Views: 1,526,335 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 07-22-24 08:33 AM

0 users reading Building a new NAND image from "scratch" | 1 bot

Main - Unbricking and fixing - Building a new NAND image from "scratch" Hide post layouts | New reply

Posted on 07-25-16 12:55 PM Link | #1055
Posting this thread here, just because I felt it might be a good place for discussion

me and few others have been working on getting this working, I figured maybe with an information dump I might get people interested

What is it:
As suggested by the title, we're trying to completely rebuild a new NAND image from "scratch." It will most likely never be 100% from scratch, but it'll at least get you back to a functioning console even if you've completely 100% zeroed out your NAND, lost all your NAND backups and the like, with the exception of a few files (which are very small and easy to manage, whereas a NAND backup is large)

How are we going to achieve it?
Well, as mentioned before, we'll need a few critical files, backed up from the device before it was bricked. Many users already have these files backed up without knowing that they have them! In later versions of the OTP obtaining guide, some of the tools used automatically dump these files. Using these files, we can begin to rebuild the NAND to a state where we can get arm9 code execution, which will let us encrypt new partitions for the 3ds, sending us well on our way to a fully restored console.

Needed files (list may change in the future):
NCSD header from NAND before the console was bricked
firm0firm1 xorpad
A decrypted CTRNAND backup from any 3ds that is the "same" model (old 3ds > old 3ds, 2ds >old 3ds, old 3ds > 2ds, new 3ds > new 3ds)

Process outline:
NOTE: a hardmod (access to the NAND eternally) will be needed to perform these steps, unless you somehow already have code execution on the 3ds

Starting with a hardmod, flash the NCSD header into place, next we'll need to install arm9loaderhax, that won't be covered here, but the basic process will be: encrypt the FIRM images and flash into NAND at correct offset, flash stage2 payload, encrypt modified secret sector with OTP hash. Once finished, you should have arm9 code execution. From here we can go about encrypting and flashing the CTRNAND backup at the correct place in NAND. From here we'll need to recalculate the AES-CMAC hashes for the .db files contained withing CTRNAND, more information can be found on 3dbrew about how to go about this. Then, from here, we can inject our files from before the console was bricked (moveable.sed and Secureinfo_A). after this the NAND image should be mostly fixed. Depending on the damage, some other work may need to be done (TWL partitions might need to be recovered)

This process, as of now, is not currently fully confirmed working and may be subject to revisions

Main - Unbricking and fixing - Building a new NAND image from "scratch" Hide post layouts | New reply

Page rendered in 0.020 seconds. (2048KB of memory used)
MySQL - queries: 26, rows: 63/63, time: 0.009 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2018-07-20)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.