Hacking 3DS hacking scene history

Pokem

Well-Known Member
OP
Member
Joined
Jul 22, 2016
Messages
1,058
Trophies
0
XP
1,381
Country
United States
Entire history: HUGE thank to Zoogie for writing this.
A Pretty Brief History of the 3ds Hacking/Homebrew Scene

201120122013201420152016201720182019


  1. March
    The 3ds launches in the west and the famous 3dbrew.org wiki site launches in tandem, which would be the main info hub for 3ds RE for the length of the 3ds's lifespan. Most DS mode flashcarts were quickly fixed to run in DS mode on the 3ds. These carts would periodically be patched until firm 7.0, after which, Nintendo gave up worrying about them.

    June
    First 3ds roms dumped

    September
    Crown3ds teases a promising video of a flashcard that would have been the first warez enabling solution for 3ds. What we actually got was an Engrish website forever promising: "We are in progressing ... 72%". A meme was born, and a dream died.

  2. Unknown Month
    It is believed Neimod's hardware RAM dumping and subsequent internal research (#3dsdev/3dbrew.org, yellows8 and friends) lead to the first userland (OOT) and a9 exploits. Teasers like IRC chat logs and the following popped up.
    https://gbatemp.net/threads/3ds-hack-we-hacked-it.339271/

    November
    3ds SOC decapping fundraiser started by 3dsdev insider gshock/jl12 to find out the system's secrets and supposedly get it hacked faster. GBAtemp community raises $2300 before gshock disappears with the money, presumably to a resort in Fiji with Gateway execs.

  3. August
    Gateway released. The 3ds is officially hacked and piracy begins. They continue to be basically the entire "homebrew" scene for the next year and a half. There was, however, some basic arm9 homebrew possible via mset exploit + p3ds (rsaVerifySHA256 a9 sploit), but it was limited to just bare-metal stuff like ram dumpers, Tetris, Pong and the like. It was less impressive than even DS homebrew (and publicly, nobody knew how to properly harness the arm9's power like nowadays).

  4. January
    brickgate/brickway - Infamous scandal where Gateway releases a firm that intentionally bricks user 3ds's that run their software on Gateway clones like R4 gold Deluxe and Orange3DS. Even some legit users get caught up in Gateway's spiderweb of bricks. Gateway did offer to fix those units.

    March
    Citra - first commit. the gold standard of 3ds emulators for the PC is born. Wouldn't really hit its stride until 2016, a testament to how complex a system the 3ds is.

    November

    - Then the Palantine cfw (internally made by yellows8 and others) leak happened, bringing the first free, closed source cfw to the masses. Limitations: 4.5, emunand not updatable, low boot rate, a bitch to install, etc. But it did run cias, and it forced Gateway to add cia support to its flashcard in a panic about a week later.

    - Sky3ds flashcart released. plays clean cart roms on any firmware, but no homebrew, cias, mods, etc. Initial model limited to just 10 non-replaceable games with the manufacturer suggesting 'buy another' if you want more. Pirates consider this theft and whine incessantly. Sky3ds eases its restriction and releases a 'blue button' card without the game limit.

    -Ninjhax userland (1st sane hb environment) and ctrulib make their triumphant, morally-centered debut shortly after "Palantine" cfw.
    Ntr cfw released. A plug-in based a11 kernal cfw that adds many cool features like RAM poking and 3ds -> PC video streaming (added 2016).

  5. January
    Gateway cracks 9.2 and updates its flashcard to the OMEGA series. Genius yifanlu posts detailed blog REing the GW memchunkhax/firmlaunchhax combo and teams like SALT, roxas75, and patois quickly implement it.

    February
    Rxtools released. 1st legit emunand/multi-tool implementation. Anti-piracy.

    May
    Pasta cfw released after sig patches leaked on pastebin (hence the name). Combined with patois open source memchunkhax/firmlaunchhax (brahma) this resulted in the 1st open source cfw. No emunand.

    Rxtools patched with above sig patches by ahp_person (appletinivi). Roxas does not approve, throws fit.

    June

    Roxas gives in, released rxtools source, adds sig patches officially. Quits scene.
    Rxtools goes on to be the "it" cfw for the next several months, despite being kinda sloppily coded and a risk to inexperienced users with its dangerous arm9 power-user features built-in.

    July
    Ninjhax2x released. App takeover, rom hacks, and other nice things too numerous to detail.

    August
    Tubehax - primary userland exploit that takes advantage of the 3ds's otherwise useless Youtube app. An excellent primary entrypoint. Unfortunately patched a couple months later on all firmwares.
    Ironhax - first secondary userland exploit - one that requires a primary (like tubehax) to install.
    Reinand - first full featured New3ds cfw.

    September

    Menuhax - secondary home menu exploit that allows boot time userland execution. Fantastic when paired with cfw launchers save for the annoyingly unreliable *hax bootrates on 9.2. A favorite among homebrew peasants, and the sworn enemy of the late Margen67.
    Browserhax - primary browser exploits for old/new 3ds that would be updated on and off over the coming months.

