diff --git a/_pages/0_15_20-ctrtransfer.md b/_pages/0_15_20-ctrtransfer.md new file mode 100644 index 00000000..ccec2513 --- /dev/null +++ b/_pages/0_15_20-ctrtransfer.md @@ -0,0 +1,64 @@ +--- +title: "0_15_20 ctrtransfer" +permalink: /0_15_20-ctrtransfer.html +--- + +If you downgrade to 0_15_20 on a New 3DS PANDA or 2DS PANDA and left Wireless Communication off, you can re-enable the wireless by removing the battery for several seconds then booting back up. +{: .notice--info} + +Your device may not show some installed titles after the ctrtransfer. This is due to the tickets being removed by the transfer; they will be restored when you restore your NAND backup. +{: .notice--info} + +Never format a 2DS while on a version <6.0.0 or you will be unable to complete initial setup and will BRICK! +{: .notice--danger} + +#### What you need + +* You will need to have booted into Decrypt9 +* The 0_15_20 PANDA / SNAKE ctrtransfer image + + [ctrtransfer - 0_15_20 - PANDA / SNAKE](https://3ds.guide/torrents/ctrtransfer_CTR-0_15_20-panda_snake.torrent) - +* [`SecureInfo_B_panda.zip`](https://3ds.guide/torrents/SecureInfo_B_panda.torrent) - + +#### Instructions + +##### Section I - Prep work + +You should be in Decrypt9 for these steps. + +1. Press (Select) on the main menu to eject your SD card, then put it in your computer +2. Copy the 0_15_20 `.bin` and `.bin.sha` from the ctrtransfer zip to the `/files9/` folder on your SD card +3. Copy `SecureInfo_B` from `SecureInfo_B-panda.zip` to the `/files9/` folder on your SD card +3. Reinsert your SD card into your 3DS +4. Press (B) to get to the Decrypt9 main menu + +##### Section II - ctrtransfer + +4. Go to "SysNAND Options", then "CTRNAND Transfer", then "Auto CTRNAND Transfer" +5. Select `ctrtransfer_CTR-0_15_20-panda_snake.bin` when prompted by pressing (A) +6. **Backup SysNAND to `NANDmin.bin` when prompted by pressing (A)** +7. Allow the transfer process to proceed automatically, this may take some time +8. Once the transfer is complete, press (B) and go back to the main menu +9. Go to "SysNAND Options", then "System File Inject", then "Inject SecureInfo_B" +10. Select `SecureInfo_B` when prompted by pressing (A) +9. Press (Select) to eject your SD card +9. Delete `ctrtransfer_CTR-0_15_20-panda_snake.bin` and `ctrtransfer_CTR-0_15_20-panda_snake.bin.sha` from the `/files9/` folder on your SD card +19. Clear Home Menu's extdata by navigating to the following folder on your SD card: `/Nintendo 3DS/(32 Character ID)/(32 Character ID)/extdata/00000000/` + + EUR Region: Delete `00000098` + + JPN Region: Delete `00000082` + + USA Region: Delete `0000008f` + + CHN Region: Delete `000000A1` + + KOR Region: Delete `000000A9` + + TWN Region: Delete `000000B1` +12. Reinsert your SD card into your 3DS +11. Press (Start) to reboot + +___ + +*(Screen distortions or discolorations are normal for some devices while on 0_15_20, they will go away once you restore your backup)* +{: .notice--info} + +Putting a retail 2.1.0 New 3DS into sleep mode is known to cause BRICKS! I cannot be sure if this applies to 0_15_20 PANDA units aswell, but it would be wise to assume it does and continue the installation as soon as possible! +{: .notice--danger} + +Continue to [Installing arm9loaderhax](installing-arm9loaderhax). +{: .notice--primary} diff --git a/_pages/2.1.0-ctrtransfer.md b/_pages/2.1.0-ctrtransfer.md deleted file mode 100644 index 78a56951..00000000 --- a/_pages/2.1.0-ctrtransfer.md +++ /dev/null @@ -1,65 +0,0 @@ ---- -title: "2.1.0 ctrtransfer" -permalink: /2.1.0-ctrtransfer.html ---- - -If you downgrade to 2.1.0 on a New 3DS PANDA or 2DS PANDA and left Wireless Communication off, you can re-enable the wireless by removing the battery for several seconds then booting back up. -{: .notice--info} - -Your device may not show some installed titles after the ctrtransfer. This is due to the tickets being removed by the transfer; they will be restored when you restore your NAND backup. -{: .notice--info} - -Never format a 2DS while on a version <6.0.0 or you will be unable to complete initial setup and will BRICK! -{: .notice--danger} - -#### What you need - -* You will need to have booted into Decrypt9 -* The 2.1.0 PANDA / SNAKE ctrtransfer image - + [ctrtransfer - 2.1.0 - PANDA / SNAKE](https://3ds.guide/torrents/ctrtransfer_2.1.0_panda_snake.torrent) - -* [`SecureInfo_B_panda.zip`](https://3ds.guide/torrents/SecureInfo_B_panda.torrent) - - -#### Instructions - -##### Section I - Prep work - -You should be in Decrypt9 for these steps. - -1. Press (Select) on the main menu to eject your SD card, then put it in your computer -2. Copy the 2.1.0 `.bin` and `.bin.sha` from the ctrtransfer zip to the `/files9/` folder on your SD card -3. Copy `SecureInfo_B` from `SecureInfo_B_panda.zip` to the `/files9/` folder on your SD card -3. Reinsert your SD card into your 3DS -4. Press (B) to get to the Decrypt9 main menu - -##### Section II - ctrtransfer - -4. Go to "SysNAND Options", then "CTRNAND Transfer", then "Auto CTRNAND Transfer" -5. Select `ctrtransfer_2.1.0_panda.bin` when prompted by pressing (A) -6. **Backup SysNAND to `NANDmin.bin` when prompted by pressing (A)** -7. Allow the transfer process to proceed automatically, this may take some time -8. Once the transfer is complete, press (B) and go back to the main menu -9. Go to "SysNAND Options", then "System File Inject", then "Inject SecureInfo_B" -10. Select `SecureInfo_B` when prompted by pressing (A) -9. Press (Select) to eject your SD card -9. Delete `ctrtransfer_2.1.0_panda.bin` and `ctrtransfer_2.1.0_panda.bin.sha` from the `/files9/` folder on your SD card -19. Clear Home Menu's extdata by navigating to the following folder on your SD card: `/Nintendo 3DS/(32 Character ID)/(32 Character ID)/extdata/00000000/` - + EUR Region: Delete `00000098` - + JPN Region: Delete `00000082` - + USA Region: Delete `0000008f` - + CHN Region: Delete `000000A1` - + KOR Region: Delete `000000A9` - + TWN Region: Delete `000000B1` -12. Reinsert your SD card into your 3DS -11. Press (Start) to reboot - -___ - -*(Screen distortions or discolorations are normal for some devices while on 2.1.0, they will go away once you restore your backup)* -{: .notice--info} - -Putting a retail 2.1.0 New 3DS into sleep mode is known to cause BRICKS! I cannot be sure if this applies to PANDA units aswell, but it would be wise to assume it does and continue the installation as soon as possible! -{: .notice--danger} - -Continue to [Installing arm9loaderhax](installing-arm9loaderhax). -{: .notice--primary} diff --git a/_pages/Decrypt9-(MSET).md b/_pages/Decrypt9-(MSET).md index 6bb3873f..6e298bff 100644 --- a/_pages/Decrypt9-(MSET).md +++ b/_pages/Decrypt9-(MSET).md @@ -7,14 +7,14 @@ permalink: /decrypt9-(mset).html * DS flashcard that works on your PANDA / SNAKE * The latest release of [Decrypt9WIP](https://github.com/d0k3/Decrypt9WIP/releases/) -* The 4.0.0 MSET CIA for your region: - + [MSET 4.0.0 - EUR - PANDA / SNAKE](https://3ds.guide/torrents/mset_4.0.0_eur_panda.torrent) - - + [MSET 4.0.0 - JPN - PANDA / SNAKE](https://3ds.guide/torrents/mset_4.0.0_jpn_panda.torrent) - - + [MSET 4.0.0 - USA - PANDA / SNAKE](https://3ds.guide/torrents/mset_4.0.0_usa_panda.torrent) - +* The 0_17_6 MSET CIA for your region: + + [MSET 0_17_6 - EUR - PANDA / SNAKE](https://3ds.guide/torrents/mset-0_17_6-eur-panda.torrent) - + + [MSET 0_17_6 - JPN - PANDA / SNAKE](https://3ds.guide/torrents/mset-0_17_6-jpn-panda.torrent) - + + [MSET 0_17_6 - USA - PANDA / SNAKE](https://3ds.guide/torrents/mset-0_17_6-usa-panda.torrent) - #### Instructions -1. Install the 4.0.0 MSET CIA for your region using Dev Menu +1. Install the 0_17_6 MSET CIA for your region using Dev Menu 1. Create a folder named `files9` on the root of your SD card if it does not already exist 2. Copy `Launcher.dat` and `Decrypt9WIP.dat` from the Decrypt9WIP zip to the root of your SD card 3. Reinsert your SD card into your PANDA / SNAKE @@ -27,5 +27,5 @@ permalink: /decrypt9-(mset).html 8. Reboot the system, then go to System Settings, then "Other Settings", then "Profile", then "Nintendo DS Profile" 9. If the exploit was successful, you will have booted into Decrypt9 -Continue to [2.1.0 ctrtransfer](2.1.0-ctrtransfer). +Continue to [0_15_20 ctrtransfer](0_15_20-ctrtransfer). {: .notice--primary} diff --git a/_pages/Get-Started.md b/_pages/Get-Started.md index c6f73367..f639cdeb 100644 --- a/_pages/Get-Started.md +++ b/_pages/Get-Started.md @@ -15,9 +15,9 @@ Before starting, you may want to check your SD card for errors using [H2testw (W #### Overview of steps - Install the 0_23_5 CIAs for your region / device -- Downgrade