Why the 3DS can't be downgraded on 11.4 "For Dummies" (A simple explanation for the rest of us)

Discussion in '3DS - Flashcards & Custom Firmwares' started by Swiftloke, Sep 11, 2016.

  1. Swiftloke
    OP

    Swiftloke Hwaaaa!

    Member
    1,769
    1,495
    Jan 26, 2015
    United States
    Nowhere
    Hi, GBATemp. So a lot of you newcomers have been wondering why a 3DS on 11.4 can't be downgraded. Perhaps some of you old members are wondering this too. Well, not after today. This thread attempts to document in a very easy to understand yet very comprehensive way why this feature is not possible.
    A disclaimer
    Another disclaimer
    All right, enough of this stupid disclaimer crap. Let's get to the good stuff.
    Note: I highly recommend you check out my glossary of 3DS hacking terms before reading this.
    The Basics
    The 3DS has two main processors: an arm11 and an arm9. If you don't know what those are, it doesn't really matter. The arm11 handles everything you see: the games that run, the HOME menu, and so on. The arm9's main use is to serve as a backwards compatibility processor: it's what runs DS games. [The arm11 doesn't run games here: this is the one exception to the above rule] However, in 3DS mode, it's reused as a security processor. It handles integrity [making sure the games that run aren't pirated] filesystem calls [reading and writing to the NAND, basically the hard drive of the 3DS] and a lot of other fun things. With this in mind, let's talk about the security of the 3DS.
    1. arm11 userland: this is what the games run in. Since games won't *ever* need to read/write to the NAND, install stuff [more on that in a minute] or change security checks, it doesn't have access to them. Things like menuhax, browserhax, and game exploits [like ninjhax, oot3dhax, and so on] are what run here, and so does the Homebrew Launcher.
    2. arm11 kernel: this is what handles more sensitive stuff, but is still on the arm11. It has access to anything the arm11 can do, including game installation [with the arm9 making sure the game is valid first], but beyond that it's not really that useful for much (except abusing other functions in specific cases, see "Single System DSiWareHax"). Game exploits [userland] need another exploit in the kernel to break into this and use everything it has access to [things like game installation, so long as the arm9 says the games are OK, which they rarely are, more on that in a bit], since the kernel won't just listen to whatever userland tells it to do*. The one thing it is really useful for is breaking into the
    3. arm9: this is what's really interesting in terms of security, as mentioned earlier. We need yet another exploit to break into this, since it won't just listen to what arm11 tells it to do*. Getting an exploit for this is the real meat of 3DS hacking, since it allows for things like CFW, playing backups of your games [oh who am I kidding it means piracy], direct reading/writing to the NAND [useful for very specific things] and decryption of content.
    Hopefully, now you have a [very] basic idea of the 3DS security. With that in mind, let's talk downgrading.
    The past [<11.0]
    Downgrading before 11.0 was pretty simple: it meant an arm11 kernel exploit. Let's talk about what that "arm9 says it's OK" meant from earlier.
    Legit stuff
    With an arm11 kernel exploit, game installation is possible. This comes with one major catch- the game must be signed by Nintendo. What does "signed" mean? Well, signatures are little things in a file that say that someone made this, and it has their approval. On the 3DS, signatures are given by Nintendo. With an arm11 kernel exploit, we can install things that are signed by Nintendo. The not fun part here is that for games, the signatures for digital versions [games you install to the SD card, not a cartridge] are console specific. With very few exceptions [they're called "legit CIAs", we'll talk about it in a moment] this means that game installation is not possible with a mere arm11 kernel exploit.
    Legit CIAs
    Legit CIA files [the file format for 3DS games] are files that have good signatures for every console. This means that when attempting to install them with an arm11 kernel exploit, the arm9 will approve of it. Now here's the fun part that relates to downgrading- system updates are legit CIAs. Furthermore, the arm9 doesn't check to see if it's an earlier version. [Technically not true, but it's so easy to get around that it's not worth mentioning**] Therefore, to downgrade we perform an arm11 kernel exploit and install the earlier versions of the legit system updates. This reintroduces the last known arm9 exploit to the system, on version 9.2, which we can then use.
    The present [11.4]
    arm9 gets in the way
    Starting on 11.0, this is no longer true. When using an arm11 kernel exploit to install particular titles [system updates] arm9 checks against a list introduced in 11.0 that says what versions of system updates are valid. If the title version is older than 11.4, arm9 tells arm11 to stop installing the title. Due to the way the security system works* the arm11 will obey and stop installing.
    Downgrading on 11.0-11.3
    So all this stuff was introduced on 11.0. But we still downgraded. Let's talk about the various holes that got us there.
    Hardmod & DSiWareHax
    These are both methods of dumping/restoring the NAND without an arm9 exploit. Usually, this isn't helpful at all- the NAND is encrypted, and decrypting it would require an arm9 exploit. However, due to the way encryption works, in a nutshell we can derive the main part of the OS [and only the main part of the OS] from an encrypted NAND dump. This was abused by decrypting the main part of the OS [dubbed NATIVE_FIRM], inserting an older version into it, then re-encrypting it and writing it back. By doing this, the version will be on 10.7, and arm9 would no longer use the list. (Note that if this still worked, we would just downgrade to 11.2 so we could use the arm9 exploit there. Technically we would downgrade both NATIVE_FIRM and SAFE_FIRM due to how the exploit works)
    How did single system DSiWareHax work?
    These were patched on 11.3. By having the "sysmodules" (every part of the OS that isn't NATIVE_FIRM) require the latest NFIRM, it's no longer possible to downgrade it.

