From WikiTemp, the GBAtemp wiki
Diff for the "How does it work ?" section (edit summary: precisions, removed unclear statement), at line 44:

Previous text:

Nintendo patched the first vulnerability in System version 7.0.0 and the second vulnerability in System version 5.0.0. Although the first vulnerability still works up to System version 6.3.0, it can't be used to get "kernel access" on System version 5.0.0 and above using the known exploit. If another Kernel access vulnerability is found on 6.3.0, the DS profile method might still be used. If you are already in 6.3.0 and don't need the latest System version, staying on this version is recommended.

New text:

Nintendo patched the second vulnerability in System version 5.0.0, and prevented the DS profile to crash in System version 7.0.0. Although the modified NVRAM still crash the system up to version 6.3.0, there's no indication that the MSET exploit wasn't patched in version 5.0.0 too.

4.5.0 had Arm9 & Arm11 MSET exploit
6.3.0 still has a Arm11 MSET exploit available
The Arm11 exploit was patched in 7.0.0


Revision as of 11:35, 11 December 2013

This page lists frequently asked questions about 3DS hacking using flashcarts like the Gateway 3DS or the R4i Gold 3DS Deluxe.

If you have a question, put it at the end of the page, or ask on GBATemp's forum (will add a thread link here later).

If you have an answer, or can provide better answers and information than the ones currently listed, please edit this page to help other users.

If you found a new question in the forum and know the answer, put it in the corresponding section.



Glossary

NAND

You will find a lot of terms used to talk about the NAND. There are in fact only two types.

1. The NAND is the chipset located in your 3DS and containing all the data/memory/program/etc.

This chipset is referred to as NAND, System NAND, SysNAND, Physical NAND, PhyNAND, Real NAND, 3DS NAND, Console NAND, etc.


2. There is a possibility to make a copy of this memory and store it outside of the console (usually on SD card).

This copy can be used by the console, and it's often called an Emulated NAND, as the console uses it as if it were the real one. All access to the console memory is redirected to the SD card. You are then using the copy located on your SD card as NAND, and everything you do is in fact happening on your SD card instead of your System NAND.

This NAND copy located on SD card is referred to as Emulated NAND, EmuNAND, Redirected NAND, RedNAND.


Firmware / System Menu

Users often use "Firmware" to talk about the version of their console or Flashcart, but it's not the correct name.

Like the Wii and Wii U, the 3DS uses a System Menu version. If you speak about the 3DS, please use "System version" instead of "Firmware" in this FAQ.

If you speak about the flashcart's Launcher.dat, it's not a firmware either. It's a program launched by the DS profile exploit. The firmware would be what's inside the flashcart's chipset. But a lot of users call the Launcher.dat the "Firmware", so I used that word in the FAQ. If it's better to use another word, feel free to replace it.

Exploit

How does it work ?

This hack exploits two different vulnerabilities in the 3DS system menu.

The first one consists of altering the DS profile stored in the DS NVRAM (by using a compatible DS flashcart and running a DS homebrew) to exploit the MSET vulnerability in "User mode".

The second one grants access to the 3DS "kernel mode" when the DS profile is launched from the 3DS Settings. When the DS profile is launched, it uses a vulnerability to get kernel access and loads a Launcher.dat file located on the SD card.


Nintendo patched the second vulnerability in System version 5.0.0, and prevented the DS profile from crashing in System version 7.0.0. Although the modified NVRAM still crashes the system up to version 6.3.0, there's no indication that the MSET exploit wasn't patched in version 5.0.0 too.


Discussion threads : (find the thread with ROP explanation), DS Exploit.

3dbrew....

Console

Is it working in all consoles and regions?

Consoles from all regions are compatible with this exploit, and it works on all 3DS models (Original and XL/LL). You need a 3DS with a System version from 4.1.0 to 4.5.0 to use this exploit. If your 3DS System version is 5.0.0 or newer, it will not work. The 2DS is manufactured with a System version higher than 4.5.0, so it will not work.


Is it a softmod or hardmod?

This hack is currently based on both. The exploit itself is done in software (it runs by launching programs on the console), but requires a flashcart to install the DS exploit and another flashcart to play 3DS ROMs.

You don't need to open your console or solder a modchip to play 3DS ROMs, but it's possible to do physical modifications if you want to backup/restore your NAND. See this FAQ's NAND section for more information.

Flashcarts

How many 3DS flashcarts exist?


All three products are bundled with both a DS mode flashcart and a 3DS mode flashcart.


Why are there two flashcarts?

The DS mode flashcart is used to run a DS homebrew which replaces the DS profile information. The modified DS profile is then used to exploit a vulnerability in 3DS mode, access kernel mode and patch the 3DS system.

The 3DS mode flashcart is used to play 3DS Game ROMs.


Can I use my own DS mode Flashcart?

Yes.

If you already have a DS mode flashcart working with your 3DS, you can use it to run the DS homebrew. Just put the installer.nds file on your MicroSD and launch it from your usual method of booting DS homebrew.


Can I use the DS Mode flashcart bundled with 3DS Flashcart to run DS homebrew/games?

Yes.

The bundled DS mode flashcart is a regular card working with 3DS System version 4.5.0 (or newer, depending on which product you buy).

  • Gateway: This is a r4i gold 3DS clone, using a hacked Wood firmware.
  • R4i Gold 3DS Deluxe: This is an official R4i Gold 3DS, with the official Wood Firmware.
  • 3DS Link: This card and R4i Gold 3DS Deluxe are the same product.


Do 3DS Flashcarts work with all consoles?

The 3DS flashcarts are region free and work on all existing 3DS models (Original and XL/LL). They don't work on the 2DS because of the System version it ships with from the factory.


Do 3DS Flashcarts work on all 3DS System version?

The exploit currently used to get access to the 3DS Kernel works only on System version 4.1.0 to 4.5.0.


My 3DS System version is below 4.5.0, how can I update it?

The current exploit is working with 3DS System Menu version 4.1.0 to 4.5.0

There are two different methods to update your System NAND:

  1. Using an original game cartridge bundled with System update 4.5.0 (for example Luigi's Mansion 2).
  2. Using a game's ROM bundled with System update 4.5.0 and with Gateway v1.0 (which doesn't prevent the System version checking).


You can check this website to find which System version is present in a game's update partition.

Note: The ROM method is not possible with R4i Gold 3DS Deluxe / 3DS Link flashcarts, as their initial release (v2.0) prevents the game from checking the required System version.

My console's firmware is above 4.5.0, what can I do? Is it possible to downgrade?

Downgrading is possible only if you have a backup of your NAND chipset created before updating. You can't restore another console's NAND backup.

If you have a NAND backup of your console and want to restore it, check the NAND section.

If you don't have a NAND backup, you can't use this hack at all. You must buy a new console if you want one with System version 4.5.0 or below.

Can you check the System version before buying a new 3DS?

It's not 100% accurate, but you'll have a better chance of getting a System version below 5.0.0 if the packaging indicates "Copyright 2012".

You'll also have a better chance with the Red/Black and Blue/Black consoles.

Discussion thread: ....


Using the flashcarts

Do I need to run DS exploit every time?

No.

The patched DS profile is reset only if you launch a DS game or a DS mode flashcart. In that case, you will need to run the install.nds DS homebrew again.

You will also need to run the install.nds again if you changed your 3DS System language.

Is the 3DS hack permanent or do I need to run it after every reboot?

You need to run the exploit after each reboot/shutdown of the console.

Go to Settings > Other Settings > Nintendo DS Profile to launch the hack again.


I want to remove all exploit and hack

  1. Run a DS game or a DS mode flashcart.
  2. Shut Down your 3DS
  3. Delete the Launcher.dat from your big SD card
  4. Delete the install.nds from your DS flashcart's MicroSD.

Games

Are all games working ?

It depends on the flashcart and its firmware version.

ROMs:

  • GW2.0b1, R4i Gold 3DS Deluxe 3.0, 3DS Link 3.0: Only 2 games (Pokemon X/Y and Animal Crossing) are not working when using the ROM form.
  • GW1.2, R4i Gold 3DS Deluxe/ 3DS Link 2.0: Games using SDK5+ are not working.


Game Cartridge:

  • EmuNAND Classic with GW2.0b1: All games (tested up to release 497) are working with EmuNAND Classic on System version 6.3.0.


Attention: Since SDK6 (and System version 6.0+) games are using a different save encryption method. While in EmuNAND, the system is still running under 4.5.0 and it's using the old encryption method. If you play your cartridge in System NAND 6.0+ it will not be compatible with EmuNAND 6.0+ and the game will delete/reinitialize the save.


You can check the 3DS flashcarts game compatibility page to see which games are not working, and which version you need.

Are games region free?

Yes.

You can play games from all regions when using ROMs. But if you are using EmuNAND Classic (GW2.0b1), you still need to use a game cartridge from your region.


ROMs:

  • GW2.0b1, R4i Gold 3DS Deluxe 2.0, 3DS Link 2.0: Working with games from all regions.
  • EmuNAND (GW2.0b1): Working with games from all regions.


Game Cartridge:

  • EmuNAND Classic (GW2.0b1) : No region free.


Can I play games requiring System version past 4.5.0?

Yes.

The flashcarts spoof the required System version and suppress the prompt asking you to update your console when you play from ROMs. But if you are using EmuNAND Classic (GW2.0b1), you still need an updated EmuNAND.

ROMs:

  • GW1.2, R4i Gold 3DS Deluxe 2.0, 3DS Link 2.0: Working with all games requiring System version up to 4.5.0 and some games requiring 5.1.0.
  • GW2.0b1, R4i Gold 3DS Deluxe 3.0, 3DS Link 3.0: Working with all games requiring System version up to 6.2.0.
  • EmuNAND (GW2.0b1): Working with all games requiring System version up to 6.2.0.


Game Cartridge:

  • EmuNAND Classic (GW2.0b1) : No System version spoofing. You need to update your EmuNAND System version to 5.1.0 or newer.

Why are games using SDK5+ not working with old flashcart firmwares?

In SDK5, Nintendo changed the location of the boot logo (the Nintendo logo at the bottom of the boot screen). It's now located outside of the ExeFS, in unencrypted form. If this file can't be located, the game doesn't boot.

Flashcart firmwares patch the location so that games created with SDK5 work on System version 4.5.0.


ROMs:

  • R4i Gold 3DS Deluxe 2.0, 3DS Link 2.0: Not working with SDK5+ games.
  • GW2.0b1, R4i Gold 3DS Deluxe 3.0, 3DS Link 3.0: Working with all SDK5+ games.
  • EmuNAND (GW2.0b1): Working with all SDK5+ games.

Game Cartridge:

  • EmuNAND Classic (GW2.0b1) : No file path patching. You need to update your EmuNAND System version to 5.1.0 or newer.

Can I store multiple games on my MicroSD?

No.

At least, not for the moment. You need 1 game per MicroSD card.

The Gateway team said they are working on a game selection menu for GW 2.0.


How can I store games bigger than 4GB on FAT32?

It's unknown for the moment how the games will be stored to allow multiple games at the same time.


How do I install a game to my MicroSD card?

The game is written in raw format; it doesn't use any file system.

You need to use a tool to write the ROM image to your device. There are different tools depending on your operating system.

Select the device in the list, select the .3ds game file and click the "Write" button. Attention: be sure to select the correct drive letter. EVERYTHING on the card will be erased and the game will be written in its place.

If the MicroSD already contains a game, the program will not display the device in the list. You need to format the MicroSD first (using the Panasonic SD Formatter).



  • Linux: use the dd command line tool to write the binary file to the device (replace the input path and the device name with your own; writing to the wrong device destroys its contents):
sudo dd if=/u01/filename.3ds of=/dev/mmcblk0 bs=1M
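As an added example (not from the wiki), here is a guarded wrapper around the dd command above: it refuses to write unless the target is a whole, removable, unmounted block device that the image fits on, and asks for confirmation before the only destructive step. It assumes Linux with GNU coreutils and util-linux (sysfs, /proc/mounts, lsblk); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the wiki): guarded dd write of a raw .3ds image.
# Assumes Linux with GNU coreutils and util-linux. Every check only reads
# system state; the only write is the final dd in write_rom_image.

# Refuse anything that is not a whole, removable, unmounted block device.
check_target_device() {
    dev="$1"
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    name=$(basename "$dev")
    # partitions (mmcblk0p1, sdb1) have no /sys/block entry of their own
    [ -d "/sys/block/$name" ] || { echo "$dev is a partition; use the whole device" >&2; return 1; }
    # the system disk is normally not flagged removable
    [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" = "1" ] \
        || { echo "$dev is not removable; refusing (is this your system disk?)" >&2; return 1; }
    # any mounted filesystem on the device or one of its partitions blocks the write
    grep -q "^$dev" /proc/mounts && { echo "$dev has a mounted filesystem; unmount it first" >&2; return 1; }
    return 0
}

# Check that the image fits on the card (both sizes in bytes).
check_image_fits() {
    img_bytes=$(wc -c < "$1")
    dev_bytes=$(lsblk -bdno SIZE "$2")
    [ "$img_bytes" -le "$dev_bytes" ] \
        || { echo "image ($img_bytes B) is larger than the card ($dev_bytes B)" >&2; return 1; }
}

# write_rom_image <file.3ds> </dev/device>
write_rom_image() {
    rom="$1"; dev="$2"
    [ -f "$rom" ] || { echo "no such image: $rom" >&2; return 1; }
    check_target_device "$dev" || return 1
    check_image_fits "$rom" "$dev" || return 1
    echo "About to erase $dev and write $rom. Type YES to continue:"
    read -r answer
    [ "$answer" = "YES" ] || { echo "aborted" >&2; return 1; }
    sudo dd if="$rom" of="$dev" bs=1M conv=fsync status=progress
}
```

Run it as `write_rom_image game.3ds /dev/mmcblk0`; the checks are deliberately strict, so a card that is still mounted by the desktop has to be unmounted before the function will touch it.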


Which MicroSD should I choose?

Which MicroSD size should I choose?

Can I trim ROMs to fit in a smaller MicroSD?

Yes.

Some games can be trimmed to remove unused dumped binary data. There are different programs you can use to do that.


There are two trimming methods, what are the differences?

The normal trimming method removes unused data at the end of the game's data. It can be reverted to get the file back to the original dump.

The second trimming method also removes the update partition from the game's data and is irreversible. You can't restore the deleted partition from the modified file.

The first method should be enough to fit all games in your MicroSD card.


Where are the saves? Can I backup them ?

When you play, the save is stored into the flashcart.

If you want to backup your current progress to a file, you need to exit the game using Home > X > A. This copies the flashcart's internal save chip to the root of your big SD card, with a filename based on the GameID.

As long as you play the same game, it will use the flashcart's internal save chip.

If you play another game, it will import that game's save file from the big SD card to the internal save chip. It will NOT backup your previous game's save first, so you need to properly exit the game if you don't want to lose your save.

You can then keep a backup of your .sav files on your computer if you want.


How do I change games?

Exit your current game with Home > X > A, and wait a few seconds before removing the flashcart, as it is backing up the save. Change your MicroSD and put the flashcart back in the 3DS.

NAND

How do I backup my NAND?

There are two methods:

  1. You can backup using a hardware flasher. You need to open your console and solder wires to it. For instructions, check this thread ....
  2. You can backup using software. Currently, only Gateway provides this option.


- GW2.0b1: Launch the Gateway menu (press L when selecting the DS profile) and select the "Backup NAND" option. It will save your System NAND to a NAND.bin file at the root of your big SD card.

Information: You don't need the Gateway flashcart to backup your NAND to a nand.bin file.


What is the correct size of the NAND dump?

There are two different NAND chipsets (different manufacturers), and they are of different sizes (512-byte sectors):

  • Toshiba NAND: 1931264 sectors (988,807,168 bytes)
  • Samsung NAND: 1953792 sectors (1,000,341,504 bytes)

How do I restore my NAND backup?

It's currently possible only through the hardware method.

If you want to modify your console to do hardware NAND backup and restore, you can check this thread: ...

There are two different models (Normal 3DS and 3DS XL). The 3DS XL is easier to mod.

Can I restore another 3DS's NAND backup?

No.

Can I restore a NAND backup made using software tool?

Yes.

But only a NAND backup from your own 3DS.

EmuNAND

What is EmuNAND?

EmuNAND is a copy of your 3DS NAND chipset. It allows you to use this copy located on SD card as if it was your real one located inside the console.

It allows you to do everything without affecting your real NAND, like updating your EmuNAND to access the eShop and play online while keeping your real NAND at System version 4.5.0, which lets you run the exploit.


With Gateway 2.0b1, there are two different EmuNAND modes:

  • EmuNAND Gateway: Boots the console into EmuNAND, and lets you play 3DS ROMs from the Gateway flashcart.
  • EmuNAND Classic: Boots the console into EmuNAND, and lets you play retail game's cartridges.


Do I need EmuNAND?

If you only want to play ROMs, you don't need EmuNAND. You can launch all game ROMs on your System NAND 4.5.0.

EmuNAND with ROM support is useful only if you don't want to affect your System NAND, or if you want to update the EmuNAND to get online access.

If you want to download demos, buy games on the eShop, or use StreetPass without fear of your console downloading an update, then you need an EmuNAND updated to the latest System version.

Note: EmuNAND is currently tested only up to System version 6.3.0.


Do I need a 3DS flashcart to setup and use EmuNAND?

You don't need a 3DS flashcart. You only need a DS compatible flashcart (DStwo, R4i, etc.) to install the DS exploit which is used to boot the launcher.

The 3DS flashcart is needed only to launch 3DS ROMs.


Can I use another 3DS EmuNAND?

No.


How do I create the EmuNAND partition?

Using the Launcher.dat from Gateway v2.0b1, press L while selecting the DS profile and it will boot the Gateway menu. Select "Prepare EmuNAND" option.

ATTENTION : It will format your SD card and delete everything. Make a backup of all your SD card's content to your computer before proceeding.


How do I launch EmuNAND?

If the SD card has the EmuNAND partition, it will always boot EmuNAND when you launch the exploit.

If you don't want to use EmuNAND, you need an SD card without it.

There's currently no way to boot into System NAND if there is an EmuNAND partition on the SD Card.


What are the differences between Normal and Classic EmuNAND?

  • The EmuNAND Normal lets you play ROMs. You don't need to update EmuNAND to play ROMs requiring a newer System version.
  • The EmuNAND Classic lets you play Cartridges and online. You need to update EmuNAND to play a game requiring a newer System version.


Do I need to update my EmuNAND?

You don't need to update EmuNAND if you don't plan to play a retail cartridge requiring a newer System version, access eshop, download Game's updates/patches or play online.


Can I play online with EmuNAND?

You can play online when using EmuNAND Classic mode and a retail cartridge.

Online doesn't work with ROMs.


How do I update my EmuNAND?

(Link to different tutorials or write one here.)


Updating using internet:

ATTENTION:

Do not update your EmuNAND! 3DS System version 7.0.0 (with GW2.0b1 & R4/link3.0) is not fully compatible with EmuNAND, and not needed to play games.

Read following sections to see what stopped working with newer system versions.


If you downloaded System version 6.3 and didn't update yet, you can still install it offline to play latest Retail game cartridges, but you won't have access to eShop. Follow a tutorial to install this update in offline mode to your EmuNAND.

DO NOT USE eShop or the update prompt to download/update your EmuNAND. It will update your System NAND instead. Always go to Settings > verify that the GW3D text is displayed > go to update menu.


Updating using a cartridge:

There is a report that you can update the EmuNAND with a retail game cartridge, but it's only if you want to stay offline and play your retail game with the required System version. This method is not recommended.

You need to be in EmuNAND Classic to get the update prompt. It will update ONLY your System version, without the eShop features. If you try to access the eShop, it will prompt you to update to get the latest eShop features; if you accept, it will update your System NAND! DO NOT UPDATE USING THE ESHOP. If you want to update, use the Settings menu and follow a tutorial.


What is the latest working System version for EmuNAND?

The latest fully working System version (with GW2.0b1 & R4/Link 3.0) is v6.3.0.

It's the System version which was available when the Launcher.dat (GW2.0b1, R4/Link 3.0) was released.


System version 6.3.0 works with the two EmuNAND Modes:

  • EmuNAND Normal: Can play ROMs. Can't access internet-based applications anymore (prompt to update to the latest System version).
  • EmuNAND Classic: Can play retail cartridges, online gaming is working. Can't access internet-based applications anymore (prompt to update to the latest System version).


What features are working/not working on newer System versions with EmuNAND ?

These System versions are newer than the Launcher.dat (GW2.0b1, R4/Link 3.0) release, therefore the patches are not applied correctly with them and some functions are not working (like Region free, etc.)


System version 7.0.0 (with GW2.0b1 & R4/link3.0):

  • EmuNAND Normal: Can play ROMs from the same region only. The console freezes if you try to access the Settings menu or any internet-based application (eShop, Miiverse, Mii Plaza, etc.).
  • EmuNAND Classic: Can play retail cartridges, online gaming is working. The console freezes if you try to access the Settings menu or any internet-based application (eShop, Miiverse, Mii Plaza, etc.).


Can I backup my EmuNAND partition located on my SD card?

Yes.

On Windows, you can use Win32DiskImager. It will backup all your SD card (NAND partition and FAT32 partition) as a single binary file.

On Linux, you can use dd command to backup your EmuNAND partition only.

Related GBAtemp post: How to use dd to backup/restore EmuNAND partition. (Values are for Toshiba NAND. Change the values for Samsung NAND.)


Can I use my hardware NAND backup with EmuNAND?

Yes.

In the EmuNAND partition, the NAND's first sector is stored right after the last NAND sector, and the first sector of the SD card is replaced by a dummy sector (acting as the SD card's MBR). You can't write your NAND backup directly to the SD card without adjusting the sector positions.

If you are on Linux, you can use the dd command to write your NAND.bin to your SD card.

Related GBAtemp post: How to use dd to backup/restore EmuNAND partition. (Values are for Toshiba NAND. Change the values for Samsung NAND.)
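The layout just described, reproduced as an added example with dd on ordinary files so it can be checked offline before a real card is touched (this is not code from the wiki, the linked post or the flashcart vendors). It serves the "What is the correct size of the NAND dump?" question and the two dd questions above. The sector counts come from the NAND section of this page; the exact on-card layout (dummy sector 0, NAND sector 0 stored at SD sector N, nothing else in between) is an assumption taken from the description above, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the wiki): EmuNAND on-card layout modelled with dd.
# Assumed layout, from the page's description (N = NAND size in 512-byte sectors):
#   SD sector 0       = dummy sector standing in for the card's MBR
#   SD sectors 1..N-1 = NAND sectors 1..N-1 (unchanged positions)
#   SD sector N       = NAND sector 0
SECTOR=512
TOSHIBA_SECTORS=1931264   # sizes listed in the NAND section of the page
SAMSUNG_SECTORS=1953792

# Sector count for a chipset name; fails on an unknown name.
chip_sectors() {
    case "$1" in
        Toshiba) echo "$TOSHIBA_SECTORS" ;;
        Samsung) echo "$SAMSUNG_SECTORS" ;;
        *) echo "unknown NAND chipset: $1" >&2; return 1 ;;
    esac
}

# Byte size of a full dump for a chipset.
nand_bytes() { s=$(chip_sectors "$1") || return 1; echo $((s * SECTOR)); }

# Number of 512-byte sectors in a file.
file_sectors() { echo $(( $(wc -c < "$1") / SECTOR )); }

# Identify the chipset from a dump's byte size; fails if neither size matches,
# which is the first thing to check before trusting a backup.
identify_nand() {
    bytes=$(( $(wc -c < "$1") ))
    if [ "$bytes" -eq "$(nand_bytes Toshiba)" ]; then echo Toshiba
    elif [ "$bytes" -eq "$(nand_bytes Samsung)" ]; then echo Samsung
    else echo "unexpected dump size: $bytes bytes (not a full NAND dump?)" >&2; return 1
    fi
}

# Rearrange a raw NAND image into the EmuNAND card layout (output: N+1 sectors).
nand_to_emunand() {
    nand="$1"; out="$2"; n=$(file_sectors "$nand")
    # dummy sector 0 (all zeros here; on a real card this is the MBR)
    dd if=/dev/zero of="$out" bs="$SECTOR" count=1 2>/dev/null
    # NAND sectors 1..N-1 keep their positions
    dd if="$nand" of="$out" bs="$SECTOR" skip=1 seek=1 count=$((n - 1)) conv=notrunc 2>/dev/null
    # NAND sector 0 goes to SD sector N
    dd if="$nand" of="$out" bs="$SECTOR" count=1 seek="$n" conv=notrunc 2>/dev/null
}

# Inverse: rebuild the raw NAND image (n sectors) from a card or a card image.
emunand_to_nand() {
    card="$1"; out="$2"; n="$3"
    dd if="$card" of="$out" bs="$SECTOR" skip="$n" count=1 2>/dev/null
    dd if="$card" of="$out" bs="$SECTOR" skip=1 seek=1 count=$((n - 1)) conv=notrunc 2>/dev/null
}

# Print (do not run) the dd command that copies the whole EmuNAND region,
# dummy sector included (N+1 sectors), from a card to a file.
emunand_backup_cmd() {
    s=$(chip_sectors "$1") || return 1
    echo "dd if=$2 of=$3 bs=$SECTOR count=$((s + 1))"
}
```

Typical use: `identify_nand NAND.bin` to confirm a dump is complete, `nand_to_emunand NAND.bin card.img` to build a card image from a hardware dump, and `emunand_backup_cmd Toshiba /dev/mmcblk0 emunand.bin` to print the copy command so the sector count can be reviewed before anything is run against the card; `emunand_to_nand emunand.bin NAND.bin 1931264` then turns such a backup back into a raw NAND image.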


Is EmuNAND affecting System NAND?

While in EmuNAND, your System NAND (4.5.0) is still running and active. Some actions done in EmuNAND only affect the EmuNAND, while others affect both the EmuNAND and the System NAND.


Here is a list of known actions affecting the System NAND:

  • Modifying a network setting in EmuNAND will save all of EmuNAND's network settings to the System NAND's network settings.
  • Updating the System version from Eshop will update the System NAND.


Is System NAND affecting EmuNAND?

Yes. As your console is still running on System NAND 4.5.0, it's using that System version's files and functions.


Here is a list of known actions affecting the EmuNAND:

  • The save data encryption method used by new games (SDK6+) is still using the 4.5.0 encryption method, even if you are using EmuNAND 6.1.0+

Specific Game's Questions

Is Pokemon working on emuNAND?

Do I need EmuNAND to play Zelda ?

No, the Zelda: ALBW ROM works without emuNAND with Gateway 2.0b1 or 3DSLink 3.0. To play the retail Zelda: ALBW, you need emuNAND 6.2 or higher, and need to play it on Classic Mode.