- Joined
- Jul 7, 2010
- Messages
- 4,111
- Reaction score
- 4,456
- Trophies
- 2
- Location
- /dev/random
- Website
- www.gudenau.net
- XP
- 7,765
- Country
What? Impossible. I get the splash screen when I turn my system on. Booting directly into AureiNand's sysnand with 9.0 firm.
Last edited by urherenow,
Oh... well, if it's taken care of by a9lh already, I'm not sure what the point is then. But I had already posted a vid in case someone wanted to argue about the splash. May as well post it, I guessstage 2 turns the screen on, not aureinand
Oh... well, if it's taken care of by a9lh already, I'm not sure what the point is then. But I had already posted a vid in case someone wanted to argue about the splash. May as well post it, I guess
The point of getting screen init into stage 2 was so that ReiNAND could display a splash image, without having the screen init code (or, you know, any payload could use the screen)
Mildly confused here. I have A9LH and AuReiNand installed on my N3DS. I'm using the 10.4 FIRM that was linked here https://gbatemp.net/threads/aureinand-n3ds-o3ds-a9lh.411110/. How can I:
- Boot into Decrypt9? I have the A9LH version of Decrypt9 that comes with an arm9loaderhax.bin and a D9A9 folder. What do I do with these?
- Boot into sysNAND? Someone said I just needed to hold R, and that seemed to work, but then I wasn't able to run D9 after getting to Homebrew again.
Regular Decrypt9 will not work if your sysnand is over 9.2. You could try holding L to boot with the 9.0 firm.
If you want to boot the A9LH version of Decrypt9 you will have to replace AuReiNands arm9loaderhax.bin with the one for Decrypt9 or use ctrbootloader9.
The D9A9 folder goes to the root of your SD card.
Last edited by Bu2d85,
Table of Contents:
Introduction, BootRom, ARM9Loader Theory
ARM9Loader v1
ARM9Loader v2 (1/3 and 2/3)
ARM9Loader v2 (3/3), Conclusions
OTP dumping progress post / summary
Plailect's OTP Dumping Guide (external link)
Arm9LoaderHax source code (GitHub link)
Summary of differences from prior *hax (1/3)
Summary of differences from prior *hax (2/3)
Summary of differences from prior *hax (3/3)
Introduction, BootRom, ARM9Loader Theory
ARM9Loader v1
ARM9Loader v2 (1/3 and 2/3)
ARM9Loader v2 (3/3), Conclusions
OTP dumping progress post / summary
Plailect's OTP Dumping Guide (external link)
Arm9LoaderHax source code (GitHub link)
Summary of differences from prior *hax (1/3)
Summary of differences from prior *hax (2/3)
Summary of differences from prior *hax (3/3)
Note: This is a GREATLY simplified view...
- Bootrom initializes various keys
- Bootrom loads FIRM0 into memory
- Bootrom validates FIRM0 crypto signatures
- Bootrom branches to loaded FIRM0
- FIRM0 is actually a loader for Kernel9 (the ARM9 thread)...
- Arm9Loader uses OTP hash plus sector 0x96 contents for further decryption of Kernel9
- Arm9Loader branches to properly decrypted Kernel9
- System loads lots of stuff
- Eventually loads menus / themes / etc. (one hax entry point)
- Cartridge launch ... lots of stuff
- Cartridge runs game (another hax entry point)
- Bootrom initializes various keys
- Bootrom loads FIRM0 into memory
- Bootrom FAILS to validate FIRM0 crypto signatures
- Bootrom loads FIRM1 into memory
- Bootrom validates FIRM1 crypto signatures
- Bootrom branches to loaded FIRM1
- FIRM1 is actually a loader for Kernel9 (the ARM9 thread)...
- Arm9Loader uses OTP hash plus sector 0x96 contents for further decryption of Kernel9
!BUT! because sector 0x96 was modified, the decrypted Kernel9 is corrupt. - The first (few) corrupt instruction(s) of Kernel9 branch into memory that was set from FIRM0, and never overwritten when loading FIRM1
Firm0 (attacker generated code) is loaded into memory:
Signature mismatch, so firm1 is loaded into memory, but is smaller size so only partially overwrites firm0:
Corrupt Sector 150 (0x96) causes Kernel9 (after decryption by FIRM1's arm9loader) to branch to the leftover loaded FIRM0 data:
000000000000000000000000000000xxxxxxxxxxxxxxxxx
Signature mismatch, so firm1 is loaded into memory, but is smaller size so only partially overwrites firm0:
111111111111111111111111110000xxxxxxxxxxxxxxxxx
/ sizeof(firm1) \_______^^^^
\ -sizeof(firm0) /
Corrupt Sector 150 (0x96) causes Kernel9 (after decryption by FIRM1's arm9loader) to branch to the leftover loaded FIRM0 data:
111111111111111111111111110000xxxxxxxxxxxxxxxxx
Branches to here...........^
The description at the top of this thread was based on the premise of overwriting all memory with NOP sleds / BRANCH instructions to the payload.