    True downgrading

    On 11.2, an arm9 exploit called "safehax" (details here) was released. With this control, we are able to stop arm9 from using the downgrade check. And with arm9 control, there was no reason to downgrade from 11.2 to 9.2.
    This was patched on 11.3. However, a bypass was disclosed after 11.4 was released and patched said bypass. Details are also in the above linked thread.
    The future [what could be done for 11.4]
    Well, put simply, to downgrade on 11.4, we need an arm9 exploit. Without being able to tell arm9 to not use the list, there's no way to downgrade via normal software. And if we have an arm9 exploit, there would be no reason to downgrade to 11.2 from 11.4.
    Conclusion
    I hope this explanation helped you in your understanding of the 3DS, and the particular topic at hand, 11.4 downgrading. Again, if there's anything I missed, or you don't understand, let me know and I'll fix it. Have a nice day :)

    *It's a system of permissions. Think of it like this: there's a child, a parent, and a grandparent. The grandparent tells both the parent and the child what to do. The parent tells the child what to do, but not the grandparent, and the child tells neither of them what to do. arm9 is the grandparent, arm11 kernel is the parent, and arm11 userland is the child. The child must trick the parent into doing what he wants, who needs to then trick the grandparent into doing what he wants.
    **arm9 checks if the title to install is older than a title currently installed, and blocks installation if it is. However, we just uninstall the title before installing the new one. Pretty stupid on Nintendo's part.
     
    Last edited by Swiftloke, May 21, 2017 - Reason: 11.4
    HoroHoro, Matzeus, Zuffle and 124 others like this.


  2. MadMageKefka

    MadMageKefka GBAtemp Maniac

    Member
    1,234
    960
    Apr 28, 2016
    United States
    World of ruin
    ...this needs to be stickied.

    Also, first!
     
    dpad_5678, Amani, NoNAND and 12 others like this.
  3. Temarile

    Temarile (ノ◕ヮ◕)ノ*:・゚✧ A9LH ✧゚・: *ヽ(◕ヮ◕ヽ)

    Member
    1,126
    420
    Jan 7, 2016
    Netherlands
    This either needs to be stickied and / or posted in the tutorial section too!
     
    Davidosky99 likes this.
  4. Davidosky99

    Davidosky99 Eevee :3

    Banned
    2,582
    1,569
    Jun 7, 2015
    Porto
    Needs to be stickied!
    Thanks @Swiftloke this is gods work.
    Now anyone can just link this to noobs "CAN I DOWNGRADE 11.0 threads " instead of creating flame wars :D
    Thanks for this!
     
    Last edited by Davidosky99, Sep 11, 2016
    Swiftloke likes this.
  5. AyanamiRei0

    AyanamiRei0 GBATemp's Resident Evangelion fanboy.

    Member
    GBAtemp Patron
    AyanamiRei0 is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    1,136
    858
    Jan 4, 2016
    United Kingdom
    England I guess
    this does need stickying I'm getting tired of people asking 11.0 downgrade this 11.0 downgrade that.

    Edit Also this might stop the attack of newer users that joined this site asking about 11.0 downgrade then getting attacked because they asked.
     
    Last edited by AyanamiRei0, Sep 11, 2016
  6. Autz

    Autz GBAtemp Advanced Fan

    Member
    564
    257
    Feb 18, 2016
    Venezuela
    Nice.

    And BTW, can i downgrade being on 11.0 no-hardmod, no-DSiWare???
     
