NTRBoot Released!

It's here!

Info


@Normmatt has created a way to run B9S .firm files from bootrom via a DSi Flashcard and a magnet! This works on every 3DS on any firmware version.

For installation without a PC, user @TheCyberQuake has created a pack which will automatically install B9S and copy over essential starter homebrew from the flashcard's SD to the 3DS's. This will mainly be used for PC-less B9S installations. If you have a PC with you, use 3ds.guide. Read more here: https://gbatemp.net/threads/481141/

How does this work?


This works because of a flaw in the bootrom. Before the bootrom boots the NAND, it checks to see if Start+Select+X is held down, and if the shell is closed. If these requirements are met, it will boot an NDS cartridge from the bootrom. This gives that cartridge bootrom access. You might be wondering how you'd hold down buttons while the shell is closed, and why you need a magnet. If you put a magnet in a specific spot on the 3DS, it will go into sleep mode. Using this, you can boot the NDS cartridge with the buttons held down while in sleep mode! Using a reflashable flashcard, you can boot B9SInstaller using the flashcard, and easily install it on your 3DS.
The 2DS doesn't need a magnet since a switch puts it to sleep instead of a magnet.

What does this mean?


  1. Any 3DS model on any firmware can be hacked with minimal effort
  2. You can unbrick any 3DS model from any type of brick.
    - Remember, you don't need a NAND backup for this. Just do a CTRTransfer.
    - This does not apply to MCU bricks.
  3. Even consoles with fried NAND, or even the NAND chip physically removed, can use this
This is incredibly impressive stuff, and will most likely be released soon! edit: now!

FAQ


Q: Can Nintendo patch this?
A: Nope! Not without a new hardware revision.

Q: My flashcard is blocked by my firmware! Can I still use this?
A: Yes! The flashcard blacklist is not enabled on the bootrom.

Q: Why can't this work with my flashcard?
A: The installation requires you to flash NTRBoot to the flashcard's nand. Most DS flashcards, such as the original R4, have a ROM, which is not flashable.

Q: Can I install NTRBoot on my flashcard without another 3DS system?
A: If you can run NDS roms on your 3DS with it, then yes. If it's blocked on your 3DS version, then you'll need another 3DS system to use it.

Q: Will my 3DS flashcard work?
A: No, only the NDSi flashcards listed above.

Q: Will any other flash cards work?
A: Only the ones listed in the OP. However keep in mind that flashcards such as the DSTT, Supercard DS2 and R4 SDHC Dualcore are planned to be supported in the future.

Q: I tried to do this with my cartridge and it didn't work?
A: It doesn't work with regular DS cards.

Q: Can I unbrick from a ____ brick?
A: Considering the card has access to the bootrom, yes! This can unbrick any brick (except MCU), unless you've taken a knife to the motherboard.

Q: Can I install B9S on the latest firmware with this?
A: Again, since the card has access to the bootrom, you can do this easily! Just plug in your flashcard, boot up using the magnet and button combination, and install.

Q: Does this work on the New Nintendo 2DS XL?
A: Yes!

:arrow: Release
:arrow: Guide
:arrow: Free NTRBoot Flashing
:arrow: Free B9S Installations

Here is SciresM's post about this

Please see SciresM's presentation on bootromhax.
 
Far less possible complications than dsiwarehax.
Dsiwarehax is a more complex procedure and has a decent chance of not working, leaving you with a wasted dsiware purchase and a weeklong transfer waiting period for both systems involved. It's messy, ntrboothax is clean.
I was actually referring to system level complications, like on the 3ds guide in the part that says to copy the 11.4 .firm file for sighax install: you need to use the one for your specific 3ds model.
So I was just wondering if there could be any risks by blindly attempting it, or if we would have to wait a while for devs to dump said files from the console and patch it.
But I guess I shouldn't rush in anyway; I'll wait for a proper guide when everything is ready.
 
I was actually referring to system level complications, like on the 3ds guide in the part that says to copy the 11.4 .firm file for sighax install: you need to use the one for your specific 3ds model.
So I was just wondering if there could be any risks by blindly attempting it, or if we would have to wait a while for devs to dump said files from the console and patch it.
But I guess I shouldn't rush in anyway; I'll wait for a proper guide when everything is ready.
The thing with dsiwarehax is it uses the plaintext firm exploit. If you're on 11.4 then your firm would be 11.4; seeing as all other versions don't need dsiwarehax, being on 11.4 is currently the only reason to be doing the dsiwarehax method. To make certain you're not on some franken firm you could always boot up your console in recovery mode and force an update/check; once you're sure you're on a clean 11.4 firm, just follow the guide and you're set.

