Difference between revisions of "3DS Homebrew"
(→ARM11 additional setup: updated link) |
Ironlanderl (talk | contribs) (→ninjhax) |
||
(183 intermediate revisions by 58 users not shown) | |||
Line 1: | Line 1: | ||
− | + | {{3DSNav}} | |
+ | Welcome to the wonderful world of '''3DS Homebrew'''! | ||
− | To run homebrew on your 3DS you need a method to run custom code. There | + | To run homebrew on your 3DS you need a method to run custom code. There are currently several public exploits available which allow running unsigned code on a 3DS system. |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ==What can I do?== | |
+ | Depends on your installed Firmware version (SysNAND): | ||
− | + | {| class="compattable" | |
+ | ! rowspan="2" style="width:13%" | Can I... | ||
+ | ! colspan="5" | No A9LH or sighax/B9S installed (unhacked system) | ||
+ | ! rowspan="2" style="width:13%" | A9LH installed<br />(any firmware version) | ||
+ | ! rowspan="2" style="width:13%" | sighax/B9S installed<br />(any firmware version) | ||
+ | |- | ||
+ | ! style="width:12%" | System Menu 11.4 and up | ||
+ | ! style="width:12%" | System Menu 11.3 | ||
+ | ! style="width:12%" | System Menu 11.0 to 11.2 | ||
+ | ! style="width:12%" | System Menu 9.3 to 10.7 | ||
+ | ! style="width:13%" | System Menu 9.2 and below | ||
+ | |- | ||
+ | | Run basic homebrew? | ||
+ | | {{opt|Yes}}, but only on New 3DS. | ||
+ | | colspan="3" {{yes}}, use FreakyHax, Ninjhax, Soundhax or a previously installed exploit to run the Homebrew Launcher. | ||
+ | | colspan="3" {{yes}} (same exploits as ≥9.3, plus Homebrew Launcher loader CIA) | ||
+ | |- | ||
+ | | Run arm9loaderhax/brahma homebrew? | ||
+ | | {{no}} | ||
+ | | colspan="3" {{opt|Yes}}, use Safehax (Only some will work) | ||
+ | | colspan="2" {{yes}} | ||
+ | | {{yes}} (convert to firm format or convert an A9LH boot manager to bin.) | ||
+ | |- | ||
+ | | Run BootROM level homebrew? | ||
+ | | colspan="6" {{no}} | ||
+ | | {{yes}} | ||
+ | |- | ||
+ | | Install Custom Themes? | ||
+ | | {{opt|Yes}}, but only on New 3DS. | ||
+ | | colspan="3" {{yes}}, use Themely/CHMM2 | ||
+ | | colspan="3" {{yes}}, use Themely/CHMM2/ExtDataTool.<br />Note that themes are for ≥9.x only. | ||
+ | |- | ||
+ | | Install/extract save files? | ||
+ | | {{opt|Yes}}, but only on New 3DS. | ||
+ | | colspan="3" {{yes}}, use svdt for 3DS games, TWLSaveTool for retail DS cartridges | ||
+ | | colspan="3" {{yes}}, use SaveDataFiler or JK's SaveManager for 3DS games, TWLSaveTool for retail DS cartridges | ||
+ | |- | ||
+ | | Run games from other regions (regionfree)? | ||
+ | | {{opt|Yes}}, but only on New 3DS. | ||
+ | | colspan="4" {{yes}}, use the region free launcher of The Homebrew Launcher | ||
+ | | colspan="3" {{yes}}, use a region free CFW | ||
+ | |- | ||
+ | | Go online with a game from another region? | ||
+ | | colspan="3" {{no}} | ||
+ | | {{yes}}, as long as the game doesn't require an update | ||
+ | | colspan="3" {{yes}} | ||
+ | |- | ||
+ | | Run 3DS ROMs? | ||
+ | | colspan="4" {{yes}}, buy a Sky3DS and play ROMs from that. | ||
+ | | colspan="3" {{yes}}, various options. | ||
+ | |- | ||
+ | | Install out-of-region eShop content (like DLC)? | ||
+ | | colspan="4" {{no}} | ||
+ | | colspan="3" {{yes}} | ||
+ | |- | ||
+ | | Play modified ROMs (ROM hacks)? | ||
+ | | {{yes}}, use a flashcart (Hans only on New 3DS) | ||
+ | | colspan="3" {{yes}}, use HANS, or a flashcart | ||
+ | | colspan="3" {{yes}}, use NTR CFW, HANS, a flashcart, or install as a CIA | ||
+ | |- | ||
+ | | Run DS ROMs? | ||
+ | | colspan="4" {{yes}}, use a DS flashcart (Supercard DSTWO/R4i Gold) | ||
+ | | colspan="3" {{yes}}, use a DS flashcart (blocked carts can be unblocked with CFW and/or patched TWL_FIRM) | ||
+ | |- | ||
+ | | Use CFW/EmuNAND? | ||
+ | | colspan="4" {{no}} | ||
+ | | colspan="3" {{yes}} | ||
+ | |- | ||
+ | | Install CIA files? | ||
+ | | {{no}} | ||
+ | | colspan="3" {{opt|Yes}} (Legit CIAs only) | ||
+ | | colspan="3" {{yes}}, use a CFW with signature checks disabled to install unsigned CIAs | ||
+ | |- | ||
+ | | Downgrade my System? | ||
+ | | {{Yes}}, use DSiWare or Hardmod to install CFW then downgrade. | ||
+ | | colspan="2" {{yes}}, use Safehax. | ||
+ | | {{yes}}, use SysUpdater CIA (on EmuNAND) or 3dsx (on SysNAND from Homebrew Launcher) | ||
+ | | colspan="3" {{yes}}, same exploits as ≥9.3 but no need to. | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | <references group=note /> | ||
+ | |||
+ | ==Exploits== | ||
+ | ===The MSET exploit=== | ||
+ | This exploit only works on 3DS System Software version 4.1.x to 4.5.x | ||
+ | |||
+ | This exploit is also used by Flashcart manufacturers to take over the 3DS's kernel. | ||
To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and you must run an NDS Homebrew designed to alter the DS Profile settings strings. When launching the 3DS System Settings application's DS profile settings editor, it will cause the application that edits the DS profile to crash, and this crash pushes custom code into memory from within the edited profile and makes the security co-processor "accidentally" load that code, resulting in homebrew being launched. | To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and you must run an NDS Homebrew designed to alter the DS Profile settings strings. When launching the 3DS System Settings application's DS profile settings editor, it will cause the application that edits the DS profile to crash, and this crash pushes custom code into memory from within the edited profile and makes the security co-processor "accidentally" load that code, resulting in homebrew being launched. | ||
+ | ===Spider exploit=== | ||
+ | This exploit works up to version 9.2.0 and grants kernel level access. It was used by flashcart manufacturers after the MSET exploit was patched. | ||