    December

    Sky3ds+ released. Bypasses cart-based AP in recent games and adds filesystem-based game loading among other features.

    32c3 hacker conference - snshax, arm9loaderhax, memchunkhax2, ntrcardhax revealed. Userland exploits menuhax, and ironfall were updated too.

  6. January
    10.x downgrading to 9.2 released. FBI dev Steveice10 implements. Biggest PM group in the history of GBAtemp forged in secret ;p Downgrading patched with 10.4.

    February
    Arm9loaderhax emerges, lumbering and crushing everything in its path. Menuhax peasants begin their suffering.
    Aureinand/luma3ds - fork of reinand that took the cfw's features to a new level. The authors, aurora wright and tuxsh, had a public falling out with the original author, reisukaku, and subsequently cut all ties with him by first renaming the project from aureinand to luma3ds, then removing the fork status altogether. It is currently the most popular cfw today (6/2019).

    March

    Aliaspider releases memchunkhax2.1, allowing downgrades to 9.2 to resume. Calls it svchax for reasons only known to him. This new k11 sploit would last through 10.7.

    May
    @TheCruel Releases what would probably become the most notorious (and popular) piracy app for the 3ds, Freeshop. It let you conveniently download eShop games directly to your 3ds from Nintendo's CDN without paying for them. All that was needed for any specific game was its "titlekey" to decrypt them. This required just one person to buy the game and upload the key.
    Naturally, Nintendo wasn't amused by this and actually DMCA'd Freeshop's repo from Github. It was promptly rehosted on a competing git service.

    July
    Someone finally reveals the dsiware firm downgrade method after hinting about it for months. This allows the 9.2 downgrading to resume yet again on firms 11.0 - 11.2 (given a second fully hacked system). Nintendo privately thinks it's pretty cool, ignores it. Fieldrunners sales skyrocket.

    September
    Arm9loaderhax becomes even more unstoppable due to ctrnand transfer (shortens install time on both new/old 3ds) and otpless (instant new3ds install). Otpless was later scuttled (from 3ds.guide) due to a low chance of random bricking.

    December
    33c3. Yes, more c3 hax megatons. First off, Soundhax, a free userland primary for a system app so almost all 3ds's are vulnerable (the best userland hack ever to date). Fasthax, another k11 sploit, is revealed. Both of these are by scene newcomer nedwill, and are immediately released. Scene veteran derrek then reveals sighax, a bootrom vuln that allows one to sign arbitrary firmware code. He also reveals vague details on how he dumped the 3ds arm9/arm11 bootroms. No actual code releases from derrek though.

  7. January
    New arm9 sploit safehax is released by appleTinivi after an anon posted the method on 3dbrew.org. So now, full control is possible up to firm 11.2. People usually use this to ctrnand downgrade to 2.1, get the otp, then restore original nand and install a9lh.

    February
    11.3 is released and Fasthax/safehax are fixed. Firm downgrading with dsiware or hardmod is also fixed.
    Gatway promises support for 11.3 and new exciting stuff for their loyal customers. Go to 9/2017 to see how that turned out.

    April
    @TheCruel, dev of notorious piracy app Freeshop, becomes notorious in his personal life after he is charged and convicted of child pron, and is sentenced to 20 years hard time!
    He also gets banned from gbatemp, horrors! :P

    11.4 is released fixing a previously unknown k11 vuln, udsploit. Smealum releases that exploit for those still on 11.3. Soon after, AppleTinivi updates safehax for 11.3 due to an oversight in Nintendo's previous safehax fix. A9lh masterrace resumes for a little longer.

    May
    33.5c3. An unofficial sequel to the blockbuster 33c3 sees sighax implemented. This version is called boot9strap, since it adds the feature of being able to dump the bootroms in software. Ntrboot, a method to hack any 3ds at boot-time with a modified DS flashcard (made possible mostly with sighax/boot9strap), is theorized and confirmed privately. Since firms can now be forged with nothing more than nand access, the dsiware transfer and hardmod methods of installing cfw resume on latest firmware using the known-plaintext attack.

    June
    The New2dsXL is released in Australia and it is discovered to have the same vulnerable bootroms as 3ds's manufactured 7 years ago, making people concerned for the 1000000th time if Nintendo knows what it's doing.

    August
    Ntrboot is finally released starting with support for just the ak2i and r4ids.cn flashcards but quickly growing to many others. A new generation of Nintendo homebrewers discovers the utter joy of trying to figure out what DS flashcard clone they actually have and if it's actually good for anything.

    September
    Gateway team reveals what they have been working on for the last several months: ditching their old flashcard and making a new one, of course. It's called Stargate and is supposed to be a hybrid of ntrboot card, ds card, and sky3ds. It's expensive ($80), and already has been delayed several times. Soon.
    It received tepid support, and was abandoned after a few months due to people seeking out cheaper ntrboot card options.

