From WikiTemp, the GBAtemp wiki
(ARM11 additional setup: updated link)
(ninjhax)
 
(183 intermediate revisions by 58 users not shown)
Line 1: Line 1:
Welcome to the wonderful world of 3DS Homebrew!
+
{{3DSNav}}
  
 +
Welcome to the wonderful world of '''3DS Homebrew'''!
  
To run homebrew on your 3DS you need a method to run custom code. There is currently only one public exploit (the MSET exploit) available which allows running unsigned code on a 3DS system.
+
To run homebrew on your 3DS you need a method to run custom code. There are currently several public exploits available which allow running unsigned code on a 3DS system.
A 3DS running on System Software version 4.1.x to 4.5.x is required for this exploit, but [[Smealum]] is working on a new vulnerability found on 3DS System Software version 4.x to 8.x.
+
+
+
=The different exploits=
+
==The MSET exploit==
+
This exploit only works on 3DS System Software version  4.1.x to 4.5.x
+
  
This exploit is also used by Flashcart manufacturers to take over the 3DS's kernel.
+
==What can I do?==
 +
Depends on your installed Firmware version (SysNAND):
  
This is currently the only method to run homebrew.
+
{| class="compattable"
 +
! rowspan="2" style="width:13%" | Can I...
 +
! colspan="5" | No A9LH or sighax/B9S installed (unhacked system)
 +
! rowspan="2" style="width:13%" | A9LH installed<br />(any firmware version)
 +
! rowspan="2" style="width:13%" | sighax/B9S installed<br />(any firmware version)
 +
|-
 +
! style="width:12%" | System Menu 11.4 and up
 +
! style="width:12%" | System Menu 11.3
 +
! style="width:12%" | System Menu 11.0 to 11.2
 +
! style="width:12%" | System Menu 9.3 to 10.7
 +
! style="width:13%" | System Menu 9.2 and below
 +
|-
 +
| Run basic homebrew?
 +
| {{opt|Yes}}, but only on New 3DS.
 +
| colspan="3" {{yes}}, use FreakyHax, Ninjhax, Soundhax or a previously installed exploit to run the Homebrew Launcher.
 +
| colspan="3" {{yes}} (same exploits as ≥9.3, plus Homebrew Launcher loader CIA)
 +
|-
 +
| Run arm9loaderhax/brahma homebrew?
 +
| {{no}}
 +
| colspan="3" {{opt|Yes}}, use Safehax (Only some will work)
 +
| colspan="2" {{yes}}
 +
| {{yes}} (convert to firm format or convert an A9LH boot manager to bin.)
 +
|-
 +
| Run BootROM level homebrew?
 +
| colspan="6" {{no}}
 +
| {{yes}}
 +
|-
 +
| Install Custom Themes?
 +
| {{opt|Yes}}, but only on New 3DS.
 +
| colspan="3" {{yes}}, use Themely/CHMM2
 +
| colspan="3" {{yes}}, use Themely/CHMM2/ExtDataTool.<br />Note that themes are for ≥9.x only.
 +
|-
 +
| Install/extract save files?
 +
| {{opt|Yes}}, but only on New 3DS.
 +
| colspan="3" {{yes}}, use svdt for 3DS games, TWLSaveTool for retail DS cartridges
 +
| colspan="3" {{yes}}, use SaveDataFiler or JK's SaveManager for 3DS games, TWLSaveTool for retail DS cartridges
 +
|-
 +
| Run games from other regions (regionfree)?
 +
| {{opt|Yes}}, but only on New 3DS.
 +
| colspan="4" {{yes}}, use the region free launcher of The Homebrew Launcher
 +
| colspan="3" {{yes}}, use a region free CFW
 +
|-
 +
| Go online with a game from another region?
 +
| colspan="3" {{no}}
 +
| {{yes}}, as long as the game doesn't require an update
 +
| colspan="3" {{yes}}
 +
|-
 +
| Run 3DS ROMs?
 +
| colspan="4" {{yes}}, buy a Sky3DS and play ROMs from that.
 +
| colspan="3" {{yes}}, various options.
 +
|-
 +
| Install out-of-region eShop content (like DLC)?
 +
| colspan="4" {{no}}
 +
| colspan="3" {{yes}}
 +
|-
 +
| Play modified ROMs (ROM hacks)?
 +
| {{yes}}, use a flashcart (Hans only on New 3DS)
 +
| colspan="3" {{yes}}, use HANS, or a flashcart
 +
| colspan="3" {{yes}}, use NTR CFW, HANS, a flashcart, or install as a CIA
 +
|-
 +
| Run DS ROMs?
 +
| colspan="4" {{yes}}, use a DS flashcart (Supercard DSTWO/R4i Gold)
 +
| colspan="3" {{yes}}, use a DS flashcart (blocked carts can be unblocked with CFW and/or patched TWL_FIRM)
 +
|-
 +
| Use CFW/EmuNAND?
 +
| colspan="4" {{no}}
 +
| colspan="3" {{yes}}
 +
|-
 +
| Install CIA files?
 +
| {{no}}
 +
| colspan="3" {{opt|Yes}} (Legit CIAs only)
 +
| colspan="3" {{yes}}, use a CFW with signature checks disabled to install unsigned CIAs
 +
|-
 +
| Downgrade my System?
 +
| {{Yes}}, use DSiWare or Hardmod to install CFW then downgrade.
 +
| colspan="2" {{yes}}, use Safehax.
 +
| {{yes}}, use SysUpdater CIA (on EmuNAND) or 3dsx (on SysNAND from Homebrew Launcher)
 +
| colspan="3" {{yes}}, same exploits as ≥9.3 but no need to.
 +
|-
 +
|}
 +
 
 +
<references group=note />
 +
 
 +
==Exploits==
 +
===The MSET exploit===
 +
This exploit only works on 3DS System Software version 4.1.x to 4.5.x
 +
 
 +
This exploit is also used by Flashcart manufacturers to take over the 3DS's kernel.
  
 
To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and you must run an NDS Homebrew designed to alter the DS Profile settings strings. When launching the 3DS System Settings application's DS profile settings editor, it will cause the application that edits the DS profile to crash, and this crash pushes custom code into memory from within the edited profile and makes the security co-processor "accidentally" load that code, resulting in homebrew being launched.
 
To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and you must run an NDS Homebrew designed to alter the DS Profile settings strings. When launching the 3DS System Settings application's DS profile settings editor, it will cause the application that edits the DS profile to crash, and this crash pushes custom code into memory from within the edited profile and makes the security co-processor "accidentally" load that code, resulting in homebrew being launched.
  
 +
===Spider exploit===
 +
This exploit works up to version 9.2.0 and grants kernel level access. It was used by flashcart manufacturers after the MSET exploit was patched.
  
