Sys-trans'd NAND injected into GW2.0b1 EmuNAND

Discussion in '3DS - Flashcards & Custom Firmwares' started by damysteryman, Dec 2, 2013.

  1. PanCyan

    PanCyan Advanced Member

    Newcomer
    2
    Oct 3, 2013
    United States
    So I have Hex Workshop with my personal 6.3 nand dump and the emuNand SD card. Can someone explain how to move the first sector data to the end of the dump and how to inject the rearranged dump? I would love the help, this is my first time looking at hex. I kinda understand what to do but it's difficult for me to do it.
     
  2. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    22
    Oct 27, 2002
    France
    Engine room, learning
    Which version of HexWorkshop did you use to backup/restore a file to sectors?
    I have a very old one, I guess it's not possible (v3.11)

    Are you using Direct write access mode? (while working with big files I think it's better, even if dangerous)
    Or maybe it's not an option and it's always using direct editing mode when opening a drive.
     
  3. 5rg

    5rg Member

    Newcomer
    2
    Jul 2, 2009
    Russia
    I used HexWorkshop 6.7. There was not any Direct write access mode option. I just opened the physical disk and wrote the "prepared" nand backup starting from sector 1 (second sector).
    The HomePass works on emuNand, at least in the classic mode. That's the only reason I injected my own 6.3 firmware into emuNand to have my actual street plaza.
    I'm going to test new Zelda on save's problem between emuNand and ordinary 3ds as soon as I receive a retail cartridge.
     
  4. elcravo

    elcravo Advanced Member

    Newcomer
    1
    Feb 25, 2013
    Gambia, The

    I'm not saying that we'll see cfw any time soon or that this has anything to do with it but that's just plain wrong. AES isn't unbreakable.

    See http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks for possible attack scenarios.

    BTW you don't really have to attack the cipher itself. You could mess with the cipher's implementation on the system using so called side-channel attacks.

    See http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Side-channel_attacks for side-channel attacks.
     
  5. PanCyan

    PanCyan Advanced Member

    Newcomer
    2
    Oct 3, 2013
    United States
    I couldn't get this to work with the actual nand and sd card backup files. I had to use the Hex Workshop drive copy function with the sd card and ds connected to my computer.
    I started from sector 1 of the nand and copied that to the sd card also starting at sector 1.
    Then I copied sector 0 from the nand to the end of what I copied previously (Hex Workshop tells you the total number of sectors so it's easy)
     
  6. justinkb

    justinkb GBAtemp Advanced Fan

    Member
    3
    Oct 7, 2012
    Netherlands
    I'm well aware of all this... the best "attack" on the algorithm is 4 times faster than bruteforce, still takes longer than the universe will remain (even using technology from the distant future). Why did you even post this? :-P Also, you see side-channel attacks as feasible for mass production? How do you envision that? Some ultra-advanced device one affixes to their 3DS? lol.
     
  7. moosehunter

    moosehunter GBAtemp Regular

    Member
    3
    Nov 26, 2008
    United States
    Just do this to copy the emunand from the sd card:
    dd if=/dev/sdX of=dummy.bin count=1
    dd if=/dev/sdX of=nand.bin count=1 skip=1931264
    dd if=/dev/sdX of=nand.bin count=1931263 skip=1 seek=1

    And this to write to it:
    dd if=dummy.bin of=sd_tmp.bin count=1
    dd if=nand.bin of=sd_tmp.bin skip=1 seek=1
    dd if=nand.bin of=sd_tmp.bin count=1 seek=1931264
    dd if=sd_tmp.bin of=/dev/sdX bs=8M
    rm sd_tmp.bin
    Be sure to change the /dev/sdX to match your SD card. This will make a nand.bin and dummy.bin. The dummy.bin is simply the first sector of the sd card, and nand.bin is your unsplit nand.
    The byte counts here were based off my nand dumps. I don't know if it's different for other 3DS's.
     
  8. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    22
    Oct 27, 2002
    France
    Engine room, learning
    There are two different NAND sizes.
    I have the same size as you (Launch day 3DS).

    dd is very useful, too bad windows doesn't have the same command.
    Someone said he will create a tool/gui to do the EmuNAND backup/restore in windows, but I don't remember who it was.
     
  9. n1ghty

    n1ghty GBAtemp Regular

    Member
    5
    Aug 8, 2013
    Saint Kitts and Nevis
    I am sorry, I didn't have time to finish it yet.

    The features will be:
    - Finding the Gateway SD automatically (to prevent writing to the wrong device :blink:)
    - Extracting of the emuNAND => File will be flashable to the real NAND.
    - Injecting of a NAND backup to the Gateway SD (emuNAND backup & sysNAND backup)

    It's already working with different NAND sizes, but I have to test it a bit more to make sure everything works as expected.

    Nothing big and just a simple gui, but it's a lot more comfortable than a hex editor ;)

    Possible future features: (only if demanded after the first release...)
    - Building a Gateway emuNAND SD from ground without the use of the gateway.
    It also creates the FAT Partition.
    - Backup current SD content and move it back onto the SD after building the Gateway SD.
     
    Schizoanalysis, damysteryman and Cyan like this.
  10. Duo8

    Duo8 GBAtemp Psycho!

    Member
    9
    Jul 16, 2013
    Vietnam
    What sizes are there? Why are there many sizes anyway? Shouldn't they be the same?
     
  11. n1ghty

    n1ghty GBAtemp Regular

    Member
    5
    Aug 8, 2013
    Saint Kitts and Nevis
    Different NAND chips. The newer ones are from Samsung. A lot of parts change over time in consoles. It's all about the price and availability.
    The NANDs are padded at the end, so the size doesn't matter. The partition offsets are the same.

    The sizes of my XL NANDs are:
    1931264 sectors
    988.807.168 bytes

    1953792 sectors
    1.000.341.504 bytes
     
  12. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    22
    Oct 27, 2002
    France
    Engine room, learning
    The dummy sector is in fact the MBR with the partition table (and a single partition listed as FAT32 ).
    I guess it's using a different sector number if using a different SD card, so if you allow users to restore a backup on a different SD size be sure to check how many sectors are free. Don't restore the existing dummy sector.

    That's probably why Win32Imager is backing up the entire card, there's only a single partition information in the MBR, not two.
    As there's a single partition, it's backing/restoring the entire device's sector instead of the partition's size. (it's just a supposition, I didn't look in WinImager's sources). Or maybe it's always reading/writing the entire device instead of the partition, but it displays Windows's partition letters instead of devices in the drop down list.
     
  13. n1ghty

    n1ghty GBAtemp Regular

    Member
    5
    Aug 8, 2013
    Saint Kitts and Nevis
    The first version won't touch the dummy/MBR sector. If you want to use a different SD, you will have to format it with the gateway and then inject the old backup.
    My tool checks for an existing Gateway MBR.
     
  14. DAHU75

    DAHU75 Member

    Newcomer
    1
    Oct 30, 2013
    France
    hello

    I have a nand backup 6.2.0.12E made with a hardware tool.

    Is it possible to modify it into an emunand for gateway, and inject it to the SD card?

    If yes, how can I do that?

    thanks for your help
     
  15. deoFusion

    deoFusion Member

    Newcomer
    3
    Nov 26, 2005
    United Kingdom
    London
    Yes, although you'll still need a 4.x system to use the emuNAND/gateway in the first place.

    The OP explained how and the rest of this thread elaborates on the specifics...
     
  16. DAHU75

    DAHU75 Member

    Newcomer
    1
    Oct 30, 2013
    France
    Thanks
    Yes, I have a 4.x system but I haven't upgraded my emunand.

    Yes, but it's not clear to me. Is there no explicit tutorial?
     
  17. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    22
    Oct 27, 2002
    France
    Engine room, learning
    You can only use that NAND 6.2.0-12 backup if it's from the same console.
    If you did a Hardware backup from Console A, it will not work in EmuNAND on Console B.

    But I suppose your 6.2.0-12 is from the same console, backup 4.5 -> You updated -> backup 6.2 -> downgraded to 4.5
    You can use that 6.2 backup as EmuNAND.

    You need to write it to your SD card.

    1. If not already done, Create EmuNAND partition using Gateway menu to initialize the two partitions.
    2. You have now a hidden partition on your SD card (it contains a copy of your NAND 4.5.0) and a FAT32 partition.
    3. You need to replace the data from the hidden partition with your 6.2.0-12 NAND.bin

    The EmuNAND partition is not a 1:1 copy of your NAND dump. The first sector is moved to the end of the dump:
    Sector 0 (512Bytes) ; Nand dump ; Last dump sector +1
    |________________________________^

    The Sector 0 of the SD card needs to be retained as it contains the MBR (Partition table). Without the MBR, Windows/3DS would not see the FAT32 partition.

    SD structure:
    Sector 0 : MBR
    Sector 1 : EmuNAND starting at Sector 1 too
    Sector x : End of EmuNAND
    Sector x+1 : EmuNAND sector 0
    Sector 200000 : Start of FAT32 partition


    As explained above (post #71), there are two different NAND sizes. But if you have a hardware backup, you already know which one you have.

    To write your NAND dump to SD card:
    You can use Linux and the dd command (also detailed above, #67)
    Or use Hexworkshop in Windows, but you'll have to prepare the file to be written to SD first. You can also wait for n1ghty to release his tool to do it.
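
Added example, not part of any post in this thread: the sector rearrangement from the dd commands and the SD structure above, generalized to any NAND size and run on image files instead of /dev/sdX. The function names and the generic 55 AA boot-signature check on sector 0 are assumptions of this example; the Gateway-specific MBR check that n1ghty mentions is not shown on the page.

```shell
#!/bin/sh
# Added example: operates on image files only, never on a block device.
# Layout, for a NAND of n sectors:
#   SD[0] = MBR, SD[1..n-1] = NAND[1..n-1], SD[n] = NAND[0]
# Usage (hypothetical file names):
#   inject_emunand nand.bin sd.img
#   extract_emunand sd.img 1931264 out.bin
SECTOR=512

# sectors FILE: print the number of 512-byte sectors, fail if not aligned
sectors() {
    size=$(wc -c < "$1") || return 1
    [ $((size % SECTOR)) -eq 0 ] || { echo "$1: not sector-aligned" >&2; return 1; }
    echo $((size / SECTOR))
}

# has_mbr_sig IMAGE: succeed if sector 0 ends with the 55 AA boot signature
has_mbr_sig() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# extract_emunand SD_IMAGE NAND_SECTORS OUT: rebuild the unsplit NAND dump
extract_emunand() {
    sd=$1 n=$2 out=$3
    [ "$(sectors "$sd")" -gt "$n" ] || { echo "$sd: too small" >&2; return 1; }
    # NAND sector 0 is stored right after the last NAND sector on the SD
    dd if="$sd" of="$out" bs=$SECTOR skip="$n" count=1 2>/dev/null &&
    dd if="$sd" of="$out" bs=$SECTOR skip=1 seek=1 count=$((n - 1)) \
       conv=notrunc 2>/dev/null
}

# inject_emunand NAND SD_IMAGE: write the dump in place, leaving sector 0 alone
inject_emunand() {
    nand=$1 sd=$2
    n=$(sectors "$nand") || return 1
    has_mbr_sig "$sd" || { echo "$sd: no MBR in sector 0, refusing" >&2; return 1; }
    [ "$(sectors "$sd")" -gt "$n" ] || { echo "$sd: too small" >&2; return 1; }
    dd if="$nand" of="$sd" bs=$SECTOR skip=1 seek=1 conv=notrunc 2>/dev/null &&
    dd if="$nand" of="$sd" bs=$SECTOR count=1 seek="$n" conv=notrunc 2>/dev/null
}
```

Comparing the extracted file with the original dump (for example with cmp) confirms the round trip before anything is written to a real card.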
     
  18. DAHU75

    DAHU75 Member

    Newcomer
    1
    Oct 30, 2013
    France
    yes it's the same console

    with 4.2 backup , upgrade 6.2.0-12 , restore 4.2 with hardware ;)
    for the nand size, it's a 3DS day one ;)

    ok i'll do test and post if success

    thanks so much for the GREAT HELP :)
     
  19. n1ghty

    n1ghty GBAtemp Regular

    Member
    5
    Aug 8, 2013
    Saint Kitts and Nevis
    Is there someone who wants to beta test the first version of my tool?

    Features in the first version are:
    There isn't a readme yet, but I think I succeeded in making it noob friendly :rolleyes:

    Edit:
    Beta test group full. Release soon™
     
    Gildoniel likes this.
  20. DAHU75

    DAHU75 Member

    Newcomer
    1
    Oct 30, 2013
    France
    very nice , i pm you
     