160 lines
10 KiB
Text
160 lines
10 KiB
Text
---
|
|
title: "Installing boot9strap (kartdlphax)"
|
|
---
|
|
|
|
{% include toc title="Table of Contents" %}
|
|
|
|
<details>
|
|
<summary><em>Technical Details (optional)</em></summary>
|
|
<p>In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.</p>
|
|
<p>To accomplish this, we can use the Download Play functionality of the game Mario Kart 7, using a 3DS with custom firmware already installed along with a custom game plugin.</p>
|
|
<p>This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.</p>
|
|
<p>Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.</p>
|
|
<p>For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: <a href="https://github.com/PabloMK7/kartdlphax">kartdlphax</a>, <a href="https://github.com/zoogie/unSAFE_MODE/">unSAFE_MODE</a>.</p>
|
|
</details>
|
|
{: .notice--info}
|
|
|
|
### Compatibility Notes
|
|
|
|
In order to follow these instructions, you will need the following:
|
|
|
|
- A second 3DS with custom firmware (the **source 3DS**) that is the same region as the 3DS you are trying to modify (the **target 3DS**)
|
|
- The consoles must be USA, JPN, or EUR region consoles
|
|
- A physical or digital copy of Mario Kart 7 that is the same region as both consoles
|
|
- An SD card for both devices
|
|
|
|
If the (Right/Left Shoulder), (D-Pad Up), or (A) buttons on the **target 3DS** do not work, you will not be able to follow these instructions. For further assistance with this matter, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
|
|
{: .notice--warning}
|
|
|
|
### What You Need
|
|
|
|
On the **source 3DS** (the 3DS with custom firmware):
|
|
|
|
* The latest release of [kartdlphax](https://github.com/PabloMK7/kartdlphax/releases/latest) (`plugin.3gx`)
|
|
* The latest release of [Luma3DS 3GX Loader Edition](https://github.com/Nanquitas/Luma3DS/releases/latest) (`boot.firm`)
|
|
|
|
On the **target 3DS** (the 3DS that you are trying to modify):
|
|
|
|
* The latest release of [SafeB9SInstaller](https://github.com/d0k3/SafeB9SInstaller/releases/download/v0.0.7/SafeB9SInstaller-20170605-122940.zip) (direct download)
|
|
* The latest release of [boot9strap](https://github.com/SciresM/boot9strap/releases/download/1.4/boot9strap-1.4.zip) (direct download)
|
|
* The latest release of [standard Luma3DS](https://github.com/LumaTeam/Luma3DS/releases/latest) (the Luma3DS `.zip` file)
|
|
* The latest release of [unSAFE_MODE](https://github.com/zoogie/unSAFE_MODE/releases/latest) (the RELEASE `.zip` file)
|
|
|
|
#### Section I - Prep Work (source 3DS)
|
|
|
|
In this section, you will set up your source 3DS (the 3DS with custom firmware) for delivery of the exploit data to the target 3DS.
|
|
|
|
1. Insert the SD card of your **source 3DS** in your computer
|
|
1. Copy Luma 3GX Loader Edition's `boot.firm` to the root of the **source 3DS**'s SD card, replacing any existing file
|
|
+ The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
|
|
1. Copy kartdlphax's `plugin.3gx` to the following directory on the **source 3DS**'s SD card, depending on the **region of your copy of Mario Kart 7**:
|
|
- USA: `luma/plugins/0004000000030800`
|
|
- EUR: `luma/plugins/0004000000030700`
|
|
- JPN: `luma/plugins/0004000000030600`
|
|
- Create the `plugins` and `00040000...` folders if they do not already exist
|
|
1. Eject the SD card and put it in the **source 3DS**
|
|
|
|
#### Section II - Prep Work (target 3DS)
|
|
|
|
In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)'s SD card.
|
|
|
|
1. Insert the SD card of your **target 3DS** in your computer
|
|
1. Copy `boot.firm` and `boot.3dsx` from the standard Luma3DS `.zip` to the root of your SD card
|
|
1. Create a folder named `boot9strap` on the root of your SD card
|
|
1. Copy `boot9strap.firm` and `boot9strap.firm.sha` from the boot9strap `.zip` to the `/boot9strap/` folder on your SD card
|
|
1. Copy `SafeB9SInstaller.bin` from the SafeB9SInstaller `.zip` to the root of your SD card
|
|
1. Copy `usm.bin` from the unSAFE_MODE `.zip` to the root of your SD card
|
|
1. Create a folder called `3ds` on the root of your SD card
|
|
1. Copy the `slotTool` folder from the unSAFE_MODE `.zip` to the `3ds` folder on your SD card
|
|
1. Eject the SD card and put it in the **target 3DS**
|
|
|
|
#### Section III - kartdlphax
|
|
|
|
In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.
|
|
|
|
1. Power on the **source 3DS**
|
|
- If you are prompted to set up Luma3DS, just press START to save the configuration
|
|
1. Once in the HOME Menu, press (Left Shoulder) + (Down D-Pad) + (Select) to bring up the Rosalina menu
|
|
1. Select "Enable plugin loader"
|
|
1. Press (B) to exit the Rosalina menu
|
|
1. Launch Mario Kart 7
|
|
- Ensure that wireless connectivity is enabled
|
|
1. Navigate to `Local Multiplayer`. A menu should pop up
|
|
- If the screen freezes, hold the power button for fifteen seconds to force power off your device, then try again
|
|
- If you have launched kartdlphax previously, the last selected settings will be loaded. If they are correct, select `Use settings` and skip the next 3 steps. If they are incorrect, select `Change settings` and proceed.
