Homebrew discussion - Questions? and Private Update Server
Syphurith
I've built a private update server yesterday, and released its source (surely without ninty files). To my surprise, the TitleHash and FsSize inside the GetSystemUpdate SOAP aren't actually verified. And there is no way for me to make a really good GetSystemUpdate reply...

Now I have two questions, looking for someone to answer. So would you please think for a while?
1. Is there any way to patch the nim module for those update URLs, on 9.3+? I do know that eshop.3dsx does something similar but I am not sure about those. Maybe HANS could do this? Yeah, I have a method to pack exefs and romfs..
2. How much could it benefit with a lower MSET or Spider on those 9.3+? The server can still easily go wrong.

Hope someone would like it. Original link is in strikethrough. Alternative link. Server Tool: https://dropfile.to/cvHd1, access: FqdU1Rt. Curl Test: https://dropfile.to/ekeJG, access: KEnFOxs. The previous package is the files to construct the server, written in PHP 7.x and Node.js. The latter one is the test scripts with curl to test the server output.

@d0k3 It is released. I found out you haven't seen the conversation there, so I just post its links here.
Opposing Force
Is it possible to rehost those files? Probably not many here can read Chinese.
Syphurith
Posted by Opposing Force: Well OK. Indeed using Google Translate isn't hard, but I would update the main post to add attachments. Eh.. this forum doesn't support attachments. I would have to find a free file hosting website first.. EDIT: OK, now it is on dropfile.io, I hope you can download it easier then.
Opposing Force
Posted by Syphurith: Thank you for doing that. : ) Here is a mirror that won't expire in 24 hours. Update server: http://www20.zippyshare.com/v/YDcVbeXv/file.html Server test: http://www38.zippyshare.com/v/B5fGYIUj/file.html
profi200
1. No.
2. Not going to work because of 1. Besides that, we still have gamecard titles which can be used as an entry point. There is no defect in the tmd. Nintendo simply fucked it up and does not check the version after installing again. For this to work, however, it must pass installation-time checks, which a modified tmd will not, so it requires disabled signature checks. If installed, however, it will run even on sysNAND. This way you can theoretically make a 3DS system Nintendo can never update again.

Btw: Why do people use some random upload sites instead of something like Dropbox?
Syphurith
Posted by profi200: Thanks much for your reply. Heat down. I played with my 9.8 emunand yesterday, and my console was directly updated from 4.1 to 9.2 first with your sysupdater. Well, and I used the version-spoofed MSET from 9.0 and it got installed. So it still needs the signature checks disabled.. It would surprise me much if they do not actually check those spoofed ones.

Posted by Shared Result: But now, I think there should be some checks other than the TMD reading itself. If it is that easy to downgrade, I think they would just knock their head with $. (orz) I developed this myself after ronhero on gbatemp stated he has done that and can provide a paid service for n00bs. Since this is quite risky I didn't post the server there. Even if you told them that, there would always be some careless guys (lol).

Random upload sites: well, because I can not access those famous upload sites easily from the country normally. I thought of a 3dsx version of sysupdater and now it sounds not of much use then (I mean here it is the server). Wish you a good day.
Syphurith
Posted by profi200: My mistake. I've checked the signature at the beginning of the TMDs of different titles, and the whole TMD is protected by the signature, thus it requires a signature patch to install a spoofed CIA. So the hope to downgrade the SysNAND on a firmware without a sig-patch isn't real. Thanks for leading me off the wrong path. Then this can only be useful to play with emunand, or to update the sysNAND, with untouched CIAs. EDIT: I will update the posts above to strike through the wrong statements.
Syphurith
@profi200 Sorry to disturb you but.. I'd like to hear your opinion about "where the TitleHash is".
I could not find the TitleHash inside all those modules' RAM dumped using NTR, nor in the extracted contents from the decrypted emunand. It checks if the TitleHash is different from maybe a "stored" one, and also the hash inside the GetSystemUpdate reply and GetTitleHash must match. Once you enter the MSET or other special apps, the wifi would not be kept functional, thus NTR loses its connection. So I can not dump the MSET ones out. It should be in NAND or RAM. But I didn't know where it might be stored. Orz. Dreaming of this getting stored in a title and the tmd changes. Yes, the tmd should not change. It doesn't check the tmd of installed ones much. Oh, why dreaming? lol Have a good time with your research and life!
Also here is a way to generate the TitleHash to keep it different every minute.

    //Create a 16 bytes random TitleHash to easily issue an update. Or else comment this off and use the line below to give it a value.
    //This is generated using the client hostname and a date-time string, thus it would change per minute.
    $TitleHash = md5(gethostname().date('YmdHi'));
    //$TitleHash = '14C4B935FCB69959B88B7003A5326D2B'; //Wrong TitleHash, this is actually the one of 9.8.0-25J
evilpdor
I think the thread is abandoned, but it has some interesting ideas.
I used Fiddler2 in proxy mode, and I analyzed the traffic during the firmware update. Obviously now (and probably forever) it is impossible to analyze the traffic in SSL/TLS. Basically I was able to replace the URL with the update files with versions of the same update downloaded from 3dnus. The 3DS doesn't see any difference, and downloads all update files from my PC. So I tried to modify an update package, switching the original native_firm 11.0.0 to the original native_firm 10.4.0, but the update stops. Currently you can then only 'save bandwidth' by downloading the update files from your PC. But if it were possible to use the raw response (therefore not editable) of the update server, it would be possible to create a totally offline 11.0.0-33 update. If we can force the 3DS to use http instead of https and fully emulate the update server (not only with an index.php) we can fix softbricked 3DS units with a firmware <= 10.7.0. ATM I hope there is a way to send raw (but uneditable) https data for a totally offline 11.0.0 update (and others to come); it could be useful in the future.