However, the actual Arm9LoaderHax needed to find a way to change Sector 150 such that the corrupt instructions would decode in a way that branch'd into that tiny region where FIRM0 was loaded, and where FIRM1 would not overwrite that data when it was loaded.
This is a much, much smaller target. How many different iterations needed to be tried to find just the right BRANCH instruction? Almost 4 million iterations -- hint: 0x3BF5F6.
But, once the right key was found to get this "just right" branch, it can be used on any 3DS out there, so long as the OTP_HASH could be found for that 3DS.
However, the actual Arm9LoaderHax needed to find a way to change Sector 150 such that the corrupt instructions would decode in a way that branch'd into that tiny region where FIRM0 was loaded, and where FIRM1 would not overwrite that data when it was loaded.
This is a much, much smaller target. How many different iterations needed to be tried to find just the right BRANCH instruction? Almost 4 million iterations -- hint: 0x3BF5F6.
But, once the right key was found to get this "just right" branch, it can be used on any 3DS out there, so long as the OTP_HASH could be found for that 3DS.
Last edited by Selver,
So I don't know if to make a new thread about this but since everyone seems to be discussing A9LH here and this is a (potential) bug, I figure this would be a great place to see if anyone else is having this issue.
It seems that A9LH breaks injected GBA saves if launched through emuNAND. The game will say it saves with no issues but upon relaunching it, there will show no saves at all. The FIRMs are patched, it's not the CIA or CFW because this same issue does not happen on my gf's non-A9LH console.
After doing some digging I found this Reddit post recently that seems to confirm my findings: https://www.reddit.com/r/3dshacks/comments/48q6d4/custom_made_gba_cias_dont_save_in_emunand/
Just wanted to know if anyone else is experiencing this (that is actually running A9LH with emuNAND, because it works just fine with A9LH sysNAND per the Reddit thread) and if there's an easy fix. I know it's not top priority or anything but was curious.
It seems that A9LH breaks injected GBA saves if launched through emuNAND. The game will say it saves with no issues but upon relaunching it, there will show no saves at all. The FIRMs are patched, it's not the CIA or CFW because this same issue does not happen on my gf's non-A9LH console.
After doing some digging I found this Reddit post recently that seems to confirm my findings: https://www.reddit.com/r/3dshacks/comments/48q6d4/custom_made_gba_cias_dont_save_in_emunand/
Just wanted to know if anyone else is experiencing this (that is actually running A9LH with emuNAND, because it works just fine with A9LH sysNAND per the Reddit thread) and if there's an easy fix. I know it's not top priority or anything but was curious.
You need to return to sysNAND after you have finished playing a GBA game for it to finish saving the game.
...Continued from Summary of differences from prior *hax (2/3)...
In conclusion, the main differences for Arm9LoaderHax include:
Who would've thought that the ability to jump to console-unique, non-predictably corrupt code would be such a huge entry point? I certainly learned a lot while trying to understand the scope and severity of this issue.
Table of Contents:
Introduction, BootRom, ARM9Loader Theory
ARM9Loader v1
ARM9Loader v2 (1/3 and 2/3)
ARM9Loader v2 (3/3), Conclusions
OTP dumping progress post / summary
Plailect's OTP Dumping Guide (external link)
Arm9LoaderHax source code (GitHub link)
Summary of differences from prior *hax (1/3)
Summary of differences from prior *hax (2/3)
Summary of differences from prior *hax (3/3)
Introduction, BootRom, ARM9Loader Theory
ARM9Loader v1
ARM9Loader v2 (1/3 and 2/3)
ARM9Loader v2 (3/3), Conclusions
OTP dumping progress post / summary
Plailect's OTP Dumping Guide (external link)
Arm9LoaderHax source code (GitHub link)
Summary of differences from prior *hax (1/3)
Summary of differences from prior *hax (2/3)
Summary of differences from prior *hax (3/3)
In conclusion, the main differences for Arm9LoaderHax include:
- 100% boot rate (vs. semi-random failures)
- Ability to run homebrew kernels (full-hardware access software)
- Ability to run homebrew
(Unfortunately, guaranteeing homebrew can be run also enables less ethical uses) - No known way to prevent the continued use of A9LHax (can't fix with firmware/software updates)
Who would've thought that the ability to jump to console-unique, non-predictably corrupt code would be such a huge entry point? I certainly learned a lot while trying to understand the scope and severity of this issue.
Last edited by Selver,
Ah that makes sense. Sorry, I haven't used GBA injections before A9LH. Thinking about it though, the reason why this didn't crop up before was because with non-A9LH you're returning to sysNAND, however briefly, so it has time to write the save.
I just tried again booting the injected CIA through emuNAND, saving, and returning to sysNAND after shutting down and it works! I guess a quick little reboot after returning to sysNAND isn't too bad, especially with how fast we boot now.
