138 lines
8 KiB
Text
138 lines
8 KiB
Text
---
|
|
title: "Installing boot9strap (kartdlphax)"
|
|
---
|
|
|
|
{% include toc title="Table of Contents" %}
|
|
|
|
{% capture technical_info %}
|
|
<summary><em>Technical Details (optional)</em></summary>
|
|
|
|
In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.
|
|
|
|
To accomplish this, we can use the Download Play functionality of the game Mario Kart 7, using a 3DS with custom firmware already installed along with a custom game plugin.
|
|
|
|
This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.
|
|
|
|
Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.
|
|
|
|
For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: [kartdlphax](https://github.com/PabloMK7/kartdlphax), [unSAFE_MODE](https://github.com/zoogie/unSAFE_MODE/).
|
|
|
|
{% endcapture %}
|
|
<details>{{ technical_info | markdownify }}</details>
|
|
{: .notice--info}
|
|
|
|
### Compatibility Notes
|
|
|
|
In order to follow these instructions, you will need the following:
|
|
|
|
- A second 3DS with custom firmware (the **source 3DS**) that is the same region as the 3DS you are trying to modify (the **target 3DS**)
|
|
- The consoles must be USA, JPN, or EUR region consoles
|
|
- A physical or digital copy of Mario Kart 7 that is the same region as both consoles
|
|
- An SD card for both devices
|
|
|
|
### What You Need
|
|
|
|
On the **source 3DS** (the 3DS with custom firmware):
|
|
|
|
* The latest release of [kartdlphax](https://github.com/PabloMK7/kartdlphax/releases/latest) (`plugin.3gx`)
|
|
* The latest release of [Luma3DS 3GX Loader Edition](https://github.com/PabloMK7/Luma3DS_3GX/releases/latest) (`boot.firm`)
|
|
|
|
On the **target 3DS** (the 3DS that you are trying to modify):
|
|
|
|
* The latest release of [SafeB9SInstaller](https://github.com/d0k3/SafeB9SInstaller/releases/download/v0.0.7/SafeB9SInstaller-20170605-122940.zip) (direct download)
|
|
* The latest release of [boot9strap](https://github.com/SciresM/boot9strap/releases/download/1.4/boot9strap-1.4.zip) (direct download)
|
|
* The latest release of [standard Luma3DS](https://github.com/LumaTeam/Luma3DS/releases/latest) (the Luma3DS `.zip` file)
|
|
* The latest release of [unSAFE_MODE](https://github.com/zoogie/unSAFE_MODE/releases/latest) (the RELEASE `.zip` file)
|
|
|
|
#### Section I - Hardware Button Check (target 3DS)
|
|
|
|
{% include_relative include/safemodecheck.txt %}
|
|
|
|
If the camera does not open, you cannot follow this method. If this is the case, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
|
|
{: .notice--warning}
|
|
|
|
#### Section II - Prep Work (source 3DS)
|
|
|
|
In this section, you will set up your source 3DS (the 3DS with custom firmware) for delivery of the exploit data to the target 3DS.
|
|
|
|
1. Insert the SD card of your **source 3DS** in your computer
|
|
1. Copy Luma 3GX Loader Edition's `boot.firm` to the root of the **source 3DS**'s SD card, replacing any existing file
|
|
+ The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
|
|
1. Copy kartdlphax's `plugin.3gx` to the following directory on the **source 3DS**'s SD card, depending on the **region of your copy of Mario Kart 7**:
|
|
- USA: `luma/plugins/0004000000030800`
|
|
- EUR: `luma/plugins/0004000000030700`
|
|
- JPN: `luma/plugins/0004000000030600`
|
|
- Create the `plugins` and `00040000...` folders if they do not already exist
|
|
1. Eject the SD card and put it in the **source 3DS**
|
|
|
|
#### Section III - Prep Work (target 3DS)
|
|
|
|
In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)'s SD card.