  8. January
    Someone reveals a method to brute-force the 3ds's movable.sed with only the Local Friend Code Seed, which is obtainable in userland and below. This allows people to inject hacked dsiware and install B9S with only one 3ds. Seedminer is the name of the implementation of this vulnerability, and only requires the purchase of a $2 dsiware game if they don't already have a compatible one. This vuln is extremely versatile as it allows one to attack all encrypted contents on the sd card.

    July

    Nintendo releases firmware 11.8 which prepares the 3ds for new server side authentication for CDN downloads. What this means in English is that piracy apps like Freeshop (and its siblings) can no longer download pirated games directly from the eShop. @TheCruel's agony in prison increases.

    August

    3ds scene legend Smealum reveals his long teased arm9 exploit chain at defcon. Unfortunately, it was already patched in firmware 11.8 since he had disclosed it to the hackerone bounty previously. Additionally, he posted incomplete repos of the chain on Github. Nobody to date has been able to get any of them to work.
    Smea rightfully gets a free pass on this one because he's been so awesome in the past. He deserves a little bread for all he's done for the scene.

    September
    A new version of Seedminer called Frogminer is released (we'll just call this family of exploits " *miner "). This utilizes an old version of the Japanese Flipnote Studio instead of Sudoku and it's injected to DS download play instead of another dsiware game. This allows this *miner sploit to be a completely free method to cfw your console!

    December

    11.9 releases and an unreleased browser exploit for both old/new 3ds is patched. This happened because -- you guessed it -- another hackerone bounty submission. This time it's userland sploit dev extraordinaire, MrNbaYoh.

  9. July
    Bannerbomb3 released. This is a *miner userland primary for System Settings. It was released mainly for QOL improvements to the *miner cfw chains (they're no longer dependent on free eShop titles being available and unpatched).

    December
    MrNbaYoh demonstrates a new cfw chain at his 36c3 conference talk. He developed a primary that can remotely takeover a 3ds in userland using streetpass tags. This sets up further exploits (developed by Tuxsh) that take over arm11 kernel (lazypixie) and arm9 (safehax 2.x). This chain was patched on firmware 11.12, released two months before the conference. They were submitted to the h1 bounty at some earlier date.

Can someone tell me the full 5 years timeline of the hacking scene?

All I know is that Smea created Homebrew
What else?

When were CIA files discovered?
What was the first game dumped as a CIA?
What was it like before A9LH?
What was it like when Plailect's guide didn't exist?
What other major things happened besides stuff like discovery of A9LH?
How was Homebrew created for the 3DS? Like how was it discovered?
How was the hacking scene from a year or two ago compared to today?

You know, stuff like that.

Also, for those of you who have been here long enough, do you like how the hacking scene today more or the one in the past?

Those are just some basic questions. If you have more to tell, then please do so.
 
Last edited by Pokem,
  • Like
Reactions: dude1709 and pelago

Selver

13,5,1,14,9,14,7,12,5,19,19
Member
Joined
Dec 22, 2015
Messages
219
Trophies
0
XP
396
Country
Can someone tell me the full 5 years timeline of the hacking scene?

All I know is that Smea created Homebrew
What else?

When were CIA files discovered?
What was the first game dumped as a CIA?
What was it like before A9LH?
What was it like when Plailect's guide didn't exist?
What other major things happened besides stuff like discovery of A9LH?
How was Homebrew created for the 3DS? Like how was it discovered?
How was the hacking scene from a year or two ago compared to today?

You know, stuff like that.

Also, for those of you who have been here long enough, do you like how the hacking scene today more or the one in the past?

Those are just some basic questions. If you have more to tell, then please do so.

Check out the following post for some history on A9LH, including links for lots more information:
https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/
 
  • Like
Reactions: Pokem
3DS Scene History

zoogie

playing around in the dsiware
Developer
Joined
Nov 30, 2014
Messages
8,289
Trophies
2
XP
13,102
Country
Micronesia, Federated States of
A Pretty Brief History of the 3ds Hacking/Homebrew Scene

20112012201320142015201620172018201920202021


  1. March
    The 3ds launches in the west and the famous 3dbrew.org wiki site launches in tandem, which would be the main info hub for 3ds RE for the length of the 3ds's lifespan. Most DS mode flashcarts were quickly fixed to run in DS mode on the 3ds. These carts would periodically be patched until firm 7.0, after which, Nintendo gave up worrying about them.

    June
    First 3ds roms dumped

    September
    Crown3ds teases a promising video of a flashcard that would have been the first warez enabling solution for 3ds. What we actually got was an Engrish website forever promising: "We are in progressing ... 72%". A meme was born, and a dream died.

