Hacking GBATemp: Noob Paradise (unfinished)

Halvorsen (OP)
Notice: I'm at school and this is nowhere near done, gimme about a week. It will cover everything mentioned on the forum in depth. The other paradise thread should still be used. I will credit the necessary people later and format for readability (I'm on a phone!)
------
First of all, if you think you know enough of the terms and tools and what they do, this is the fabled guide for arm9loaderhax, which is currently the best exploit publicly available for the Nintendo 3DS at this moment. It is futureproof and there is a risk of a brick, but your system will be virtually unbrickable afterwards. Think of it like BootMii for the Wii, but it also boots directly into CFW and lets more programs run at boot. Remember to follow this guide religiously; do not skip or remedy ANYTHING by yourself. If you have a problem, don't understand something, or have an easier way to get something, be sure to discuss it here at GBATemp.

Introduction to Nintendo 3DS
There are four different revisions of the Nintendo 3DS, just like there are many different versions of a phone (the Galaxy S7 and S7 Edge, for example).
There is the Old Nintendo 3DS family, and the new 3DS family.
The o3DS family is the original hardware released by Nintendo, in different forms. Their processors are clocked at 268 MHz and are limited with regard to homebrew. You can always see which version you have by looking at the box or the back plate, but if you have neither, the different consoles are as follows:
Nintendo 3DS, released by Nintendo. The top screen border is pure black, and the edges are slanted while closed. The entire console is glossy.
Nintendo 3DS XL, a bigger version of the 3DS. It contains the same hardware, and the interior of the console is matte. This looks similar to the new system, so if you don't know: if the volume slider is on the bottom half of the system, it's old. If it is on the top half, it's new.
Nintendo 2DS, a cheaper revision marketed toward children and people who don't require 3D. It resembles a doorstop and has no 3D feature.
The n3DS family is Nintendo's more dramatic revision, produced in 2015. It's three times more powerful (804 MHz) and provides many more benefits to things like 3D mode, loading speeds, etc.
New Nintendo 3DS, the smaller version of this system. This has a square-like shape, and the buttons are rainbow-colored to match the SNES design.
New Nintendo 3DS XL, the larger version of the system. It is rounder, and non-special editions have colored lettering instead of buttons.
--------------
Throughout the years, the 3DS was basically unhacked. Around two years ago the first custom firmware emerged, and it was pretty primitive. In the past year it has blossomed, and now the Nintendo 3DS is fully cracked. [credits go here]
If you are new to hacking, you may want to read the following section.

Terms and abbreviations
HUGE thanks to @BobDoleOwndU for writing most of this section!
Firmware (abbreviated as FW): The 3DS's system software. This can essentially be thought about as the 3DS's operating system. NintyFW is stock firmware, usually completely unmodified. Custom firmware will be discussed in NAND KNOWLEDGE.

Unsigned Software: Software which has not been "signed" with Nintendo's private key. The 3DS will not run unsigned software without modifications. Unsigned software includes homebrew and pirated software.

Homebrew: Unofficial software made by developers like you and me. This does NOT automatically equal piracy; these are vastly different ideas.

System NAND (abbreviated as sysNAND): The 3DS's real NAND.

Emulated NAND/Redirected NAND (abbreviated as emuNAND/redNAND): A copy of the NAND which is stored in a hidden partition on the 3DS's SD card. This partition is used as a fake (emulated) NAND, which can be updated without affecting sysNAND.
See more about NANDs below!

Read-only Memory (abbreviated as ROM): A piece of software which can not be written to by the system. It is only to be read from. This is the format games are stored in, which is why they are referred to as ROMs. The 3DS's ROMs are stored as .3ds and .cxi files.

CTR Importable Archive (abbreviated as CIA): ROMs converted into an installable format for the 3DS. CIAs are stored as .cia files.

CIA Installer: Software for the 3DS which can install .cia files. The most commonly used CIA Installers are FBI, BigBlueMenu, and DevMenu.

Exploit: A flaw in the 3DS's software which can be used to run unsigned code.

Userland Exploit: An exploit which can be triggered directly by the user. Userland exploits are the most common exploit, and give the least amount of functionality. Userland exploits usually allow for the same permissions as the app that is being exploited.

ARM11 Kernel Exploit: A deeper exploit that gives access to the 3DS's ARM11 processor. Without going into a ton of detail, exploiting the ARM11 processor gives enough permissions to install signed (or legit) software.

ARM9 Kernel Exploit: A very deep exploit that gives access to the 3DS's ARM9 processor. The ARM9 processor controls most of the 3DS's security. Once it is compromised, unsigned software can be installed to the 3DS.

MSET Exploit: An early exploit found in the 3DS's software which is triggered by accessing the 3DS's DS Settings menu. This exploit only exists between firmwares 4.X and 6.X.

Spider Exploits: A series of exploits found in the O3DS's "Spider" web browser. ARM9 Kernel access can be gained through Spider on firmwares 4.X-9.2. ARM11 Kernel access can be gained through Spider on firmwares 4.X-10.5.

Browserhax: A series of exploits in both the O3DS's "Spider" web browser and the N3DS's "Skater" web browser.

Ninjhax/*hax/anyhax: An umbrella term used to describe a hack that boots into the Homebrew Launcher. Anything that boots into it is known as ninjhax, but Ninjhax alone can refer to the original game that was required for homebrew at first.

OoThax: An exploit found in the game, Legend of Zelda: Ocarina of Time 3D.

Arm9Loaderhax: An exploit in the FIRM0/FIRM1(?) sections of the 3DS's firmware. This exploit is launched very early on in the 3DS's boot process, negating the firmware requirement to gain ARM9 access.

AGB_FIRM: The section of the 3DS's firmware which handles GBA virtual console titles.

TWL_FIRM: The section of the 3DS's firmware which handles backwards compatibility for DSi titles.

One Time Programmable (abbreviated as OTP): A section of the 3DS's firmware believed to contain the console unique keys in an encrypted format. The OTP can only be accessed on firmwares below 3.0.

Relevant tools for CFW
Decrypt9 - decryption and integrity tool for NANDs.

EmuNAND9 - NAND manager and SD formatter by @dok3.

Homebrew Launcher - menu to launch .3dsx homebrew. Requires an entrypoint, but only a userland one with sufficient access.

PlaiSysUpdater - tool used to downgrade and update firmwares, a mod by @Plailect. He also wrote the a9lh guide above.

Browser - the Nintendo 3DS Internet Browser can be used to gain access to the system and run code from the SD Card.

CakesFW - a custom firmware mainly designed by @midkid

Luma3DS - originally known as AuReiNAND, this is a fork of @Reisyukaku's ReiNAND. Luma3DS is developed by @Aurora Wright.

NAND knowledge
Your system has files that are needed to run the console. These are located inside a physical chip called the NAND. sysNAND is the physical chip that is inside your console. The console usually runs directly off of it, so if this gets compromised or damaged (physically, or permanently locked in an error) your console will fail to boot, being about as useful as a brick (hence the term "brick").

Unless you have a9lh, a brick is only recoverable through a NANDmod (hardmod).
A hardmod is a physical hardware mod that enables the user to write to and read from the NAND, even if it is damaged. A user can use a NAND backup (a backup of every file on the NAND) to restore a sysNAND to a working state. Without a NAND backup to restore to sysNAND, the system is permanently dead.

An emuNAND (or redNAND) is a NAND image that has been REDirected and EMUlated in place of sysNAND. Run off the removable SD or microSD Card, it's a virtual system in a way. Few things in emuNAND can modify sysNAND, so it is safer to use than sysNAND.
If you're not using arm9loaderhax, sysNAND is not touched, meaning you can have an exploitable sysNAND while still having a completely updated emuNAND!
EmuNAND and redNAND are safe to use interchangeably, term-wise.

Custom firmware - these are patches applied to a NAND when it boots. CFWs do not affect anything saved on the NAND, so switching CFW does NOT delete your games.

General reasons for nag to appear - downgraded system apps and dependencies, such as a downgraded browser, AGB_FIRM or TWL_FIRM.

Types of update nag:

HOME Menu update nag - nag shown on the HOME Menu. This is actual nag. You can always decline.

Browser nag - nag shown through the Internet Browser. This is real nag, and also blocks use until you update. There is a way to bypass this, however.

NNID service nag: eShop, NNID settings, and some in-game shops and services will restrict use until you update. On older firmware, there is a temporary way to bypass this.


Download Play nag - just nag that prevents you from using Download Play.

Update nag through notifications is NOT actual update nag. It's completely normal for the system to remind you of updates, even on unhacked systems on the latest update.

Unless you have arm9loaderhax, anything above system menu version 9.2 can only run userland exploits, like the Homebrew Launcher (HBL). You can check your firmware by going into System Settings via the HOME Menu and checking the numbers after the Ver. string on the top screen (e.g. Ver. 9.2.0-20).
U refers to a North American console, E to a European one, and J to a Japanese one. The -20 is usually irrelevant; usually you'll want the first two numbers.

If your HOME Menu is on 10.6 or above, go to part 1.
If on 9.3 to 10.5, use part 2.
If on 9.0 to 9.2, go to part 3.
If on anything lower, go to Extra.
Part 1: These firmwares are not fully exploitable. And since all free exploits have been patched by Nintendo, you need to pay for an exploitable game. After this you can downgrade using PlaiSysUpdater to 9.2.
Part 2: These firmwares still have free exploits available. Utilize browserhax to downgrade to 9.2.
Part 3: You are already on exploitable firmware! You do not need to downgrade. Go on to emuNAND setup.
Extra: You need to upgrade to 9.2. Old 3DS users can use a browser exploit to run a 9.2 update, but n3DS users might have to fully update to the latest firmware.
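The version check and the Part 1/2/3/Extra routing above, as an added example that is not part of the original post. It assumes the System Settings string has the form "Ver. X.Y.Z-NR" with an optional region letter U/E/J (the post gives "Ver. 9.2.0-20" as the shape); the thresholds are the ones the post lists. The point it adds is that versions must be compared as numbers: compared as strings, "10.6" sorts below "9.2" and a 10.6 console would be routed to the wrong part.

```python
"""Parse a 3DS 'Ver.' string and map it onto the guide section it needs.

Added example, not a tool from the thread. The string layout
('Ver. X.Y.Z-NR', region letter U/E/J) is an assumption about how
System Settings displays it; the version thresholds are from the post.
"""
import re

# Matches e.g. "Ver. 9.2.0-20U"; the "Ver. " prefix is optional so a bare
# "9.2.0-20U" copied from a screenshot also works. Anything else is rejected.
_VER_RE = re.compile(r"^(?:Ver\.\s*)?(\d+)\.(\d+)\.(\d+)-(\d+)([UEJ]?)$")

REGIONS = {"U": "North America", "E": "Europe", "J": "Japan", "": "unknown"}


def parse_version(text):
    """Return (major, minor, patch, revision, region_letter) or raise ValueError."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("not a 3DS version string: %r" % text)
    major, minor, patch, rev = (int(x) for x in m.groups()[:4])
    return major, minor, patch, rev, m.group(5)


def region_name(text):
    """Human-readable region from the trailing letter (U/E/J)."""
    return REGIONS[parse_version(text)[4]]


def guide_part(text):
    """Route a console to Part 1/2/3/Extra using the post's thresholds.

    Only the first two numbers matter, as the post says. They are compared
    as an integer tuple: "10.6" < "9.2" as strings, but (10, 6) > (9, 2).
    """
    major, minor, _, _, _ = parse_version(text)
    sysver = (major, minor)
    if sysver >= (10, 6):
        return "Part 1"   # no free exploit left: paid game, then downgrade to 9.2
    if (9, 3) <= sysver <= (10, 5):
        return "Part 2"   # browserhax still works: downgrade to 9.2
    if (9, 0) <= sysver <= (9, 2):
        return "Part 3"   # already exploitable, no downgrade needed
    return "Extra"        # below 9.0: update to 9.2 first


if __name__ == "__main__":
    for s in ("Ver. 9.2.0-20U", "Ver. 10.6.0-31E", "10.5.0-30J", "Ver. 4.5.0-10U"):
        print(s, "->", guide_part(s), "(%s)" % region_name(s))
```

Feeding the function a string it does not recognise raises rather than guessing; a version check that silently falls through to a default would be the wrong behaviour when the next step is a firmware downgrade.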
 
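The NAND section above makes the stakes clear: without a good NAND backup, a bricked sysNAND is permanently dead, and the hardmod only helps if the image you write back is sound. The following is an added example, not a tool from the thread, of the checks a practitioner runs on a dump before trusting it: the image is the expected size for the console, it carries the NCSD header magic at offset 0x100 where a 3DS NAND image begins, it is not an all-zero or all-0xFF read, and two dumps taken separately hash identically. The expected size is passed in by the caller because the post does not give per-model sizes; the sample image is constructed in the code and is not a real dump.

```python
"""Sanity checks for a 3DS NAND backup before it is relied on as a recovery image.

Added example, not part of the original post or any tool named in it.
Assumptions: the caller knows the correct NAND size for their console
(it differs between o3DS and n3DS) and passes it in; the NCSD magic
"NCSD" is checked at offset 0x100. The sample image is constructed here.
"""
import hashlib

NCSD_MAGIC_OFFSET = 0x100
NCSD_MAGIC = b"NCSD"


def sha256_hex(data):
    """Hex SHA-256 of an in-memory image."""
    return hashlib.sha256(data).hexdigest()


def check_nand_image(image, expected_size):
    """Return a list of problems found; an empty list means the image passed."""
    problems = []
    if len(image) != expected_size:
        problems.append("size %d != expected %d" % (len(image), expected_size))
    if image[NCSD_MAGIC_OFFSET:NCSD_MAGIC_OFFSET + 4] != NCSD_MAGIC:
        problems.append("NCSD magic missing at 0x100")
    # A dump that is entirely 0x00 or 0xFF is the signature of a failed read,
    # not a NAND; it would still have the "right" size.
    if image and (image.count(b"\x00") == len(image) or image.count(b"\xff") == len(image)):
        problems.append("image is all zeros/0xFF: likely a failed read")
    return problems


def dumps_agree(dump_a, dump_b):
    """Two independent dumps must hash identically; a flaky reader shows up here."""
    return sha256_hex(dump_a) == sha256_hex(dump_b)


def make_sample_nand(size, good=True):
    """Constructed stand-in image (not a real dump): zero-filled, NCSD magic at 0x100."""
    buf = bytearray(size)
    if good:
        buf[NCSD_MAGIC_OFFSET:NCSD_MAGIC_OFFSET + 4] = NCSD_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    SIZE = 0x1000  # tiny placeholder; a real image is hundreds of MiB
    first, second = make_sample_nand(SIZE), make_sample_nand(SIZE)
    print("problems:", check_nand_image(first, SIZE))
    print("truncated:", check_nand_image(first[:-1], SIZE))
    print("failed read:", check_nand_image(make_sample_nand(SIZE, good=False), SIZE))
    print("dumps agree:", dumps_agree(first, second), sha256_hex(first))
```

Keep the hash next to the backup; if the day comes that the image has to be written back over a hardmod, recomputing the hash is the only way to know the file on disk is still the one that was verified.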

Temarile

(ノ◕ヮ◕)ノ*:・゚✧ A9LH ✧゚・: *ヽ(◕ヮ◕ヽ)
Member
Joined
Jan 7, 2016
Messages
1,132
Trophies
0
XP
541
Country
Netherlands
Once this is done, it should be stickied. Nice work!
 

BobDoleOwndU

Well-Known Member
Member
Joined
Dec 28, 2013
Messages
1,178
Trophies
1
Age
29
XP
2,161
Country
Canada
I wrote a bunch of definitions for 3DS modding terms a while ago. I was going to make a guide similar to this, but never got around to it. If you want to include the definitions I'll paste them here.


N3DS: Nintendo's New 3DS. This includes the New 3DS and New 3DS XL.

O3DS: Nintendo's old or original 3DS. This includes the 3DS, 3DS XL and 2DS.

Firmware (abbreviated as FW): The 3DS's system software. This can essentially be thought about as the 3DS's operating system.

Custom Firmware (abbreviated as CFW): A modified version of the 3DS's firmware which has extra functionality.

Unsigned Software: Software which has not been "signed" with Nintendo's private key. The 3DS will not run unsigned software without modifications. Unsigned software includes homebrew and pirated software.

Homebrew: Unofficial software made by developers.

Not AND Chip (abbreviated as NAND): A computer chip inside the 3DS which contains the firmware files.

System NAND (abbreviated as sysNAND): The 3DS's real NAND.

Emulated NAND/Redirected NAND (abbreviated as emuNAND/redNAND): A copy of the NAND which is stored in a hidden partition on the 3DS's SD card. This partition is used as a fake (emulated) NAND, which can be updated without updating the console's sysNAND.

Read-only Memory (abbreviated as ROM): A piece of software which can not be written to by the system. It is only to be read from. This is the format games are stored in, which is why they are referred to as ROMs. The 3DS's ROMs are stored as .3ds files.

CTR Importable Archive (abbreviated as CIA): ROMs converted into an installable format for the 3DS. CIAs are stored as .cia files.

CIA Installer: Software for the 3DS which can install .cia files. The most commonly used CIA Installers are FBI, BigBlueMenu, and DevMenu.

Homebrew Launcher (abbreviated as HBL): A piece of unsigned software which allows the 3DS to run homebrew.

Exploit: A flaw in the 3DS's software which can be used to run unsigned code.

Userland Exploit: An exploit which can be triggered directly by the user. Userland exploits are the most common exploit, and give the least amount of functionality. Userland exploits usually allow for the same permissions as the app that is being exploited.

ARM11 Kernel Exploit: A deeper exploit that gives access to the 3DS's ARM11 processor. Without going into a ton of detail, exploiting the ARM11 processor gives enough permissions to install signed (or legit) software.

ARM9 Kernel Exploit: A very deep exploit that gives access to the 3DS's ARM9 processor. The ARM9 processor controls most of the 3DS's security. Once it is compromised, unsigned software can be installed to the 3DS.

MSET Exploit: An early exploit found in the 3DS's software which is triggered by accessing the 3DS's DS Settings menu. This exploit only exists between firmwares 4.X and 6.X.

Spider Exploits: A series of exploits found in the O3DS's "Spider" web browser. ARM9 Kernel access can be gained through Spider on firmwares 4.X-9.2. ARM11 Kernel access can be gained through Spider on firmwares 4.X-10.5.

Browserhax: A series of exploits in both the O3DS's "Spider" web browser and the N3DS's "Skater" web browser.

Ninjhax: An exploit found in the game, Cubic Ninja.

OoThax: An exploit found in the game, Legend of Zelda: Ocarina of Time 3D.

Arm9Loaderhax: An exploit in the FIRM0/FIRM1(?) sections of the 3DS's firmware. This exploit is launched very early on in the 3DS's boot process, negating the firmware requirement to gain ARM9 access.

AGB_FIRM: The section of the 3DS's firmware which handles GBA virtual console titles.

TWL_FIRM: The section of the 3DS's firmware which handles backwards compatibility for DSi titles.

One Time Pad (abbreviated as OTP): A section of the 3DS's firmware believed to contain the console unique keys in an encrypted format. The OTP can only be accessed on firmwares below 3.0.
 

Halvorsen (OP)
BobDoleOwndU said: [definitions quoted from the post above]
Thanks a ton! You saved me a ton of writing. I'll be sure to credit you.
 