− | + | ===arm9loaderhax=== | |
+ | * Released by [[User:delebile|delebile]]. Exploit discovered by [[User:WulfyStylez|WulfyStylez]], [[User:Dazzozo|Dazzozo]], [[User:shinyquagsire23|shinyquagsire23]], [[User:plutoo|plutoo]], [[User:Normmatt|Normmatt]], and [[User:yellows8|yellows8]]. | ||
+ | * Requires an exploit on ≤9.2 in order to install; must be built from source, using the console-specific OTP hash | ||
+ | * Exploits a vulnerability in arm9loader to execute ARM9 code directly at boot (arm9loaderhax.bin) | ||
+ | * Works on New 3DS, Old 3DS, and 2DS in the EUR, JAP, or USA regions up to 11.5 | ||
+ | * Can be used with an [https://github.com/Plailect/Guide/wiki updated SysNAND] (up to 11.5). | ||
+ | * [https://github.com/delebile/arm9loaderhax Source] | ||
+ | * [http://delebile.bplaced.net/topic.php?id=9 Documentation 1], [https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/ Documentation 2] | ||
+ | * [https://github.com/Plailect/Guide/wiki Guide] | ||
+ | * [https://www.youtube.com/watch?v=QKNLa8I8hPQ Video] | ||
− | == | + | ===Boot9Strap=== |
− | + | * Requires an exploit on ≤11.3 , or hardmod/DSiWarehax in order to install. (Or the upcoming ntrboothax) | |
+ | * Exploits a vulnerability in the bootrom. | ||
+ | * Works on New 3DS, New 2DS, Old 3DS, and 2DS in the EUR, JAP, or USA regions up to 11.5. | ||
+ | * Can be used with an [https://3ds.guide updated SysNAND] (up to 11.5). | ||
+ | * [https://github.com/SciresM/boot9strap Source] | ||
+ | * [https://sciresm.github.io/33-and-a-half-c3 Documentation] | ||
+ | * [https://3ds.guide Guide] | ||
− | [[Smealum]] | + | ===ninjhax=== |
− | + | * Released by [[User:smealum|Smealum]] | |
− | + | * Uses an exploit in sharing user-created levels in the game ''Cubic Ninja'' to launch homebrew. | |
− | + | * Works up to 11.5. | |
− | + | * [https://github.com/smealum/ninjhax/ Source] | |
− | = | + | * [https://www.youtube.com/watch?v=iKjuy3-z054 Video] |
− | + | ===ironhax=== | |
+ | * Released by [[User:smealum|Smealum]] | ||
+ | * Requires an exploit in order to install | ||
+ | * Uses a save game exploit for ''IronFall: Invasion'' in order to launch homebrew. | ||
+ | * Works up to 10.3 | ||
+ | * [https://github.com/smealum/ironhax Source] | ||
− | '''The . | + | ===tubehax=== |
+ | * Released by [[User:smealum|Smealum]] | ||
+ | * Uses a DNS server to redirect the app's traffic to a exploitable webpage. | ||
+ | * Technically works up to 10.1, but older Youtube versions are blocked by Nintendo, effectively killing the exploit | ||
+ | * [https://github.com/smealum/tubehax Source] | ||
+ | |||
+ | ===browserhax=== | ||
+ | * Released by [[User:yellows8|yellows8]]. | ||
+ | * A collection of webkit exploits for the use of launching 3DS homebrew. | ||
+ | * Works up to 11.0 | ||
+ | * [https://github.com/yellows8/3ds_browserhax_common Source] | ||
+ | |||
+ | ===oot3dhax=== | ||
+ | * Released by [[User:yellows8|yellows8]]. | ||
+ | * Requires an exploit or PowerSaves device in order to install | ||
+ | * Uses a save game exploit for ''The Legend of Zelda: Ocarina of Time 3D'' in order to launch homebrew. | ||
+ | * Works up to 11.5.0-38. | ||
+ | * [https://github.com/yellows8/oot3dhax Source] | ||
+ | |||
+ | ===smashhax=== | ||
+ | * Released by [[User:yellows8|yellows8]] | ||
+ | * Only works on N3DS. | ||
+ | * Uses a exploit in local multiplayer for ''Smash Bros for 3DS'' by acting like a fake beacon for sessions. | ||
+ | * Works up to 11.2. Fixed in v11.3 | ||
+ | * [https://github.com/yellows8/3ds_smashbroshax Source] | ||
+ | |||
+ | ===menuhax (AKA themehax, HomeMenuHax)=== | ||
+ | * Released by [[User:yellows8|yellows8]] | ||
+ | * Uses a exploit in themedata used by the home menu in order to launch homebrew. | ||
+ | * Works up to 11.2 | ||
+ | * [https://github.com/yellows8/3ds_homemenuhax Source] | ||
+ | |||
+ | ===Freakyhax (AKA Freakyformshax)=== | ||
+ | * Released by [[User:Qlutoo|Qlutoo]] | ||
+ | * Uses a exploit in the games Qr code loader. | ||
+ | * Works up to 11.0 | ||
+ | * [http://plutooo.github.io/freakyhax/ Website] | ||
+ | |||
+ | ===BASICSploit=== | ||
+ | * Released by [[User:MrNbaYoh|MrNbaYoh]] | ||
+ | * Uses an exploit in BG handling | ||
+ | * Works up to 11.0.33 | ||
+ | * Only USA 3.2.1 version for now | ||
+ | * [http://mrnbayoh.github.io/basicsploit/ Website] | ||
+ | |||
+ | ==Executable formats== | ||
+ | There are a few different types of executables made for the 3DS at this time. | ||
+ | ===The .cxi format=== | ||
This file format is used officially by the console. The .cxi container type can only be launched on a 3DS Development Unit (A 3DS released to developers). | This file format is used officially by the console. The .cxi container type can only be launched on a 3DS Development Unit (A 3DS released to developers). | ||
− | + | It is used by later versions of [https://github.com/neobrain/braindump Braindump]. | |
− | + | ||
− | + | ||
− | + | ||
− | This type is the raw format for homebrew compiled into an ARM binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, | + | ===The .bin format=== |
+ | This type is the raw format for homebrew compiled into an ARM binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, converted into a .3ds file to be launched using a front-end homebrew launcher, or launched as-is with an arm9loader exploit. | ||
− | * Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew | + | * Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew |
* Filename: Whatever you want, with a .bin extension | * Filename: Whatever you want, with a .bin extension | ||
* Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console. | * Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console. | ||
Line 48: | Line 198: | ||
