title | permalink |
---|---|
DSiWare Downgrade | /dsiware-downgrade.html |
If you are on 11.0.0 or 11.1.0, do NOT update to 11.2.0. A new update will be coming soon that allows for DSiWare NFIRM Downgrading without a second 3DS or hardmod for versions under 11.2.0. {: .notice--primary}
If you are between versions 11.0.0 and 11.2.0, you must follow this guide to downgrade your NATIVE_FIRM using DSiWare and a second 3DS which already has a Custom Firmware installed on it in order to dump and restore your NAND. {: .notice}
If you are below 11.2.0 on either device, then you should do the ctr-httpwn steps (when prompted) on each device under 11.2.0 to allow you to System Transfer with them. {: .notice--info}
This takes advantage of an oversight which allows DSiWare titles to read and write anywhere in NAND. {: .notice--info}
This is a currently working implementation of the "FIRM partitions known-plaintext" exploit detailed here. {: .notice--info}
This guide will assume the CFW 3DS is running arm9loaderhax and was set up with this guide, but will work (with slight modifications such as doing all SysNAND steps on EmuNAND) on systems running an EmuNAND. Note that the terms EmuNAND and RedNAND refer to slightly different implementations of the same concept. {: .notice--info}
You can skip everything related to Steel Diver: Sub Wars and steelhax if you already have a working primary entrypoint (e.g: OOT3dHax, FreakyHax) for the target 3DS, and use that instead. {: .notice--info}
{% capture notice-4 %} This exploit requires you to System Transfer from a CFW 3DS to a stock 3DS as part of the steps. System Transfers will work in the following directions only:
- New 3DS -> New 3DS
- Old 3DS or 2DS -> Old 3DS or 2DS
- Old 3DS or 2DS -> New 3DS
{% endcapture %}
Both systems MUST be from the same region. {: .notice--warning}
The source 3DS's NNID will be stuck on the target 3DS unless you either system transfer back or call Nintendo! (details in the instructions) {: .notice--danger}
System Transfers can only be performed once a week. {: .notice--danger}
What you need
- A computer to mount the `public.sav` file (for now)
- Two 3DS systems
  - The source 3DS: the 3DS running some kind of custom firmware (arm9loaderhax or some form of EmuNAND) on the latest version
  - The target 3DS: the 3DS on stock firmware between 11.0.0 and 11.2.0
- Purchase a DSiWare game from the eShop on the source 3DS
  - A pirated copy of the game will not work
  - The game's `.app` must be greater than or equal to 3,457,024 bytes
  - The game's `public.sav` must be greater than or equal to 81,920 bytes
  - The system transfer will only accept the hacked app and save if they do not increase the overall size of each file
  - For a community list of compatible games, see the DSiWare List page
- `DSiWare_sudokuhax_v0_injection.zip`
- The latest release of 3DSident
- The latest release of FBI {::comment}* The latest release of GodMode9{:/comment}
- The latest release of dgTool
- The Homebrew Starter Kit
- The NFIRM zip corresponding to the device and version of the target 3DS:
- Download a legitimate copy of Steel Diver: Sub Wars (the game is free, but any copy of the game not from the eShop will not work) on the source 3DS
- The previous release of steelhax
- If the target 3DS is below 11.2.0, you will also need the following
  - The latest release of ctr-httpwn
Instructions
Section I - Prep Work
Use a save manager to back up any saves you care about on the target 3DS (it will be formatted!) {: .notice--warning}
- Create a folder named `files9` on the root of the source 3DS's SD card if it does not already exist {::comment}2. Copy `GodMode9.bin` from the GodMode9 zip to the `/luma/payloads` folder on the source 3DS's SD card and rename `GodMode9.bin` in `/luma/payloads` to `up_GodMode9.bin`{:/comment}
- Reinsert the source 3DS's SD card
- On the source 3DS, hold Start on boot to launch Hourglass9
- Go to SysNAND Options, then SysNAND Backup/Restore, then backup (min size) SysNAND to `NANDmin.bin`
- Press (Select) on the main menu to eject the source 3DS's SD card, then put it in your computer
- Copy `NANDmin.bin` and `NANDmin.bin.sha` from the `/files9/` folder on your SD card to a safe location; make backups in multiple locations; this backup will save you from a brick if anything goes wrong in the future (Your backup should match one of the sizes on this page; if it does not, you should delete it and make a new one!)
- Put the target 3DS's SD card into your computer
- Back up every file on both 3DS's SD cards to two separate folders on your computer (keep track of which is which)!
- Reinsert each SD card back into their corresponding 3DS
- Press (Start) to reboot
- Purchase any DSiWare game from the eShop (a pirated copy of the game will not work) on the source 3DS
- Go to System Settings, then "Data Management", then "DSiWare", then "Nintendo DS Profile" on the source 3DS
- Copy any DSiWare games that are already on the SD Card back to the System Memory
- Copy the DSiWare game you intend to use to the SD Card
- Power off the source 3DS, then put its SD card into your computer
- Navigate to `/Nintendo 3DS/(32 Character ID)/(32 Character ID)/Nintendo DSiWare/`
- Make a note of the 8 Character ID in the file name of the `.bin` file in this folder
  - For example, if you see `4B4C4545.bin`, remember the ID `4B4C4545`
- Reinsert your SD card into the source 3DS and boot it back up
- Go to System Settings, then "Data Management", then "DSiWare", then "Nintendo DS Profile" on the source 3DS
- Delete the DSiWare game from the SD Card (do not delete it from the System Memory)
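
One way to confirm that every copy of `NANDmin.bin` made in the backup step above is intact before relying on it; this is an added example, not part of the original guide or of Hourglass9. It assumes the `NANDmin.bin.sha` sidecar stores the image's SHA-256 (as 32 raw bytes or as hex text), and the file names and data in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a large image in chunks so the whole NAND dump is never held in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.digest()


def read_sidecar(path):
    """Assumption: the .sha sidecar holds a SHA-256 as 32 raw bytes or as hex text."""
    raw = Path(path).read_bytes()
    if len(raw) == 32:
        return raw
    return bytes.fromhex(raw.decode("ascii").split()[0])


def verify_backup(original, copies):
    """Return a list of problems; an empty list means every copy is intact."""
    original = Path(original)
    expected = read_sidecar(str(original) + ".sha")
    problems = []
    for image in [original, *map(Path, copies)]:
        if not image.is_file():
            problems.append(f"{image}: missing")
        elif sha256_file(image) != expected:
            problems.append(f"{image}: SHA-256 differs from sidecar")
    return problems


def demo():
    """Constructed stand-in data: a tiny fake image, one good copy, one damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        image, good, bad = (Path(tmp, n) for n in ("NANDmin.bin", "good.bin", "bad.bin"))
        data = b"constructed sample, not a real NAND image" * 1000
        image.write_bytes(data)
        good.write_bytes(data)
        bad.write_bytes(data[:-1] + b"\x00")  # last byte changed
        Path(tmp, "NANDmin.bin.sha").write_bytes(hashlib.sha256(data).digest())
        return verify_backup(image, [good]), verify_backup(image, [good, bad])


if __name__ == "__main__":
    print(demo())
```

Call `verify_backup` with the path of the image next to its `.sha` file and the paths of the other copies; any entry in the returned list means that copy should be deleted and made again.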
Section II - Injecting the game and save
- Launch FBI on the source 3DS
- Navigate to `TWL NAND` -> `title` -> `00030004` -> `(8 Character ID)`
  - The 8 Character ID will be the one you got from the `.bin` file earlier
- Navigate to the `content` folder
- Make a note of the `.app` file name in this folder
  - For example, if you see `00000000.app`, remember the file name `00000000.app`
- Power off the source 3DS, then put its SD card into your computer
- Copy `sudoku.app` to the root of the source 3DS's SD card from `DSiWare_sudokuhax_v0_injection.zip`
- On the source 3DS's SD card, rename `sudoku.app` to the name of the `.app` file you noted earlier
- Reinsert your SD card into the source 3DS and boot it back up
- Launch FBI on the source 3DS
- Navigate to `SD`
- Press (A) on the renamed sudoku `.app` and copy it
- Press (B) to get back to the main menu
- Navigate to `TWL NAND` -> `title` -> `00030004` -> `(8 Character ID)`
  - The 8 Character ID will be the one you got from the `.bin` file earlier
- Navigate to the `content` folder
- Press (A) on the current directory and paste the renamed sudoku `.app`
  - This will overwrite the existing one
- Press (B) to get back to `TWL NAND` -> `title` -> `00030004` -> `(8 Character ID)`
- Navigate to the `data` folder
- Press (A) on `public.sav` and copy it
- Press (B) to get back to the main menu
- Navigate to `SD`
- Press (A) on the current directory and paste `public.sav`
- Press (Start) to exit
- Power off the source 3DS, then put its SD card into your computer
- Copy `public.sav` to your computer
- Mount `public.sav` so it can be edited
  - In the future this will be done on device, but for now a computer is needed
  - Windows users can use something like OSFMount
  - Ensure the mounted image is not Read Only
- Copy `savedata.bin` from `DSiWare_sudokuhax_v0_injection.zip` to the mounted `public.sav`, replacing the existing one
- Dismount `public.sav`
- Copy the modified `public.sav` to the source 3DS's SD card
- Reinsert your SD card into the source 3DS and boot it back up
- Launch FBI on the source 3DS
- Navigate to `SD`
- Press (A) on `public.sav` and copy it
- Press (B) to get back to the main menu
- Navigate to `TWL NAND` -> `title` -> `00030004`
- Navigate to the `data` folder
- Press (A) on the current directory and paste `public.sav`
  - This will overwrite the existing one
- Press (B) to get back to the main menu
- Launch your DSiWare game on the source 3DS
- Tap the screen or press any button to start the game and test if the save is functional
  - If your game has an error about `boot.nds`, then the exploit has been successful
  - If your game behaves normally and does not give you this error, then you should stop and figure out what went wrong
  - If you get a black screen, follow this troubleshooting guide
Section III - steelhax
This will allow you to enter the homebrew launcher after the System Transfer.
- Copy the `steelhax-installer` folder from the steelhax zip to the `/3ds/` folder on the source 3DS's SD card
- Reinsert your SD card into your 3DS
- Ensure that Steel Diver: Sub Wars does not have any updates installed using System Settings:
  - Go to "Data Management", then "Nintendo 3DS", then "Downloadable Content"
  - Select Steel Diver: Sub Wars, then select "delete"
  - Exit the System Settings
- Launch Steel Diver: Sub Wars
  - Do not update the game
- Press (A) to continue, then create / select a Mii
- Exit the game
- Launch the homebrew launcher on the source 3DS
  - If it is an arm9loaderhax installed device, you can do that with hblauncher_loader
- Launch steelhax installer
- Press (A) to continue
- Press (A) to confirm Steel Diver: Sub Wars's version
- Press (A) to confirm the source 3DS's system version
- Press (Start) to exit the installer
- Press (Start) to open the homebrew launcher exit menu
- Press (X) to Return to Home Menu (no reboot)
  - You may get an "Error has occurred" message with the option to continue. This is fine, just hit (A)
- Launch Steel Diver: Sub Wars to test the exploit
  - Do not update the game
  - The save game may be corrupted
  - Do not press "ok" to delete the corrupted save data, just exit with the home button
  - If you do press "ok" by mistake, you will have to recreate the Mii
  - Redo the installation starting with the homebrew launcher
  - This can take many tries
  - Do not press "ok" to delete the corrupted save data, just exit with the home button
  - If it is successful, the device will boot into the homebrew launcher
- Once you are in the homebrew launcher successfully, launch steelhax installer
- Press (A) to continue
- Press (A) to confirm Steel Diver: Sub Wars's version
- This time, change the version to match the target 3DS's system version
  - Even though you will be downgrading its NFIRM, you should still select the system version it is on now
- Copy the contents of the `starter.zip` to the root of the target 3DS's SD card, then put the SD card back into the target 3DS
Section IV - ctr-httpwn
This section is only required if the target 3DS is under 11.2.0.
This will allow you to system transfer on versions other than the latest.
- Copy and merge the `3ds` folder from the ctr-httpwn zip to the target 3DS's SD card
- Reinsert your SD card into the target 3DS
- Launch the homebrew launcher on the device using Homebrew Launcher (No Browser)
  - New 3DSs on versions 10.7.0 and 11.0.0 can use Homebrew Launcher (Browser) instead
  - Ensure menuhax is not installed, or you won't be able to return to Home Menu from the homebrew launcher
- Launch ctr-httpwn on the target 3DS
- Press (A) to continue
- Press (Start) to exit ctr-httpwn
- Press (Start) to open the homebrew launcher exit menu
- Press (X) to Return to Home Menu (no reboot)
  - You may get an "Error has occurred" message with the option to continue. This is fine, just hit (A)
- Continue to the next section without rebooting
  - The target 3DS has been temporarily patched to allow network functions (such as System Transfer) without running the latest system version
  - Keep in mind that exiting the System Settings will reboot the system
  - If the system is rebooted, you'll have to re-run ctr-httpwn before System Transfer will work
Section V - System Transfer
- Back up every file on both 3DS's SD cards to two separate folders on your computer (keep track of which is which)!
- Reinsert each SD card back into their corresponding 3DS
- If the target 3DS has a Nintendo Network ID on it, you must format the device using System Settings:
  - Go to the last page of "Other Settings" and select "Format System Memory", then follow all instructions
- Read the following:
  - Your CFW 3DS = the source 3DS = "Source System"
  - Your Stock 3DS = the target 3DS = "Target System"
  - Move DSiWare titles if prompted!
  - Do NOT delete the source system's SD card contents if prompted
  - Make sure neither device's battery dies during the transfer
  - 2DS/Old 3DS (source) to New 3DS (target) only - if asked which method you wish to use to transfer the SD card data:
    - Do NOT choose the "Low-Capacity microSD Card Transfer" or minimal option (option 2), it will only transfer tickets and likely will not transfer the DSiWare save.
    - Fast Method: If you have the ability to move the data from the SD card (source) to the microSD card (target), when prompted use the "PC-Based Transfer" option (option 3).
    - Slowest Method: If you don't have the ability to move the data on a PC use the full "Wireless Transfer" option (option 1).
- Go to this link and follow Nintendo's official instructions for System Transferring from one system to another while keeping in mind what you just read
Section VI - Restoring the source 3DS
- On the source 3DS, complete initial setup
- Do one of the following (or neither if you don't mind the source 3DS's NNID being nonfunctional)
  - Do the rest of the sections and then the full guide on the target 3DS, then wait one week, then System Transfer from the target 3DS back to the source 3DS (remember you cannot transfer back from a New 3DS to an Old 3DS)
  - Call Nintendo and tell them you no longer have access to the device that your NNID is linked to (which is the target 3DS in this case), and would like it linked to a different device (which is the source 3DS in this case)
- Reboot the source 3DS while holding Start to launch Hourglass9
- Go to SysNAND Backup/Restore and restore SysNAND from `NANDmin.bin`
Section VII - Backing up the target 3DS's NFIRM
- Copy `boot.nds` to the root of the target 3DS's SD card
- Create a folder named `dgTool` on the root of the target 3DS's SD card if it does not already exist
- Copy the contents of the NFIRM zip to the `dgTool` folder on the root of the target 3DS's SD card
- Launch your DSiWare game on the target 3DS
- Launch dgTool by starting your DSiWare game
  - If the game does not launch dgTool, follow this troubleshooting guide
- Select "Dump f0f1" to back up the target 3DS's NFIRM
  - Make note of the NFIRM backup's location
- Exit dgTool
  - You may have to force power off by holding the power button
- Put your SD card in your computer, then copy `F0F1_N3DS.bin` or `F0F1_O3DS.bin` (depending on your device) to a safe location; make backups in multiple locations; this backup will save you from a brick if anything goes wrong
Section VIII - Flashing the target 3DS's NFIRM
Do NOT downgrade with dgTool on a device that already has arm9loaderhax installed or you will BRICK!
- Launch your DSiWare game on the target 3DS
- Launch dgTool by starting your DSiWare game
- Select "Downgrade FIRM to 10.4" and confirm to flash the 10.4.0 NFIRM bin to the target 3DS
- Exit dgTool
  - You may have to force power off by holding the power button
- Reboot
Section IX - Exploit verification
- Copy and merge the `3ds` folder from the 3DSident zip to the target 3DS's SD card
- Reinsert your SD card into the target 3DS
- Launch the homebrew launcher on the target 3DS using Homebrew Launcher (No Browser)
- Launch 3DSident
- Verify the following:
  - Kernel version: 2.50-11
  - FIRM version: 2.50-11
  - If either of these does not display the versions above, something has gone wrong and you should try again from the beginning
Continue to Homebrew Launcher (No Browser), using steelhax for your entrypoint instead of one of the ones listed. {: .notice--primary}
You can use another entrypoint if you want to, I just recommend steelhax because it is free. {: .notice--info}
The target 3DS's version number will not have changed in the settings. {: .notice--info}
If, once transferred, steelhax only crashes to a black screen on the target 3DS, follow this troubleshooting guide. {: .notice--warning}