super epic omega very cool explanations and pics

This commit is contained in:
Lily 2022-10-01 15:55:27 -07:00
parent 6a388ff978
commit 020e21508f
21 changed files with 213 additions and 101 deletions

View file

@ -0,0 +1,16 @@
<script>
var elements = document.querySelectorAll('p');
Array.prototype.forEach.call(elements, function(el, i){
if(el.innerHTML=='[expand]') {
var parentcontent = el.parentNode.innerHTML.replace('<p>[expand]</p>','<div class="expand" style="display: none; height: 0; overflow: hidden;">').replace('<p>[/expand]</p>','</div>');
el.parentNode.innerHTML = parentcontent;
}
});
var elements = document.querySelectorAll('div.expand');
Array.prototype.forEach.call(elements, function(el, i){
el.previousElementSibling.innerHTML = el.previousElementSibling.innerHTML + '<span>..&nbsp; <a href="#" style="cursor: pointer;" onclick="this.parentNode.parentNode.nextElementSibling.style.display = \'block\'; this.parentNode.parentNode.nextElementSibling.style.height = \'auto\'; this.parentNode.style.display = \'none\';">read&nbsp;more&nbsp;&rarr;</a></span>';
});
</script>

View file

@ -3,12 +3,19 @@ title: "BannerBomb3"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
<details>
<summary><em>Technical Details (optional)</em></summary>
To dump system DSiWare, we exploit a flaw in the DSiWare Data Management window of the Settings application.
<p>To dump system DSiWare, we exploit a flaw in the DSiWare Data Management window of the Settings application.</p>
To accomplish this, we use your system's encryption key (movable.sed) to build a DSiWare backup that exploits the system in order to dump the DSi Internet Settings application to the SD root.
<p>To accomplish this, we use your system's encryption key (movable.sed) to build a DSiWare backup that exploits the system in order to dump the DSi Internet Settings application to the SD root.</p>
<p>For a more technical explanation, see <a href="https://github.com/zoogie/Bannerbomb3">here</a>.</p>
</details>
### Compatibility Notes
These instructions work on USA, Europe, Japan, and Korea region consoles as indicated by the letters U, E, J, or K after the system version.
@ -20,6 +27,9 @@ If you have a Taiwanese console (indicated by a T after the system version), fol
* Your `movable.sed` file from completing [Seedminer](seedminer)
#### Section I - Prep Work
In this section, you will copy the files needed to trigger the BannerBomb3 exploit onto your device's SD card.
1. Open [BannerBomb3 Tool](https://3ds.nhnarwhal.com/3dstools/bannerbomb3.php) on your computer
1. Upload your movable.sed using the "Choose File" option
1. Click "Build and Download"
@ -27,28 +37,32 @@ If you have a Taiwanese console (indicated by a T after the system version), fol
1. If your console is powered on, power off your console
1. Insert your SD card into your computer
1. Navigate to `Nintendo 3DS` -> `<ID0>` -> `<ID1>` on your SD card
+ The `<ID0>` will be the same one that you used in [Seedminer](seedminer)
+ The `<ID1>` is a 32 character long folder inside of the `<ID0>`
+ `<ID0>` is the 32-letter folder name that you copied in [Seedminer](seedminer)
+ `<ID1>` is a 32-letter folder inside of the `<ID0>`
+ ![]({{ "/images/screenshots/bb3/dsiware-location-1.png" | absolute_url }}){: .notice--info}
1. Create a folder named `Nintendo DSiWare` inside of the `<ID1>`
+ If you already had the folder *and* there are any existing DSiWare backup files (`<8-character-id>.bin`) inside, copy them to your PC and remove them from your SD card
1. Copy the `F00D43D5.bin` file from the BannerBomb3 `.zip` to the `Nintendo DSiWare` folder
1. Copy the `F00D43D5.bin` file from `BannerBomb3.zip` to the `Nintendo DSiWare` folder
![]({{ "/images/screenshots/dsiware-save-location.png" | absolute_url }})
![]({{ "/images/screenshots/bb3/dsiware-location-2.png" | absolute_url }})
{: .notice--info}
#### Section II - BannerBomb3
In this section, you will trigger the BannerBomb3 exploit using the DSiWare Management menu and copy the resulting file dump to your computer so that you can use it on the next page.
1. Reinsert your SD card into your device
1. Power on your device
1. Launch System Settings on your device
1. Navigate to `Data Management` -> `DSiWare`
1. Click on the SD Card section
1. Navigate to `Data Management` -> `DSiWare` -> `SD Card` ([image](/images/screenshots/bb3/dsiware-management.png))
+ Your system should flash Magenta (pink/purple) and then crash a few seconds later. This means it worked
1. Power off your device
1. Insert your SD card into your computer
1. You should now have `42383841.bin` in SD root. This is the DSiWare backup you will use later in the guide
1. Navigate to `Nintendo 3DS` -> `<ID0>` -> `<32-character-id>` -> `Nintendo DSiWare` on your SD card
+ This `<ID0>` will be the same one that you used in [Seedminer](seedminer)
1. Delete `F00D43D5.bin` from the Nintendo DSiWare folder and from your computer. This file will not be needed anymore
1. You should now have `42383841.bin` on the root of your SD card. Copy this file to somewhere on your computer, as you will use it on the next page
1. Navigate to `Nintendo 3DS` -> `<ID0>` -> `<ID1>` -> `Nintendo DSiWare` on your SD card
![]({{ "/images/screenshots/bb3/dsiware-location-2.png" | absolute_url }}){: .notice--info}
1. Delete `F00D43D5.bin` from your Nintendo DSiWare folder and from your computer. This file will not be needed anymore
Continue to [Installing boot9strap (Fredtool)](installing-boot9strap-(fredtool))
{: .notice--primary}