''Go to the [[MSET exploit]] page, or [http://www.fiercewaffle.com/blogpost.php?id=1 on this blog] to read more information on the hack itself.''
+
===arm9loaderhax===
 +
* Released by [[User:delebile|delebile]]. Exploit discovered by [[User:WulfyStylez|WulfyStylez]], [[User:Dazzozo|Dazzozo]], [[User:shinyquagsire23|shinyquagsire23]], [[User:plutoo|plutoo]], [[User:Normmatt|Normmatt]], and [[User:yellows8|yellows8]].
 +
* Requires an exploit on ≤9.2 in order to install; must be built from source, using the console-specific OTP hash
 +
* Exploits a vulnerability in arm9loader to execute ARM9 code directly at boot (arm9loaderhax.bin)
 +
* Works on New 3DS, Old 3DS, and 2DS in the EUR, JAP, or USA regions up to 11.5
 +
* Can be used with an [https://github.com/Plailect/Guide/wiki updated SysNAND] (up to 11.5).
 +
* [https://github.com/delebile/arm9loaderhax Source]
 +
* [http://delebile.bplaced.net/topic.php?id=9 Documentation 1], [https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/ Documentation 2]
 +
* [https://github.com/Plailect/Guide/wiki Guide]
 +
* [https://www.youtube.com/watch?v=QKNLa8I8hPQ Video]
  
==SSSpwn Exploit (Name may not be final)==
+
===Boot9Strap===
Unreleased.
+
* Requires an exploit on ≤11.3 , or hardmod/DSiWarehax in order to install. (Or the upcoming ntrboothax)
 +
* Exploits a vulnerability in the bootrom.
 +
* Works on New 3DS, New 2DS, Old 3DS, and 2DS in the EUR, JAP, or USA regions up to 11.5.
 +
* Can be used with an [https://3ds.guide updated SysNAND] (up to 11.5).
 +
* [https://github.com/SciresM/boot9strap Source]
 +
* [https://sciresm.github.io/33-and-a-half-c3 Documentation]
 +
* [https://3ds.guide Guide]
  
[[Smealum]] uses this exploit for his homebrew launcher.
+
===ninjhax===
It works on 3DS System Software version 4.x to 8.x at the time of writing.
+
* Released by [[User:smealum|Smealum]]
It is planned to be usable from 3DS System Software version 4.x to the newest available 3DS System Software version at the time of release.
+
* Uses an exploit in sharing user-created levels in the game ''Cubic Ninja'' to launch homebrew.
+
* Works up to 11.5.
+
* [https://github.com/smealum/ninjhax/ Source]
=The executable formats=
+
* [https://www.youtube.com/watch?v=iKjuy3-z054 Video]
  
There are a few different types of executables made for the 3DS at this time.
+
===ironhax===
 +
* Released by [[User:smealum|Smealum]]
 +
* Requires an exploit in order to install
 +
* Uses a save game exploit for ''IronFall: Invasion'' in order to launch homebrew.
 +
* Works up to 10.3
 +
* [https://github.com/smealum/ironhax Source]
  
'''The .cxi format'''
+
===tubehax===
 +
* Released by [[User:smealum|Smealum]]
 +
* Uses a DNS server to redirect the app's traffic to a exploitable webpage.
 +
* Technically works up to 10.1, but older Youtube versions are blocked by Nintendo, effectively killing the exploit
 +
* [https://github.com/smealum/tubehax Source]
 +
 
 +
===browserhax===
 +
* Released by [[User:yellows8|yellows8]].
 +
* A collection of webkit exploits for the use of launching 3DS homebrew.
 +
* Works up to 11.0
 +
* [https://github.com/yellows8/3ds_browserhax_common Source]
 +
 
 +
===oot3dhax===
 +
* Released by [[User:yellows8|yellows8]].
 +
* Requires an exploit or PowerSaves device in order to install
 +
* Uses a save game exploit for ''The Legend of Zelda: Ocarina of Time 3D'' in order to launch homebrew.
 +
* Works up to 11.5.0-38.
 +
* [https://github.com/yellows8/oot3dhax Source]
 +
 
 +
===smashhax===
 +
* Released by [[User:yellows8|yellows8]]
 +
* Only works on N3DS.
 +
* Uses a exploit in local multiplayer for ''Smash Bros for 3DS'' by acting like a fake beacon for sessions.
 +
* Works up to 11.2. Fixed in v11.3
 +
* [https://github.com/yellows8/3ds_smashbroshax Source]
 +
 
 +
===menuhax (AKA themehax, HomeMenuHax)===
 +
* Released by [[User:yellows8|yellows8]]
 +
* Uses a exploit in themedata used by the home menu in order to launch homebrew.
 +
* Works up to 11.2
 +
* [https://github.com/yellows8/3ds_homemenuhax Source]
 +
 
 +
===Freakyhax (AKA Freakyformshax)===
 +
* Released by [[User:Qlutoo|Qlutoo]]
 +
* Uses a exploit in the games Qr code loader.
 +
* Works up to 11.0
 +
* [http://plutooo.github.io/freakyhax/ Website]
 +
 
 +
===BASICSploit===
 +
* Released by [[User:MrNbaYoh|MrNbaYoh]]
 +
* Uses an exploit in BG handling
 +
* Works up to 11.0.33
 +
* Only USA 3.2.1 version for now
 +
* [http://mrnbayoh.github.io/basicsploit/ Website]
 +
 
 +
==Executable formats==
 +
There are a few different types of executables made for the 3DS at this time.
  
 +
===The .cxi format===
 
This file format is used officially by the console. The .cxi container type can only be launched on a 3DS Development Unit (A 3DS released to developers).
 
This file format is used officially by the console. The .cxi container type can only be launched on a 3DS Development Unit (A 3DS released to developers).
  
This is not a format used by the homebrew community. It's listed for historical reasons.
+
It is used by later versions of [https://github.com/neobrain/braindump Braindump].
+
+
'''The .bin format'''
+
  
This type is the raw format for homebrew compiled into an ARM binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, or converted into a .3ds file to be launched using a front-end homebrew launcher.
+
===The .bin format===
 +
This type is the raw format for homebrew compiled into an ARM binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, converted into a .3ds file to be launched using a front-end homebrew launcher, or launched as-is with an arm9loader exploit.
  
* Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew.
+
* Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew  
 
* Filename: Whatever you want, with a .bin extension
 
* Filename: Whatever you want, with a .bin extension
 
* Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console.
 
* Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console.
Line 48: Line 198:
 
* Restriction: When running from a broken-kernel state (Launcher.dat direct from MSET), random regions of the RAM are likely to have the NX (No-eXecute) security bit still active on them. This causes the program to sometimes not be able to start as the memory is set to not allow execution from the address range the program was unluckily loaded into. This also limits the size of the application, as when the application is larger, the chance of it landing in NX-enabled regions is significantly larger than if it is smaller, leaving the likeliness of it being able to start, up to luck. The size limit is around 19-22kb. In ARM11, code is loaded in a clean memory area, but before jumping to ARM11 it starts in ARM9 and is loaded in the same location, so the problem could happen too.
 
* Restriction: When running from a broken-kernel state (Launcher.dat direct from MSET), random regions of the RAM are likely to have the NX (No-eXecute) security bit still active on them. This causes the program to sometimes not be able to start as the memory is set to not allow execution from the address range the program was unluckily loaded into. This also limits the size of the application, as when the application is larger, the chance of it landing in NX-enabled regions is significantly larger than if it is smaller, leaving the likeliness of it being able to start, up to luck. The size limit is around 19-22kb. In ARM11, code is loaded in a clean memory area, but before jumping to ARM11 it starts in ARM9 and is loaded in the same location, so the problem could happen too.
  
