[Tutorial] Restore N3DS from FW 2.1 without NAND Backups

Discussion in '3DS - Tutorials' started by slslasher, Apr 29, 2016.

  1. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    Hi guys, I forgot to do a nand backup and downgrade my n3ds sysnand to 2.1. After getting otp I update my sysnand through system settings resulting in a hardbrick. I know this is user error. I have done many a9lh but this is the first time I forgot. Damned.

    Anyway I have thought of a possible way to unbrick which I do not know if it will work.

    1) Extract out unbricked 2.1 emunand in pc.
    2) Hardmod and flash the unbricked 2.1 emunand to sysnand.
    3) ???

    Lets say the above method works is there anyway to update my sysnand back to 9.2 or 10.7? I am guessing recovery wont work. What about games with update in it?

    Many thanks in advance!

    UPDATE!!! (N3DS is unbricked!!!) *Stuck on 2.1 without any NAND Backups*

    My situation:
    I downgraded to 2.1 on a N3DS without any sysNAND or emuNAND backups totally. So I tried updating though system settings to 10.7 which causes a brick. (I did not know at that point of time).

    So I extracted out the 2.1 from my microSD using 3DS Multi EmuNAND Creator and flashed it back to sysNAND with a hardmod.

    After getting help from @d0k3 & @al3x_10m and many hours of trial and error I managed to update my N3DS from 2.1 without any nand backup.

    So the steps are below, I have splitted it up into 4 sections.

    Links to files needed
    N3DS 10.7 firm0 and firm1 files
    N3DS NCSD Header
    Modded Decrypt9
    OTPHelper-20160502-081624

    1) Setting Up emuNAND
    1) Use OTPHelper to dump your otp.bin and otp0x108.bin
    2) Use OTPHelper to make a backup for 2.1 sysNAND and rename it to sysNAND 2.1 or something. (Incase the gamecart update fails, you still can use a hardmod to unbrick)
    !!!IMPORTANT!!! - I bricked my N3DS a few times during updating to 4.5 using game cart. Steps 3 and 4 is like an insurance, no harm taking extra precaution
    3) Turn off internet settings, format your N3DS, if it is in the format loop just wait around 2 mins or so and off it.
    4) Boot into recovery by holding L + R + Up + A on boot, after that exit
    5) Repeat steps 3 and 4 again
    6) Update the N3DS to 4.5 using a gamecart
    7) Create emuNAND FW 4.5 using gateway by use gateway entrypoint (go.gateway-3ds.com)
    8) Use the modded Decrypt9, it is named as Launcher.dat *Start it using gateway entrypoint (go.gateway-3ds.com) (Slot0x05KeyY.bin needs to be in the root to use the modded Decrypt9)
    9) Dump hs.app for emuNAND 4.5
    10) Use Universal Inject Generator to create sysupdater.app(profi200's one,safesys and plaisys doesn't work)
    11) Unmount SD and put 10.7 N3DS update pack in 'updates' folder, 10.7 firm0.bin and firm 1.bin and NCSD_header_n3ds.bin on root of SD Card
    12) If you have a gateway card, replace the modded Decrypt9 launcher with gateway launcher
    13) Put back your SD and inject sysupdater into h&s then reboot

    2) Updating emuNAND to 10.7
    *Make sure these 3 files are at the root of your SD Card*
    10.7 firm0.bin
    10.7 firm 1.bin
    NCSD_header_n3ds.bin

    1) I used gateway to enter emuNAND for 4.5 since I got a gateway card. If you have no gateway you can try other CFW? If anyone tested it can let me know, I will add it to this guide and put your name in credits :D
    2) Open sysupdater in emuNAND 4.5 and press (A) to update emuNAND to 10.7
    3) After updating it will auto reboot, take out the SD card and replace the Launcher.dat with the one from OTPHelper-20160502-081624
    4) Launch OTPHelper in sysNAND 4.5 *Start it using gateway entrypoint (go.gateway-3ds.com)
    5) Inject the 10.7 firm0.bin and firm1.bin into emuNAND 10.7
    6) Use the Unbrick FW 9.x EmuNAND function (This will take quite some time)
    7) After it is done go to NAND Backup & Restore and select Clone EmuNAND to SysNAND
    8) Make a NAND backup of your 10.7 sysNAND and rename it sysNAND 10.7 or something (This is needed for A9LH installation)
    9) Reboot and your N3DS is now UNBRICKED!!!

    3) Downgrade sysNAND to 9.2
    *Remember to delete the 10.7 updates folder from root of your SD Card*

    1st we need to downgrade to 9.2, you can use Plailect's downgrading guide to downgrade
    I used cubic ninja as the entry point for 10.7 to boot into homebrew launcher

    When you boot into 9.2 it will show "An error has occured." message, don't worry this is normal.
    For some reason it will crash around 3-4 seconds when you boot your N3DS because of the homemenu being loaded I think?