  2. Unknown Month
    It is believed Neimod's hardware RAM dumping and subsequent internal research (#3dsdev/3dbrew.org, yellows8 and friends) lead to the first userland (OOT) and a9 exploits. Teasers like IRC chat logs and the following popped up.
    https://gbatemp.net/threads/3ds-hack-we-hacked-it.339271/

    November
    3ds SOC decapping fundraiser started by 3dsdev insider gshock/jl12 to find out the system's secrets and supposedly get it hacked faster. GBAtemp community raises $2300 before gshock disappears with the money, presumably to a resort in Fiji with Gateway execs.

  3. August
    Gateway released. The 3ds is officially hacked and piracy begins. They continue to be basically the entire "homebrew" scene for the next year and a half. There was, however, some basic arm9 homebrew possible via mset exploit + p3ds (rsaVerifySHA256 a9 sploit), but it was limited to just bare-metal stuff like ram dumpers, Tetris, Pong and the like. It was less impressive than even DS homebrew (and publicly, nobody knew how to properly harness the arm9's power like nowadays).

  4. January
    brickgate/brickway - Infamous scandal where Gateway releases a firm that intentionally bricks user 3ds's that run their software on Gateway clones like R4 gold Deluxe and Orange3DS. Even some legit users get caught up in Gateway's spiderweb of bricks. Gateway did offer to fix those units.

    March
    Citra - first commit. the gold standard of 3ds emulators for the PC is born. Wouldn't really hit its stride until 2016, a testament to how complex a system the 3ds is.

    November

    - Then the Palantine cfw (internally made by yellows8 and others) leak happened, bringing the first free, closed source cfw to the masses. Limitations: 4.5, emunand not updatable, low boot rate, a bitch to install, etc. But it did run cias, and it forced Gateway to add cia support to its flashcard in a panic about a week later.

    - Sky3ds flashcart released. plays clean cart roms on any firmware, but no homebrew, cias, mods, etc. Initial model limited to just 10 non-replaceable games with the manufacturer suggesting 'buy another' if you want more. Pirates consider this theft and whine incessantly. Sky3ds eases its restriction and releases a 'blue button' card without the game limit.

    -Ninjhax userland (1st sane hb environment) and ctrulib make their triumphant, morally-centered debut shortly after "Palantine" cfw.
    Ntr cfw released. A plug-in based a11 kernal cfw that adds many cool features like RAM poking and 3ds -> PC video streaming (added 2016).

  5. January
    Gateway cracks 9.2 and updates its flashcard to the OMEGA series. Genius yifanlu posts detailed blog REing the GW memchunkhax/firmlaunchhax combo and teams like SALT, roxas75, and patois quickly implement it.

    February
    Rxtools released. 1st legit emunand/multi-tool implementation. Anti-piracy.

    May
    Pasta cfw released after sig patches leaked on pastebin (hence the name). Combined with patois open source memchunkhax/firmlaunchhax (brahma) this resulted in the 1st open source cfw. No emunand.

    Rxtools patched with above sig patches by ahp_person (appletinivi). Roxas does not approve, throws fit.

    June

    Roxas gives in, released rxtools source, adds sig patches officially. Quits scene.
    Rxtools goes on to be the "it" cfw for the next several months, despite being kinda sloppily coded and a risk to inexperienced users with its dangerous arm9 power-user features built-in.

    July
    Ninjhax2x released. App takeover, rom hacks, and other nice things too numerous to detail.

    August
    Tubehax - primary userland exploit that takes advantage of the 3ds's otherwise useless Youtube app. An excellent primary entrypoint. Unfortunately patched a couple months later on all firmwares.
    Ironhax - first secondary userland exploit - one that requires a primary (like tubehax) to install.
    Reinand - first full featured New3ds cfw.

    September

    Menuhax - secondary home menu exploit that allows boot time userland execution. Fantastic when paired with cfw launchers save for the annoyingly unreliable *hax bootrates on 9.2. A favorite among homebrew peasants, and the sworn enemy of the late Margen67.
    Browserhax - primary browser exploits for old/new 3ds that would be updated on and off over the coming months.

    December

    Sky3ds+ released. Bypasses cart-based AP in recent games and adds filesystem-based game loading among other features.

    32c3 hacker conference - snshax, arm9loaderhax, memchunkhax2, ntrcardhax revealed. Userland exploits menuhax, and ironfall were updated too.

  6. January
    10.x downgrading to 9.2 released. FBI dev Steveice10 implements. Biggest PM group in the history of GBAtemp forged in secret ;p Downgrading patched with 10.4.

    February
    Arm9loaderhax emerges, lumbering and crushing everything in its path. Menuhax peasants begin their suffering.
    Aureinand/luma3ds - fork of reinand that took the cfw's features to a new level. The authors, aurora wright and tuxsh, had a public falling out with the original author, reisukaku, and subsequently cut all ties with him by first renaming the project from aureinand to luma3ds, then removing the fork status altogether. It is currently the most popular cfw today (6/2019).

    March

    Aliaspider releases memchunkhax2.1, allowing downgrades to 9.2 to resume. Calls it svchax for reasons only known to him. This new k11 sploit would last through 10.7.