View file

@ -3,6 +3,7 @@ title: "Finalizing Setup"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
@ -20,6 +21,8 @@ On this page, we will make critical system file backups and install the followin
It is not recommended to skip downloading any of these applications, as many of them will be used later on this page. At the end of this page, your SD card will be cleaned up by removing unnecessary installation files.
{: .notice--warning}
### Compatibility Notes
If your **New 3DS** was on version 2.1.0 before following this guide, you should [restore your NAND backup](godmode9-usage#restoring-a-nand-backup) before continuing.
{: .notice--warning}
@ -39,6 +42,8 @@ If your previous CFW setup was EmuNAND-based and you wish to move the contents o
#### Section I - Prep Work
In this section, you will copy the files necessary to follow the rest of the instructions on this page.
1. Power off your device
1. Insert your SD card into your computer
1. Create a folder named `cias` on the root of your SD card if it does not already exist
@ -52,15 +57,18 @@ If your previous CFW setup was EmuNAND-based and you wish to move the contents o
1. Reinsert your SD card into your device
1. Power on your device
These screenshots indicate the minimum SD card layout that is required to follow this page. You may have extra files or folders on your SD card, depending on your previous setup or the method that you followed.
![]({{ "/images/screenshots/finalizing-root-layout.png" | absolute_url }})
{: .notice--info}
![]({{ "/images/screenshots/godmode9-location.png" | absolute_url }})
{: .notice--info}
These screenshots indicate the minimum SD card layout that is required to follow this page. You may have extra files or folders on your SD card, depending on your previous setup or the method that you followed.
#### Section II - Updating the System
In this section, you will update your system to the latest version, which is safe to do with custom firmware.
1. Update your device by going to System Settings, then "Other Settings", then going all the way to the right and using "System Update"
+ Updates while using B9S + Luma (what you have) are safe
+ The updater may display a message saying "Your system is up to date" instead of updating. This is normal if you are already up to date; continue with the next section
@ -69,6 +77,8 @@ These screenshots indicate the minimum SD card layout that is required to follow
#### Section III - Homebrew Launcher
In this section, you will temporarily replace Download Play with Homebrew Launcher (which we need to launch FBI). Download Play will automatically go back to normal once you reboot your device.
1. Launch the Download Play application (![]({{ "/images/download-play-icon.png" | absolute_url }}){: height="24px" width="24px"})
1. Wait until you see the `Nintendo 3DS` and `Nintendo DS` buttons
1. Press (Left Shoulder) + (D-Pad Down) + (Select) at the same time to open the Rosalina menu
@ -83,6 +93,8 @@ These screenshots indicate the minimum SD card layout that is required to follow
#### Section IV - RTC and DSP Setup
In this section, you will sync your 3DS internal clock with the actual time and dump the sound firmware (which is necesssary for some homebrew software to use sound properly).
1. Press (Left Shoulder) + (D-Pad Down) + (Select) at the same time to open the Rosalina menu
1. Select "Miscellaneous options"
1. Select "Dump DSP firmware"
@ -94,6 +106,8 @@ These screenshots indicate the minimum SD card layout that is required to follow
#### Section V - Installing CIAs
In this section, you will install several useful homebrew applications to HOME Menu.
1. Launch FBI from the list of homebrew
1. Navigate to `SD` -> `cias`
1. Select "\<current directory>"
@ -102,6 +116,8 @@ These screenshots indicate the minimum SD card layout that is required to follow
#### Section VI - CTRNAND Luma3DS
In this section, you will use a script to copy some of Luma3DS's files to internal memory so that they can be accessed, even without an SD card inserted.
1. Power off your device
1. Press and hold (Start), and while holding (Start), power on your device. This will launch GodMode9
+ If you do not boot into GodMode9, ensure that `GodMode9.firm` is in `/luma/payloads/` and that `payloads` is correctly spelled
@ -118,6 +134,8 @@ These screenshots indicate the minimum SD card layout that is required to follow
#### Section VII - Cleanup SD Card
In this section, you will use a script to remove some unnecessary files from your SD card.
1. Select "Cleanup SD Card"
1. When prompted, press (A) to proceed
1. Press (A) to continue
@ -125,6 +143,8 @@ These screenshots indicate the minimum SD card layout that is required to follow
#### Section VIII - Backup Essential Files
In this section, you will make backups of flies that can be used to recover from softwaer bricks or to recover data.
1. Select "Backup Options"
1. Select "SysNAND Backup"
1. Press (A) to confirm
@ -159,7 +179,7 @@ You're done! Custom firmware is now fully configured on your device.
Hello! We're looking for feedback on the overall experience of following our guide. If you'd like to help out, check out the survey [here](https://forms.gle/vZNoc4QLCz5MEXCK7) (only available in English). Thanks!
{: .notice--info}
#### Information and Notes
### Information and Notes
{% capture notice-6 %}
Here are some key combos that you should know:

