Reading this, I just remembered that something like this happened in the PSP scene, and they managed to fool the security. Is there no way to fool the arm9 processor by changing the name of the firmware to a newer one so it can be installed?
Obviously it's gonna be a downgrade, but maybe it can be a CFW too, I don't know. That would be great.
Modifying the software in any way, shape, or form breaks the signature. That's not happening. That would be a cryptography error on Sony's part.
I'm interested, however. I know nothing about the PSP scene, and I love learning. Explain
I can't really remember, it was like a decade ago.
However, how does Nintendo make the new firmware updates? Sceners could try to copy the way they do it to make a CFW, or at least make an exploit that fools the arm9 into thinking that it's a signed CIA. That could be helpful, I think...
That would be almost impossible afaik. I'm no expert, but from my understanding we would need to get Nintendo's private key in order to sign content. You can't simply edit existing signed data, because that would change the file's hash, and thus break the signature.
I doubt an exploit like that will be found. Your best bet would be to get a hardmod, another 3DS that's already hacked, or buy a new one on a lower firmware. Sorry.
I doubt it. That's exactly what happened on the Wii; a bug in the signature checks that meant that unsigned code would be considered signed. (Trucha bug if you want to look it up) I don't think Nintendo would make the same mistake twice.
Hi, GBATemp. So a lot of you newcomers have been wondering why a 3DS on 11.0 can't be downgraded. Perhaps some of you old members are wondering this too. Well, not after today. This thread attempts to document in a very easy to understand yet very comprehensive way why this feature is not possible.
I am not responsible for anything bad that comes out of you reading this thread. If, by gaining this knowledge, your 3DS breaks, you go insane, your hair randomly bursts into flames, or you cause thermonuclear war, and you point at me, I will laugh at you. That being said, if you appreciate this thread, or something good came out of it, leave me a like.
If you do not understand any particular part of this thread, I am doing something wrong. The intent here is for anybody to be able to understand the following material. If there is something you do not understand, please let me know and I will correct it.
All right, enough of this stupid disclaimer crap. Let's get to the good stuff.

The Basics

The 3DS has two main processors: an arm11 and an arm9. If you don't know what those are, it doesn't really matter. The arm11 handles everything you see: the games that run, the HOME menu, and so on. The arm9's main use is to serve as a backwards compatibility processor: it's what runs DS games. [The arm11 doesn't run games here: this is the one exception to the above rule] However, in 3DS mode, it's reused as a security processor. It handles integrity [making sure the games that run aren't pirated], filesystem calls [reading and writing to the NAND, basically the hard drive of the 3DS] and a lot of other fun things. With this in mind, let's talk about the security of the 3DS.

arm11 userland: this is what the games run in. Since games won't *ever* need to read/write to the NAND, install stuff [more on that in a minute] or change security checks, it doesn't have access to them. Things like menuhax, browserhax, and game exploits [like ninjhax, oot3dhax, and so on] are what run here, and so does the Homebrew Launcher.

arm11 kernel: this is what handles more sensitive stuff, but is still on the arm11. It's what handles game installation [with the arm9 making sure the game is valid first], but beyond that it's not really that useful for much. Game exploits [userland] need another exploit in the kernel to break into this and use everything it has access to [things like game installation, so long as the arm9 says the games are OK, which they rarely are, more on that in a bit], since the kernel won't just listen to whatever userland tells it to do*. The one thing it is really useful for is breaking into the

arm9: this is what's really interesting in terms of security, as mentioned earlier. We need yet another exploit to break into this, since it won't just listen to what arm11 tells it to do*. Getting an exploit for this is the real meat of 3DS hacking, since it allows for things like CFW, playing backups of your games [oh who am I kidding, it means piracy], direct reading/writing to the NAND [useful for very specific things] and decryption of content.

Hopefully, now you have a [very] basic idea of the 3DS security. With that in mind, let's talk downgrading.

The past [<11.0]

Downgrading before 11.0 was pretty simple: it meant an arm11 kernel exploit. Let's talk about what that "arm9 says it's OK" meant from earlier.

Legit stuff

With an arm11 kernel exploit, game installation is possible. This comes with one major catch: the game must be signed by Nintendo. What does "signed" mean? Well, signatures are little things in a file that say that someone made this, and it has their approval. On the 3DS, signatures are given by Nintendo. With an arm11 kernel exploit, we can install things that are signed by Nintendo. The not fun part here is that for games, the signatures for digital versions [games you install to the SD card, not a cartridge] are console specific. With very few exceptions [they're called "legit CIAs", we'll talk about it in a moment] this means that game installation is not possible with a mere arm11 kernel exploit.

Legit CIAs

Legit CIA files [the file format for 3DS games] are files that have good signatures for every console. This means that when attempting to install them with an arm11 kernel exploit, the arm9 will approve of it. Now here's the fun part that relates to downgrading: system updates are legit CIAs. Furthermore, the arm9 doesn't check to see if it's an earlier version. [Technically not true, but it's so easy to get around that it's not worth mentioning**] Therefore, to downgrade we perform an arm11 kernel exploit and install the earlier versions of the legit system updates. This reintroduces the last known arm9 exploit to the system, on version 9.2, which we can then use.

The present [11.0]

arm9 gets in the way

On 11.0, this is no longer true. When using an arm11 kernel exploit [which for all intents and purposes was patched out on 11.0***] to install particular titles [system updates], arm9 checks against a list introduced in 11.0 that says what versions of system updates are valid. If the title version is older than 11.0, arm9 tells arm11 to stop installing the title. Due to the way the security system works*, the arm11 will obey and stop installing.

Sidestepping arm9

But there is a way: hardmod and DSiwarehax. These are both methods of dumping/restoring the NAND without an arm9 exploit. Usually, this isn't helpful at all; the NAND is encrypted, and decrypting it would require an arm9 exploit. However, due to the way encryption works, in a nutshell we can derive the main part of the OS [and only the main part of the OS] from an encrypted NAND dump. This is abused by decrypting the main part of the OS [dubbed NATIVE_FIRM], inserting an older version into it, then re-encrypting it and writing it back. By doing this, the version will be on 10.7, and arm9 will no longer use the list.

The future [what could be done for 11.0]

Well, put simply, to downgrade on 11.0 without hardmod or DSiwarehax, we need an arm9 exploit. Without being able to tell arm9 to not use the list, there's no way to downgrade via normal software. And if we have an arm9 exploit, there would be no reason to downgrade to 9.2 from 11.0.

Conclusion
I hope this explanation helped you in your understanding of the 3DS, and the particular topic at hand, 11.0 downgrading. Again, if there's anything I missed, or you don't understand, let me know and I'll fix it. Have a nice day
*It's a system of permissions. Think of it like this: there's a child, a parent, and a grandparent. The grandparent tells both the parent and the child what to do. The parent tells the child what to do, but not the grandparent, and the child tells neither of them what to do. arm9 is the grandparent, arm11 kernel is the parent, and arm11 userland is the child. The child must trick the parent into doing what he wants, who needs to then trick the grandparent into doing what he wants.
**arm9 checks if the title to install is older than a title currently installed, and blocks installation if it is. However, we just uninstall the title before installing the new one. Pretty stupid on Nintendo's part.
***The actual vulnerability wasn't fixed, but it was made so hard to exploit that it'd be easier to find and make a new one.
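The install gate the post describes, as an added toy model (not code from the post, from Nintendo, or from any 3DS homebrew tool). Everything in it is an assumption made for illustration: the title ID, the version numbers (92 = 9.2, 107 = 10.7, 110 = 11.0), the JSON "CIA" layout and the contents of the 11.0 minimum-version list. The signature is textbook RSA with no padding over SHA-256, using two publicly known Mersenne primes, so it is not a secure key; it is here only to show that producing a signature needs the private exponent and that any edit to the signed bytes (including "renaming" the version, which lives inside them) makes verification fail. The three scenarios walk through the pre-11.0 uninstall trick from footnote **, the 11.0 list check, and the hardmod/DSiwarehax sidestep that changes the running NATIVE_FIRM without ever asking arm9 for an install.

```python
"""Toy model of the 3DS install gate described in the post above.

Added example, not from the original post. All names, title IDs and version
numbers are assumptions; the RSA key uses public Mersenne primes and is NOT
secure, it only demonstrates the sign/verify asymmetry the thread relies on.
"""
import hashlib
import json

# --- Nintendo's toy signing key (2^127-1 and 2^521-1 are known primes) ---
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the "private key" the replies say we lack

NATIVE_FIRM = 0x0004013800000002  # hypothetical title ID for the main OS


def sign_title(title_id, version, content):
    """Nintendo's side: title ID and version live INSIDE the signed bytes."""
    body = json.dumps({"title_id": title_id, "version": version,
                       "content": content.hex()}, sort_keys=True).encode()
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")  # h < N always
    return {"body": body, "sig": pow(h, D, N)}


def verify_signature(cia):
    """Console side: only (N, E) is needed; a changed byte changes h."""
    h = int.from_bytes(hashlib.sha256(cia["body"]).digest(), "big")
    return pow(cia["sig"], E, N) == h


class Arm9:
    """The 'grandparent': it alone decides whether an install proceeds."""
    MIN_VERSION_LIST = {NATIVE_FIRM: 110}  # the list the post says 11.0 added

    def __init__(self, firm_version):
        self.firm_version = firm_version  # version of the running NATIVE_FIRM
        self.installed = {}               # title_id -> installed version

    def check_install(self, cia):
        if not verify_signature(cia):
            return "bad signature"
        meta = json.loads(cia["body"])
        tid, ver = meta["title_id"], meta["version"]
        if tid in self.installed and ver < self.installed[tid]:
            return "older than installed title"       # footnote ** check
        if self.firm_version >= 110 and ver < self.MIN_VERSION_LIST.get(tid, 0):
            return "below 11.0 minimum-version list"  # the 11.0 check
        return "ok"


class Arm11Kernel:
    """The 'parent': can install, but obeys whatever the arm9 answers."""
    def __init__(self, arm9):
        self.arm9 = arm9

    def install(self, cia):
        if self.arm9.check_install(cia) != "ok":
            return False
        meta = json.loads(cia["body"])
        self.arm9.installed[meta["title_id"]] = meta["version"]
        return True

    def uninstall(self, title_id):
        self.arm9.installed.pop(title_id, None)


def scenario_pre_11_0():
    """10.7 console: older-than-installed check, dodged by uninstalling first."""
    arm9 = Arm9(firm_version=107)
    arm9.installed[NATIVE_FIRM] = 107
    kernel = Arm11Kernel(arm9)
    old = sign_title(NATIVE_FIRM, 92, b"NATIVE_FIRM 9.2 (constructed)")
    blocked = kernel.install(old)     # False: 92 < 107
    kernel.uninstall(NATIVE_FIRM)
    installed = kernel.install(old)   # True: nothing left to compare against
    return blocked, installed


def scenario_11_0():
    """11.0 console: the list blocks 9.2 even after uninstalling, and editing
    the version inside the CIA breaks the signature instead of fooling arm9."""
    arm9 = Arm9(firm_version=110)
    arm9.installed[NATIVE_FIRM] = 110
    kernel = Arm11Kernel(arm9)
    old = sign_title(NATIVE_FIRM, 92, b"NATIVE_FIRM 9.2 (constructed)")
    kernel.uninstall(NATIVE_FIRM)
    blocked = kernel.install(old)     # False: list check
    meta = json.loads(old["body"])
    meta["version"] = 111             # "rename" it to look newer than 11.0
    renamed = {"body": json.dumps(meta, sort_keys=True).encode(),
               "sig": old["sig"]}
    return blocked, arm9.check_install(renamed)


def scenario_hardmod():
    """Sidestep: an older NATIVE_FIRM is written to NAND without an install,
    so the running firm is 10.7 and the list is no longer consulted."""
    arm9 = Arm9(firm_version=110)
    arm9.firm_version = 107           # hardmod/DSiwarehax NAND write
    kernel = Arm11Kernel(arm9)
    old = sign_title(NATIVE_FIRM, 92, b"NATIVE_FIRM 9.2 (constructed)")
    return kernel.install(old)        # True


if __name__ == "__main__":
    print(scenario_pre_11_0(), scenario_11_0(), scenario_hardmod())
```

Two things to notice when running it: the arm11 kernel never inspects the CIA itself, it only relays arm9's verdict, which is the parent/grandparent relationship from footnote *; and the hardmod scenario never calls `check_install` at all, because writing the decrypted NATIVE_FIRM back into NAND is not an install from arm9's point of view.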
Kind of a mouthful.... I think people will be fine if they actually READ the post. Maybe @Swiftloke could add that information in bold to the top of the post to make it harder to miss? Just a thought.
Nice thread. Very informative. Now I have a question. Currently I'm on 11.0 with arm9loaderhax+luma. Previously I was on rxtools with emunand 11.0 and sysnand 9.2. I switched to this setup cause I heard it was better. Not sure why though. With this set up, isn't my sysnand technically on 11.0? Is that safe? And would updating to 11.1 f*** me up?