    May
    @TheCruel Releases what would probably become the most notorious (and popular) piracy app for the 3ds, Freeshop. It let you conveniently download eShop games directly to your 3ds from Nintendo's CDN without paying for them. All that was needed for any specific game was its "titlekey" to decrypt them. This required just one person to buy the game and upload the key.
    Naturally, Nintendo wasn't amused by this and actually DMCA'd Freeshop's repo from Github. It was promptly rehosted on a competing git service.

    July
    Someone finally reveals the dsiware firm downgrade method after hinting about it for months. This allows the 9.2 downgrading to resume yet again on firms 11.0 - 11.2 (given a second fully hacked system). Nintendo privately thinks it's pretty cool, ignores it. Fieldrunners sales skyrocket.

    September
    Arm9loaderhax becomes even more unstoppable due to ctrnand transfer (shortens install time on both new/old 3ds) and otpless (instant new3ds install). Otpless was later scuttled (from 3ds.guide) due to a low chance of random bricking.

    December
    33c3. Yes, more c3 hax megatons. First off, Soundhax, a free userland primary for a system app so almost all 3ds's are vulnerable (the best userland hack ever to date). Fasthax, another k11 sploit, is revealed. Both of these are by scene newcomer nedwill, and are immediately released. Scene veteran derrek then reveals sighax, a bootrom vuln that allows one to sign arbitrary firmware code. He also reveals vague details on how he dumped the 3ds arm9/arm11 bootroms. No actual code releases from derrek though.
    Nintendo launches a bug bounty program for the 3ds (and soon after, Switch). The bounties are set at $100 - $20,000 per exploit This would have the effect of moving a large portion of exploit developers away from public releases. Nintendo was probably ok with this fact.

  7. January
    New arm9 sploit safehax is released by appleTinivi after an anon posted the method on 3dbrew.org. So now, full control is possible up to firm 11.2. People usually use this to ctrnand downgrade to 2.1, get the otp, then restore original nand and install a9lh.

    February
    11.3 is released and Fasthax/safehax are fixed. Firm downgrading with dsiware or hardmod is also fixed.
    Gatway promises support for 11.3 and new exciting stuff for their loyal customers. Go to 9/2017 to see how that turned out.

    April
    @TheCruel, dev of notorious piracy app Freeshop, becomes notorious in his personal life after he is charged and convicted of child pron, and is sentenced to 20 years hard time!
    He also gets banned from gbatemp, horrors! :P

    11.4 is released fixing a previously unknown k11 vuln, udsploit. Smealum releases that exploit for those still on 11.3. Soon after, AppleTinivi updates safehax for 11.3 due to an oversight in Nintendo's previous safehax fix. A9lh masterrace resumes for a little longer.

    May
    33.5c3. An unofficial sequel to the blockbuster 33c3 sees sighax implemented. This version is called boot9strap, since it adds the feature of being able to dump the bootroms in software. Ntrboot, a method to hack any 3ds at boot-time with a modified DS flashcard (made possible mostly with sighax/boot9strap), is theorized and confirmed privately. Since firms can now be forged with nothing more than nand access, the dsiware transfer and hardmod methods of installing cfw resume on latest firmware using the known-plaintext attack.

    June
    The New2dsXL is released in Australia and it is discovered to have the same vulnerable bootroms as 3ds's manufactured 7 years ago, making people concerned for the 1000000th time if Nintendo knows what it's doing.

    August
    Ntrboot is finally released starting with support for just the ak2i and r4ids.cn flashcards but quickly growing to many others. A new generation of Nintendo homebrewers discovers the utter joy of trying to figure out what DS flashcard clone they actually have and if it's actually good for anything.

    September
    Gateway team reveals what they have been working on for the last several months: ditching their old flashcard and making a new one, of course. It's called Stargate and is supposed to be a hybrid of ntrboot card, ds card, and sky3ds. It's expensive ($80), and already has been delayed several times. Soon.
    It received tepid support, and was abandoned after a few months due to people seeking out cheaper ntrboot card options.

  8. January
    Someone reveals a method to brute-force the 3ds's movable.sed with only the Local Friend Code Seed, which is obtainable in userland and below. This allows people to inject hacked dsiware and install B9S with only one 3ds. Seedminer is the name of the implementation of this vulnerability, and only requires the purchase of a $2 dsiware game if they don't already have a compatible one. This vuln is extremely versatile as it allows one to attack all encrypted contents on the sd card.

    July

    Nintendo releases firmware 11.8 which prepares the 3ds for new server side authentication for CDN downloads. What this means in English is that piracy apps like Freeshop (and its siblings) can no longer download pirated games directly from the eShop. @TheCruel's agony in prison increases.

