[Question] Please Educate me about A9LH and some things

Discussion in '3DS - Homebrew Development and Emulators' started by Zech, Mar 11, 2016.

  1. Zech
    OP

    Zech Advanced Member

    Newcomer
    92
    51
    Mar 11, 2016
Ok, I've been spectating this forum for years now, but this is my first time posting because I want to understand some things.

1. I read the A9LH thread, but it's not registering in my brain what the hell it is. I have emunand 10.6 with reinand 3.3. I want to fully understand what it can do and what the difference is, like pros and cons. And how does A9LH work?

2. Is it possible to change the clock on reinand like what I saw with NTR? I'm not able to get NTR working on 10.6.

3. What does the emunand9 tool really do? I managed to hack my 3DS by just following instructions without understanding them. So in my understanding, emunand9 formats my card. But for what purpose?
     
  2. Omegablu

    Omegablu We shall not yield to the Kingdom of Nohr!

    Member
    1,039
    288
    Mar 10, 2016
    United States
    Ice Tribe Village
1. A9LH is a modification of Sysnand that allows control of the 3DS seconds after boot. Think of menuhax, but more powerful. Pros: fast boot time, recovery of some bricked Sysnands. Cons: takes time to set up, setup can be dangerous.

2. I don't think so. If you use an old enough firmware.bin file, then NTR will work in Reinand. 9.6 firm is the right one, I think; the Aureinand thread has the NTR-compatible file.

3. Emunand9 is a really helpful tool in regards to backing up and restoring your NANDs in case of bricks etc. (won't fix a bricked Sysnand though unless you have A9LH). The reason it formatted your SD card was to create a partition for Emunand on the SD.
     
    zfreeman and Zech like this.
  3. Scarlet

    Scarlet Rydeen

    Member
    1,708
    1,713
    Jan 7, 2015
    United Kingdom
    Middleish North-Right
To add to the person above, you can get NTR working if you use the 10.2 firm. ^^
     
  4. Omegablu

    Omegablu We shall not yield to the Kingdom of Nohr!

    Member
    1,039
    288
    Mar 10, 2016
    United States
    Ice Tribe Village
    Thanks. I wasn't sure what the version cap was.
     
  5. daxtsu

    daxtsu GBAtemp Guru

    Member
    5,494
    3,879
    Jun 9, 2007
Wall of text incoming. I don't know absolutely every step, but this is how I understand it so far; beware of some technical jargon. I'm not 100% sure on every detail here, so someone like @Mrrraou or @Selver can help fill in the gaps I missed. This is just how I understand it, as I said.

To explain what it is and how it works, you have to get into how the entire New 3DS boots, because ARM9LoaderHax hijacks how the 3DS (both old and new) boots from the moment you press the power button. When you hit the power button, a lot of things are going on in order to take you to the home menu; it's not just "hit the button and the game starts" like the old DS or Game Boy. The 3DS has ROMs (read-only memories) that get executed after the power turns on, one for each CPU (ARM11 and ARM9). After those execute and initialise a few basic things, the ARM9 CPU gets the NAND (sysNAND) ready for reading, and eventually NATIVE_FIRM (which is basically the kernel of the 3DS operating system, as well as a few other things) will be brought into memory from FIRM0, which is the place in the NAND where it's stored (also take note that the New 3DS has a "secret sector", which is how it decrypts FIRM on 9.6+; a key is stored there). If it fails to load for any reason, the ARM9 will try to load NATIVE_FIRM from FIRM1, which is a different area and is there as a fail-safe to prevent bricks (but also note that FIRM1 is smaller than FIRM0, and this is important). Assuming that the system was able to load one of the two NATIVE_FIRMs, it then lets the ARM9Loader take over, which decrypts some things and then brings up the ARM11 so that the 3DS OS can truly start. This is the normal boot process.

Now that that's established, here's ARM9LoaderHax. The process begins the same, but instead of executing as normal, garbage was installed into the secret sector in order to make Kernel9 (this is the code that usually runs on the ARM9, if I'm not mistaken) decrypt to garbage. This garbage is specially crafted so it jumps to our code just after the bootROMs finish executing. Since the bootROM can't decrypt FIRM0, it panics and then goes to FIRM1 to see if it can salvage the boot. FIRM1 is left intact on purpose, so that it can be loaded into the place where FIRM0 would've been. But since it's smaller, not everything is overwritten from where FIRM0 was (and FIRM0 has some of our code written into the end of it). Since the secret sector is decrypting things to garbage, FIRM1 also fails, and it ends up taking us right to the end of where FIRM0 was (which is where ARM9LoaderHax begins). A9LH will then look for a payload on the SD card and then allow that payload to do whatever it wants (typically, boot a CFW, or run a recovery mode like Decrypt9).
     
    Last edited by daxtsu, Mar 11, 2016
    Rombrian, [Truth], Zech and 1 other person like this.
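The post above turns on one systems-design detail: a fail-over loader that decrypts a smaller fallback image over the same memory region as a larger failed one, without clearing the region first, leaves the tail of the failed image in place. The toy model below is an added example for this thread, not 3DS code or anything from the ARM9Loader thread: the slot sizes, the "secret sector" keystream (SHA-256 in counter mode standing in for real key material), the image format (a constructed `FIRM` marker plus a digest) and all byte values are made up. It contrasts a naive loader with one that wipes the region before every attempt, which is the mitigation a reviewer would ask for in any two-slot boot path.

```python
import hashlib

# Constructed sizes: the primary slot fills the whole load region, the fallback slot
# is smaller (the post notes FIRM1 is smaller than FIRM0, which is what makes the
# leftover bytes matter).
RAM_SIZE = 64
FIRM0_SIZE = 64
FIRM1_SIZE = 48
MAGIC = b"FIRM"            # constructed header marker, not the real FIRM format
HEADER = len(MAGIC) + 32   # marker + SHA-256 of the body


def keystream(secret_sector: bytes, n: int) -> bytes:
    """Toy stand-in for the key material in the 'secret sector': SHA-256 in counter mode."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(secret_sector + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_slot(body: bytes, size: int, secret_sector: bytes) -> bytes:
    """Constructed encrypted slot image: MAGIC + sha256(body) + body, XOR'd with the keystream."""
    body = body.ljust(size - HEADER, b"\x00")
    plain = MAGIC + hashlib.sha256(body).digest() + body
    return xor(plain, keystream(secret_sector, len(plain)))


def decrypt_and_check(slot: bytes, secret_sector: bytes):
    """Decrypt a slot and report whether the result looks like a real image (marker + digest)."""
    plain = xor(slot, keystream(secret_sector, len(slot)))
    ok = (plain[:len(MAGIC)] == MAGIC
          and hashlib.sha256(plain[HEADER:]).digest() == plain[len(MAGIC):HEADER])
    return plain, ok


def naive_boot(slots, secret_sector):
    """Fail-over loader that decrypts each slot over the start of one region and never clears it.
    Returns (index of the slot that booted, or None, region contents)."""
    ram = bytearray(RAM_SIZE)
    for i, slot in enumerate(slots):
        plain, ok = decrypt_and_check(slot, secret_sector)
        ram[:len(plain)] = plain          # a smaller image leaves the old tail untouched
        if ok:
            return i, bytes(ram)
    return None, bytes(ram)


def hardened_boot(slots, secret_sector):
    """Same fail-over, but the region is wiped before each attempt and again when every slot
    fails, so a smaller fallback image never sits on top of leftovers from a larger one."""
    ram = bytearray(RAM_SIZE)
    for i, slot in enumerate(slots):
        ram[:] = bytes(RAM_SIZE)
        plain, ok = decrypt_and_check(slot, secret_sector)
        ram[:len(plain)] = plain
        if ok:
            return i, bytes(ram)
    ram[:] = bytes(RAM_SIZE)              # nothing valid loaded: leave nothing behind
    return None, bytes(ram)


# Constructed inputs: a good secret sector and a corrupted one that decrypts both slots to garbage.
GOOD_SECRET = b"constructed good secret sector"
BAD_SECRET = b"constructed corrupted secret sector"
SLOTS = [build_slot(b"firm0 kernel9", FIRM0_SIZE, GOOD_SECRET),
         build_slot(b"firm1 fallback", FIRM1_SIZE, GOOD_SECRET)]


def leftover_tail(boot):
    """Boot with the corrupted secret (both slots fail) and return what is left beyond FIRM1's size."""
    _, ram = boot(SLOTS, BAD_SECRET)
    return ram[FIRM1_SIZE:]


if __name__ == "__main__":
    print("good secret, naive loader boots slot", naive_boot(SLOTS, GOOD_SECRET)[0])
    print("naive tail after double failure:   ", leftover_tail(naive_boot).hex())
    print("hardened tail after double failure:", leftover_tail(hardened_boot).hex())
```

With the good secret both loaders boot slot 0; with slot 0 damaged both fall back to slot 1. With the corrupted secret both slots fail, and only the naive loader ends with the last 16 bytes of the region still holding whatever the first, larger decrypt produced. The fix is cheap: clear the whole region before each attempt and validate the entire image before jumping to it, rather than trusting that the fallback overwrote everything.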
  6. Mrrraou

    Mrrraou GBAtemp Advanced Maniac

    Member
    1,869
    2,167
    Oct 17, 2015
    France
It's not NATIVE_FIRM which is decrypted to garbage, but Kernel9, which is decrypted by the arm9loader.
     
    Selver, Zech, Scarlet and 1 other person like this.
  7. daxtsu

    daxtsu GBAtemp Guru

    Member
    5,494
    3,879
    Jun 9, 2007
    Thanks, will correct.
     
  8. DrCrygor07

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,682
    621
    Sep 4, 2014
    Italy
    I have only one suggestion for you. Never lose your otp file. Make several backup copies of it.
     
    Zech, ihaveamac and daxtsu like this.
  9. Zech
    OP

    Zech Advanced Member

    Newcomer
    92
    51
    Mar 11, 2016
Where do I place the 10.2 firm on the SD card? And where can I get the file? (If allowed.)

    — Posts automatically merged - Please don't double post! —

What is an otp file? Sorry, I'm not really good at jargon for 3DS hacking.
     
  10. DrCrygor07

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,682
    621
    Sep 4, 2014
    Italy
You can find that file on that ISO site (not allowed to mention the site's name).

    — Posts automatically merged - Please don't double post! —

It's a one-time pad, a file unique to your console, needed to install A9LH.
     
  11. Zech
    OP

    Zech Advanced Member

    Newcomer
    92
    51
    Mar 11, 2016
It's good you mentioned that the process of setting up A9LH is dangerous. I think I can't afford the risk right now. Also, I remember soft-bricking my new-out-of-the-box N3DS with 9.9. And man, my heart was really pounding like hell. Luckily I was able to successfully downgrade it with safesysdowngrader.

    — Posts automatically merged - Please don't double post! —

Is this the same as nand.bin? Or different? If yes, what tool do I use to extract the otp file?

    — Posts automatically merged - Please don't double post! —

Thank you so much! This is the type of explanation that I'm looking for :) I'm no hacker, but I'm the type who wants to understand how things work. I just want to know the logic behind it and get the idea.
     
  12. daxtsu

    daxtsu GBAtemp Guru

    Member
    5,494
    3,879
    Jun 9, 2007
    No problem. It's about as close to Bootmii (a very similar exploit on the old Wii) as we can get.
     
    Zech likes this.
  13. Selver

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    199
    276
    Dec 22, 2015
Hi Zech, full details are kept on the ARM9Loader -- Technical Discussion thread. I strongly recommend that as a starting point; it's got multiple walls of text. :)

@daxtsu gave a reasonable overview. I also highly recommend the video from December (also linked in that first post). It describes in great pictures the boot process of the N3DS.
     
    Mrrraou likes this.
  14. Selver

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    199
    276
    Dec 22, 2015
Thanks, Mrrraou -- you are right that this distinction can greatly clarify things. I've updated the other thread's posts to reflect this. :)
     
    Mrrraou likes this.