Installing boot9strap (kartdlphax)
Technische Details (optional)
In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.
To accomplish this, we can use the Download Play functionality of the game Mario Kart 7, using a 3DS with custom firmware already installed along with a custom game plugin.
This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.
Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.
For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: kartdlphax, unSAFE_MODE.
Kompatibilitätshinweise
In order to follow these instructions, you will need the following:
- A second 3DS with custom firmware (the source 3DS) that is the same region as the 3DS you are trying to modify (the target 3DS)
- The consoles must be USA, JPN, or EUR region consoles
- The source 3DS can be region changed to match the target 3DS if necessary
- A physical or digital copy of Mario Kart 7 that is the same region as both consoles
- An SD card for both consoles
Was du brauchst
- The latest release of kartdlphax (
plugin.3gx
) - Die neueste Version vom SafeB9SInstaller (Direkter Download)
- Die neueste Version von Luma3DS (die Luma3DS
.zip
Datei) - The latest release of unSAFE_MODE (the RELEASE
.zip
file)
Section I - Hardware Button Check (target 3DS)
In this section, you will see whether your shoulder buttons are working on your console. This will determine which method you will follow on the next page.
- Power on your console
- Once you see the HOME Menu, press the (Left Shoulder) and (Right Shoulder) buttons at the same time
- The camera applet should appear
- Power off your console
If the camera does not open, you cannot follow this method. Wenn das der Fall ist, trete dem Nintendo Homebrew on Discord Server bei und frage, auf Englisch, nach Hilfe.
Section II - Prep Work (source 3DS)
In this section, you will set up your source 3DS (the 3DS with custom firmware) for delivery of the exploit data to the target 3DS.
- Insert the SD card of your source 3DS in your computer
- Copy
boot.firm
from the Luma3DS.zip
to the root of the source 3DS’s SD card, replacing any existing file- The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
- Copy kartdlphax’s
plugin.3gx
to the following directory on the source 3DS’s SD card, depending on the region of your copy of Mario Kart 7:- USA:
luma/plugins/0004000000030800
- EUR:
luma/plugins/0004000000030700
- JPN:
luma/plugins/0004000000030600
- Create the
plugins
and00040000...
folders if they do not already exist
- USA:
- Eject the SD card and put it in the source 3DS
Section III - Prep Work (target 3DS)
In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)’s SD card.
- Insert the SD card of your target 3DS in your computer
- Copy
boot.firm
andboot.3dsx
from the Luma3DS.zip
to the root of the target 3DS’s SD card - Erstelle einen Ordner namens
boot9strap
im Stammverzeichnis deiner SD-Karte - Copy
boot9strap.firm
andboot9strap.firm.sha
from the RELEASE.zip
to the/boot9strap/
folder on your SD card - Copy
SafeB9SInstaller.bin
from the SafeB9SInstaller.zip
to the root of your SD card - Copy
usm.bin
from the RELEASE.zip
to the root of your SD card - Create a folder called
3ds
on the root of your SD card - Copy
slotTool.3dsx
from theslotTool
folder inside the RELEASE.zip
to the/3ds/
folder on your SD card - Eject the SD card and put it in the target 3DS
Section IV - kartdlphax
In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.
- Power on the source 3DS
- If you are prompted to set up Luma3DS, just press START to save the configuration
- Once in the HOME Menu, press (Left Shoulder) + (Down D-Pad) + (Select) to bring up the Rosalina menu
- Select “Enable plugin loader”
- Drücke (B), um das Rosalina-Menü zu schließen
- Launch Mario Kart 7
- Ensure that wireless connectivity is enabled
- Navigate to
Local Multiplayer
. A menu should pop up- If the screen freezes, hold the power button for fifteen seconds to force power off your console, then try again
- If you have launched kartdlphax previously, the last selected settings will be loaded. If they are correct, select
Use settings
and skip the next 3 steps. If they are incorrect, selectChange settings
and proceed.