 
+
If you get homebrew in this format and do not have a way to launch a raw .bin file, you will need a python script to insert it into a Launcher.dat file.
If you get homebrew in this format, you will need a python script to insert it into a Launcher.dat file.
+
  
 
* [https://github.com/naehrwert/p3ds 3DS Python Tool] by Naehrwert.
 
* [https://github.com/naehrwert/p3ds 3DS Python Tool] by Naehrwert.
Line 58: Line 207:
  
 
You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's [[3DS Homebrew demo (Snailface)|3DS Homebrew demo]] package.
 
You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's [[3DS Homebrew demo (Snailface)|3DS Homebrew demo]] package.
+
 
+
===The Launcher.dat format===
'''The Launcher.dat format'''
+
 
* Boot method: The homebrew is launched directly from the MSET exploit.
 
* Boot method: The homebrew is launched directly from the MSET exploit.
* Filename: The homebrew filename is always "Launcher.dat", as that is the expected string hard-coded into the MSET exploit's publicly available ROP chains, so you can't have multiple homebrew at the same time on your console.  
+
* Filename: The homebrew filename is usually "Launcher.dat" but can come using the "MsetForBoss.dat" variant using a alternate MSET exploit roploader, you can have upto 2 homebrew files at the same time on your console (one using the launcher.dat file name and one with the name MsetForBoss.dat), but it requires switch between DS profile roploaders to alternate which file will be loaded.  
 
* Requirement: You need a DS flashcart to install the MSET vulnerability and run the Launcher.dat homebrew.
 
* Requirement: You need a DS flashcart to install the MSET vulnerability and run the Launcher.dat homebrew.
 
* Access level: Full Kernel-mode control (same as .bin homebrew).
 
* Access level: Full Kernel-mode control (same as .bin homebrew).
 
* Restriction: file size (same as .bin homebrew)
 
* Restriction: file size (same as .bin homebrew)
  
 +
There are 2 different formats of launcher.dat/MsetForBoss.dat, unencrypted(also referred to as homebrew or non gateway), and encrypted(also known as gateway encrypted) you will need to use a alternate DS profile exploit depending on whether you are trying to run a encrypted or unencrypted launcher.dat file, but most if not all MsetForBoss.dat files are unencrypted
  
'''The .3ds format'''
+
===The .3ds / .3dsx format===
 
* Boot method: The homebrew is launched from a front end launcher.
 
* Boot method: The homebrew is launched from a front end launcher.
* Filename: The homebrew filename can be what you want and ends with .3ds extension.  
+
* Filename: For Smealum's homebrew launcher use boot.3dsx, every homebrew has a different folder. For Gateway use any name .3ds and place in on a microSD.
* Requirement: There is currently only one front end, which is based on the work done by Smealum to create a homebrew environment, and requires a [[Gateway 3DS]] flashcart running firmware 2.2 OMEGA or newer.
+
* Requirement: For the gateway (.3ds) requires a [[Gateway 3DS]] flashcart running firmware 2.2 OMEGA or newer. For Smealum's homebrew launcher (.3dsx) requires a [[ninjhax]] exploit and an SD card with boot.3dsx (can be either your homebrew or the homebrew launcher) files on it you'll also need a wifi connection to the internet from your 3DS.
* Access level: The homebrew is only allowed User-mode access and has access to only 30% of the system core's first CPU thread, and 100% access to the second thread. As a result, the homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available.
+
* Access level HBL with ≥9.2 SysNAND: The homebrew is usually only allowed User-mode access and has access to only 30% of the system core's first CPU thread, and 100% access to the second thread, although it can gain limited system access by using [[memchunkhax2]]. As a result, most homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available.
 +
* Access level HBL with ≤9.2 SysNAND: Homebrew is allowed system access if using a CFW with signature checks disabled.
 +
* Access level Gateway: Homebrew ran using the gateway will have as much access as any other game.
  
=Launching Homebrew=
+
===The .cia format===
 +
This file format is used officially by the console as a container for eShop downloaded contents.
 +
It's meant to be extracted, installed and displayed on the console's system menu using its own icon.
  
 +
The .cia container type can only be installed on a 3DS with installation privilege. To unlock the installation feature, you need a modified emuNAND/ sysNAND or Gateway 3DS v2.6 or newer.
 +
 +
==Launching Homebrew==
 
'''ATTENTION''': All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console.
 
'''ATTENTION''': All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console.
 
Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter.
 
Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter.
  
 +
===The .cxi format===
 +
There's currently no method to directly launch this format on a retail unit. It can, however, be launched by packaging it into a CIA.
 +
 +
===The .bin/elf format===
 +
These formats are the raw executable.
 +
* There's currently no .elf homebrew launcher to use with Ninjhax.
 +
* These files are sometimes converted to another format (dat, cia, 3ds, 3dsx) by the developers when released to public. Then can then be launched using a different homebrew loading method.
 +
* Some ARM9 (in Launcher.dat format) experimental homebrew can launch the .bin format, but require a 3DS with a System Software version 4.x.
 +
* [[Arm9loaderhax]] is capable of launching homebrew in .bin format on System Software version 9.x to 11.x.
  
==The Launcher.dat format==
+
===Launcher.dat format===
 
This exploit works by using a ROP (Return-Oriented Programming) Chain to get access to Kernel-mode control and run a homebrew executable.
 
This exploit works by using a ROP (Return-Oriented Programming) Chain to get access to Kernel-mode control and run a homebrew executable.
  
Line 86: Line 251:
 
* [[Gateway 3DS]]'s ROP Chain. (Encrypted ROP Chain)
 
* [[Gateway 3DS]]'s ROP Chain. (Encrypted ROP Chain)
 
* Fierce Waffle's  [http://www.fiercewaffle.com/softwareArticle.php?id=10 Open source] ROP chain. (Unencrypted ROP Chain)
 
* Fierce Waffle's  [http://www.fiercewaffle.com/softwareArticle.php?id=10 Open source] ROP chain. (Unencrypted ROP Chain)
 
  
 
The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary.
 
The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary.
Line 93: Line 257:
 
If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS's Launcher.dat until you reinstall their own ROP chain.
 
If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS's Launcher.dat until you reinstall their own ROP chain.
  
There are [[List of applications for 3DS|tools]] to quickly encrypt or decrypt a Launcher.dat file to work with a corresponding ROP chain.
+
There are [[List of 3DS homebrew applications#Utilities|tools]] to quickly encrypt or decrypt a Launcher.dat file to work with a corresponding ROP chain.
+
 
   
 
   
=== The different ROP Chain installers===
+
====The different ROP Chain installers====
 
* Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.)
 
* Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.)
 
* [http://www.mediafire.com/download/6j9v70csj4g75it/ROPLoader.nds ROP Chain installer], by [[Fierce Waffle]]. It's a little unstable and can brick the DS Mode of the console. It requires a full 3DS format to fix it. You will lose all your data installed on 3DS if you format it.
 
