNAND partition using the Gateway menu to initialize the two partitions.
2. You now have a hidden partition on your SD card (it contains a copy of your NAND 4.5.0) and a FAT32 partition.
3. You need to replace the data from the hidden partition with your 6.2.0-12 NAND.bin

The EmuNAND partition is not a 1:1 copy of your NAND dump. The first sector is moved to the end of the dump:
Sector 0 (512Bytes) ; Nand dump ; Last dump sector +1
|________________________________^

Sector 0 of the SD card needs to be retained as it contains the MBR (Partition table). Without the MBR, Windows/3DS would not see the FAT32 partition.

SD structure:
Sector 0 : MBR
Sector 1 : EmuNAND starting at Sector 1 too
Sector x : End of EmuNAND
Sector x+1 : EmuNAND sector 0
Sector 200000 : Start of FAT32 partition


As explained above (post #71), there are two different NAND sizes. But if you have a hardware backup, you already know which one you have.

To write your NAND dump to SD card:
You can use Linux and the dd command (also detailed above, #67)
Or use Hexworkshop in Windows, but you'll have to prepare the file to be written to SD first. You can also wait for n1ghty to release his tool to do it.
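
The layout described in this post, which the dd commands earlier in the thread also implement, as an added example (not part of any post here and not n1ghty's tool): Python functions that build the SD-side region from a flat NAND dump and reverse it, refusing a dump of unexpected size or an MBR whose first partition would overlap the EmuNAND region. Function names are hypothetical, the sample dump and MBR are constructed, and it assumes the FAT32 partition is the first MBR entry.

```python
import struct

SECTOR = 512
# NAND sizes (in sectors) reported in this thread; treat any other size as suspect.
KNOWN_NAND_SECTORS = frozenset({1931264, 1953792})


def first_partition_start(mbr: bytes) -> int:
    """Start LBA of the first partition entry in an MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 is not an MBR (no 55 AA signature)")
    # Entry 0 sits at offset 446; its start LBA is a little-endian u32 at +8.
    return struct.unpack_from("<I", mbr, 446 + 8)[0]


def nand_sector_count(nand: bytes, known=KNOWN_NAND_SECTORS) -> int:
    """Validate a dump's length and return its size in sectors."""
    n, rest = divmod(len(nand), SECTOR)
    if rest or n not in known:
        raise ValueError(f"unexpected NAND dump size: {len(nand)} bytes")
    return n


def nand_to_sd(nand: bytes, mbr: bytes, known=KNOWN_NAND_SECTORS) -> bytes:
    """Build SD sectors 0..n: the card's MBR, NAND sectors 1..n-1, NAND sector 0."""
    n = nand_sector_count(nand, known)
    if first_partition_start(mbr) < n + 1:
        raise ValueError("EmuNAND region would overlap the FAT32 partition")
    return mbr + nand[SECTOR:] + nand[:SECTOR]


def sd_to_nand(sd: bytes, n: int) -> bytes:
    """Inverse: rebuild the flat dump from SD sectors 0..n (the MBR is dropped)."""
    if len(sd) < (n + 1) * SECTOR:
        raise ValueError("SD image is shorter than the EmuNAND region")
    return sd[n * SECTOR:(n + 1) * SECTOR] + sd[SECTOR:n * SECTOR]


def sample_mbr(start_lba: int) -> bytes:
    """Constructed MBR with one partition entry, for the demo only."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 446 + 8, start_lba)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # Constructed 8-sector "dump": sector i is filled with byte 0x10 + i.
    nand = b"".join(bytes([0x10 + i]) * SECTOR for i in range(8))
    sd = nand_to_sd(nand, sample_mbr(16), known={8})
    assert sd_to_nand(sd, 8) == nand  # round trip before touching a real card
    print(len(sd) // SECTOR, "sectors prepared")
```

The returned image begins with the card's own MBR, so sector 0 stays as it was, in line with the earlier advice not to restore a dummy sector taken from another card.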
 

DAHU75

Yes, it's the same console

with 4.2 backup, upgrade 6.2.0-12, restore 4.2 with hardware ;)
For the NAND size, it's a 3DS day one ;)

OK, I'll do a test and post if success

thanks so much for the GREAT HELP :)
 

n1ghty

Is there someone who wants to beta test the first version of my tool?

Features in the first version are:
- Finding the Gateway SD automatically (to prevent writing to the wrong device :blink:)
- Extracting of the emuNAND => File will be flashable to the real NAND.
- Injecting of a NAND backup to the Gateway SD (emuNAND backup & sysNAND backup).

There isn't a readme yet, but I think I succeeded in making it noob friendly :rolleyes:

Edit:
Beta test group full. Release soon™
 