    August

    3ds scene legend Smealum reveals his long teased arm9 exploit chain at defcon. Unfortunately, it was already patched in firmware 11.8 since he had disclosed it to the hackerone bounty previously. Additionally, he posted incomplete repos of the chain on Github. Nobody to date has been able to get any of them to work.
    Smea rightfully gets a free pass on this one because he's been so awesome in the past. He deserves a little bread for all he's done for the scene.

    September
    A new version of Seedminer called Frogminer is released (we'll just call this family of exploits " *miner "). This utilizes an old version of the Japanese Flipnote Studio instead of Sudoku and it's injected to DS download play instead of another dsiware game. This allows this *miner sploit to be a completely free method to cfw your console!

    December

    11.9 releases and an unreleased browser exploit for both old/new 3ds is patched. This happened because -- you guessed it -- another hackerone bounty submission. This time it's userland sploit dev extraordinaire, MrNbaYoh.

  9. July
    Bannerbomb3 released. This is a *miner userland primary for System Settings. It was released mainly for QOL improvements to the *miner cfw chains (they're no longer dependent on free eShop titles being available and unpatched).

    December
    MrNbaYoh demonstrates a new cfw chain at his 36c3 conference talk. He developed a primary that can remotely takeover a 3ds in userland using streetpass tags. This sets up further exploits (developed by Tuxsh) that take over arm11 kernel (lazypixie) and arm9 (safehax 2.x). This chain was patched on firmware 11.12, released two months before the conference. They were submitted to the h1 bounty at some earlier date.

  10. April
    A new exploit for SAFE_MODE system updater (that recovery mode app) is released which heralds a new version of safehax for latest firmware 11.13. It's pretty nifty if I might say so myself :ninja:

    July
    Nintendo's Hackerone bounty program for the 3ds is formally ended on July 15th. Will this finally mean someone besides Zoogie actually releases an exploit for the 3ds? Stay tuned! don't get your hopes up

    August
    The fat cat on a stick releases a new browserhax for old and new 3ds. The author prays these won't be patched since they're pretty convenient homebrew entrypoints.

    September
    Nintendo puts on its creepiest undertaker outfit and shuts down 3ds retail production, noooo!! Hax must go on to preserve its memory.

    November
    Nintendo releases firmware update 11.14.0.46. This fixes quite a few last minute hackerone bounty exploits submitted just before the program ended last July. However, they also fixed my browserhax! Back to Seedminer for the userland entrypoint-- it just won't die!

    December
    After a month cooling off period required when submitting hackone bugs, MrNbaYoh and TuxSH disclosed some nice exploits they bountied! NbaYoh gave use SSLoth, which is a vuln that allows an attacker to bypass SSL encryption for 3ds network communications. This sets up another bountied exploit, safecerthax, that can still be executed on firm 11.4 in safe mode (it's fixed on native firm and new3ds though). This allows a full chain to boot9strap on old3ds -- awesome! TuxSH also got in the game by updating his universal otherapp to include another new full chain (smpwn, spipwn, khax, agbhax) that can work on native firm. Together with a new new3ds browser exploit from yours truly (new-browserhax-XL, don't judge me) we suddenly have a full chain on new3ds too! Back to the crypt, seedminer!

  11. January
    Nintendo quietly kills off Unity3DS and several Debugging/dev hardware items, casting another shovel of dirt on our beloved 3ds.

    April
    Old-browserhax-XL is released, completing the revival of browserhax and elevating the art of terrible hax names.


I probably missed some things, but that's a pretty good start. Let me know if there are any important omissions.
 
Last edited by zoogie,

Elveman

B9S Shitpost Race Smogonite
Member
Joined
Feb 1, 2015
Messages
454
Trophies
0
Age
24
Location
Moscow city
Website
vk.com
XP
721
Country
Russia
There should be also PBT-CFW (After Palantine), Cakes somewhere (in between rxTools and reiNand), the history of Decrypt9 and EmuNAND9 (the last one is important - it allowed users to format their SDs without Gatebrick software), FBI (famous 2.0 ground-up rewrite), hbl-loader, and rxTools trying to get to A9LH and dying out in process. Aside from that, pretty cool and has an explanation of the key points.
 
Last edited by Elveman,
  • Like
Reactions: pelago

Pokem

Well-Known Member
OP
Member
Joined
Jul 22, 2016
Messages
1,058
Trophies
0
XP
1,381
Country
United States
Wow. Looking back at this thread was a blast to read.
Very interesting to see the new developments while I was inactive.
I'll post what Zoogie said in the OP and maybe update the thread once in a while
 

zacchi4k

Well-Known Member
Member
Joined
Feb 6, 2015
Messages
1,386
Trophies
0
Age
19
Location
Somewhere eating pizza
XP
1,408
Country
Italy
A Pretty Brief History of the 3ds Hacking/Homebrew Scene

---

3/2011
the 3ds launches in the west and the famous 3dbrew.org wiki site launches in tandem, which would be the main info hub for 3ds RE for the length of the 3ds's lifespan. Most DS mode flashcarts were quickly fixed to run in DS mode on the 3ds. These carts would periodically be patched until firm 7.0, after which, Nintendo gave up worrying about them.