* Restriction: When running from a broken-kernel state (Launcher.dat direct from MSET), random regions of the RAM are likely to have the NX (No-eXecute) security bit still active on them. This causes the program to sometimes not be able to start as the memory is set to not allow execution from the address range the program was unluckily loaded into. This also limits the size of the application, as when the application is larger, the chance of it landing in NX-enabled regions is significantly larger than if it is smaller, leaving the likeliness of it being able to start, up to luck. The size limit is around 19-22kb. In ARM11, code is loaded in a clean memory area, but before jumping to ARM11 it starts in ARM9 and is loaded in the same location, so the problem could happen too. | * Restriction: When running from a broken-kernel state (Launcher.dat direct from MSET), random regions of the RAM are likely to have the NX (No-eXecute) security bit still active on them. This causes the program to sometimes not be able to start as the memory is set to not allow execution from the address range the program was unluckily loaded into. This also limits the size of the application, as when the application is larger, the chance of it landing in NX-enabled regions is significantly larger than if it is smaller, leaving the likeliness of it being able to start, up to luck. The size limit is around 19-22kb. In ARM11, code is loaded in a clean memory area, but before jumping to ARM11 it starts in ARM9 and is loaded in the same location, so the problem could happen too. | ||
− | + | If you get homebrew in this format and do not have a way to launch a raw .bin file, you will need a python script to insert it into a Launcher.dat file. | |
− | If you get homebrew in this format, you will need a python script to insert it into a Launcher.dat file. | + | |
* [https://github.com/naehrwert/p3ds 3DS Python Tool] by Naehrwert. | * [https://github.com/naehrwert/p3ds 3DS Python Tool] by Naehrwert. | ||
Line 58: | Line 207: | ||
You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's [[3DS Homebrew demo (Snailface)|3DS Homebrew demo]] package. | You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's [[3DS Homebrew demo (Snailface)|3DS Homebrew demo]] package. | ||
− | + | ||
− | + | ===The Launcher.dat format=== | |
− | + | ||
* Boot method: The homebrew is launched directly from the MSET exploit. | * Boot method: The homebrew is launched directly from the MSET exploit. | ||
− | * Filename: The homebrew filename is | + | * Filename: The homebrew filename is usually "Launcher.dat" but can come using the "MsetForBoss.dat" variant using a alternate MSET exploit roploader, you can have upto 2 homebrew files at the same time on your console (one using the launcher.dat file name and one with the name MsetForBoss.dat), but it requires switch between DS profile roploaders to alternate which file will be loaded. |
* Requirement: You need a DS flashcart to install the MSET vulnerability and run the Launcher.dat homebrew. | * Requirement: You need a DS flashcart to install the MSET vulnerability and run the Launcher.dat homebrew. | ||
* Access level: Full Kernel-mode control (same as .bin homebrew). | * Access level: Full Kernel-mode control (same as .bin homebrew). | ||
* Restriction: file size (same as .bin homebrew) | * Restriction: file size (same as .bin homebrew) | ||
+ | There are 2 different formats of launcher.dat/MsetForBoss.dat, unencrypted(also referred to as homebrew or non gateway), and encrypted(also known as gateway encrypted) you will need to use a alternate DS profile exploit depending on whether you are trying to run a encrypted or unencrypted launcher.dat file, but most if not all MsetForBoss.dat files are unencrypted | ||
− | + | ===The .3ds / .3dsx format=== | |
* Boot method: The homebrew is launched from a front end launcher. | * Boot method: The homebrew is launched from a front end launcher. | ||
− | * Filename: | + | * Filename: For Smealum's homebrew launcher use boot.3dsx, every homebrew has a different folder. For Gateway use any name .3ds and place in on a microSD. |
− | * Requirement: | + | * Requirement: For the gateway (.3ds) requires a [[Gateway 3DS]] flashcart running firmware 2.2 OMEGA or newer. For Smealum's homebrew launcher (.3dsx) requires a [[ninjhax]] exploit and an SD card with boot.3dsx (can be either your homebrew or the homebrew launcher) files on it you'll also need a wifi connection to the internet from your 3DS. |
− | * Access level: The homebrew is only allowed User-mode access and has access to only 30% of the system core's first CPU thread, and 100% access to the second thread. As a result, | + | * Access level HBL with ≥9.2 SysNAND: The homebrew is usually only allowed User-mode access and has access to only 30% of the system core's first CPU thread, and 100% access to the second thread, although it can gain limited system access by using [[memchunkhax2]]. As a result, most homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available. |
+ | * Access level HBL with ≤9.2 SysNAND: Homebrew is allowed system access if using a CFW with signature checks disabled. | ||
+ | * Access level Gateway: Homebrew ran using the gateway will have as much access as any other game. | ||
− | = | + | ===The .cia format=== |
+ | This file format is used officially by the console as a container for eShop downloaded contents. | ||
+ | It's meant to be extracted, installed and displayed on the console's system menu using its own icon. | ||
+ | The .cia container type can only be installed on a 3DS with installation privilege. To unlock the installation feature, you need a modified emuNAND/ sysNAND or Gateway 3DS v2.6 or newer. | ||
+ | |||
+ | ==Launching Homebrew== | ||
