This is my personal implementation of the arm9loaderhax exploit, documented here and also presented in this conference, which provides ARM9 code execution directly at console boot by exploiting a vulnerability present in New3DS arm9loader versions 9.6 and later.
It works on both New and OLD 3DS.
This exploit was found by plutoo and yellows8; I do not own the idea, just this implementation of it.
Screen_init was implemented by dark-samus in a pull request (thank you!).
Once you have installed the exploit, it will launch the arm9loaderhax.bin file from the root of your SD card directly as the console boots.
If the file is not found, the console will shut down.
After compilation you'll have three files in the data_output directory:
The .pack file contains all the content that will be installed (in the case of a full package, your console-unique data too), and has to be placed in the root of your SD card.
The .bin file is an independent payload that can be launched from Brahma2, CakeHax, Arm9LoaderHax itself (mainly for updating the exploit), and so on. It is the installer software: once you find a way to launch it, just follow the instructions.
The .3dsx file is a pre-built Brahma2 3dsx that can be launched on consoles with firmware below 9.2 through the Homebrew Launcher. It is a loader for the .bin file, which is included in the 3dsx.
When some essential parts of the software are released, you'll be able to update your setup with the installer by using .pack files that I will provide in future releases.
Some files are needed in order to make the setup compilable. Be sure to put the following files in the data_input folder; you have to find them on your own:
| Name | Description | SHA-256 |
|---|---|---|
| new3ds10.firm | New3DS NATIVE_FIRM from system version 10.2. | d253c1cc0a5ffac6b383dac1827cfb3b2d3d566c6a1a8e5254e389c2950623e5 |
| new3ds90.firm | New3DS NATIVE_FIRM from system version 9.0. | d7be76e1813f398dcea85572d0c058f7954761a1d5ea03b5eb5047ac63ac5d6b |
| secret_sector.bin | The New 3DS secret 0x96 key sector. | 82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3 |
| otp.bin | A dump of your own console's OTP data from region 0x10012000-0x10012100. Using another console's OTP will result in a brick. | (console-unique, no fixed hash) |
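Because a wrong input file can brick the console, it is worth checking the data_input folder before building. The script below is an added example and not part of this project's code: it compares the three fixed files against the SHA-256 values in the table and checks that otp.bin has the size of the dumped region; the "looks blank" heuristic for otp.bin is my own assumption, not something the installer does.

```python
import hashlib
import sys
from pathlib import Path

# Hashes copied from the README's table; otp.bin is console-unique and so
# has no fixed hash, only a known size.
EXPECTED_SHA256 = {
    "new3ds10.firm": "d253c1cc0a5ffac6b383dac1827cfb3b2d3d566c6a1a8e5254e389c2950623e5",
    "new3ds90.firm": "d7be76e1813f398dcea85572d0c058f7954761a1d5ea03b5eb5047ac63ac5d6b",
    "secret_sector.bin": "82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3",
}
OTP_SIZE = 0x10012100 - 0x10012000  # the dumped region is 0x100 bytes


def check_inputs(files):
    """files maps filename -> raw bytes (absent key = file not found).
    Returns {filename: problem description, or None if the file is fine}."""
    report = {}
    for name, expected in EXPECTED_SHA256.items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        elif hashlib.sha256(data).hexdigest() != expected:
            report[name] = "sha256 mismatch"
        else:
            report[name] = None
    otp = files.get("otp.bin")
    if otp is None:
        report["otp.bin"] = "missing"
    elif len(otp) != OTP_SIZE:
        report["otp.bin"] = f"size {len(otp)}, expected {OTP_SIZE}"
    elif len(set(otp)) == 1:
        # Heuristic (my assumption): one repeated byte means a failed dump
        report["otp.bin"] = "looks blank"
    else:
        report["otp.bin"] = None
    return report


def inputs_ok(files):
    return all(problem is None for problem in check_inputs(files).values())


def read_data_input(directory="data_input"):
    """Load whichever of the table's files exist in the data_input folder."""
    base = Path(directory)
    names = list(EXPECTED_SHA256) + ["otp.bin"]
    return {n: (base / n).read_bytes() for n in names if (base / n).is_file()}


if __name__ == "__main__":
    files = read_data_input(sys.argv[1] if len(sys.argv) > 1 else "data_input")
    for name, problem in check_inputs(files).items():
        print(f"{name}: {problem or 'ok'}")
    sys.exit(0 if inputs_ok(files) else 1)
```

Run it from the repository root (optionally passing another folder as the first argument); a non-zero exit status means at least one input should not be used for the build.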
Copyright 2016, Jason Dellaluce
Licensed under GPLv2 or any later version, refer to the license.txt file included.