6/2011
First 3ds roms dumped

9/2011
crown3ds teases a promising video of a flashcard that would have been the first warez enabling solution for 3ds. What we actually got was an Engrish website forever promising: "We are in progressing ... 72%". A meme was born, and a dream died.

2012ish
It is believed Neimod's hardware RAM dumping and subsequent internal research (#3dsdev/3dbrew.org, yellows8 and friends) lead to the first userland (OOT) and a9 exploits. Teasers like IRC chat logs and the following popped up.
https://gbatemp.net/threads/3ds-hack-we-hacked-it.339271/

11/2012
3ds SOC decapping fundraiser started by 3dsdev insider gshock/jl12 to find out the system's secrets and supposedly get it hacked faster. GBAtemp community raises $2300 before gshock disappears with the money, presumably to a resort in fiji with Gateway execs.

8/2013
Gateway released. The 3ds is offically hacked and piracy begins. They continue to be basically the entire "homebrew" scene for the next year and a half. There was, however, some basic arm9 homebrew possible via mset exploit + p3ds (rsaVerifySHA256 a9 sploit), but it was limited to just bare-metal stuff like ram dumpers, tetris, pong and the like. It was less impressive than even DS homebrew (and publicly, nobody knew how to properly harness the a9's power like nowadays).

1/2014
brickgate/brickway - infamous scandal where Gateway releases a firm that intentionally bricks user 3ds's that run their software on GW clones like R4 gold Deluxe and Orange3DS. Even some legit users get caught up in Gateway's spiderweb of bricks. Gateway did offer to fix those units.

3/2014
citra - first commit. the gold standard of 3ds emulators for the PC is born. Wouldn't really hit its stride until 2016, a testament to how complex a system the 3ds is.

11/2014
Then the giovani/palantine cfw (internally made by yellows8 and others) leak happened, bringing the first free, closed source cfw to the masses. Limitations: 4.5, emunand not updatable, low boot rate, a bitch to install, etc. But it did run cias, and it forced Gateway to add cia support to its flashcard in a panic about a week later.

11/2014
sky3ds flashcart released. plays clean cart roms on any firmware, but no homebrew, cia's, mods, etc. Initial model limited to just 10 non-replaceable games with the manufacturer suggesting 'buy another' if you want more. Pirates consider this theft and scoff. Sky3ds eases its restriction and releases a 'blue button' card without the game limit.

11/2014
ninjhax userland (1st sane hb environment) and ctrulib make their triumphant, morally centered debut shortly after palantine.
ntr cfw released - plug-in based a11 kernal cfw that adds many cool features like RAM poking and 3ds -> PC video streaming (2016).

1/2015
Gateway cracks 9.2 and updates its flashcard to the OMEGA series. Genius yifanlu posts detailed blog REing the GW memchunkhax/firmlaunchhax combo and teams like SALT, roxas75, and patois quickly implement it.

2/2015
rxtools released. 1st legit emunand/multi-tool implementation. anti piracy.

5/2015
pasta cfw released after sig patches leaked on pastebin (hence the name). Combined with patois open source mchunkhax/firmlaunchhax (brahma) this resulted in the 1st open source cfw. no emunand.

5/2015
rxtools patched with above sig patches by ahp_person (appletinivi). roxas does not approve, throws fit.

6/2015
roxas gives in, released rxtools source, adds sig patches officially. quits scene.
Rxtools goes on to be the "it" cfw for the next several months, despite being kinda sloppily coded and a risk to inexperienced users with its dangerous arm9 power-user features built-in.

7/2015
ninjhax2x released. App takeover, rom hacks, and other nice things too numerous to detail.

8/2015
tubehax - primary userland exploit that takes advantage of the 3ds's otherwise useless youtube app. An excellent primary entrypoint. Unfortunately patched a couple months later.
ironhax - first secondary userland exploit - one that requires a primary (like tubehax) to install.
reinand - first full featured New3ds cfw.

9/2015
menuhax - secondary home menu exploit that allows boot time userland execution. Fantastic when paired with cfw launchers save for the annoyingly unreliable *hax bootrates on 9.2. a favorite among homebrew peasants, and the sworn enemy of the late Margen67
browserhax - primary browser exploits for old/new 3ds that would be updated on and off over the coming months.

12/2015
sky3ds+ released. bypasses cart-based AP in recent games and adds filesystem-based game loading among other features.

12/2015
32c3 hacker conference - snshax, arm9loaderhax, memchunkhax2, ntrcardhax revealed. Userland exploits menuhax, and ironfall were updated too.

1/2016
10.x downgrading to 9.2 released. steveice10 implements. biggest PM group in the history of GBAtemp forged in secret ;p Downgrading patched with 10.4.

