NTRBoot Released!

It's here!

Info

@Normmatt has created a way to run B9S .firm files from bootrom via a DSi Flashcard and a magnet! This works on every 3DS on any firmware version.

For installation without a PC, user @TheCyberQuake has created a pack which will automatically install B9S and copy over essential starter homebrew from the flashcard's SD to the 3DS's. This will mainly be used for PC-less B9S installations. If you have a PC with you, use 3ds.guide. Read more here: https://gbatemp.net/threads/481141/

How does this work?

This works because of a flaw in the bootrom. Before the bootrom boots the NAND, it checks to see if Start+Select+X is held down, and if the shell is closed. If these requirements are met, it will boot an NDS cartridge from the bootrom. This gives that cartridge bootrom access. You might be wondering how you'd hold down buttons while the shell is closed, and why you need a magnet. If you put a magnet in a specific spot on the 3DS, it will go into sleep mode. Using this, you can boot the NDS cartridge with the buttons held down while in sleep mode! Using a reflashable flashcard, you can boot B9SInstaller using the flashcard, and easily install it on your 3DS.
The 2DS doesn't need a magnet since a switch puts it to sleep instead of a magnet.

What does this mean?

  1. Any 3DS model on any firmware can be hacked with minimal effort
  2. You can unbrick any 3DS model from any type of brick.
    - Remember, you don't need a NAND backup for this. Just do a CTRTransfer.
    - This does not apply to MCU bricks.
  3. Even consoles with fried NAND, or even the NAND chip physically removed, can use this
This is incredibly impressive stuff, and will most likely be released soon! Edit: now!

FAQ

Q: Can Nintendo patch this?
A: Nope! Not without a new hardware revision.

Q: My flashcard is blocked by my firmware! Can I still use this?
A: Yes! The flashcard blacklist is not enabled on the bootrom.

Q: Why can't this work with my flashcard?
A: The installation requires you to flash NTRBoot to the flashcard's NAND. Most DS flashcards, such as the original R4, have a ROM, which is not flashable.

Q: Can I install NTRBoot on my flashcard without another 3DS system?
A: If you can run NDS ROMs on your 3DS with it, then yes. If it's blocked on your 3DS version, then you'll need another 3DS system to use it.

Q: Will my 3DS flashcard work?
A: No, only the NDSi flashcards listed above.

Q: Will any other flash cards work?
A: Only the ones listed in the OP. However, keep in mind that flashcards such as the DSTT, Supercard DS2 and R4 SDHC Dualcore are planned to be supported in the future.

Q: I tried to do this with my cartridge and it didn't work?
A: It doesn't work with regular DS cards.

Q: Can I unbrick from a ____ brick?
A: Considering the card has access to the bootrom, yes! This can unbrick any brick (except MCU), unless you've taken a knife to the motherboard.

Q: Can I install B9S on the latest firmware with this?
A: Again, since the card has access to the bootrom, you can do this easily! Just plug in your flashcard, boot up using the magnet and button combination, and install.

Q: Does this work on the New Nintendo 2DS XL?
A: Yes!

→ Release
→ Guide
→ Free NTRBoot Flashing
→ Free B9S Installations

Here is SciresM's post about this

Please see SciresM's presentation on bootromhax.
 
Last edited by Deleted member 381889,

Starzcream

Does the attached image have anything to do with this method?
 

Attachments: IMG_2277.PNG

Deleted User

Guest
Does the attached image have anything to do with this method?
I saw the word Gateway in there and the answer is no.

Gateway released a Blue DS Flashcard along with a .nds ROM that crashed the DS Profile of the system settings, which therefore allowed for ARM9 code execution. This was one of the earliest exploits. Gateway isn't advanced enough to mess with BootROM if it isn't them stealing Open Source work.
 

Cuphat

Does the attached image have anything to do with this method?
Nope, that's about the DS profile exploit (mset) that was used back on 3DS 4.x to boot CFW. Gateway was the first to publicly release that exploit.

Besides needing a DS flashcart, the two are unrelated.
 

Deleted User

Guest
Is there a source for this?
Acekard2i: from Normmatt (the dev) on IRC
DSTWO: Normmatt (the dev) said he was going to work on DSTWO compatibility next because he has one of those.

Other than IRC, pretty much no.
 

Starzcream

Found this...

DSTWO FPGA Interface

I don’t know the details, but here is some information necessary to implement ntrcardhax.

