Guide_3DS/_pages/en_US/installing-boot9strap-(kartdlphax).txt
2022-10-19 09:10:12 -07:00

160 lines
10 KiB
Text

---
title: "Installing boot9strap (kartdlphax)"
---
{% include toc title="Table of Contents" %}
<details>
<summary><em>Technical Details (optional)</em></summary>
<p>In order to exploit the SAFE_MODE firmware of our system, we need to inject an exploited WiFi profile.</p>
<p>To accomplish this, we can use the Download Play functionality of the game Mario Kart 7, using a 3DS with custom firmware already installed along with a custom game plugin.</p>
<p>This custom plugin will send a hacked payload to an unhacked console, which then exploits the system in order to inject the exploited WiFi profile into your connections list.</p>
<p>Once the WiFi profile has been injected, we will use SAFE_MODE, which is a recovery feature present on all 3DS consoles, to activate the exploited WiFi profile.</p>
<p>For a more technical explanation, see the following links for information on the kartdlphax and unSAFE_MODE exploits: <a href="https://github.com/PabloMK7/kartdlphax">kartdlphax</a>, <a href="https://github.com/zoogie/unSAFE_MODE/">unSAFE_MODE</a>.</p>
</details>
{: .notice--info}
### Compatibility Notes
In order to follow these instructions, you will need the following:
- A second 3DS with custom firmware (the **source 3DS**) that is the same region as the 3DS you are trying to modify (the **target 3DS**)
- The consoles must be USA, JPN, or EUR region consoles
- A physical or digital copy of Mario Kart 7 that is the same region as both consoles
- An SD card for both devices
If the (Right/Left Shoulder), (D-Pad Up), or (A) buttons on the **target 3DS** do not work, you will not be able to follow these instructions. For further assistance with this matter, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
{: .notice--warning}
### What You Need
On the **source 3DS** (the 3DS with custom firmware):
* The latest release of [kartdlphax](https://github.com/PabloMK7/kartdlphax/releases/latest) (`plugin.3gx`)
* The latest release of [Luma3DS 3GX Loader Edition](https://github.com/Nanquitas/Luma3DS/releases/latest) (`boot.firm`)
On the **target 3DS** (the 3DS that you are trying to modify):
* The latest release of [SafeB9SInstaller](https://github.com/d0k3/SafeB9SInstaller/releases/download/v0.0.7/SafeB9SInstaller-20170605-122940.zip) (direct download)
* The latest release of [boot9strap](https://github.com/SciresM/boot9strap/releases/download/1.4/boot9strap-1.4.zip) (direct download)
* The latest release of [standard Luma3DS](https://github.com/LumaTeam/Luma3DS/releases/latest) (the Luma3DS `.zip` file)
* The latest release of [unSAFE_MODE](https://github.com/zoogie/unSAFE_MODE/releases/latest) (the RELEASE `.zip` file)
#### Section I - Prep Work (source 3DS)
In this section, you will set up your source 3DS (the 3DS with custom firmware) for delivery of the exploit data to the target 3DS.
1. Insert the SD card of your **source 3DS** in your computer
1. Copy Luma 3GX Loader Edition's `boot.firm` to the root of the **source 3DS**'s SD card, replacing any existing file
+ The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
1. Copy kartdlphax's `plugin.3gx` to the following directory on the **source 3DS**'s SD card, depending on the **region of your copy of Mario Kart 7**:
- USA: `luma/plugins/0004000000030800`
- EUR: `luma/plugins/0004000000030700`
- JPN: `luma/plugins/0004000000030600`
- Create the `plugins` and `00040000...` folders if they do not already exist
1. Eject the SD card and put it in the **source 3DS**
#### Section II - Prep Work (target 3DS)
In this section, you will copy the files needed to trigger the unSAFE_MODE exploit onto your target 3DS (the 3DS that you are trying to modify)'s SD card.
1. Insert the SD card of your **target 3DS** in your computer
1. Copy `boot.firm` and `boot.3dsx` from the standard Luma3DS `.zip` to the root of your SD card
1. Create a folder named `boot9strap` on the root of your SD card
1. Copy `boot9strap.firm` and `boot9strap.firm.sha` from the boot9strap `.zip` to the `/boot9strap/` folder on your SD card
1. Copy `SafeB9SInstaller.bin` from the SafeB9SInstaller `.zip` to the root of your SD card
1. Copy `usm.bin` from the unSAFE_MODE `.zip` to the root of your SD card
1. Create a folder called `3ds` on the root of your SD card
1. Copy the `slotTool` folder from the unSAFE_MODE `.zip` to the `3ds` folder on your SD card
1. Eject the SD card and put it in the **target 3DS**
#### Section III - kartdlphax
In this section, you will use Download Play to transfer the exploit data from the source 3DS to the target 3DS, which can be used to overwrite your Wi-Fi slots with hacked data. Your Wi-Fi connection settings will be temporarily overwritten while the exploit is active.