View file

@ -3,10 +3,19 @@ title: "Homebrew Launcher (PicHaxx)"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
<details>
<summary><em>Technical Details (optional)</em></summary>
This method of using Seedminer for further exploitation uses your `movable.sed` file to write a custom save file for Pokémon Picross, which can then be used with unSAFE_MODE to run SafeB9SInstaller.
This method of using Seedminer for further exploitation uses your <code>movable.sed</code> file to write a custom save file for Pokémon Picross, which can then be used with unSAFE_MODE (via Homebrew Launcher) to run SafeB9SInstaller.
</details>
### Compatibility Notes
These instructions work on USA, Europe, and Japan consoles as indicated by the letters U, E, or J after the system version.
You will need a Nintendo Network ID to download Pokémon Picross.
This process will overwrite your Pokémon Picross save file, if you have one. If you wish to preserve your Pokémon Picross game data, you should make a backup of your `00000001.sav` file before overwriting it.
{: .notice--warning}
@ -24,15 +33,8 @@ This process will overwrite your Pokémon Picross save file, if you have one. If
#### Section I - Prep Work
1. Power on your device
1. Open the Nintendo eShop
1. Tap the Search icon (small magnifying glass)
1. Search for `picross`
1. Open the store page for Pokémon Picross
1. Download Pokémon Picross
+ You can scan [this QR code](http://api.qrserver.com/v1/create-qr-code/?color=000000&bgcolor=FFFFFF&data=ESHOP://50010000037815&margin=0&qzone=1&size=400x400&ecc=L) using the Nintendo 3DS Camera for a direct link to the eShop app
+ Your SD card must be inserted in your device to install Pokémon Picross
1. Power off your device
In this section, you will copy some of the files that will be used to launch the Homebrew Launcher.
1. Insert your SD card into your computer
1. Copy `boot.firm` and `boot.3dsx` from the Luma3DS `.zip` to the root of your SD card
+ The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
@ -42,6 +44,7 @@ This process will overwrite your Pokémon Picross save file, if you have one. If
#### Section II - PicHaxx
In this section, you will create a hacked Pokémon Picross save file that, when used, will load the Homebrew Launcher on your device.
1. Open [the PicHaxx Injector website](https://3ds.nhnarwhal.com/3dstools/pichaxx.php) on your computer
1. Select your `movable.sed` file
1. Select "Build and Download"

