My implementation of safefirmhax:
C Makefile Assembly C++
Latest commit e0572a7 Jan 18, 2017 @TiniVi Check for bundled payloads, updated readme.
Small change to let users compile multiple binaries that will launch
embedded payloads, etc.



What this is:

Basically, it works like Brahma's arm9 bootstrap, but for a wider range of firmwares. It will attempt to load one of the listed payloads from the SD card root:

  • safehaxpayload.bin
  • arm9.bin
  • arm9loaderhax.bin

These files are ordered by load priority, so if safehaxpayload.bin is present it will not try and load either of the other payloads. After this, it'll load the payload it finds into memory @ 0x23F00000. This is useful for a number of things, including installing otpless arm9loaderhax on N3DS, dumping your nand on the newer firmwares, and running CFW.

A Kernel11 exploit must be run ahead of time that either enables all srv/svc access, or gives us the global svc 0x30 backdoor.

How it works:

Because 'SAFE_MODE' firm is out of date (~3.0 on O3DS, ~8.1 on N3DS), it's still vulnerable to firmlaunch-hax, which allows us to overwrite the arm9 entry pointer on firmlaunch. Knowing this, we can trigger a firmlaunch, so that 'SAFE_MODE' arm9 can run, then we sync up with arm9 until we can send another firmlaunch request to it. From there, we can do firmlaunch-hax like normal and gain arm9 code execution.