As noted by dark_samus on 3dbrew,
dark_samus said:
Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.
This is currently not ready for general usage -- I'm the only one who has tested it, but expect OTPless A9LH installations for N3DS users soon (only an arm9 exploit required, so it's still only for those on 9.2 or below/those who can downgrade to 9.2).
If you have a New 3DS with a hardmod, feel like you understand everything written above, and know what you're doing (i.e., no noobs), there's an alpha on my github that you can test out.
If you don't, WAIT FOR THIS TO BE BETTER TESTED.
Credit to dark_samus for finding the vuln, delebile for his key bruteforcer, Normmatt for helping dark_samus mod the key bruteforcer, Myria for helping figure out some conditionals, as well as answering questions leading to the discovery of the vuln.
Last edited by SciresM,
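The AES-ECB property dark_samus relies on, shown as an added example (this is not code from the post, from SciresM or from dark_samus's tool, and the keystore layout, key and slot labels below are constructed placeholders, not the real NAND keystore). ECB encrypts every 16-byte block independently, so permuting ciphertext blocks permutes exactly the matching plaintext blocks and the result still decrypts cleanly; the same permutation under CBC garbles the moved blocks, shown for contrast. Real AES is used when the `cryptography` package is installed; otherwise a keyed Feistel stand-in is substituted, since the behaviour being demonstrated belongs to the mode, not the cipher.

```python
"""Added example: ECB block rearrangement on a constructed 'keystore'."""
import hashlib

BLOCK = 16

try:
    # Real AES if the `cryptography` package is available.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def encrypt_block(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()

    def decrypt_block(key: bytes, block: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
        return dec.update(block) + dec.finalize()

except ImportError:
    # Stand-in (assumption, not AES): a 4-round keyed Feistel permutation on
    # 16-byte blocks with SHA-256 as round function. Not secure; it only has
    # to be a keyed bijection so ECB/CBC behave the same way as with AES.
    def _round(key: bytes, r: int, half: bytes) -> bytes:
        return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

    def encrypt_block(key: bytes, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for r in range(4):
            left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, r, right)))
        return left + right

    def decrypt_block(key: bytes, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for r in reversed(range(4)):
            left, right = bytes(a ^ b for a, b in zip(right, _round(key, r, left))), left
        return left + right


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "keystore must be block aligned"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted on its own: no chaining, no position binding.
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(decrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def swap_blocks(data: bytes, i: int, j: int) -> bytes:
    """Swap ciphertext (or plaintext) blocks i and j; what an attacker does to the blob."""
    bs = _blocks(data)
    bs[i], bs[j] = bs[j], bs[i]
    return b"".join(bs)


# Constructed stand-in keystore: four labelled 16-byte "key slots" (placeholder data).
KEYSTORE = b"".join(f"slot{n:02d}:".encode().ljust(BLOCK, b"\x00") for n in range(4))
# Placeholder for the console-unique key; the real one is not reproduced here.
KEY = hashlib.sha256(b"constructed console-unique key (placeholder)").digest()[:16]
IV = bytes(BLOCK)


def ecb_swap_survives(key: bytes = KEY, plaintext: bytes = KEYSTORE, i: int = 1, j: int = 2) -> bool:
    """ECB: swapping ciphertext blocks i and j decrypts to plaintext with slots i and j swapped."""
    ct = ecb_encrypt(key, plaintext)
    return ecb_decrypt(key, swap_blocks(ct, i, j)) == swap_blocks(plaintext, i, j)


def cbc_swap_corrupts(key: bytes = KEY, iv: bytes = IV, plaintext: bytes = KEYSTORE, i: int = 1, j: int = 2) -> bool:
    """CBC: the same swap garbles the moved blocks (block 0, untouched, still decrypts)."""
    ct = cbc_encrypt(key, iv, plaintext)
    pt = _blocks(cbc_decrypt(key, iv, swap_blocks(ct, i, j)))
    orig = _blocks(plaintext)
    return pt[0] == orig[0] and pt[i] != orig[j] and pt[j] != orig[i]


if __name__ == "__main__":
    print("ECB swap yields a clean rearranged keystore:", ecb_swap_survives())
    print("CBC swap corrupts the moved slots:", cbc_swap_corrupts())
```

The check to take away: with ECB, a rearranged ciphertext decrypts to a rearranged but otherwise intact keystore, and nothing in the decryption step itself flags it; the post's point is that this deterministic rearrangement, combined with the other two bugs it names, is what makes the OTP-less route possible on consoles whose keystore is encrypted with console-unique data.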