View file

@ -3,16 +3,19 @@ title: "Installing boot9strap (Fredtool)"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
<details>
<summary><em>Technical Details (optional)</em></summary>
This method of using Seedminer for further exploitation uses your `movable.sed` file to decrypt any DSiWare title for the purposes of injecting an exploitable DSiWare title into the DS Internet Settings application. This requires you to have a DSiWare backup, for example from BannerBomb or the DSiWare Dumper tool.
<p>This method of using Seedminer for further exploitation uses your <code>movable.sed</code> file to decrypt any DSiWare title for the purposes of injecting an exploitable DSiWare title into the DS Internet Settings application. This requires you to have a DSiWare backup, which you should have gotten in the previous section.</p>
This is a currently working implementation of the "FIRM partitions known-plaintext" exploit detailed [here](https://www.3dbrew.org/wiki/3DS_System_Flaws).
<p>This is a currently working implementation of the "FIRM partitions known-plaintext" exploit detailed <a href="https://www.3dbrew.org/wiki/3DS_System_Flaws">here</a>.</p>
</details>
### What You Need
* A DSiWare Backup (You should have one on the root of your SD card from following [BannerBomb3](bannerbomb3))
* A DSiWare Backup, normally `42383841.bin` (You should have one on the root of your SD card from following [BannerBomb3](bannerbomb3))
* Your `movable.sed` file from completing [Seedminer](seedminer)
* The latest release of [Frogminer_save](https://github.com/zoogie/Frogminer/releases/latest) (`Frogminer_save.zip`)
* The latest release of [b9sTool](https://github.com/zoogie/b9sTool/releases/latest) (`boot.nds`)
@ -20,6 +23,8 @@ This is a currently working implementation of the "FIRM partitions known-plainte
#### Section I - CFW Check
As an additional safety measure, we will perform an additional check for custom firmware. This is because using this method when custom firmware is already installed has a risk of bricking the console (rendering it unusable without recovery methods like [ntrboot](ntrboot)).
1. Power off your device
1. Hold the (Select) button
1. Power on your device while still holding the (Select) button
@ -30,17 +35,7 @@ If you see a configuration menu, you already have CFW, and continuing with these
#### Section II - Prep Work
1. Power off your device
1. Insert your SD card into your computer
1. Copy `boot.firm` and `boot.3dsx` from the Luma3DS `.zip` to the root of your SD card
+ The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
1. Copy `boot.nds` (B9STool) to the root of your SD card
1. Copy the `private` folder from the Frogminer_save `.zip` to the root of your SD card
![]({{ "/images/screenshots/fredtool-root-layout.png" | absolute_url }})
{: .notice--info}
#### Section III - Fredtool
In this section, you will copy the files necessary to temporarily replace DS Connection Settings with Flipnote Studio, which is used to launch the boot9strap (custom firmware) installer.
1. Open the [DSIHaxInjector_new](https://jenkins.nelthorya.net/job/DSIHaxInjector_new/build?delay=0sec) website on your computer
1. Under the "Username" field, enter any alphanumeric name (no spaces or special characters)
@ -53,19 +48,31 @@ If you see a configuration menu, you already have CFW, and continuing with these
1. Click on the first search result
+ This result should have the latest timestamp
1. Click the "output_(name).zip" link
1. Insert your SD card into your computer
1. Navigate to `Nintendo 3DS` -> `<ID0>` -> `<ID1>` -> `Nintendo DSiWare` on your SD card
+ The `<ID0>` will be the same one that you used in [Seedminer](seedminer)
+ The `<ID1>` is a 32 character long folder inside of the `<ID0>`
+ If the `Nintendo DSiWare` folder does not exist, create it inside of the `<ID1>`
+ `<ID0>` is the 32-letter folder name that you copied in [Seedminer](seedminer)
+ `<ID1>` is a 32-letter folder inside of the `<ID0>`
![]({{ "/images/screenshots/bb3/dsiware-location-1.png" | absolute_url }}){: .notice--info}
1. Copy the `42383841.bin` file from the `hax` folder of the downloaded DSiWare archive (output_(name).zip) to the `Nintendo DSiWare` folder
1. Reinsert your SD card into your device
1. Copy `boot.firm` and `boot.3dsx` from the Luma3DS `.zip` to the root of your SD card
+ The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
1. Copy `boot.nds` (B9STool) to the root of your SD card
1. Copy the `private` folder from the Frogminer_save `.zip` to the root of your SD card
![]({{ "/images/screenshots/fredtool-root-layout.png" | absolute_url }})
{: .notice--info}
#### Section III - Overwriting DS Connection Settings
In this section, you will copy the hacked DS Connection Settings DSiWare to internal memory, which will temporarily replace it with Flipnote Studio.
1. Power on your device
1. Launch System Settings on your device
1. Navigate to `Data Management` -> `DSiWare`
1. Under the "SD Card" section, select the "Haxxxxxxxxx!" title
1. Navigate to `Data Management` -> `DSiWare`-> `SD Card` ([image](/images/screenshots/bb3/dsiware-management.png))
1. Select the "Haxxxxxxxxx!" title
1. Select "Copy", then select "OK"
1. Return to main menu of the System Settings
1. Navigate to `Internet Settings` -> `Nintendo DS Connections`, then select "OK"
1. Navigate to `Internet Settings` -> `Nintendo DS Connections`, then select "OK" ([image](/images/screenshots/fredtool/dsconnections.png))
1. If the exploit was successful, your device will have loaded the JPN version of Flipnote Studio
#### Section IV - Flipnote Exploit
@ -73,6 +80,8 @@ If you see a configuration menu, you already have CFW, and continuing with these
If you would prefer a visual guide to this section, one is available [here](https://zoogie.github.io/web/flipnote_directions/).
{: .notice--info}
In this section, you will perform a series of very specific steps within Flipnote Studio that, when performed correctly, will launch the boot9strap (custom firmware) installer.
1. Complete the initial setup process for the launched game until you reach the main menu
+ Select the left option whenever prompted during the setup process
1. Using the touch-screen, select the large left box, then select the box with an SD card icon
@ -94,6 +103,8 @@ If you would prefer a visual guide to this section, one is available [here](http
#### Section V - Luma3DS Verification
Due to the nature of the exploit used, it is occasionally (but rarely) possible for boot9strap to not actually get installed. This section will therefore verify that boot9strap was successfully installed by seeing if some files that are normally automatically generated by Luma3DS were created.
1. Power off your device
1. Insert your SD card into your computer
1. Verify that a `luma` folder exists and that `config.ini` is inside of it
@ -106,13 +117,15 @@ At this point, your console will boot to Luma3DS by default.
#### Section VI - Restoring DS Connection Settings
In this section, you will restore DS Connection Settings to the way it was before it was temporarily replaced with Flipnote Studio in Section III.
1. Copy the `42383841.bin` file from the `clean/` folder of the downloaded DSiWare archive (`output_(name).zip`) to the `Nintendo 3DS/<ID0>/<ID1>/Nintendo DSiWare/` folder on your SD card
+ Replace the existing `42383841.bin` file
1. Reinsert your SD card into your device
1. Power on your device
1. Launch System Settings on your device
1. Navigate to `Data Management` -> `DSiWare`
1. Under the "SD Card" section, select the "Nintendo DSi™" title
1. Navigate to `Data Management` -> `DSiWare`-> `SD Card` ([image](/images/screenshots/bb3/dsiware-management.png))
1. Select the "Nintendo DSi™" title
1. Select "Copy", then select "OK"
___

