Skip to content
ARM9 Pre-Kernel Code Execution - Nintendo 3DS
C C++ Other
Branch: master
Clone or download
Jason Dellaluce
Jason Dellaluce Merge pull request #32 from gemarcano/PIC
Makes both stage1 and 2 as position independent executables
Latest commit ae297e8 Jun 17, 2016
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
common Stage2 now supports PIC Jun 13, 2016
data_input foldersss Jan 25, 2016
payload_installer Update main.c Apr 17, 2016
payload_stage1 Refactoring, cleanups Jun 14, 2016
payload_stage2 Refactoring, cleanups Jun 14, 2016
screen_init Refactoring, cleanups Jun 14, 2016
.gitattributes 💥🐫 Added .gitattributes & .gitignore files Jan 25, 2016
.gitignore Big software update Apr 16, 2016
Makefile
README.md Update README.md Jun 7, 2016
license.txt . Jan 25, 2016

README.md

Arm9LoaderHax for Nintendo 3DS

Explanation

This is my personal implementation of the arm9loaderhax exploit, documented here and also presented in this conference, which provides ARM9 code execution directly at the console boot, exploiting a vulnerability present in 9.6+ version of New3DS arm9loader.

It works on both New and OLD 3DS.

This exploit was found by plutoo and yellows8, i do not own the idea, just the implementation of it.

Screen_init was implemented by dark-samus pull request (thank you!).

Usage

Once you installed the exploit, it will launch the arm9loaderhax.bin file from the root of your SD card directly as the console boots.

If the file is not found, the console will shut down.

Installation

After the compilation you'll have three files in the data_output directory:

  • arm9loaderhax.3dsx
  • arm9loaderhax.bin
  • arm9loaderhax.pack

The .pack file contains all the content that will be installed (in case of a full package, your console-unique data too), and has to be placed in the root of your SD card.

The .bin file is an indipendent payload that can be launched from Brahma2, CakeHax, Arm9LoaderHax itself (mainly for update the exploit), and so on. It is the installeing software, once you find your way to launch it, just follow the instruction.

The .3dsx file is a pre-buildt Brahma2 3dsx that can be launched on consoles with firmware below 9.2 through the Homebrew Launcher. It is a loader for the .bin file, wich is included in the 3dsx.

Software Update

When some essential parts of the software will be released, you'll be able to update your setup with the installer by using .pack files that i will provide in future releases.

Setup

####Required Files Some files are needed in order to make the setup compilable, be sure to put the following files in the data_input folder, you have to find them on your own:

Name Description SHA-256
new3ds10.firm New3DS NATIVE_FIRM from system version 10.2. d253c1cc0a5ffac6b383dac1827cfb3b2d3d566c6a1a8e5254e389c2950623e5
new3ds90.firm New3DS NATIVE_FIRM from system version 9.0. d7be76e1813f398dcea85572d0c058f7954761a1d5ea03b5eb5047ac63ac5d6b
secret_sector.bin The New 3DS secret 0x96 key sector. 82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3
otp.bin A dump of your console OTP data from region 0x10012000-0x10012100. Using other console's OTP will result in a brick.

####Required Enviroment

  • devkitARM r45
  • libctru (ver. 1.0.0)
  • Python with PyCcrypto (2.7 or 3.x should work)
  • GCC or MinGW (Only needed to compile the buildt-in tool, you can download a pre-compiled windows build here, place it in common folder)

####Compilation Modes

  • make : This will compile all the files
  • make hax : This will skip the 3DSX installer compilation
  • make stage2_update : This will generate an updater pack with only the secondary payload, mainly for updating the exploit files.

Credits

Copyright 2016, Jason Dellaluce

Licensed under GPLv2 or any later version, refer to the license.txt file included.

  • Smealum and contributors for libctru
  • Normmatt for sdmmc.c and .h, and also for .ld files and the log from XDS by ichfly that provided us some of the information needed to get screen init
  • Christophe Devine for the SHA codes
  • Archshift for i2c.c and .h
  • Megazig for crypto.c and .h
  • Patois for original BRAHMA code
  • Smealum, Derrek, Plutoo for publishing the exploit
  • Yellows8 and Plutoo as ideators of it
  • 3dbrew community
  • bilis/b1l1s for his screen init code, and work on inegrating it into stage 2
  • dark_samus for work on integrating screen init into stage 2
You can’t perform that action at this time.