4dsdev
Views: 592,271 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 08-22-17 12:34 PM
Guest:

0 users reading Questions? and Private Update Server | 1 bot

Main - Homebrew discussion - Questions? and Private Update Server New reply


Syphurith
Posted on 11-29-15 08:06 PM (rev. 4 of 11-30-15 12:52 PM) Link | #799
I've built a private update server yesterday, and released its source (surely without ninty files). To my surprise, the TitleHash and FsSize inside GetSystemUpdate SOAP isn't actually verified. And no way for me to make a really good GetSystemUpdate reply...
Also to note, there is a defect inside TMD structure and therefore the CIA, so that version spoof works. I even used the server with a spoofed MSET to cheat the emunand, and orz.. Unfortunately i can not get those total downgraded even on my emunand, maybe that's just too greedy.

Now i have two questions, looking for someone to answer. So mind you please think for a while?
1. Is there any way to patch the nim module for those update urls, on 9.3+? I do know that eshop.3dsx does something similar but i am not sure about those. Maybe HANS could do this? yeah i have method to pack exefs and romfs..
2. How much could it benefit with a lower MSET or Spider on those 9.3+?

The server can still easily go wrong. Hope someone would like it. Original link is in strikethrough.
Server Tool: http://pan.baidu.com/s/1qW3UQza, Curl Test: http://pan.baidu.com/s/1sj6ADdV
Alternative link. Server Tool: https://dropfile.to/cvHd1, access: FqdU1Rt. Curl Test: https://dropfile.to/ekeJG, access: KEnFOxs.
The previous package is the files to construct the server, written in PHP7.x and Nodejs. The latter one is the Test scripts with curl to test the server output.
I haven't used it to play with sysNand - mine isn't hard modded. But since the signature isn't broken i think that doesn't matter. Spoofed CIA would break the signature.

@d0k3 It is released. Found out you haven't seen the conversation there i just post its links here.

Opposing Force
Posted on 11-29-15 10:37 PM Link | #800
Is it possible to rehost those files? Probably not many here can read chinese.

Syphurith
Posted on 11-29-15 10:39 PM (rev. 3 of 11-29-15 10:51 PM) Link | #801
Posted by Opposing Force
Is it possible to rehost those files? Probably not many here can read chinese.

Well OK. Indeed using google translation isn't hard, but i would update the main post to add attachments.
Eh.. this forum doesn't support attachment. I would have to find a free file hosting website first..
EDIT: OK now it is on dropfile.io i hope you can download it easier then.

Opposing Force
Posted on 11-30-15 12:39 AM (rev. 3 of 11-30-15 12:47 AM) Link | #802
Posted by Syphurith
Well OK. Indeed using google translation isn't hard, but i would update the main post to add attachments.
Eh.. this forum doesn't support attachment. I would have to find a free file hosting website first..
EDIT: OK now it is on dropfile.io i hope you can download it easier then.

Thank you for doing that. : )

Here is a mirror that won't expire in 24 hours.
update server
http://www20.zippyshare.com/v/YDcVbeXv/file.html
server test
http://www38.zippyshare.com/v/B5fGYIUj/file.html

profi200
Posted on 11-30-15 10:46 AM Link | #803
1. No.
2. Not going to work because 1. Besides that we still have gamecard titles which can be used as entrypoint.

There is no defect in tmd. Nintendo simply fucked it up and does not check the version after installing again. For this to work however it must pass installation time checks which a modified tmd will not so it requires disabled signature checks. If installed however it will run even on sysNAND. This way you can theoretically make a 3DS system Nintendo can never update again.

Btw: Why do people use some random upload sites instead of something like Dropbox?

Syphurith
Posted on 11-30-15 11:29 AM (rev. 6 of 11-30-15 11:49 AM) Link | #804
Posted by profi200
1. No.
2. Not going to work because 1. Besides that we still have gamecard titles which can be used as entrypoint.

There is no defect in tmd. Nintendo simply fucked it up and does not check the version after installing again. For this to work however it must pass installation time checks which a modified tmd will not so it requires disabled signature checks. If installed however it will run even on sysNAND. This way you can theoretically make a 3DS system Nintendo can never update again.

Btw: Why do people use some random upload sites instead of something like Dropbox?