View file

@ -3,14 +3,21 @@ title: "Installing boot9strap (HBL-USM)"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
<details>
<summary><em>Technical Details (optional)</em></summary>
In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.
<p>In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.</p>
As we already have Homebrew access, we can use slotTool to do this.
<p>As we already have Homebrew access, we can use slotTool to do this.</p>
Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.
<p>Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.</p>
<p>For a more technical explanation, see <a href="https://github.com/zoogie/unSAFE_MODE/">here</a> for information about the unSAFE_MODE exploit.</p>
</details>
### Compatibility Notes
If your (Right/Left Shoulder), (D-Pad Up) or (A) buttons do not work, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
{: .notice--danger}
@ -24,6 +31,8 @@ If your (Right/Left Shoulder), (D-Pad Up) or (A) buttons do not work, join [Nint
#### Section I - Prep Work
In this section, you will use Homebrew Launcher to launch slotTool, which will overwrite your Wi-Fi slots with hacked data. Then, you will copy the files needed to trigger the unSAFE_MODE exploit onto your device's SD card. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.
1. Your console should be powered on and showing the Homebrew Launcher from the previous part of the guide
1. Launch slotTool from the list of homebrew
+ If you get stuck on a red screen, forcefully power off the console by holding the power button for fifteen seconds, then retry this section
@ -38,20 +47,23 @@ If your (Right/Left Shoulder), (D-Pad Up) or (A) buttons do not work, join [Nint
#### Section II - unSAFE_MODE
In this section, you will enter Safe Mode (a feature available on all 3DS family devices) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.
1. With your device still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your device
+ Keep holding the buttons until the device boots into Safe Mode
+ Keep holding the buttons until the device boots into Safe Mode (a "system update" menu)
+ If you're unable to get into Safe Mode after multiple attempts, one of your buttons may be failing or broken. If this is the case, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
1. Press "OK" to accept the update
+ There is no update. This is part of the exploit
1. Press "I accept" to accept the terms and conditions
1. The update will eventually fail, with the error code `003-1099`. This is intended behaviour
1. When asked "Would you like to configure Internet settings?", select "Yes"
1. On the following menu, navigate to `Connection 1` -> `Change Settings` -> `Next Page (right arrow)` -> `Proxy Settings` -> `Detailed Setup`
+ This is a [visual representation](https://uwuu.ca/images/safemode_highlighted.png)
1. On the following menu, navigate to `Connection 1` -> `Change Settings` -> `Next Page (right arrow)` -> `Proxy Settings` -> `Detailed Setup` ([image](/images/screeshots/bb3/safemode_highlighted.png))
1. If the exploit was successful, your device will have booted into SafeB9SInstaller
#### Section III - Installing boot9strap
In this section, you will install custom firmware onto your device.
1. When prompted, input the key combo given on the top screen to install boot9strap
+ If the top screen is blank, power off your device and re-do Section III
1. Once it is complete, press (A) to reboot your device
@ -65,6 +77,8 @@ At this point, your console will boot to Luma3DS by default.
#### Section IV - Restoring WiFi Configuration Profiles
In this section, you will enter the Homebrew Launcher (this time using custom firwmare) so that you can restore the Wi-Fi connection slots that were overwritten in Section II.
1. Launch the Download Play application
1. Wait until you see the two buttons
+ Do not press either of the buttons

