This thread is trying to explain exactly what each step in https://3ds.guide/ does. This is NOT a guide, but something to help people who are interested to understand what all the things are. There will probably be some mistakes there, so please tell me if you notice wrong information or have other ideas how to make this thread better. I will credit everyone.
Terms used:
nand = 3ds internal memory
downgrade = installing lower version system titles (opposite of update)
a9lh = arm9loaderhax
arm11 = the 3ds main cpu
arm9 = the 3ds security cpu
cfw = custom firmware
arm9 payload = executable file which can be launched by the arm9 processor (SafeCTRTransfer, GodMode9 etc.)
CIA = CTR Importable Archive (CTR is 3ds model name. Usually CIAs are installed to home menu. For example: all installable games, FBI, even the home menu itself)
Credits:
3dbrew for a lot of information
@Plailect for the guide
@Dionicio3 for correcting me about cias
@PabloMK7 for correcting me about arm9 payloads
@addi33 for giving better explanations for many things (Post #8)
What you need
- The Homebrew Starter Kit includes Homebrew Launcher which is used to launch .3dsx executable files by having arm11 userland access and some .3dsx executables
- Soundhax is the arm11 userland exploit which launches the boot.3dsx executable which is usually Homebrew Launcher
- The otherapp payload is a payload file that uses ROP mechanics to bypass the Data Execution prevention and achieve arm11 userland access
1.-7. Putting the files to the correct locations on your sd card
8.-11. Launching the homebrew launcher
What you need
- 2.1.0 CTRTransfer image is a ctrnand partition dumped from another 3ds to overflash the current ctrnand partition. This is needed to get your 3ds' unique OTP file which is required to install a9lh
- SafeCTRTransfer will install the CTRTransfer image to your 3ds
- safehax is an arm9 exploit needed to gain arm9 code execution to launch SafeCTRTransfer and achieve NAND read/write access
- udsploit is an arm11 kernel exploit which is needed by safehax
Section I - Prep Work Putting the files to the correct locations on your sd card
Section II - Launch SafeCTRTransfer
- Launching udsploit achieves arm11 kernel access
- Get back to homebrew launcher
- Launching safehax will allow arm9 access
- SafeCTRTransfer will make sure you have done everything correctly and there are no other problems that could brick your 3ds
- SafeCTRTransfer will make a backup of your nand for restoring it later and install the 2.1 nand
- The newer home menu data on your sd isn't compatible with 2.1 and that's why the sd card needs to be taken out before booting
What you need
- aeskeydb.bin contains the private AES keys
- data_input_v3.zip contains secret_sector.bin and firm0/firm1
- SafeA9LHInstaller installs a9lh
- arm9loaderhax is a persistent low level system exploit, exploiting a flaw in the console's arm9loader to produce a garbage kernel entrypoint using a bruteforced key which will let the arm9loader jump to a user placed arm9 executable file and launch it (arm9loaderhax.bin). In this case it's Luma.
- Luma3DS is a signature patcher, which patches the system's signature checks to allow the installation of unsigned titles and also patches a lot more stuff, for example the syscall that overwrites firm0/firm1 at system update. Said syscall will return true without having performed its action, leaving our haxx payload secured on top of firm0. For a list of features check this and this
- hblauncher_loader is an application that achieves arm11 userland exploit using ROP and launches a .3dsx executable file (Homebrew Launcher)
- GodMode9 is an AIO encryption/decryption tool that can access any partition on the system's nand and read / write (not all) from/to them
- Luma3DS Updater is an application that replaces the arm9loader.bin payload using one of the current luma payloads
- FBI is an application that manages titles, by taking advantage of the arm11 kernel
- The Old 3DS 11.2.0-35 otherapp payload is needed because aurora wright (Luma3ds developer) simply used the best working ROP payload to gain arm11 userland by the hbl loader cia and implemented that into luma
Section I - Prep Work
2. Back up your nand backup, so that you have it if you manage to brick your 3ds
3.-18. Putting the files to the correct locations on your sd card
Section II - Installing arm9loaderhax
- self-explanatory
- to be able to get the OTP file
- web exploit to achieve arm9 kernel access to launch the safea9lhinstaller payload
- SafeA9LHInstaller is now launched
- it will now dump your OTP to /a9lh/ folder and flash the haxx payload on top of the console's firm0 partition (writes the haxx payload on top of firm0 to trigger the flaw in the arm9loader which causes said loader to jump to our arm9 payload (arm9loaderhax.bin))
- -9. Backing up your OTP for future use (Might not be needed, but better safe than sorry)
- a9lh is now installed and every time the 3ds is booted it loads arm9loaderhax.bin from the root of the sd. It is for us Luma3ds. By holding select, Luma will launch its configuration menu instead of trying to launch the home menu
- "Autoboot SysNAND" will make sure Luma doesn't try to boot an emunand from sd card. "Use SysNAND FIRM if booting with R" will make sure Luma doesn't try to boot emunand firm from sd even if holding R while booting. "Show NAND or user string in System Settings" will make the version in system settings show Sys instead of Ver. This doesn't really matter
- You'll get black screen or error, because Luma doesn't support 2.1 nfirm.
- The chainloader menu allows you to boot to some other arm9 payload instead of the firmware
- GodMode9 is used to restore your system to the version it was on before starting the guide
- The Nand backup is stored there
- This will restore the Nand backup without overwriting a9lh
- This is a security measure to make sure you don't accidentally make modifications
- The Nand backup is now restored
- You'll now be where you started with a9lh
- self-explanatory
- Luma needs these files to support versions 3 and 4.5
- This will update normally.
- Going to GodMode9 again
- This time we'll replace stock Health & Safety .app with FBI's .app file which exchanges the applications core (essentially replaces H&S with FBI)
- FBI is there
- This will mount the FBI cia so that you can see the contents of it
- This app file is the actual FBI
- This is a security measure to make sure you don't accidentally make modifications
- Health & Safety is now FBI
- We'll use FBI to install FBI, hblauncher_loader and lumaupdater
- The cias are there
- -4. Will install all 3 of the cias at once
- Going to GodMode9 once again
- Now we'll restore stock Health & Safety's .app file and copy Luma3ds's arm9 payload to the root of the ctrnand partition
- Nothing to explain
- Same as above
- This will restore it
- Explained twice already
- Luma is there
- This will copy luma to clipboard
- -
- -6. By copying Luma there, Luma will be loaded from there when your sd card isn't inserted. Otherwise the 3ds couldn't boot without sd card
11. We only enable one option, because without sd there couldn't even be emunand.
Last edited by Uumas,