What this is:
Basically, it works like Brahma's arm9 bootstrap, but for a wider range of firmwares. It will attempt to load one of the listed payloads from the SD card root:
These files are ordered by load priority, so if
safehaxpayload.bin is present it will not try and load either of the other payloads. After this, it'll load the payload it finds into memory @ 0x23F00000. This is useful for a number of things, including installing otpless arm9loaderhax on N3DS, dumping your nand on the newer firmwares, and running CFW.
A Kernel11 exploit must be run ahead of time that either enables all srv/svc access, or gives us the global svc 0x30 backdoor.
How it works:
Because 'SAFE_MODE' firm is out of date (~3.0 on O3DS, ~8.1 on N3DS), it's still vulnerable to firmlaunch-hax, which allows us to overwrite the arm9 entry pointer on firmlaunch. Knowing this, we can trigger a firmlaunch, so that 'SAFE_MODE' arm9 can run, then we sync up with arm9 until we can send another firmlaunch request to it. From there, we can do firmlaunch-hax like normal and gain arm9 code execution.
- Normmatt - Finding the vuln, helping work out an issue during KSync.
- 'Everyone' - For also finding the vuln.
- shinyquagsire23/patois(/etc?) - The firmlaunch-hax code that this uses snippets from, and was used as reference.
- Mrrraou/nedwill - Snippets for the changes described here.
- zoogie - Finding a fix for the cartridge bug.
- 3DBrew's Users - VAddrs, and other useful information in general.