* [http://www.mediafire.com/download/6j9v70csj4g75it/ROPLoader.nds ROP Chain installer], by [[Fierce Waffle]]. It's a little unstable and can brick the DS Mode of the console. It requires a full 3DS format to fix it. You will lose all your data installed on 3DS if you format it.
 
* [http://gbatemp.net/threads/alternate-rop-installer.361185/ Alternate ROP Installer], by [[Drenn]], based on Fierce Waffle ROP Chain binary. It's restoring a full NVRAM dump of Drenn's DS Profile to your console. More stable than using the real installer, but it will fully replace your profile information, except your WiFi settings. You can use [[List of applications for 3DS|ROP Installer Modifier]] to edit the DS profile information (Favorite color and user name) to be written to the profile during the installation.
 
* [http://gbatemp.net/threads/alternate-rop-installer.361185/ Alternate ROP Installer], by [[Drenn]], based on Fierce Waffle ROP Chain binary. It's restoring a full NVRAM dump of Drenn's DS Profile to your console. More stable than using the real installer, but it will fully replace your profile information, except your WiFi settings. You can use [[List of applications for 3DS|ROP Installer Modifier]] to edit the DS profile information (Favorite color and user name) to be written to the profile during the installation.
* [http://filetrip.net/3ds-downloads/homebrew/download-rop-multi-loader-1-1-f32900.html ROP MultiLoader], by [[SnailFace]]. Lets you easily choose the ROP chain you want to install.
+
* [http://filetrip.net/3ds-downloads/homebrew/download-ropmultiloader-1-1-f32981.html ROP MultiLoader], by [[SnailFace]]. Lets you easily choose the ROP chain you want to install.
+
 
+
====Installing a ROP Chain====
===Installing a ROP Chain===
+
 
The ROP chain installation requires a DS-mode Flashcart to run the installer .nds program.
 
The ROP chain installation requires a DS-mode Flashcart to run the installer .nds program.
  
Line 111: Line 273:
  
 
Note: If you launch the DS-mode again (DS Game or DS mode Flashcart) after installing the ROP Chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew.
 
Note: If you launch the DS-mode again (DS Game or DS mode Flashcart) after installing the ROP Chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew.
+
 
+
====Launching the Homebrew====
===Launching the Homebrew===
+
 
# Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption)
 
# Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption)
 
# Place the Launcher.dat file on the root of your SD Card.
 
# Place the Launcher.dat file on the root of your SD Card.
Line 119: Line 280:
 
# The homebrew will launch.
 
# The homebrew will launch.
  
==The .3ds format==
+
===The .3ds format===
 
+
The .3ds format requires a gateway 3DS flashcart or a MT-card flashcart.
The .3ds homebrew use ctrulib libraries instead of being developed on bare ARM commands.
+
 
+
The .3ds format requires a front end to be launched first.
+
There are actually two front ends you can use currently.
+
 
   
 
   
===Gateway 3DS Flashcart===
+
====Gateway 3DS Flashcart====
 +
The Gateway 3DS flashcart homebrew launcher can be used only on a 3DS System version 4.0 to 9.2. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart.
 +
This Homebrew launching method requires the Gateway 3DS firmware version 2.2 Omega or newer.
  
This Front end require the Gateway 3DS Flashcart and the Omega 2.2+ firmware only.
+
#(4.x only) Install the Gateway 3DS ROP Chain. (See the [[#The different ROP Chain installers|ROP chain installation method]] above)
It's launched using the Launcher.dat exploit and thus works only on 3DS System version 4.0 to 4.5.
+
#Place the Gateway Launcher.dat file on the root of your SD Card.
 
+
#Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
#Install the Gateway 3DS ROP Chain.
+
#(4.x) Launch Gateway from the DS Profile. / (9.x) Open the web browser and visit http://go.gateway-3ds.com/ and launch Gateway mode.
#Place the Gateway 2.2 Omega Launcher.dat file on the root of your SD Card.
+
#Place your homebrew on your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
+
#Launch Gateway from the DS Profile and update your card's firmware if required.
+
 
#Press Select button to list all homebrew on your MicroSD card and press A to mount it.
 
#Press Select button to list all homebrew on your MicroSD card and press A to mount it.
 
#Launch it like a game.
 
#Launch it like a game.
 
 
===The 3DS Homebrew Launcher===
 
  
The 3DS Homebrew Launcher lets the user run unsigned homebrew compiled in .3ds format, with the same User-mode permissions as the Gateway loader.
+
====MT-Card Flashcart====
It's being developed by [[Smealum]] and [https://twitter.com/gemisisDev gemisisDev], and is planned to exploit a vulnerability in 3DS System Software versions 4.x to 8.x, found by [[Smealum]], to run homebrew in User-mode on the ARM11 core.
+
The MT-Card homebrew launcher can be used only on a 3DS System version 4.0 to 4.5. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart.
 +
This Homebrew launching method requires the MT-Card firmware version 2.0 or newer.
  
You will not need a Flashcart to use it.
+
#Install the MT-Card exploit using the DS mode flashcart. (See the [[#The different ROP Chain installers|ROP chain installation method]] above)
 
+
#Place the MT-Card Launcher.dat file on the root of your SD Card.
As the exploit and loader are yet to be released, the launching method is yet to be know.
+
#Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
 
+
#Launch MT-Card from the DS Profile.
=Developing homebrew for 3DS=
+
#Press Select button to list all homebrew on your MicroSD card and press A to mount it.
 
+
#Launch it like a game.
If you have any questions, you can come to GBATemp's main [http://gbatemp.net/threads/homebrew-development.360646/ homebrew development and help thread]. It contains shared sources, examples and libraries.
+
 
+
You can find all known resources (hardware registers, syscalls, utilities) to develop your homebrew on http://3dbrew.org.
+
 
+
 
+
To develop 3DS homebrew you need a development environment consisting of tools, scripts and libraries which will be detailed below.
+
The languages used to write homebrew is C, C++ and ASM, then the sources are compiled to binary using GNU GCC-ARM and Devkit pro with DevkitARM. It will also require Python if you plan to create ARM9 homebrew (Launcher.dat format).
+
The available tools and SDK work on Windows 32/64bit and Linux.
+
 
+
==Development environment==
+
===ARM9 and ARM11 setup===
+
 
+
'''1. Install Python 2.7.x'''
+
 
+
Note: You can skip this step if you want. Go to step 2. directly if you don't want to use Python to compile your homebrew.
+
 
+
 
+
* [https://www.python.org/downloads/ Download] the latest version of Python 2.7.x
+
* Install Python on your computer.
+
* If you are on Linux, add Python to your environment variable $PATH
+
* If you are on Windows, install it in C:\Python27\, and it should edit the environment variable "Path" automatically.
+
If you need to do it manually, follow this steps:
+
- Go to My Computer > Right-click > Properties > Advanced tab > Environment variables > System variables
+
- In the list search for "Path", select it and press Edit/Modify
+
- At the end of the line, add this:
+
;C:\Python27
+
It will allow you to call the Python program from any place by typing "Python" in a command line window.
+
 