|
|
|
|
1. Insert the SD card of your **target 3DS** in your computer
|
|
1. Copy `boot.firm` and `boot.3dsx` from the standard Luma3DS `.zip` to the root of your SD card
|
|
1. Create a folder named `boot9strap` on the root of your SD card
|
|
1. Copy `boot9strap.firm` and `boot9strap.firm.sha` from the boot9strap `.zip` to the `/boot9strap/` folder on your SD card
|
|
1. Copy `SafeB9SInstaller.bin` from the SafeB9SInstaller `.zip` to the root of your SD card
|
|
1. Copy `usm.bin` from the unSAFE_MODE `.zip` to the root of your SD card
|
|
1. Create a folder called `3ds` on the root of your SD card
|
|
1. Copy the `slotTool` folder from the unSAFE_MODE `.zip` to the `3ds` folder on your SD card
|
|
1. Eject the SD card and put it in the **target 3DS**
|
|
|
|
#### Section IV - kartdlphax
|
|
|
|
In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.
|
|
|
|
1. Power on the **source 3DS**
|
|
- If you are prompted to set up Luma3DS, just press START to save the configuration
|
|
1. Once in the HOME Menu, press (Left Shoulder) + (Down D-Pad) + (Select) to bring up the Rosalina menu
|
|
1. Select "Enable plugin loader"
|
|
1. Press (B) to exit the Rosalina menu
|
|
1. Launch Mario Kart 7
|
|
- Ensure that wireless connectivity is enabled
|
|
1. Navigate to `Local Multiplayer`. A menu should pop up
|
|
- If the screen freezes, hold the power button for fifteen seconds to force power off your device, then try again
|
|
- If you have launched kartdlphax previously, the last selected settings will be loaded. If they are correct, select `Use settings` and skip the next 3 steps. If they are incorrect, select `Change settings` and proceed.
|
|
1. Select your **target 3DS** device type (Old 3DS family or New 3DS family)
|
|
1. Select the following exploit type depending on your system version:
|
|
- 11.16.0: select `xPloitInjector (11.16)`
|
|
- 11.17.0: select `xPloitInjector (11.17)`
|
|
1. A confirmation menu will show up. If the settings shown on the top screen are correct, select `Use settings`
|
|
- If the settings are not correct, press `Change settings` and modify them accordingly
|
|
1. Select `Create Group`
|
|
- If the source 3DS freezes at this point and you are using a cartridge, try [installing the cartridge to the system](dumping-titles-and-game-cartridges#installing-a-game-cartridge-directly-to-the-system)
|
|
1. Power on the **target 3DS**
|
|
- Ensure that wireless connectivity is enabled
|
|
1. On the **target 3DS**, open the Download Play application (![]({{ "/images/download-play-icon.png" | absolute_url }}){: height="24px" width="24px"}), then select "Nintendo 3DS"
|
|
1. Join the group created by the **source 3DS**
|
|
1. Select "Start" on the **source 3DS** once it has detected the **target 3DS**
|
|
1. Once multiplayer has loaded, navigate to `Grand Prix` -> `50cc` -> (any driver) -> `Mushroom Cup` -> `OK`
|
|
1. Wait a while (a percentage should be displayed on the **source 3DS**)
|
|
1. If the exploit was successful, the **target 3DS** will have booted into the 3DS ROP xPloit Injector
|
|
- If the exploit was not successful, power off the **source 3DS** and **target 3DS** and start again from the beginning of `Section III - kartdlphax`
|
|
1. Press (X) to inject unSAFE_MODE
|
|
1. If the injection was successful, the screen will turn green and the **target 3DS** will automatically power off
|
|
+ If the screen turns red, power off the target 3DS and start again from the beginning of `Section III - kartdlphax`. If this doesn't work, ask for help at [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp))
|
|
|
|
You will **not** need to use your **source 3DS** to complete any further steps on this guide. Any further steps should only be completed on the **target 3DS**.
|
|
{: .notice--info}
|
|
|
|
#### Section V - unSAFE_MODE
|
|
|
|
{% include_relative include/exploit-usm.txt %}
|
|
|
|
#### Section VI - Installing boot9strap
|
|
|
|
{% include_relative include/install-boot9strap-safeb9sinstaller.txt %}
|
|
{%- include_relative include/configure-luma3ds.txt %}
|
|
|
|
{% include_relative include/luma3ds-installed-note.txt %}
|
|
|
|
#### Section VII - Restoring WiFi Configuration Profiles
|
|
|
|
{% include_relative include/remove-usm-slottool.txt %}
|
|
|
|
___
|
|
|
|
### Continue to [Finalizing Setup](finalizing-setup)
|
|
{: .notice--primary}
|