Hacking [WIP] KARL3DS - Kernel access on N3DS via Ninjhax + Loadcode

  • Thread starter: Rokkubro
  • Views: 930,479
  • Replies: 4,457
  • Likes: 43
Status
Not open for further replies.
Once you get there, I can pass along some process9 patches to disable region checks and enable launching unsigned titles as well. I'm not too familiar with process9 myself, but those patches are what I've gleaned from reversing launchers and the like.
 

Hello everyone! After sensing some interest in the community after reading this thread, I thought I'd make a page for a project I've been working on, so people can join in, give advice etc.

The project is called KARL3DS (a bad acronym originally meant to stand for Kernel Anti-piracy Region-free Loader... 3DS) - and its goal is to have usable kernel access on N3DS for NAND dumping and decrypting, cartridge dumping and decrypting and hopefully(!) the ability to launch a CFW that allows for the bypassing of region lock. A project outline is below.
*snip*
If you need any help with testing, I might be able to help.
I have:
a 3DS on 4.5
a 3DS on 7.1
a 3DSXL on 9.2
a N3DSXL on 9.0
a copy of Cubic Ninja
and a Gateway 3DS card

I don't know a lot on how 3DS exploit coding works, but I am interested in learning.
This sounds like a good project, let me know if there is any way I can help.
 
Yikes. Yes, let's bitch about someone working hard for free to bring region free to the N3DS because his project doesn't do what you want it to do. Not every dev is comfortable with designing tools or methods for piracy and shouldn't have to feel pressure from any community to facilitate it if they choose not to.
While I agree with you completely, that opinion isn't really welcome here unfortunately.
 
1. Gathering of team and resources (the intent of this thread)

2. Gaining kernel access from within Ninjhax
   1. Memchunkhax to get Arm11 kernel access using gspwn
   2. Firmlaunchhax to Arm9 code execution

2b. Gaining Arm11 userland code execution
   1. Porting Yifan Lu's LoadCode to N3DS Skater (what I am currently working on) and mapping out the correct values in the global address space (can possibly be avoided by smart coding in the 2nd stage)
   2. Injecting the ported code to replace Ninjhax's Thread 0 ROP
   3. Testing with UVLoader (or some other publicly available code)

3b. Gaining kernel access from within userland
   1. Converting Gateway's Arm11 exploit to New3DS (as usual, using Yifan's writeup and the info on 3dbrew) - fairly simple
   2. Converting Gateway's Arm9 exploit to New3DS (it is possible we could use Roxas' work here, it'd probably be more work though) - quite difficult

3. Utilising our new-found power! (I haven't thought too much about this to be honest, so just ideas)
   1. Work out NAND interface and dump NAND
   2. Work out cartridge interface and dump cartridge
   3. Work out decryption and do that (maybe look at VOID?)
   4. Figure out how to create and boot a region free REDNand
   5. On the fly game patching
   6. Modify SysNAND to boot into our kernel code
   7. Use 3DS as a remote control for our pet flying pig (with gyroscope function!)

I just saw that you guys almost crossed half of the list within this week. O.O
Wow!

You guys are really making some serious progress here!
I'll be looking forward to this. :)
 
Depends on if somebody wants to, or if the source is released. :) Let's just hope there will be some anti-piracy backup manager. :)

Maybe Deathracelord could make a public repo so people can easily contribute?
 
TBH region free is my personal first priority. I mean, I don't really know much of anything at the moment, but I think I know enough to at least get some region free from ARM11 kernel I guess. NAND redirect is also something I'd like 100% vanilla/without Gateway patches in there, and then maybe .cia. I'm not exactly against piracy per se, but I just don't endorse it 100%. We'll see how this goes though.

EDIT: Can't use services from ARM11 apparently. Have enough to do region free, maybe.
 
TBH region free is my personal first priority. I mean, I don't really know much of anything at the moment, but I think I know enough to at least get some region free from ARM11 kernel I guess. NAND redirect is also something I'd like 100% vanilla/without Gateway patches in there, and then maybe .cia. I'm not exactly against piracy per se, but I just don't endorse it 100%. We'll see how this goes though.

What more would there be than to point the mediatype towards the cartridge like Regionthree?

Edit: By that, I mean like this snippet inside of shared.s:

Code:
    ldr r2, =0x00000000 ; lower word PID (0 for gamecard)
    str r2, [r1], #4
    ldr r2, =0x00000000 ; upper word PID
    str r2, [r1], #4
    ldr r2, =0x00000001 ; mediatype (1 for SD card)

Do you plan to hijack something, or am I lost?
 
I just saw that you guys almost crossed half of the list within this week. O.O
Wow!

You guys are really making some serious progress here!
I'll be looking forward to this. :)
I crossed that out because that method was unnecessary (and also far slower, using the ungainly and difficult to use ROP code) and we have a different method of gaining access we are using now.
 
What more would there be than to point the mediatype towards the cartridge like Regionthree?

Edit: By that, I mean like this snippet inside of shared.s:

Code:
    ldr r2, =0x00000000 ; lower word PID (0 for gamecard)
    str r2, [r1], #4
    ldr r2, =0x00000000 ; upper word PID
    str r2, [r1], #4
    ldr r2, =0x00000001 ; mediatype (1 for SD card)

Do you plan to hijack something, or am I lost?

Neither the web browser nor Cubic Ninja has access to ns:s as far as I know. ARM11 kernel will help that.
 