Hacking 3DS Injector

[zoogie]

This is a nice new CFW-ish thing from our good friend @yifan_lu (GW ultra reversing, spider3dstools). Obviously, don't install this unsigned module to sysnand or you'll likely brick.

Update: Here is a Writeup from the author's blog that explains how things work things nicely. It's in a conversation tone, so even novices might want to give it a read!
Update2: It appears 3ds injector now is part of a larger plan for yifanlu's new cfw!
https://github.com/yifanlu/Cosmo3DS/releases (a fork of reinand!)
http://yifan.lu/2016/03/28/cosmo3ds-the-cfw-nobody-wanted/ (another writeup!)

3DS Loader Replacement

This is an open source implementation of 3DS loader system module--with additional features. The current aim of the project is to provide a nice entry point for patching 3DS modules.

Roadmap
Right now, this can serve as an open-source replacement for the built in loader. There is additional support for patching any executable after it's loaded but before it starts. For example, you can patch menu to skip region checks and have region free game launching directly from the home menu. There is also support for SDMC reading (not found in original loader implementation) which means that patches can be loaded from the SD card. Ultimately, there would be a patch system that supports easy loading of patches from the SD card.

Build
You need a working 3DS build environment with a fairly recent copy of devkitARM, ctrulib, and makerom. If you see any errors in the build process, it's likely that you're using an older version.

Currently, there is no support for FIRM building, so you need to do some steps manually. First, you have to add padding to make sure the NCCH is of the right size to drop in as a replacement. A hacky way is this patch which adds junk data. Play around with the size value to get the NCCH to be the exact same size as the one found in your decrypted FIRM dump.

Once you have a NCCH of the right size, just replace it in your decrypted FIRM and find a way to launch it (for example with ReiNAND).

Note: installation instructions under the "Build" heading in the above readme
https://github.com/yifanlu/3ds_injector
Latest release
https://github.com/yifanlu/3ds_injector/releases

 

[A_Random_Guy]

Woah, any brave soul would care to try this?

 

[DSoryu]

I could try but atm I don't have any out of region content installed on my 3DS.

Someone with A9LH could try easily without fear with a reovery set up.

 

[Shadowtrance]

I'd mess with it but i can't build it because it needs the latest commit makerom which doesn't want to build for me atm (on windows).

 

[zoogie]

I'd mess with it but i can't build it because it needs the latest commit makerom which doesn't want to build for me atm (on windows).

I've already built it you know. Attachment.

 

[Shadowtrance]

I've already built it you know. Attachment.

That doesn't help when i want to mess with stuff in the source before building.

 

[zoogie]

I've updated the OP with the padded version of the loader.
Turns out the patch made by yifanlu is exectly what's needed (9K -> 12K)

You simply overwrite this file where the loader ncch begins in the decrypted firm. (cntl-F "loader" then back up 0x200)
If you used phailect's a9lh guide and aureinand, then the file offsets should be:
old 0x26400
new 0x26600

MD5
firmware.bin old
clean 180d297732415d27ca49e69967eb68b6
patched 5d99ccb9db1a9325b4eadd10d2036df1

firmware.bin new
clean 7512abc6bdfddb2fcf10732888ff81e5
patched d58bf5ce02f1cb4fd631f4bc1adb8bd6

Interestingly new 3ds worked for region free, but old3ds did not. The loader moduledid function at least though. Tested with EUR mario 3d land legit on US consoles.

 

[yifan_lu]

Yeah, I was planning to make a post when it's in a more presentable fashion. It's pretty useless right now--it duplicates Nintendo's code exactly. Also, you need to manually pull the latest version of ctrulib, Project_CTR (makerom), and devkitARM (specifically this patch https://github.com/devkitPro/buildscripts/pull/9) manually to get it to compile. Hopefully by the time everything is done, all the tools will be updated to support it.

The goal of this is to provide a basic framework for creating patches for more than just Kernel11. You can patch processes after the .code is loaded to memory but BEFORE the process runs. So you can, for example, patch home menu to skip region checks or NIM to skip update checks and so on without any hacky linear scan of physical memory or the need to query kernel objects every so often to find new processes and so on. I've tested it on 7.4, 9.2, and 9.6 but it should work on any firmware > 2.x (provided you run it with the right CFW that supports it in emunand). If you have patches, make sure they're for the right FW version.

If you have patches you want to write, please tell me what kind of features you want from such a framework. For example, I will provide a simple search and replace system to load patches like the ones you find in freemultipatcher. I'll also provide support for absolute addresses (you must specify one for each fw version).

 

[yifan_lu]

In terms of help, if anyone can PM me with a complete set decrypted CIAs for FW versions 9.2U, 10.4U, and 10.7U, it would help a lot with testing. Of course I can do it myself, but I would rather waste time programming rather than finding and decrypting stuff.

EDIT: Got it thanks.

 

[zoogie]

In terms of help, if anyone can PM me with a complete set decrypted CIAs for FW versions 9.2U, 10.4U, and 10.7U, it would help a lot with testing. Of course I can do it myself, but I would rather waste time programming rather than finding and decrypting stuff.

n3ds or o3ds?

 

[yifan_lu]

n3ds or o3ds?

Ideally both (just decrypt all the update files) but N3DS if I have to choose.

 

[Asia81]

It's useful for?

 

[Shadowtrance]

In terms of help, if anyone can PM me with a complete set decrypted CIAs for FW versions 9.2U, 10.4U, and 10.7U, it would help a lot with testing. Of course I can do it myself, but I would rather waste time programming rather than finding and decrypting stuff.

Anything us "E" system users can do to help?
Also, with the example patch you added to test, what would need to be changed to work/test on EUR systems? besides the titleID obviously.
As always, great work.

 

[zoogie]

It's useful for?

tl;dr a better way to patch the OS to do cool tricks.

If you want to know more, read the following blog post by Yifanlu just released today:
http://yifan.lu/2016/03/28/3ds-code-injection-through-loader/
It offers a deeper look into 3ds injector's inner workings and how to use it.

 

[Shadowtrance]

Tried the latest one earlier, works a treat for region free. NEARLY got rid of my need for NTR. (out of region dlc still needs NTR stuff to work )

 

[TVL]

tl;dr a better way to patch the OS to do cool tricks.

If you want to know more, read the following blog post by Yifanlu just released today:
http://yifan.lu/2016/03/28/3ds-code-injection-through-loader/
It offers a deeper look into 3ds injector's inner workings and how to use it.

I didn't really get what this was offering, but the stuff mentioned under loaderbased CFWs really sound interesting.

 

[peteruk]

So this one is targeting emunand users only ?

 

[zoogie]

So this one is targeting emunand users only ?

Umm, I wouldn't say that. It should theoretically work for anything that uses firmlaunch. a9lh too.

 

[peteruk]

Umm, I wouldn't say that. It should theoretically work for anything that uses firmlaunch. a9lh too.

thanks, it wasn't 100% clear if sysnand only users were able to use it, appreciate your comment

 

[Shadowtrance]

So this one is targeting emunand users only ?

No, it works with sysnand too. i run it on my updated a9lh n3ds with aureinand.