[Tutorial] Hardmod - downgrade New 3DS to 2.1 for OTP dumping

Discussion in '3DS - Tutorials' started by mashers, Feb 18, 2016.

  1. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,143
    Jun 10, 2015
    Kongo Jungle
    Hi all

    After trying the emunand 2.1 downgrade method last night unsuccessfully, I have just succeeded in downgrading my hard modded New 3DS from 9.2 to 2.1 in order to dump the OTP. It was fairly straightforward, but I thought I would post the method I used so others can follow it. Just to be clear, if you have a hard mod you don't have to use the emunand method for downgrading to 2.1 which makes things much more straightforward.

    This tutorial assumes the following:
    • You have a hard mod installed on your 3DS and know how to use it to read and write the NAND
    • You know how to verify a SysNAND backup using md5
    • You know how to back up your sysnand, emunand and SD card
    • You know how to access hax to get to the Homebrew Launcher
    • You know how to install homebrew apps on your 3DS
    • You know how to install CIAs using FBI
    • You know how to use the command prompt or terminal on the OS you are running on your computer
    • You know how to use a hex editor
    I won’t explain how to do all of these as this guide is intended to be an overview of the downgrade process I used. If you do not meet all of the assumptions above then do not follow this guide. To be perfectly clear:

    If you follow this guide and do not have both a hardmod and a valid sysnand backup, you will hardbrick your console and this will not be recoverable.

    I tested this using the following configuration:
    • EUR New 3DS (non-XL)
    • Hard mod
    • 9.2 SysNAND
    • Cubic Ninja as Homebrew entrypoint
    I make no guarantees that this will work for anybody else, either the same or different hardware. If you want to give this a try please take precautions and feel free to post in this thread if you need any help!

    Ok, technicalities out of the way. Let's get started.

    Part 1: Prepare your SD card

    You need the following homebrew apps on your SD card:
    In addition, you will need the following on your SD card:

    Once all of this is copied over, your SD card should look like this:
    [Image: SD contents.png]


    You will also need the following on your computer:

    Part 2: Dump your console’s xorpads
    1. Launch hax and run Decrypt9
    2. Select “XORpad Generator Options”
    3. Select “CTRNAND Padgen” and follow the instructions to dump to nand.fat16.xorpad
    4. Press B to go back to the main menu, and then press SELECT to unmount your SD card
    5. Put your SD card in your computer and copy nand.fat16.xorpad from the SD card to your computer
    6. Rename nand.fat16.xorpad to nand.fat16_0x5_.xorpad on your computer
    7. Delete nand.fat16.xorpad from the SD card
    8. Put the SD card back in your console, press B and then choose “CTRNAND Padgen 0x4” to dump nand.fat16.xorpad
    9. Press B to go back to the main menu, and then press SELECT to unmount your SD card
    10. Put your SD card in your computer and copy nand.fat16.xorpad from the SD card to your computer
    11. Rename nand.fat16.xorpad to nand.fat16_0x4_.xorpad on your computer
    12. Delete nand.fat16.xorpad from the SD card
    13. Put the SD card back in your console, press B and then quit Decrypt9 back to HBL


    Part 3: Downgrade to 2.1
    1. From HBL, run TinyFormat, and format SysNAND
    2. Reboot the console and complete the initial setup without linking NNID
    3. Launch hax and run MiniPasta
    4. Launch hax and run FBI
    5. Install FBI.cia and sysupdater.cia to SysNAND (SD as the destination)
    6. Press START to exit FBI
    7. Launch MiniPasta
    8. If your 3DS hangs while launching MiniPasta at this point, just power cycle, launch hax, and run MiniPasta again
    9. Unwrap SysUpdater and open it
    10. Press Y to downgrade
    11. Wait for the CIAs to be installed and for the console to boot
    12. SysNAND is now downgraded to 2.1, but is bricked (you will be stuck on a black screen)
    13. Power off your console
    14. Remove the SD card from your console, connect it to your computer, delete the “Nintendo 3DS” folder, and place it back in your console


    Part 4: Unbrick SysNAND
    1. Connect your hard mod adapter cable to the 3DS and computer
    2. Take two backups of SysNAND, one called 2.1.bin and another called 2.1a.bin
    3. Compare the md5sums of the two images. They should be identical. If they are not, then something is wrong with your hard mod
    4. If the two md5sums match, you have a good 2.1 SysNAND backup and can delete 2.1a.bin as you will now be working on 2.1.bin
    5. Move 2.1.bin, nand.fat16_0x4_.xorpad, nand.fat16_0x5_.xorpad and 3DSFAT16tool into the same directory
    6. Open up a command prompt, cd to the directory containing the files you moved in step 5
    7. Enter the following commands:

      Mac/Linux users:

      Code:
      ./3DSFAT16tool -d -n 2.1.bin ctr.bin nand.fat16_0x5_.xorpad
      ./3DSFAT16tool -i -o 2.1.bin ctr.bin nand.fat16_0x4_.xorpad
      Windows users:

