First thanks Rei for this.. Thanks daxtsu for some help. Thanks for every reply. As you might already know, that using a nightly build of ReiNAND that supports 10.3.. With START+X pressed you might get a file named as "BootRom.bin" in your SD card root. The address that used for dumping is bootrom mirror, while it should already be locked out after run. If you've got something that not full of 00s, try post your SHA256 hash of the file, such as... SHA256=bc6627b02afbe8ebfbd340bfd928a9e36fbf3fc4395a881783166a46dc88e732 I wonder if that is random memory junk (and this is likely to be). So just compare the hash. Don't forget to load it into IDA if possible (?), address 0x0 or 0xFFFF0000, to see if any code. And.. use hex editor, try to find keyslot 0x39 KeyX inside it, which is supposed to be set by bootrom. The key itself is shared as a spreadsheet on docs.google.com, named as "3DS AES Keys" already. If found don't hesitate to put it somewhere, or use IDA to have a look. EDIT: Solved. The dumped file seems to be different from console to console. Likely to be junk content. So just forget it please.