View file

@ -3,8 +3,15 @@ title: "Installing boot9strap (Soundhax)"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
<details>
<summary><em>Technical Details (optional)</em></summary>
<p>For technical details on the exploits that you will be using on this page, see <a href="https://github.com/nedwill/soundhax">here</a> (Soundhax) and <a href="https://github.com/TuxSH/universal-otherapp/">here</a> (universal-otherapp).</p>
</details>
### Compatibility Notes
Soundhax (when combined with universal-otherapp) is compatible with versions 1.0.0 through 11.3.0 in all regions.
@ -21,6 +28,8 @@ Soundhax (when combined with universal-otherapp) is compatible with versions 1.0
#### Section I - Prep Work
In this section, you will copy the files needed to trigger both Soundhax and universal-otherapp.
1. Power off your device
1. Insert your SD card into your computer
1. Copy the Soundhax `.m4a` to the root of your SD card
@ -38,6 +47,8 @@ Soundhax (when combined with universal-otherapp) is compatible with versions 1.0
#### Section II - Launching SafeB9SInstaller
In this section, you will launch Soundhax through the Nintendo 3DS Sound app, which will use universal-otherapp to launch the boot9strap (custom firmware) installer.
1. Reinsert your SD card into your device
1. Power on your device
1. Launch Nintendo 3DS Sound
@ -58,6 +69,8 @@ Soundhax (when combined with universal-otherapp) is compatible with versions 1.0
#### Section III - Installing boot9strap
In this section, you will install custom firmware onto your device.
1. When prompted, input the key combo given on the top screen to install boot9strap
1. Once it is complete, press (A) to reboot your device
1. Your device should have rebooted into the Luma3DS configuration menu