# Ports
FIFO: 0xB4000000
Control: 0xB4000002
Control2: 0xB4000004

## Control
5: FIFO clear
7: Mode for compatibility?
10: Mode

# Initialization
```c
/* Restore the GPIO port 2 pins used as the FPGA address/data bus. */
#define GPIO_ADDR_RECOVER() \
do { \
    REG_GPIO_PXFUNS(2) = 0x065Cffff; \
    REG_GPIO_PXSELC(2) = 0x065Cffff; \
    REG_GPIO_PXPES(2)  = 0x065Cffff; \
    REG_GPIO_PXFUNC(2) = 0x00820000; \
    REG_GPIO_PXSELC(2) = 0x00820000; \
    REG_GPIO_PXPES(2)  = 0x00820000; \
    REG_GPIO_PXDIRS(2) = 0x00820000; \
    REG_GPIO_PXDATC(2) = GPIO_ADDR_15; \
} while(0)

/* Static memory controller timing and address window for the FPGA chip select (JZ4740 EMC). */
#define INITFPGAPORTTIME() \
do { \
    REG_EMC_SMCR2 = ((0<<24) | /*strv*/ (3<<20) | /*taw r */ (2<<16) | /*tbp w */ (2<<12) | \
                     /*tah*/ (3<<8) | /*tas */ (1<<6) | /*bw 16 */ (0<<3) | /*bcm */ (0<<1) | /*bl*/ (0<<0) /*smt */); \
    REG_EMC_SACR2 = ((0x14<<8) | /*BASE*/ (0xfc<<0)); /*MASK */ \
} while (0)

/* Drive an address group onto the bus; SA4/SA3 are toggled relative to n. */
#define SET_ADDR_GROUP(n) \
do { \
    ndelay(); \
    REG_GPIO_PXDATS(2) = n; \
    REG_GPIO_PXDATC(2) = n ^ (SA4 | SA3); \
} while(0)

#define SET_ADDR_DEFT() \
    ndelay(); \
    SET_ADDR_GROUP(0)

void init() {
    GPIO_ADDR_RECOVER();
    INITFPGAPORTTIME();
    SET_ADDR_GROUP(1<<23);
    FIFO = 0x6bf3;
    Control = 0xf0c2;
    Control2 = 0x9252;
    SET_ADDR_DEFT();
    Control = 0;

    udelay(1);
}
```

# NTR Command
It corresponds to CARD_COMMAND in libnds. The command length is 64 bit, so read the FIFO port 4 times.

## IRQ
Enable IRQ for GPIO Port 107. See the Jz4740 document for the details.

# Response
It corresponds to REG_CARD_DATA_RD in libnds.

Write to the mode port: Mode = 1, Mode for compatibility = 1, FIFO clear = 1.

Write the response to the FIFO port using DMA. See the Jz4740 document for the details of DMA.

# How to exploit
As you can see, you can send arbitrary data. Usually the 3DS requests 0x200 bytes, so we should send valid information if it requests 0x200 bytes. However, if it requests 0x4000 bytes, which is the sign of the ARM11 attack, reply with the payload, and boom.

# Further Improvement for ntrcardhax
In the presentation at 32C3, ARM11 overwrites the length of the response. What if we can modify the length in the DSTWO FPGA? It depends on whether the controller of NTRCARD in the 3DS accepts the corrupted response.

 

yacepi15

And... The Gateway red cart? That's maybe the "feature that will revolutionize the 3DS scene". It doesn't work as-is without an exploit/launcher, it isn't a normal cart. They could put the appropriate header for this with an update, and just change the offsets for the standard functions in their launcher, right? But it seems to be too much work for them...
 
Last edited by yacepi15, Reason: typo

Deleted member 381889

OP
Have any flashcarts been confirmed to work yet?
Acekard 2i
DSTWO also ;-)
Please remember that this will be released when as many flashcards as possible are compatible. I'd advise not buying one until you know for definite that your flashcard does not work.
Normmatt (the dev) said he was going to work on DSTWO compatibility next because he has one of those
Just because Normmatt said that he will begin working on the DSTWO does not mean it's compatible. It means that Normmatt is trying to make it compatible. Do not spread misinformation.
 

SciresM

Also, I think it might be a good idea for the devs of NTRboothax or whatever it will be called to make some kind of own flashcard to get profit of their wonderful exploit / work even if it is unlikely to make an own one. But this would be a appropriate credit to what they will have done for the community!

Or, or, hear me out: I could also not do that, and keep all this as a free voluntary hobby to which I have no real obligations outside of my own personal interest.

As soon as you start selling hardware it stops being a free voluntary hobby for the benefit of the community and starts becoming a business, and you have obligations to customers etc etc....

Not even getting into the fact that it would be a legal nightmare :P

Would much rather just give back to the community while maintaining the status quo of "I choose to do this stuff because it's fun" and "other people who benefit from my work pay it forward by making their own work free and open source so that I can use it in return"....there's a reason I GPL most all of my projects ;)

Plus selling exploits is just shitty behavior.

Also, the arguments about the name are silly. It doesn't have an official one. I call it magnethax, ntrboothax is also really common (and what Normmatt prefers iirc), but really anything is fine so long as it's clear...
 
Last edited by SciresM,
