Homebrew ARM9Loader -- Technical Details and Discussion

  • Thread starter Thread starter Selver
  • Start date Start date
  • Views Views 578,851
  • Replies Replies 4,025
  • Likes Likes 42
Actually no. I just swapped CTRNAND, AGBSAVE, TWLN, and TWLP of emunand with sysnand. (As long as the FIRM partitions aren't touched, A9L survives this). I had a 10.5 emunand. I basically just transferred that to my sysannd and used the 9.2 sysnand I had before as my emunand. :P

You have to swap the individual partitions though. Octopus Rift made the mistake of writing the entire 10.5 emunand partition to his sysnand. He ended up with a non exploitable 10.5 console. :P

Though he did manage downgrade it without a nand mod though. The details of which I'm not at liberty to discuss as the moment.
that sounds ultra confusing lol :wacko:
 
You know, this whole thing is peachy and all, but I'd really like to hear a simpler explanation on what the A9lh installer is doing to the keystore, FIRM0 and FIRM1.
I understand that the 0x5C000 section is an unused NAND region that contains the payload executor, but I'm still not too sure about what the other three are for.
 
Well I used Decrypt9 to do it. I simply saved all the partitions from emunand with "9" appended to the name. Then exported partitions from sysnand with no number appended. Then transferred the "9" appended partitions to sysnand and the others to emunand. You don't have to remember all the partitions. Just go by the rule of not touching FIRM0 and FIRM1 and you'll be fine. :P
 
Actually no. I just swapped CTRNAND, AGBSAVE, TWLN, and TWLP of emunand with sysnand. (As long as the FIRM partitions aren't touched, A9L survives this). I had a 10.5 emunand. I basically just transferred that to my sysannd and used the 9.2 sysnand I had before as my emunand. :P
hmm. Does the eShop work? (means the Native FIRM transferred over as well.) I wouldn't mind trying it out, but I'd rather wait for a a9lh supported sysNAND restore/backup tool before I mess with my sysNAND :P
 
Well I used Decrypt9 to do it. I simply saved all the partitions from emunand with "9" appended to the name. Then exported partitions from sysnand with no number appended. Then transferred the "9" appended partitions to sysnand and the others to emunand. You don't have to remember all the partitions. Just go by the rule of not touching FIRM0 and FIRM1 and you'll be fine. :P
oh that sounds easy to do then but I'll take the safe route and wait for there to be a better way to update sysnand with a9lh.
 
On my new 10.5 sysnand yes it does. It would work on 9.2 emunand too, but I'd have to install NFC module, update eShop and NVER, then use the eShop spoof. Something I'm too lazy to do right now. :P

But the main benefit of this is that my "exploitable" nand is now my emunand. As long as A9L isn't broken, it's nearly impossible to brick sysnand now. I can just use A9L to boot my exploitable 9.2 emunand and run Decrypt9 to fix it. :D
 
Last edited by Apache Thunder,
This is pretty confusing.
Will I be able to launch reinand from emunand with this? I have an image of my whole sd card. So I'd like to know beforehand if I will be able to use that with arm9 payload.
Thanks!
 
This is pretty confusing.
Will I be able to launch reinand from emunand with this? I have an image of my whole sd card. So I'd like to know beforehand if I will be able to use that with arm9 payload.
Thanks!
my reinand mod works fine on my o3ds using a9lh :)
 
You know, this whole thing is peachy and all, but I'd really like to hear a simpler explanation on what the A9lh installer is doing to the keystore, FIRM0 and FIRM1.
I understand that the 0x5C000 section is an unused NAND region that contains the payload executor, but I'm still not too sure about what the other three are for.
FIRM0 and FIRM1 are corrupted by being decrypted by a corrupted key (which is the one we want when you encrypt it with your OTP). FIRM1 is being decrypted as garbage, and the instruction it's jumped on is a jump to the unused NAND sector.
  1. FIRM partitions are still signed
  2. FIRM partitions are corrupted in a specific way when decrypted with the keystore
  3. Corrupted FIRM partition loads our code
 
This is pretty confusing.
Will I be able to launch reinand from emunand with this? I have an image of my whole sd card. So I'd like to know beforehand if I will be able to use that with arm9 payload.
Thanks!
You can. However, downgrading to 2.1 to dump the OTP has a high brick rate if you don't do it right. (especially on N3DS)
 
Could you explain how you did that? I mean right now ctrbootmanager launches reinand. How did you make arm9loader do it instead?
followed the instructions the reinand mod thread has on the OP and got some extra help to double check I had everything in the right places. afterwards I ran a9lh through homebrew menu on sysnand and now it cold boots emunand or a patched 9.2 sysnand if I hold L+R at boot.
 
  • Like
Reactions: LooneyElsa
You can. However, downgrading to 2.1 to dump the OTP has a high brick rate if you don't do it right. (especially on N3DS)
I see. Well I do have multiple sysnand backups and some soldering skills. ( ͡° ͜ʖ ͡°)
I'm at the part where I have to downgrade emunand, process it with a new "windows.py" script and reflash it on sysnand.
 
I see. Well I do have multiple sysnand backups and some soldering skills. ( ͡° ͜ʖ ͡°)
I'm at the part where I have to downgrade emunand, process it with a new "windows.py" script and reflash it on sysnand.
Hold on right here! Are you using the new Windows.py script ?
 
  • Like
Reactions: LooneyElsa
My 3DS has been sitting on "Exploiting arm9..." for 15 minutes after I launched the .3dsx. Should I turn it off...?
 
I see. Well I do have multiple sysnand backups and some soldering skills. ( ͡° ͜ʖ ͡°)
I'm at the part where I have to downgrade emunand, process it with a new "windows.py" script and reflash it on sysnand.
well you are gtg, after you get the OPT either compile it yourself or have someone else compile it for you.
 

Site & Scene News

Popular threads in this forum