安装 boot9strap(通过 kartdlphax)

如果有疑问并且懂英语的话,可以到 Nintendo Homebrew Discord 服务器上使用英文寻求帮助。(请注意,如果你身处中国大陆,你可能需要通过科学上网来访问 Discord) 你也可以到译者的 QQ 群寻求帮助,群号为 942052497。
如果你喜欢我们的教程,可以通过捐赠支持我们。
技术细节(选看)

In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.

为了做到这一点,我们将用一台已安装了自制固件的 3DS 安装一个插件,然后利用马里奥赛车 7 这个游戏中的下载通信功能进行一些操作。

This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.

Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.

For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: kartdlphax, unSAFE_MODE.

兼容性注意

如果你想通过此方法安装自制固件,则你需要:

  • 一台已安装自制固件的 3DS (源 3DS),它与你要破解的主机(目标 3DS)系统为同一区域
    • 必须是美版、日版或欧版机
    • The source 3DS can be region changed to match the target 3DS if necessary
  • 一份与两台主机同区的马里奥赛车 7 实体版或数字版
  • An SD card for both consoles

你需要准备点啥?

Section I - Hardware Button Check (target 3DS)

In this section, you will see whether your shoulder buttons are working on your console. This will determine which method you will follow on the next page.

  1. Power on your console
  2. Once you see the HOME Menu, press the (Left Shoulder) and (Right Shoulder) buttons at the same time
    • The camera applet should appear
  3. Power off your console

If the camera does not open, you cannot follow this method. If this is the case, join Nintendo Homebrew on Discord and ask, in English, for help.

Section II - Prep Work (source 3DS)

为了向目标 3DS 传输带有漏洞的数据,你将需要按照以下内容配置源 3DS(已安装了自制固件的 3DS)。

  1. 在你的电脑中插入你的源 3DS 的 SD 卡
  2. Copy boot.firm from the Luma3DS .zip to the root of the source 3DS’s SD card, replacing any existing file
    • 根目录指的是你点进 SD 卡看到的目录,你可以在这个目录下看到 Nintendo 3DS 文件夹,但请不要点进去
  3. 复制 kartdlphax 的 plugin.3gx源3DS 的 SD 卡上对应你所拥有的马里奥赛车 7 区域版本的文件夹:
    • 美版: luma/plugins/0004000000030800
    • 欧版: luma/plugins/0004000000030700
    • 日版: luma/plugins/0004000000030600 如果 plugins00040000... 文件夹不存在,请先创建它们
  4. 弹出 SD 卡并将其插回源 3DS

Section III - Prep Work (target 3DS)

In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)’s SD card.

  1. 在你的电脑中插入你的目标 3DS 的 SD 卡
  2. Copy boot.firm and boot.3dsx from the Luma3DS .zip to the root of the target 3DS’s SD card
  3. 在 SD 卡根目录创建一个名为 boot9strap 的文件夹
  4. Copy boot9strap.firm and boot9strap.firm.sha from the RELEASE .zip to the /boot9strap/ folder on your SD card
  5. 从 SafeB9SInstaller .zip 压缩包中复制 SafeB9SInstaller.bin 到 SD 卡根目录下
  6. Copy usm.bin from the RELEASE .zip to the root of your SD card
  7. Create a folder called 3ds on the root of your SD card
  8. Copy slotTool.3dsx from the slotTool folder inside the RELEASE .zip to the /3ds/ folder on your SD card
  9. 取下 SD 卡并将其插回目标 3DS

Section IV - kartdlphax

In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.

