Hacking The status of Gateway and A9LH
- Thread starter CreAtor135
- Start date
- Views 194,623
- Replies 1,476
- Likes 9
Are you going to do this on a Samsung NAND N3DS? I was going to do that this weekend on one of my hard modded N3DS that has the Samsung NAND.
I assumed that the GW payload that is installed must be different for the different sized NAND's.
Is that what your trying to find out?
Yes. But somehow I don't think it's an entirely different payload. Not even sure how to find out... binary diff? But much more will be different on the nand between what I'm doing now and the last backup I have from before trying the payloads in this thread, than just the payload (street passes, date, time, etc...)...
I succesfull install the payload con muy toshiba nand (new3dsXl) so i can use lumas's arm9loaderhax.bin for update my new3ds without losing a9lh and gateway's payload arm9loaderhax.bin for my gateway's red card?
Last edited by angelus kun,
The GW a9HL is so cumbersome/time consuming when you have limited time.. otherwise I would have already done it. I know very little about 3DS a9hl under the hood.. but I was going to take a backup of my 1.2 GB N3DS before GW A9HL, and after and just diff to start seeing differences. And try to find the payload in the diff that looks like the GW_Stage2.bin, but is slightly different. (assuming the payload must be different with the smaller NAND's) Isn't that how the GW_Stage2 was found to begin with on the 1.8 GB NANDs? Again I know very little of how a9hl works under the hood, I was just going to play around if someone had not found a solution yet..
Last edited by crimpshrine,
Dunno what I was thinking about the multiple differences in nand. Just made a backup of my current nand (post-install of the payloads here) and I'll use that for my nand.bin during my a9lh install. Almost forgot about that already... it yelled at me for not having nand.bin on my mSD 
EDIT: so... if I can easily see where the block is, should I decrypt my nand dump first then copy and paste that portion into a new .bin file? Or should I be decrypting the nand dumps before even doing the .diff? My instincts tell me to decrypt first before looking at anything...
Edit2: Crap. How do I do this again? My xorpad is a good bit smaller than my dump. I think it's just a ctrnand xorpad, but we're interested in firm0 and firm1, right? How to I get those from GW a9lh without being able to run Decrypt9?
Edit3: Whoa... there is definitely something different about the n3ds GW a9lh. It seems to do its thing so early on that it's hard to trigger the blue screen with my hard mod in order to flash it back! I had to remove the mSD card, and turn it on twice really fast (the first time, showing the red screen then turning off because the payload can't be found). My o3ds with a Toshiba nand does not behave that way. But... I'm still not all that closer to getting what we want. I need to sleep, then I'm going on a trip for a couple of days so I won't be able to do this so soon. Can someone tell me how to get what we need? How to I dump and decrypt the firm0 and firm1 (I have the full nand dump but I guess only the ctrnand xorpad)?
EDIT: so... if I can easily see where the block is, should I decrypt my nand dump first then copy and paste that portion into a new .bin file? Or should I be decrypting the nand dumps before even doing the .diff? My instincts tell me to decrypt first before looking at anything...
Edit2: Crap. How do I do this again? My xorpad is a good bit smaller than my dump. I think it's just a ctrnand xorpad, but we're interested in firm0 and firm1, right? How to I get those from GW a9lh without being able to run Decrypt9?
Edit3: Whoa... there is definitely something different about the n3ds GW a9lh. It seems to do its thing so early on that it's hard to trigger the blue screen with my hard mod in order to flash it back! I had to remove the mSD card, and turn it on twice really fast (the first time, showing the red screen then turning off because the payload can't be found). My o3ds with a Toshiba nand does not behave that way. But... I'm still not all that closer to getting what we want. I need to sleep, then I'm going on a trip for a couple of days so I won't be able to do this so soon. Can someone tell me how to get what we need? How to I dump and decrypt the firm0 and firm1 (I have the full nand dump but I guess only the ctrnand xorpad)?
Last edited by urherenow,
My real big question is will Gateway still support users like us who'd rather have a separate SysNAND and EmuNAND? All this A9LH stuff seems to risky to brick my N3DS.
A9LH doesn't imply sysNAND only...
And on the contrary, GW supports emuNAND and doesn't like the idea of updated sysNAND, according to an email they sent to someone (I don't remember who).
- Joined
- Jun 11, 2007
- Messages
- 207
- Trophies
- 1
- Age
- 30
- Location
- Charlotte, North Carolina
- XP
- 1,676
- Country
I was wanting to try this on one of my N3ds's that i have but after looking through my USB drive. I found out my files I used to install a9lh are gone off my drive. how would i go about dumping the OTP again if its already on a9lh? is it possible to downgrade back to 2.1 to dump it again?