Thanks much for your reply. Heat down
I played with my 9.8 emunand yesterday, and my console is directly updated from 4.1 to 9.2 first with your sysupdator. Well and i used the version spoofed MSET from 9.0 and it gets installed. So it still need to disable the signature checks.. It would be surprised me much if they do not actually check those spoofed ones.
Posted by Shared Result
And mind me share some result with you? Emunand: 9.8.0. JPN.
0.Complete official pack of 9.9.0, official SOAP TitleList. Success.
1.Complete official pack of 9.9.0, SOAP crafted. Success. Confirm: It doesn't actually read FsSize maybe.
2.Complete official pack of 9.9.0, SOAP crafted, and wrong TitleHash. Confirm: It doesn't actually calculate the hash but store it instead.
3.InComplete pack of 9.9.0, SOAP crafted. Success. Confirm: So it really doesn't know if a pack is really complete.
4.A version spoofed MSET/CVer/NVer from 9.0. Success, NNID settings removed. Confirm: WTF, I can not believe it.
5.A generated spoofed pack of 9.0/4.5. FAIL, that time i just think there is some checks. Ever failed on a title which id ends with 20F00.

There is only hashes in TMD, and CXI/CFA (encrypted) is signed, cert no difference.
Still it is not hard to just decrypt the CIA with console partially to get the correct hashes. There is already tool to re-produce a valid TMD file.
If it checks by the CXI/CFA content id (00000002.app) it is still easy to an extent, original hash of contents doesn't need to change.

But now, i think there should be some checks other than the TMD reading itself. If it is that easy to downgrade i think they would just knock their head with $. (orz)

I developed this myself after the ronhero on gbatemp states he has done that can provides a paid service for n00b. Since this is quite risky i didn't post the server there. Even you told them that is there would always be some careless guys (lol).

Random upload sites: well cause i can not access those famous upload sites easily from the country normally.
I thought of a 3dsx version of sysupdater and now it sounds not of much use then (i mean here it is the server). Hope you a good day.

Syphurith
Posted on 11-30-15 12:51 PM (rev. 2 of 11-30-15 12:52 PM) Link | #805
Posted by profi200
--Snip--

My mistake. I've checked the signature at the beginning of the TMDs of different titles, and that the whole TMD is protected by signature, thus it deserve a signature patch to install a spoofed CIA. So the hope to downgrade the SysNand on a firmware without sig-patch isn't real. Thanks as lead me the way off the wrong path.
Then this can only be useful to play with emunand, or update the sysnand, with untouched CIAs.
EDIT: I would update the posts above to strikethrough the wrong statements.

Syphurith
Posted on 12-01-15 12:45 PM Link | #806
@profi200 Sorry to disturb you but.. I'd like to hear your opinion about "where the TitleHash is".
I could not find the TitleHash inside all those modules' ram dumped using NTR, nor the extracted contents from decrypted emunand.
It checks if the TitleHash different from maybe "stored" one, and also the hash inside GetSystemUpdate reply and GetTitleHash must match.
Once you enter the MSET or other special apps, the wifi would not be kept functional thus NTR lost its connection. So i can not dump mset ones out.
It should be in NAND or RAM. But i didn't know where it might be stored. Orz.
Dreaming of this get stored in a title and the tmd changes. Yes tmd should not change. It doesn't check tmd of installed ones much. Oh why dreaming? lol

Have a good time with your research and life!

Also here is a way to generate the TitleHash to keep it different every minute.
//Create a 16 bytes random TitleHash to easily issue an update. Or else comment this off and use the line below to give it a value.
//This is generated using the client hostname and a date-time string, thus it would change per minute.
$TitleHash = md5(gethostname().date('YmdHi'));
//$TitleHash = '14C4B935FCB69959B88B7003A5326D2B'; //Wrong TitleHash, this is actually the one of 9.8.0-25J

evilpdor
Posted on 07-25-16 08:37 AM (rev. 3 of 07-25-16 09:10 AM) Link | #1054
I think the thread is abandoned, but it has some interesting ideas.

I used fiddler2 in proxy mode, and I analyzed the traffic during the firmware update.
Obviously now (and probably forever) it is impossible to analyze the traffic in SSL/TSL.

Basically I was able to replace the url with the update files with versions of the same update downloaded from 3dnus. The 3DS don't see any difference, and download all update files from my PC.
So i try to modify an update patckage switching the original native_firm 11.0.0 to original native_firm 10.4.0, but the update stop.

Currently you can then only 'save bandwidth' downloading from your PC the update files. But if it were possible to use the raw response (therefore not editable) of the update server, it would be possible to create a totally offline 11.0.0-33 update.

If we can force the 3ds to use http instead of https and fully emulate the update server (not only with an index.php) we can fix softbrick 3ds with a firmware <= 10.7.0.
ATM I hope there is a way to send a raw (but uneditable) https data for totaly offline 11.0.0 update (and others to come), it could be useful in the future.


Main - Homebrew discussion - Questions? and Private Update Server New reply

Page rendered in 0.080 seconds. (2048KB of memory used)
MySQL - queries: 26, rows: 79/79, time: 0.045 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2015-10-07)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.