THAT was actually more helpful.
But do you know how that large string actually reaches those configs? How does the handshake work between the card and the 3DS? How does the flash card trick the 3DS into breaking out of the protected environment to gain kernel access?
Or is that just it? After the 3DS starts communicating with the card, it simply sends a string that does the whole trick?
I would like a detailed description of the whole process, do you have a link?
This is how the first exploit works: too-long or corrupted strings (01Ah 2 Nickname length in characters, 050h 2 Message length in characters) in the NVRAM DS user settings cause System Settings->Other Settings->Profile->Nintendo DS Profile to crash in 3DS mode due to a stack smash.
The kernel exploit is actually tied to a huge rsa_verify request for which the length isn't checked. The payload written by Gateway's ROP chain at 0x080C3EE0 is copied somewhere in the 0x20000000 area by the kernel and is what triggers it to jump to the code later on.
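
As an added illustration (not part of the post above, and not code from any console firmware): a C parser that validates the two length fields the answer names before copying the strings they describe. The string offsets (0x06, 0x1C) and the limits of 10 and 26 characters are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 0x1A and 0x50 are the length fields quoted in the post. The string
 * offsets and maximum lengths below are assumptions for this example. */
enum { OFF_NICK = 0x06, OFF_NICK_LEN = 0x1A, OFF_MSG = 0x1C,
       OFF_MSG_LEN = 0x50, NICK_MAX = 10, MSG_MAX = 26, BLOCK_MIN = 0x52 };

struct ds_profile {
    uint16_t nick[NICK_MAX + 1];   /* +1 for the terminator added on copy */
    uint16_t msg[MSG_MAX + 1];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Copy a UTF-16 field only after checking the stored length against the
 * destination capacity and against the end of the source block. */
static int copy_field(uint16_t *dst, size_t cap, const uint8_t *blk,
                      size_t blk_len, size_t str_off, size_t len_off)
{
    size_t n = rd16(blk + len_off);
    if (n > cap || str_off + 2 * n > blk_len)
        return -1;                 /* oversized or corrupted length field */
    for (size_t i = 0; i < n; i++)
        dst[i] = rd16(blk + str_off + 2 * i);
    dst[n] = 0;
    return 0;
}

/* Returns 0 on success, -1 if the block is short or a length is invalid. */
int ds_profile_parse(const uint8_t *blk, size_t blk_len, struct ds_profile *out)
{
    if (!blk || !out || blk_len < BLOCK_MIN)
        return -1;
    memset(out, 0, sizeof *out);
    if (copy_field(out->nick, NICK_MAX, blk, blk_len, OFF_NICK, OFF_NICK_LEN) ||
        copy_field(out->msg, MSG_MAX, blk, blk_len, OFF_MSG, OFF_MSG_LEN))
        return -1;
    return 0;
}

/* Constructed sample: a zeroed block with only the two length fields set. */
int parse_with_lengths(uint16_t nick_len, uint16_t msg_len)
{
    uint8_t blk[0x70] = {0};
    struct ds_profile p;
    blk[OFF_NICK_LEN] = (uint8_t)nick_len; blk[OFF_NICK_LEN + 1] = (uint8_t)(nick_len >> 8);
    blk[OFF_MSG_LEN] = (uint8_t)msg_len;   blk[OFF_MSG_LEN + 1] = (uint8_t)(msg_len >> 8);
    return ds_profile_parse(blk, sizeof blk, &p);
}
```

The parser rejects the whole block when either length exceeds its buffer, rather than truncating, so a corrupted settings record never reaches the copy loop.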