'''ATTENTION''': All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console. | '''ATTENTION''': All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console. | ||
Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter. | Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter. | ||
+ | ===The .cxi format=== | ||
+ | There's currently no method to directly launch this format on a retail unit. It can, however, be launched by packaging it into a CIA. | ||
+ | |||
+ | ===The .bin/elf format=== | ||
+ | These formats are the raw executable. | ||
+ | * There's currently no .elf homebrew launcher to use with Ninjhax. | ||
+ | * These files are sometimes converted to another format (dat, cia, 3ds, 3dsx) by the developers when released to public. Then can then be launched using a different homebrew loading method. | ||
+ | * Some ARM9 (in Launcher.dat format) experimental homebrew can launch the .bin format, but require a 3DS with a System Software version 4.x. | ||
+ | * [[Arm9loaderhax]] is capable of launching homebrew in .bin format on System Software version 9.x to 11.x. | ||
− | == | + | ===Launcher.dat format=== |
This exploit works by using a ROP (Return-Oriented Programming) Chain to get access to Kernel-mode control and run a homebrew executable. | This exploit works by using a ROP (Return-Oriented Programming) Chain to get access to Kernel-mode control and run a homebrew executable. | ||
Line 86: | Line 251: | ||
* [[Gateway 3DS]]'s ROP Chain. (Encrypted ROP Chain) | * [[Gateway 3DS]]'s ROP Chain. (Encrypted ROP Chain) | ||
* Fierce Waffle's [http://www.fiercewaffle.com/softwareArticle.php?id=10 Open source] ROP chain. (Unencrypted ROP Chain) | * Fierce Waffle's [http://www.fiercewaffle.com/softwareArticle.php?id=10 Open source] ROP chain. (Unencrypted ROP Chain) | ||
− | |||
The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary. | The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary. | ||
Line 93: | Line 257: | ||
If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS's Launcher.dat until you reinstall their own ROP chain. | If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS's Launcher.dat until you reinstall their own ROP chain. | ||
− | There are [[List of | + | There are [[List of 3DS homebrew applications#Utilities|tools]] to quickly encrypt or decrypt a Launcher.dat file to work with a corresponding ROP chain. |
− | + | ||
− | === The different ROP Chain installers=== | + | ====The different ROP Chain installers==== |
* Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.) | * Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.) | ||
* [http://www.mediafire.com/download/6j9v70csj4g75it/ROPLoader.nds ROP Chain installer], by [[Fierce Waffle]]. It's a little unstable and can brick the DS Mode of the console. It requires a full 3DS format to fix it. You will lose all your data installed on 3DS if you format it. | * [http://www.mediafire.com/download/6j9v70csj4g75it/ROPLoader.nds ROP Chain installer], by [[Fierce Waffle]]. It's a little unstable and can brick the DS Mode of the console. It requires a full 3DS format to fix it. You will lose all your data installed on 3DS if you format it. | ||
* [http://gbatemp.net/threads/alternate-rop-installer.361185/ Alternate ROP Installer], by [[Drenn]], based on Fierce Waffle ROP Chain binary. It's restoring a full NVRAM dump of Drenn's DS Profile to your console. More stable than using the real installer, but it will fully replace your profile information, except your WiFi settings. You can use [[List of applications for 3DS|ROP Installer Modifier]] to edit the DS profile information (Favorite color and user name) to be written to the profile during the installation. | * [http://gbatemp.net/threads/alternate-rop-installer.361185/ Alternate ROP Installer], by [[Drenn]], based on Fierce Waffle ROP Chain binary. It's restoring a full NVRAM dump of Drenn's DS Profile to your console. More stable than using the real installer, but it will fully replace your profile information, except your WiFi settings. You can use [[List of applications for 3DS|ROP Installer Modifier]] to edit the DS profile information (Favorite color and user name) to be written to the profile during the installation. | ||
− | * [http://filetrip.net/3ds-downloads/homebrew/download- | + | * [http://filetrip.net/3ds-downloads/homebrew/download-ropmultiloader-1-1-f32981.html ROP MultiLoader], by [[SnailFace]]. Lets you easily choose the ROP chain you want to install. |
− | + | ||
− | + | ====Installing a ROP Chain==== | |
− | ===Installing a ROP Chain=== | + | |
The ROP chain installation requires a DS-mode Flashcart to run the installer .nds program. | The ROP chain installation requires a DS-mode Flashcart to run the installer .nds program. | ||
Line 111: | Line 273: | ||
Note: If you launch the DS-mode again (DS Game or DS mode Flashcart) after installing the ROP Chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew. | Note: If you launch the DS-mode again (DS Game or DS mode Flashcart) after installing the ROP Chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew. | ||
− | + | ||
− | + | ====Launching the Homebrew==== | |
− | ===Launching the Homebrew=== | + | |
# Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption) | # Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption) | ||
# Place the Launcher.dat file on the root of your SD Card. | # Place the Launcher.dat file on the root of your SD Card. | ||
Line 119: | Line 280: | ||
# The homebrew will launch. | # The homebrew will launch. | ||
− | ==The .3ds format== | + | ===The .3ds format=== |
− | + | The .3ds format requires a gateway 3DS flashcart or a MT-card flashcart. | |
− | + | ||
− | + | ||
− | The .3ds format requires a | + | |
− | + | ||
− | ===Gateway 3DS Flashcart=== | + | ====Gateway 3DS Flashcart==== |
