Do I understand the boot process for CFW (i.e. rxTools, etc) ?

Discussion in '3DS - Flashcards & Custom Firmwares' started by sofakng, Jan 11, 2016.

  1. sofakng
    OP

    I've downgraded my N3DS from 10.3 to 9.2 and installed EmuNAND9 and other things. Everything is working great, but as an engineer I like to understand how things work, so I have a couple of questions.

    Do I understand the boot process correctly?

    1) Power on 3DS.
    2) 3DS will always boot to SysNAND.
    3) MenuHax exploit will cause SD:\boot.3dsx to run.
    3a) This executable is unsigned, so how is it allowed to run?
    4) boot.3dsx was replaced with CtrBootManager so it is the executable that will run.
    5) CtrBootManager loads rxTools (SD:\rxTools\sys\code.bin)
    6) rxTools will "reboot" the system into EmuNAND.
     
  2. juniorcba

    3a is explained by 3: it is allowed to run by the exploit!
    5) It loads whatever you want it to, rxTools included, because the hax just happened.

    6) Wrong, it will make your 3DS use EmuNAND to boot the system. It is lost when you reboot, and you have to hax again (hold L if MenuHax is installed).
    Edit: Or it will work as Urbanshadow said. I just say that because if you trigger MenuHax after the rxTools reboot (into the Pasta menu or into SysNAND rx mode) the remaps must be lost, because it goes through the same route as before.
     
    Last edited by juniorcba, Jan 11, 2016
  3. Urbanshadow

    3a: As you say, MenuHax is an exploit which escalates unsigned user code execution.
    4: CtrBootManager, as well as other 3dsx files, uses one permission escalation or another to gain kernel-level execution if the 3DS version is lower than or equal to 9.2 (mainly libkhax).
    5: CtrBootManager launches a kernel-level payload (in this case, code.bin) with an offset (0x12000).
    6: rxTools will remap the NAND access to the SD EmuNAND and start the boot process again (with signature checks disabled).
     
    Last edited by Urbanshadow, Jan 11, 2016
  4. ZoneBlaze

    "ninjhax is a piece of software that allows you to run unsigned code on your 3DS. In practice, this means being able to run homebrew applications such as games, tools and emulators!"
    This exploit is installed through other exploits.

    Or, at least I think so .-.
     
  5. sofakng
    OP

    Is the permission escalation/kernel execution (libkhax) the step that requires the 9.2 firmware?

    I'm assuming that's true because MenuHax works on 10.3, but doesn't work with CFW (if I understand correctly).

    I'm not sure how ninjhax fits into all of this? Is that the kernel exploit used by CtrBootManager/Homebrew Launcher?
     
  6. The Real Jdbye

    Actually, it does soft reset the 3DS after loading a new FIRM binary into memory and applying some patches to redirect NAND access, disable signature checks and such.

    Actually, libkhax supports memchunkhax2 now, so it will work on 10.3; what doesn't work is the ARM9 exploit (firmlaunch-hax), which was patched in 9.5. Technically 9.3/9.4 can support CFW now.
     
    Last edited by The Real Jdbye, Jan 11, 2016
  7. Urbanshadow

    Step by step, please. Is CtrBootManager, rxTools 3dsx, Cakes 3dsx or anything that uses libkhax what is not working on 10.3? Yes, because the permission escalation was fixed in 9.3.

    Ninjhax was the original user mode exploit for the Cubic Ninja game. Pretty much any *hax is derived from it or pursues the same objective: to run a 3dsx in 3DS user mode. The kernel mode escalation can be done from there, but it's not the same thing.
     
  8. sofakng
    OP

    OK - Let me try to follow it through again...

    BrowserHax is the first exploit I used. That is a user-land exploit, right? By executing that, it allows unsigned code to run, right? I understand that user-land exploits are often very limited, though, so I'm guessing you couldn't replace firmware or do other "advanced" things.

    Could you run an unsigned 3DS game from that, or would you need a higher-level kernel exploit?
     
  9. Josephvb10

    No. For that we need an ARM9 exploit.