r4iGold.cn rev5 ntrboot patch script

gistfile1.py

#r4ids.cn rev5 ntr flasher - zoogie
#notes: for r4igold rev5, non-3ds sticker ONLY! (check above rightmost pin on back of card for your version)
#the existing ntrboot flasher works for RW, but since card shows up as hwrev 0x0 instead of 0xA7A7A7A7, you need to account for that and recompile

f=open("backup.bin","rb")
r4iflash=bytearray(f.read())
f.close()

f=open("boot9strap_ntr.firm","rb")
b9s_payload_len=len(f.read()) - 0x200
f.seek(0)
b9s_header=bytearray(f.read(0x200))
b9s_payload=bytearray(f.read())
f.close()

f=open("blowfish_retail.bin","rb")
blowfish=bytearray(f.read())
f.close()

#write ntr retail blowfish to 0x0
for i in range(0x1048):
	r4iflash[i] = blowfish[i]
	
#encrypt ntr b9s payload (different memecrypto from new r4ids.cn cards) and write it to 0x82200
b9s_payload_offset=0x82200
for i in range(b9s_payload_len):
	xorpad_byte=(b9s_payload_offset%256+9) & 0xFF
	r4iflash[b9s_payload_offset] = xorpad_byte ^ b9s_payload[i]
	b9s_payload_offset+=1

#write ntr b9s header to last sector of r4iflash (total length of flash is 2MB in rev5, not 4MB as in later versions)
b9s_header_offset=0x1FFE00
for i in range(0x200):
	r4iflash[b9s_header_offset] = b9s_header[i]
	b9s_header_offset+=1
	
f=open("backup_patched.bin","wb")
f.write(r4iflash)
f.close()