    Last edited by Autz, Sep 11, 2016
    Amani, Seriel, Aristox-0 and 3 others like this.
  7. DespyCL

    DespyCL GBAtemp's Official Axolotl

    Member
    1,837
    1,988
    Oct 28, 2015
    Chile
    under your couch
    wasnt the guy who made musichax working on a arm11/9 kernel for 11.0?
     
  8. GilgameshArcher

    GilgameshArcher GBAtemp Fan

    Member
    454
    160
    Jul 1, 2012
    Brazil
    São Paulo
  9. ih8ih8sn0w

    ih8ih8sn0w Koreaboo

    Member
    1,653
    713
    Aug 22, 2015
    United States
    Hell
    Sadly noobs will still probably ask about 11.x downgrading even with this in their face :(
     
    Amani, Latyana, Valkart and 4 others like this.
  10. JCCG1989

    JCCG1989 GBAtemp Fan

    Member
    427
    176
    Jul 16, 2016
    Mexico
    Thanks for this excellent bit of knowedge.
     
    Amani likes this.
  11. Sonic Angel Knight

    Sonic Angel Knight GBAtemp Guru

    Member
    8,694
    4,144
    May 27, 2016
    United States
    New York
    So if everyone keep saying the stuff they are saying, then ask a mod to do it and lock it to prevent unnecessary responses.:mellow:
     
  12. vb_encryption_vb

    vb_encryption_vb That hardmod guy....

    Member
    1,808
    865
    Nov 21, 2015
    United States
    Acworth, GA
    What's a hardmod?
     
    Amani, AniTracks, .44 Magnum and 5 others like this.
  13. Lilith Valentine

    Lilith Valentine GBATemp's Wolfdog™ The saint of all the sinners

    Member
    18,389
    17,956
    Sep 13, 2009
    Antarctica
    Between insane and insecure
    This needs to be stickied for noobs to continue to ignore it and make a thread anyways! ^_^
    But I agree, this actually should be stickied...in every section in the 3DS section.
     
    Amani, ih8ih8sn0w and Swiftloke like this.
  14. hobbledehoy899

    hobbledehoy899 Conniption Master

    Member
    2,453
    3,638
    Nov 13, 2015
    United States
    Linux 4.11.7
    Hardware modification.
     
    vb_encryption_vb likes this.
  15. vb_encryption_vb

    vb_encryption_vb That hardmod guy....

    Member
    1,808
    865
    Nov 21, 2015
    United States
    Acworth, GA
    In all reality, new members should be automatically directed to it when they click on anything 3ds related.
     
    Shadowfied likes this.
  16. Lilith Valentine

    Lilith Valentine GBATemp's Wolfdog™ The saint of all the sinners

    Member
    18,389
    17,956
    Sep 13, 2009
    Antarctica
    Between insane and insecure
    I still agree with the idea that that iso site has. Making all posts done by newbies be approved until they hit at least 10 posts. I mean sure it's more work, but that's something that be solved by bringing the Mod team back to help the GM team.
     
    Last edited by Lilith Valentine, Sep 12, 2016
    VinsCool and MushGuy like this.
  17. vb_encryption_vb

    vb_encryption_vb That hardmod guy....

    Member
    1,808
    865
    Nov 21, 2015
    United States
    Acworth, GA
    Thats too much work on the admins behalf. The new member don't see their thread which results in them posting over n over again.
     
    Quantumcat likes this.
  18. Lilith Valentine

    Lilith Valentine GBATemp's Wolfdog™ The saint of all the sinners

    Member
    18,389
    17,956
    Sep 13, 2009
    Antarctica
    Between insane and insecure
    That's why we bring back the mod team. The staff used to be A LOT bigger when I first joined and there used to rarely be time without a member of the staff being online. Sadly new members don't know what the site's real floods used to look like. You guys think it's bad now with the "Can I downgrade 11?" picture that, but 50X worse and in one hour.
    If the old Staff team could handle the Pokefloods of the past, I think a new team would be able to handle thread approval. And IIRC, that iso site doesn't allow users to spam the same thread during their approval period. But been a long time since I needed my posts approved on that site, so I could be wrong.
     
    Ryccardo likes this.
  19. SirBeethoven

    SirBeethoven 3.145.... something. E=mc2

    Member
    1,779
    543
    Nov 26, 2015
    United States
    Hoi! Good read! ;)
     
    Swiftloke likes this.
  20. Skyshadow101

    Skyshadow101 The Sky Is The Limit!

    Member
    882
    298
    May 22, 2016
    The Underground
    This should be stickied! Like, ASAP! It may help to reduce the amount of people asking if they can downgrade from 11.0 with DSIwarehax and a hardmod.
     
    Swiftloke and SirBeethoven like this.