​

​

(complete video of the talk - uploaded Oct. 22, 2018)

UPDATE (10-23-18): This hack was patched on 11.8 and was never publicly implemented
Please use Frogminer -> Free B9S cfw, works on 11.8, covers all major regions
(disclosure: Frogminer is my hack, but it serves the same purpose smeahax originally promised, so it's relevant here)​

​

It looks like our old 3DS scene pal @smealum has returned to the limelight! Famous for his groundbreaking Ninjhax, Ironhax, and Tubehax userland exploits, and the udsploit kernel11 hax, Smea is back and better than ever with a total of four new exploits set to be revealed this Saturday at Defcon 26 in Las Vegas! So if you never got on the CFW bandwagon (full control of your 3DS with all the implied benefits), you'd better come and tune in with us this Saturday at 11:00 am PT sharp!​

Slides and Additional Videos

MHAX userland
ROHAX2 priv. escalation
ZHAX kernel11
TWLHAX arm9

(please wait for the guide to be updated for instructions)
^ skeletonwaiting.gif

code for my full 3DS exploit chain is available on GitHub https://t.co/7tp679fBEO https://t.co/d98VJ0kfX3 https://t.co/BuFKA3CcSv https://t.co/yypeZTMDpN

— smea (@smealum) August 11, 2018

​

 

[TurdPooCharger]

How does NTRBoot not work for you? It's a bootrom expoit, there's no reason why it shouldn't work

Honestly I am more confused by the notion that NTRBoot isn't working for them. There's literally no reason for it not to be working if they did everything right

Here are two cases of ntrboot failure. Absolutely beyond a doubt user error was not the issue. Extremely rare, but it can happen.

• Ntrboothax not working?
• Please tell me how to fix this!

 

[Insane]

But for him it is, because he cannot buy a flashcart or do online shopping in his country at all (e.g. Uruguay, Philipines). So no user error, but inability to get the hardware required. (Hence the proposal of hard-mod).

 

[TurdPooCharger]

But for him it is, because he cannot buy a flashcart or do online shopping in his country at all (Mexico would be my guess for a country like that). So no user error, but inability to get the hardware required. (Hence the proposal of hard-mod).

Oh, that I read. We can't do much to help him with restrictions on acquiring hard goods.

I just wanted to inform that the ntrboot method is not failproof. I think I read one or two other accounts here, but those 3DS users never followed up with verifying end results on their ntrboot attempts.

 

[Insane]

Oh, that I read. We can't do much to help him with restrictions on acquiring hard goods.

I just wanted to inform that the ntrboot method is not failproof. I think I read one or two other accounts here, but those 3DS users never followed up with verifying end results on their ntrboot attempts.

Which is good mentioning! I just wanted to put the hardmod option out there, as I assume, that he/she can get this done at a random repair shop with a proper manual. At least with a hardmod nand backup he/she the chance of bricking due to user error are lower, as the backup can be restored without a booting 3ds.

I must say: I hacked like 15 3ds with the NTRBOOT method and never had an issue (okay I also did not have an issue with the "no downgrade" method when hacking the 3 new 3ds)

 

[zoogie]

For those still waiting around for this, I suggest just trying this instead.
https://jisagi.github.io/FrogminerGuide/

Totally free cfw on latest firm for all major regions US,EU,JP.

If you still want to hold out for twlhax etc.; be my guest, but no one is working on it to my knowledge.

 

[jimmyj]

why is it not being implemented though? I don't need it but it's nice for someone who can't buy a ntrboot cart

 

[lAkdaOpeKA]

why is it not being implemented though? I don't need it but it's nice for someone who can't buy a ntrboot cart

Apparently the source code is incomplete and nobody managed to figure out what's missing. But there's frogminer now so it doesn't matter all that much

 

[zoogie]

why is it not being implemented though? I don't need it but it's nice for someone who can't buy a ntrboot cart

The entirely practical reason is because it's blocked on 11.8.
Also what zacchi4k said.

 

[Blue]

For those still waiting around for this, I suggest just trying this instead.
https://jisagi.github.io/FrogminerGuide/

Totally free cfw on latest firm for all major regions US,EU,JP.

If you still want to hold out for twlhax etc.; be my guest, but no one is working on it to my knowledge.

Nice! Didn't know this was a thing, I had CFW for a while got banned on Sun/Moon early, uninstalled B9S and updated it and tried to sell it then neglected it for a few months. Luckily the ban didn't affect eshop so I can still get SteelDiver.

 

[Ryab]

Nice! Didn't know this was a thing, I had CFW for a while got banned on Sun/Moon early, uninstalled B9S and updated it and tried to sell it then neglected it for a few months. Luckily the ban didn't affect eshop so I can still get SteelDiver.

they most likely NNID banned you thats why

 

[Blue]

they most likely NNID banned you thats why

Oh I messed up... I formatted it now (cause it kept giving connection errors) so I lost the NNID, now because of the NNID ban I can't link a new one. And Steel Diver requires a NNID to be installed

 

[Insane]

why is it not being implemented though? I don't need it but it's nice for someone who can't buy a ntrboot cart

Well I believe the requirements for the exploit are: can't buy an NTRBoot card (which to be honest, you can get on nearly every street corner for 15$ or use your old DS card for that purpose) AND doesn't know anybody with an ntrboot card, cannot solder (otherwise we'd hardmod it) and on top of that did not update to 11.8. So I guess those 2 guys are out of luck.

 

[jimmyj]

Apparently the source code is incomplete and nobody managed to figure out what's missing. But there's frogminer now so it doesn't matter all that much

why did smea leave it incomplete ?

 

[SRKTiberious]

So, I read through the frogminer tutorial, and the Steelminer bit seems to rely on someone else either getting a movable_part1 or for brute-forcing.

Is there a 'self-sufficient' method available? One where you can retrieve your own movable_part1.sed and brute-forcing it yourself?

 

[zoogie]

So, I read through the frogminer tutorial, and the Steelminer bit seems to rely on someone else either getting a movable_part1 or for brute-forcing.

Is there a 'self-sufficient' method available? One where you can retrieve your own movable_part1.sed and brute-forcing it yourself?

The way the guide words it makes the process sound like a "social" experience when in practice it's really very automatic.
You put your info into this site https://bruteforcemovable.com/ and a few minutes later it spits out your movable.sed.
It's pretty easy.

You can bruteforce your own movable.sed but that process requires your own PC with a discrete GPU and a decent amount of computer literacy.
I would recommend the automatic way to almost everybody.

 

[SirNapkin1334]

Apparently the source code is incomplete and nobody managed to figure out what's missing. But there's frogminer now so it doesn't matter all that much

Why doesn’t smea like...complete the code?

 

[The Catboy]

why did smea leave it incomplete ?

Most likely because he actually already sold the code to Nintendo and chances are this is what he was allowed release. Literally just a shot in the dark, based on some evidence and speculation.

 

[jimmyj]

Most likely because he actually already sold the code Nintendo and chances are this is what he was allowed release. Literally just a shot in the dark, based on some evidence and speculation.

well I suppose frogminer will save all the other people and not twl hax anymore

 

[zoogie]

First post updated with a youtube video of Smea's 3ds talk.

A reminder that what's shown in the video is still patched on latest firm and still not in a usable state.
But don't despair; if you want completely free cfw on latest firmware, this is still available: https://jisagi.github.io/FrogminerGuide/