安裝 boot9strap (透過 kartdlphax)


若需英語支援,請於 Discord 上的 Nintendo Homebrew 伺服器發問。
如果您喜歡本教學,我們很樂意接受捐贈

This exploit does not currently work on USA region consoles on 11.17.0 (e.g. 11.17.0-50U).

Technical Details (optional)

In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.

To accomplish this, we can use the Download Play functionality of the game Mario Kart 7, using a 3DS with custom firmware already installed along with a custom game plugin.

This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.

Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.

For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: kartdlphax, unSAFE_MODE.

相容性資訊

如果你想通過此方法安裝自製韌體,則你需要:

  • A second 3DS with custom firmware (the source 3DS) that is the same region as the 3DS you are trying to modify (the target 3DS)
    • The consoles must be USA, JPN, or EUR region consoles
  • 一份與兩台主機同區的馬利歐賽車 7 (實體或數位版皆可)
  • 兩張 SD 卡

必備項目

On the source 3DS (the 3DS with custom firmware):

On the target 3DS (the 3DS that you are trying to modify):

Section I - Hardware Button Check (target 3DS)

In this section, you will see whether your shoulder buttons are working on your device. This will determine which method you will follow on the next page.

  1. 啟動您的主機
  2. Once you see the HOME Menu, press the (Left Shoulder) and (Right Shoulder) buttons at the same time
    • The camera applet should appear
  3. 關閉您的主機

If the camera does not open, you cannot follow this method. If this is the case, join Nintendo Homebrew on Discord and ask, in English, for help.

Section II - Prep Work (source 3DS)

In this section, you will set up your source 3DS (the 3DS with custom firmware) for delivery of the exploit data to the target 3DS.

  1. Insert the SD card of your source 3DS in your computer
  2. Copy Luma 3GX Loader Edition’s boot.firm to the root of the source 3DS’s SD card, replacing any existing file
    • 「SD 卡的根目錄」指的是你的 SD 卡含有 Nintendo 3DS 資料夾的目錄,而非該資料夾內部
  3. Copy kartdlphax’s plugin.3gx to the following directory on the source 3DS’s SD card, depending on the region of your copy of Mario Kart 7:
    • 美版: luma/plugins/0004000000030800
    • 歐版: luma/plugins/0004000000030700
    • 日版: luma/plugins/0004000000030600
    • Create the plugins and 00040000... folders if they do not already exist
  4. Eject the SD card and put it in the source 3DS

Section III - Prep Work (target 3DS)

In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)’s SD card.

  1. Insert the SD card of your target 3DS in your computer
  2. 解壓 Luma3DS .zip 內的 boot.firmboot.3dsx 到 SD 卡的根目錄底下
  3. 在 SD 卡的根目錄底下建立一個新的資料夾 boot9strap
  4. 解壓 boot9strap .zipboot9strap.firmboot9strap.firm.sha 檔案至 SD 卡的 /boot9strap/ 資料夾中
  5. 將 SafeB9SInstaller .zip 中的 SafeB9SInstaller.bin 複製到 SD 卡的根目錄
  6. Copy usm.bin from the unSAFE_MODE .zip to the root of your SD card
  7. Create a folder called 3ds on the root of your SD card
  8. Copy the slotTool folder from the unSAFE_MODE .zip to the 3ds folder on your SD card
  9. Eject the SD card and put it in the target 3DS

Section IV - kartdlphax

In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.

