Instalar boot9strap (kartdlphax)
This exploit does not currently work on USA region consoles on 11.17.0 (e.g. 11.17.0-50U).
Technical Details (optional)
In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.
To accomplish this, we can use the Download Play functionality of the game Mario Kart 7, using a 3DS with custom firmware already installed along with a custom game plugin.
This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.
Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.
For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: kartdlphax, unSAFE_MODE.
Compatibility Notes
Para seguir estas instrucciones, necesitarás lo siguiente:
- Una segunda 3DS con custom firmware (la 3DS de origen) que sea de la misma región que la 3DS que estás intentando modificar (la 3DS de destino)
- The consoles must be USA, JPN, or EUR region consoles
- Una copia física o digital de Mario Kart 7 de la misma región que ambas consolas
- Una tarjeta SD para cada consola
Qué necesitas
En la 3DS de origen (la 3DS con custom firmware):
- The latest release of kartdlphax (
plugin.3gx
) - The latest release of Luma3DS 3GX Loader Edition (
boot.firm
)
En la 3DS de destino (la 3DS que estás intentando modificar):
- The latest release of SafeB9SInstaller (direct download)
- The latest release of boot9strap (direct download)
- The latest release of standard Luma3DS (the Luma3DS
.zip
file) - The latest release of unSAFE_MODE (the RELEASE
.zip
file)
Section I - Hardware Button Check (target 3DS)
In this section, you will see whether your shoulder buttons are working on your device. This will determine which method you will follow on the next page.
- Enciende tu consola
- Once you see the HOME Menu, press the (Left Shoulder) and (Right Shoulder) buttons at the same time
- The camera applet should appear
- Apaga tu consola
If the camera does not open, you cannot follow this method. If this is the case, join Nintendo Homebrew on Discord and ask, in English, for help.
Section II - Prep Work (source 3DS)
In this section, you will set up your source 3DS (the 3DS with custom firmware) for delivery of the exploit data to the target 3DS.
- Inserta la tarjeta SD de la 3DS de origen en tu computadora
- Copy Luma 3GX Loader Edition’s
boot.firm
to the root of the source 3DS’s SD card, replacing any existing file- La raíz de tu tarjeta SD se refiere al primer directorio de la tarjeta, donde puedes ver la carpeta Nintendo 3DS pero no estás dentro de ella
- Copia el archivo
plugin.3gx
de kartdlphax al siguiente directorio en la tarjeta SD de la 3DS de origen, dependiendo de la región de tu copia de Mario Kart 7:- USA:
luma/plugins/0004000000030800
- EUR:
luma/plugins/0004000000030700
- JPN:
luma/plugins/0004000000030600
- Crea las carpetas
plugins
y00040000...
si no existen
- USA:
- Saca la tarjeta SD de la computadora y ponla en la 3DS de origen
Section III - Prep Work (target 3DS)
In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)’s SD card.
- Inserta la tarjeta SD de la 3DS de destino en tu computadora
- Copia los archivos
boot.firm
yboot.3dsx
desde el.zip
de Luma3DS normal a la raíz de tu tarjeta SD - Crea una carpeta llamada
boot9strap
en la raíz de tu tarjeta SD - Copia
boot9strap.firm
yboot9strap.firm.sha
desde el.zip
deboot9strap
a la carpeta/boot9strap/
en tu tarjeta SD - Copia
SafeB9SInstaller.bin
desde el.zip
de SafeB9SInstaller a la raíz de tu tarjeta SD - Copy
usm.bin
from the unSAFE_MODE.zip
to the root of your SD card - Create a folder called
3ds
on the root of your SD card - Copy the
slotTool
folder from the unSAFE_MODE.zip
to the3ds
folder on your SD card - Saca la tarjeta SD de la computadora y ponla en la 3DS de destino
Section IV - kartdlphax
In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.
- Enciende la 3DS de origen
- Si te le pide que configures Luma3DS, pulsa START para guardar la configuración
- Once in the HOME Menu, press (Left Shoulder) + (Down D-Pad) + (Select) to bring up the Rosalina menu
- Selecciona “Enable plugin loader”
- Presiona (B) para salir del menú de Rosalina
- Inicia Mario Kart 7
- Asegúrate de que la conectividad inalámbrica está habilitada
- Navigate to
Local Multiplayer
. A menu should pop up- If the screen freezes, hold the power button for fifteen seconds to force power off your device, then try again
- If you have launched kartdlphax previously, the last selected settings will be loaded. If they are correct, select
Use settings
and skip the next 3 steps. If they are incorrect, selectChange settings
and proceed.
