4dsdev
Views: 616,750 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 12-13-17 03:20 PM
Guest:

0 users reading How Does Version Spoofing Work? | 1 bot

Main - Reverse-engineering - How Does Version Spoofing Work? New reply


gudenau
Posted on 12-23-15 08:16 PM Link | #842
How does version spoofing work on the 3DS, I would like to attempt to implement a version spoofer so n3DS emuNAND users can get intomthe eShop.

Syphurith
Posted on 01-05-16 10:44 AM Link | #853
Posted by gudenau
How does version spoofing work on the 3DS, I would like to attempt to implement a version spoofer so n3DS emuNAND users can get intomthe eShop.

Quite sorry for replying this late.
1.Version Spoofing itself is not hard, just edit the Version inside TMD.
However this would break the TMD signatures so you would need sig-patch environment - except Injected APP that isn't checked for the signature tightly.
2.The main reason you can not access Eshop due to the Service URL changed. Thanks to Smea that already a homebrew based on HANS can give you the access.
Hope you could find something interesting next time.

gudenau
Posted on 01-05-16 09:37 PM Link | #854
Posted by Syphurith
Quite sorry for replying this late.
1.Version Spoofing itself is not hard, just edit the Version inside TMD.
However this would break the TMD signatures so you would need sig-patch environment - except Injected APP that isn't checked for the signature tightly.
2.The main reason you can not access Eshop due to the Service URL changed. Thanks to Smea that already a homebrew based on HANS can give you the access.
Hope you could find something interesting next time.


That does not explain how it is done on the console though.

Syphurith
Posted on 01-06-16 09:33 AM (rev. 4 of 01-06-16 09:36 AM) Link | #855
Posted by gudenau
That does not explain how it is done on the console though.

Okey.. First the eShop changed their server URLs so the eShop spoofing is done by HANS.
In my own understanding the Version itself is only a number checked mostly, that marked in the TMD of the title, to say it is a certain version - not really mean that version, if modified - yes that is it so you can disable some update notice for some certain games that modified.
If you patch a game to make its Version be the same of its update, and the system would think it is updated - well i've done that when i bundled an update to a game and it doesn't pop for update notice for that game.
If without other checks, a title would be regarded as "update" by system if the version is simply higher than the current one. But this won't always work - i tried to downgrade the emunand with spoofed TMDs for the whole system titles and yes failed.
To change a version is easy, but remake a valid signature isn't. And i don't think Ninty would enable fake-sign (as wii) again.
Even you can fake the signature, when the application is so complex that related tightly with other services of the newer system version, or with a newly updated web server, that would not work. And eShop is just this type, so the modification of exefs/romfs is needed for them - and that's the reason why that's HANS enhanced.

Most time for a not that important title, the system would just check if that is updated, compare the current installed version to the latest version.
For System Titles, this isn't handled this way, even the console would only accept higher version except removed first, there are more checks.
And for eShop, this is quite important, and web related. The actual obstacle for them is the changed service urls.

I think the main purpose of dealing with the eShop has already come to an end. Hope my poor speaking can deal with your question this time.

gudenau
Posted on 01-06-16 09:18 PM Link | #856
Posted by Syphurith
Okey.. First the eShop changed their server URLs so the eShop spoofing is done by HANS.
In my own understanding the Version itself is only a number checked mostly, that marked in the TMD of the title, to say it is a certain version - not really mean that version, if modified - yes that is it so you can disable some update notice for some certain games that modified.
If you patch a game to make its Version be the same of its update, and the system would think it is updated - well i've done that when i bundled an update to a game and it doesn't pop for update notice for that game.
If without other checks, a title would be regarded as "update" by system if the version is simply higher than the current one. But this won't always work - i tried to downgrade the emunand with spoofed TMDs for the whole system titles and yes failed.
To change a version is easy, but remake a valid signature isn't. And i don't think Ninty would enable fake-sign (as wii) again.
Even you can fake the signature, when the application is so complex that related tightly with other services of the newer system version, or with a newly updated web server, that would not work. And eShop is just this type, so the modification of exefs/romfs is needed for them - and that's the reason why that's HANS enhanced.