    4) Installing A9LH (LumA Version)
    We need to install menuhax so just grab the files from here, you should know how to use it by now.

    1) Do the Preparatory Work from Plailect's Guide
    2) Now we got a 3-4 seconds window before the N3DS will crash when we boot it
    3) After you on the N3DS quickly tap the top left corner of your touchscreen to go into HOME Menu Settings
    4) Tap Change Theme (This is needed to install menuhax)
    5) After exiting it will crash again don't worry
    6) After you on your N3DS again, quickly tap on the internet browser icon
    7) Go to http://yls8.mtheall.com/3dsbrowserhax_auto.php to launch homebrew launcher
    8) Install menuhax, configure it to type 2 (Auto Boot)
    9) Exit menuhax manager and launch miniPasta, it will auto reboot into homebrew launcher again
    10) Launch Safe A9LH Installer and press Select *Redo steps 9-10 if it hangs*
    11) Power on your N3DS, it will auto reboot into homebrew launcher again, now uninstall menuhax
    12) A9LH is installed in your N3DS but the error will still show up when it is on 9.2 so now we gonna update it to 10.7 while keeping the A9LH
    13) If you have followed the Preparatory Work from Plailect Guide, you will be able to launch Decrypt 9 by holding Start button on boot
    14) Launch Decrypt9, go to SysNAND Options > SysNAND Backup/Restore... > NAND Restore (keep a9lh) > Select the sysNAND 10.7 backup you made earlier on
    15) After restoring you will have a A9LH 10.7 sysNAND
    16) Use Decrypt 9 to inject fbi to the h&s
    17) Now make a NAND dump of the 10.7 A9LH sysNAND


    Pros:
    N3DS is unbricked!

    Cons:
    You can't use any app or stuffs related to DSIware
    BigBlueMenu is not working, but there are other .cia installers to replace that.
    I can't format my N3DS too but hey its unbricked, who cares

    Credits:
    @d0k3 For helping me throughout the whole journey and providing the OTPHelper-20160502-081624 test build
    @al3x_10m For helping me throughout the whole journey and providing the N3DS NCSD Header & Modded Decrypt9 files
    yellows8 for menuhax and browserhax
    @Plailect for the A9LH guide
    @smealum for ninjhax
    @DarkMatterCore for 3DS Multi EmuNAND Creator
     
    Last edited by slslasher, May 8, 2016
  2. 4gionz

    4gionz GBAtemp Advanced Fan

    Member
    786
    307
    Aug 16, 2014
    Canada
    How did you end up on 2.1 without a 9.2 NAND backup? Damn even if you flash the 2.1 emunand with a hardmod (which would actually work I think) you'll still be left on 2.1 with no way to get back to 9.2...hopefully someone here has a way out
     
  3. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    U wont need a 9.2 backup to downgrade to 2.1. Coz I memorized the a9lh steps so I did nt read the guide now. So I missed out the backup part.

    Works on old3ds but bricked on new 3ds
     
  4. 4gionz

    4gionz GBAtemp Advanced Fan

    Member
    786
    307
    Aug 16, 2014
    Canada
    No I know you don't need a 9.2 backup to downgrade but you absolutely need one to get back to your original firmware..it's a crucial part of the guide and literally step one once on 9.2 even when NOT trying to install a9lh. I'm sorry but I really think it's permabricked...wish I could be more help.

    pm me if you can't do anything with it and want to sell it tho. If it's decent condition I may take it if the price is cheap just for the parts (although I doubt it since just the shipping from you to me would cost an arm and a leg)
     
  5. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    I am actually selling quite cheap. 125sgd. Its in really good condition n I have 2 of it. Maybe I will try to recover my partition using some software to get it to 10.7 pre-downgraded emunand n extract it out which I doubt it will work. I will try it tonight. I am very good at soldering, used to do psp mods but might not help in this case.
     
  6. mathieulh

    mathieulh GBAtemp Fan

    Member
    335
    394
    Feb 28, 2008
    France
    The keyslot used to decrypt/encrypt CTRNAND changed from 0x04 on o3ds to 0x05 on n3ds, when you downgraded to 2.1.0 which uses an o3ds firm, you re-encrypted your CTRNAND using the 0x04 keyslot, but using a card or system settings to update your console will write a n3ds FIRM (after all, your console is a n3ds) which needs CTRNAND to be encrypted with keyslot 0x05, because it's not encrypted with the right key, it will fail to boot.
     
    Quantumcat likes this.
  7. Bedel

    Bedel The key of the blade

    Member
    999
    347
    Oct 28, 2015
    If you have emunand backup and not sysnand, I think you can use that to recover the N3DS. It will be on 10.7 and need a downgrade again, but since it's the same console, it should be possible to recover from the hardbrick that way.
     
