3DS hacking scene history

Discussion in '3DS - Flashcards & Custom Firmwares' started by Pokem, Sep 29, 2016.

  1. Pokem

    Pokem GBAtemp Advanced Fan

    Jul 22, 2016
    United States
    Can someone tell me the full 5 years timeline of the hacking scene?

    All I know is that Smea created Homebrew
    What else?

    When were CIA files discovered?
    What was the first game dumped as a CIA?
    What was it like before A9LH?
    What was it like when Plailect's guide didn't exist?
    What other major things happened besides stuff like discovery of A9LH?
    How was Homebrew created for the 3DS? Like how was it discovered?
    How was the hacking scene from a year or two ago compared to today?

    You know, stuff like that.

    Also, for those of you who have been here long enough, do you like how the hacking scene today more or the one in the past?

    Those are just some basic questions. If you have more to tell, then please do so.
    Last edited by Pokem, Sep 29, 2016
    pelago likes this.
  2. Pokem

    Pokem GBAtemp Advanced Fan

    Jul 22, 2016
    United States
    This is probably in the wrong subforum x.x
  3. RemixDeluxe

    RemixDeluxe GBAtemp Psycho!

    Nov 23, 2010
    United States
    You give far too much credit to Smea. Arm9loader was a collaborative effort among all the 3DS homebrew devs
    julialy, The Koopa Kingdom and Pokem like this.
  4. Pokem

    Pokem GBAtemp Advanced Fan

    Jul 22, 2016
    United States
    ooo, I was kinda skeptical about that too. I took that part out.
  5. Selver

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Dec 22, 2015
    Check out the following post for some history on A9LH, including links for lots more information:
    Pokem likes this.
  6. McWhiters9511

    McWhiters9511 That's Rad Bro

    Mar 28, 2016
    United States
    i faintly remember it before a9lh. gateway and rx tools were the shit lol XP
    and pasta
    Last edited by McWhiters9511, Sep 29, 2016
  7. SMVB64

    SMVB64 Now your playing with power! Super power!

    Feb 13, 2013
    Lets go even further back in time to GovanifY leaked CFW and then Palantine CFW.
    The scene came along way.
    astronautlevel likes this.
  8. zoogie

    zoogie playing around in the dsiware

    Nov 30, 2014
    Micronesia, Federated States of
    A Pretty Brief History of the 3ds Hacking/Homebrew Scene


    the 3ds launches in the west and the famous 3dbrew.org wiki site launches in tandem, which would be the main info hub for 3ds RE for the length of the 3ds's lifespan. Most DS mode flashcarts were quickly fixed to run in DS mode on the 3ds. These carts would periodically be patched until firm 7.0, after which, Nintendo gave up worrying about them.

    First 3ds roms dumped

    crown3ds teases a promising video of a flashcard that would have been the first warez enabling solution for 3ds. What we actually got was an Engrish website forever promising: "We are in progressing ... 72%". A meme was born, and a dream died.

    It is believed Neimod's hardware RAM dumping and subsequent internal research (#3dsdev/3dbrew.org, yellows8 and friends) lead to the first userland (OOT) and a9 exploits. Teasers like IRC chat logs and the following popped up.

    3ds SOC decapping fundraiser started by 3dsdev insider gshock/jl12 to find out the system's secrets and supposedly get it hacked faster. GBAtemp community raises $2300 before gshock disappears with the money, presumably to a resort in fiji with Gateway execs.

    Gateway released. The 3ds is offically hacked and piracy begins. They continue to be basically the entire "homebrew" scene for the next year and a half. There was, however, some basic arm9 homebrew possible via mset exploit + p3ds (rsaVerifySHA256 a9 sploit), but it was limited to just bare-metal stuff like ram dumpers, tetris, pong and the like. It was less impressive than even DS homebrew (and publicly, nobody knew how to properly harness the a9's power like nowadays).

    brickgate/brickway - infamous scandal where Gateway releases a firm that intentionally bricks user 3ds's that run their software on GW clones like R4 gold Deluxe and Orange3DS. Even some legit users get caught up in Gateway's spiderweb of bricks. Gateway did offer to fix those units.

    citra - first commit. the gold standard of 3ds emulators for the PC is born. Wouldn't really hit its stride until 2016, a testament to how complex a system the 3ds is.

