safehax streamlining many various fixes
24 KiB
title | permalink |
---|---|
DSiWare Downgrade (App Injection and Second 3DS) | /dsiware-downgrade-(app-injection-and-second-3ds).html |
If you are between versions 11.0.0 and 11.2.0, you can follow this guide to downgrade your NATIVE_FIRM using DSiWare and a second 3DS which has already has a Custom Firmware installed on it in order to dump and restore your NAND. {: .notice}
If you are below 11.2.0 on either device, then you should do the ctr-httpwn steps (when prompted) on each device under 11.2.0 to allow you to System Transfer with them. {: .notice--info}
This takes advantage of an oversight which allows DSiWare titles to read and write anywhere in NAND. {: .notice--info}
This is a currently working implementation of the "FIRM partitions known-plaintext" exploit detailed here. {: .notice--info}
This guide will assume the CFW 3DS is running arm9loaderhax and was setup with this guide, but will work (with slight modifications such as doing all SysNAND steps on EmuNAND) on systems running an EmuNAND. Note that the terms EmuNAND and RedNAND refer to slightly different implementations of the same concept. {: .notice--info}
Your DSiWare's save will be backed up before getting replaced by the hacked save. {: .notice--info}
{% capture notice-4 %} This exploit requires you to System Transfer from a CFW 3DS to a stock 3DS as part of the steps. System Transfers will work in the following directions only:
- New 3DS -> New 3DS
- Old 3DS or 2DS -> Old 3DS or 2DS
- Old 3DS or 2DS -> New 3DS
{% endcapture %}
Both systems MUST be from the same region. {: .notice--warning}
The target 3DS will have all of its data erased! {: .notice--danger}
The source 3DS's NNID will be stuck on the target 3DS unless you either system transfer back or call Nintendo! (details in the instructions) {: .notice--danger}
System Transfers can only be performed once a week. {: .notice--danger}
What you need
- Two 3DS systems
- The source 3DS: the 3DS running some kind of custom firmware (arm9loaderhax or some form of EmuNAND/RedNAND) on the latest version
- The target 3DS: the 3DS on stock firmware (between 11.0.0 and 11.2.0)
- Purchase (or already own) and install a compatible DSiWare game from the eShop on the source 3DS
- A pirated copy of the game will not work
- For a list of compatible games, see the DSiWare List page
- An entrypoint from Homebrew Launcher (SoundHax) or Homebrew Launcher (No Browser)
- The sudokuhax injection
.zip
corresponding to your region - The latest release of GodMode9
- The latest release of 3DSident
- The latest release of dgTool
- The Homebrew Starter Kit
- The NFIRM
.zip
corresponding to the device and version of the target 3DS - If the target 3DS is below 11.2.0, you will also need the following
- The latest release of ctr-httpwn
Instructions
Section I - Prep Work
Use a save manager to backup any saves you care about on the target 3DS (it will be formatted!) {: .notice--warning}
- Create a folder named
files9
on the root of the source 3DS's SD card if it does not already exist - Copy
GodMode9.bin
from the GodMode9.zip
to the/luma/payloads
folder on the source 3DS's' SD card and renameGodMode9.bin
in/luma/payloads
toup_GodMode9.bin
- Copy the
.app
from DSiWare injection.zip
to the root of the source 3DS's SD card - Copy
savedata
folder from DSiWare injection.zip
to the root of the source 3DS's SD card - Reinsert the source 3DS's SD card
- On the source 3DS, hold Start on boot to launch Hourglass9
- Go to SysNAND Options, then SysNAND Backup/Restore, then backup (min size) SysNAND to
NANDmin.bin
- Press (Select) on the main menu to eject the source 3DS's SD card, then put it in your computer
- Copy
NANDmin.bin
andNANDmin.bin.sha
from the/files9/
folder on your SD card to a safe location
- Make backups in multiple locations
- This backup will save you from a brick if anything goes wrong in the future
- Your backup should match one of the sizes on this page; if it does not, you should delete it and make a new one!
- Put the target 3DS's SD card into your computer
- Backup every file on both 3DS's SD cards to two separate folders on your computer (keep track of which is which)!
