- arm9loaderhax is a way to inject a payload directly into a N3DS bootrom (just after the the firm boot). This is like a CFW coldboot N3DS-only.
It requires hardware, you need the firmware blob to "decrypt" into a branch point, the problem is, the Kernel9 loader uses a hash derived from a per 3DS OTP (which you don't know) in other to decrypt keys stored in NAND, most particularly key #2 which you replace with a garbage key in the hope of obtaining the branch point mentioned above (used to get the Kernel9 loader to jump to your payload), since you can't predict the output, you can't generalize this hack as it needs trials and errors for each units, therefore requires a way to write the nand using hardware.
- There is a way to get the key that blocks emuNAND 9.6+ on N3DS (it unlocks the new layer of security added to ARM9 bootrom on the N3DS).
No, there isn't, you only gain code execution AFTER the Kernel9 loader runs, this means you can't read the OTP and keyslot 0x11 gets cleared, not to mention you would be replacing the NAND key #2 used to decrypt the new Kernel9 with garbage anyway (since that's required for this hack to work in the first place) good luck decrypting 9.6+ kernel9 this way...
- There is also a way to calculate the AES key of the console, which is pretty cool to be honest.
There is not an "AES key of the console" what you can do is to calculate/bruteforce the constant used by the key scrambler and use that to generate missing KeyX for known normal (AES) keys + KeyY and of course bypass the keyscrambler all together.
You need to keep in mind that :
- there aren't a lot of normal keys in the wild, only the one used by NFC and used by the WiiU, so you won't be getting a lot of KeyX
- most of the keyX are set in write only keyslots (which can be used as arguments for the key scrambler) which are set by the bootrom and cannot be read, therefore you won't be able to get the normal key even if you do know KeyY and have the keyscrambler operations + constant figured out.
(You need keyX + keyY to generate a normal key, likewise you need Normal key + keyY to generate KeyX)