Most time for a not that important title, the system would just check if that is updated, compare the current installed version to the latest version.
For System Titles, this isn't handled this way, even the console would only accept higher version except removed first, there are more checks.
And for eShop, this is quite important, and web related. The actual obstacle for them is the changed service urls.

I think the main purpose of dealing with the eShop has already come to an end. Hope my poor speaking can deal with your question this time.

I would like to know about the firmware version part, not the title version. But that is a good post none the less.

hartie95
Posted on 01-07-16 01:28 PM Link | #860
I means the kernel version check. Don't know if he would like to know it for patching the firmware or to patching the applications itself.

gudenau
Posted on 01-07-16 11:16 PM Link | #864
Posted by hartie95
I means the kernel version check. Don't know if he would like to know it for patching the firmware or to patching the applications itself.

Somehow making the firmware ether change the required firm version or ignore it, so that some newer titles that die when launching would launch just fine.

Syphurith
Posted on 01-08-16 03:29 PM Link | #867
Posted by gudenau
I would like to know about the firmware version part, not the title version. But that is a good post none the less.

The firmware version? This version is inside exheader of CXI of CIA/CCI, telling what minimum version of firmware is needed for running it.
See this page: http://3dbrew.org/wiki/NCCH/Extended_Header#ARM11_Kernel_Capabilities
Posted by Masks
0b1111110xxxxx Kernel release version Bits 8-15: Major version; Bits 0-7: Minor version

This is actually kernel release version. The version spoof for those 9.5+ titles that changed this value and system just run those.
Cause till now there are many FIRMs updates that just for "stability" and not infects the functionality much, so this spoofing likely works for games.
However for eShop and other titles on 10.3, the firmware set up a bitmask and the apps asks for it - just check those title decrypted with ctrtool.
If just modify the kernel version it wouldn't work (tried). But i haven't tried if i remove this mark, and you can test it alone if you have decrypt9.
You might know already that GW can partially update some titles and get eShop access without HANS, thinking of those GW patches, it might patched kernel to produce the false bitmask for those. I've heard about GW heavily patched the system and even a running thread in ARM11, but i don't know really about that.
This is just like the region free for games, the era of just modify the exheader/what leaves us after ninty introduced a new mechiasm to check the region, so only GW/NTR locale emulation could work. I'm quite noob at RE so I can not reveal how that is done, nor this for kernel release version.

gudenau
Posted on 01-09-16 10:10 PM Link | #869
Posted by Syphurith
The firmware version? This version is inside exheader of CXI of CIA/CCI, telling what minimum version of firmware is needed for running it.
See this page: http://3dbrew.org/wiki/NCCH/Extended_Header#ARM11_Kernel_Capabilities
This is actually kernel release version. The version spoof for those 9.5+ titles that changed this value and system just run those.
Cause till now there are many FIRMs updates that just for "stability" and not infects the functionality much, so this spoofing likely works for games.
However for eShop and other titles on 10.3, the firmware set up a bitmask and the apps asks for it - just check those title decrypted with ctrtool.
If just modify the kernel version it wouldn't work (tried). But i haven't tried if i remove this mark, and you can test it alone if you have decrypt9.
You might know already that GW can partially update some titles and get eShop access without HANS, thinking of those GW patches, it might patched kernel to produce the false bitmask for those. I've heard about GW heavily patched the system and even a running thread in ARM11, but i don't know really about that.
This is just like the region free for games, the era of just modify the exheader/what leaves us after ninty introduced a new mechiasm to check the region, so only GW/NTR locale emulation could work. I'm quite noob at RE so I can not reveal how that is done, nor this for kernel release version.

Ok, so basically I would just need to change the kernel version or change the needed one on load. That *should* be fun, eh?


Main - Reverse-engineering - How Does Version Spoofing Work? New reply

Page rendered in 0.021 seconds. (2048KB of memory used)
MySQL - queries: 26, rows: 79/79, time: 0.013 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2017-11-20)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.