+
 
+
'''2. Install a compiler'''
+
 
+
* Install DevkitPro + DevkitARM by following [http://sourceforge.net/projects/devkitpro/files/Automated%20Installer/ this guide] if you are using Linux or Mac.
+
* If you are using Windows, use the  [http://sourceforge.net/projects/devkitpro/files/Automated%20Installer/ automated-installer]. Install in C:\devkitPro\ and it will install all the latest versions of the required programs (you can disable DevKit PSP). It will create the environment variables automatically.
+
 
+
 
+
You can install and use [https://launchpad.net/gcc-arm-embedded GNU Tools for ARM Embedded Processors] as alternate compiler, but it will not be enough to develop ARM11 homebrew as you will need additional libraries provided by DevkitPro.
+
If you use this compiler for ARM9 homebrew, you will also need to add the ARM binaries path to your environment variables. Follow the previous Python steps to add this path:
+
;C:\Program Files\GNU Tools ARM Embedded\''4.8 2013q4''\bin
+
Attention, change the version in the path, do not keep ''4.8 2013q'' but use the one you installed instead.
+
 
+
 
+
'''3. Build script'''
+
 
+
To compile your homebrew sources to an executable binary file you can use either a Python script or a Makefile script.
+
Makefile is easier, but this guide will also detail how the Python package is created to cover and understand all installation steps.
+
 
+
 
+
There are two packages ready to download: One for [http://gbatemp.net/attachments/3ds_homebrew_demo-zip.5947/ Python] and one for [http://gbatemp.net/attachments/3ds_homebrew_makefileedition-zip.5960/ Makefile], both made by [[Snailface]].
+
Just download the one you want and extract it in any folder. This will become your homebrew working folder.
+
Create one copy per homebrew you are developing.
+
 
+
 
+
This is how the Python package has been created:
+
* Download the files from [https://github.com/insaneKane/3DS_Homebrew_Stuff2 Kane49's github], and extract to a folder of your choice.
+
* Download the files from [https://github.com/naehrwert/p3ds Naehrwert's gitHub], and extract the files and the folder into the p3ds folder from the previous download.
+
* For Linux users, download the modified [https://www.dropbox.com/s/jyzhkk9giy1saq0/build.py.zip build.py] file from [[Tomiga]] to replace the one you downloaded from Kane49's repository.
+
* Open build.by and replace both instances of:
+
"-mcpu=mpcore -march=armv6k"
+
to
+
"-mcpu=arm946e-s -march=armv5te".
+
* Comment the lines:
+
#run("copy Launcher.dat E:\\Launcher.dat > NUL")
+
#upload("Launcher.dat")
+
#run("del payload.bin")
+
 
+
 
+
 
+
 
+
===ARM11 additional setup===
+
 
+
If you want to created homebrew in .3ds format to be launched from SSSPwn exploit or from a Gateway 3DS flashcart, you will need additional steps.
+
 
+
* If you didn't install DevkitPro in previous step, do it now. You need to install DevkitARM and all NDS Libraries.
+
* Download [https://github.com/smealum/ctrulib CTRULib] from Smealum's gitHub. (There's a package with pre-compiled libraries, but doing it yourself will help you understand how to update it manually)
+
* Download the [https://gist.github.com/3DSGuy/53475c0cc74996b1606e linker script] for Gateway flashcart 3DS Homebrew, by [[3DSGuy]].
+
* Extract the downloaded gitHub package to a new folder. (You can rename the ctrulib-master to another folder name, we will use "3DSHomebrew" name as example for next steps).
+
* Rename ctr_homebrew.ld to ccd00.ld and place it in the arm11u folder in the root directory of ctrulib-master (example: "3DSHomebrew/arm11u/ccd00.ld").
+
* Now, compile the CTRU libraries : Open a command line window, go to ctrulib-master/libctru/ folder (or "3DSHomebrew/libctru/") and type "make" command, then enter.
+
 
+
 
+
 
+
Follow the same layout than the examples provided with CTRUlib to create your homebrew project:
+
 
+
You need to create a folder in your CTRULib-master (or 3DSHomebrew) folder, name it like you want. example: /3DSHomebrew/myFirstHomebrew/
+
Inside, you need a makefile and create another folder named "source" where you will put your homebrew source files.
+
 
+
 
+
You can find a [http://filetrip.net/dl?L8XiLzNOZt folder template] provided by [[YoshiInAVoid]] for starting new homebrew project.
+
 
+
Extract the "3DSTemplate" folder in CTRULib, you should have both the 3DSTemplate and libctru folders in the same level:
+
 
+
- CTRULib-master/ (or 3DSHomebrew)
+
  - libctru/
+
  - 3DSTemplate/
+
      - source/
+
        - main.cpp
+
        - ...
+
      - makefile
+
      - ccd00.ld
+
      - ...
+
 
+
 
+
You can find another full standalone [http://gbatemp.net/attachments/3dstemplate-zip.8000/ template] by [[Snailface]], it contains an old pre-compiled CTRUlib version, but it's just another example to show how to manage the folders for your own homebrew.
+
 
+
==Writing your first code==
+
Maybe link to a different page starting from here.
+
 
+
Make a hello world example from scratch.
+
 
+
==Compiling==
+
 
+
===ARM9===
+
 
+
If you are using Python to compile your homebrew:
+
* In your development folder, open a command line and type "Python build.py"
+
* You can also run Build.bat
+
 
+
 
+
If you are using makefile:
+
* In your development folder, open a command line and type "make"
+
* You can also run Build.bat
+
 
+
 
+
Your homebrew will be compiled as a Payload.bin and will be encapsulated into a Launcher.dat file ready to launch using a ROP exploit.
+
You can provide both the .bin and .dat file when you share your homebrew.
+
 
+
 
+
===ARM11===
+
 
+
* Open a command line window and navigate to your homebrew folder and type "make".
+
It will create a <folder name of your project>.elf file.
+
 
+
 
+
To convert the elf file to .3ds format:
+
 
+
* Download [http://3dbrew.org/wiki/Makerom MakeROM] by [[3DSGuy]].
+
* [http://www.mediafire.com/download/4ckk6tmqcq11rai/CTR.zip Alternative Download Link]
+
* Extract it to a new folder.
+
* If you don't want to make homebrew for Gateway 3DS flashcart, you can find file requirement and command line format to use with MakeROM on [http://3dbrew.org/wiki/Makerom 3dbrew.org].
+
 
+
 
+
* If you want to make the .3ds file working on Gateway 3DS flashcart homebrew menu, download the [https://www.dropbox.com/s/emnre6pyz2e6j7j/gwcardhbfiles.zip Gateway Card Homebrew Files], by [[3DSGuy]], and extract its content into the Makerom folder.
+
* Open a command line window and navigate to the MakeROM folder.
+
* type
+
build <elf file> <output 3ds file>
+
where <elf.file> is the name of your homebrew.elf, and <output 3ds file> is the name of the .3ds file
+
  
example
+
===The .3dsx format===
build myproject.elf AwesomeGame.3ds
+
The .3dsx format requires a front end to be launched first.
  
