Do I understand the boot process for CFW (i.e. rxTools, etc)?

sofakng

I've downgraded my N3DS from 10.3 to 9.2 and installed EmuNAND9 and other things. Everything is working great but as an engineer I like to understand how things work so I have a couple of questions.

Do I understand the boot process correctly?

1) Power on 3DS.
2) 3DS will always boot to SysNAND.
3) MenuHax exploit will cause SD:\boot.3dsx to run.
3a) This executable is unsigned so how is it allowed to run?
4) boot.3dsx was replaced with CtrBootManager so it is the executable that will run.
5) CtrBootManager loads rxTools (SD:\rxTools\sys\code.bin)
6) rxTools will "reboot" the system into EmuNAND.
 

juniorcba

Well-Known Member
Newcomer
Joined
Aug 23, 2007
Messages
83
Trophies
0
Age
40
XP
645
Country
Brazil
3a is explained by 3: it is allowed to run by the exploit!
5) It loads whatever you want it to, rxTools included, because the hax just happened.

6) Wrong: it will make your 3DS use EmuNAND to boot the system. It is lost when you reboot, and you have to hax again (hold L if MenuHax is installed).
edit: Or it will work as Urbanshadow said; I just say that because if you trigger MenuHax after the rxTools reboot (into the Pasta menu or into SysNAND rx mode) the remaps must be lost, because it goes the same route as before again.

Urbanshadow

1) Power on 3DS.
2) 3DS will always boot to SysNAND.
3) MenuHax exploit will cause SD:\boot.3dsx to run.
3a) This executable is unsigned so how is it allowed to run?
4) boot.3dsx was replaced with CtrBootManager so it is the executable that will run.
5) CtrBootManager loads rxTools (SD:\rxTools\sys\code.bin)
6) rxTools will "reboot" the system into EmuNAND.

3a: As you say, MenuHax is an exploit which escalates to unsigned user code execution.
4: CtrBootManager, as well as other 3dsx files, uses one or another permission escalation to gain kernel level execution if the 3DS version is lower than or equal to 9.2 (mainly libkhax).
5: CtrBootManager launches a kernel level payload (in this case, code.bin) with an offset (0x12000).
6: rxTools will remap NAND access to the SD EmuNAND and start the boot process again (with signature checks disabled).

ZoneBlaze

"ninjhax is a piece of software that allows you to run unsigned code on your 3DS. In practice, this means being able to run homebrew applications such as games, tools and emulators!"
This exploit is installed through other exploits.

Or, at least I think so .-.
 

sofakng

Is the permission escalation/kernel execution (libkhax) the step that requires the 9.2 firmware?

I'm assuming that's true because MenuHax works on 10.3, but doesn't work with CFW (if I understand correctly)


"ninjhax is a piece of software that allows you to run unsigned code on your 3DS. In practice, this means being able to run homebrew applications such as games, tools and emulators!"
This exploit is installed through other exploits.

Or, at least I think so .-.
I'm not sure how ninjhax fits into all of this? Is that the kernel exploit used by CtrBootManager/Homebrew Launcher?
 

The Real Jdbye

3a is explained by 3: it is allowed to run by the exploit!
5) It loads whatever you want it to, rxTools included, because the hax just happened.

6) Wrong: it will make your 3DS use EmuNAND to boot the system. It is lost when you reboot, and you have to hax again (hold L if MenuHax is installed).
edit: Or it will work as Urbanshadow said; I just say that because if you trigger MenuHax after the rxTools reboot (into the Pasta menu or into SysNAND rx mode) the remaps must be lost, because it goes the same route as before again.
Actually, it does soft reset the 3DS after loading a new FIRM binary into memory and applying some patches to redirect NAND access, disable signature checks and such.

Is the permission escalation/kernel execution (libkhax) the step that requires the 9.2 firmware?

I'm assuming that's true because MenuHax works on 10.3, but doesn't work with CFW (if I understand correctly)



I'm not sure how ninjhax fits into all of this? Is that the kernel exploit used by CtrBootManager/Homebrew Launcher?
Actually, libkhax supports memchunkhax2 now, so it will work on 10.3; what doesn't work is the ARM9 exploit (firmlaunch-hax), which was patched in 9.5. Technically 9.3/9.4 can support CFW now.

Urbanshadow

Is the permission escalation/kernel execution (libkhax) the step that requires the 9.2 firmware?

I'm assuming that's true because MenuHax works on 10.3, but doesn't work with CFW (if I understand correctly)



I'm not sure how ninjhax fits into all of this? Is that the kernel exploit used by CtrBootManager/Homebrew Launcher?

Step by step, please. Is CtrBootManager, rxTools 3dsx, Cakes 3dsx or anything that uses libkhax what is not working on 10.3? Yes, because the permission escalation was fixed in 9.3.

Ninjhax was the original user mode exploit, for the Cubic Ninja game. Pretty much any *hax is derived from it or pursues the same objective: to run a 3dsx in 3DS user mode. The kernel mode escalation can be done from there, but it's not the same thing.
 

sofakng

OK - Let me try to follow it through again...

BrowserHax is the first exploit I used. That is a user-land exploit, right? By executing that it allows for unsigned code to run, right? I understand that user-land exploits are often very limited though so I'm guessing you couldn't replace firmware or other "advanced" things.

Could you run an unsigned 3DS game from that, or would you need a higher-level kernel exploit?
 

Astoria

OK - Let me try to follow it through again...

BrowserHax is the first exploit I used. That is a user-land exploit, right? By executing that it allows for unsigned code to run, right? I understand that user-land exploits are often very limited though so I'm guessing you couldn't replace firmware or other "advanced" things.

Could you run an unsigned 3DS game from that, or would you need a higher-level kernel exploit?

No. For that we need an ARM9 exploit.
 
