Homebrew [Question] Please Educate me about A9LH and some things

Zech

OK, I've been spectating this forum for years now but this is my first time posting, because I want to understand some things.

1. I read the A9LH thread but it's not registering in my brain what the hell it is. I have EmuNAND 10.6 with ReiNAND 3.3. I want to fully understand what it can do and what the difference is, like pros and cons. And how does A9LH work?

2. Is it possible to change the clock on ReiNAND like what I saw with NTR? I'm not able to get NTR working on 10.6.

3. What does the EmuNAND9 tool really do? I managed to hack my 3DS by just following instructions without understanding them. So, in my understanding, EmuNAND9 formats my card. But for what purpose?
 

Omegablu

1. A9LH is a modification of SysNAND that allows control of the 3DS seconds after boot. Think of menuhax, but more powerful. Pros: fast boot time, recovery of some bricked SysNANDs. Cons: takes time to set up, and the setup can be dangerous.

2. I don't think so. If you use an old enough firmware.bin file then NTR will work in ReiNAND. 9.6 firm is the right one, I think; the AuReiNAND thread has the NTR-compatible file.

3. EmuNAND9 is a really helpful tool in regards to backing up and restoring your NANDs in case of bricks etc. (it won't fix a bricked SysNAND though, unless you have A9LH). The reason it formatted your SD card was to create a partition for EmuNAND on the SD.
 

daxtsu

> OK, I've been spectating this forum for years now but this is my first time posting, because I want to understand some things.
>
> 1. I read the A9LH thread but it's not registering in my brain what the hell it is. I have EmuNAND 10.6 with ReiNAND 3.3. I want to fully understand what it can do and what the difference is, like pros and cons. And how does A9LH work?

Wall of text incoming. I don't know absolutely every step, but this is how I understand it so far; beware of some technical jargon. I'm not 100% sure on every detail here, so someone like @Mrrraou or @Selver can help fill in the gaps I missed; this is just how I understand it, as I said.

To explain what it is and how it works, you have to get into how the entire New 3DS boots, because ARM9LoaderHax hijacks how the 3DS (both old and new) boots from the moment you turn the power on. When you hit the power button, a lot of things are going on in order to take you to the home menu; it's not just "hit the button and the game starts" like the old DS or Game Boy. The 3DS has ROMs (read-only memories) that get executed after the power turns on, one for each CPU (ARM11 and ARM9). After those execute and initialise a few basic things, the ARM9 CPU gets the NAND (sysNAND) ready for reading, and eventually NATIVE_FIRM (which is basically the kernel of the 3DS operating system, as well as a few other things) will be brought into memory from FIRM0, which is the place in the NAND where it's stored (also take note that the New 3DS has a "secret sector", which is how it decrypts FIRM on 9.6+; a key is stored there). If it fails to load for any reason, the ARM9 will try to load NATIVE_FIRM from FIRM1, which is a different area and is there as a fail-safe to prevent bricks (but also note that FIRM1 is smaller than FIRM0, and this is important). Assuming that the system was able to load one of the two NATIVE_FIRMs, it then lets the ARM9Loader take over, which decrypts some things and then brings up the ARM11 so that the 3DS OS can truly start. This is the normal boot process.

Now that that's established, here's ARM9LoaderHax. The process begins the same, but instead of executing as normal, garbage was installed into the secret sector in order to make Kernel9 (this is the code that usually runs on the ARM9, if I'm not mistaken) decrypt to garbage. This garbage is specially crafted so that it jumps to our code just after the bootROMs finish executing. Since the bootROM can't decrypt FIRM0, it panics and then goes to FIRM1 to see if it can salvage the boot. FIRM1 is left intact on purpose, so that it can be loaded into the place where FIRM0 would've been. But since it's smaller, not everything is overwritten from where FIRM0 was (and FIRM0 has some of our code written into the end of it). Since the secret sector is decrypting things to garbage, FIRM1 also fails, and it ends up taking us right at the end of where FIRM0 was (which is where ARM9LoaderHax begins). A9LH will then look for a payload on the SD card and then allow that payload to do whatever it wants (typically, boot a CFW, or run a recovery mode like Decrypt9).
 
Last edited by daxtsu,
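As an added illustration (not from the post above or from any 3DS project), a toy Python model of the FIRM0/FIRM1 fallback that daxtsu describes: a smaller fallback image loaded into the same region as a larger, failed first image leaves the tail of the first image in place, and the model also shows the defensive fix of clearing the region before each attempt. Region size, image sizes, the TAIL marker and the verify() stand-in for "decrypt and check" are all constructed; nothing here models real 3DS layouts or keys.

```python
"""Toy model of a two-slot firmware fallback and the stale-tail defect.

Constructed example: one fixed-size load region, FIRM0 larger than FIRM1.
The loader tries FIRM0 first and, on failure, loads FIRM1 into the same
region. If the region is not cleared in between, bytes of FIRM0 beyond
the end of FIRM1 survive. All sizes and contents are made up.
"""

REGION_SIZE = 64                      # assumed load-region size (constructed)
FIRM0 = b"F0" * 28 + b"TAIL"          # 60 bytes; "TAIL" marks the end of FIRM0
FIRM1 = b"F1" * 20                    # 40 bytes; the smaller fallback image


def verify(image: bytes, key_sector_ok: bool) -> bool:
    """Stand-in for 'decrypt and check'.

    Succeeds only when the key material (the model's 'secret sector') is
    intact and the image carries a recognised marker.
    """
    return key_sector_ok and image.startswith((b"F0", b"F1"))


def boot(firm0: bytes, firm1: bytes, key_sector_ok: bool,
         clear_between: bool) -> dict:
    """Try FIRM0, then FIRM1; report which booted and whether FIRM0's tail survived."""
    region = bytearray(REGION_SIZE)
    attempts = []
    for name, image in (("FIRM0", firm0), ("FIRM1", firm1)):
        if clear_between:
            region[:] = bytes(REGION_SIZE)   # hardened: never trust stale contents
        region[:len(image)] = image
        if verify(image, key_sector_ok):
            return {"booted": name, "stale_tail": False,
                    "attempts": attempts + [name]}
        attempts.append(name)
    # Both attempts failed: inspect what is left past the end of the last image.
    leftover = bytes(region[len(firm1):len(firm0)])
    return {"booted": None, "stale_tail": b"TAIL" in leftover,
            "attempts": attempts}


if __name__ == "__main__":
    print("intact key sector   :", boot(FIRM0, FIRM1, True, False))
    print("bad key, no clearing:", boot(FIRM0, FIRM1, False, False))
    print("bad key, clearing   :", boot(FIRM0, FIRM1, False, True))
```

With an intact key sector FIRM0 boots normally; with a bad key sector and no clearing, both images fail and the TAIL bytes of FIRM0 are still in the region, while the clearing variant fails cleanly with nothing left behind.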

Mrrraou

> Now that that's established, here's ARM9LoaderHax. The process begins the same, but instead of executing as normal, garbage was installed into the secret sector in order to make NATIVE_FIRM decrypt to garbage. This garbage is specially crafted so that it jumps to our code just after the bootROMs finish executing. Since the bootROM can't decrypt FIRM0, it panics and then goes to FIRM1 to see if it can salvage the boot. FIRM1 is left intact on purpose, so that it can be loaded into the place where FIRM0 would've been. But since it's smaller, not everything is overwritten from where FIRM0 was (and FIRM0 has some of our code written into the end of it). Since the secret sector is decrypting things to garbage, FIRM1 also fails, and it ends up taking us right at the end of where FIRM0 was (which is where ARM9LoaderHax begins). A9LH will then look for a payload on the SD card and then allow that payload to do whatever it wants (typically, boot a CFW, or run a recovery mode like Decrypt9).

It's not NATIVE_FIRM which is decrypted to garbage, but Kernel9, which is decrypted by the ARM9Loader.
 

Zech

> To add to the person above, you can get NTR working if you use the 10.2 firm ^^

Where do I place the 10.2 firm on the SD card? And where can I get the file? (If allowed)

--------------------- MERGED ---------------------------

> I have only one suggestion for you. Never lose your otp file. Make several backup copies of it.

What is an OTP file? Sorry, I'm not really good at the jargon of 3DS hacking.
 

Mazamin

> Where do I place the 10.2 firm on the SD card? And where can I get the file? (If allowed)

You can find that file on that ISO site (not allowed to mention the site's name).

--------------------- MERGED ---------------------------

> What is an OTP file? Sorry, I'm not really good at the jargon of 3DS hacking.

It's a one time pad, a file unique to your console, needed to install A9LH.
 

Zech

> 1. A9LH is a modification of SysNAND that allows control of the 3DS seconds after boot. Think of menuhax, but more powerful. Pros: fast boot time, recovery of some bricked SysNANDs. Cons: takes time to set up, and the setup can be dangerous.
>
> 2. I don't think so. If you use an old enough firmware.bin file then NTR will work in ReiNAND. 9.6 firm is the right one, I think; the AuReiNAND thread has the NTR-compatible file.
>
> 3. EmuNAND9 is a really helpful tool in regards to backing up and restoring your NANDs in case of bricks etc. (it won't fix a bricked SysNAND though, unless you have A9LH). The reason it formatted your SD card was to create a partition for EmuNAND on the SD.

It's good you mentioned that the process of setting up A9LH is dangerous. I think I can't afford the risk right now. Also, I remember soft-bricking my brand-new, out-of-the-box N3DS with 9.9. And man, my heart was really pounding like hell. Luckily I was able to successfully downgrade it with SafeSysDowngrader.

--------------------- MERGED ---------------------------

> You can find that file on that ISO site (not allowed to mention the site's name).

--------------------- MERGED ---------------------------

> It's a one time pad, a file unique to your console, needed to install A9LH.

Is this the same as nand.bin, or different? If yes, what tool do I use to extract the OTP file?

--------------------- MERGED ---------------------------

> Wall of text incoming. I don't know absolutely every step, but this is how I understand it so far; beware of some technical jargon. I'm not 100% sure on every detail here, so someone like @Mrrraou or @Selver can help fill in the gaps I missed; this is just how I understand it, as I said.
>
> To explain what it is and how it works, you have to get into how the entire New 3DS boots, because ARM9LoaderHax hijacks how the 3DS (both old and new) boots from the moment you turn the power on. When you hit the power button, a lot of things are going on in order to take you to the home menu; it's not just "hit the button and the game starts" like the old DS or Game Boy. The 3DS has ROMs (read-only memories) that get executed after the power turns on, one for each CPU (ARM11 and ARM9). After those execute and initialise a few basic things, the ARM9 CPU gets the NAND (sysNAND) ready for reading, and eventually NATIVE_FIRM (which is basically the kernel of the 3DS operating system, as well as a few other things) will be brought into memory from FIRM0, which is the place in the NAND where it's stored (also take note that the New 3DS has a "secret sector", which is how it decrypts FIRM on 9.6+; a key is stored there). If it fails to load for any reason, the ARM9 will try to load NATIVE_FIRM from FIRM1, which is a different area and is there as a fail-safe to prevent bricks (but also note that FIRM1 is smaller than FIRM0, and this is important). Assuming that the system was able to load one of the two NATIVE_FIRMs, it then lets the ARM9Loader take over, which decrypts some things and then brings up the ARM11 so that the 3DS OS can truly start. This is the normal boot process.
>
> Now that that's established, here's ARM9LoaderHax. The process begins the same, but instead of executing as normal, garbage was installed into the secret sector in order to make Kernel9 (this is the code that usually runs on the ARM9, if I'm not mistaken) decrypt to garbage. This garbage is specially crafted so that it jumps to our code just after the bootROMs finish executing. Since the bootROM can't decrypt FIRM0, it panics and then goes to FIRM1 to see if it can salvage the boot. FIRM1 is left intact on purpose, so that it can be loaded into the place where FIRM0 would've been. But since it's smaller, not everything is overwritten from where FIRM0 was (and FIRM0 has some of our code written into the end of it). Since the secret sector is decrypting things to garbage, FIRM1 also fails, and it ends up taking us right at the end of where FIRM0 was (which is where ARM9LoaderHax begins). A9LH will then look for a payload on the SD card and then allow that payload to do whatever it wants (typically, boot a CFW, or run a recovery mode like Decrypt9).

Thank you so much! This is the type of explanation that I'm looking for :) I'm no hacker, but I'm the type who wants to understand how things work. I just want to know the logic behind it and get the idea.
 

daxtsu

> Thank you so much! This is the type of explanation that I'm looking for :) I'm no hacker, but I'm the type who wants to understand how things work. I just want to know the logic behind it and get the idea.

No problem. It's about as close to BootMii (a very similar exploit on the old Wii) as we can get.
 

Selver

> 1. I read the A9LH thread but it's not registering in my brain what the hell it is. I have EmuNAND 10.6 with ReiNAND 3.3. I want to fully understand what it can do and what the difference is, like pros and cons. And how does A9LH work?

Hi Zech, full details are kept on the ARM9Loader -- Technical Discussion thread. I strongly recommend that as a starting point; it's got multiple walls of text. :)

@daxtsu gave a reasonable overview. I also highly recommend the video from December (also linked in that first post)... It describes in great pictures the boot process of the N3DS.
 

Selver

> It's not NATIVE_FIRM which is decrypted to garbage, but Kernel9, which is decrypted by the ARM9Loader.

Thanks, Mrrraou -- you are right that this distinction can greatly clarify things. I've updated the other thread's posts to reflect this. :)
 