 +
====The Homebrew Launcher====
 +
[[The Homebrew Launcher]] lets the user run unsigned homebrew compiled in .3dsx format in User-mode on the ARM11 core.
 +
It was originally developed by [[smealum]] and [https://twitter.com/gemisisDev gemisisDev], since its release more developers are helping and improving it. It exploits a vulnerability in 3DS a System Software versions 4.x to 9.2.x with eShop revision 7 to 20.
  
===Making your own Homebrew Icon and Banner===
+
You will not need a Flashcart to use it, but will need the retail game Cubic Ninja.
 +
Cubic Ninja launched from a flashcart is working too.
  
If you want to create your own banner and icon for ARM11 homebrew, you can use [[3DS Banner Maker]], by [[Snailface]], to convert png pictures to the correct format used by MakeROM.
+
Installing The Homebrew Launcher
It requires Python 2 and PIL (Python Image Library).
+
# Download and extract [http://smealum.net/ninjhax/dl/starter.zip The Homebrew Starter Kit] to the root of your 3DS SD Card. You should now have a file named boot.3dsx and a "3ds" folder on the root of your SD Card.
 +
# Enable Wifi and launch Cubic Ninja game
 +
# Choose the "Create" menu and select "QR Code" method, then "Scan QR code" option.
 +
# Go to http://smealum.net/ninjhax/#qrcode and select your System version to generate the corresponding QR Code
 +
# Scan your QR code and it will download "The Homebrew Launcher" loader automatically and install it into the Savegame slot of Cubic Ninja game. It will also launch automatically after the Installation.
  
==Releasing==
+
Launching The Homebrew Launcher
Please create (and maintain) a page on this Wiki and/or 3dbrew about your homebrew.
+
# You don't need Wifi once it's already installed to your Cubic Ninja game.
It will help referencing it, and will be easier for everyone to find if there's any update and follow your homebrew progress, sources and links.
+
# Run Cubic Ninja and go to QR Code menu. The Homebrew Launcher will load.
  
When you release the homebrew, provide (along the sources if your project is open) all the compiled files:
+
Place your homebrew in either one of these locations:
 +
#/3ds/<homebrew_name>/boot.3dsx
 +
#/3ds/<homebrew_name>/<same_as_folder_name>.3dsx
 +
#/3ds/<filename>.3dsx
  
For ARM9 homebrew, the .bin and .dat file. If you want you can also provide both signed and unsigned .dat file to prevent the user to check if the file is signed or not, or tell the user if it's signed for Gateway ROP exploit or unsigned for the open source ROP exploit.
+
If you want an icon for your Homebrew to be displayed in The Homebrew Launcher, place it in either one of these locations:
 +
#/3ds/<homebrew_name>/icon.bin
 +
#/3ds/<homebrew_name>/<icon or folder_name>.smdh
 +
#/3ds/<homebrew_name>/<icon or folder_name>.icn
  
For ARM11 homebrew, the .elf and the .3ds file.
+
===The .cia format===
 +
The .cia format requires a patched firmware (CFW) or Gateway 3DS flashcart. The user needs a 3DS with a System Software version 4.0 to 11.2 For unsigned .CIA files.
 +
Consoles between 9.3 and 11.2 have exploits allowing "legit CIA" files to be installed.
  
The elf and bin could be useful in case the file need to be repack later using a different makeROM (one for gateway 3DS, one for Smealum's Homebrew loader, etc.), or a different ROP exploit.
+
====Dev Menu====
 +
Currently, one of the ways to install cia files and manage installed titles is by using DevMenu program from the official Nintendo 3DS development kit (SDK). This program is illegal to share and will not be linked here or on the forum. However, homebrew alternatives exist such as FBI and Big Red Menu.
 +
To use DevMenu and install files to your sysNAND or emuNAND, you need enough privileges which is only possible on a modified emuNAND or sysNAND (commonly called "custom Firmware") or using Gateway 3DS v2.6 or newer.
  
Elf file can also be used on 3DS Emulators (currently two available, [http://gbatemp.net/threads/citra-new-3ds-emulator.365154/ Citra] and [http://gbatemp.net/threads/3dmoo-new-3ds-emulator.366138/ 3DMoo] ), while the .dat and .3ds format are not always supported or working fine.
+
- When using a modified emuNAND or sysNAND you need to permanently install DevMenu program on your console.
  
 +
- When using Gateway 3DS you can use BigBlueMenu, which is the DevMenu program converted to .3ds format.
  
[[Category:Nintendo 3DS]]
+
[[Category:Nintendo 3DS|Homebrew]]
[[Category:3DS Homebrew]]
+
[[Category:3DS Homebrew| ]]
[[Category:3DS ARM9 Homebrew]]
+
[[Category:3DS ARM9 Homebrew| ]]
[[Category:3DS ARM11 Homebrew]]
+
[[Category:3DS ARM11 Homebrew| ]]

Latest revision as of 19:25, 22 July 2017

Welcome to the wonderful world of 3DS Homebrew!

To run homebrew on your 3DS you need a method to run custom code. There are currently several public exploits available which allow running unsigned code on a 3DS system.

What can I do?

Depends on your installed Firmware version (SysNAND):

Can I... No A9LH or sighax/B9S installed (unhacked system) A9LH installed
(any firmware version)
sighax/B9S installed
(any firmware version)
System Menu 11.4 and up System Menu 11.3 System Menu 11.0 to 11.2 System Menu 9.3 to 10.7 System Menu 9.2 and below
Run basic homebrew? Yes, but only on New 3DS. Yes, use FreakyHax, Ninjhax, Soundhax or a previously installed exploit to run the Homebrew Launcher. Yes (same exploits as ≥9.3, plus Homebrew Launcher loader CIA)
Run arm9loaderhax/brahma homebrew? No Yes, use Safehax (Only some will work) Yes Yes (convert to firm format or convert an A9LH boot manager to bin.)
Run BootROM level homebrew? No Yes
Install Custom Themes? Yes, but only on New 3DS. Yes, use Themely/CHMM2 Yes, use Themely/CHMM2/ExtDataTool.
Note that themes are for ≥9.x only.
Install/extract save files? Yes, but only on New 3DS. Yes, use svdt for 3DS games, TWLSaveTool for retail DS cartridges Yes, use SaveDataFiler or JK's SaveManager for 3DS games, TWLSaveTool for retail DS cartridges
Run games from other regions (regionfree)? Yes, but only on New 3DS. Yes, use the region free launcher of The Homebrew Launcher Yes, use a region free CFW
Go online with a game from another region? No Yes, as long as the game doesn't require an update Yes
Run 3DS ROMs? Yes, buy a Sky3DS and play ROMs from that. Yes, various options.
Install out-of-region eShop content (like DLC)? No Yes
Play modified ROMs (ROM hacks)? Yes, use a flashcart (Hans only on New 3DS) Yes, use HANS, or a flashcart Yes, use NTR CFW, HANS, a flashcart, or install as a CIA
Run DS ROMs? Yes, use a DS flashcart (Supercard DSTWO/R4i Gold) Yes, use a DS flashcart (blocked carts can be unblocked with CFW and/or patched TWL_FIRM)
Use CFW/EmuNAND? No Yes
Install CIA files? No Yes (Legit CIAs only) Yes, use a CFW with signature checks disabled to install unsigned CIAs
Downgrade my System? Yes, use DSiWare or Hardmod to install CFW then downgrade. Yes, use Safehax. Yes, use SysUpdater CIA (on EmuNAND) or 3dsx (on SysNAND from Homebrew Launcher) Yes, same exploits as ≥9.3 but no need to.


