Views: 1,611,767 | Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search | 12-03-24 05:13 PM |
Guest: |
0 users reading How Does Version Spoofing Work? | 1 bot |
Main - Reverse-engineering - How Does Version Spoofing Work? | Hide post layouts | New reply |
gudenau |
| ||
Member Normal user Level: 14 Posts: 18/34 EXP: 11586 Next: 1485 Since: 07-29-15 From: /dev/random Last post: 3123 days ago Last view: 3068 days ago |
How does version spoofing work on the 3DS, I would like to attempt to implement a version spoofer so n3DS emuNAND users can get intomthe eShop. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 55/59 EXP: 26136 Next: 3761 Since: 10-26-15 Last post: 3246 days ago Last view: 3196 days ago |
Posted by gudenau Quite sorry for replying this late. 1.Version Spoofing itself is not hard, just edit the Version inside TMD. However this would break the TMD signatures so you would need sig-patch environment - except Injected APP that isn't checked for the signature tightly. 2.The main reason you can not access Eshop due to the Service URL changed. Thanks to Smea that already a homebrew based on HANS can give you the access. Hope you could find something interesting next time. |
gudenau |
| ||
Member Normal user Level: 14 Posts: 20/34 EXP: 11586 Next: 1485 Since: 07-29-15 From: /dev/random Last post: 3123 days ago Last view: 3068 days ago |
Posted by Syphurith That does not explain how it is done on the console though. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 56/59 EXP: 26136 Next: 3761 Since: 10-26-15 Last post: 3246 days ago Last view: 3196 days ago |
Posted by gudenau Okey.. First the eShop changed their server URLs so the eShop spoofing is done by HANS. In my own understanding the Version itself is only a number checked mostly, that marked in the TMD of the title, to say it is a certain version - not really mean that version, if modified - yes that is it so you can disable some update notice for some certain games that modified. If you patch a game to make its Version be the same of its update, and the system would think it is updated - well i've done that when i bundled an update to a game and it doesn't pop for update notice for that game. If without other checks, a title would be regarded as "update" by system if the version is simply higher than the current one. But this won't always work - i tried to downgrade the emunand with spoofed TMDs for the whole system titles and yes failed. To change a version is easy, but remake a valid signature isn't. And i don't think Ninty would enable fake-sign (as wii) again. Even you can fake the signature, when the application is so complex that related tightly with other services of the newer system version, or with a newly updated web server, that would not work. And eShop is just this type, so the modification of exefs/romfs is needed for them - and that's the reason why that's HANS enhanced. Most time for a not that important title, the system would just check if that is updated, compare the current installed version to the latest version. For System Titles, this isn't handled this way, even the console would only accept higher version except removed first, there are more checks. And for eShop, this is quite important, and web related. The actual obstacle for them is the changed service urls. I think the main purpose of dealing with the eShop has already come to an end. Hope my poor speaking can deal with your question this time. |
gudenau |
| ||
Member Normal user Level: 14 Posts: 21/34 EXP: 11586 Next: 1485 Since: 07-29-15 From: /dev/random Last post: 3123 days ago Last view: 3068 days ago |
Posted by Syphurith I would like to know about the firmware version part, not the title version. But that is a good post none the less. |
hartie95 |
| ||
Newcomer Normal user Level: 6 Posts: 1/5 EXP: 641 Next: 266 Since: 12-03-15 From: Germany Last post: 3218 days ago Last view: 3007 days ago |
I means the kernel version check. Don't know if he would like to know it for patching the firmware or to patching the applications itself. |
gudenau |
| ||
Member Normal user Level: 14 Posts: 22/34 EXP: 11586 Next: 1485 Since: 07-29-15 From: /dev/random Last post: 3123 days ago Last view: 3068 days ago |
Posted by hartie95 Somehow making the firmware ether change the required firm version or ignore it, so that some newer titles that die when launching would launch just fine. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 57/59 EXP: 26136 Next: 3761 Since: 10-26-15 Last post: 3246 days ago Last view: 3196 days ago |
Posted by gudenau The firmware version? This version is inside exheader of CXI of CIA/CCI, telling what minimum version of firmware is needed for running it. See this page: http://3dbrew.org/wiki/NCCH/Extended_Header#ARM11_Kernel_Capabilities Posted by Masks This is actually kernel release version. The version spoof for those 9.5+ titles that changed this value and system just run those. Cause till now there are many FIRMs updates that just for "stability" and not infects the functionality much, so this spoofing likely works for games. However for eShop and other titles on 10.3, the firmware set up a bitmask and the apps asks for it - just check those title decrypted with ctrtool. If just modify the kernel version it wouldn't work (tried). But i haven't tried if i remove this mark, and you can test it alone if you have decrypt9. You might know already that GW can partially update some titles and get eShop access without HANS, thinking of those GW patches, it might patched kernel to produce the false bitmask for those. I've heard about GW heavily patched the system and even a running thread in ARM11, but i don't know really about that. This is just like the region free for games, the era of just modify the exheader/what leaves us after ninty introduced a new mechiasm to check the region, so only GW/NTR locale emulation could work. I'm quite noob at RE so I can not reveal how that is done, nor this for kernel release version. |
gudenau |
| ||
Member Normal user Level: 14 Posts: 23/34 EXP: 11586 Next: 1485 Since: 07-29-15 From: /dev/random Last post: 3123 days ago Last view: 3068 days ago |
Posted by Syphurith Ok, so basically I would just need to change the kernel version or change the needed one on load. That *should* be fun, eh? |
Main - Reverse-engineering - How Does Version Spoofing Work? | Hide post layouts | New reply |
Page rendered in 0.017 seconds. (2048KB of memory used) MySQL - queries: 28, rows: 81/81, time: 0.005 seconds. Acmlmboard 2.064 (2018-07-20) © 2005-2008 Acmlm, Xkeeper, blackhole89 et al. |