Thanks for the answer.
well, he said "who would have thought[...]", as such, no, not literally anyone (if you want to argue otherwise, please try to picture my grand mother thinking of that, thanks ^^)
No. XORPad generation needs FIRM init, which happens AFTER A9LH, so it's not possible for now. Maybe we'll find a workaround, but currently that's not possible.
- Joined
- Jun 4, 2015
- Messages
- 1,441
- Reaction score
- 1,081
- Trophies
- 2
- Location
- Minus World
- Website
- www.youtube.com
- XP
- 3,025
- Country
I've seen a few posts about 128GB SD cards taking longer to boot A9LH, is this a regular occurrence, or isolated incidences?
I'm currently using a SanDisk Ultra 32GB micro SD on N3DS with A9LH and it boots in 9 seconds. The plan is to upgrade to a 128GB SanDisk micro SD, would it impact performance significantly?
I'm currently using a SanDisk Ultra 32GB micro SD on N3DS with A9LH and it boots in 9 seconds. The plan is to upgrade to a 128GB SanDisk micro SD, would it impact performance significantly?
Similar threads
Site & Scene News
New Hot Discussed
-
-
25K views
Twilight Princess PC port "Dusk" gets its first release
It wasn't too long ago we saw our first glimpse of Courage Reborn, another Twilight Princess PC port in the works based on last year's decompilation efforts. With... -
16K views
Pokemon Platinum PC port gets a surprise release
Seemingly out of nowhere a PC port for Pokemon Platinum has surfaced online, bundled alongside the source code for those interested in building and developing it for... -
11K views
Steam Deck gets a major price bump, more than 40% increase for US buyers
With very little in the way of announcement, Valve has today increased the price of the Steam Deck but some fairly considerable margins. Both of the available models... -
9K views
Nintendo president Shuntaro Furukawa explains Switch 2 price increases in recent Financial Results Briefing
As a part of their Financial Results Briefing for the previous year, Nintendo president Shuntaro Furukawa took to the floor to answer key questions around the Switch... -
9K views
Sony announces PlayStation Plus price increase for new customers starting May 20
Earlier this year, Sony announced major price increases for the PS5, PS5 Pro, and PlayStation Portal. Now the company is raising prices again, this time for... -
7K views
Forza Horizon 6 leaks online after Steam preload data was uploaded without encryption
We are once again here to tell you about a game leaking before its release, but for once, it's not one published by Nintendo. The game files for Microsoft's upcoming... -
7K views
Pokémon Crystal gets a PC port titled "suiCune" based on C/C++ language
Continuing with the great news of Pokémon Platinum getting a native unofficial PC port just a few days ago, today, yet another classic title from the franchise has... -
7K views
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
5K views
Low-level 3DS emulator 3Beans released alongside setup tutorial video
When you talk about 3DS emulation, most people would jump to Citra. As the defacto choice since its first release it's seen tremendous success, and even after its... -
4K views
PlayStation State of Play June 2, 2026 broadcast - new God of War announced
A whole hour of PlayStation content is on the way, thanks to the latest State of Play showcase. Headlining the stream will be Marvel's Wolverine, alongside a...
-
-
-
169 replies
Steam Deck gets a major price bump, more than 40% increase for US buyers
With very little in the way of announcement, Valve has today increased the price of the Steam Deck but some fairly considerable margins. Both of the available models... -
163 replies
Twilight Princess PC port "Dusk" gets its first release
It wasn't too long ago we saw our first glimpse of Courage Reborn, another Twilight Princess PC port in the works based on last year's decompilation efforts. With... -
102 replies
Pokemon Platinum PC port gets a surprise release
Seemingly out of nowhere a PC port for Pokemon Platinum has surfaced online, bundled alongside the source code for those interested in building and developing it for... -
92 replies
Sony announces PlayStation Plus price increase for new customers starting May 20
Earlier this year, Sony announced major price increases for the PS5, PS5 Pro, and PlayStation Portal. Now the company is raising prices again, this time for... -
83 replies
Nintendo president Shuntaro Furukawa explains Switch 2 price increases in recent Financial Results Briefing
As a part of their Financial Results Briefing for the previous year, Nintendo president Shuntaro Furukawa took to the floor to answer key questions around the Switch... -
81 replies
What do you want to see in the next Nintendo Direct?
With rumours circulating about a Nintendo Direct in the coming days and weeks, fans are left speculating and hoping as to what might be included. At the centre of all... -
73 replies
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
71 replies
PlayStation State of Play June 2, 2026 broadcast - new God of War announced
A whole hour of PlayStation content is on the way, thanks to the latest State of Play showcase. Headlining the stream will be Marvel's Wolverine, alongside a... -
63 replies
Call of Duty: Modern Warfare 4 to launch on Nintendo Switch 2 in October
For the first time in 13 years, the Call of Duty series will again return to Nintendo's consoles. Set to launch on the 23rd of October, the latest release, Modern... -
54 replies
Pokémon Crystal gets a PC port titled "suiCune" based on C/C++ language
Continuing with the great news of Pokémon Platinum getting a native unofficial PC port just a few days ago, today, yet another classic title from the franchise has...
-
