2b. Gaining Arm11 userland code execution
1. Porting Yifan Lu's LoadCode to N3DS Skater (what I am currently working on) and mapping out the correct values in the global address space (can possibly be avoided by smart coding in the 2nd stage) - if you're currently working on this, did you manage to find an exploit in SKATER and get ROP off of it that quickly?
2. Injecting the ported code to replace Ninjhax's Thread 0 ROP
3. Testing with UVLoader (or some other publicly available code)
3b. Gaining kernel access from within userland
1. Converting Gateway's Arm11 exploit to New3DS (as usual, using Yifan's writeup and the info on 3dbrew) - fairly simple - why are you doing this if you're launching from Cubic Ninja? Also, you should know by this point that writeups are useless for reimplementing things. You're going to want to look at Gateway's actual exploit code, obviously.
2. Converting Gateway's Arm9 exploit to New3DS (it is possible we could use Roxas' work here, it'd probably be more work though) - quite difficult - same as before, look at GW's actual payload. Not very hard.
4. Utilising our new-found power! (I haven't thought too much about this to be honest, so just ideas)
1. Work out the NAND interface and dump the NAND - you're going to need to understand the SD interface really well to get emuNAND working anyway...
2. Work out the cartridge interface and dump the cartridge - you won't be able to get this from GW's code unless you're really good at reading MIPS. Better to figure out this interface yourself with info from 3dbrew.
3. Work out decryption and do that (maybe look at VOID?) - this stuff is all open source, thank God.
4. Figure out how to create and boot a region-free REDNAND - this is done through patching Process9.
5. On-the-fly game patching - probably the last thing you're going to want to do.
6. Modify SysNAND to boot into our kernel code - literally just do patches without redirecting NAND, if I'm understanding you right?
7. Use the 3DS as a remote control for our pet flying pig (with gyroscope function!) - do it.