And in the worst case scenario, where for some bizarre reason your firm wasn't actually on 11.4 or you managed to copy the wrong file for some reason, you can always recover with ntrboothax when it's finally released, but as long as you follow the guide the margin for error is pretty much zero.

But the point he was making is that there is room for mistakes and screw-ups for people who are unable to follow a few steps on the dsiware method, whilst with ntrboothax even the most bizarre screw-up should still be recoverable.
 
The thing with dsiwarehax is it uses the plaintext firm exploit; if you're on 11.4 then your firm would be 11.4

But see, the problem is the guide has 2 files for 11.4, one for o3ds and another for new 3ds, so there's no telling if using any one of them could cause a brick, but as I already said I'll just wait it out.
I was just curious if anyone knew what these files did/were for exactly before trying it :P
 
But see, the problem is the guide has 2 files for 11.4, one for o3ds and another for new 3ds, so there's no telling if using any one of them could cause a brick, but as I already said I'll just wait it out.
I was just curious if anyone knew what these files did/were for exactly before trying it :P
The thing is, this is not an actual "hax". There's no real hacking in the install procedure; you aren't forcing userland to force ARM11 to force ARM9 to install the .firm you actually wanted. SleepHax uses direct full privilege access to ARM9 to install the .firm. Thus there's nothing to brick. An "unrepairable" brick occurs when you mess something up while going down the levels (userland->ARM11->ARM9) and you mess one of them up, so you can't go back but you didn't make it through. SleepHax, however, goes only up. Therefore when you mess something up, you can still go back.
 
Far less possible complications than dsiwarehax.
Dsiwarehax is a more complex procedure and has a decent chance of not working, leaving you with a wasted dsiware purchase and a weeklong transfer waiting period for both systems involved. It's messy, ntrboothax is clean.
To be fair, it's actually kind of hard to screw up DSiWarehax to the point of actually having to wait a week. So long as the eShop account transferred and you actually took a backup of the source system beforehand, you have as many shots at getting the injected DSi transferred as you need by using system settings to copy to and from the SD card.

Of course, if you use the wrong FIRM you are probably not in a good position but
 
Just to reiterate: "ntrboothax" is by design. It's used by Nintendo's repair centers in cases where the OS is corrupted.

The problem is the Boot ROM's signature validation is broken for all three methods of booting. (NAND, NTR, and Wi-Fi SPI). (I have no idea what SPI booting would be used for, and its priority is *after* NAND, so it isn't very useful in cases where FIRM is valid but parts of CTRNAND are broken.)

That sounds exactly like the PSP pandora/memory stick system, which worked on everything except the 3000 and Go. A low level recovery mode combined with a flaw in signature checking.

I mean that it should work right off the bat with dsiware transfers unless there is something I'm missing, or it patches stuff that only works with the older models.

Ntrboothax is basically the 3ds equivalent of the pandora/magic memory stick from the PSP days. It exploits the fact that the same signature checking bug is present in the low level recovery system that Ninty uses to fix bricked systems. Thus, it is firmware independent and can theoretically be used to fix a system where the NAND chip is fried or even physically missing (though you would have to do the magnet/key combo thing every time you turned it on in that case).
 
That sounds exactly like the PSP pandora/memory stick system, which worked on everything except the 3000 and Go. A low level recovery mode combined with a flaw in signature checking.
Pretty much, though there's implementation differences. (Pandora Battery is a battery modified to return a serial number consisting of all 1 bits; no signature checks.)
 
Pretty much, though there's implementation differences. (Pandora Battery is a battery modified to return a serial number consisting of all 1 bits; no signature checks.)

I thought there were signature checks on the recovery stick which is why it no longer worked on the 3000 series.
 
