ac15f7fc85
kartdlphax + menuhax67 appears to currently be broken.
150 lines
9.4 KiB
Text
150 lines
9.4 KiB
Text
---
|
|
title: "Installing boot9strap (kartdlphax)"
|
|
---
|
|
|
|
{% include toc title="Table of Contents" %}
|
|
|
|
{% capture technical_info %}
|
|
<summary><em>Technical Details (optional)</em></summary>
|
|
|
|
In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.
|
|
|
|
To accomplish this, we can use the Download Play functionality of the game Mario Kart 7, using a 3DS with custom firmware already installed along with a custom game plugin.
|
|
|
|
This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.
|
|
|
|
Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.
|
|
|
|
For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: [kartdlphax](https://github.com/PabloMK7/kartdlphax), [unSAFE_MODE](https://github.com/zoogie/unSAFE_MODE/).
|
|
|
|
{% endcapture %}
|
|
<details>{{ technical_info | markdownify }}</details>
|
|
{: .notice--info}
|
|
|
|
### Compatibility Notes
|
|
|
|
In order to follow these instructions, you will need the following:
|
|
|
|
- A second 3DS with custom firmware (the **source 3DS**) that is the same region as the 3DS you are trying to modify (the **target 3DS**)
|
|
- The consoles must be USA, JPN, or EUR region consoles
|
|
- The source 3DS can be [region changed](region-changing) to match the target 3DS if necessary
|
|
- A physical or digital copy of Mario Kart 7 that is the same region as both consoles
|
|
- An SD card for both consoles
|
|
|
|
### What You Need
|
|
|
|
* The latest release of [kartdlphax](https://github.com/PabloMK7/kartdlphax/releases/latest) (`plugin.3gx`)
|
|
* The latest release of [SafeB9SInstaller](https://github.com/d0k3/SafeB9SInstaller/releases/download/v0.0.7/SafeB9SInstaller-20170605-122940.zip) (direct download)
|
|
* The latest release of [Luma3DS](https://github.com/LumaTeam/Luma3DS/releases/latest) (the Luma3DS `.zip` file)
|
|
* The latest release of [unSAFE_MODE](https://github.com/zoogie/unSAFE_MODE/releases/latest) (the RELEASE `.zip` file)
|
|
|
|
#### Section I - Hardware Button Check (target 3DS)
|
|
|
|
{% include_relative include/safemodecheck.txt %}
|
|
|
|
If the camera does not open, you cannot follow this method. If this is the case, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
|
|
{: .notice--warning}
|
|
|
|
#### Section II - Prep Work (source 3DS)
|
|
|
|
In this section, you will set up your source 3DS (the 3DS with custom firmware) for delivery of the exploit data to the target 3DS.
|
|
|
|
1. Insert the SD card of your **source 3DS** in your computer
|
|
1. Copy `boot.firm` from the Luma3DS `.zip` to the root of the **source 3DS**'s SD card, replacing any existing file
|
|
+ The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
|
|
1. Copy kartdlphax's `plugin.3gx` to the following directory on the **source 3DS**'s SD card, depending on the **region of your copy of Mario Kart 7**:
|
|
- USA: `luma/plugins/0004000000030800`
|
|
- EUR: `luma/plugins/0004000000030700`
|
|
- JPN: `luma/plugins/0004000000030600`
|
|
- Create the `plugins` and `00040000...` folders if they do not already exist
|
|
1. Eject the SD card and put it in the **source 3DS**
|
|
|
|
#### Section III - Prep Work (target 3DS)
|
|
|
|
In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)'s SD card.
|
|
|
|
1. Insert the SD card of your **target 3DS** in your computer
|
|
1. Copy `boot.firm` and `boot.3dsx` from the Luma3DS `.zip` to the root of the **target 3DS's** SD card
|
|
1. Create a folder named `boot9strap` on the root of your SD card
|
|
1. Copy `boot9strap.firm` and `boot9strap.firm.sha` from the RELEASE `.zip` to the `/boot9strap/` folder on your SD card
|
|
1. Copy `SafeB9SInstaller.bin` from the SafeB9SInstaller `.zip` to the root of your SD card
|
|
1. Copy `usm.bin` from the RELEASE `.zip` to the root of your SD card
|
|
1. Create a folder called `3ds` on the root of your SD card
|
|
1. Copy `slotTool.3dsx` from the `slotTool` folder inside the RELEASE `.zip` to the `/3ds/` folder on your SD card
|
|
1. Eject the SD card and put it in the **target 3DS**
|
|
|
|
#### Section IV - kartdlphax
|
|
|
|
In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.
