Hacking 3ds.guide explanation

Uumas

This thread is trying to explain exactly what each step in https://3ds.guide/ does. This is NOT a guide, but something to help people who are interested in understanding what all the things are. There will probably be some mistakes in it, so please tell me if you notice wrong information or have other ideas on how to make this thread better. I will credit everyone.

Terms used:
nand = 3ds internal memory
downgrade = installing lower version system titles (opposite of update)
a9lh = arm9loaderhax
arm11 = the 3ds main cpu
arm9 = the 3ds security cpu
cfw = custom firmware
arm9 payload = executable file which can be launched by the arm9 processor (SafeCTRTransfer, GodMode9 etc.)
CIA = CTR Importable Archive (CTR is the 3ds model name. Usually CIAs are installed to the home menu, for example all installable games, FBI, even the home menu itself)

What you need
  • The Homebrew Starter Kit includes Homebrew Launcher, which is used to launch .3dsx executable files by having arm11 userland access, and some .3dsx executables
  • Soundhax is the arm11 userland exploit which launches the boot.3dsx executable, which is usually Homebrew Launcher
  • The otherapp payload is a payload file that uses ROP mechanics to bypass Data Execution Prevention and achieve arm11 userland access
Instructions

1.-7. Putting the files to the correct locations on your sd card
8.-11. Launching the homebrew launcher
What you need
  • 2.1.0 CTRTransfer image is a ctrnand partition dumped from another 3ds to overflash the current ctrnand partition. This is needed to get your 3ds' unique OTP file which is required to install a9lh
  • SafeCTRTransfer will install the CTRTransfer image to your 3ds
  • safehax is an arm9 exploit needed to gain arm9 code execution to launch SafeCTRTransfer and achieve NAND read/write access
  • udsploit is an arm11 kernel exploit which is needed by safehax
Instructions

Section I - Prep Work: Putting the files to the correct locations on your sd card

Section II - Launch SafeCTRTransfer
  1. Launching udsploit achieves arm11 kernel access
  2. Get back to homebrew launcher
  3. Launching safehax will allow arm9 access
Section III - CTRTransfer
  1. SafeCTRTransfer will make sure you have done everything correctly and there are no other problems that could brick your 3ds
  2. SafeCTRTransfer will make a backup of your nand for restoring it later and install the 2.1 nand
  3. The newer home menu data on your sd isn't compatible with 2.1 and that's why the sd card needs to be taken out before booting
What you need
  • aeskeydb.bin contains the private AES keys
  • data_input_v3.zip contains secret_sector.bin and firm0/firm1
  • SafeA9LHInstaller installs a9lh
  • arm9loaderhax is a persistent low level system exploit, exploiting a flaw in the console's arm9loader to produce a garbage kernel entrypoint using a bruteforced key which will let the arm9loader jump to a user placed arm9 executable file and launch it (arm9loaderhax.bin). In this case it's Luma.
  • Luma3DS is a signature patcher, which patches the system's signature checks to allow the installation of unsigned titles and also patches a lot more stuff, for example the syscall that overwrites firm0/firm1 at system update. Said syscall will return true without having performed its action, leaving our haxx payload secured on top of firm0. For a list of features check this and this
  • hblauncher_loader is an application that achieves an arm11 userland exploit using ROP and launches a .3dsx executable file (Homebrew Launcher)
  • GodMode9 is an AIO encryption/decryption tool that can access any partition on the system's nand and read / write (not all) from/to them
  • Luma3DS Updater is an application that replaces the arm9loader.bin payload using one of the current luma payloads
  • FBI is an application that manages titles, by taking advantage of the arm11 kernel
  • The Old 3DS 11.2.0-35 otherapp payload is needed because Aurora Wright (Luma3ds developer) simply used the best working ROP payload to gain arm11 userland by the hbl loader cia and implemented that into luma
Instructions

Section I - Prep Work
2. Backup your nand backup, so that you have it if you manage to brick your 3ds
3.-18. Putting the files to the correct locations on your sd card

Section II - Installing arm9loaderhax

  1. self-explanatory
  2. to be able to get the OTP file
  3. web exploit to achieve arm9 kernel access to launch the safea9lhinstaller payload
  4. SafeA9LHInstaller is now launched
  5. it will now dump your OTP to the /a9lh/ folder and flash the haxx payload on top of the console's firm0 partition (writes the haxx payload on top of firm0 to trigger the flaw in the arm9loader which causes said loader to jump to our arm9 payload (arm9loaderhax.bin))
  6.-9. Backing up your OTP for future use (Might not be needed, but better safe than sorry)
Section III - Configuring Luma3DS
  1. a9lh is now installed and every time the 3ds is booted it loads arm9loaderhax.bin from the root of the sd. For us, it is Luma3ds. By holding select, Luma will launch its configuration menu instead of trying to launch the home menu
  2. Autoboot SysNAND will make sure Luma doesn't try to boot an emunand from sd card. Use SysNAND FIRM if booting with R will make sure Luma doesn't try to boot emunand firm from sd even if holding R while boot. Show NAND or user string in System Settings will make the version in system settings show Sys instead of Ver. This doesn't really matter
  3. You'll get black screen or error, because Luma doesn't support 2.1 nfirm.
Section IV - Restoring the System
  1. The chainloader menu allows you to boot to some other arm9 payload instead of the firmware
  2. GodMode9 is used to restore your system to the version it was on before starting the guide
  3. The Nand backup is stored there
  4. This will restore the Nand backup without overwriting a9lh
  5. This is a security measure to make sure you don't accidentally make modifications
  6. The Nand backup is now restored
  7. You'll now be where you started with a9lh
  8. self-explanatory
  9. Luma needs these files to support versions 3 and 4.5
  10. This will update normally.
Section V - Injecting FBI
  1. Going to GodMode9 again
  2. This time we'll replace the stock Health & Safety .app with FBI's .app file, which exchanges the application's core (essentially replaces H&S with FBI)
  3. FBI is there
  4. This will mount the FBI cia so that you can see the contents of it
  5. This app file is the actual FBI
  6. This is a security measure to make sure you don't accidentally make modifications
  7. Health & Safety is now FBI
Section VI - Installing CIAs
  1. We'll use FBI to install FBI, hblauncher_loader and lumaupdater
  2. The cias are there
  3.-4. Will install all 3 of the cias at once
Section VII - Restore Health and Safety
  1. Going to GodMode9 once again
  2. Now we'll restore stock Health & Safety's .app file and copy Luma3ds's arm9 payload to the root of the ctrnand partition
  3. Nothing to explain
  4. Same as above
  5. This will restore it
  6. Explained twice already
Section VIII - CTRNAND Luma3DS
  1. Luma is there
  2. This will copy luma to clipboard
  3. -
  4.-6. By copying Luma there, Luma will be loaded from there when your sd card isn't inserted. Otherwise the 3ds couldn't boot without sd card
7.-10. This way you get to the CTRNAND Luma configuration.
11. We only enable one option, because without sd there couldn't even be emunand.

Credits:
3dbrew for a lot of information
@Plailect for the guide
@Dionicio3 for correcting me about cias
@PabloMK7 for correcting me about arm9 payloads
@addi33 for giving better explanations for many things (Post #8)

Acrux

Very helpful when noobs like me just start getting into hacking and see those terms but don't know what they exactly mean lol^_^.

Uumas

CIA = CTR Importable Archive ( NOT 3ds App)
CTR = Nintendo 3DS Unit Model Name
Importable = something that can be injected into something else
Archive = (in this case) Compressed files

=

CIA = CTR Importable Archive = Nintendo 3DS compatible, injectable bunch of compressed files.

xD
Yes, I know, but couldn't find a way to explain it understandably. That's what they basically are after all. If someone can think of a way to explain it shortly so anyone would understand, please let me know.
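What the "importable archive" actually contains, as an added example that is not from the thread or from 3ds.guide: a small parser for the CIA header that lists the sections (certificate chain, ticket, TMD, contents, meta) and checks that the header agrees with the file before any offset in it is trusted. The field offsets follow the public 3dbrew layout, which the thread does not spell out, so they are an assumption here; the sample file is constructed filler, not a real title.

```python
import struct

# CIA = CTR Importable Archive: a container holding a certificate chain, a
# ticket, a TMD and the contents, each section 0x40-aligned after a
# 0x2020-byte header. Offsets below follow the public 3dbrew description and
# are an assumption of this added example; the thread itself does not give them.
HEADER_FMT = "<IHHIIIIQ"   # hdr size, type, version, cert, ticket, tmd, meta (u32), content (u64)
HEADER_SIZE = 0x2020
CONTENT_INDEX_OFF = 0x20
CONTENT_INDEX_LEN = 0x2000
ALIGN = 0x40
SECTION_ORDER = ("cert_chain", "ticket", "tmd", "content", "meta")


def align_up(n, a=ALIGN):
    return (n + a - 1) // a * a


def parse_cia_header(data):
    """Return type, version, present content indices and (offset, size) per section.

    Raises ValueError when the header is inconsistent with the file, which is the
    sanity check an installer wants before it follows any offset from the header.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a CIA header")
    hdr_size, typ, ver, cert, ticket, tmd, meta, content = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != HEADER_SIZE:
        raise ValueError(f"unexpected header size 0x{hdr_size:x}")
    index = data[CONTENT_INDEX_OFF:CONTENT_INDEX_OFF + CONTENT_INDEX_LEN]
    # Bit i of the index (most significant bit first) marks content i as present.
    present = [i for i in range(CONTENT_INDEX_LEN * 8) if index[i // 8] & (0x80 >> (i % 8))]
    sizes = dict(zip(SECTION_ORDER, (cert, ticket, tmd, content, meta)))
    sections, off = {}, align_up(HEADER_SIZE)
    for name in SECTION_ORDER:
        sections[name] = (off, sizes[name])
        off = align_up(off + sizes[name])
    end = sections["meta"][0] + sizes["meta"]
    if len(data) < end:
        raise ValueError(f"header claims 0x{end:x} bytes but file has 0x{len(data):x}")
    return {"type": typ, "version": ver, "present_contents": present, "sections": sections}


def build_sample_cia(cert, ticket, tmd, content, meta=0, content_ids=(0,)):
    """Construct a dummy CIA with the given section sizes (filler bytes, not real data)."""
    index = bytearray(CONTENT_INDEX_LEN)
    for i in content_ids:
        index[i // 8] |= 0x80 >> (i % 8)
    out = bytearray(struct.pack(HEADER_FMT, HEADER_SIZE, 0, 0, cert, ticket, tmd, meta, content))
    out += index
    for marker, size in zip(b"CTMDX", (cert, ticket, tmd, content, meta)):
        out += b"\0" * (align_up(len(out)) - len(out))   # pad to the 0x40 boundary
        out += bytes([marker]) * size
    return bytes(out)


# Constructed sample: typical sizes for the cert chain (0xA00), ticket (0x350)
# and a one-content TMD (0xB34), with a 0x100-byte dummy content and no meta.
SAMPLE = build_sample_cia(0xA00, 0x350, 0xB34, 0x100)

if __name__ == "__main__":
    info = parse_cia_header(SAMPLE)
    for name, (off, size) in info["sections"].items():
        print(f"{name:10s} offset 0x{off:05x} size 0x{size:x}")
    print("contents present:", info["present_contents"])
```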

adrifcastr

@Uumas I think I managed to fix your crappy explanations

Terms used:
nand = 3ds internal memory
downgrade = installing lower version system titles
a9lh = arm9loaderhax
arm11 = the 3ds main cpu
arm9 = the 3ds security cpu
cfw = custom firmware
arm9 payload = executable file which can be launched by the arm9 processor.
cia = CTR Importable Archive


  • The Homebrew Starter Kit includes the Homebrew Launcher which is used to launch .3dsx executable files by having arm11 userland access
  • Soundhax is the arm11 userland exploit which launches the boot.3dsx executable
  • The otherapp payload is a payload file using ROP mechanics to bypass the Data Execution prevention and achieve arm11 userland access

  • 2.1.0 CTRTransfer image is a ctrnand partition dumped from another 3ds to overflash the current ctrnand partition
  • This is needed to get your 3ds' unique OTP file, which is required to install a9lh
  • SafeCTRTransfer will install the CTRTransfer image to your 3ds
  • safehax is an arm9 exploit needed to gain arm9 code execution to launch SafeCTRTransfer and achieve NAND R/W access
  • udsploit is an arm11 kernel exploit which is needed by safehax

  1. Launching udsploit achieves arm11 kernel access
  2. Get back to homebrew launcher
  3. Launching safehax will achieve arm9 access

  • aeskeydb.bin contains the private AES keys
  • data_input_v3.zip contains secret_sector.bin plus firm0/firm1
  • arm9loaderhax is a persistent low level system exploit, exploiting a flaw in the console's arm9loader to produce a garbage kernel entrypoint using a bruteforced key which will let the arm9loader jump to a user placed arm9 executable file and launch it
  • Luma3DS is a signature patcher, which patches the system's signature checks to allow the installation of unsigned titles and also patches a lot more stuff, for example the syscall that overwrites firm0/firm1 at system update. Said syscall will return true without having performed its action, leaving our haxx payload secured on top of firm0
  • hblauncher_loader is an application that achieves an arm11 userland exploit using ROP and launches a .3dsx executable file
  • GodMode9 is an AIO encryption/decryption tool that can access any partition on the system's nand and read / write (not all) from/to them
  • Luma3DS Updater is an application that replaces the arm9loader.bin payload using one of the current luma payloads
  • FBI is an application that manages titles, by taking advantage of the arm11 kernel
  • The Old 3DS 11.2.0-35 otherapp payload is needed because Aurora Wright simply used the best working ROP payload to gain arm11 userland by the hbl loader cia and implemented that into luma

Section II - Installing arm9loaderhax

1. web exploit to achieve arm9 kernel access to launch the safea9lhinstaller payload
3. it will now dump your OTP to the /a9lh/ folder and flash the haxx payload on top of the console's firm0 partition (writes the haxx payload on top of firm0 to trigger the flaw in the arm9loader which causes said loader to jump to our arm9 payload (arm9loaderhax.bin))

Section III - Configuring Luma3DS

You'll get black screen or error, because Luma doesn't support 2.1 nfirm

Section IV - Restoring the System

  1. The chainloader menu allows you to boot to some other arm9 payload instead of the firmware
Section V - Injecting FBI
  1. Going to GodMode9 again
  2. This time we'll replace the stock Health & Safety .app with FBI's .app file, which exchanges the application's core
Section VII - Restore Health and Safety
  1. Going to GodMode9 once again
  2. Now we'll restore stock Health & Safety's .app file and copy Luma3ds's arm9 payload to the root of the ctrnand partition

Majickhat55

While I think things like this may be useful, too many of you go into way too much detail when it comes to explaining vs in layman's terms. If you're going to make an explanation post, you need to do it in a way that's not going to lead to more confusion. I.e. they don't need to know how it works, only what it can/can't do and why they may or may not have a use for it.

It's starting to get to the point where when half of you are trying to help the noobs you make it worse by confusing them further. Most of them have no idea what you're talking about, nor do they care. They only want to know what things do, and how they can use them. Telling them about the Arm9 sys protocols and how they work is doing nothing. Sorry I used your post as a vent, BUT it's getting to the point where every other post ends up in "dev talk" as I call it, vs trying to explain things in the simplest way for the majority to understand.

Uumas

While I think things like this may be useful, too many of you go into way too much detail when it comes to explaining vs in laymans terms. If you're going to make an explanation post, you need to do it in a way that's not going to lead to more confusion. I.e. They don't need to know how it works, only what it can/can't do and why they may or may not have a use for it.

It's starting to get to the point where when half of you are trying to help the noobs you make it worse by confusing them further. Most of them have no idea what you're talking about, nor do they care. They only want to know what things do, and how they can use them. Telling them about the Arm9 sys protocols and how they work is doing nothing. Sorry I used your post as a vent, BUT it's getting to the point where every other post ends up in "dev talk" as I call it, vs trying to explain things in the simplest way for the majority to understand.
I said in the beginning of the OP that this is for people who are interested

Majickhat55

You know, like instead of saying things like NAND = 3DS internal memory, you can say NAND = System OS / EmuNAND = Copy of System OS. See? Now people know what you mean, regardless of whether they understand what it is and how it works. That isn't necessary if they aren't asking for more detail, and while it may not be the exact definition (Sig Patcher vs CFW) it's understood as the same thing by noobs in the community.

--------------------- MERGED ---------------------------

I said in the beginning of the OP that this is for people who are interested
Alright well, in that case your explanations were too bare bones to explain anything. Why not go into full detail about what they are, what they do, and how they work vs saying "this is this, that is that"?

GerbilSoft

You know like instead of saying things like NAND = 3DS internal memory, you can say NAND = System OS/ EmuNAND = Copy of System OS. See?
Except that's wrong. The 3DS NAND *is* the internal memory. The system itself calls it "System Memory".

NAND = internal memory. This is where the OS and important files are located.
EmuNAND = copy of NAND located on the SD card.

Uumas

The thing is you can either explain it in a very easy to understand way or exactly correct way. I have decided to go with correct, but if anyone wants to do one that's easier to understand, I have nothing against that

Majickhat55

Except that's wrong. The 3DS NAND *is* the internal memory. The system itself calls it "System Memory".

NAND = internal memory. This is where the OS and important files are located.
EmuNAND = copy of NAND located on the SD card.
I never said it was correct in those terms, yes it IS the internal memory but the OS is still installed to the NAND so for noobs' sake they CAN be considered the same as the OS. That's the point I was making. Also same reason why I compared it to the sig patcher/CFW argument. Splitting hairs for the sake of it isn't helping noobs. If the thread's purpose was to explain in detail, it didn't do that well either. Sorry, I'm just confused on the target audience of this post....

gnmmarechal

A CTR Importable Archive is an importable/installable package for the 3DS. That is all it is. I believe that is a more accurate explanation.

I never said it was correct in those terms, yes it IS the internal memory but the OS is still installed to the NAND so for noobs sake they CAN be considered the same as the OS. That's the point I was making. Also same reason why I compared it to the sig patcher/CFW argument. Splitting hairs for the sake of it, isn't helping noobs. If the threads purpose was to explain in detail, it didn't do that well either. Sorry I'm just confused on the target audience of this post....

No, it can't. You can't teach noobs wrong definitions just because they're noobs.

Majickhat55

a CTR Importable Archive is an importable/installable package for the 3DS. That is all it is. I believe that is more accurate of an explanation.

No, it can't. You can't teach noobs wrong definitions just because they're noobs.
It's not wrong per se, the OS is installed to the NAND which is the internal memory. Regardless, a noob is going to understand it AS the OS, and nothing more. If they were more curious or tech savvy, they may be interested further. To help a noob you have to think like one, half of them don't even know what the root of their SD card is, I don't expect them to care one way or the other. That's why I was asking. As long as they know what things DO, and what they can do with them, very little care about the how. So no, I wasn't saying give misinformation on purpose, I was saying give half-information until they understand enough to go into full detail.

Majickhat55

I was just saying, most people just use things, they don't care how they work. It's better to call a cottonmouth a snake rather than Agkistrodon piscivorus and expect people to know what you're talking about.

vinstage

I never said it was correct in those terms, yes it IS the internal memory but the OS is still installed to the NAND so for noobs sake they CAN be considered the same as the OS. That's the point I was making. Also same reason why I compared it to the sig patcher/CFW argument. Splitting hairs for the sake of it, isn't helping noobs. If the threads purpose was to explain in detail, it didn't do that well either. Sorry I'm just confused on the target audience of this post....
You can't teach noobs wrong terms because they're noobs. That literally defies the purpose of this thread, helping them understand, not teaching them wrong things.
If you teach someone something that's wrong then, what's the point of teaching them at all?
The target audience is well met imo, and it helps clear up some definitions on what certain items are. Also, it states for people interested... some people will only want to follow the guide and use their CFW, others may want to understand it a little more. Teaching them something wrong isn't going to help that from my perspective.
