My implementation of safefirmhax: https://3dbrew.org/wiki/3DS_System_Flaws#Process9
Latest commit 200dbcf Aug 13, 2017
include Updated k11 standard. Jan 7, 2017
payload Revert FIRM Support. Aug 13, 2017
source Revert FIRM Support. Aug 13, 2017
Makefile Updated k11 standard. Jan 7, 2017
README.MD Revert FIRM Support. Aug 13, 2017
icon.png Initial commit. Jan 2, 2017

README.MD

safehax/safefirmhax

What this is:

THIS DOES NOT WORK ON SYSTEM FIRMWARES ABOVE 11.3

Basically, safehax works like Brahma's arm9 bootstrap, but for a wider range of firmwares. It will attempt to load one of the listed payloads from the SD card root:

  • safehaxpayload.bin
  • arm9.bin
  • arm9loaderhax.bin

These files are ordered by load priority, so if safehaxpayload.bin is present it will not try to load either of the other payloads. After this, it'll load the payload it finds into memory at 0x23F00000. This is useful for a number of things, including installing otpless arm9loaderhax on N3DS, dumping your NAND on the newer firmwares, and running CFW.

A Kernel11 exploit must be run ahead of time that either enables all srv/svc access, or gives us the global svc 0x30 backdoor.

How it works:

Because 'SAFE_MODE' firm is out of date (~3.0 on O3DS, ~8.1 on N3DS), it's still vulnerable to firmlaunch-hax, which allows us to overwrite the arm9 entry pointer on firmlaunch. Knowing this, we can trigger a firmlaunch, so that 'SAFE_MODE' arm9 can run, then we sync up with arm9 until we can send another firmlaunch request to it. From there, we can do firmlaunch-hax like normal and gain arm9 code execution.

11.3.0 - The fix (not really!):

Nintendo added a flag under Process9 which, when set, triggers a panic on SAFE_MODE launch. This flag is set when certain titles are launched, ensuring that SAFE_MODE can only be launched early in the boot process.

However, this is incredibly easy to circumvent, since you can just relaunch NATIVE_FIRM and the flag will be reset. Therefore, all we need to do to allow 11.3 support is to relaunch NATIVE_FIRM before performing the attack.

Credits