    Then the giovani/palantine cfw (internally made by yellows8 and others) leak happened, bringing the first free, closed source cfw to the masses. Limitations: 4.5, emunand not updatable, low boot rate, a bitch to install, etc. But it did run cias, and it forced Gateway to add cia support to its flashcard in a panic about a week later.

    sky3ds flashcart released. plays clean cart roms on any firmware, but no homebrew, cia's, mods, etc. Initial model limited to just 10 non-replaceable games with the manufacturer suggesting 'buy another' if you want more. Pirates consider this theft and scoff. Sky3ds eases its restriction and releases a 'blue button' card without the game limit.

    ninjhax userland (1st sane hb environment) and ctrulib make their triumphant, morally centered debut shortly after palantine.
    ntr cfw released - plug-in based a11 kernal cfw that adds many cool features like RAM poking and 3ds -> PC video streaming (2016).

    Gateway cracks 9.2 and updates its flashcard to the OMEGA series. Genius yifanlu posts detailed blog REing the GW memchunkhax/firmlaunchhax combo and teams like SALT, roxas75, and patois quickly implement it.

    rxtools released. 1st legit emunand/multi-tool implementation. anti piracy.

    pasta cfw released after sig patches leaked on pastebin (hence the name). Combined with patois open source mchunkhax/firmlaunchhax (brahma) this resulted in the 1st open source cfw. no emunand.

    rxtools patched with above sig patches by ahp_person (appletinivi). roxas does not approve, throws fit.

    roxas gives in, released rxtools source, adds sig patches officially. quits scene.
    Rxtools goes on to be the "it" cfw for the next several months, despite being kinda sloppily coded and a risk to inexperienced users with its dangerous arm9 power-user features built-in.

    ninjhax2x released. App takeover, rom hacks, and other nice things too numerous to detail.

    tubehax - primary userland exploit that takes advantage of the 3ds's otherwise useless youtube app. An excellent primary entrypoint. Unfortunately patched a couple months later.
    ironhax - first secondary userland exploit - one that requires a primary (like tubehax) to install.
    reinand - first full featured New3ds cfw.

    menuhax - secondary home menu exploit that allows boot time userland execution. Fantastic when paired with cfw launchers save for the annoyingly unreliable *hax bootrates on 9.2. a favorite among homebrew peasants, and the sworn enemy of the late Margen67
    browserhax - primary browser exploits for old/new 3ds that would be updated on and off over the coming months.

    sky3ds+ released. bypasses cart-based AP in recent games and adds filesystem-based game loading among other features.

    32c3 hacker conference - snshax, arm9loaderhax, memchunkhax2, ntrcardhax revealed. Userland exploits menuhax, and ironfall were updated too.

    10.x downgrading to 9.2 released. steveice10 implements. biggest PM group in the history of GBAtemp forged in secret ;p Downgrading patched with 10.4.

    arm9loaderhax emerges, lumbering and crushing everything in its path. menuhax peasants begin their suffering.
    aureinand/luma3ds - fork of reinand that took the cfw's features to a new level. The authors, aurora wright and tuxsh, had a public falling out with the original author, reisukaku, and subsequently cut all ties with him by first renaming the project from aureinand to luma3ds, then removing the fork status altogether. It is currently the most popular cfw today (11/2017).

    aliaspider releases memchunkhax2.1, allowing downgrades to 9.2 to resume. calls it svchax for reasons only known to him. This new k11 sploit would last through 10.7.

    stupid lolcat finally reveals the dsiware firm downgrade method after hinting about it for months. This allows the 9.2 downgrading to resume yet again (given a second fully hacked system). Nintendo privately thinks it's pretty cool, ignores it. Fieldrunners sales skyrocket.

    arm9loaderhax becomes even more irresistible due to ctrnand transfer (shortens install time on both new/old 3ds) and otpless (instant new3ds install). Otpless was later scuttled (from 3ds.guide) due to a low chance of random bricking.

    33c3. yes, more megatonhax. First off, Soundhax, free userland primary for a system app so almost all 3ds's are vulnerable. Fasthax, another k11 sploit, is revealed. Both of these are by scene newcomer nedwill, and are immediately released. Scene veteran derrek then reveals sighax, a bootrom vuln that allows one to sign arbitrary firmware code. He also reveals vague details on how he dumped the 3ds arm9/arm11 bootroms. No actual code releases from derrek though.

    New arm9 sploit safehax is released by appleTinivi after an anon posted the method on 3dbrew.org. So now, full control is possible up to firm 11.2. People usually use this to ctrnand downgrade to 2.1, get the otp, then restore original nand and install a9lh.