+ | The Gateway 3DS flashcart homebrew launcher can be used only on a 3DS System version 4.0 to 9.2. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart. | ||
+ | This Homebrew launching method requires the Gateway 3DS firmware version 2.2 Omega or newer. | ||
− | + | #(4.x only) Install the Gateway 3DS ROP Chain. (See the [[#The different ROP Chain installers|ROP chain installation method]] above) | |
− | + | #Place the Gateway Launcher.dat file on the root of your SD Card. | |
− | + | #Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension. | |
− | + | #(4.x) Launch Gateway from the DS Profile. / (9.x) Open the web browser and visit http://go.gateway-3ds.com/ and launch Gateway mode. | |
− | #Place the Gateway | + | |
− | #Place your homebrew on your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension. | + | |
− | #Launch Gateway from the DS Profile and | + | |
#Press Select button to list all homebrew on your MicroSD card and press A to mount it. | #Press Select button to list all homebrew on your MicroSD card and press A to mount it. | ||
#Launch it like a game. | #Launch it like a game. | ||
− | |||
− | |||
− | |||
− | + | ====MT-Card Flashcart==== | |
− | + | The MT-Card homebrew launcher can be used only on a 3DS System version 4.0 to 4.5. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart. | |
+ | This Homebrew launching method requires the MT-Card firmware version 2.0 or newer. | ||
− | + | #Install the MT-Card exploit using the DS mode flashcart. (See the [[#The different ROP Chain installers|ROP chain installation method]] above) | |
− | + | #Place the MT-Card Launcher.dat file on the root of your SD Card. | |
− | + | #Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension. | |
− | + | #Launch MT-Card from the DS Profile. | |
− | + | #Press Select button to list all homebrew on your MicroSD card and press A to mount it. | |
− | + | #Launch it like a game. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ===The .3dsx format=== | |
− | + | The .3dsx format requires a front end to be launched first. | |
+ | ====The Homebrew Launcher==== | ||
+ | [[The Homebrew Launcher]] lets the user run unsigned homebrew compiled in .3dsx format in User-mode on the ARM11 core. | ||
+ | It was originally developed by [[smealum]] and [https://twitter.com/gemisisDev gemisisDev], since its release more developers are helping and improving it. It exploits a vulnerability in 3DS a System Software versions 4.x to 9.2.x with eShop revision 7 to 20. | ||
− | + | You will not need a Flashcart to use it, but will need the retail game Cubic Ninja. | |
+ | Cubic Ninja launched from a flashcart is working too. | ||
− | + | Installing The Homebrew Launcher | |
− | + | # Download and extract [http://smealum.net/ninjhax/dl/starter.zip The Homebrew Starter Kit] to the root of your 3DS SD Card. You should now have a file named boot.3dsx and a "3ds" folder on the root of your SD Card. | |
+ | # Enable Wifi and launch Cubic Ninja game | ||
+ | # Choose the "Create" menu and select "QR Code" method, then "Scan QR code" option. | ||
+ | # Go to http://smealum.net/ninjhax/#qrcode and select your System version to generate the corresponding QR Code | ||
+ | # Scan your QR code and it will download "The Homebrew Launcher" loader automatically and install it into the Savegame slot of Cubic Ninja game. It will also launch automatically after the Installation. | ||
− | + | Launching The Homebrew Launcher | |
− | + | # You don't need Wifi once it's already installed to your Cubic Ninja game. | |
− | + | # Run Cubic Ninja and go to QR Code menu. The Homebrew Launcher will load. | |
− | + | Place your homebrew in either one of these locations: | |
+ | #/3ds/<homebrew_name>/boot.3dsx | ||
+ | #/3ds/<homebrew_name>/<same_as_folder_name>.3dsx | ||
+ | #/3ds/<filename>.3dsx | ||
− | + | If you want an icon for your Homebrew to be displayed in The Homebrew Launcher, place it in either one of these locations: | |
+ | #/3ds/<homebrew_name>/icon.bin | ||
+ | #/3ds/<homebrew_name>/<icon or folder_name>.smdh | ||
+ | #/3ds/<homebrew_name>/<icon or folder_name>.icn | ||
− | For | + | ===The .cia format=== |
+ | The .cia format requires a patched firmware (CFW) or Gateway 3DS flashcart. The user needs a 3DS with a System Software version 4.0 to 11.2 For unsigned .CIA files. | ||
+ | Consoles between 9.3 and 11.2 have exploits allowing "legit CIA" files to be installed. | ||
− | + | ====Dev Menu==== | |
+ | Currently, one of the ways to install cia files and manage installed titles is by using DevMenu program from the official Nintendo 3DS development kit (SDK). This program is illegal to share and will not be linked here or on the forum. However, homebrew alternatives exist such as FBI and Big Red Menu. | ||
+ | To use DevMenu and install files to your sysNAND or emuNAND, you need enough privileges which is only possible on a modified emuNAND or sysNAND (commonly called "custom Firmware") or using Gateway 3DS v2.6 or newer. | ||
− | + | - When using a modified emuNAND or sysNAND you need to permanently install DevMenu program on your console. | |
+ | - When using Gateway 3DS you can use BigBlueMenu, which is the DevMenu program converted to .3ds format. | ||
− | [[Category:Nintendo 3DS]] | + | [[Category:Nintendo 3DS|Homebrew]] |
− | [[Category:3DS Homebrew]] | + | [[Category:3DS Homebrew| ]] |
− | [[Category:3DS ARM9 Homebrew]] | + | [[Category:3DS ARM9 Homebrew| ]] |
− | [[Category:3DS ARM11 Homebrew]] | + | [[Category:3DS ARM11 Homebrew| ]] |
Latest revision as of 19:25, 22 July 2017
3DS Homebrew | |
---|---|
Introduction • Homebrew Development • Glossary • Flashcart FAQ | |
Lists | All Homebrew • Applications • Games • Emulators • Demos • CFWs • Exploits • Development libraries & tools • PC Utilities |
Welcome to the wonderful world of 3DS Homebrew!