But see, the problem is the guide has 2 files for 11.4, one for o3ds and another for new 3ds, so there's no telling if using any one of them could cause a brick, but as I already said I'll just wait it out.
I was just curious if anyone knew what these files did/were for exactly before trying it :P
Well you use o3ds for an original 3ds and n3ds for a new 3ds, a̶n̶d̶ ̶y̶e̶a̶h̶ ̶u̶s̶i̶n̶g̶ ̶t̶h̶e̶ ̶w̶r̶o̶n̶g̶ ̶f̶i̶l̶e̶ ̶w̶o̶u̶l̶d̶ ̶r̶e̶s̶u̶l̶t̶ ̶i̶n̶ ̶a̶ ̶b̶l̶u̶e̶ ̶s̶c̶r̶e̶e̶n̶ ̶o̶f̶ ̶d̶e̶a̶t̶h̶ ̶a̶s̶ ̶y̶o̶u̶ ̶w̶o̶u̶l̶d̶ ̶c̶o̶r̶r̶u̶p̶t̶ ̶t̶h̶e̶ ̶f̶i̶r̶m̶ ̶p̶a̶r̶t̶i̶t̶i̶o̶n̶ ̶a̶s̶ ̶t̶h̶o̶s̶e̶ ̶f̶i̶l̶e̶s̶ ̶a̶r̶e̶ ̶u̶s̶e̶d̶ ̶t̶o̶ ̶g̶e̶n̶e̶r̶a̶t̶e̶ ̶t̶h̶e̶ ̶x̶o̶r̶p̶a̶d̶ ̶o̶f̶ ̶t̶h̶e̶ ̶f̶i̶r̶m̶ ̶s̶e̶c̶t̶i̶o̶n̶ ̶ (ok apparently the dsiware boot9installer only writes to firm0, so it probably wouldn't brick as it has it's fall back firm1 left as stock), if you use the wrong one you make a bad xorpad which will encrypt the sighax firm incorrectly

But if you have eyes you should be able to differentiate a o3ds/2ds from a new 3ds/XL
 
Pretty much, though there's implementation differences. (Pandora Battery is a battery modified to return a serial number consisting of all 1 bits; no signature checks.)
The IPL blocks need to be encrypted and hashed using AES CBC and CMAC (for the hash). Of course, back then we didn't have the kirk cmd1 key required to do it, so an IPL block was forged using a time attack on the kirk engine (which is a lot more complex than the asn.1 fail). Later IPL blocks were ECDSA signed, but Sony used the same R in signatures so we have the private key. The main issue is that a new encrypted hash is used for which we don't have the key; it seems likely an extra layer of encryption is used on the kirk1 header on devices such as the PSP Go.
 
But see, the problem is the guide has 2 files for 11.4, one for o3ds and another for new 3ds, so there's no telling if using any one of them could cause a brick, but as I already said I'll just wait it out.
I was just curious if anyone knew what these files did/were for exactly before trying it :P
dsiwarehax installer "b9stool" will not brick your 3ds because it only writes to firm0. That's if you use it according to the guide.
I wrote the tool so I should know.
 
dsiwarehax installer "b9stool" will not brick your 3ds because it only writes to firm0. That's if you use it according to the guide.
I wrote the tool so I should know.
Yep, I understand that, but I was strictly speaking about if it was used on the new 2DS XL; but now that I know what those .firm files do with the installer, there's no point trying until more research is done.
 
The IPL blocks need to be encrypted and hashed using AES CBC and CMAC (for the hash). Of course, back then we didn't have the kirk cmd1 key required to do it, so an IPL block was forged using a time attack on the kirk engine (which is a lot more complex than the asn.1 fail). Later IPL blocks were ECDSA signed, but Sony used the same R in signatures so we have the private key. The main issue is that a new encrypted hash is used for which we don't have the key; it seems likely an extra layer of encryption is used on the kirk1 header on devices such as the PSP Go.
I meant for getting into the service mode at all, but okay.
 
dsiwarehax installer "b9stool" will not brick your 3ds because it only writes to firm0. That's if you use it according to the guide.
I wrote the tool so I should know.
Just out of curiosity, does recovery mode fix a corrupted firm0 at all?
 
That sounds exactly like the PSP pandora/memory stick system, which worked on everything except the 3000 and Go. A low level recovery mode combined with a flaw in signature checking.

Ntrboothax is basically the 3ds equivalent of the pandora/magic memory stick from the PSP days. It exploits the fact that the same signature checking bug is present in the low level recovery system that Ninty uses to fix bricked systems. Thus, it is firmware independent and can theoretically be used to fix a system where the NAND chip is fried or even physically missing (though you would have to do the magnet/key combo thing every time you turned it on in that case).
So even if someone completely screws over their nand to become fried, you can use ntrboothax to boot something like Luma, and then load emunand instead effectively having a working system. At least that's my current understanding.
 
So even if someone completely screws over their nand to become fried, you can use ntrboothax to boot something like Luma, and then load emunand instead effectively having a working system. At least that's my current understanding.
I hope this will come to. I fried my nand a few months ago when permanently hardmodding my n3ds and I now have an expensive paperweight.

Edit: wait. How can we use ntrboothax with a fried 3DS when we can't even go to sleep mode when we're on the bootrom error screen?

 