View file

@ -3,16 +3,24 @@ title: "Installing boot9strap (USM)"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
<details>
<summary><em>Technical Details (optional)</em></summary>
In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.
<p>In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.</p>
We can do this using an existing exploit, BannerBomb3.
<p>We can do this using an existing exploit, BannerBomb3.</p>
To accomplish this, we use your system's encryption key (movable.sed) to build a DSiWare backup that exploits the system in order to inject the exploited WiFi profile into your connections list.
<p>To accomplish this, we use your system's encryption key (movable.sed) to build a DSiWare backup that exploits the system in order to inject the exploited WiFi profile into your connections list.</p>
Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.
<p>Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.</p>
<p>For a more technical explanation, see the following links for information on the BannerBomb3 and unSAFE_MODE exploits: <a href="https://github.com/zoogie/Bannerbomb3">BannerBomb3</a>, <a href="https://github.com/zoogie/unSAFE_MODE/">unSAFE_MODE</a>.</p>
</details>
### Compatibility Notes
These instructions work on USA, Europe, Japan, and Korea region consoles as indicated by the letters U, E, J, or K after the system version.
@ -29,6 +37,8 @@ If your (Right/Left Shoulder), (D-Pad Up), or (A) buttons do not work, you will
#### Section I - Prep Work
In this section, you will copy the files needed to trigger the BannerBomb3 and unSAFE_MODE exploits onto your device's SD card.
1. If your device is powered on, power off your device
1. Open [unSAFE_MODE Exploit Injector](https://3ds.nhnarwhal.com/3dstools/unsafemode.php) on your computer
1. Upload your movable.sed using the "Choose File" option
@ -41,47 +51,50 @@ If your (Right/Left Shoulder), (D-Pad Up), or (A) buttons do not work, you will
1. Copy `boot9strap.firm` and `boot9strap.firm.sha` from the boot9strap `.zip` to the `/boot9strap/` folder on your SD card
1. Copy `SafeB9SInstaller.bin` from the SafeB9SInstaller `.zip` to the root of your SD card
1. Copy `usm.bin` from `unSAFE_MODE.zip` to the root of your SD card
+ ![]({{ "/images/screenshots/usm-root-layout.png" | absolute_url }})
{: .notice--info}
![]({{ "/images/screenshots/bb3/usm-root-layout.png" | absolute_url }}){: .notice--info}
1. Navigate to `Nintendo 3DS` -> `<ID0>` -> `<ID1>` on your SD card
+ The `<ID0>` will be the same one that you used in [Seedminer](seedminer)
+ The `<ID1>` is a 32 character long folder inside of the `<ID0>`
+ `<ID0>` is the 32-letter folder name that you copied in [Seedminer](seedminer)
+ `<ID1>` is a 32-letter folder inside of the `<ID0>`
+ ![]({{ "/images/screenshots/bb3/dsiware-location-1.png" | absolute_url }}){: .notice--info}
1. Create a folder named `Nintendo DSiWare` inside of the `<ID1>`
+ If you already had the folder *and* there are any existing DSiWare backup files (`<8-character-id>.bin`) inside, copy them to your PC and remove them from your SD card
1. Copy the `F00D43D5.bin` file from `unSAFE_MODE.zip` to the `Nintendo DSiWare` folder
![]({{ "/images/screenshots/dsiware-save-location.png" | absolute_url }})
![]({{ "/images/screenshots/bb3/dsiware-location-2.png" | absolute_url }})
{: .notice--info}
#### Section II - BannerBomb3
In this section, you will trigger the BannerBomb3 exploit using the DSiWare Management menu, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwitten while the exploit is active.
1. Reinsert your SD card into your device
1. Power on your device
1. Launch System Settings on your device
1. Navigate to `Data Management` -> `DSiWare`
1. Click on the SD Card section
+ Your device should show a menu with some text
1. Navigate to `Data Management` -> `DSiWare`-> `SD Card` ([image](/images/screenshots/bb3/dsiware-management.png))
+ Your device should show the [Bannerbomb3 menu](/images/screenshots/bb3/usm-menu.png)
+ If this step causes your device to crash, [follow this troubleshooting guide](troubleshooting#dsiware-management-menu-crashes-without-showing-usm-menu)
1. Select "Inject haxx"
1. Press (A) to select "Inject haxx"
+ Your device will automatically power off
#### Section III - unSAFE_MODE
In this section, you will enter Safe Mode (a feature available on all 3DS family devices) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.
1. With your device still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your device
+ Keep holding the buttons until the device boots into Safe Mode
+ Keep holding the buttons until the device boots into Safe Mode (a "system update" menu)
+ If you're unable to get into Safe Mode after multiple attempts, one of your buttons may be failing or broken. If this is the case, you will need to follow [an alternate branch of Seedminer](bannerbomb3). For assistance with this matter, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
1. Press "OK" to accept the update
+ There is no update. This is part of the exploit
1. Press "I accept" to accept the terms and conditions
1. The update will eventually fail, with the error code `003-1099`. This is intended behaviour
1. When asked "Would you like to configure Internet settings?", select "Yes"
1. On the following menu, navigate to `Connection 1` -> `Change Settings` -> `Next Page (right arrow)` -> `Proxy Settings` -> `Detailed Setup`
+ This is a [visual representation](/images/safemode_highlighted.png)
1. On the following menu, navigate to `Connection 1` -> `Change Settings` -> `Next Page (right arrow)` -> `Proxy Settings` -> `Detailed Setup` ([image](/images/screeshots/bb3/safemode_highlighted.png))
1. If the exploit was successful, your device will have booted into SafeB9SInstaller
#### Section IV - Installing boot9strap
In this section, you will install custom firmware onto your device.
1. When prompted, input the key combo given on the top screen to install boot9strap
+ If the top screen is blank, power off your device and re-do Section III
1. Once it is complete, press (A) to reboot your device
@ -95,16 +108,18 @@ At this point, your console will boot to Luma3DS by default.
#### Section V - Restoring WiFi Configuration Profiles
In this section, you will trigger the BannerBomb3 exploit a second time so that you can restore the Wi-Fi connection slots that were overwritten in Section II.
1. Launch System Settings on your device
1. Navigate to `Data Management` -> `DSiWare`
1. Click on the SD Card section
+ Your device should show a menu with some text
1. Select "Restore slots"
1. Navigate to `Data Management` -> `DSiWare`-> `SD Card` ([image](/images/screenshots/bb3/dsiware-management.png))
+ Your device should show the [Bannerbomb3 menu](/images/screenshots/bb3/usm-menu.png)
1. Use the D-Pad to navigate and press the (A) button to select "Restore slots"
+ Your device will automatically reboot
1. Power off your device
1. Insert your SD card into your computer
1. Navigate to `Nintendo 3DS` -> `<ID0>` -> `<ID1>` -> `Nintendo DSiWare` on your SD card
1. Delete `F00D43D5.bin` from your Nintendo DSiWare folder
![]({{ "/images/screenshots/bb3/dsiware-location-2.png" | absolute_url }}){: .notice--info}
1. Delete `F00D43D5.bin` from your Nintendo DSiWare folder and from your computer. This file will not be needed anymore
___

