Arm9LoaderHax is the ultimate 3DS Hax. With it, you get instant full system control, even before the kernel loads, so you can do almost anything you want. This is even more powerful than a kernel exploit as most system protections haven't been loaded yet.
However, it's extremely complicated, especially the setup process. That's why I'm creating this Q&A thread to answer a few common questions about this exploit.
Q: Why can't I dump my OTP on firmware >2.1?
A: In versions 1.0 to 2.2, Nintendo decided to keep the OTP area locked by the kernel, presumably under the assumption that hackers would never get kernel control. When 3.0 was being developed, someone on the security team wised up* and realized that hackers would, eventually, get kernel control. That employee's answer was CFG_SYSPROT9.
Q: What's CFG_SYSPROT9?
A: CFG_SYSPROT9 is a configuration register that runs immediately after boot. In versions 1.0 to 2.2, it was only used to lock the arm9 bootrom. However, in versions 3.0 and beyond, it's also used to lock the OTP. We can't just unlock the OTP region, as this config can't be set again while the console is running.
Q: Why can't I use arm9loaderhax to get my OTP if I lose it?
A: Though arm9loader runs immediately after boot, it, unfortunately, runs RIGHT AFTER CFG_SYSPROT9. Therefore, we just missed the cutoff.
Q: Say, why not use version 2.2?
A: It's not exploitable using any known kernel exploit.
Q: Wait, so what kernel exploit did we use on 2.1?
A: It's called 2xrsa, and if anyone would give me some info on it I would appreciate it. No, 3dbrew didn't help.
Q: How do we dump the OTP on 2.1?
A: Because Nintendo kept the OTP region locked via the arm9 kernel by taking over the kernel with the kernel exploit 2xrsa, we can dump the OTP.
Q: How does arm9loaderhax work?
A: Black magic.**
Q: Why can't I dump my OTP from emuNAND?
A: This is a very good question. So the OTP region is locked by CFG_SYSPROT9 right? So why wouldn't downgrading emuNAND to 2.1 work? Here's why: While we boot emuNAND, emuNAND doesn't lock the OTP region. Right? Right. But it doesn't need to, because by the time we got code execution and booted emuNAND, the OTP was already locked by sysNAND. So why not just dump the emuNAND's OTP? Think about that for a minute.***
*Apparently for the only time ever.
**Go watch the 32c3 conference. It's really out of my league to explain anyway.
***If we dumped the OTP along with the rest of emuNAND, we could just extract it from the emuNAND file. Furthermore, if we could dump the OTP for emuNAND, we could just dump it period and skip the whole process.
Anyway, I hope this answered a few questions about arm9loaderhax.
*Insert closing here*
Thanks to @Asia81, @ScarletKohaku & @SomeGamer for some cleanup!
(Requesting a mod to correct the space in the 'this' in the poll and move the thread to the tutorial question.)
However, it's extremely complicated, especially the setup process. That's why I'm creating this Q&A thread to answer a few common questions about this exploit.
Q: Why can't I dump my OTP on firmware >2.1?
A: In versions 1.0 to 2.2, Nintendo decided to keep the OTP area locked by the kernel, presumably under the assumption that hackers would never get kernel control. When 3.0 was being developed, someone on the security team wised up* and realized that hackers would, eventually, get kernel control. That employee's answer was CFG_SYSPROT9.
Q: What's CFG_SYSPROT9?
A: CFG_SYSPROT9 is a configuration register that runs immediately after boot. In versions 1.0 to 2.2, it was only used to lock the arm9 bootrom. However, in versions 3.0 and beyond, it's also used to lock the OTP. We can't just unlock the OTP region, as this config can't be set again while the console is running.
Q: Why can't I use arm9loaderhax to get my OTP if I lose it?
A: Though arm9loader runs immediately after boot, it, unfortunately, runs RIGHT AFTER CFG_SYSPROT9. Therefore, we just missed the cutoff.
Q: Say, why not use version 2.2?
A: It's not exploitable using any known kernel exploit.
Q: Wait, so what kernel exploit did we use on 2.1?
A: It's called 2xrsa, and if anyone would give me some info on it I would appreciate it. No, 3dbrew didn't help.
Q: How do we dump the OTP on 2.1?
A: Because Nintendo kept the OTP region locked via the arm9 kernel by taking over the kernel with the kernel exploit 2xrsa, we can dump the OTP.
Q: How does arm9loaderhax work?
A: Black magic.**
Q: Why can't I dump my OTP from emuNAND?
A: This is a very good question. So the OTP region is locked by CFG_SYSPROT9 right? So why wouldn't downgrading emuNAND to 2.1 work? Here's why: While we boot emuNAND, emuNAND doesn't lock the OTP region. Right? Right. But it doesn't need to, because by the time we got code execution and booted emuNAND, the OTP was already locked by sysNAND. So why not just dump the emuNAND's OTP? Think about that for a minute.***
*Apparently for the only time ever.
**Go watch the 32c3 conference. It's really out of my league to explain anyway.
***If we dumped the OTP along with the rest of emuNAND, we could just extract it from the emuNAND file. Furthermore, if we could dump the OTP for emuNAND, we could just dump it period and skip the whole process.
Anyway, I hope this answered a few questions about arm9loaderhax.
*Insert closing here*
Thanks to @Asia81, @ScarletKohaku & @SomeGamer for some cleanup!
(Requesting a mod to correct the space in the 'this' in the poll and move the thread to the tutorial question.)
Last edited by Swiftloke,