To run homebrew on your 3DS you need a method to run custom code. There are currently several public exploits available which allow running unsigned code on a 3DS system.
Contents
What can I do?
Depends on your installed Firmware version (SysNAND):
Can I... | No A9LH or sighax/B9S installed (unhacked system) | A9LH installed (any firmware version) |
sighax/B9S installed (any firmware version) | |||||
---|---|---|---|---|---|---|---|---|
System Menu 11.4 and up | System Menu 11.3 | System Menu 11.0 to 11.2 | System Menu 9.3 to 10.7 | System Menu 9.2 and below | ||||
Run basic homebrew? | Yes, but only on New 3DS. | Yes, use FreakyHax, Ninjhax, Soundhax or a previously installed exploit to run the Homebrew Launcher. | Yes (same exploits as ≥9.3, plus Homebrew Launcher loader CIA) | |||||
Run arm9loaderhax/brahma homebrew? | No | Yes, use Safehax (Only some will work) | Yes | Yes (convert to firm format or convert an A9LH boot manager to bin.) | ||||
Run BootROM level homebrew? | No | Yes | ||||||
Install Custom Themes? | Yes, but only on New 3DS. | Yes, use Themely/CHMM2 | Yes, use Themely/CHMM2/ExtDataTool. Note that themes are for ≥9.x only. | |||||
Install/extract save files? | Yes, but only on New 3DS. | Yes, use svdt for 3DS games, TWLSaveTool for retail DS cartridges | Yes, use SaveDataFiler or JK's SaveManager for 3DS games, TWLSaveTool for retail DS cartridges | |||||
Run games from other regions (regionfree)? | Yes, but only on New 3DS. | Yes, use the region free launcher of The Homebrew Launcher | Yes, use a region free CFW | |||||
Go online with a game from another region? | No | Yes, as long as the game doesn't require an update | Yes | |||||
Run 3DS ROMs? | Yes, buy a Sky3DS and play ROMs from that. | Yes, various options. | ||||||
Install out-of-region eShop content (like DLC)? | No | Yes | ||||||
Play modified ROMs (ROM hacks)? | Yes, use a flashcart (Hans only on New 3DS) | Yes, use HANS, or a flashcart | Yes, use NTR CFW, HANS, a flashcart, or install as a CIA | |||||
Run DS ROMs? | Yes, use a DS flashcart (Supercard DSTWO/R4i Gold) | Yes, use a DS flashcart (blocked carts can be unblocked with CFW and/or patched TWL_FIRM) | ||||||
Use CFW/EmuNAND? | No | Yes | ||||||
Install CIA files? | No | Yes (Legit CIAs only) | Yes, use a CFW with signature checks disabled to install unsigned CIAs | |||||
Downgrade my System? | Yes, use DSiWare or Hardmod to install CFW then downgrade. | Yes, use Safehax. | Yes, use SysUpdater CIA (on EmuNAND) or 3dsx (on SysNAND from Homebrew Launcher) | Yes, same exploits as ≥9.3 but no need to. |
Exploits
The MSET exploit
This exploit only works on 3DS System Software version 4.1.x to 4.5.x
This exploit is also used by Flashcart manufacturers to take over the 3DS's kernel.
To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and you must run an NDS Homebrew designed to alter the DS Profile settings strings. When launching the 3DS System Settings application's DS profile settings editor, it will cause the application that edits the DS profile to crash, and this crash pushes custom code into memory from within the edited profile and makes the security co-processor "accidentally" load that code, resulting in homebrew being launched.
Spider exploit
This exploit works up to version 9.2.0 and grants kernel level access. It was used by flashcart manufacturers after the MSET exploit was patched.
arm9loaderhax
- Released by delebile. Exploit discovered by WulfyStylez, Dazzozo, shinyquagsire23, plutoo, Normmatt, and yellows8.
- Requires an exploit on ≤9.2 in order to install; must be built from source, using the console-specific OTP hash
- Exploits a vulnerability in arm9loader to execute ARM9 code directly at boot (arm9loaderhax.bin)
- Works on New 3DS, Old 3DS, and 2DS in the EUR, JAP, or USA regions up to 11.5
- Can be used with an updated SysNAND (up to 11.5).
- Source
- Documentation 1, Documentation 2
- Guide
- Video
Boot9Strap
- Requires an exploit on ≤11.3 , or hardmod/DSiWarehax in order to install. (Or the upcoming ntrboothax)
- Exploits a vulnerability in the bootrom.
- Works on New 3DS, New 2DS, Old 3DS, and 2DS in the EUR, JAP, or USA regions up to 11.5.
- Can be used with an updated SysNAND (up to 11.5).
- Source
- Documentation
- Guide
ninjhax
- Released by Smealum
- Uses an exploit in sharing user-created levels in the game Cubic Ninja to launch homebrew.
- Works up to 11.5.
- Source
- Video
ironhax
- Released by Smealum
- Requires an exploit in order to install
- Uses a save game exploit for IronFall: Invasion in order to launch homebrew.
- Works up to 10.3
- Source
tubehax
- Released by Smealum
- Uses a DNS server to redirect the app's traffic to a exploitable webpage.
- Technically works up to 10.1, but older Youtube versions are blocked by Nintendo, effectively killing the exploit
- Source
browserhax
- Released by yellows8.
- A collection of webkit exploits for the use of launching 3DS homebrew.
- Works up to 11.0
- Source
oot3dhax
- Released by yellows8.
- Requires an exploit or PowerSaves device in order to install
- Uses a save game exploit for The Legend of Zelda: Ocarina of Time 3D in order to launch homebrew.