  1. Power on the source 3DS
    • If you are prompted to set up Luma3DS, just press START to save the configuration
  2. Once in the HOME Menu, press (Left Shoulder) + (Down D-Pad) + (Select) to bring up the Rosalina menu
  3. 選擇『Enable plugin loader』
  4. 按『B』退出 Rosalina 選單
  5. 開啟瑪莉歐賽車 7
    • 請確保您已經開啟了無線連接
  6. Navigate to Local Multiplayer. A menu should pop up
    • If the screen freezes, hold the power button for fifteen seconds to force power off your device, then try again
    • If you have launched kartdlphax previously, the last selected settings will be loaded. If they are correct, select Use settings and skip the next 3 steps. If they are incorrect, select Change settings and proceed.
  7. Select your target 3DS device type (Old 3DS family or New 3DS family)
  8. Select the exploit type 3DS ROP xPloit Injector
  9. A confirmation menu will show up. If the settings shown on the top screen are correct, select Use settings
    • If the settings are not correct, press Change settings and modify them accordingly
  10. Select Create Group
  11. 3DS 目標機 開機
    • 請確保您已經開啟了無線連接
  12. On the target 3DS, open the Download Play application (), then select “Nintendo 3DS”
  13. Join the group created by the source 3DS
  14. Select “Start” on the source 3DS once it has detected the target 3DS
  15. Once multiplayer has loaded, navigate to Grand Prix -> 50cc -> (any driver) -> Mushroom Cup -> OK
  16. Wait a while (a percentage should be displayed on the source 3DS)
  17. If the exploit was successful, the target 3DS will have booted into the 3DS ROP xPloit Injector
    • If the exploit was not successful, power off the source 3DS and target 3DS and start again from the beginning of Section III - kartdlphax
  18. Press (X) to inject unSAFE_MODE
  19. If the injection was successful, the screen will turn green and the target 3DS will automatically power off
    • If the screen turns red, power off the target 3DS and start again from the beginning of Section III - kartdlphax. If this doesn’t work, ask for help at Nintendo Homebrew on Discord)

You will not need to use your source 3DS to complete any further steps on this guide. Any further steps should only be completed on the target 3DS.

Section V - unSAFE_MODE

In this section, you will enter Safe Mode (a feature available on all 3DS family devices) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.

  1. With your device still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your device
    • Keep holding the buttons until the device boots into Safe Mode (a “system update” menu)
  2. Press “OK” to accept the update
    • There is no update. This is part of the exploit
  3. Press “I accept” to accept the terms and conditions
  4. The update will eventually fail, with the error code 003-1099. This is intended behaviour
  5. When asked “Would you like to configure Internet settings?”, select “Yes”
  6. On the following menu, navigate to Connection 1 -> Change Settings -> Next Page (right arrow) -> Proxy Settings -> Detailed Setup (image)
  7. If the exploit was successful, your device will have booted into SafeB9SInstaller
    • If your device instead freezes on a white screen, hold the POWER button until it turns off, then retry this section
    • If your device instead freezes on a red screen, you are missing usm.bin from the root of your SD card
    • If you get a different error, follow this troubleshooting guide

Section VI - Installing boot9strap

In this section, you will install custom firmware onto your device.

  1. When prompted, input the key combo given on the top screen to install boot9strap
  2. Once it is complete, press (A) to reboot your device
  3. Your device should have booted into the Luma3DS configuration menu
    • Luma3DS configuration menu are settings for the Luma3DS custom firmware. Many of these settings may be useful for customization or debugging
    • For the purpose of this guide, leave these options on the default settings (do not check or uncheck anything)
    • If your device shuts down when you try to power it on, ensure that you have copied boot.firm from the Luma3DS .zip to the root of your SD card
  4. 按『Start』鍵以存檔並重新啟動系統

At this point, your console will boot to Luma3DS by default.

  • Luma3DS does not look any different from the normal HOME Menu. If your console has booted into the HOME Menu, it is running custom firmware.
  • On the next page, you will install useful homebrew applications to complete your setup.

Section VII - Restoring WiFi Configuration Profiles

In this section, you will enter the Homebrew Launcher (using custom firmware) so that you can restore the Wi-Fi connection slots that were overwritten in Section I.

  1. 啟動『下載通信 (Download Play)』程式
  2. 等到你看到兩個按鍵
    • Do not press either of the buttons
  3. 同時按下『L』+『下』+『Select』鍵以啟動 Rosalina 選單
  4. 選擇『Miscellaneous options』
  5. 選擇『Switch the hb. title to the current app.』
  6. 按『B』繼續
  7. 按『B』回到 Rosalina 主選單
  8. 按『B』退出 Rosalina 選單
  9. 按『Home』鍵,並關閉『下載通信 (Download Play)』程式
  10. Relaunch the Download Play application
  11. 您的主機應該就會啟動 Homebrew Launcher 了
  12. Launch slotTool from the list of homebrew
  13. Select “RESTORE original wifi slots 1,2,3”
  14. Your device will then reboot

繼續至完成安裝