View file

@ -3,53 +3,57 @@ title: "Seedminer"
---
{% include toc title="Table of Contents" %}
{% include text-expand.html %}
### Required Reading
<details>
<summary><em>Technical Details (optional)</em></summary>
To install boot9strap on your device, we derive your device's unique encryption key. To accomplish this, we use a tool called Seedminer to calculate the data encryption key (movable.sed) for your device.
<p>To install boot9strap on your device, we derive your device's unique encryption key. To accomplish this, we use a tool called Seedminer to calculate the data encryption key (movable.sed) for your device.</p>
For information on how Seedminer works, see [this presentation](https://zoogie.github.io/web/34⅕c3).
<p>For information on how Seedminer works, see <a href="https://zoogie.github.io/web/34⅕c3">this presentation</a>.</p>
This method uses a powerful graphics card to perform the calculations needed. A volunteer-run website is used for the purpose of assisting you with this method.
<p>This method uses a powerful graphics card to perform the calculations needed. A volunteer-run website is used for the purpose of assisting you with this method.</p>
</details>
### Instructions
### Section I - Prep Work
#### Section I - Prep Work
In this section, you will get the necessary details from your 3DS that are required to figure out your device's encryption key.
1. Insert your SD card into your computer
1. Navigate to the `Nintendo 3DS` folder on your SD card
1. Copy the 32 character long name of the folder you see inside Nintendo 3DS
+ Do not go inside any more folders
+ If you see multiple 32 character long folders, follow [these instructions](troubleshooting#multiple-long-folder-names-in-nintendo-3ds-folder)
+ If you don't have a `Nintendo 3DS` folder, put your SD card into your 3DS and power it on so that the folder can be created
1. Copy the name of the 32-letter folder you see directly inside Nintendo 3DS
+ If you see multiple 32-letter folders, follow [these instructions](troubleshooting#multiple-long-folder-names-in-nintendo-3ds-folder)
+ You can ignore the `private` folder if you have it
![]({{ "/images/screenshots/id0-example.png" | absolute_url }})
![]({{ "/images/screenshots/seedminer/id0-example.png" | absolute_url }})
{: .notice--info}
1. Paste your 32 character long folder name into a document you can reference later
+ This folder name is also known as your "ID0"
1. Paste your 32 character long folder name into [a document](/images/screenshots/seedminer/text-document.png) you can reference later
+ This folder is known as your "ID0". Take note of this as this guide will refer to it as such later
1. Power on your device
+ Your SD card does not need to be inserted at this point
1. Go to your Friend List (the [orange Face Icon]({{ "/images/friend-list-icon.png" | absolute_url }}) in the top row of your HOME Menu)
+ If you receive an error and are kicked out of the menu, you either must create a new Mii or your device cannot connect to Nintendo's servers (due to a ban or connection issues)
1. Find your Mii profile, then find the "Friend Code" field on the top screen
#### Section II - Seedminer
### Section II - Seedminer
In this section, you will use the Bruteforce Movable website to retrieve your device's encryption key in the form of `movable.sed`.
1. Open [Bruteforce Movable](https://seedminer.hacks.guide/) on your computer
+ This site can automate the retrieval of `movable_part1.sed` (using a bot 3DS console) and the breaking of your device's DSiWare encryption (using a volunteer's computer to run Seedminer)
+ If the site isn't working, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask (in English) for someone there to assist you
1. Enter your device's Friend Code (with no spaces or dashes) into the "Your friend code" field
1. Paste your device's 32 character long folder name into the "Your ID0" field
+ Do not attempt to enter the ID0 by hand. Ensure the ID0 is entered correctly by copying and pasting it from where you saved it in the previous section
+ Do not attempt to enter the ID0 manually, as it is easy to make a mistake. Ensure the ID0 is entered correctly by copying and pasting it from where you saved it in the previous section
1. Select "Go"
+ If the site immediately goes to step 4, the website has already correctly processed your bruteforce request. You can download your `movable.sed` file and continue to the next section. You do not need to re-add the bot
1. Use the "Register Friend" button on your device to add the bot's friend code as given by the website
1. Use the ["Register Friend" button](/images/screenshots/seedminer/register-friend.png) on your device to add the bot's friend code as given by the website
+ If prompted, the name that you give to the friend does not matter
1. Wait for the site to update
+ If it does not, wait a few minutes before refreshing the page once
1. Once the site processes your information, the site will continue to `Step 2: Bruteforce` automatically
1. Wait for the remainder of the process to complete
+ This is usually fast (1-5 minutes) but in some cases, can take up to half an hour
+ This is usually fast (1-5 minutes)
+ During this process, the bot you added may not show up on your 3DS. As long as the website updates, this is not an issue
+ If you are still waiting after half an hour, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask (in English) for someone there to assist you
1. When the process is completed, download your `movable.sed` file from the site
@ -57,7 +61,7 @@ This method uses a powerful graphics card to perform the calculations needed. A
___
### Next Steps
### Next steps: Choose an exploit
Once you have your device's encryption key (`movable.sed`), you will use it in conjunction with other exploits to install custom firmware on your 3DS.

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 110 KiB

View file

Before

Width:  |  Height:  |  Size: 266 KiB

After

Width:  |  Height:  |  Size: 266 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 3 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 108 KiB

View file

Before

Width:  |  Height:  |  Size: 6.2 KiB

After

Width:  |  Height:  |  Size: 6.2 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 39 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 5.9 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 59 KiB