- Reinsert each SD card back into their corresponding 3DS
- Press (Start) to reboot
Section II - Backup DSiWare
After completing the entire guide, you can use this backup to restore your DSiWare saves by deleting the DSiWare from your System Memory and copying it from your SD Card. {: .notice--info}
This backup can only be used on this NAND. If you format your 3DS or restore another NAND (specifically if movable.sed
is ever modified), it will become unusable.
{: .notice--info}
- Go to System Settings, then "Data Management", then "DSiWare" on the source 3DS
- Copy any DSiWare games that are already on the SD Card back to the System Memory
- Copy the DSiWare game you intend to use to the SD Card
- Exit System Settings
Section III - Injecting the game and save
- Open GodMode9 from arm9loaderhax by holding (Up) during boot
- Navigate to
SDCARD
- Press (Y) on the DSiWare injection
.app
to copy it - Press (B) to go back to the main menu
- Navigate to
SYSNAND TWLN
->title
->00030004
->(8 Character ID)
- The 8 Character ID will be the one from the DSiWare List page
- Navigate to
content
- Press (A) on the
.app
file in the folder - Select "Inject data @offset"
- Press (A) to select the offset
00000000
- Press (A) to unlock SysNAND writing, then input the key combo given
- Press (B) to go back to the main menu
- Navigate to
SYSNAND TWLN
->title
->00030004
->(8 Character ID)
- The 8 Character ID will be the one from the DSiWare List page
- Navigate to
data
- Press (A) on
public.sav
- Select "Mount as FAT image"
- If you do not see this option, ensure you are running the latest GodMode9 commit rather than the latest release
- If you still do not see this option, please report this bug
- This will have moved you back to the main menu
- Navigate to
SDCARD
- Press (Y) on the file(s) in the
savedata
folder to copy them
- If there is a
savedata
folder inside of thesavedata
folder, it is not by mistake. You should copy the secondsavedata
folder, not the files inside of that.
- Press (B) to go back to the main menu
- Navigate to
FAT IMAGE
- Use the (X) button to delete everything inside of
FAT IMAGE
- Press (Y) to paste a copy of the contents of the
savedata
folder toFAT IMAGE
- Select "Copy path(s)"
- Press (A) to unlock image writing, then input the key combo given
- Press (Start) to reboot
- Launch your DSiWare game on the source 3DS
- Tap the screen or press any button to start the game and test if the save is functional
- If you are using the EUR files (Legends of Exidia), after pressing (A) or (Start) at the two title screens, select the first save slot and press continue
- If your game has an error about
boot.nds
or a white screen, then the exploit has been successful - If your game has an error about corrupted or inaccessible save data, confirm that you copied the contents of the
savedata
folder and not thesavedata
folder itself - If your game behaves normally and does not give you an error about
boot.nds
or a white screen, then you should stop and figure out what went wrong - If you get a black screen, follow this troubleshooting guide
- If the game is missing from the target 3DS or has an error about corrupted or inaccessible save data, follow this troubleshooting guide
Section IV - ctr-httpwn
This section is only required if the target 3DS is under 11.2.0.
This will allow you to system transfer on versions other than the latest.
- Copy and merge the
3ds
folder from the ctr-httpwn.zip
to the target 3DS's SD card - Reinsert your SD card into the target 3DS
- Launch the homebrew launcher on the device using Homebrew Launcher (No Browser)
- New 3DSs on versions 10.7.0 and 11.0.0 can use Homebrew Launcher (Browser) instead
- Ensure menuhax is not installed, or you won't be able to return to Home Menu from the homebrew launcher
- Launch ctr-httpwn on the target 3DS
- Press (A) to continue
- Press (Start) to exit ctr-httpwn
- Press (Start) to open the homebrew launcher exit menu
- Press (X) to Return to Home Menu (no reboot)
- You may get an "Error has occurred" message with the option to continue. This is fine, just hit (A)
- Continue to the next section without rebooting
- the target 3DS has been temporarily patched to allow network functions (such as System Transfer) without running the latest system version
- Keep in mind that exiting the System Settings will reboot the system
- If the system is rebooted, you'll have to re-run ctr-httpwn before System Transfer will work
Section V - System Transfer
- Backup every file on both 3DS's SD cards to two separate folders on your computer (keep track of which is which)!