Exploits

The MSET exploit

This exploit only works on 3DS System Software version 4.1.x to 4.5.x

This exploit is also used by Flashcart manufacturers to take over the 3DS's kernel.

To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and you must run an NDS Homebrew designed to alter the DS Profile settings strings. When launching the 3DS System Settings application's DS profile settings editor, it will cause the application that edits the DS profile to crash, and this crash pushes custom code into memory from within the edited profile and makes the security co-processor "accidentally" load that code, resulting in homebrew being launched.

Spider exploit

This exploit works up to version 9.2.0 and grants kernel level access. It was used by flashcart manufacturers after the MSET exploit was patched.

arm9loaderhax

Boot9Strap

  • Requires an exploit on ≤11.3 , or hardmod/DSiWarehax in order to install. (Or the upcoming ntrboothax)
  • Exploits a vulnerability in the bootrom.
  • Works on New 3DS, New 2DS, Old 3DS, and 2DS in the EUR, JAP, or USA regions up to 11.5.
  • Can be used with an updated SysNAND (up to 11.5).
  • Source
  • Documentation
  • Guide

ninjhax

  • Released by Smealum
  • Uses an exploit in sharing user-created levels in the game Cubic Ninja to launch homebrew.
  • Works up to 11.5.
  • Source
  • Video

ironhax

  • Released by Smealum
  • Requires an exploit in order to install
  • Uses a save game exploit for IronFall: Invasion in order to launch homebrew.
  • Works up to 10.3
  • Source

tubehax

  • Released by Smealum
  • Uses a DNS server to redirect the app's traffic to a exploitable webpage.
  • Technically works up to 10.1, but older Youtube versions are blocked by Nintendo, effectively killing the exploit
  • Source

browserhax

  • Released by yellows8.
  • A collection of webkit exploits for the use of launching 3DS homebrew.
  • Works up to 11.0
  • Source

oot3dhax

  • Released by yellows8.
  • Requires an exploit or PowerSaves device in order to install
  • Uses a save game exploit for The Legend of Zelda: Ocarina of Time 3D in order to launch homebrew.
  • Works up to 11.5.0-38.
  • Source

smashhax

  • Released by yellows8
  • Only works on N3DS.
  • Uses a exploit in local multiplayer for Smash Bros for 3DS by acting like a fake beacon for sessions.
  • Works up to 11.2. Fixed in v11.3
  • Source

menuhax (AKA themehax, HomeMenuHax)

  • Released by yellows8
  • Uses a exploit in themedata used by the home menu in order to launch homebrew.
  • Works up to 11.2
  • Source

Freakyhax (AKA Freakyformshax)

  • Released by Qlutoo
  • Uses a exploit in the games Qr code loader.
  • Works up to 11.0
  • Website

BASICSploit

  • Released by MrNbaYoh
  • Uses an exploit in BG handling
  • Works up to 11.0.33
  • Only USA 3.2.1 version for now
  • Website

Executable formats

There are a few different types of executables made for the 3DS at this time.

The .cxi format

This file format is used officially by the console. The .cxi container type can only be launched on a 3DS Development Unit (A 3DS released to developers).

It is used by later versions of Braindump.

The .bin format

This type is the raw format for homebrew compiled into an ARM binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, converted into a .3ds file to be launched using a front-end homebrew launcher, or launched as-is with an arm9loader exploit.

  • Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew
  • Filename: Whatever you want, with a .bin extension
  • Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console.
  • Access level: The homebrew has full Kernel-mode access and has access to both the ARM9 and ARM11 cores, but the console's services in ARM11 are all disabled, due to the public method of taking over the ARM11 core from within the ARM9 core (credit to Kane49) (This means you have no access to the 3D slider, sound, etc. unless you code it back yourself).
  • Restriction: When running from a broken-kernel state (Launcher.dat direct from MSET), random regions of the RAM are likely to have the NX (No-eXecute) security bit still active on them. This causes the program to sometimes not be able to start as the memory is set to not allow execution from the address range the program was unluckily loaded into. This also limits the size of the application, as when the application is larger, the chance of it landing in NX-enabled regions is significantly larger than if it is smaller, leaving the likeliness of it being able to start, up to luck. The size limit is around 19-22kb. In ARM11, code is loaded in a clean memory area, but before jumping to ARM11 it starts in ARM9 and is loaded in the same location, so the problem could happen too.

If you get homebrew in this format and do not have a way to launch a raw .bin file, you will need a python script to insert it into a Launcher.dat file.

Or use a script to copy a ROP header and footer around the payload binary file, example: copy /b header+binary+footer Launcher.dat

You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's 3DS Homebrew demo package.

The Launcher.dat format

  • Boot method: The homebrew is launched directly from the MSET exploit.
  • Filename: The homebrew filename is usually "Launcher.dat" but can come using the "MsetForBoss.dat" variant using a alternate MSET exploit roploader, you can have upto 2 homebrew files at the same time on your console (one using the launcher.dat file name and one with the name MsetForBoss.dat), but it requires switch between DS profile roploaders to alternate which file will be loaded.
  • Requirement: You need a DS flashcart to install the MSET vulnerability and run the Launcher.dat homebrew.
  • Access level: Full Kernel-mode control (same as .bin homebrew).
  • Restriction: file size (same as .bin homebrew)

There are 2 different formats of launcher.dat/MsetForBoss.dat, unencrypted(also referred to as homebrew or non gateway), and encrypted(also known as gateway encrypted) you will need to use a alternate DS profile exploit depending on whether you are trying to run a encrypted or unencrypted launcher.dat file, but most if not all MsetForBoss.dat files are unencrypted

The .3ds / .3dsx format

  • Boot method: The homebrew is launched from a front end launcher.
  • Filename: For Smealum's homebrew launcher use boot.3dsx, every homebrew has a different folder. For Gateway use any name .3ds and place in on a microSD.
  • Requirement: For the gateway (.3ds) requires a Gateway 3DS flashcart running firmware 2.2 OMEGA or newer. For Smealum's homebrew launcher (.3dsx) requires a ninjhax exploit and an SD card with boot.3dsx (can be either your homebrew or the homebrew launcher) files on it you'll also need a wifi connection to the internet from your 3DS.
  • Access level HBL with ≥9.2 SysNAND: The homebrew is usually only allowed User-mode access and has access to only 30% of the system core's first CPU thread, and 100% access to the second thread, although it can gain limited system access by using memchunkhax2. As a result, most homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available.
  • Access level HBL with ≤9.2 SysNAND: Homebrew is allowed system access if using a CFW with signature checks disabled.
  • Access level Gateway: Homebrew ran using the gateway will have as much access as any other game.

The .cia format

This file format is used officially by the console as a container for eShop downloaded contents. It's meant to be extracted, installed and displayed on the console's system menu using its own icon.

