3DS Injector

Discussion in '3DS - Flashcards & Custom Firmwares' started by zoogie, Mar 26, 2016.

  1. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,248
    7,917
    Nov 30, 2014
    United States
    This is a nice new CFW-ish thing from our good friend @yifan_lu (GW ultra reversing, spider3dstools). Obviously, don't install this unsigned module to sysnand or you'll likely brick.

    Update: Here is a writeup from the author's blog that explains how things work nicely. It's in a conversational tone, so even novices might want to give it a read!
    Update2: It appears 3ds injector now is part of a larger plan for yifanlu's new cfw!
    https://github.com/yifanlu/Cosmo3DS/releases (a fork of reinand!)
    http://yifan.lu/2016/03/28/cosmo3ds-the-cfw-nobody-wanted/ (another writeup!)
    Note: installation instructions under the "Build" heading in the above readme
    https://github.com/yifanlu/3ds_injector
    Latest release
    https://github.com/yifanlu/3ds_injector/releases
     

    Last edited by zoogie, Mar 28, 2016
    chronoss, Faru, BasedIndex and 6 others like this.


  2. A_Random_Guy

    A_Random_Guy Officially That Dev

    Member
    862
    459
    May 22, 2015
    Malaysia
    Smea's closet
    Woah, any brave soul would care to try this?
     
  3. Dartz150

    Dartz150 GBATemp Official Lolicon Onii-chan™

    Member
    1,406
    845
    May 5, 2010
    Mexico
    On a Strange Journey
    I could try but atm I don't have any out of region content installed on my 3DS.

    Someone with A9LH could try easily without fear with a recovery set up.
     
    1 person likes this.
  4. Shadowtrance

    Shadowtrance GBAtemp Addict

    Member
    2,482
    1,513
    May 9, 2014
    Hervey Bay, Queensland
    I'd mess with it but I can't build it because it needs the latest commit makerom which doesn't want to build for me atm :( (on windows).
     
  5. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,248
    7,917
    Nov 30, 2014
    United States
    I've already built it you know. Attachment. :P
     
    peteruk likes this.
  6. Shadowtrance

    Shadowtrance GBAtemp Addict

    Member
    2,482
    1,513
    May 9, 2014
    Hervey Bay, Queensland
    That doesn't help when i want to mess with stuff in the source before building. :P
     
  7. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,248
    7,917
    Nov 30, 2014
    United States
    I've updated the OP with the padded version of the loader.
    Turns out the patch made by yifanlu is exactly what's needed (9K -> 12K)

    You simply overwrite this file where the loader NCCH begins in the decrypted firm. (Ctrl-F "loader" then back up 0x200)
    If you used Plailect's a9lh guide and aureinand, then the file offsets should be:
    old 0x26400
    new 0x26600

    MD5
    firmware.bin old
    clean 180d297732415d27ca49e69967eb68b6
    patched 5d99ccb9db1a9325b4eadd10d2036df1

    firmware.bin new
    clean 7512abc6bdfddb2fcf10732888ff81e5
    patched d58bf5ce02f1cb4fd631f4bc1adb8bd6

    Interestingly, New 3DS worked for region free, but Old 3DS did not. The loader module did function at least though. Tested with EUR Mario 3D Land legit on US consoles.
     
    Last edited by zoogie, Mar 26, 2016
    peteruk likes this.
  8. yifan_lu

    yifan_lu @yifanlu

    Member
    654
    1,368
    Apr 28, 2007
    United States
    Yeah, I was planning to make a post when it's in a more presentable fashion. It's pretty useless right now--it duplicates Nintendo's code exactly. Also, you need to manually pull the latest version of ctrulib, Project_CTR (makerom), and devkitARM (specifically this patch https://github.com/devkitPro/buildscripts/pull/9) to get it to compile. Hopefully by the time everything is done, all the tools will be updated to support it.

    The goal of this is to provide a basic framework for creating patches for more than just Kernel11. You can patch processes after the .code is loaded to memory but BEFORE the process runs. So you can, for example, patch home menu to skip region checks or NIM to skip update checks and so on without any hacky linear scan of physical memory or the need to query kernel objects every so often to find new processes and so on. I've tested it on 7.4, 9.2, and 9.6 but it should work on any firmware > 2.x (provided you run it with the right CFW that supports it in emunand). If you have patches, make sure they're for the right FW version.

    If you have patches you want to write, please tell me what kind of features you want from such a framework. For example, I will provide a simple search and replace system to load patches like the ones you find in freemultipatcher. I'll also provide support for absolute addresses (you must specify one for each fw version).
     
    Last edited by yifan_lu, Mar 26, 2016
    Faru, Doopl, SLiV3R and 8 others like this.
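    Added example (not code from this thread, from 3ds_injector, or from yifan_lu): a small Python helper for the two procedures described in the posts above, locating the loader NCCH in a decrypted firm by its exheader title and backing up 0x200, and a freemultipatcher-style same-length search-and-replace on a module's .code that refuses to apply when the pattern is not found exactly once (the "wrong FW version" case). The "NCCH" magic check at +0x100 of the header and the constructed sample image are my assumptions, not from the posts.

```python
import hashlib

NCCH_HEADER_SIZE = 0x200   # exheader (title in its first bytes) follows the 0x200-byte NCCH header
NCCH_MAGIC_OFFSET = 0x100  # "NCCH" magic 0x100 into the header (assumed layout, used as a sanity check)


def find_module(firm: bytes, title: bytes = b"loader") -> int:
    """Locate a builtin module the way the post describes: find the exheader
    title, then back up 0x200 to the NCCH header. Checks the magic before trusting it."""
    idx = firm.find(title)
    if idx < NCCH_HEADER_SIZE:
        raise ValueError("module title not found in image")
    start = idx - NCCH_HEADER_SIZE
    if firm[start + NCCH_MAGIC_OFFSET:start + NCCH_MAGIC_OFFSET + 4] != b"NCCH":
        raise ValueError("no NCCH magic at 0x%X; the title match is not a module header" % start)
    return start


def replace_module(firm: bytes, start: int, new_module: bytes) -> bytes:
    """Overwrite the module in place; the image must not grow and the replacement must be an NCCH."""
    if new_module[NCCH_MAGIC_OFFSET:NCCH_MAGIC_OFFSET + 4] != b"NCCH":
        raise ValueError("replacement is not an NCCH")
    end = start + len(new_module)
    if end > len(firm):
        raise ValueError("replacement runs past the end of the image")
    return firm[:start] + new_module + firm[end:]


def search_replace(code: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """Same-length search-and-replace patch; the pattern must occur exactly once,
    so a .code from a different firmware version is rejected instead of mis-patched."""
    if len(pattern) != len(replacement):
        raise ValueError("pattern and replacement differ in length")
    hits = [i for i in range(len(code) - len(pattern) + 1) if code.startswith(pattern, i)]
    if len(hits) != 1:
        raise ValueError("pattern found %d times, expected exactly once" % len(hits))
    return code[:hits[0]] + replacement + code[hits[0] + len(pattern):]


def md5(data: bytes) -> str:
    """MD5 of an image, to compare against a known clean/patched checksum."""
    return hashlib.md5(data).hexdigest()


def make_fake_firm() -> bytes:
    """Constructed sample (not a real firm): padding, a fake loader NCCH, padding."""
    header = bytearray(NCCH_HEADER_SIZE)
    header[NCCH_MAGIC_OFFSET:NCCH_MAGIC_OFFSET + 4] = b"NCCH"
    exheader = b"loader".ljust(0x400, b"\x00")                 # title at exheader start
    code = b"\x01\x00\xa0\xe3\x1e\xff\x2f\xe1" + b"\x00" * 8    # pretend .code: mov r0,#1; bx lr
    return b"\xff" * 0x400 + bytes(header) + exheader + code + b"\xff" * 0x400
```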
  9. yifan_lu

    yifan_lu @yifanlu

    Member
    654
    1,368
    Apr 28, 2007
    United States
    In terms of help, if anyone can PM me with a complete set of decrypted CIAs for FW versions 9.2U, 10.4U, and 10.7U, it would help a lot with testing. Of course I can do it myself, but I would rather waste time programming rather than finding and decrypting stuff.

    EDIT: Got it thanks.
     
    Last edited by yifan_lu, Mar 27, 2016
    Subtle Demise, peteruk and daxtsu like this.
  10. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,248
    7,917
    Nov 30, 2014
    United States
    n3ds or o3ds?
     
  11. yifan_lu

    yifan_lu @yifanlu

    Member
    654
    1,368
    Apr 28, 2007
    United States
    Ideally both (just decrypt all the update files) but N3DS if I have to choose.
     
  12. Asia81

    Asia81 In my Ecchi World <3

    Member
    4,950
    2,434
    Nov 15, 2014
    France
    Albi
    It's useful for?
     
    MattKimura likes this.
  13. Shadowtrance

    Shadowtrance GBAtemp Addict

    Member
    2,482
    1,513
    May 9, 2014
    Hervey Bay, Queensland
    Anything us "E" system users can do to help? :)
    Also, with the example patch you added to test, what would need to be changed to work/test on EUR systems? besides the titleID obviously.
    As always, great work. :)
     
    peteruk likes this.
  14. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,248
    7,917
    Nov 30, 2014
    United States
    tl;dr a better way to patch the OS to do cool tricks.

    If you want to know more, read the following blog post by Yifanlu just released today:
    http://yifan.lu/2016/03/28/3ds-code-injection-through-loader/
    It offers a deeper look into 3ds injector's inner workings and how to use it.
     
  15. Shadowtrance

    Shadowtrance GBAtemp Addict

    Member
    2,482
    1,513
    May 9, 2014
    Hervey Bay, Queensland
    Tried the latest one earlier, works a treat for region free. NEARLY got rid of my need for NTR. (out of region dlc still needs NTR stuff to work :( )
     
    peteruk and zoogie like this.
  16. TVL

    TVL #|

    Member
    466
    207
    Feb 17, 2004
    World -1
    I didn't really get what this was offering, but the stuff mentioned under loader-based CFWs really sounds interesting.
     
    peteruk likes this.
  17. peteruk

    peteruk GBAtemp Maniac

    Member
    1,397
    634
    Jun 26, 2015
    So this one is targeting emunand users only?
     
  18. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,248
    7,917
    Nov 30, 2014
    United States
    Umm, I wouldn't say that. It should theoretically work for anything that uses firmlaunch. a9lh too.
     
    peteruk likes this.
  19. peteruk

    peteruk GBAtemp Maniac

    Member
    1,397
    634
    Jun 26, 2015
    Thanks, it wasn't 100% clear if sysnand only users were able to use it, appreciate your comment
     
  20. Shadowtrance

    Shadowtrance GBAtemp Addict

    Member
    2,482
    1,513
    May 9, 2014
    Hervey Bay, Queensland
    No, it works with sysnand too. I run it on my updated a9lh n3ds with aureinand. :)
     
    zoogie and peteruk like this.