|
|
|
|
1. Power on the **source 3DS**
|
|
- If you are prompted to set up Luma3DS, just press START to save the configuration
|
|
1. Once in the HOME Menu, press (Left Shoulder) + (Down D-Pad) + (Select) to bring up the Rosalina menu
|
|
1. Select "Enable plugin loader"
|
|
1. Press (B) to exit the Rosalina menu
|
|
1. Launch Mario Kart 7
|
|
- Ensure that wireless connectivity is enabled
|
|
1. Navigate to `Local Multiplayer`. A menu should pop up
|
|
- If the screen freezes, hold the power button for fifteen seconds to force power off your console, then try again
|
|
- If you have launched kartdlphax previously, the last selected settings will be loaded. If they are correct, select `Use settings` and skip the next 3 steps. If they are incorrect, select `Change settings` and proceed.
|
|
1. Select your **target 3DS** console type (Old 3DS family or New 3DS family)
|
|
1. Select the following exploit type depending on your system version:
|
|
- 11.16.0: select `xPloitInjector (11.16)`
|
|
- 11.17.0: select `xPloitInjector (11.17)`
|
|
1. A confirmation menu will show up. If the settings shown on the top screen are correct, select `Use settings`
|
|
- If the settings are not correct, press `Change settings` and modify them accordingly
|
|
1. Select `Create Group`
|
|
- If the source 3DS freezes at this point and you are using a cartridge, try [installing the cartridge to the system](dumping-titles-and-game-cartridges#installing-a-game-cartridge-directly-to-the-system)
|
|
1. Power on the **target 3DS**
|
|
- Ensure that wireless connectivity is enabled
|
|
1. On the **target 3DS**, open the Download Play application (![]({{ "/images/download-play-icon.png" | absolute_url }}){: height="24px" width="24px"}), then select "Nintendo 3DS"
|
|
1. Join the group created by the **source 3DS**
|
|
1. Select "Start" on the **source 3DS** once it has detected the **target 3DS**
|
|
1. Once multiplayer has loaded, navigate to `Grand Prix` -> `50cc` -> (any driver) -> `Mushroom Cup` -> `OK`
|
|
1. Wait a while (a percentage should be displayed on the **source 3DS**)
|
|
1. If the exploit was successful, the **target 3DS** will have booted into the 3DS ROP xPloit Injector
|
|
- If the exploit was not successful, power off the **source 3DS** and **target 3DS** and start again from the beginning of `Section III - kartdlphax`
|
|
1. Press (X) to inject unSAFE_MODE
|
|
1. If the injection was successful, the screen will turn green and the **target 3DS** will automatically power off
|
|
+ If the screen turns red, power off the target 3DS and start again from the beginning of `Section III - kartdlphax`. If this doesn't work, ask for help at [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp))
|
|
|
|
You will **not** need to use your **source 3DS** to complete any further steps on this guide. Any further steps should only be completed on the **target 3DS**.
|
|
{: .notice--info}
|
|
|
|
#### Section V - unSAFE_MODE
|
|
|
|
In this section, you will enter Safe Mode (a feature available on all 3DS family consoles) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.
|
|
|
|
1. With your console still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your console
|
|
+ Keep holding the buttons until the console boots into Safe Mode (a "system update" menu)
|
|
1. Press "OK" to accept the update
|
|
+ There is no update. This is part of the exploit
|
|
1. Press "I accept" to accept the terms and conditions
|
|
1. The update will eventually fail, with the error code `003-1099`. This is intended behaviour
|
|
1. When asked "Would you like to configure Internet settings?", select "Yes"
|
|
1. On the following menu, navigate to `Connection 1` -> `Change Settings` -> `Next Page (right arrow)` -> `Proxy Settings` -> `Detailed Setup` ([image](/images/screenshots/usm/safemode_highlighted.png))
|
|
1. If the exploit was successful, your console will have booted into SafeB9SInstaller
|
|
+ If your console instead freezes on a white screen, hold the POWER button until it turns off, then retry this section
|
|
+ If your console instead freezes on a red screen, you are missing `usm.bin` from the root of your SD card
|
|
+ If you get a different error, [follow this troubleshooting guide](troubleshooting#installing-boot9strap-usm)
|
|
|
|
#### Section VI - Installing boot9strap
|
|
|
|
{% include_relative include/install-boot9strap-safeb9sinstaller.txt %}
|
|
{%- include_relative include/configure-luma3ds.txt %}
|
|
|
|
{% include_relative include/luma3ds-installed-note.txt %}
|
|
|
|
#### Section VII - Restoring WiFi Configuration Profiles
|
|
|
|
In this section, you will enter the Homebrew Launcher (using custom firmware) so that you can restore the Wi-Fi connection slots that were overwritten in Section I.
|
|
|
|
{% include_relative include/launch-hbl-dlp.txt %}
|
|
1. Launch slotTool from the list of homebrew
|
|
1. Select "RESTORE original wifi slots 1,2,3"
|
|
1. Your console will then reboot
|
|
|
|
___
|
|
|
|
### Continue to [Finalizing Setup](finalizing-setup)
|
|
{: .notice--primary}
|