Hacking [Release] 3DSafe: In-NAND PIN lock for 3DS

GerbilSoft

> I tried it in upper case, but it wouldn't find the file. I think fatfs uses string comparison to check if files exist or something, so if the case doesn't match it thinks the file doesn't exist.
FatFS isn't case-sensitive. (The cmp_lfn() function, which is used to compare long filenames, uses ff_wtoupper() when comparing, which converts characters to uppercase.)

...though after taking a closer look, if the filename doesn't have an LFN (which might be the case with "otp.bin"), it does a memcmp(), which is case-sensitive. Maybe try searching for "OTP.BIN" instead of "otp.bin". (This should be reported as a bug to the FatFS dev.)
 

mashers

> FatFS isn't case-sensitive. (The cmp_lfn() function, which is used to compare long filenames, uses ff_wtoupper() when comparing, which converts characters to uppercase.)
>
> ...though after taking a closer look, if the filename doesn't have an LFN (which might be the case with "otp.bin"), it does a memcmp(), which is case-sensitive. Maybe try searching for "OTP.BIN" instead of "otp.bin". (This should be reported as a bug to the FatFS dev.)
Ahh, that worked! Thanks! The version of fatfs I'm using (the one which comes with SafeA9LHInstaller) doesn't use memcmp() which I assume is why it works. Weirdly, I also can't see a reference to ff_wtoupper() either, but in any case it's working no matter what case the file is in as long as I check for OTP.BIN instead of otp.bin. Thanks again! :)
 

Demnyx

> Thanks! It will change your A9LH payload (the part in NAND) to 3DSafe which is based (loosely now) on ShadowNAND, but whatever payload you have at /arm9loaderhax.bin on your SD card will be booted after entering the PIN. So if you are using Luma or any other CFW, it will still be your CFW.
oh ok thanks
 

GerbilSoft

> Ahh, that worked! Thanks! The version of fatfs I'm using (the one which comes with SafeA9LHInstaller) doesn't use memcmp() which I assume is why it works. Weirdly, I also can't see a reference to ff_wtoupper() either, but in any case it's working no matter what case the file is in as long as I check for OTP.BIN instead of otp.bin. Thanks again! :)
Here's the relevant lines:

ExFAT (LFN only): https://github.com/mashers/3DSafe/b...d00e1c/payload_stage2/source/fatfs/ff.c#L2577 [uses ff_wtoupper()]
FAT32, LFN build and an LFN is found: https://github.com/mashers/3DSafe/b...d00e1c/payload_stage2/source/fatfs/ff.c#L2606 [calls cmp_lfn()]
FAT32, LFN build and no LFN is found: https://github.com/mashers/3DSafe/b...d00e1c/payload_stage2/source/fatfs/ff.c#L2610 [calls mem_cmp()]
FAT32, non-LFN build: https://github.com/mashers/3DSafe/b...d00e1c/payload_stage2/source/fatfs/ff.c#L2616 [calls mem_cmp()]
cmp_lfn(): https://github.com/mashers/3DSafe/b...d00e1c/payload_stage2/source/fatfs/ff.c#L2038 [calls ff_wtoupper()]

The exFAT version isn't important, since exFAT is disabled. The important one is FAT32 with LFN build and no LFN, since that's the code path that's being hit here.

Also, FatFS actually uses its own version of memcmp() called mem_cmp(). This could probably be replaced with regular memcmp() for better performance, but I'm not sure.
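
The two lookup behaviours discussed in this exchange, as an added example that is not part of any post and is not FatFS or 3DSafe code: a simplified C model of matching a query against an 8.3 directory entry. `pack_sfn`, `find_bytewise` and `find_folded` are hypothetical names, and the card contents are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not FatFS code: pack "name.ext" into the 11-byte,
 * space-padded 8.3 name field of a FAT directory entry. fold != 0 upper-cases
 * each character, which is how short names are stored on disk. */
static int pack_sfn(const char *name, int fold, unsigned char out[11])
{
    size_t i = 0, limit = 8;
    memset(out, ' ', 11);
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (c == '.') {
            if (i == 0 || limit == 11) return -1; /* empty base or second dot */
            i = 8;
            limit = 11;
            continue;
        }
        if (i >= limit) return -1;                /* does not fit 8.3 */
        out[i++] = fold ? (unsigned char)toupper(c) : c;
    }
    return i == 0 ? -1 : 0;
}

/* No-LFN path from the post: the query is compared byte for byte. */
static int find_bytewise(const char *on_disk, const char *query)
{
    unsigned char entry[11], q[11];
    if (pack_sfn(on_disk, 1, entry) != 0 || pack_sfn(query, 0, q) != 0)
        return 0;
    return memcmp(entry, q, sizeof entry) == 0;
}

/* Same lookup with the query folded first, as the LFN path does. */
static int find_folded(const char *on_disk, const char *query)
{
    unsigned char entry[11], q[11];
    if (pack_sfn(on_disk, 1, entry) != 0 || pack_sfn(query, 1, q) != 0)
        return 0;
    return memcmp(entry, q, sizeof entry) == 0;
}

int main(void)
{
    /* Constructed input: a card holding "otp.bin" with no LFN entry. */
    printf("bytewise otp.bin: %d\n", find_bytewise("otp.bin", "otp.bin"));
    printf("bytewise OTP.BIN: %d\n", find_bytewise("otp.bin", "OTP.BIN"));
    printf("folded   otp.bin: %d\n", find_folded("otp.bin", "otp.bin"));
    return 0;
}
```

For a recovery file such as otp.bin, a byte-wise miss looks the same to the caller as a missing file, so the lookup should either fold the query or be tested with both spellings.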
 

mashers

Release 0.5 has just been pushed to GitHub! This is a big update which adds the following:
  • Optionally uses graphical interface instead of text. To use this, copy the 3dsafe folder from the zip file to the root of your SD card, and the graphics will be used automatically.
  • Bottom screen can be customised using 'lost.bin'. You can put here any image you like, but I suggest using it to display your contact details in case your 3DS is lost. Please see the readme for details on how to create the lost.bin image.
  • Added an 'About' page with version number display
  • It is no longer possible to enter an empty PIN when setting the PIN for the first time or when changing it
  • If a valid otp.bin is found in the root of the SD card, it will be copied to your NAND so it can be accessed by SafeA9LHInstaller even if it's no longer on the SD card
  • In the unlikely event that 3DSafe cannot access your NAND on startup, you will be given the option of running SafeA9LHInstaller so that you can recover by flashing a different A9LH payload
I reiterate that this is a pre-release version. There may be bugs which could prevent you from accessing your device. You should make sure you have a working otp.bin for your device and use the OTP bypass feature at least once to make sure it works. This will also make sure the otp.bin is copied to NAND in case you need it to run SafeA9LHInstaller at a later date.

Installation instructions have been updated on the GitHub repo to reflect the changes which have been made in this update.
 

ghostpotato

I'm a little confused. Does this launch another payload once I enter the correct PIN? If so, is it possible to have this launch @Aurora Wright's fork of A9LH once I enter the correct PIN?
 

mashers

> I'm a little confused. Does this launch another payload once I enter the correct PIN? If so, is it possible to have this launch @Aurora Wright's fork of A9LH once I enter the correct PIN?
As it says in the OP, after entering the correct PIN it will boot the arm9loaderhax.bin payload from your SD card. It doesn't matter what that is, so yes it will work with Luma.
 


Billy Acuña

Hello @mashers, I wanted to tell you that I finally unbricked my 3DS and successfully installed the latest 3DSafe, however I encountered that this screeninit issue is still there and breaks BootCtr9, so I wanted to suggest using the merged no/screeninit from Aurora's fork, which gives no-screeninit if you use "arm9loaderhax.bin" and "arm9loaderhax_si.bin" for screeninit.
 

Shadowhand

> Hello @mashers, I wanted to tell you that I finally unbricked my 3DS and successfully installed the latest 3DSafe, however I encountered that this screeninit issue is still there and breaks BootCtr9, so I wanted to suggest using the merged no/screeninit from Aurora's fork, which gives no-screeninit if you use "arm9loaderhax.bin" and "arm9loaderhax_si.bin" for screeninit.
ShadowNAND will be getting a similar thing soon, stay tuned. [/shill]
 

mashers

> Hello @mashers, I wanted to tell you that I finally unbricked my 3DS and successfully installed the latest 3DSafe, however I encountered that this screeninit issue is still there and breaks BootCtr9, so I wanted to suggest using the merged no/screeninit from Aurora's fork, which gives no-screeninit if you use "arm9loaderhax.bin" and "arm9loaderhax_si.bin" for screeninit.
Can you describe the issue to me so I can investigate? Thanks :)
 

mashers

> BootCtr9 refuses to turn on the backlight, if I'm not wrong, 3DSafe always keeps the screeninit on, just turns on/off the backlight.
Ok, I'll have a look into it. I have never used bootctr9 so I wasn't aware of this. Should I perhaps try to de-init the screen before booting the payload?
 
