This is kind of OT, (PM me for questions. I don't want to muddy the thread) but here's how I did it. You have to decrypt your extracted payload with
blowfish.py after making this change,
ret=cipher(S,P,l,r,
0) --> ret=cipher(S,P,l,r,
1)
and it's hardcoded to load blowfish_processed.bin (google for a pastebin)
There will be a number of 'boot.3dsx' instances in the file output to hex edit, and when that's done you change the code back to 0, and reverse the command line arguments
and then you'll have your edited payload ready to be injected.