3DS ARM9 code execution at boot
Switch branches/tags
Nothing to show
Clone or download
#5 Compare This branch is 12 commits ahead, 33 commits behind delebile:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
arm11
common
payload_stage1
payload_stage2
.gitignore
Makefile
README.md
license.txt

README.md

arm9loaderhax for 3DS

What this is

This is my personal implementation of the arm9loaderhax exploit, documented here and also presented in this conference, which provides ARM9 code execution directly at the console boot, exploiting a vulnerability present in 9.6+ version of New3DS arm9loader.

It works on both New and OLD 3DS.

This exploit was found by plutoo and yellows8, i do not own the idea.

Usage

It loads an arm9loaderhax.bin arm9 payload from the root of the sdcard at address 0x23F00000.

This means that it offers a BRAHMA-like setup, and as such has compatibility with every payload BRAHMA can run; you can also perform a firmlaunch by writing the ARM11 kernel entrypoint at address 0x1FFFFFF8.

The problem here is that it doesn't still initialize the screens, that has still to be achieved, though i was able to load an external patched firmware and make boot the console without any problem while testing.

Installation

The setup will provide a 3dsx installer that will work on system version 9.0-9.2, which should make the things easier.

If, for any reason, you desire to inject the files manually remember to:

  • Inject firm0.bin in the NAND FIRM0 partition, encrypted with your xor stream.
  • Inject firm1.bin in the NAND FIRM1 partition, encrypted with your xor stream.
  • Inject sector.bin at sector 0x96, in the plaintext output you'll have.
  • Inject stage0x5C000.bin at sector 0x5C000, in his plaintext form. It is an unused region for now, you'll not ruin your nand.

Setup

The setup is absolutely user-unfriendly because of the files that needs to be provided in compilation.

In order to make this work you need to creat a directory in the setup root named data_input, and put the following files in it :

  • new3ds10.firm : New 3DS NATIVE_FIRM from system version 10.2. You can dump and decrypt it from both the CDN, NAND, the proper 0004013820000002.cia, or in any way get it leaked.

    SHA-256 : d253c1cc0a5ffac6b383dac1827cfb3b2d3d566c6a1a8e5254e389c2950623e5

  • new3ds90.firm : Same as before, but for New 3DS NATIVE_FIRM from system version 9.0-9.2.

    SHA-256 : d7be76e1813f398dcea85572d0c058f7954761a1d5ea03b5eb5047ac63ac5d6b

  • secret_sector.bin : The New 3DS secret 0x96 sector. Many ways to have it has been made public, if you are not good enough to dump it yourself (or you use an OLD 3DS) you can always search for it in the net.

    SHA-256 : 82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3

  • otp.bin : A dump of your console OTP data from region 0x10012000-0x10012100; in order to dump it you must downgrade to a system version below 3.0, or exploit the New3DS-only vulnerability (This will just give you the hash of it, so you'll need to change the python script). it is console unique, and as such it cannot be shared from other people, because it will cause a brick!

Once you have all of the required files, the compilation needs:

  • devkitARM r45
  • Python 2.7 with pycrypto
  • libctru at least on v1.0.0

Credits

Copyright 2016, Jason Dellaluce

sdmmc.c & sdmmc.h originally written by Normatt

Licensed under GPLv2 or any later version, refer to the license.txt file included.

  • Smealum and contributors for libctru
  • Normatt for sdmmc.c and .h, and also for .ld files and the log from 3dmoo9 that provided us with some of the information needed to get screen init
  • Christophe Devine for the SHA codes
  • Archshift for i2c.c and .h
  • Megazig for crypto.c and .h
  • Patois for original BRAHMA code
  • Smealum, Derrek, Plutoo for publishing the exploit
  • Yellows8 and Plutoo as ideators of it
  • 3dbrew community
  • bilis/b1l1s for his screen init code, and work on inegrating it into stage 2
  • dark_samus for work on integrating screen init into stage 2