- Reinsert each SD card back into their corresponding 3DS
- If the target 3DS has a Nintendo Network ID on it, you must format the device using System Settings:
- Go to the last page of "Other Settings" and select "Format System Memory", then follow all instructions
- Read the following:
- Your CFW 3DS = the source 3DS = "Source System"
- Your Stock 3DS = the target 3DS = "Target System"
- Move DSiWare titles if prompted!
- Do NOT delete the source system's SD card contents if prompted
- Make sure neither device's battery dies during the transfer
- 2DS/Old 3DS (source) to New 3DS (target) only - if asked which method you wish to use to transfer the SD card data:
- Do NOT choose the "Low-Capacity microSD Card Transfer" or minimal option (option 2), it will only transfer tickets and likely will not transfer the DSiWare save.
- Fast Method: If you have the ability to move the data from the SD card (source) to the microSD card (target), when prompted use the "PC-Based Transfer" option (option 3).
- Slowest Method: If you don't have the ability to move the data on a PC use the full "Wireless Transfer" option (option 1).
- Go to this link and follow Nintendo's official instructions for System Transferring from one system to another while keeping in mind what you just read
Section VI - Restoring the source 3DS
- On the source 3DS, complete initial setup
- Do one of the following
- Do the rest of the sections and then the full guide on the target 3DS, then wait one week, then System Transfer from the target 3DS back to the source 3DS (remember you cannot transfer back from a New 3DS to an Old 3DS)
- Call Nintendo and tell them you no longer have access to the device that your NNID is linked to (which is the target 3DS in this case), and would like it linked to a different device (which is the source 3DS in this case)
- You can also just remove the NNID from the source 3DS if you'd prefer it remain on the target 3DS
- Reboot the source 3DS while holding Start to launch Hourglass9
- Go to SysNAND Backup/Restore and restore SysNAND from
NANDmin.bin
Section VII - Backing up the target 3DS's NFIRM
- Copy the dgTool
boot.nds
to the root of the target 3DS's SD card - Create a folder named
dgTool
on the root of the target 3DS's SD card if it does not already exist - Copy the contents of the NFIRM
.zip
to thedgTool
folder on the root of the target 3DS's SD card - Launch your DSiWare game on the target 3DS
- Launch dgTool by starting your DSiWare game
- If the game does not launch dgTool, follow this troubleshooting guide
- Select "Dump f0f1" to backup the target 3DS's NFIRM
- This will take a while
- Make note of the NFIRM backup's location
- Exit dgTool
- You may have to force power off by holding the power button
- Put your SD card in your computer, then copy
F0F1_N3DS.bin
orF0F1_O3DS.bin
(depending on your device) to a safe location
- Make backups in multiple locations
- This backup will save you from a brick if anything goes wrong in the future
Section VIII - Flashing the target 3DS's NFIRM
Never downgrade with dgTool on a device that already has arm9loaderhax installed or you will BRICK!
- Launch your DSiWare game on the target 3DS
- Launch dgTool by starting your DSiWare game
- Select "Downgrade FIRM to 10.4" and confirm to flash the 10.4.0 NFIRM bin to the target 3DS
- Exit dgTool
- You may have to force power off by holding the power button
- Reboot
Section IX - Exploit verification
- Copy and merge the
3ds
folder from the 3DSident.zip
to the target 3DS's SD card - Reinsert your SD card into the target 3DS
- Launch the homebrew launcher on the target 3DS using your entrypoint
- Launch 3DSident
- Verify that the following:
- Kernel version: 2.50-11
- FIRM version: 2.50-11
- If either of these do not display the versions above, make sure you used the correct NFIRM zip and try flashing NFIRM again
The target 3DS's version number will not have changed in the settings. {: .notice--info}
Continue to Decrypt9 (Homebrew Launcher) {: .notice--primary}