the MSET application to 4.0.0 on 0_23_5 +- Downgrade the MSET application to 0_17_6 on 0_23_5 - Use a DS flashcart to install an MSET rop for launching Decrypt9 -- Use a ctrtransfer to get to 2.1.0 +- Use a ctrtransfer to get to 0_15_20 - Use a modified SafeA9LHInstaller to install arm9loaderhax and dump the OTP Continue to [0_23_5 Install](0_23_5-install) diff --git a/_pages/Installing-arm9loaderhax.md b/_pages/Installing-arm9loaderhax.md index ca4b8c0b..9bdf77cd 100644 --- a/_pages/Installing-arm9loaderhax.md +++ b/_pages/Installing-arm9loaderhax.md @@ -57,7 +57,7 @@ We will also setup the ability to launch payloads from arm9loaderhax, giving us 1. Reinsert your SD card into your 3DS 2. Do the steps for installing arm9loaderhax on your device: -3. You should be on 2.1.0 +3. You should be on 0_15_20 4. Go to `http://dukesrg.github.io/2xrsa.html?arm11.bin` on your 3DS + If you get an error, [follow this troubleshooting guide](troubleshooting#ts_browser) + If you get a glitched screen, [follow this troubleshooting guide](troubleshooting#ts_safe_a9lh_screen) diff --git a/_pages/OTP-Info.md b/_pages/OTP-Info.md index cca104a5..2e1f49a6 100644 --- a/_pages/OTP-Info.md +++ b/_pages/OTP-Info.md @@ -13,6 +13,6 @@ There is, however, a method to dump the hash of the OTP on version 9.6.0-X. Beca This allows for a hardware based attack where arbitrary data is written to nand_sector96+0x10 in a SysNAND backup and flashed to the device. Afterwards we wire the i2c to MCU reboot on our command, write a payload (which will write 0x1000A040 - 0x1000A060 to a file on the SD card) to arm9 memory somewhere, fill all memory with a NOP sled followed by a JMP instruction pointing to the payload. We can then MCU reboot repeatedly (incrementing nand_sector96+0x10 by 1 each time) until the Kernel9Loader jumps to the payload by random chance. -Because of the complexity and extra hardware involved in the method described above, I have decided to limit the scope of this guide strictly to the software based approach of downgrading to a version below 3.0.0-X. Version 2.1.0-X was selected because it is the only version below 3.0.0-X that contains a fully exploitable browser version (2.0.0-X has a partially exploitable browser, but it won't work for other reasons). +Because of the complexity and extra hardware involved in the method described above, I have decided to limit the scope of this guide strictly to the software based approach of downgrading to a version below 3.0.0-X. Version 0_15_20 was selected because it is the only version below 3.0.0-X that contains a fully exploitable browser version (2.0.0-X has a partially exploitable browser, but it won't work for other reasons). -This process involves flashing your CTRNAND to 2.1.0-4. This is accomplished by installing a premade CTRNAND image containing 2.1.0, copying your console specific files (such as `moveable.sed` and `SecureInfo_A`) to it, then fixing the title database CMACS. On New 3DS, it also swaps CTRNAND's encryption slot and installs an Old 3DS NCSD header to NAND, allowing it to boot the Old 3DS only 2.1.0 software. +This process involves flashing your CTRNAND to 0_15_20. This is accomplished by installing a premade CTRNAND image containing 0_15_20, copying your console specific files (such as `moveable.sed` and `SecureInfo_A`) to it, then fixing the title database CMACS. On New 3DS, it also swaps CTRNAND's encryption slot and installs an Old 3DS NCSD header to NAND, allowing it to boot the Old 3DS only 0_15_20 software. diff --git a/_pages/Troubleshooting.md b/_pages/Troubleshooting.md index 214b4f8f..c2487d15 100644 --- a/_pages/Troubleshooting.md +++ b/_pages/Troubleshooting.md @@ -56,8 +56,8 @@ This happens occasionally, but the reason is unknown. The buttons will still wor 1. Try booting without any cartridges inserted (including flashcarts) 2. If you have a hardmod and a NAND backup, flash the backup back to SysNAND. 3. Try booting into recovery mode and updating your system. - *This probably will not work for an Old 3DS downgraded to 2.1.0* - **This will BRICK a New 3DS downgraded to 2.1.0** + *This probably will not work for an Old 3DS downgraded to 0_15_20* + **This will BRICK a New 3DS downgraded to 0_15_20** 1. Power off your 3DS by holding down the power button. 2. Hold L+R+A+Up. 3. Power on the 3DS.