The .cia container type can only be installed on a 3DS with installation privilege. To unlock the installation feature, you need a modified emuNAND/ sysNAND or Gateway 3DS v2.6 or newer.

Launching Homebrew

ATTENTION: All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console. Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter.

The .cxi format

There's currently no method to directly launch this format on a retail unit. It can, however, be launched by packaging it into a CIA.

The .bin/elf format

These formats are the raw executable.

  • There's currently no .elf homebrew launcher to use with Ninjhax.
  • These files are sometimes converted to another format (dat, cia, 3ds, 3dsx) by the developers when released to public. Then can then be launched using a different homebrew loading method.
  • Some ARM9 (in Launcher.dat format) experimental homebrew can launch the .bin format, but require a 3DS with a System Software version 4.x.
  • Arm9loaderhax is capable of launching homebrew in .bin format on System Software version 9.x to 11.x.

Launcher.dat format

This exploit works by using a ROP (Return-Oriented Programming) Chain to get access to Kernel-mode control and run a homebrew executable.

There are two ROP chain exploits you can use:

  • Gateway 3DS's ROP Chain. (Encrypted ROP Chain)
  • Fierce Waffle's Open source ROP chain. (Unencrypted ROP Chain)

The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary.

Gateway 3DS, which was the first to publicly release this exploit, encrypted their ROP chain to prevent flashcart clones. If you install the Gateway ROP chain, you will have to encrypt your Launcher.dat homebrew using their encryption key. If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS's Launcher.dat until you reinstall their own ROP chain.

There are tools to quickly encrypt or decrypt a Launcher.dat file to work with a corresponding ROP chain.

The different ROP Chain installers

  • Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.)
  • ROP Chain installer, by Fierce Waffle. It's a little unstable and can brick the DS Mode of the console. It requires a full 3DS format to fix it. You will lose all your data installed on 3DS if you format it.
  • Alternate ROP Installer, by Drenn, based on Fierce Waffle ROP Chain binary. It's restoring a full NVRAM dump of Drenn's DS Profile to your console. More stable than using the real installer, but it will fully replace your profile information, except your WiFi settings. You can use ROP Installer Modifier to edit the DS profile information (Favorite color and user name) to be written to the profile during the installation.
  • ROP MultiLoader, by SnailFace. Lets you easily choose the ROP chain you want to install.

Installing a ROP Chain

The ROP chain installation requires a DS-mode Flashcart to run the installer .nds program.

  1. Choose a ROP chain installer from the list above.
  2. Extract the NDS file if needed and place it on your MicroSD Card, then insert it into your compatible NDS-mode Flashcart.
  3. Insert the NDS-mode flashcart into your 3DS console and launch the installer.

Note: If you launch the DS-mode again (DS Game or DS mode Flashcart) after installing the ROP Chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew.

Launching the Homebrew

  1. Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption)
  2. Place the Launcher.dat file on the root of your SD Card.
  3. Boot the 3DS and go to Settings > Other > Profile > DS Profile.
  4. The homebrew will launch.

The .3ds format

The .3ds format requires a gateway 3DS flashcart or a MT-card flashcart.

Gateway 3DS Flashcart

The Gateway 3DS flashcart homebrew launcher can be used only on a 3DS System version 4.0 to 9.2. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart. This Homebrew launching method requires the Gateway 3DS firmware version 2.2 Omega or newer.

  1. (4.x only) Install the Gateway 3DS ROP Chain. (See the ROP chain installation method above)
  2. Place the Gateway Launcher.dat file on the root of your SD Card.
  3. Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
  4. (4.x) Launch Gateway from the DS Profile. / (9.x) Open the web browser and visit http://go.gateway-3ds.com/ and launch Gateway mode.
  5. Press Select button to list all homebrew on your MicroSD card and press A to mount it.
  6. Launch it like a game.

MT-Card Flashcart

The MT-Card homebrew launcher can be used only on a 3DS System version 4.0 to 4.5. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart. This Homebrew launching method requires the MT-Card firmware version 2.0 or newer.

  1. Install the MT-Card exploit using the DS mode flashcart. (See the ROP chain installation method above)
  2. Place the MT-Card Launcher.dat file on the root of your SD Card.
  3. Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
  4. Launch MT-Card from the DS Profile.
  5. Press Select button to list all homebrew on your MicroSD card and press A to mount it.
  6. Launch it like a game.

The .3dsx format

The .3dsx format requires a front end to be launched first.

The Homebrew Launcher

The Homebrew Launcher lets the user run unsigned homebrew compiled in .3dsx format in User-mode on the ARM11 core. It was originally developed by smealum and gemisisDev, since its release more developers are helping and improving it. It exploits a vulnerability in 3DS a System Software versions 4.x to 9.2.x with eShop revision 7 to 20.

You will not need a Flashcart to use it, but will need the retail game Cubic Ninja. Cubic Ninja launched from a flashcart is working too.

Installing The Homebrew Launcher

  1. Download and extract The Homebrew Starter Kit to the root of your 3DS SD Card. You should now have a file named boot.3dsx and a "3ds" folder on the root of your SD Card.
  2. Enable Wifi and launch Cubic Ninja game
  3. Choose the "Create" menu and select "QR Code" method, then "Scan QR code" option.
  4. Go to http://smealum.net/ninjhax/#qrcode and select your System version to generate the corresponding QR Code
  5. Scan your QR code and it will download "The Homebrew Launcher" loader automatically and install it into the Savegame slot of Cubic Ninja game. It will also launch automatically after the Installation.

Launching The Homebrew Launcher

  1. You don't need Wifi once it's already installed to your Cubic Ninja game.
  2. Run Cubic Ninja and go to QR Code menu. The Homebrew Launcher will load.

Place your homebrew in either one of these locations:

  1. /3ds/<homebrew_name>/boot.3dsx
  2. /3ds/<homebrew_name>/<same_as_folder_name>.3dsx
  3. /3ds/<filename>.3dsx

If you want an icon for your Homebrew to be displayed in The Homebrew Launcher, place it in either one of these locations:

  1. /3ds/<homebrew_name>/icon.bin
  2. /3ds/<homebrew_name>/<icon or folder_name>.smdh
  3. /3ds/<homebrew_name>/<icon or folder_name>.icn

The .cia format

The .cia format requires a patched firmware (CFW) or Gateway 3DS flashcart. The user needs a 3DS with a System Software version 4.0 to 11.2 For unsigned .CIA files. Consoles between 9.3 and 11.2 have exploits allowing "legit CIA" files to be installed.

Dev Menu

Currently, one of the ways to install cia files and manage installed titles is by using DevMenu program from the official Nintendo 3DS development kit (SDK). This program is illegal to share and will not be linked here or on the forum. However, homebrew alternatives exist such as FBI and Big Red Menu. To use DevMenu and install files to your sysNAND or emuNAND, you need enough privileges which is only possible on a modified emuNAND or sysNAND (commonly called "custom Firmware") or using Gateway 3DS v2.6 or newer.

- When using a modified emuNAND or sysNAND you need to permanently install DevMenu program on your console.

- When using Gateway 3DS you can use BigBlueMenu, which is the DevMenu program converted to .3ds format.