  1. 启动 **源 3DS **
    • 若主机提示设置 Luma3DS,则你可以直接按下 START 键来保存配置
  2. 进入主菜单后,同时按下 “L” + “↓” + “Select” 键调出 Rosalina 菜单
  3. 选择 “Enable plugin loader”
  4. 按 “B” 键退出 Rosalina 菜单
  5. 启动马里奥赛车 7
    • 请确保你已经打开了无线连接
  6. 选择 本地多人游戏(Local Multiplayer) 一个菜单应该会弹出来
    • If the screen freezes, hold the power button for fifteen seconds to force power off your console, then try again
    • 如果你先前已经启动过了 kartdlphax,则最后选定的设置将会被加载。 如果一切正确,请选中 Use settings 然后跳过接下来的 3 个小步骤。 如果不对,请选择 Change settings 然后继续操作。
  7. Select your target 3DS console type (Old 3DS family or New 3DS family)
  8. Select the following exploit type depending on your system version:
    • 11.16.0: select xPloitInjector (11.16)
    • 11.17.0: select xPloitInjector (11.17)
  9. 确认菜单将会显示。 如果上屏显示的设置一切正确,请选中 Use settings
    • 如果不正确,请选择 Change settings 然后进行相应的修改
  10. 选择 Create Group
  11. 启动**目标 3DS **
    • 请确保你已经打开了无线连接
  12. 目标 3DS上,打开下载通信(Download Play)应用 (),然后选择 “Nintendo 3DS”
  13. 加入由源 3DS 创建的群组
  14. 源 3DS 检测到目标 3DS 后,点击“开始”
  15. 多人游戏加载完成后,依次点击 大奖赛 -> 50cc ->(任何角色)-> 蘑菇杯 -> OK
  16. 稍等一会儿(百分比应该会显示在源 3DS 上)
  17. 如果漏洞执行成功,目标 3DS 将会启动 3DS ROP xPloit Injector
    • 如果漏洞没有成功触发,则请将源 3DS目标 3DS 一起关机,然后从 第三步 — kartdlphax 重新开始
  18. Press (X) to inject unSAFE_MODE
  19. If the injection was successful, the screen will turn green and the target 3DS will automatically power off
    • If the screen turns red, power off the target 3DS and start again from the beginning of Section III - kartdlphax. If this doesn’t work, ask for help at Nintendo Homebrew on Discord)

You will not need to use your source 3DS to complete any further steps on this guide. Any further steps should only be completed on the target 3DS.

Section V - unSAFE_MODE

In this section, you will enter Safe Mode (a feature available on all 3DS family consoles) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.

  1. With your console still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your console
    • Keep holding the buttons until the console boots into Safe Mode (a “system update” menu)
  2. Press “OK” to accept the update
    • There is no update. This is part of the exploit
  3. Press “I accept” to accept the terms and conditions
  4. The update will eventually fail, with the error code 003-1099. This is intended behaviour
  5. When asked “Would you like to configure Internet settings?”, select “Yes”
  6. On the following menu, navigate to Connection 1 -> Change Settings -> Next Page (right arrow) -> Proxy Settings -> Detailed Setup (image)
  7. If the exploit was successful, your console will have booted into SafeB9SInstaller
    • If your console instead freezes on a white screen, hold the POWER button until it turns off, then retry this section
    • If your console instead freezes on a red screen, you are missing usm.bin from the root of your SD card
    • If you get a different error, follow this troubleshooting guide

Section VI - Installing boot9strap

In this section, you will install custom firmware onto your console.

  1. When prompted, input the key combo given on the top screen to install boot9strap
  2. Once it is complete, press (A) to reboot your console
  3. Your console should have booted into the Luma3DS configuration menu
    • Luma3DS 配置菜单用于设置 Luma3DS 自制固件的可选功能 其中有许多功能可用于个性化或调试
    • For the purpose of this guide, leave these options on the default settings (do not check or uncheck anything)
    • If your console shuts down when you try to power it on, ensure that you have copied boot.firm from the Luma3DS .zip to the root of your SD card
  4. 按下 “Start” 键保存设置并重启

At this point, your console will boot to Luma3DS by default.

  • Luma3DS does not look any different from the normal HOME Menu. If your console has booted into the HOME Menu, it is running custom firmware.
  • On the next page, you will install useful homebrew applications to complete your setup.

Section VII - Restoring WiFi Configuration Profiles

In this section, you will enter the Homebrew Launcher (using custom firmware) so that you can restore the Wi-Fi connection slots that were overwritten in Section I.

  1. 启动“下载通信(Download Play)”程序 ()
  2. 等到你看到 Nintendo 3DSNintendo DS 按钮
  3. 同时按下 “L” + “↓” + “Select” 键来打开 Rosalina 菜单
  4. 选择 “Miscellaneous options”
  5. 选择 “Switch the hb. title to the current app.”
  6. 按 “B” 键继续
  7. 按 “B” 键返回 Rosalina 主菜单
  8. 按 “B” 键退出 Rosalina 菜单
  9. Press (Home) to suspend Download Play
  10. Press the “Close” button on the bottom screen to close Download Play
  11. Re-launch the Download Play application
  12. Your console should load the Homebrew Launcher
    • If your console is stuck on the loading splash screen, you are missing boot.3dsx from the root of your SD card
  13. Launch slotTool from the list of homebrew
  14. Select “RESTORE original wifi slots 1,2,3”
  15. Your console will then reboot

继续至完成安装