|
|
1. Select your **target 3DS** device type (Old 3DS family or New 3DS family)
|
|
1. Select the exploit type `3DS ROP xPloit Injector`
|
|
1. A confirmation menu will show up. If the settings shown on the top screen are correct, select `Use settings`
|
|
- If the settings are not correct, press `Change settings` and modify them accordingly
|
|
1. Select `Create Group`
|
|
- If the source 3DS freezes at this point and you are using a cartridge, try [installing the cartridge to the system](dumping-titles-and-game-cartridges#installing-a-game-cartridge-directly-to-the-system)
|
|
1. Power on the **target 3DS**
|
|
- Ensure that wireless connectivity is enabled
|
|
1. On the **target 3DS**, open the Download Play application (![]({{ "/images/download-play-icon.png" | absolute_url }}){: height="24px" width="24px"}), then select "Nintendo 3DS"
|
|
1. Join the group created by the **source 3DS**
|
|
1. Select "Start" on the **source 3DS** once it has detected the **target 3DS**
|
|
1. Once multiplayer has loaded, navigate to `Grand Prix` -> `50cc` -> (any driver) -> `Mushroom Cup` -> `OK`
|
|
1. Wait a while (a percentage should be displayed on the **source 3DS**)
|
|
1. If the exploit was successful, the **target 3DS** will have booted into the 3DS ROP xPloit Injector
|
|
- If the exploit was not successful, power off the **source 3DS** and **target 3DS** and start again from the beginning of `Section III - kartdlphax`
|
|
1. Press (X) to inject unSAFE_MODE
|
|
1. If the injection was successful, the screen will turn green and the **target 3DS** will automatically power off
|
|
+ If the screen turns red, power off the target 3DS and start again from the beginning of `Section III - kartdlphax`. If this doesn't work, ask for help at [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp))
|
|
|
|
You will **not** need to use your **source 3DS** to complete any further steps on this guide. Any further steps should only be completed on the **target 3DS**.
|
|
{: .notice--info}
|
|
|
|
#### Section IV - unSAFE_MODE
|
|
|
|
In this section, you will enter Safe Mode (a feature available on all 3DS family devices) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.
|
|
|
|
1. With your device still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your device
|
|
+ Keep holding the buttons until the device boots into Safe Mode (a "system update" menu)
|
|
+ If you're unable to get into Safe Mode after multiple attempts, one of your buttons may be failing or broken. If this is the case, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
|
|
1. Press "OK" to accept the update
|
|
+ There is no update. This is part of the exploit
|
|
1. Press "I accept" to accept the terms and conditions
|
|
1. The update will eventually fail, with the error code `003-1099`. This is intended behaviour
|
|
1. When asked "Would you like to configure Internet settings?", select "Yes"
|
|
1. On the following menu, navigate to `Connection 1` -> `Change Settings` -> `Next Page (right arrow)` -> `Proxy Settings` -> `Detailed Setup` ([image](/images/screenshots/bb3/safemode_highlighted.png))
|
|
1. If the exploit was successful, your device will have booted into SafeB9SInstaller
|
|
|
|
#### Section V - Installing boot9strap
|
|
|
|
In this section, you will install custom firmware onto your device.
|
|
|
|
1. When prompted, input the key combo given on the top screen to install boot9strap
|
|
+ If the top screen is blank, power off your device and re-do Section III
|
|
1. Once it is complete, press (A) to reboot your device
|
|
1. Your device should have rebooted into the Luma3DS configuration menu
|
|
+ If your device shuts down when you try to power it on, ensure that you have copied `boot.firm` from the Luma3DS `.zip` to the root of your SD card
|
|
1. Press (Start) to save and reboot
|
|
|
|
At this point, your console will boot to Luma3DS by default.
|
|
+ Luma3DS does not look any different from the normal HOME Menu. If your console has booted into the HOME Menu, it is running custom firmware.
|
|
+ On the next page, you will install useful homebrew applications to complete your setup.
|
|
|
|
#### Section VI - Restoring WiFi Configuration Profiles
|
|
|
|
In this section, you will enter the Homebrew Launcher so that you can restore the Wi-Fi connection slots that were overwritten in Section III.
|
|
|
|
1. Launch the Download Play application
|
|
1. Wait until you see the two buttons
|
|
+ Do not press either of the buttons
|
|
1. Press (Left Shoulder) + (D-Pad Down) + (Select) at the same time to open the Rosalina menu
|
|
1. Select "Miscellaneous options"
|
|
1. Select "Switch the hb. title to the current app."
|
|
1. Press (B) to continue
|
|
1. Press (B) to return to the Rosalina main menu
|
|
1. Press (B) to exit the Rosalina menu
|
|
1. Press (Home), then close Download Play
|
|
1. Relaunch the Download Play application
|
|
1. Your device should load the Homebrew Launcher
|
|
1. Launch slotTool from the list of homebrew
|
|
1. Select "RESTORE original wifi slots 1,2,3"
|
|
1. Your device will then reboot
|
|
|
|
___
|
|
|
|
### Continue to [Finalizing Setup](finalizing-setup)
|
|
{: .notice--primary}
|