2/2016
arm9loaderhax emerges, lumbering and crushing everything in its path. menuhax peasants begin their suffering.
aureinand/luma3ds - fork of reinand that took the cfw's features to a new level. The authors, aurora wright and tuxsh, had a public falling out with the original author, reisukaku, and subsequently cut all ties with him by first renaming the project from aureinand to luma3ds, then removing the fork status altogether. It is currently the most popular cfw today (11/2017).

3/2016
aliaspider releases memchunkhax2.1, allowing downgrades to 9.2 to resume. calls it svchax for reasons only known to him. This new k11 sploit would last through 10.7.

7/2016
stupid lolcat finally reveals the dsiware firm downgrade method after hinting about it for months. This allows the 9.2 downgrading to resume yet again (given a second fully hacked system). Nintendo privately thinks it's pretty cool, ignores it. Fieldrunners sales skyrocket.

9/2016
arm9loaderhax becomes even more irresistible due to ctrnand transfer (shortens install time on both new/old 3ds) and otpless (instant new3ds install). Otpless was later scuttled (from 3ds.guide) due to a low chance of random bricking.

12/2016
33c3. yes, more megatonhax. First off, Soundhax, free userland primary for a system app so almost all 3ds's are vulnerable. Fasthax, another k11 sploit, is revealed. Both of these are by scene newcomer nedwill, and are immediately released. Scene veteran derrek then reveals sighax, a bootrom vuln that allows one to sign arbitrary firmware code. He also reveals vague details on how he dumped the 3ds arm9/arm11 bootroms. No actual code releases from derrek though.

1/2017
New arm9 sploit safehax is released by appleTinivi after an anon posted the method on 3dbrew.org. So now, full control is possible up to firm 11.2. People usually use this to ctrnand downgrade to 2.1, get the otp, then restore original nand and install a9lh.

2/2017
11.3 is released and Fasthax/safehax are fixed. Firm downgrading with dsiware or hardmod is also fixed.
Gatway promises support for 11.3 and new exciting stuff for their loyal customers. Go to 9/2017 to see how that turned out.

4/2017
11.4 is released fixing a previously unknown k11 vuln, udsploit. Smealum releases that exploit for those still on 11.3. Soon after, AppleTinivi updates safehax for 11.3 due to an oversight in Nintendo's previous safehax fix. a9lh masterrace resumes for a little longer.

5/2017
33.5c3. An unofficial sequel to the blockbuster 33c3 sees sighax implemented. This version is called boot9strap, since it adds the feature of being able to dump the bootroms in software. Ntrboot, a method to hack any 3ds at boot-time with a modified ds flashcard (made possible mostly with sighax/boot9strap), is theorized and confirmed privately. Since firms can now be forged with nothing more than nand access, the dsiware transfer and hardmod methods of installing cfw resume on latest firmware.

6/2017
The New2dsXL is released in Australia and it is discovered to have the same vulnerable bootroms as 3ds's manufactured 7 years ago, making people concerned for the 1000000th time if Nintendo knows what it's doing.

8/2017
ntrboot is finally released starting with support for just the ak2i and r4ids.cn flashcards but quickly growing to many others. A new generation of Nintendo homebrewers discovers the utter joy of trying to figure out what DS flashcard clone they actually have and if it's actually good for anything.

9/2017
Gateway team reveals what they have been working on for the last several months: ditching their old flashcard and making a new one of course. It's called Stargate and is supposed to be a hybrid of ntrboot card, ds card, and sky3ds. It's expensive ($80), and already has been delayed several times. Soon.

1/2018
Someone reveals a method to brute-force the 3ds's movable.sed with only the Local Friend Code Seed, which is obtainable in userland and below. This allows people to inject hacked dsiware and install B9S with only one 3ds. Seedminer is the name of the implementation of this vulnerability.

---

I probably missed some things, but that's a pretty good start. Let me know if there are any important omissions.
OoT was discovered before MSET? I always thought that the latter was the first exploit discovered ever. Also how is it only barebones if iirc it was the first one GW used?

--------------------- MERGED ---------------------------

Also "exploit that takes advantage of the 3ds's otherwise useless youtube app" :rofl2::rofl2::rofl2:
Gosh I remenber when that app first came out it was pure shit since the only thing it was good at was continuously crashing with no goddamn reason
 
Last edited by zacchi4k,
  • Like
Reactions: Pokem

Pokem

Well-Known Member
OP
Member
Joined
Jul 22, 2016
Messages
1,058
Trophies
0
XP
1,381
Country
United States
I’ll try to add on the bits and pieces of history you guys post to the big history timeline Zoogie made in the OP so whoever decides to look at this thread doesn’t have to scroll around this entire thread. (Although there’s not much here xD)
If you do decide to leave something, please include a date. If no exact date, then please give a month/year.
Example: 8/2017:
 
General chit-chat
Help Users
  • No one is chatting at the moment.
    Psionic Roshambo @ Psionic Roshambo: https://imgur.com/gallery/THrBdLQ