Difference between revisions of "3DS Homebrew"
Edit summaries: (→The homebrew type: Added cxi format); m (→The homebrew type: fix)
Revision as of 19:04, 22 August 2014
Welcome to the wonderful world of 3DS Homebrew!
To run homebrew on the 3DS you need a method to run custom code. There is currently only one public exploit (the MSET exploit) that allows running unsigned code on the 3DS system.
A 3DS running System version 4.1.x to 4.5.x is required for this exploit, but Smealum is working on a new vulnerability found in 3DS System versions 5.0.x to 8.2.x.
The different exploits
The MSET exploit
It works on 3DS System versions 4.1.x to 4.5.x.
This exploit is also used by flashcart manufacturers to get Kernel access.
This is currently the only method to run homebrew.
To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and an NDS homebrew that alters the DS Profile setting. When the DS profile is launched from the 3DS settings, the custom code written into the profile runs and allows homebrew to be launched.
Go to the MSET exploit page, or to this blog, to read information on the hack itself.
Unknown name exploit
Unreleased.
Smealum uses this exploit for his Homebrew Launcher. It works on 3DS System versions 5.0.x to 8.2.x.
The homebrew type
There are different types of homebrew.
The .cxi format
This file format is used officially by the console. A .cxi file can only be launched on a development unit (a 3DS for developers).
You will never have to run this format. It's listed for historical reasons.
The .bin format
This is the raw format of a compiled homebrew binary. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, or converted into a .3ds file to be launched using a front-end homebrew launcher.
- Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew.
- Filename: Whatever you want, with a .bin extension.
- Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console.
- Access level: Same as Launcher.dat.
- Restriction: file size (please complete the max size)
If you get homebrew in this format, you will need a Python script to insert it into a Launcher.dat file.
- 3DS Python Tool by Naehrwert.
- Build.py for Linux by Tomiga.
- build.py by Kane. (Advice from here: make sure to change both instances of "-mcpu=mpcore -march=armv6k" in it to "-mcpu=arm946e-s -march=armv5te")
Or use a script to copy a ROP header and footer around the payload binary file, for example (Windows): copy /b header+binary+footer Launcher.dat
You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's 3DS Homebrew demo package.
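The concatenation that the copy /b command above performs, as an added Python example (not one of the tools listed on this page), together with the inverse check that tells you whether a given Launcher.dat was built from a known header/footer pair and recovers the payload from it. The header, footer and payload bytes embedded below are constructed placeholders, not the real exp.bin or pad.bin contents, and the max_size argument is a hypothetical cap because the page does not state the actual limit.

```python
from pathlib import Path

# Constructed sample data: NOT real ROP gadgets or a real homebrew binary.
SAMPLE_HEADER = b"EXPHDR" + bytes(10)        # stands in for exp.bin
SAMPLE_FOOTER = bytes(8) + b"PADFTR"         # stands in for pad.bin
SAMPLE_PAYLOAD = bytes(range(16))            # stands in for a compiled .bin


def build_launcher(header, payload, footer, max_size=None):
    """Assemble Launcher.dat = header + payload + footer.

    max_size is a hypothetical cap (the page does not give the real one);
    when supplied, an oversized image is rejected instead of written.
    """
    if not payload:
        raise ValueError("empty payload")
    image = header + payload + footer
    if max_size is not None and len(image) > max_size:
        raise ValueError(f"Launcher.dat would be {len(image)} bytes, cap is {max_size}")
    return image


def extract_payload(image, header, footer):
    """Recover the payload from a Launcher.dat built with this header/footer.

    Raises ValueError if the image does not start with the known ROP header
    or end with the known footer, i.e. it was not built from this pair.
    """
    if len(image) < len(header) + len(footer):
        raise ValueError("image too small to contain header and footer")
    if not image.startswith(header):
        raise ValueError("header mismatch: not built from this ROP header")
    if not image.endswith(footer):
        raise ValueError("footer mismatch: not built from this ROP footer")
    return image[len(header):len(image) - len(footer)]


def build_from_files(header_path, payload_path, footer_path, out_path="Launcher.dat"):
    """File-based front end mirroring the copy /b invocation; returns bytes written."""
    image = build_launcher(Path(header_path).read_bytes(),
                           Path(payload_path).read_bytes(),
                           Path(footer_path).read_bytes())
    Path(out_path).write_bytes(image)
    return len(image)


if __name__ == "__main__":
    img = build_launcher(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_FOOTER)
    print(len(img), extract_payload(img, SAMPLE_HEADER, SAMPLE_FOOTER) == SAMPLE_PAYLOAD)
```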
The Launcher.dat format
- Boot method: The homebrew is launched directly from the MSET exploit.
- Filename: The homebrew filename is always "Launcher.dat", so you can't have multiple homebrew on your console at the same time.
- Requirement: You need a DS flashcart to exploit the MSET vulnerability and run the Launcher.dat homebrew.
- Access level: The homebrew has full Kernel level access and has access to both ARM9 and ARM11, but the console's ARM11 services are all disabled (no access to the 3D slider, sound, etc. unless you code it back yourself).
- Restriction: file size (please complete the max size)
The .3ds format
- Boot method: The homebrew is launched from a front-end launcher.
- Filename: The homebrew filename can be whatever you want, with a .3ds extension.
- Requirement: There is currently only one front end, which is based on the work done by Smealum to create a homebrew environment, and it requires a Gateway 3DS flashcart with firmware 2.2 OMEGA or newer.
- Access level: The homebrew has only User level access and has access to ARM11 only. As a result, the homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available.
Launching Homebrew
The Launcher.dat format
This exploit works by using a ROP chain to gain Kernel level access and run the homebrew. The Launcher.dat file contains two sections: the end of the ROP chain initiated by the MSET exploit, and the homebrew binary.
Gateway 3DS, which was the first to publicly release this exploit, encrypted their ROP chain to prevent flashcart clones. If you install the Gateway ROP chain, you will have to encrypt your Launcher.dat homebrew using their encryption key. If you install an open source ROP chain, you can run unencrypted homebrew, but you will not be able to run Gateway 3DS until you reinstall their own ROP chain.
There are tools to quickly encrypt or decrypt a Launcher.dat file so it works with the corresponding ROP chain.
The different ROP Chain installers
- Official Gateway ROP chain installer. (No link will be shared here; the installer is provided with the Gateway firmware.)
- ROP Chain installer, by Fierce Waffle. Open source; it's a little unstable and can brick the DS Mode of the console, which requires a full 3DS format to fix. You will lose all data installed on the 3DS if you format it.
- Alternate ROP Installer, by Drenn, based on Fierce Waffle's ROP chain. More stable than the previous one, but it fully replaces your profile information. You can use ROP Installer Modifier to edit the information to be written to the profile before installing it.
- ROP MultiLoader, by SnailFace. Lets you easily choose the ROP chain you want to install.
Installing a ROP Chain
The ROP chain installation requires a DS Mode flashcart to run the installer .nds program.
- Choose a ROP chain installer from the list above.
- Extract the .nds file if needed and place it on your MicroSD card, then insert the card into your compatible DS Mode flashcart.
- Insert the DS Mode flashcart into your 3DS console and launch the installer.
Note: If you launch DS Mode again (a DS game or a DS Mode flashcart) after installing the ROP chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew.
Launching the Homebrew
- Encrypt or decrypt the Launcher.dat file according to the ROP chain you installed (the Gateway ROP chain requires encryption).
- Place the Launcher.dat file in the root of your SD card.
- Boot the 3DS and go to Settings > Other > Profile > DS Profile.
- The homebrew will launch.
The .3ds format
.3ds homebrew use the LibCTRU libraries instead of being written against bare ARM instructions.
The .3ds format requires a front end to be launched first. There are currently two front ends you can use.
Gateway 3DS Flashcart
This front end requires the Gateway 3DS flashcart with Omega 2.2 or newer firmware. It's launched using the Launcher.dat exploit and thus works only on 3DS System versions 4.0 to 4.5.
- Install the Gateway 3DS ROP chain.
- Place the Gateway 2.2 Omega Launcher.dat file in the root of your SD card.
- Place your homebrew on your MicroSD card, formatted as FAT32 or exFAT, using the filename you want with a .3ds extension.
- Launch Gateway from the DS Profile and update your card's firmware if required.
- Press the Select button to list all homebrew on your MicroSD card and press A to mount one.
- Launch it like a game.
The 3DS Homebrew Launcher
The 3DS Homebrew Launcher lets the user run unsigned homebrew compiled in the .3ds format. It's developed by ... and exploits a vulnerability in 3DS System versions 5.x to 8.x found by Smealum to run homebrew in user mode on ARM11.
You don't need a flashcart to use it.
The launching method will be added when the Launcher is released.
Developing homebrew for 3DS
The "Official" homebrew development thread can be found on the forum from this link:
--Add here more information to install a development environment and how to compile homebrew (both .dat and .3ds?)--