Hacking Possible leadway to downgrade 10.5.0.30u

wormdood

Does this work or not because I'm getting tired of checking this thread.
. . .
latest
. . . is this a release thread?
 

VirusX2

Does this work or not because I'm getting tired of checking this thread.

For now it won't work with a normal N3DS or N3DSXL on 10.4 or 10.5; it only works with hard-modded devices. Do wait and have hope until someone finds an exploit.
 

Aroth

No. When you updated the emunand, all of the system updated fine except the firm0/firm1 partitions. If you have a xorpad of your firm0/firm1 partition, you can replace the firm0/firm1 with a version valid for your emunand version and inject it into the sysnand without problems. @Apache Thunder can corroborate it; he taught me this method a long time ago.

Seems to me there is some confusion and misinformation going on in this thread. After looking back over it, there is ZERO work that can be done without a hardmod. Decrypt9 can only dump the contents of the nand chip (CTRNAND, TWLNAND, or other partitions) with a sysnand on 9.2 or lower, so it (and any other method that involves cfw or homebrew) is out of the question. The ONLY way to get dumps of the 10.2 and 10.4 firm0/firm1 partitions is with a hardmod.

From what @Apache Thunder has said, it sounds like you need to compare a decrypted 10.4 firm0/firm1 partition to the encrypted dump of your own 10.4 firm0/firm1. Using the two you would create a xorpad that can be used to encrypt any decrypted firm0/firm1 partition with the console-unique key for your console, allowing you to flash said firm0/firm1 to your console with minimal brick chance. As long as your current firm and target firm share major/minor versions (10.4 is 2.50-11, 10.2 is 2.50-9) you can safely flash the newly encrypted target firm0/firm1 to your console using a hardmod. In fact, since the major/minor version has not changed since 9.6, you could theoretically flash a 9.6 firm0/firm1 to your console.

Whether this will magically allow memchunkhax2 to work again, I do not know. In theory though, it sounds like you could use the same process to encrypt a 10.3 fat16 partition dump to work on your own console, but idk how unique things like the secureinfo_a, movable_sed and the various .db files would affect this.
 

vb_encryption_vb

For now it won't work with a normal N3DS or N3DSXL on 10.4 or 10.5; it only works with hard-modded devices. Do wait and have hope until someone finds an exploit.

Has anyone confirmed n3ds only?

This method needs a hard-mod; it is impossible for it to work without one.

I can hard mod with no issues and have 2 o3ds to use for experiments. So I should update one to the latest 10.5, use my older 9.2 to use decrypt9 to decrypt files, then run them through your bat file with the 10.5 sysnand, correct? Then flash the patched nand to the 3ds and it should boot to 10.3, where I can proceed to downgrade?
 

Apache Thunder

You can't swap CTR_NANDs around even if you managed to encrypt it right. The first thing that will break things is movable.sed as there's console unique stuff at the end of the file and a few bytes in the header that prevent it from being used on a different console. CTR_NAND changes too often to be able to encrypt to a console that isn't exploitable. FIRM partitions can be downgraded because the data in them is known. It doesn't change very often so we have reliable results when decrypting/encrypting them with xorpads.

Also this will work with n3DSs and o3DSs alike. They use the same encryption method for the FIRM partitions.
 

Aroth

Has anyone confirmed n3ds only?

I can hard mod with no issues and have 2 o3ds to use for experiments. So I should update one to the latest 10.5, use my older 9.2 to use decrypt9 to decrypt files, then run them through your bat file with the 10.5 sysnand, correct? Then flash the patched nand to the 3ds and it should boot to 10.3, where I can proceed to downgrade?
I do not know for sure that decrypt9 will be able to generate xorpads for or decrypt the firm partitions.
You can't swap CTR_NANDs around even if you managed to encrypt it right. The first thing that will break things is movable.sed as there's console unique stuff at the end of the file and a few bytes in the header that prevent it from being used on a different console. CTR_NAND changes too often to be able to encrypt to a console that isn't exploitable. FIRM partitions can be downgraded because the data in them is known. It doesn't change very often so we have reliable results when decrypting/encrypting them with xorpads.

Also this will work with n3DSs and o3DSs alike. They use the same encryption method for the FIRM partitions.

That's about what I expected.
 

Raugo

Has anyone confirmed n3ds only?

I can hard mod with no issues and have 2 o3ds to use for experiments. So I should update one to the latest 10.5, use my older 9.2 to use decrypt9 to decrypt files, then run them through your bat file with the 10.5 sysnand, correct? Then flash the patched nand to the 3ds and it should boot to 10.3, where I can proceed to downgrade?

When you reinject the nand.bin after using my bat, the firmware of your 3DS still remains on 10.5, but memchunkhax2 works and you can downgrade to 9.2.
 

Apache Thunder

Also the big reason, aside from movable.sed, that you can't encrypt a CTR_NAND from one console for a different console that isn't exploitable is because the CTR_NAND contents of two 3DSes on the same FW version and region aren't the same. Thus as a result, the console you would try to replace the CTR_NAND on will be different and the changes can't be predicted without first decrypting it (which can't be done without exploiting the console).

So a xorpad can't be made for CTR_NAND in the same manner. We can do it with FIRM0/FIRM1 because the contents of FIRM0/FIRM1 are the same for all consoles. CTR_NAND is not. CTR_NAND contains console unique stuff like tickets, movable.sed, system save data, etc. So a xorpad can't be made for that without knowing what the differences are, and that requires decrypting it. :P
 
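The xorpad method that Aroth and Apache Thunder describe above (known plaintext XOR encrypted dump = pad; pad XOR a different known plaintext = a valid image for this console) and the reason it fails for CTR_NAND, worked through as an added example that is not code from this thread or from any 3DS tool. It assumes only what makes a xorpad possible at all: the console's NAND cipher behaves as a stream cipher, so ciphertext = plaintext XOR a console-unique keystream. The keystream here is a SHA-256 based stand-in so the script runs offline; it is not the real 3DS cipher, and the FIRM images, keys and nonces are constructed sample data. The version table holds the two numbers quoted in the thread (10.4 = 2.50-11, 10.2 = 2.50-9).

```python
import hashlib

# --- Simulated console NAND cipher (stand-in, NOT the real 3DS cipher) ---
# The xorpad trick only works because the NAND cipher behaves like a stream
# cipher: ciphertext = plaintext XOR keystream(console_key, position). The
# keystream below is built from SHA-256 purely so this runs offline.

def keystream(console_key: bytes, nonce: bytes, length: int) -> bytes:
    """Block i of the simulated keystream = SHA-256(console_key || nonce || i)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(console_key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xorpad and image must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def console_crypt(console_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; the same operation for a stream cipher."""
    return xor_bytes(data, keystream(console_key, nonce, len(data)))


# --- The xorpad method from the thread ---

def derive_xorpad(encrypted_dump: bytes, known_plaintext: bytes) -> bytes:
    """Hardmod dump XOR the known decrypted contents = this console's keystream."""
    return xor_bytes(encrypted_dump, known_plaintext)


def reencrypt_with_xorpad(xorpad: bytes, new_plaintext: bytes) -> bytes:
    """Re-encrypt a different (decrypted) image so this console can read it."""
    return xor_bytes(new_plaintext, xorpad)


# FIRM versions quoted in the thread: system version -> (major, minor, revision).
FIRM_VERSIONS = {"10.4": (2, 50, 11), "10.2": (2, 50, 9)}


def same_major_minor(current: str, target: str) -> bool:
    """The thread's safety rule: only flash a FIRM whose major/minor match."""
    return FIRM_VERSIONS[current][:2] == FIRM_VERSIONS[target][:2]


def firm_downgrade_demo() -> dict:
    """Constructed scenario: re-encrypt a 10.2 FIRM0 for a console on 10.4."""
    console_key = hashlib.sha256(b"constructed console-unique key").digest()
    firm0_nonce = b"constructed-FIRM0-nonce"
    # Stand-ins for decrypted FIRM images. FIRM contents are the same on every
    # console, which is exactly why a known-plaintext pad works for FIRM0/FIRM1.
    firm_10_4 = (b"FIRM 2.50-11 " * 8)[:96]
    firm_10_2 = (b"FIRM 2.50-9 " * 8)[:96]

    hardmod_dump = console_crypt(console_key, firm0_nonce, firm_10_4)  # read off the chip
    xorpad = derive_xorpad(hardmod_dump, firm_10_4)                    # known plaintext
    new_firm0 = reencrypt_with_xorpad(xorpad, firm_10_2)               # image to flash back
    return {
        "versions_compatible": same_major_minor("10.4", "10.2"),
        "console_reads_target": console_crypt(console_key, firm0_nonce, new_firm0) == firm_10_2,
    }


def ctrnand_demo() -> dict:
    """Why the same trick fails for CTR_NAND: its plaintext is not known."""
    key_b = hashlib.sha256(b"constructed key of console B").digest()
    nonce = b"constructed-CTRNAND-nonce"
    shared = b"system titles shared by both consoles " * 2
    # Console-unique tail (think movable.sed) differs between the two consoles.
    console_a = shared + hashlib.sha256(b"movable.sed of A").digest()[:16]
    console_b = shared + hashlib.sha256(b"movable.sed of B").digest()[:16]

    dump_b = console_crypt(key_b, nonce, console_b)
    # Using console A's decrypted CTR_NAND as the "known plaintext" for B...
    guessed_pad = derive_xorpad(dump_b, console_a)
    true_pad = keystream(key_b, nonce, len(console_b))
    wrong = sum(1 for g, t in zip(guessed_pad, true_pad) if g != t)
    differing = sum(1 for x, y in zip(console_a, console_b) if x != y)
    # ...gives a pad that is wrong in exactly the console-unique bytes.
    return {"wrong_pad_bytes": wrong, "console_unique_bytes": differing}


if __name__ == "__main__":
    print(firm_downgrade_demo())
    print(ctrnand_demo())
```

The second function is the point Apache Thunder makes: the pad is only as good as the plaintext you subtract, so every byte that differs between consoles (tickets, movable.sed, save data) comes out wrong, and you cannot know which bytes those are without decrypting the target console's CTR_NAND first. The major/minor check is the thread's own flashing rule and is a sanity check only; a real xorpad must also be taken from the same partition and offset it will be applied to, since a stream cipher's keystream is position-dependent.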

Aroth

Also the big reason, aside from movable.sed, that you can't encrypt a CTR_NAND from one console for a different console that isn't exploitable is because the CTR_NAND contents of two 3DSes on the same FW version and region aren't the same. Thus as a result, the console you would try to replace the CTR_NAND on will be different and the changes can't be predicted without first decrypting it (which can't be done without exploiting the console).

So a xorpad can't be made for CTR_NAND in the same manner. We can do it with FIRM0/FIRM1 because the contents of FIRM0/FIRM1 are the same for all consoles. CTR_NAND is not. CTR_NAND contains console unique stuff like tickets, movable.sed, system save data, etc. So a xorpad can't be made for that without knowing what the differences are, and that requires decrypting it. :P

Yeah I figured as much. Was more of a "I wonder if" than a "this should work".

As for the firm0/firm1 downgrade, I am still unsure how one would go about decrypting it, since I don't see any options in decrypt9 for decrypting things other than games or system titles (cias/apps, not things like firm partitions).
 

Apache Thunder

Which build of Decrypt9 are you using? I think ShadowTrance's and d0k3's versions have NAND dumping features. I don't know if the original build has it or not.

I prefer d0k3's (because of its super awesome encryption features. :P )

There's a partition dump menu where you can dump individual partitions. Use that to dump FIRM0 and FIRM1. :D (It even lets you dump them from an emunand. Assuming emunand was updated correctly to 10.2 via system settings or you injected a sysnand as emunand, you can dump your 10.2 FIRM0/FIRM1 from there so you don't have to write it to sysnand first.)
 

Aroth

Which build of Decrypt9 are you using? I think ShadowTrance's and d0k3's versions have NAND dumping features. I prefer d0k3's. There's a partition dump menu where you can dump individual partitions. Use that to dump FIRM0 and FIRM1. :D (It even lets you dump them from an emunand. Assuming emunand was updated correctly to 10.2 via system settings or you injected a sysnand as emunand, you can dump your 10.2 FIRM0/FIRM1 from there so you don't have to write it to sysnand.)

Not sure which version I have but it only works when I load it from sysnand, and the dump options for sysnand are "NAND Backup" "All partitions dump", "CTRNAND partition dump" and " TWLNAND partition dump". It has no options for dumping/injecting partitions in regards to emunand. Also I was under the impression that Raugo was right about that much at least and that firm0/firm1 partitions themselves are not touched when updating with firm_launch enabled. Assuming that the emunand partition actually copies the firm0/firm1 partition from the nand chip during creation, which I thought it did not.
 

Jorgevz

I have a question for you because of the professionalism you apparently have on this topic: do you think that in the future a 10.5.0-30E / U / J console may be downgraded without a hard-mod through some kind of exploit or something? Thank you for everything, seriously... :D
 

Apache Thunder

Well usually updates from system settings can update emunand correctly. CFWs that firm launch a newer FIRM prevent users running on older FIRMs from updating. But not sure about CFWs firm launching older firms. If you have a nand mod, you can just use a non-firmlaunch cfw like rxTool's devmode (or pasta mode as they now call it) to update native_firm on sysnand to 10.2. (You don't really have to update everything else. You'll be replacing it with a nand backup afterwards anyway.)

Then take that resulting sysnand you updated firm to 10.2 on and use that as your emunand partition. Decrypt9WIP can grab the firm partition from it. You can do the same for 10.4 if you feel the one on your emunand isn't correct.

I have a question for you because of the professionalism you apparently have on this topic: do you think that in the future a 10.5.0-30E / U / J console may be downgraded without a hard-mod through some kind of exploit or something? Thank you for everything, seriously... :D

No. If another exploit in Arm11 is found, it's probably going to be well over another year before it happens, if at all. You are going to need a NAND mod if you want to downgrade anytime in the near future. ;)
 

Jorgevz

Well usually updates from system settings can update emunand correctly. CFWs that firm launch a newer FIRM prevent users running on older FIRMs from updating. But not sure about CFWs firm launching older firms. If you have a nand mod, you can just use a non-firmlaunch cfw like rxTool's devmode (or pasta mode as they now call it) to update native_firm on sysnand to 10.2. (You don't really have to update everything else. You'll be replacing it with a nand backup afterwards anyway.)

Then take that resulting sysnand you updated firm to 10.2 on and use that as your emunand partition. Decrypt9WIP can grab the firm partition from it. You can do the same for 10.4 if you feel the one on your emunand isn't correct.

No. If another exploit in Arm11 is found, it's probably going to be well over another year before it happens, if at all. You are going to need a NAND mod if you want to downgrade anytime in the near future. ;)

So, I must do the hard-mod on my 3DS or I won't downgrade it? Bad news... u_u
 