  8. jerrmy12

    jerrmy12 GBAtemp Regular

    Member
    240
    71
    Apr 8, 2016
    United States
    kek, this is what you get for skipping steps
     
  9. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    4gionz likes this.
  10. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    Last edited by slslasher, May 8, 2016
  11. FenrirWolf

    FenrirWolf GBAtemp Psycho!

    Member
    4,347
    329
    Nov 19, 2008
    United States
    Sandy, UT
    So do you have no other nand backups whatsoever for either console? Not even a 10.7 emunand or something?
     
  12. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    Nope, if I had I would have flashed it to sysnand.
     
  13. driverdis

    driverdis I am Justice

    Member
    2,452
    940
    Sep 21, 2011
    United States
    1.048596β
    I would talk to @d0k3 and see if he has any ideas on making something sysupdater like that installs New 3DS cias (9.2) then undoes the changes to the NAND to allow 9.2 to boot on New 3DS.

    Other than that, You are stuck.
     
  14. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    is it possible to just undo the changes to NAND then I use recovery to update to 10.7?
     
  15. driverdis

    driverdis I am Justice

    Member
    2,452
    940
    Sep 21, 2011
    United States
    1.048596β
    Snip
     
    Last edited by driverdis, Apr 30, 2016
  16. driverdis

    driverdis I am Justice

    Member
    2,452
    940
    Sep 21, 2011
    United States
    1.048596β
    Snip
     
    Last edited by driverdis, Apr 30, 2016
  17. driverdis

    driverdis I am Justice

    Member
    2,452
    940
    Sep 21, 2011
    United States
    1.048596β
    Snip
     
    Last edited by driverdis, Apr 30, 2016
  18. driverdis

    driverdis I am Justice

    Member
    2,452
    940
    Sep 21, 2011
    United States
    1.048596β
    Snip
     
    Last edited by driverdis, Apr 30, 2016
  19. driverdis

    driverdis I am Justice

    Member
    2,452
    940
    Sep 21, 2011
    United States
    1.048596β
    I do not think so as recovery probably would not boot once the NAND changes were reverted. If New 3DS CIAs and firm (from firmware 9.2) could be installed from inside 2.1, undoing the changes to the NAND would probably allow boot on 9.2.

    — Posts automatically merged - Please don't double post! —

    Well, great. Stupid phone's cellular connection made me post multiple times :/
     
  20. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    I saw from youtube there is a way to install .cia through cmd in windows. What abt reverting the nand changes?
     
  21. d0k3

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Oh well... There is no known way out of this problem. With a hardmod, you can try this (I'm only giving you pointers into the right direction here, you need to do the legwork yourself):
    • [Preparations] USe OTPHelper to generate the CTRNAND slot 0x05 and slot 0x04 XORpads, keep them in a safe place
    • Upgrade to v4.5 using a cartridge (everything should be fine, N3DS still working)
    • Using SysUpdater and a N3DS update pack, update your N3DS to an acceptable version >= 9.0
    • The last step will have your SysNAND bricked
    • To unbrick, dump your NAND, then dump your CTRNAND from that with my 3DSFAT16 tool (in my GitHub...) using the slot 0x04 XORpad
    • Inject the CTRNAND back into the NAND dump using the slot 0x05 XORpad
    • Replace the first 512 byte of your NAND dump with the first 512 byte from another (working, >= 9.0) N3DS NAND dump (need help from another user for this).
    • Write your NAND dump back
    If you are really lucky, this will do the job. If it does not, it will be much harder. You'd basically need to install A9LH from 2.1 (there is a possibility, but you will need to hunt it down, also maybe @dark_samus3 knows), then get a N3DS vX.Y CTRNAND from someone else and replace certain files (I can't help you to decide which) with files from your CTRNAND.

    Anyways, I fully expect you let us know how this goes for you. Good luck!


    EDIT: Just added a step that I forgot, recheck the instructions.
     
    Last edited by d0k3, Apr 30, 2016
  22. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    Hi, thanks for the steps. I will try it later. I have got and extra small N3DS for extracting the NAND dump but I don't really get the 2nd last step about the 512 byte.
     
  23. d0k3

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Dump the NAND from the second N3DS as well, get the first 512 byte from that and write to a file. When doing the steps, you need to replace the first 512 bytes of the first N3DS NAND dump with the first 512 byte from the second N3DS NAND dump. Second N3DS needs to be >= 9.0.

    Also, you're the first person to do this, and if it works, or if it fails - please let the others on here know how it turns out for you.
     
  24. slslasher
    OP

    slslasher GBAtemp Regular

    Member
    105
    26
    Mar 17, 2015
    Senegal
    Sure I will let you guys know the results. The 512 bytes do u mean using a hexeditor and copy the values 0x200 (512) bytes. Length in hex editor is 200.