Ok, nobody helped me fast enough so I did everything manually. I now have a decrypted firm0/1 from when I tried the payloads here, and from a GW a9lh install.
There are 3 chunks of data that differ between the two. Keep in mind that these offsets are from examining just the 8,192KB (8,388,608 bytes) that make up the firm0 & Firm1 combined)
000f0760-000f0f64 (yes, it stops being different in the middle of a row)
006D0000-006d24F0
006d2800-006D4000
Edit: and I learned 2 things by looking at the stage2_2.bin from here.
1) I didn't even need to decrypt the firms
2) That particular payload isn't one of those 3 above. It starts at 002D0000.
I hope this is enough information, because I need to sleep. Or do I need to up those 3 sections somewhere for use (from my encrypted firm0/1, now that I know better)? But surely I can't link to them from here, can I?
Edit: The last bit is unimportant (I think). On the GW a9lh, it's zeroed out. It's not on my pre-GW dump.
Edit2: Here are the 2 sections that are different. Hope this helps. If it's not allowed, please have a mod edit the post as I am going to sleep for real now and won't be on tomorrow...
https://dl.dropboxusercontent.com/u/24345169/NewN3ds_GW_payloads.zip
@liomajor
There are 3 chunks of data that differ between the two. Keep in mind that these offsets are from examining just the 8,192KB (8,388,608 bytes) that make up the firm0 & Firm1 combined)
000f0760-000f0f64 (yes, it stops being different in the middle of a row)
006D0000-006d24F0
006d2800-006D4000
Edit: and I learned 2 things by looking at the stage2_2.bin from here.
1) I didn't even need to decrypt the firms
2) That particular payload isn't one of those 3 above. It starts at 002D0000.
I hope this is enough information, because I need to sleep. Or do I need to up those 3 sections somewhere for use (from my encrypted firm0/1, now that I know better)? But surely I can't link to them from here, can I?
Edit: The last bit is unimportant (I think). On the GW a9lh, it's zeroed out. It's not on my pre-GW dump.
Edit2: Here are the 2 sections that are different. Hope this helps. If it's not allowed, please have a mod edit the post as I am going to sleep for real now and won't be on tomorrow...
https://dl.dropboxusercontent.com/u/24345169/NewN3ds_GW_payloads.zip
@liomajor
Last edited by urherenow,
I need someone with Samsung NAND who had red screen + pwr off and owns a hardwaremod to test my files.
I have an old 3ds with Samsung nand. I haven't tried installing it on this one. I've have set up new 3ds booting gateway fine. I'm just backing up a fresh up to date NAND backup now to test. Yes it's hardmodded.
This is what I did:
Install A9LH /w Luma -> Keep 11.0 EmuNAND and 9.2 NAND -> Install MenuHax on NAND
No button - boots to Luma CFW
L button - boots MenuHax -> GW.3dsx
D-Pad Down - boots SysNAND
Think I'll wait to see what Gateway goes, as it sounds like their methods are becoming WAY to similar to the glorious A9LH guide by Plailect.
Install A9LH /w Luma -> Keep 11.0 EmuNAND and 9.2 NAND -> Install MenuHax on NAND
No button - boots to Luma CFW
L button - boots MenuHax -> GW.3dsx
D-Pad Down - boots SysNAND
Think I'll wait to see what Gateway goes, as it sounds like their methods are becoming WAY to similar to the glorious A9LH guide by Plailect.
Similar threads
-
Psionic Roshambo
-
BakerMan
I rather enjoy a life of taking it easy. I haven't reached that life yet though.
-
-
-
@
BigOnYa:
I feel like gbatemp should make t-shirts or memorabilia to remember the lost ones. I bet the Polly shirts would sell out quick. -
-
-
-
@
BigOnYa:
Your correct, Somebody would be guilty and there would be riots, then they storm the gbatemp capitol,
-
@
K3Nv2:
Online or not there are still certain rights that judges would have no issue handing out a warrant over -
-
@
BigOnYa:
Honestly I'm scared to, from you, but ok, lemme turn on vpn, virtual machine, private browser first
-
-
-
@
BigOnYa:
That robot is here somewhere, I hear it moving around at night, but I haven't seen it for months.
-
@
BigOnYa:
Oh that laptop I give to ancientboi, so you been watching him for months, and he's been watching you
-
-
-
-
-
-
-
-
-
-
-