- Works up to 11.5.0-38.
- Source
smashhax
- Released by yellows8
- Only works on N3DS.
- Uses a exploit in local multiplayer for Smash Bros for 3DS by acting like a fake beacon for sessions.
- Works up to 11.2. Fixed in v11.3
- Source
- Released by yellows8
- Uses a exploit in themedata used by the home menu in order to launch homebrew.
- Works up to 11.2
- Source
Freakyhax (AKA Freakyformshax)
BASICSploit
- Released by MrNbaYoh
- Uses an exploit in BG handling
- Works up to 11.0.33
- Only USA 3.2.1 version for now
- Website
Executable formats
There are a few different types of executables made for the 3DS at this time.
The .cxi format
This file format is used officially by the console. The .cxi container type can only be launched on a 3DS Development Unit (A 3DS released to developers).
It is used by later versions of Braindump.
The .bin format
This type is the raw format for homebrew compiled into an ARM binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, converted into a .3ds file to be launched using a front-end homebrew launcher, or launched as-is with an arm9loader exploit.
- Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew
- Filename: Whatever you want, with a .bin extension
- Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console.
- Access level: The homebrew has full Kernel-mode access and has access to both the ARM9 and ARM11 cores, but the console's services in ARM11 are all disabled, due to the public method of taking over the ARM11 core from within the ARM9 core (credit to Kane49) (This means you have no access to the 3D slider, sound, etc. unless you code it back yourself).
- Restriction: When running from a broken-kernel state (Launcher.dat direct from MSET), random regions of the RAM are likely to have the NX (No-eXecute) security bit still active on them. This causes the program to sometimes not be able to start as the memory is set to not allow execution from the address range the program was unluckily loaded into. This also limits the size of the application, as when the application is larger, the chance of it landing in NX-enabled regions is significantly larger than if it is smaller, leaving the likeliness of it being able to start, up to luck. The size limit is around 19-22kb. In ARM11, code is loaded in a clean memory area, but before jumping to ARM11 it starts in ARM9 and is loaded in the same location, so the problem could happen too.
If you get homebrew in this format and do not have a way to launch a raw .bin file, you will need a python script to insert it into a Launcher.dat file.
- 3DS Python Tool by Naehrwert.
- Build.py for Linux by Tomiga.
- build.py by Kane49. (Advice from here: make sure to change both instances of "-mcpu=mpcore -march=armv6k" in it to "-mcpu=arm946e-s -march=armv5te")
Or use a script to copy a ROP header and footer around the payload binary file, example: copy /b header+binary+footer Launcher.dat
You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's 3DS Homebrew demo package.
The Launcher.dat format
- Boot method: The homebrew is launched directly from the MSET exploit.
- Filename: The homebrew filename is usually "Launcher.dat" but can come using the "MsetForBoss.dat" variant using a alternate MSET exploit roploader, you can have upto 2 homebrew files at the same time on your console (one using the launcher.dat file name and one with the name MsetForBoss.dat), but it requires switch between DS profile roploaders to alternate which file will be loaded.
- Requirement: You need a DS flashcart to install the MSET vulnerability and run the Launcher.dat homebrew.
- Access level: Full Kernel-mode control (same as .bin homebrew).
- Restriction: file size (same as .bin homebrew)
There are 2 different formats of launcher.dat/MsetForBoss.dat, unencrypted(also referred to as homebrew or non gateway), and encrypted(also known as gateway encrypted) you will need to use a alternate DS profile exploit depending on whether you are trying to run a encrypted or unencrypted launcher.dat file, but most if not all MsetForBoss.dat files are unencrypted
The .3ds / .3dsx format
- Boot method: The homebrew is launched from a front end launcher.
- Filename: For Smealum's homebrew launcher use boot.3dsx, every homebrew has a different folder. For Gateway use any name .3ds and place in on a microSD.
- Requirement: For the gateway (.3ds) requires a Gateway 3DS flashcart running firmware 2.2 OMEGA or newer. For Smealum's homebrew launcher (.3dsx) requires a ninjhax exploit and an SD card with boot.3dsx (can be either your homebrew or the homebrew launcher) files on it you'll also need a wifi connection to the internet from your 3DS.
- Access level HBL with ≥9.2 SysNAND: The homebrew is usually only allowed User-mode access and has access to only 30% of the system core's first CPU thread, and 100% access to the second thread, although it can gain limited system access by using memchunkhax2. As a result, most homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available.
- Access level HBL with ≤9.2 SysNAND: Homebrew is allowed system access if using a CFW with signature checks disabled.
- Access level Gateway: Homebrew ran using the gateway will have as much access as any other game.
The .cia format
This file format is used officially by the console as a container for eShop downloaded contents. It's meant to be extracted, installed and displayed on the console's system menu using its own icon.
The .cia container type can only be installed on a 3DS with installation privilege. To unlock the installation feature, you need a modified emuNAND/ sysNAND or Gateway 3DS v2.6 or newer.
Launching Homebrew
ATTENTION: All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console. Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter.
The .cxi format
There's currently no method to directly launch this format on a retail unit. It can, however, be launched by packaging it into a CIA.
The .bin/elf format
These formats are the raw executable.
- There's currently no .elf homebrew launcher to use with Ninjhax.
- These files are sometimes converted to another format (dat, cia, 3ds, 3dsx) by the developers when released to public. Then can then be launched using a different homebrew loading method.
- Some ARM9 (in Launcher.dat format) experimental homebrew can launch the .bin format, but require a 3DS with a System Software version 4.x.
- Arm9loaderhax is capable of launching homebrew in .bin format on System Software version 9.x to 11.x.
Launcher.dat format
This exploit works by using a ROP (Return-Oriented Programming) Chain to get access to Kernel-mode control and run a homebrew executable.
There are two ROP chain exploits you can use:
- Gateway 3DS's ROP Chain. (Encrypted ROP Chain)
- Fierce Waffle's Open source ROP chain. (Unencrypted ROP Chain)
The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary.