      Code:
      3DSFAT16tool.exe -d -n 2.1.bin ctr.bin nand.fat16_0x5_.xorpad
      3DSFAT16tool.exe -i -o 2.1.bin ctr.bin nand.fat16_0x4_.xorpad
    8. Open 2.1.bin and NCSD_header_o3ds.bin in your hex editor
    9. Copy all of NCSD_header_o3ds.bin
    10. In 2.1.bin, select everything from offset 0x200 to the beginning of the file. If your hex editor displays the offsets in decimal, this is the first 512 bytes
    11. Paste to replace this selection with the contents of NCSD_header_o3ds.bin
    12. Save the file and exit
    13. Using your hard mod, flash 2.1.bin to your console’s sysnand


    If everything went according to plan, when you power on your console you will be running 2.1. You can now dump the OTP, and when you have it you can re-flash your 9.2 sysnand and go back to normal.
     
    Last edited by mashers, Feb 19, 2016


  2. iAqua

    iAqua Proud Follower of Skiddon't-ism

    Member
    2,265
    1,538
    Dec 7, 2015
    Canada
    Nice job! Might try this.
     
  3. Plailect

    Plailect GBAtemp Advanced Fan

    Member
    514
    1,217
    Jan 30, 2016
    United States
    You should make this line way bigger
     
  4. JacksonS

    JacksonS GBAtemp Fan

    Member
    367
    106
    Feb 13, 2016
    United States
    Georgia
    Shouldn't this be "nand.fat16_0x5_.xorpad", not "nand.fat16_0x5_xorpad"?
     
  5. Plailect

    Plailect GBAtemp Advanced Fan

    Member
    514
    1,217
    Jan 30, 2016
    United States
    ~
     
    Last edited by Plailect, Feb 19, 2016 - Reason: image too large
  6. runetoonxx2

    runetoonxx2 GBATemp's Cancer

    Member
    1,345
    176
    Jan 15, 2014
    United States
    The GBATemp
    How soon is this new guide? I am aching to get my hands on dat otp.bin
     
  7. Halo249

    Halo249 Banned

    Banned
    35
    3
    Feb 17, 2016
    United States
    Without a hardmod can we still get a game that has 4.0-9.2? I have luigi's mansion o3ds...
     
  8. JacksonS

    JacksonS GBAtemp Fan

    Member
    367
    106
    Feb 13, 2016
    United States
    Georgia
    I think if you try to update with any firmware below 9.0.0-20, it will brick, because those firmwares do not normally run on a New 3DS.
     
  9. Halo249

    Halo249 Banned

    Banned
    35
    3
    Feb 17, 2016
    United States
    Well, I am just here to know how to downgrade to 2.1. I have an o3ds, sorry for not making that clear.
     
  10. Just Passing By

    Just Passing By GBAtemp Advanced Maniac

    Member
    1,562
    594
    Jan 3, 2016
    United States
    http://gbatemp.net/threads/otp-guide.415140/

    I'd wait a little though. V2 of the guide is coming out which they claim will lower the chance of a brick.
     
  11. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,143
    Jun 10, 2015
    Kongo Jungle
    Done.

    — Posts automatically merged - Please don't double post! —

    Fixed - thank you!
     
  12. Keylogger

    Keylogger GBAtemp Advanced Maniac

    Member
    1,693
    360
    May 3, 2006
    France
    What's the point of downgrading to 2.1? And what is otp?
     
  13. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,143
    Jun 10, 2015
    Kongo Jungle
    The OTP is an encryption key which can be used to get early access to arm9, for example to cold boot directly to CFW. You have to downgrade to 2.1 in order to retrieve the OTP.
     
    Last edited by mashers, Feb 19, 2016
  14. artur3004

    artur3004 GBAtemp Fan

    Member
    486
    124
    Mar 31, 2015
    Gambia, The
    Why isn't it possible to dump otp through 2.1 emunand? Would be much safer and people without hardmod could do this
     
  15. JacksonS

    JacksonS GBAtemp Fan

    Member
    367
    106
    Feb 13, 2016
    United States
    Georgia
    You would have to be able to boot the 2.1 emuNAND, and there is no CFW that supports that.
     
  16. artur3004

    artur3004 GBAtemp Fan

    Member
    486
    124
    Mar 31, 2015
    Gambia, The
    But is it technically possible to make a compatible cfw?
     
  17. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,143
    Jun 10, 2015
    Kongo Jungle
    No. OTP is locked by sysnand very soon after booting and way before CFW launches to get to emunand. It is not possible at all to extract OTP from Emunand. Downgrading to 2.1 is the only way.
     
  18. ThomasRobertWade

    ThomasRobertWade GBAtemp Regular

    Member
    163
    20
    Oct 13, 2012
    Why would I want to dump my OTP? It would be heartbreaking to see them apart.
     
  19. Mansi95

    Mansi95 Newbie

    Newcomer
    2
    0
    Mar 11, 2016
    links for eur pack down
     
  20. Plailect

    Plailect GBAtemp Advanced Fan

    Member
    514
    1,217
    Jan 30, 2016
    United States