From WikiTemp, the GBAtemp wiki
Revision as of 21:54, 22 August 2014 by Cyan (talk | contribs) (fixed System version)

Welcome to the wonderful world of 3DS Homebrew!


To run homebrew on 3DS you need a method to run custom code. There is currently only one public exploit (the MSET exploit) available which allows running unsigned code on 3DS system. A 3DS running on System version 4.1.x to 4.5.x is required for this exploit, but Smealum is working on a new vulnerability found on 3DS System version 5.x to 8.x.


The different exploits

The MSET exploit

It works on 3DS System version 4.1.x to 4.5.x

This exploit is also used by Flashcarts manufacturers to get Kernel access.

This is currently the only method to run homebrew.

To exploit this vulnerability, you need a working DS Mode flashcart for your 3DS and run a NDS Homebrew to alter the DS Profile setting. When launching the DS profile from the 3DS settings, it will launch the custom code written in the profile and allow homebrew launching.


Go tho the MSET exploit page, or on this blog to read information on the hack itself.

Unknown name exploit

Unreleased.

Smealum uses this exploit for his Homebrew launcher. It works on 3DS System version 5.x to 8.x.


The homebrew type

There are different types of homebrew.

The .cxi format

This file format is used officially by the console. The .cxi file can only be launched on Development unit (A 3DS for developers).

You will never have to run this format. It's listed for historical reason.


The .bin format

This type is the raw format for homebrew compiled binary file. It's usually encapsulated into a Launcher.dat file to be launched using the MSET exploit, or converted into a .3ds file to be launched using a front-end homebrew launcher.

  • Boot method: Encapsulated into a Launcher.dat, or using a .bin launcher homebrew.
  • Filename: Whatever you want, with .bin extension
  • Requirement: Python to encapsulate it into a Launcher.dat file, or a method to launch .bin homebrew on your console.
  • Access level: Same as Launcher.dat.
  • Restriction: file size (please complete the max size)


If you get homebrew in this format, you will need a python script to insert it into a Launcher.dat file.

Or use a script to copy a ROP header and footer around the payload binary file, example: copy /b header+binary+footer Launcher.dat

You can find the pre-compiled ROP header (exp.bin) and footer (pad.bin) in Snailface's 3DS Homebrew demo package.


The Launcher.dat format

  • Boot method: The homebrew is launched directly from the MSET exploit.
  • Filename: The homebrew filename is always "Launcher.dat" so you can't have multiple homebrew at the same time on your console.
  • Requirement: You need a DS flashcart to exploit the MSET vulnerability and run the Launcher.dat homebrew.
  • Access level: The homebrew has full Kernel level access and has access to ARM9 and ARM11 but the console's services in ARM11 are all disabled (no access to 3D sliders, sound, etc. unless you code it back yourself).
  • Restriction: file size (please complete the max size)


The .3ds format

  • Boot method: The homebrew is launched from a front end launcher.
  • Filename: The homebrew filename can be what you want and ends with .3ds extension.
  • Requirement: There is currently only one front end, which is based on the work done by Smealum to create a homebrew environment, and requires a Gateway 3DS flashcart Firmware 2.2 OMEGA or newer.
  • Access level: The homebrew has only User level access and has access to ARM11 only. As a result, the homebrew cannot modify or access the system in any way using the current implementation of ARM11 homebrew, but the ARM11 services are available.

Launching Homebrew

ATTENTION: All homebrew using a Launcher.dat file have full Kernel access and therefore can modify the content of your console. Nobody developed or released homebrew explicitly bricking your 3DS, but be careful when you decide to run unknown files. You are responsible for any problem you may encounter.


The Launcher.dat format

This exploit works by using a ROP Chain to get access to Kernel level and run the homebrew.

There are two ROP chain exploits you can use:


The Launcher.dat file contains two sections: The end of the ROP chain initiated by the MSET exploit, and the homebrew binary.

Gateway 3DS, which was the first to publicly release this exploit, encrypted their ROP chain to prevent flashcart clones. If you install the Gateway ROP chain, you will have to encrypt your Launcher.dat homebrew using their encryption key. If you install an open source ROP chain, you can run unencrypted homebrew but you will not be able to run Gateway 3DS until you reinstall their own ROP chain.

There are tools to quickly encrypt or decrypt Launcher.dat file to work with corresponding ROP chain.


The different ROP Chain installers

  • Gateway 3DS ROP chain installer. (No link will be shared here. The installer is provided with the Gateway-3DS flashcart firmware package.)
  • ROP Chain installer, by Fierce Waffle. It's a little unstable and can brick the DS Mode of the console. It requires a full 3DS format to fix it. You will lose all your data installed on 3DS if you format it.
  • Alternate ROP Installer, by Drenn, based on Fierce Waffle ROP Chain binary. It's restoring a full NVRAM dump of Drenn's DS Profile to your console. More stable than using the real installer, but it fully replace your profile informations except wifi. You can use ROP Installer Modifier to edit the DS informations (Favorite color and user name) to be written in the profile before installing it.
  • ROP MultiLoader, by SnailFace. Lets you choose easily the ROP you want to install.


Installing a ROP Chain

The ROP chain installation requires a DS Mode Flashcart to run the installer.nds program.

  1. Choose a ROP chain installer from the list above.
  2. Extract the NDS file if needed and place it on your MicroSD Card, then insert it in your compatible NDS Mode Flashcart.
  3. Insert the NDS Mode flashcart in your 3DS console and launch the installer.

Note: If you launch the DS Mode again (DS Game or DS mode Flashcart) after installing the ROP Chain, the profile will be reset and the exploit deleted. You will need to install it again to launch 3DS homebrew.


Launching the Homebrew

  1. Encrypt or Decrypt the Launcher.dat file based on the ROP chain you installed. (Gateway ROP chain requires encryption)
  2. Place the Launcher.dat file on the root of your SD Card.
  3. Boot the 3DS and go to Settings > Other > Profile > DS Profile.
  4. The homebrew will launch.

The .3ds format

The .3ds homebrew are using LibCTRU libraries instead of being developed on bare ARM commands.

The .3ds format requires a front end to be launched first. There are actually two front end you can use.

Gateway 3DS Flashcart

This Front end require the Gateway 3DS Flashcart and the Omega 2.2+ firmware only. It's launched using the Launcher.dat exploit and thus works only on 3DS System version 4.0 to 4.5.

  1. Install the Gateway 3DS ROP Chain.
  2. Place the Gateway 2.2 Omega Launcher.dat file on the root of your SD Card.
  3. Place your homebrew on your MicroSD Card formated as FAT32 or ExFAT, using the filename you want and .3ds extension.
  4. Launch Gateway from the DS Profile and update your card's firmware if required.
  5. Press Select button to list all homebrew on your MicroSD card and press A to mount it.
  6. Launch it like a game.


The 3DS Homebrew Launcher

The 3DS Homebrew Launcher lets the user run unsigned homebrew compiled in .3ds format. It's developed by ... and exploit a vulnerability in 3DS System version 5.x to 8.x found by Smealum to run homebrew in user mode with ARM11.

You don't need a Flashcart to use it.

Launching method will be added when the Launcher is released.

Developing homebrew for 3DS

The "Official" homebrew development thread can be found on the forum from this link:

Homebrew Development


--Add here more information to install a development environment and how to compile homebrew (both .dat and .3ds?)--