    11.3 is released and Fasthax/safehax are fixed. Firm downgrading with dsiware or hardmod is also fixed.
    Gatway promises support for 11.3 and new exciting stuff for their loyal customers. Go to 9/2017 to see how that turned out.

    11.4 is released fixing a previously unknown k11 vuln, udsploit. Smealum releases that exploit for those still on 11.3. Soon after, AppleTinivi updates safehax for 11.3 due to an oversight in Nintendo's previous safehax fix. a9lh masterrace resumes for a little longer.

    33.5c3. An unofficial sequel to the blockbuster 33c3 sees sighax implemented. This version is called boot9strap, since it adds the feature of being able to dump the bootroms in software. Ntrboot, a method to hack any 3ds at boot-time with a modified ds flashcard (made possible mostly with sighax/boot9strap), is theorized and confirmed privately. Since firms can now be forged with nothing more than nand access, the dsiware transfer and hardmod methods of installing cfw resume on latest firmware.

    The New2dsXL is released in Australia and it is discovered to have the same vulnerable bootroms as 3ds's manufactured 7 years ago, making people concerned for the 1000000th time if Nintendo knows what it's doing.

    ntrboot is finally released starting with support for just the ak2i and r4ids.cn flashcards but quickly growing to many others. A new generation of Nintendo homebrewers discovers the utter joy of trying to figure out what DS flashcard clone they actually have and if it's actually good for anything.

    Gateway team reveals what they have been working on for the last several months: ditching their old flashcard and making a new one of course. It's called Stargate and is supposed to be a hybrid of ntrboot card, ds card, and sky3ds. It's expensive ($80), and already has been delayed several times. Soon.

    Someone reveals a method to brute-force the 3ds's movable.sed with only the Local Friend Code Seed, which is obtainable in userland and below. This allows people to inject hacked dsiware and install B9S with only one 3ds. Seedminer is the name of the implementation of this vulnerability.


    I probably missed some things, but that's a pretty good start. Let me know if there are any important omissions.
    Last edited by zoogie, Feb 16, 2018 at 12:53 PM
  9. yifan_lu

    yifan_lu @yifanlu

    Apr 28, 2007
    United States
    You forgot about the best cfw, Cosmos3DS :D (don't mind me just shit posting)
    julialy, RY0M43CH1Z3N, Coc4tm and 6 others like this.
  10. TheCyberQuake

    TheCyberQuake Certified Geek

    Dec 2, 2014
    United States
    Las Vegas, Nevada
    It's weird to look back and realize that only a year or so ago is when the scene really took off.
  11. Pokem

    Pokem GBAtemp Advanced Fan

    Jul 22, 2016
    United States
    wow, that was very interesting and fun to read.

    — Posts automatically merged - Please don't double post! —

    ikr, so much has happened in a year.
  12. hyprskllz

    hyprskllz GBAtemp Advanced Fan

    Apr 19, 2016
    This is what i'm looking for. A good read for the curious soul.
    Thanks for posting this zoogie. :bow:
  13. Davidosky99

    Davidosky99 Eevee :3

    Jun 7, 2015
    Why isn't this featured.
    And where's STRUYA? :creep:
    zoogie likes this.
  14. Elveman

    Elveman B9S Shitpost Race Smogonite

    GBAtemp Patron
    Elveman is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    Feb 1, 2015
    Moscow city
    There should be also PBT-CFW (After Palantine), Cakes somewhere (in between rxTools and reiNand), the history of Decrypt9 and EmuNAND9 (the last one is important - it allowed users to format their SDs without Gatebrick software), FBI (famous 2.0 ground-up rewrite), hbl-loader, and rxTools trying to get to A9LH and dying out in process. Aside from that, pretty cool and has an explanation of the key points.
    Last edited by Elveman, Sep 29, 2016
    pelago likes this.
  15. zoogie

    zoogie playing around in the dsiware

    Nov 30, 2014
    Micronesia, Federated States of
    I've updated my history post starting 9/2016 to now.
    I know you kids are still reading it. I still get random like notifications for it here and there :P
    Pokem, julialy and RY0M43CH1Z3N like this.
  16. Technicmaster0

    Technicmaster0 GBAtemp Psycho!

    Oct 22, 2011
    Gambia, The
    A few things:
    -Nothing about the disappearing of Neimod?
    -GW Bricks happened in 12/2013, not 1/2014
    -You forgot 3ds link in your list of GW clones that bricked
    -1/2014 came the first multi rom card, the mt-card (back then gw only supported one rom per SD)