Gateway 3DS, which was the first to publicly release this exploit, encrypted their ROP chain to prevent flashcart clones. If you install the Gateway ROP chain, you will have to encrypt your Launcher.dat homebrew using their encryption key. If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS's Launcher.dat until you reinstall their own ROP chain.
There are tools to quickly encrypt or decrypt a Launcher.dat file to work with a corresponding ROP chain.
The different ROP Chain installers
- Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.)
- ROP Chain installer, by Fierce Waffle. It's a little unstable and can brick the DS Mode of the console. It requires a full 3DS format to fix it. You will lose all your data installed on 3DS if you format it.
- Alternate ROP Installer, by Drenn, based on Fierce Waffle ROP Chain binary. It's restoring a full NVRAM dump of Drenn's DS Profile to your console. More stable than using the real installer, but it will fully replace your profile information, except your WiFi settings. You can use ROP Installer Modifier to edit the DS profile information (Favorite color and user name) to be written to the profile during the installation.
- ROP MultiLoader, by SnailFace. Lets you easily choose the ROP chain you want to install.
Installing a ROP Chain
The ROP chain installation requires a DS-mode Flashcart to run the installer .nds program.
- Choose a ROP chain installer from the list above.
- Extract the NDS file if needed and place it on your MicroSD Card, then insert it into your compatible NDS-mode Flashcart.
- Insert the NDS-mode flashcart into your 3DS console and launch the installer.
Note: If you launch the DS-mode again (DS Game or DS mode Flashcart) after installing the ROP Chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew.
Launching the Homebrew
- Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption)
- Place the Launcher.dat file on the root of your SD Card.
- Boot the 3DS and go to Settings > Other > Profile > DS Profile.
- The homebrew will launch.
The .3ds format
The .3ds format requires a gateway 3DS flashcart or a MT-card flashcart.
Gateway 3DS Flashcart
The Gateway 3DS flashcart homebrew launcher can be used only on a 3DS System version 4.0 to 9.2. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart. This Homebrew launching method requires the Gateway 3DS firmware version 2.2 Omega or newer.
- (4.x only) Install the Gateway 3DS ROP Chain. (See the ROP chain installation method above)
- Place the Gateway Launcher.dat file on the root of your SD Card.
- Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
- (4.x) Launch Gateway from the DS Profile. / (9.x) Open the web browser and visit http://go.gateway-3ds.com/ and launch Gateway mode.
- Press Select button to list all homebrew on your MicroSD card and press A to mount it.
- Launch it like a game.
MT-Card Flashcart
The MT-Card homebrew launcher can be used only on a 3DS System version 4.0 to 4.5. The flashcart is required as the 3DS homebrew are stored on the MicroSD inserted in the flashcart. This Homebrew launching method requires the MT-Card firmware version 2.0 or newer.
- Install the MT-Card exploit using the DS mode flashcart. (See the ROP chain installation method above)
- Place the MT-Card Launcher.dat file on the root of your SD Card.
- Place your homebrew on the root of your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
- Launch MT-Card from the DS Profile.
- Press Select button to list all homebrew on your MicroSD card and press A to mount it.
- Launch it like a game.
The .3dsx format
The .3dsx format requires a front end to be launched first.
The Homebrew Launcher
The Homebrew Launcher lets the user run unsigned homebrew compiled in .3dsx format in User-mode on the ARM11 core. It was originally developed by smealum and gemisisDev, since its release more developers are helping and improving it. It exploits a vulnerability in 3DS a System Software versions 4.x to 9.2.x with eShop revision 7 to 20.
You will not need a Flashcart to use it, but will need the retail game Cubic Ninja. Cubic Ninja launched from a flashcart is working too.
Installing The Homebrew Launcher
- Download and extract The Homebrew Starter Kit to the root of your 3DS SD Card. You should now have a file named boot.3dsx and a "3ds" folder on the root of your SD Card.
- Enable Wifi and launch Cubic Ninja game
- Choose the "Create" menu and select "QR Code" method, then "Scan QR code" option.
- Go to http://smealum.net/ninjhax/#qrcode and select your System version to generate the corresponding QR Code
- Scan your QR code and it will download "The Homebrew Launcher" loader automatically and install it into the Savegame slot of Cubic Ninja game. It will also launch automatically after the Installation.
Launching The Homebrew Launcher
- You don't need Wifi once it's already installed to your Cubic Ninja game.
- Run Cubic Ninja and go to QR Code menu. The Homebrew Launcher will load.
Place your homebrew in either one of these locations:
- /3ds/<homebrew_name>/boot.3dsx
- /3ds/<homebrew_name>/<same_as_folder_name>.3dsx
- /3ds/<filename>.3dsx
If you want an icon for your Homebrew to be displayed in The Homebrew Launcher, place it in either one of these locations:
- /3ds/<homebrew_name>/icon.bin
- /3ds/<homebrew_name>/<icon or folder_name>.smdh
- /3ds/<homebrew_name>/<icon or folder_name>.icn
The .cia format
The .cia format requires a patched firmware (CFW) or Gateway 3DS flashcart. The user needs a 3DS with a System Software version 4.0 to 11.2 For unsigned .CIA files. Consoles between 9.3 and 11.2 have exploits allowing "legit CIA" files to be installed.
Dev Menu
Currently, one of the ways to install cia files and manage installed titles is by using DevMenu program from the official Nintendo 3DS development kit (SDK). This program is illegal to share and will not be linked here or on the forum. However, homebrew alternatives exist such as FBI and Big Red Menu. To use DevMenu and install files to your sysNAND or emuNAND, you need enough privileges which is only possible on a modified emuNAND or sysNAND (commonly called "custom Firmware") or using Gateway 3DS v2.6 or newer.
- When using a modified emuNAND or sysNAND you need to permanently install DevMenu program on your console.
- When using Gateway 3DS you can use BigBlueMenu, which is the DevMenu program converted to .3ds format.