1. sofakng

    OP sofakng GBAtemp Regular
    I've downgraded my N3DS from 10.3 to 9.2 and installed EmuNAND9 and other things. Everything is working great but as an engineer I like to understand how things work so I have a couple of questions.

    Do I understand the boot process correctly?

    1) Power on 3DS.
    2) 3DS will always boot to SysNAND.
    3) MenuHax exploit will cause SD:\boot.3dsx to run.
    3a) This executable is unsigned, so how is it allowed to run?
    4) boot.3dsx was replaced with CtrBootManager so it is the executable that will run.
    5) CtrBootManager loads rxTools (SD:\rxTools\sys\code.bin)
    6) rxTools will "reboot" the system into EmuNAND.
     
  2. juniorcba

    juniorcba Advanced Member
    3a is explained by 3: it is allowed to run by the exploit!
    5) It loads whatever you want, rxTools included, because the hax just happened.

    6) Wrong, it will make your 3DS use EmuNAND to boot the system. It is lost when you reboot, and you have to hax again (hold L if MenuHax is installed).
    edit: Or it will work as Urbanshadow said; I just say that because if you trigger MenuHax after the rxTools reboot (into the Pasta menu or into SysNAND rx mode), the remaps must be lost, because it goes through the same route as before.
     
    Last edited by juniorcba, Jan 11, 2016
  3. Urbanshadow

    Urbanshadow GBAtemp Maniac
    3a: as you say, MenuHax is an exploit which escalates to unsigned user code execution.
    4: CtrBootManager, as well as other 3dsx files, uses one permission escalation or another to gain kernel-level execution if the 3DS version is lower than or equal to 9.2 (mainly libkhax).
    5: CtrBootManager launches a kernel-level payload (in this case, code.bin) with an offset (0x12000).
    6: rxTools will remap NAND access to the SD EmuNAND and start the boot process again (with signature checks disabled).
     
    Last edited by Urbanshadow, Jan 11, 2016
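Since question 3a (why an unsigned SD:\boot.3dsx is allowed to run at all) is the crux of the first three posts, here is an added example that is not code from this thread nor from CtrBootManager, rxTools or any other project named above. It parses the public 3DSX header layout (magic, header size, relocation-header size, version, flags, and the code/rodata/data/bss sizes) with bounds checks, and the point it makes is structural: the format carries no signature or certificate field, because a 3DSX is only ever loaded by code that already runs under an exploit. The function names `parse_3dsx` and `build_sample_3dsx` and the 80-byte sample image are illustrative constructions, not a real homebrew binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 3DSX header (little-endian) as read by homebrew loaders from SD:\boot.3dsx.
 * Note what is absent: no signature, no certificate. The format assumes the
 * loader itself was reached through an exploit, which answers step 3a. */
struct hdr3dsx {
    uint16_t header_size;     /* 0x04: 32, or 44 with the extended header */
    uint16_t reloc_hdr_size;  /* 0x06: size of each of the 3 relocation headers */
    uint32_t format_ver;      /* 0x08 */
    uint32_t flags;           /* 0x0C */
    uint32_t code_size;       /* 0x10 */
    uint32_t rodata_size;     /* 0x14 */
    uint32_t data_size;       /* 0x18: .data size, .bss included */
    uint32_t bss_size;        /* 0x1C: .bss part of data_size, not stored in file */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Parse and sanity-check a 3DSX image held in buf[0..len).
 * Returns 0 on success, a negative code naming the failed check otherwise. */
int parse_3dsx(const uint8_t *buf, size_t len, struct hdr3dsx *out)
{
    struct hdr3dsx h;
    uint64_t need;

    if (len < 32 || memcmp(buf, "3DSX", 4) != 0)
        return -1;                          /* too short or bad magic */

    h.header_size    = rd16(buf + 0x04);
    h.reloc_hdr_size = rd16(buf + 0x06);
    h.format_ver     = rd32(buf + 0x08);
    h.flags          = rd32(buf + 0x0C);
    h.code_size      = rd32(buf + 0x10);
    h.rodata_size    = rd32(buf + 0x14);
    h.data_size      = rd32(buf + 0x18);
    h.bss_size       = rd32(buf + 0x1C);

    if (h.header_size < 32 || h.header_size > len)
        return -2;                          /* header claims more than we have */
    if (h.bss_size > h.data_size)
        return -3;                          /* .bss cannot exceed .data */

    /* Lower bound on the file size implied by the header: header, three
     * relocation headers, then the three segments (bss is not stored).
     * 64-bit arithmetic so a hostile header cannot wrap this sum. */
    need = (uint64_t)h.header_size + 3ull * h.reloc_hdr_size
         + h.code_size + h.rodata_size + (h.data_size - h.bss_size);
    if (need > len)
        return -4;                          /* segment sizes overrun the file */

    *out = h;
    return 0;
}

/* Constructed sample image (not a real homebrew binary): a valid 32-byte
 * header followed by zero-filled relocation headers and segments.
 * Writes 80 bytes into buf and returns that length. */
size_t build_sample_3dsx(uint8_t *buf)
{
    memset(buf, 0, 80);
    memcpy(buf, "3DSX", 4);
    wr16(buf + 0x04, 32);   /* header_size */
    wr16(buf + 0x06, 8);    /* reloc_hdr_size */
    wr32(buf + 0x08, 0);    /* format_ver */
    wr32(buf + 0x0C, 0);    /* flags */
    wr32(buf + 0x10, 16);   /* code */
    wr32(buf + 0x14, 4);    /* rodata */
    wr32(buf + 0x18, 8);    /* data incl. bss */
    wr32(buf + 0x1C, 4);    /* bss */
    return 32 + 3 * 8 + 16 + 4 + (8 - 4);   /* = 80 */
}

int main(void)
{
    uint8_t img[80];
    struct hdr3dsx h;
    size_t len = build_sample_3dsx(img);

    if (parse_3dsx(img, len, &h) == 0)
        printf("3DSX ok: code=%u rodata=%u data=%u bss=%u\n",
               h.code_size, h.rodata_size, h.data_size, h.bss_size);
    /* A truncated copy is rejected instead of being read past its end. */
    printf("truncated image -> %d\n", parse_3dsx(img, 40, &h));
    return 0;
}
```

Run it and the sample parses cleanly while the truncated copy fails with -4; what a real loader then does is copy the segments into memory, apply the relocation tables and jump to the code segment, and at no point is there anything to verify against a key. That is why the exploit, not the file, is what "allows" boot.3dsx to run.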
  4. ZoneBlaze

    ZoneBlaze GBAtemp Regular
    "ninjhax is a piece of software that allows you to run unsigned code on your 3DS. In practice, this means being able to run homebrew applications such as games, tools and emulators!"
    This exploit is installed through other exploits.

    Or at least I think so .-.
     
  5. sofakng

    OP sofakng GBAtemp Regular
    Is the permission escalation/kernel execution (libkhax) the step that requires the 9.2 firmware?

    I'm assuming that's true because MenuHax works on 10.3, but doesn't work with CFW (if I understand correctly)

    I'm not sure how ninjhax fits into all of this? Is that the kernel exploit used by CtrBootManager/Homebrew Launcher?
     
  6. The Real Jdbye

    The Real Jdbye *is birb*
    Actually, it does soft reset the 3DS after loading a new FIRM binary into memory and applying some patches to redirect NAND access, disable signature checks and such.

    Actually, libkhax supports memchunkhax2 now, so it will work on 10.3; what doesn't work is the ARM9 exploit (firmlaunch-hax), which was patched in 9.5. Technically 9.3/9.4 can support CFW now.
     
    Last edited by The Real Jdbye, Jan 11, 2016
  7. Urbanshadow

    Urbanshadow GBAtemp Maniac
    Step by step, please. Is it CtrBootManager, rxTools 3dsx, Cakes 3dsx or anything that uses libkhax that is not working on 10.3? Yes, because the permission escalation was fixed in 9.3.

    Ninjhax was the original user-mode exploit for the Cubic Ninja game. Pretty much any *hax is derived from it or pursues the same objective: to run a 3dsx in 3DS user mode. The kernel-mode escalation can be done from there, but it's not the same thing.
     
  8. sofakng

    OP sofakng GBAtemp Regular
    OK - Let me try to follow it through again...

    BrowserHax is the first exploit I used. That is a user-land exploit, right? By executing that, it allows unsigned code to run, right? I understand that user-land exploits are often very limited, though, so I'm guessing you couldn't replace firmware or do other "advanced" things.

    Could you run an unsigned 3DS game from that, or would you need a higher-level kernel exploit?
     
  9. Josephvb10

    Josephvb10 GBAtemp Advanced Fan
    No. For that we need an ARM9 exploit.
     