Homebrew ARM9Loader -- Technical Details and Discussion

Thread starter: Selver
Views: 571,356
Replies: 4,025
Likes: 42
Slightly off-topic, but it'd be cool to see Xerpi's Linux payload working with this too sometime. Coldboot directly into Linux. :P
 
There is...look at stage0x5C000.
Yes, stage0x5C000 should be the payload2 part, which loads the arm9loaderhax.bin, but updating something on NAND is more work than updating something on SD.
If something goes wrong while updating stage0x5C000 we would need a hardmod to fix it; updating it on SD is simple drag'n'drop, and if it got broken, it's simply a matter of putting the SD into a card reader.
Edit:
I thought about making everything on NAND as simple as possible, and doing everything that could be more complex (which leads to more possible mistakes) on SD.
 
Last edited by RednaxelaNnamtra,
With this, would it be possible to add a recovery menu (holding R while booting) that would make NAND injection and dumping possible? Basically the "recovery menu" would even be able to do the stuff that Decrypt9 does, like xorpads? So basically a priiloader on steroids. It should all be possible since it would be booting up in early ARM9 before the Home Menu even appears, so dumping and injecting NAND should easily be possible.

The possibilities with this entry point are amazing; happy people are developing with this. Gonna wait about a month to see if downgrading to 2.0 gets any smoother and to see if some of the CFWs start to support it (though I did hear ReiNand does now).

Anyhow, great work to everyone working on this; as usual the 3DS scene is amazing right now.
 
How can I dump the OTP from a N3DS by using brute force? Any tutorial?

I have a hardmod. Thanks.
 
This would be very neat
 
This post used to have updates on Downgrade / OTP dumping. It now seems to be fairly stable if following Plailect's guide. Risk is lowered significantly (but risk still exists) by tools linked there that reduce common user errors.

See https://plailect.github.io/OTP/.

CONFIRMED: Downgrade to FW 2.1.0-4U is possible on N3DS, and Cubic Ninja hax confirmed to work.

OTP downgrading tutorial development is now mature; see @Plailect's OTP downgrade guide.
This still has a moderate risk of bricking a system.
Both N3DS and O3DS now have *hax and payload to restore sysNAND from prior backup.
O3DS upgrade might also be possible via a game cartridge.
N3DS upgrade will brick if attempted via a game cartridge.
Still not recommended without a NAND hardmod, or if you're not interested in active development of new CFW, as Arm9LoaderHax creation is not for the faint-of-heart.

Current (outdated) hints:
1. Downgrade in EmuNAND, even if EmuNAND can't boot the final downgrade directly. This avoids the major pain of having to re-flash SysNAND if sysupdater instability hits.
2. Use the .CIA version of SysUpdater (so install it before updating your emuNAND.bin past 9.2)
3. Backup, backup, backup... and have a hardmod to restore when things go awry after modifying sysNAND
  • a reliable webHax - Apparently completed!
  • method to restore SysNAND from 2.1 (e.g., after OTP is dumped) - Restore prior NAND dump via webHax and a custom 2.1 payload (Decrypt9?)
  • Arm9LoaderHax -- screen init and other FIRM-style initialization so a UI can work - Apparently added last week of February
  • Whether to screen-init at loader, or in each payload - Aurora's last commits merge both options into a single A9LH
  • How bright to set backlight during screen-init
  • If it's OK to use SysNAND to store additional data
  • How to detect that portions of SysNAND not used by the 3DS are in use by another payload
  • How to detect that portions of SysNAND are being used by their own payload
NinjHax 1, supporting firmware 4.0.0-07 through 9.2.0-20
==> http://smealum.net/ninjhax/

NinjHax 2.5, supporting firmware 9.0.0-xx through 10.3.0-xx
==> https://smealum.github.io/ninjhax2/

Clear cartridge's save game by, at main menu, holding L+R+X+Y.
1.0 QR code: https://i.imgur.com/7Q35Tuy.png
1.1 QR code: http://i.imgur.com/XfdtO8f.png
2.1 QR code: http://i.imgur.com/HLteE39.png

These load the file sd:/load.bin into FCRAM at 0x23F00000 and start execution. The size of load.bin is limited to 0x3000 bytes.
One could also replace code.bin, which is based at 0x20600000.
Post #385 or mega folder in pakrett's thread ??what is this??
 
Last edited by Selver,
sysupdater doesn't handle installing TWL titles correctly, so remove them from the updates folder prior to downgrading!
I thought TWL titles shouldn't matter? Since they're not a vital part of the boot process, the 3DS should still start fine even if TWL doesn't work.

Also, just another confirmation of 2.1.0-4E downgrade successful, OTP dumped. :)
 
Last edited by Vappy,
Post to have updates on Downgrade / OTP dumping.

At the time of this post, this is very early in development, and has a high risk of bricking a system. Not recommended without at least a hardmod.

Various people have now been able to downgrade their systems to v2.1.0-4U, both O3DS and N3DS, for the purpose of dumping the OTP. A N3DS, once downgraded, cannot be updated via cart or sysupdater (soft brick).


Plailect has links to OTP downgrade guides at: https://plailect.github.io/OTP/

Post #385 or mega folder in pakrett's thread on some other site
Wasn't there a brute force method for the 3DS which doesn't need a downgrade?
 
Isn't it supposed to be "bruteforced" on N3DS with a Raspberry Pi?

The bruteforce using an RPi2 is to find a "secret sector" value that will execute a payload previously left in memory via another means. Those other means could be the exception vectors, if you already have some existing method of attacking the system, or it could be via custom FIRM0 / FIRM1 (using OTP_HASH).

It's not a complete solution, as the OTP itself is, because only a few bytes of the secret sector have been used thus far in new firmware...
 
Well this has been fun. :)
Now I have arm9loaderhax on sysNAND 10.5 and a mod of AuReiNand running too (sysNAND only), on one of my N3DSes. :D
Oh nice! You got it to work :P
Was wondering if you were able to get it to work. (I left #cakey a bit after you started to download the 10.5 files yesterday).

You just deleted the 10.4 NATIVE_FIRM right? So your sysNAND is still on the 9.2 NATIVE_FIRM?
 
Yeah, at first I removed the NATIVE_FIRM CIA from the update pack but eShop still complained, so I made a backup and let eShop update the system; of course that bricked.
Restored the backup, installed the NATIVE_FIRM CIA myself with DevMenu and all is working fine. :D
 
Oh shit. Pretty nice to hear!
I'll give this a shot once I hardmod my N3DS.
 
Some updates:
  • The linux version is not fucked, it just looked to be.
  • 2DS will work, but some emuNAND-related things need to be done first; it will once again be split into a separate guide
  • The old 3DS guide will be updated to use emuNAND as well for general safety
  • JAP is still on the way
  • Once all guides are on emuNAND for downgrade, Normmatt gets 2.1 working in emuNAND, and the AHP person finishes his 2.x NAND restore, I will consider making this guide officially safe enough to use without a hardmod.
 