1. Power on the **source 3DS**
- If you are prompted to set up Luma3DS, just press START to save the configuration
1. Once in the HOME Menu, press (Left Shoulder) + (Down D-Pad) + (Select) to bring up the Rosalina menu
1. Select "Enable plugin loader"
1. Press (B) to exit the Rosalina menu
1. Launch Mario Kart 7
- Ensure that wireless connectivity is enabled
1. Navigate to `Local Multiplayer`. A menu should pop up
- If the screen freezes, hold the power button for fifteen seconds to force power off your device, then try again
- If you have launched kartdlphax previously, the last selected settings will be loaded. If they are correct, select `Use settings` and skip the next 3 steps. If they are incorrect, select `Change settings` and proceed.
1. Select your **target 3DS** device type (Old 3DS family or New 3DS family)
1. Select the exploit type `3DS ROP xPloit Injector`
1. A confirmation menu will show up. If the settings shown on the top screen are correct, select `Use settings`
- If the settings are not correct, press `Change settings` and modify them accordingly
1. Select `Create Group`
- If the source 3DS freezes at this point and you are using a cartridge, try [installing the cartridge to the system](dumping-titles-and-game-cartridges#installing-a-game-cartridge-directly-to-the-system)
1. Power on the **target 3DS**
- Ensure that wireless connectivity is enabled
1. On the **target 3DS**, open the Download Play application (![]({{ "/images/download-play-icon.png" | absolute_url }}){: height="24px" width="24px"}), then select "Nintendo 3DS"
1. Join the group created by the **source 3DS**
1. Select "Start" on the **source 3DS** once it has detected the **target 3DS**
1. Once multiplayer has loaded, navigate to `Grand Prix` -> `50cc` -> (any driver) -> `Mushroom Cup` -> `OK`
1. Wait a while (a percentage should be displayed on the **source 3DS**)
1. If the exploit was successful, the **target 3DS** will have booted into the 3DS ROP xPloit Injector
- If the exploit was not successful, power off the **source 3DS** and **target 3DS** and start again from the beginning of `Section III - kartdlphax`
1. Press (X) to inject unSAFE_MODE
1. If the injection was successful, the screen will turn green and the **target 3DS** will automatically power off
+ If the screen turns red, power off the target 3DS and start again from the beginning of `Section III - kartdlphax`. If this doesn't work, ask for help at [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp))
You will **not** need to use your **source 3DS** to complete any further steps on this guide. Any further steps should only be completed on the **target 3DS**.
{: .notice--info}
#### Section IV - unSAFE_MODE
In this section, you will enter Safe Mode (a feature available on all 3DS family devices) and navigate to a menu where unSAFE_MODE will be triggered, which will launch you into the boot9strap (custom firmware) installer.
1. With your device still powered off, hold the following buttons: (Left Shoulder) + (Right Shoulder) + (D-Pad Up) + (A), and while holding these buttons together, power on your device
+ Keep holding the buttons until the device boots into Safe Mode (a "system update" menu)
+ If you're unable to get into Safe Mode after multiple attempts, one of your buttons may be failing or broken. If this is the case, join [Nintendo Homebrew on Discord](https://discord.gg/MWxPgEp) and ask, in English, for help.
1. Press "OK" to accept the update
+ There is no update. This is part of the exploit
1. Press "I accept" to accept the terms and conditions
1. The update will eventually fail, with the error code `003-1099`. This is intended behaviour
1. When asked "Would you like to configure Internet settings?", select "Yes"
1. On the following menu, navigate to `Connection 1` -> `Change Settings` -> `Next Page (right arrow)` -> `Proxy Settings` -> `Detailed Setup` ([image](/images/screenshots/bb3/safemode_highlighted.png))
1. If the exploit was successful, your device will have booted into SafeB9SInstaller
#### Section V - Installing boot9strap
In this section, you will install custom firmware onto your device.
1. When prompted, input the key combo given on the top screen to install boot9strap
+ If the top screen is blank, power off your device and re-do Section III
1. Once it is complete, press (A) to reboot your device
1. Your device should have rebooted into the Luma3DS configuration menu
+ If your device shuts down when you try to power it on, ensure that you have copied `boot.firm` from the Luma3DS `.zip` to the root of your SD card
1. Press (Start) to save and reboot
At this point, your console will boot to Luma3DS by default.
+ Luma3DS does not look any different from the normal HOME Menu. If your console has booted into the HOME Menu, it is running custom firmware.
+ On the next page, you will install useful homebrew applications to complete your setup.
#### Section VI - Restoring WiFi Configuration Profiles
In this section, you will enter the Homebrew Launcher so that you can restore the Wi-Fi connection slots that were overwritten in Section III.
1. Launch the Download Play application
1. Wait until you see the two buttons
+ Do not press either of the buttons
1. Press (Left Shoulder) + (D-Pad Down) + (Select) at the same time to open the Rosalina menu
1. Select "Miscellaneous options"
1. Select "Switch the hb. title to the current app."
1. Press (B) to continue
1. Press (B) to return to the Rosalina main menu
1. Press (B) to exit the Rosalina menu
1. Press (Home), then close Download Play
1. Relaunch the Download Play application
1. Your device should load the Homebrew Launcher
1. Launch slotTool from the list of homebrew
1. Select "RESTORE original wifi slots 1,2,3"
1. Your device will then reboot
___
### Continue to [Finalizing Setup](finalizing-setup)
{: .notice--primary}