- Select your target 3DS console type (Old 3DS family or New 3DS family)
- Select the following exploit type depending on your system version:
- 11.16.0: select
xPloitInjector (11.16)
- 11.17.0: select
xPloitInjector (11.17)
- 11.16.0: select
- A confirmation menu will show up. If the settings shown on the top screen are correct, select
Use settings
- If the settings are not correct, press
Change settings
and modify them accordingly
- If the settings are not correct, press
- Select
Create Group
- If the source 3DS freezes at this point and you are using a cartridge, try installing the cartridge to the system
- Power on the target 3DS
- Ensure that wireless connectivity is enabled
- On the target 3DS, open the Download Play application (), then select “Nintendo 3DS”
- Join the group created by the source 3DS
- Select “Start” on the source 3DS once it has detected the target 3DS
- Once multiplayer has loaded, navigate to
Grand Prix
->50cc
-> (any driver) ->Mushroom Cup
->OK
- Wait a while (a percentage should be displayed on the source 3DS)
- If the exploit was successful, the target 3DS will have booted into the 3DS ROP xPloit Injector
- If the exploit was not successful, power off the source 3DS and target 3DS and start again from the beginning of
Section III - kartdlphax
- If the exploit was not successful, power off the source 3DS and target 3DS and start again from the beginning of
- Press (X) to inject unSAFE_MODE
- If the injection was successful, the screen will turn green and the target 3DS will automatically power off
- If the screen turns red, power off the target 3DS and start again from the beginning of
Section III - kartdlphax
. If this doesn’t work, ask for help at Nintendo Homebrew on Discord)
- If the screen turns red, power off the target 3DS and start again from the beginning of
You will not need to use your source 3DS to complete any further steps on this guide. Any further steps should only be completed on the target 3DS.
Section V - unSAFE_MODE
In this section, you will enter Safe Mode (a feature available on all 3DS family consoles) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.
- With your console still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your console
- Keep holding the buttons until the console boots into Safe Mode (a “system update” menu)
- Drücke “OK” um das System-Update zu bestätigen
- Es gibt kein Update. Dies ist ein Teil des Exploits
- Drücke “Akzeptieren”, um die Nutzungsbedingungen und Warnhinweise zu akzeptieren
- Das Update wird irgendwann mit dem Fehlercode
003-1099
fehlschlagen. Dies ist so vorgesehen - When asked “Would you like to configure Internet settings?”, select “Yes”
- On the following menu, navigate to
Connection 1
->Change Settings
->Next Page (right arrow)
->Proxy Settings
->Detailed Setup
(image) - If the exploit was successful, your console will have booted into SafeB9SInstaller
- If your console instead freezes on a white screen, hold the POWER button until it turns off, then retry this section
- If your console instead freezes on a red screen, you are missing
usm.bin
from the root of your SD card - If you get a different error, follow this troubleshooting guide
Section VI - Installing boot9strap
In this section, you will install custom firmware onto your console.
- Wenn du gebeten wirst, eine Tastenkombination einzugeben, gib die Tastenkombination auf dem oberen Bildschirm ein, um boot9strap zu installieren
- If a step on the lower screen has red-colored text, and you are not prompted to input a key combo, follow this troubleshooting guide
- Once it is complete, press (A) to reboot your console
- Your console should have booted into the Luma3DS configuration menu
- Das Luma3DS Konfigurations-Menü enthält Einstellungen für die Luma3DS Custom Firmware. Viele dieser Einstellungen sind nützlich für Personalisierung und Debugging
- For the purpose of this guide, leave these options on the default settings (do not check or uncheck anything)
- If your console shuts down when you try to power it on, ensure that you have copied
boot.firm
from the Luma3DS.zip
to the root of your SD card
- Drücke (Start) zum Speichern und neustarten
Ab diesem Punkt wird deine Konsole standardmäßig Luma3DS starten.
- Luma3DS sieht nicht anders aus als das normale HOME-Menü. Wenn deine Konsole in das HOME-Menü gestartet ist, läuft Custom Firmware auf ihr.
- Auf der nächsten Seite wirst du nützliche Homebrew Apps installieren, um die Installation abzuschließen.
Section VII - Restoring WiFi Configuration Profiles
In this section, you will enter the Homebrew Launcher (using custom firmware) so that you can restore the Wi-Fi connection slots that were overwritten in Section I.
- Launch the Download Play application ()
- Wait until you see the
Nintendo 3DS
andNintendo DS
buttons - Press (Left Shoulder) + (D-Pad Down) + (Select) at the same time to open the Rosalina menu
- Wähle “Miscellaneous options”
- Wähle “Switch the hb. title to the current app.”
- Drücke (B) um fortzufahren
- Drücke (B), um zum Rosalina-Hauptmenü zurückzukehren
- Drücke (B), um das Rosalina-Menü zu schließen
- Press (Home) to suspend Download Play
- Press the “Close” button on the bottom screen to close Download Play
- Re-launch the Download Play application
- Your console should load the Homebrew Launcher
- If your console is stuck on the loading splash screen, you are missing
boot.3dsx
from the root of your SD card
- If your console is stuck on the loading splash screen, you are missing
- Launch slotTool from the list of homebrew
- Select “RESTORE original wifi slots 1,2,3”
- Your console will then reboot