Why the 3DS can't be downgraded on 11.4 "For Dummies" (A simple explanation for the rest of us)

Discussion in '3DS - Flashcards & Custom Firmwares' started by Swiftloke, Sep 11, 2016.

  1. Swiftloke

    Swiftloke Hwaaaa!

    Jan 26, 2015
    United States
    Foreword: A history of hax
When Smealum, derrek, and plutoo spoke at the 32c3 hacking conference in December 2015, they disclosed a type of exploit, known as an "arm11 kernel exploit" (the main body provides a detailed explanation of this), that enabled users to "downgrade" their consoles: go down to a lower system version to open up old full system control exploits (the last public one of which was on 9.2 at the time). This "arm11 kernel" exploit worked on the latest version at the time, 10.3, and spurred on a rush of new users able to install CFW. Nintendo promptly blocked this exploit in January 2016 with version 10.4. However, in March 2016 aliaspider proved that they had not, in fact, properly patched this exploit, and once again opened up downgrading to the masses.
    Then, everything changed when the Nintendo nation attacked. (again)
With version 11.0 in May 2016, Nintendo was pissed and bringing in the cavalry this time. They not only properly patched the "arm11 kernel" exploit, they added new strong security mechanisms that made downgrading very difficult (and pointless; read the main body for details). New users who had missed out were dismayed, and many asked: why can't I just downgrade like those on <=10.7 did?
On a consistent, almost daily basis, new users joined GBATemp and posted new threads asking this very question. (I particularly remember 3 threads, with minimal difference in the names, asking the exact same question right next to each other.) I, being an active member of GBATemp at the time, continued to see this question asked over, and over, and over, and over again. Gradually growing my knowledge of the 3DS' security system at the time, I had the idea to not only explain to people that they weren't getting their hax, but also explain why they weren't getting it. (I'm a particular fan of this analogy, and this.)
    As of today, boot9strap makes the topic of downgrading largely irrelevant, since with a compatible flashcart you can instantly install CFW on any firmware, bypassing the need for downgrading entirely. (It's still possible to install CFW without any extra hardware on v11.3 and below, where a full system control exploit is known, however, this still makes downgrading pointless. (see the body)) However, this post still provides a lot of insight into the 3DS' security system, and a look into the scene's history. So if you hunger for knowledge, read on.

    Hi, GBATemp. So a lot of you newcomers have been wondering why a 3DS on 11.4 can't be downgraded. Perhaps some of you old members are wondering this too. Well, not after today. This thread attempts to document in a very easy to understand yet very comprehensive way why this feature is not possible.
    A disclaimer
    Another disclaimer
    All right, enough of this stupid disclaimer crap. Let's get to the good stuff.
    Note: I highly recommend you check out my glossary of 3DS hacking terms before reading this.
    The Basics
The 3DS has two main processors: an arm11 and an arm9. If you don't know what those are, it doesn't really matter. The arm11 handles everything you see: the games that run, the HOME menu, and so on. The arm9's main use is to serve as a backwards compatibility processor: it's what runs DS games. [The arm11 doesn't run games here: this is the one exception to the above rule.] However, in 3DS mode, it's reused as a security processor. It handles integrity [making sure the games that run aren't pirated], filesystem calls [reading and writing to the NAND, basically the hard drive of the 3DS], and a lot of other fun things. With this in mind, let's talk about the security of the 3DS.
    1. arm11 userland: this is what the games run in. Since games won't *ever* need to read/write to the NAND, install stuff [more on that in a minute] or change security checks, it doesn't have access to them. Things like menuhax, browserhax, and game exploits [like ninjhax, oot3dhax, and so on] are what run here, and so does the Homebrew Launcher.
    2. arm11 kernel: this is what handles more sensitive stuff, but is still on the arm11. It has access to anything the arm11 can do, including game installation [with the arm9 making sure the game is valid first], but beyond that it's not really that useful for much (except abusing other functions in specific cases, see "Single System DSiWareHax"). Game exploits [userland] need another exploit in the kernel to break into this and use everything it has access to [things like game installation, so long as the arm9 says the games are OK, which they rarely are, more on that in a bit], since the kernel won't just listen to whatever userland tells it to do*. The one thing it is really useful for is breaking into the
    3. arm9: this is what's really interesting in terms of security, as mentioned earlier. We need yet another exploit to break into this, since it won't just listen to what arm11 tells it to do*. Getting an exploit for this is the real meat of 3DS hacking, since it allows for things like CFW, playing backups of your games [oh who am I kidding it means piracy], direct reading/writing to the NAND [useful for very specific things] and decryption of content.
    Hopefully, now you have a [very] basic idea of the 3DS security. With that in mind, let's talk downgrading.
    The past [<11.0]
    Downgrading before 11.0 was pretty simple: it meant an arm11 kernel exploit. Let's talk about what that "arm9 says it's OK" meant from earlier.
    Legit stuff
    With an arm11 kernel exploit, game installation is possible. This comes with one major catch- the game must be signed by Nintendo. What does "signed" mean? Well, signatures are little things in a file that say that someone made this, and it has their approval. On the 3DS, signatures are given by Nintendo. With an arm11 kernel exploit, we can install things that are signed by Nintendo. The not fun part here is that for games, the signatures for digital versions [games you install to the SD card, not a cartridge] are console specific. With very few exceptions [they're called "legit CIAs", we'll talk about it in a moment] this means that game installation is not possible with a mere arm11 kernel exploit.
    Legit CIAs
    Legit CIA files [the file format for 3DS games] are files that have good signatures for every console. This means that when attempting to install them with an arm11 kernel exploit, the arm9 will approve of it. Now here's the fun part that relates to downgrading- system updates are legit CIAs. Furthermore, the arm9 doesn't check to see if it's an earlier version. [Technically not true, but it's so easy to get around that it's not worth mentioning**] Therefore, to downgrade we perform an arm11 kernel exploit and install the earlier versions of the legit system updates. This reintroduces the last known arm9 exploit to the system, on version 9.2, which we can then use.
    The present [11.4]
    arm9 gets in the way
Starting on 11.0, this is no longer true. When using an arm11 kernel exploit to install particular titles [system updates], arm9 checks against a list introduced in 11.0 that says what versions of system updates are valid. If the title version is older than 11.4, arm9 tells arm11 to stop installing the title. Due to the way the security system works*, the arm11 will obey and stop installing.
    Downgrading on 11.0-11.3
    So all this stuff was introduced on 11.0. But we still downgraded. Let's talk about the various holes that got us there.
    Hardmod & DSiWareHax
    These are both methods of dumping/restoring the NAND without an arm9 exploit. Usually, this isn't helpful at all- the NAND is encrypted, and decrypting it would require an arm9 exploit. However, due to the way encryption works, in a nutshell we can derive the main part of the OS [and only the main part of the OS] from an encrypted NAND dump. This was abused by decrypting the main part of the OS [dubbed NATIVE_FIRM], inserting an older version into it, then re-encrypting it and writing it back. By doing this, the version will be on 10.7, and arm9 would no longer use the list. (Note that if this still worked, we would just downgrade to 11.2 so we could use the arm9 exploit there. Technically we would downgrade both NATIVE_FIRM and SAFE_FIRM due to how the exploit works)
    How did single system DSiWareHax work?
    These were patched on 11.3. By having the "sysmodules" (every part of the OS that isn't NATIVE_FIRM) require the latest NFIRM, it's no longer possible to downgrade it.

    True downgrading

    On 11.2, an arm9 exploit called "safehax" (details here) was released. With this control, we are able to stop arm9 from using the downgrade check. And with arm9 control, there was no reason to downgrade from 11.2 to 9.2.
This was patched on 11.3. However, a bypass was disclosed after 11.4 was released, and 11.4 patched said bypass. Details are also in the above linked thread.
    The future [what could be done for 11.4]
    Well, put simply, to downgrade on 11.4, we need an arm9 exploit. Without being able to tell arm9 to not use the list, there's no way to downgrade via normal software. And if we have an arm9 exploit, there would be no reason to downgrade to 11.2 from 11.4.
    I hope this explanation helped you in your understanding of the 3DS, and the particular topic at hand, 11.4 downgrading. Again, if there's anything I missed, or you don't understand, let me know and I'll fix it. Have a nice day :)

    *It's a system of permissions. Think of it like this: there's a child, a parent, and a grandparent. The grandparent tells both the parent and the child what to do. The parent tells the child what to do, but not the grandparent, and the child tells neither of them what to do. arm9 is the grandparent, arm11 kernel is the parent, and arm11 userland is the child. The child must trick the parent into doing what he wants, who needs to then trick the grandparent into doing what he wants.
    **arm9 checks if the title to install is older than a title currently installed, and blocks installation if it is. However, we just uninstall the title before installing the new one. Pretty stupid on Nintendo's part.
    Last edited by Swiftloke, Sep 15, 2017
    NoNAND, MUDD_BR, espurri and 141 others like this.
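The post describes three checks arm9 performs on an install requested by the arm11 kernel: the signature must be good, a console-specific ticket must belong to this console, and (since 11.0) a system update must not fall below an allow-listed minimum version, on top of the older "not older than the installed copy" check that footnote ** shows can be dodged by uninstalling first. The following toy model, added here as an illustration and not code from the post or from Nintendo, runs those checks in order so you can see why the uninstall trick works against the pre-11.0 check but not against the 11.0 list. It assumes HMAC-SHA256 under a made-up PUBLISHER_KEY as a stand-in for Nintendo's real signatures, uses invented console ids, reduces the 11.0 list to a single minimum version for the system-update title, and uses only the version numbers the post itself mentions.

```python
"""
Toy model of the arm9 install checks described in the post above.

Constructed illustration, not Nintendo's code or the post author's. Assumptions:
  * a title's signature is modelled as HMAC-SHA256 under a made-up PUBLISHER_KEY
    (stand-in for Nintendo's real signing keys, which we do not have);
  * a ticket is "legit" (valid on every console) when console_id is None,
    otherwise it is bound to one console;
  * the 11.0+ allow-list is reduced to one minimum version for the system-update
    title, which is all the post describes.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLISHER_KEY = b"constructed-publisher-key"   # made up; NOT a real key
NATIVE_FIRM = "NATIVE_FIRM"                    # the system-update title


@dataclass(frozen=True)
class Title:
    title_id: str
    version: Tuple[int, int]          # (major, minor), e.g. (11, 4)
    console_id: Optional[str]         # None => legit CIA, installs on any console
    signature: bytes


def _message(title_id: str, version: Tuple[int, int], console_id: Optional[str]) -> bytes:
    return f"{title_id}|{version[0]}.{version[1]}|{console_id or '*'}".encode()


def sign_title(title_id: str, version: Tuple[int, int], console_id: Optional[str] = None) -> Title:
    """'Publisher' side: sign a title, optionally binding it to a single console."""
    sig = hmac.new(PUBLISHER_KEY, _message(title_id, version, console_id), hashlib.sha256).digest()
    return Title(title_id, version, console_id, sig)


class Arm9:
    """The part of arm9 that says yes or no to an install the arm11 kernel asks for."""

    def __init__(self, console_id: str, installed: Dict[str, Tuple[int, int]],
                 min_system_version: Optional[Tuple[int, int]] = None):
        self.console_id = console_id
        self.installed = dict(installed)              # title_id -> installed version
        self.min_system_version = min_system_version  # None => pre-11.0 firmware, no list

    def check_install(self, t: Title) -> str:
        expected = hmac.new(PUBLISHER_KEY, _message(t.title_id, t.version, t.console_id),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, t.signature):
            return "rejected: bad signature"
        if t.console_id not in (None, self.console_id):
            return "rejected: ticket bound to another console"
        # Check added in 11.0: a system update below the allow-listed minimum is refused,
        # regardless of what is currently installed.
        if self.min_system_version and t.title_id == NATIVE_FIRM and t.version < self.min_system_version:
            return "rejected: below minimum system version"
        # Pre-11.0 check (footnote **): refuse a version older than the installed copy.
        current = self.installed.get(t.title_id)
        if current is not None and t.version < current:
            return "rejected: older than installed copy"
        return "ok"

    def install(self, t: Title) -> str:
        verdict = self.check_install(t)
        if verdict == "ok":
            self.installed[t.title_id] = t.version
        return verdict

    def uninstall(self, title_id: str) -> None:
        self.installed.pop(title_id, None)


def downgrade_attempt(system_version: Tuple[int, int], target: Tuple[int, int],
                      min_system_version: Optional[Tuple[int, int]] = None) -> Tuple[str, str]:
    """The post's recipe: install an older update; if refused, uninstall first and retry."""
    arm9 = Arm9("console-A", {NATIVE_FIRM: system_version}, min_system_version)
    update = sign_title(NATIVE_FIRM, target)   # system updates are legit CIAs
    first = arm9.install(update)
    arm9.uninstall(NATIVE_FIRM)                # the footnote ** trick
    second = arm9.install(update)
    return first, second


def console_bound_game_check() -> Tuple[str, str, str]:
    """Console-specific ticket vs. legit CIA, as seen from two different consoles."""
    game = sign_title("GAME", (1, 0), console_id="console-A")
    legit = sign_title("GAME", (1, 0))
    a, b = Arm9("console-A", {}), Arm9("console-B", {})
    return a.check_install(game), b.check_install(game), b.check_install(legit)


if __name__ == "__main__":
    print("10.7 -> 9.2  :", downgrade_attempt((10, 7), (9, 2)))
    print("11.4 -> 11.2 :", downgrade_attempt((11, 4), (11, 2), min_system_version=(11, 4)))
    print("game tickets :", console_bound_game_check())
```

Running it shows the two eras side by side: on a 10.7 console with no list, the first install of the 9.2 update is refused as older than the installed copy and the retry after uninstalling succeeds, while on 11.4 with the minimum pinned at 11.4 both attempts are refused by the list check, which never looks at what is installed. The game-ticket case shows why an arm11 kernel exploit alone gets you system updates but not most games: the console-bound ticket is accepted only on the console it was issued for, the legit one everywhere.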
  2. MadMageKefka

    MadMageKefka GBAtemp Advanced Maniac

    Apr 28, 2016
    United States
    World of ruin
    ...this needs to be stickied.

    Also, first!
  3. Temarile

    Temarile (ノ◕ヮ◕)ノ*:・゚✧ A9LH ✧゚・: *ヽ(◕ヮ◕ヽ)

    Jan 7, 2016
    This either needs to be stickied and / or posted in the tutorial section too!
    The_Smash_N00b, hurrz and Davidosky99 like this.
  4. Davidosky99

    Davidosky99 Eevee :3

    Jun 7, 2015
    Needs to be stickied!
    Thanks @Swiftloke this is gods work.
    Now anyone can just link this to noobs "CAN I DOWNGRADE 11.0 threads " instead of creating flame wars :D
    Thanks for this!
    Last edited by Davidosky99, Sep 11, 2016
    hurrz and Swiftloke like this.
  5. AyanamiRei0

    AyanamiRei0 GBATemp's Resident Evangelion fanboy.

    GBAtemp Patron
    Jan 4, 2016
    United Kingdom
    England I guess
    this does need stickying I'm getting tired of people asking 11.0 downgrade this 11.0 downgrade that.

    Edit Also this might stop the attack of newer users that joined this site asking about 11.0 downgrade then getting attacked because they asked.
    Last edited by AyanamiRei0, Sep 11, 2016
    The_Smash_N00b, hurrz, Amani and 3 others like this.
  6. Autz

    Autz GBAtemp Advanced Fan

    Feb 18, 2016

    And BTW, can i downgrade being on 11.0 no-hardmod, no-DSiWare???
    Last edited by Autz, Sep 11, 2016
    The_Smash_N00b, hurrz, Amani and 5 others like this.
  7. DeslotlCL

    DeslotlCL GBAtemp's official lewd scalie trash

    Oct 28, 2015
    United States
wasn't the guy who made musichax working on an arm11/9 kernel for 11.0?
  8. GilgameshArcher

    GilgameshArcher GBAtemp Advanced Fan

    Jul 1, 2012
    São Paulo
  9. ih8ih8sn0w

    ih8ih8sn0w Koreaboo

    Aug 22, 2015
    United States
    Sadly noobs will still probably ask about 11.x downgrading even with this in their face :(
  10. JCCG1989

    JCCG1989 GBAtemp Fan

    Jul 16, 2016
Thanks for this excellent bit of knowledge.
    hurrz and Amani like this.
  11. Sonic Angel Knight

    Sonic Angel Knight GBAtemp Legend

    May 27, 2016
    United States
    New York
    So if everyone keep saying the stuff they are saying, then ask a mod to do it and lock it to prevent unnecessary responses.:mellow:
  12. vb_encryption_vb

    vb_encryption_vb That hardmod guy....

    Nov 21, 2015
    United States
    Acworth, GA
    What's a hardmod?
    Amani, AniTracks, .44 Magnum and 5 others like this.
  13. Lilith Valentine

    Lilith Valentine GBATemp's Wolf-husky™ Marina is best waifu

    Sep 13, 2009
    Many moons away
    This needs to be stickied for noobs to continue to ignore it and make a thread anyways! ^_^
    But I agree, this actually should be stickied...in every section in the 3DS section.
    The_Smash_N00b, hurrz, Amani and 2 others like this.
  14. hobbledehoy899

    hobbledehoy899 GBAtemp Addict

    Nov 13, 2015
    Hardware modification.
    vb_encryption_vb likes this.
  15. vb_encryption_vb

    vb_encryption_vb That hardmod guy....

    Nov 21, 2015
    United States
    Acworth, GA
    In all reality, new members should be automatically directed to it when they click on anything 3ds related.
    The_Smash_N00b and Shadowfied like this.
  16. Lilith Valentine

    Lilith Valentine GBATemp's Wolf-husky™ Marina is best waifu

    Sep 13, 2009
    Many moons away
I still agree with the idea that that iso site has. Making all posts done by newbies be approved until they hit at least 10 posts. I mean sure it's more work, but that's something that can be solved by bringing the Mod team back to help the GM team.
    Last edited by Lilith Valentine, Sep 12, 2016
    hurrz, VinsCool and MushGuy like this.
  17. vb_encryption_vb

    vb_encryption_vb That hardmod guy....

    Nov 21, 2015
    United States
    Acworth, GA
That's too much work on the admins' behalf. The new members don't see their thread, which results in them posting over n over again.
    Quantumcat likes this.
  18. Lilith Valentine

    Lilith Valentine GBATemp's Wolf-husky™ Marina is best waifu

    Sep 13, 2009
    Many moons away
    That's why we bring back the mod team. The staff used to be A LOT bigger when I first joined and there used to rarely be time without a member of the staff being online. Sadly new members don't know what the site's real floods used to look like. You guys think it's bad now with the "Can I downgrade 11?" picture that, but 50X worse and in one hour.
    If the old Staff team could handle the Pokefloods of the past, I think a new team would be able to handle thread approval. And IIRC, that iso site doesn't allow users to spam the same thread during their approval period. But been a long time since I needed my posts approved on that site, so I could be wrong.
    hurrz and Ryccardo like this.
  19. SirBeethoven

    SirBeethoven Do good, be good. Let's fight injustice together.

    Nov 26, 2015
    United States
    Hoi! Good read! ;)
    Swiftloke likes this.
  20. Skyshadow101

    Skyshadow101 The Sky Is The Limit!

    May 22, 2016
    United States
    The Underground
    This should be stickied! Like, ASAP! It may help to reduce the amount of people asking if they can downgrade from 11.0 with DSIwarehax and a hardmod.
    hurrz, Swiftloke and SirBeethoven like this.