- Select your target 3DS device type (Old 3DS family or New 3DS family)
- Select the exploit type
3DS ROP xPloit Injector
- A confirmation menu will show up. If the settings shown on the top screen are correct, select
Use settings
- If the settings are not correct, press
Change settings
and modify them accordingly
- If the settings are not correct, press
- Select
Create Group
- If the source 3DS freezes at this point and you are using a cartridge, try installing the cartridge to the system
- Enciende la 3DS de destino
- Asegúrate de que la conectividad inalámbrica está habilitada
- En la 3DS de destino, abre la aplicación de Modo Descarga (), luego selecciona “Nintendo 3DS”
- Entra al grupo creado por la 3DS de origen
- Selecciona “Start” en la 3DS de origen una vez detectada la 3DS de destino
- Once multiplayer has loaded, navigate to
Grand Prix
->50cc
-> (any driver) ->Mushroom Cup
->OK
- Espera un rato (se debería mostrar un porcentaje en la 3DS de origen)
- If the exploit was successful, the target 3DS will have booted into the 3DS ROP xPloit Injector
- If the exploit was not successful, power off the source 3DS and target 3DS and start again from the beginning of
Section III - kartdlphax
- If the exploit was not successful, power off the source 3DS and target 3DS and start again from the beginning of
- Press (X) to inject unSAFE_MODE
- If the injection was successful, the screen will turn green and the target 3DS will automatically power off
- If the screen turns red, power off the target 3DS and start again from the beginning of
Section III - kartdlphax
. If this doesn’t work, ask for help at Nintendo Homebrew on Discord)
- If the screen turns red, power off the target 3DS and start again from the beginning of
You will not need to use your source 3DS to complete any further steps on this guide. Any further steps should only be completed on the target 3DS.
Section V - unSAFE_MODE
In this section, you will enter Safe Mode (a feature available on all 3DS family devices) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.
- With your device still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your device
- Keep holding the buttons until the device boots into Safe Mode (a “system update” menu)
- Press “OK” to accept the update
- There is no update. This is part of the exploit
- Press “I accept” to accept the terms and conditions
- The update will eventually fail, with the error code
003-1099
. This is intended behaviour - When asked “Would you like to configure Internet settings?”, select “Yes”
- On the following menu, navigate to
Connection 1
->Change Settings
->Next Page (right arrow)
->Proxy Settings
->Detailed Setup
(image) - If the exploit was successful, your device will have booted into SafeB9SInstaller
- If your device instead freezes on a white screen, hold the POWER button until it turns off, then retry this section
- If your device instead freezes on a red screen, you are missing
usm.bin
from the root of your SD card - If you get a different error, follow this troubleshooting guide
Section VI - Installing boot9strap
In this section, you will install custom firmware onto your device.
- When prompted, input the key combo given on the top screen to install boot9strap
- If a step on the lower screen has red-colored text, and you are not prompted to input a key combo, follow this troubleshooting guide
- Once it is complete, press (A) to reboot your device
- Your device should have booted into the Luma3DS configuration menu
- Luma3DS configuration menu are settings for the Luma3DS custom firmware. Many of these settings may be useful for customization or debugging
- For the purpose of this guide, leave these options on the default settings (do not check or uncheck anything)
- If your device shuts down when you try to power it on, ensure that you have copied
boot.firm
from the Luma3DS.zip
to the root of your SD card
- Presiona (Start) para guardar y reiniciar
At this point, your console will boot to Luma3DS by default.
- Luma3DS does not look any different from the normal HOME Menu. If your console has booted into the HOME Menu, it is running custom firmware.
- On the next page, you will install useful homebrew applications to complete your setup.
Section VII - Restoring WiFi Configuration Profiles
In this section, you will enter the Homebrew Launcher (using custom firmware) so that you can restore the Wi-Fi connection slots that were overwritten in Section I.
- Inicia la aplicación de Modo Descarga
- Espera hasta que veas los dos botones
- Do not press either of the buttons
- Presiona (Left Shoulder) + (Abajo) + (Select) a la vez para abrir el menú de Rosalina
- Selecciona “Miscellaneous options”
- Selecciona “Switch the hb. title to the current app.”
- Presiona (B) para continuar
- Presiona (B) para regresar al menú principal de Rosalina
- Presiona (B) para salir del menú de Rosalina
- Presiona (Home), luego cierra la aplicación de Modo Descarga
- Relaunch the Download Play application
- Tu consola debería cargar el Homebrew Launcher
- Launch slotTool from the list of homebrew
- Select “RESTORE original wifi slots 1,2,3”
- Your device will then reboot