From WikiTemp, the GBAtemp wiki
Revision as of 22:51, 18 December 2015 by 73.214.46.163 (The MSET exploit)

Welcome to the wonderful world of 3DS Homebrew!

To run homebrew on your 3DS you need a method to run custom code. There are currently several public exploits available which allow running unsigned code on a 3DS system.

What can I do?

What you can do depends on your installed firmware version:

| Can I...                                         | System Menu 9.3 and up                                              | System Menu 9.2 and below                                              |
|--------------------------------------------------|---------------------------------------------------------------------|------------------------------------------------------------------------|
| Run basic homebrew?                              | Yes, use a Ninjhax2 series exploit to run the Homebrew Launcher     | Yes                                                                    |
| Install custom themes?                           | Yes, use CHMM2                                                      | Yes, use ExtDataTool. Note that themes are for 9.x only.               |
| Install/extract save files?                      | Yes, use svdt                                                       | Yes, use SaveDataFiler                                                 |
| Run games from other regions (region free)?      | Yes, use the region free launcher of The Homebrew Launcher          | Yes, use a region free CFW                                             |
| Go online with a game from another region?       | Yes, as long as the game doesn't require an update                  | Yes                                                                    |
| Run 3DS ROMs?                                    | Yes, buy a Sky3DS and play ROMs from that.                          | Yes, various options.                                                  |
| Install out-of-region eShop content (like DLC)?  | No                                                                  | Yes                                                                    |
| Play modified ROMs (ROM hacks)?                  | Yes                                                                 | Yes                                                                    |
| Run DS ROMs?                                     | Yes, use a DS flashcart (Supercard DSTWO/R4i Gold)                  | Yes, use a DS flashcart (blocked carts can be unblocked with CFW)      |
| Use CFW/EmuNAND?                                 | No                                                                  | Yes                                                                    |
| Install CIA files?                               | No                                                                  | Yes                                                                    |
| Downgrade my system?                             | Only if you have a backup of your old NAND and your 3DS is hardmodded | Yes                                                                  |

Exploits

The MSET exploit

This exploit only works on 3DS System Software versions 4.1.x to 4.5.x.

This exploit is also used by flashcart manufacturers to take over the 3DS's kernel.

To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS, and you must run an NDS homebrew designed to alter the DS Profile settings strings. Opening the DS profile settings editor in the 3DS System Settings application then causes that editor to crash; the crash loads custom code into memory from the edited profile and makes the security co-processor "accidentally" execute it, which results in the homebrew being launched.

Spider exploit

This exploit works up to version 9.2.0 and grants kernel level access. It was used by flashcart manufacturers after the MSET exploit was patched.

ninjhax

Released November 20th 2014

Ninjhax is an exploit developed by Smealum to launch homebrew. It is launched via the game Cubic Ninja.

It works on 3DS System Software version 4.x to 10.x at the time of writing.

Videos: Here it is in use.

ironhax

Ironhax is an exploit for the eShop game IronFall: Invasion. It works up to system menu version 10.1, but it must be installed first, which requires the use of another exploit.

tubehax

An exploit for the YouTube application of the Nintendo 3DS, which is available for free in the eShop. It also works on 10.1.

Executable formats

There are a few different types of executables made for the 3DS at this time.

The .cxi format

This file format is used officially by the console. The .cxi container type can only be launched on a 3DS Development Unit (a 3DS released to developers).

This is not a format used by the homebrew community. It's listed for historical reasons.

The .bin format

This type is the raw format for homebrew compiled into an ARM binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, or converted into a .3ds file to be launched using a front-end homebrew launcher.

  • Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew.
  • Filename: Whatever you want, with a .bin extension
  • Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console.
  • Access level: The homebrew has full Kernel-mode access to both the ARM9 and ARM11 cores, but the console's ARM11 services are all disabled, because the public method takes over the ARM11 core from within the ARM9 core (credit to Kane49). This means you have no access to the 3D slider, sound, etc. unless you code it back yourself.
  • Restriction: When running from a broken-kernel state (Launcher.dat directly from MSET), random regions of RAM are likely to still have the NX (No-eXecute) security bit set. The program then sometimes fails to start, because the memory range it happened to be loaded into does not allow execution. This also limits the size of the application: the larger the application, the higher the chance that it lands in an NX-enabled region, so whether it starts is left to luck. The size limit is around 19-22kb. In ARM11, code is loaded into a clean memory area, but before jumping to ARM11 the code starts in ARM9 and is loaded at the same location, so the problem can occur there too.

If you get homebrew in this format, you will need a Python script to insert it into a Launcher.dat file.

Alternatively, use a script to concatenate a ROP header and footer around the payload binary file, for example with the Windows command: copy /b header+binary+footer Launcher.dat

You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's 3DS Homebrew demo package.

The Launcher.dat format

  • Boot method: The homebrew is launched directly from the MSET exploit.
  • Filename: The homebrew file is usually named "Launcher.dat", but the "MsetForBoss.dat" variant can be used with an alternate MSET exploit roploader. You can have up to two homebrew files on your console at the same time (one named Launcher.dat and one named MsetForBoss.dat), but switching between them requires switching between DS profile roploaders.
  • Requirement: You need a DS flashcart to install the MSET exploit and run the Launcher.dat homebrew.
  • Access level: Full Kernel-mode control (same as .bin homebrew).
  • Restriction: file size (same as .bin homebrew)

There are two different formats of launcher.dat/MsetForBoss.dat: unencrypted (also referred to as homebrew or non-Gateway) and encrypted (also known as Gateway-encrypted). You will need to use an alternate DS profile exploit depending on whether you are trying to run an encrypted or an unencrypted launcher.dat file. Most, if not all, MsetForBoss.dat files are unencrypted.

The .3ds / .3dsx format

  • Boot method: The homebrew is launched from a front-end launcher.
  • Filename: For Smealum's homebrew launcher use boot.3dsx, with every homebrew in its own folder. For Gateway use any name with a .3ds extension and place it on a microSD card.
  • Requirement: The Gateway method (.3ds) requires a Gateway 3DS flashcart running firmware 2.2 OMEGA or newer. Smealum's homebrew launcher (.3dsx) requires Cubic Ninja and an SD card containing boot.3dsx (either your homebrew or the homebrew launcher itself); you will also need a Wi-Fi connection to the internet from your 3DS.
  • Access level: Homebrew run using Smealum's homebrew launcher is only allowed User-mode access and gets only 30% of the system core's first CPU thread, but 100% of the second thread. As a result, the homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available. Homebrew run using Gateway has as much access as any other game.

The .cia format

This file format is used officially by the console as a container for eShop downloaded contents. It's meant to be extracted, installed and displayed on the console's system menu using its own icon.

The .cia container type can only be installed on a 3DS with installation privilege. To unlock the installation feature, you need a modified EmuNAND or Gateway 3DS v2.6 or newer.

Launching Homebrew

ATTENTION: All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console. Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter.

The .cxi format

There's currently no method to directly launch this format on a retail unit. It can, however, be launched by packaging it into a CIA.

The .bin/elf format

These formats are the raw executable.

Some ARM9 (in Launcher.dat format) experimental homebrew can launch the .bin format, but require a 3DS with a System Software version 4.x.

There's currently no .elf homebrew launcher to use with Ninjhax.

These files are usually converted to another format (dat, cia, 3ds, 3dsx) by the developers when released to the public. They can then be launched using one of the existing homebrew loading methods below.

Launcher.dat format

This exploit uses a ROP (Return-Oriented Programming) chain to gain Kernel-mode control and run a homebrew executable.

There are two ROP chain exploits you can use:

  • Gateway 3DS's ROP Chain. (Encrypted ROP Chain)
  • Fierce Waffle's Open source ROP chain. (Unencrypted ROP Chain)

The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary.

Gateway 3DS, which was the first to publicly release this exploit, encrypted their ROP chain to prevent flashcart clones. If you install the Gateway ROP chain, you will have to encrypt your Launcher.dat homebrew using their encryption key. If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS's Launcher.dat until you reinstall their own ROP chain.

There are tools to quickly encrypt or decrypt a Launcher.dat file to work with a corresponding ROP chain.

The different ROP Chain installers

  • Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.)
  • ROP Chain installer, by Fierce Waffle. It's a little unstable and can brick the DS Mode of the console. Fixing that requires a full 3DS format, which erases all data installed on the 3DS.
  • Alternate ROP Installer, by Drenn, based on Fierce Waffle's ROP Chain binary. It restores a full NVRAM dump of Drenn's DS Profile to your console. More stable than the real installer, but it fully replaces your profile information, except your WiFi settings. You can use ROP Installer Modifier to edit the DS profile information (favorite color and user name) that is written to the profile during the installation.
  • ROP MultiLoader, by SnailFace. Lets you easily choose the ROP chain you want to install.

Installing a ROP Chain

The ROP chain installation requires a DS-mode Flashcart to run the installer .nds program.

  1. Choose a ROP chain installer from the list above.
  2. Extract the NDS file if needed and place it on your MicroSD Card, then insert it into your compatible NDS-mode Flashcart.
  3. Insert the NDS-mode flashcart into your 3DS console and launch the installer.

Note: If you launch DS mode again (a DS game or a DS-mode flashcart) after installing the ROP chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew.

Launching the Homebrew

  1. Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption)
  2. Place the Launcher.dat file on the root of your SD Card.
  3. Boot the 3DS and go to Settings > Other > Profile > DS Profile.
  4. The homebrew will launch.

The .3ds format

The .3ds format requires a Gateway 3DS flashcart or an MT-Card flashcart.

Gateway 3DS Flashcart

The Gateway 3DS flashcart homebrew launcher can be used only on 3DS System versions 4.0 to 4.5. The flashcart is required because the 3DS homebrew is stored on the MicroSD card inserted in the flashcart. This homebrew launching method requires Gateway 3DS firmware version 2.2 Omega or newer.

  1. Install the Gateway 3DS ROP Chain. (See the ROP chain installation method above)
  2. Place the Gateway Launcher.dat file on the root of your SD Card.
  3. Place your homebrew on the root of your MicroSD card, formatted as FAT32 or exFAT, using any filename with a .3ds extension.
  4. Launch Gateway from the DS Profile.
  5. Press the Select button to list all homebrew on your MicroSD card and press A to mount one.
  6. Launch it like a game.

MT-Card Flashcart

The MT-Card homebrew launcher can be used only on 3DS System versions 4.0 to 4.5. The flashcart is required because the 3DS homebrew is stored on the MicroSD card inserted in the flashcart. This homebrew launching method requires MT-Card firmware version 2.0 or newer.

  1. Install the MT-Card exploit using the DS mode flashcart. (See the ROP chain installation method above)
  2. Place the MT-Card Launcher.dat file on the root of your SD Card.
  3. Place your homebrew on the root of your MicroSD card, formatted as FAT32 or exFAT, using any filename with a .3ds extension.
  4. Launch MT-Card from the DS Profile.
  5. Press the Select button to list all homebrew on your MicroSD card and press A to mount one.
  6. Launch it like a game.

The .3dsx format

The .3dsx format requires a front end to be launched first.

The Homebrew Launcher

The Homebrew Launcher lets the user run unsigned homebrew compiled in .3dsx format in User-mode on the ARM11 core. It was originally developed by smealum and gemisisDev; since its release, more developers have been helping to improve it. It exploits a vulnerability in 3DS System Software versions 4.x to 9.2.x with eShop revisions 7 to 20.

You will not need a flashcart to use it, but you will need the retail game Cubic Ninja. Cubic Ninja launched from a flashcart also works.

Installing The Homebrew Launcher

  1. Download and extract The Homebrew Starter Kit to the root of your 3DS SD card. You should now have a file named boot.3dsx and a "3ds" folder on the root of your SD card.
  2. Enable Wi-Fi and launch the Cubic Ninja game.
  3. Choose the "Create" menu and select the "QR Code" method, then the "Scan QR code" option.
  4. Go to http://smealum.net/ninjhax/#qrcode and select your System version to generate the corresponding QR code.
  5. Scan your QR code; it will download "The Homebrew Launcher" loader automatically and install it into the savegame slot of the Cubic Ninja game. It will also launch automatically after the installation.

Launching The Homebrew Launcher

  1. You don't need Wi-Fi once the launcher is installed in your Cubic Ninja savegame.
  2. Run Cubic Ninja and go to the QR Code menu. The Homebrew Launcher will load.

Place your homebrew in either one of these locations:

  1. /3ds/<homebrew_name>/boot.3dsx
  2. /3ds/<homebrew_name>/<same_as_folder_name>.3dsx
  3. /3ds/<filename>.3dsx

If you want an icon for your Homebrew to be displayed in The Homebrew Launcher, place it in either one of these locations:

  1. /3ds/<homebrew_name>/icon.bin
  2. /3ds/<homebrew_name>/<icon or folder_name>.smdh
  3. /3ds/<homebrew_name>/<icon or folder_name>.icn
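The six location rules above are easy to get wrong when hand-checking an SD card (wrong folder depth, a stray top-level boot.3dsx, an icon that never shows up). The following Python script, which is an added example and not code from The Homebrew Launcher, resolves a listing of SD-card paths into launchable entries using exactly those rules. It assumes FAT32-style case-insensitive filenames, that the relative order between icon.smdh and <folder_name>.smdh (and the same for .icn) does not matter since the page lists them together, and that a loose /3ds/<filename>.3dsx has no icon because the page documents icons only inside a homebrew folder. The sample listing and its application names are constructed for the demonstration.

```python
"""Resolve homebrew entries on a 3DS SD card following the location rules
listed on the page (added example, not The Homebrew Launcher's own code)."""
from posixpath import normpath
from typing import Dict, Iterable, List, Optional, Set

ROOT = "/3ds"
# Executable candidates inside /3ds/<name>/, in the page's order of precedence.
EXE_RULES = ["boot.3dsx", "{name}.3dsx"]
# Icon candidates inside /3ds/<name>/. The order between icon.smdh and <name>.smdh
# (and likewise for .icn) is an assumption; the page lists those two together.
ICON_RULES = ["icon.bin", "icon.smdh", "{name}.smdh", "icon.icn", "{name}.icn"]


def _parts(path: str) -> List[str]:
    """Split an SD-card path into components, tolerating '\\' separators and a missing leading '/'."""
    clean = normpath("/" + path.replace("\\", "/").lstrip("/"))
    return [p for p in clean.split("/") if p]


def _pick(files: Set[str], candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate present in files; FAT32 names compare case-insensitively."""
    lower = {f.lower(): f for f in files}
    for cand in candidates:
        if cand.lower() in lower:
            return lower[cand.lower()]
    return None


def find_homebrew(paths: Iterable[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each homebrew name to its executable path and (optional) icon path."""
    folders: Dict[str, Set[str]] = {}
    loose: List[str] = []
    for path in paths:
        parts = _parts(path)
        if len(parts) < 2 or parts[0].lower() != "3ds":
            continue                      # not under /3ds (e.g. the launcher's own /boot.3dsx)
        if len(parts) == 2:
            if parts[1].lower().endswith(".3dsx"):
                loose.append(parts[1])    # rule 3: /3ds/<filename>.3dsx
        elif len(parts) == 3:
            folders.setdefault(parts[1], set()).add(parts[2])
        # deeper nesting is not a documented location and is ignored

    entries: Dict[str, Dict[str, Optional[str]]] = {}
    for name, files in sorted(folders.items()):
        exe = _pick(files, [r.format(name=name) for r in EXE_RULES])
        if exe is None:
            continue                      # folder without a launchable file
        icon = _pick(files, [r.format(name=name) for r in ICON_RULES])
        entries[name] = {
            "exe": f"{ROOT}/{name}/{exe}",
            "icon": f"{ROOT}/{name}/{icon}" if icon else None,
        }
    for fname in sorted(loose):
        # A folder entry of the same name wins; loose files get no icon (none is documented).
        entries.setdefault(fname[:-5], {"exe": f"{ROOT}/{fname}", "icon": None})
    return entries


# Constructed sample listing (not a real card); application names are placeholders.
SAMPLE_SD = [
    "/boot.3dsx",                         # the launcher itself, not a homebrew entry
    "/3ds/example_app/example_app.3dsx",
    "/3ds/example_app/example_app.smdh",
    "/3ds/another_app/boot.3dsx",
    "/3ds/another_app/icon.bin",
    "/3ds/another_app/another_app.smdh",  # icon.bin takes precedence
    "3ds\\Mixed\\BOOT.3DSX",              # Windows-style separators, different case
    "/3ds/standalone.3dsx",
    "/3ds/notes.txt",
    "/3ds/incomplete/readme.txt",         # folder with nothing launchable
    "/3ds/nested/sub/boot.3dsx",          # too deep, not a documented location
]

if __name__ == "__main__":
    for name, entry in find_homebrew(SAMPLE_SD).items():
        print(f"{name:14} exe={entry['exe']}  icon={entry['icon']}")
```

Running the script on the sample listing yields four entries (Mixed, another_app, example_app, standalone); the incomplete folder and the over-nested file are dropped, which is the usual reason a homebrew "does not show up" in the launcher.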

The .cia format

The .cia format requires a patched firmware (CFW) or Gateway 3DS flashcart. The user needs a 3DS with a System Software version 4.0.x to 9.2.x.

Dev Menu

Currently, one of the ways to install cia files and manage installed titles is the DevMenu program from the official Nintendo 3DS development kit (SDK). This program is illegal to share and will not be linked here or on the forum. However, homebrew alternatives exist, such as Big Red Menu. To use DevMenu and install files to your NAND or EmuNAND, you need sufficient privileges, which are only available on a modified EmuNAND (commonly called "custom firmware") or using Gateway 3DS v2.6 or newer.

  • When using a modified EmuNAND, you need to permanently install the DevMenu program on your console.
  • When using Gateway 3DS, you can use BigBlueMenu, which is the DevMenu program converted to .3ds format.