Nintendo 3ds: Difference between revisions

From miki
Jump to navigation Jump to search
Line 13: Line 13:
|-
|-
|{{kb|L}}
|{{kb|L}}
|Boot alternate NAND (ie. EmuNAND)
|(maybe old version) Boot alternate NAND (ie. EmuNAND)
|-
|-
|{{kb|START}}
|{{kb|START}}
|Luma Chainloader menu
|Boot Decrypt9
|-
|{{kb|START + SELECT + X}}
|dump the ARM11 bootrom (boot11.bin), the ARM9 bootrom (boot9.bin), and your console unique OTP (OTP.bin) to the /boot9strap/ folder on your SD card (note that this will not have any kind of prompt or message)
|}
|}



Revision as of 14:16, 13 August 2017

Summary

  • A9LH installed in SYSNAND.
  • Luma3DS installed as CFW on internal uSD card.
  • Configured to boot SYSNAND by default (press L to boot EmuNAND).

These are shortcut for Luma3DS (keep these keys pressed when powering up the 3DS).

Shortcut function
SELECT Go to LUMA 3DS config menu
L (maybe old version) Boot alternate NAND (ie. EmuNAND)
START Luma Chainloader menu
START + SELECT + X dump the ARM11 bootrom (boot11.bin), the ARM9 bootrom (boot9.bin), and your console unique OTP (OTP.bin) to the /boot9strap/ folder on your SD card (note that this will not have any kind of prompt or message)

CAUTION

ON SYSNAND, DO NOT DO A FIRMWARE UPDATE WHEN IN GATEWAY MODE - DOING SO WILL DELETE A9LH AND PROBABLY BRICK THE 3DS. THE A9LH LOADER FROM GATEWAY DOES NOT HAVE THE FIRM PROTECTION THAT PREVENTS REMOVAL OF A9LH.'

Links

Database
Custom firmware (CFW)
  • Aureinand / Luma3DS
  • Decrypt9WIP
Homebrew Launchers
 Loader as CIA for CFW.
Original flashcard
  • gateway 3ds -- Original manufacturer of the Gateway 3DS flashcard (the red and blue one)
  • gateway3ds -- an alternate site it seems, but with more detailed info
GBAtemp.net wiki
Youtube tutorials (informative, but not essential)
Including Userspace hax (for Homebrew access), ARM11 Kernel Hax, ARM9 Kernel Hax (ARM9LoaderHax)
Fake / outdated
Often has outdated information about Gateway flashcard, and promotes other cards.
Stuff
 sha256sum 5736ec8d40303b549f11c06b3811817531e17646a91ee2bb0d94afff69cf3a4e  2.1.0E(Full).zip
  • Get DevMenu / SaveDataFiler from link "[MEGA] Retail Encrypted DevApps! (Caution. These will install to NAND!)" (see guide [1])
Interesting stuff to look someday
  • free e-shop — allow to install game if you already have the title key.
  • BootCtr9, a boot manager for A9LH, including a fork of A9LH. Might help loading Gateway A9LH payload (see here for quick setup guide).

Hardware specification

Specification of our nintendo 3ds

  • New 3DS
  • Firmware: 9.9.0-26E

General

Hardware
  • Processor in N3DS: Arm9, and also Arm10?
3DS variants
  • There are 3 types of 3DS:
    • The 2DS
    • The O3DS, the original 3DS (aka. Old 3DS), and
    • The N3DS, the new 3DS that features among others a new StickC button.
Firmware
  • The N3DS CANNOT be downgraded to 4.x firmware

Glossary

Sources: [2]

  • NAND
  • SysNAND refers to the original data/system information on a NAND chip embedded in the 3DS.
  • EmuNAND refers to a backup/copy/emulated version of your SysNAND that runs off the SD card.
 The best SySNAND version (i.e. System Menu version, see below) for now is 9.2.
  • SD Card
  • 3DS microSD card -- The 3DS comes bundled with an SD card (O3DS) or a microSD card (N3DS). When EmuNAND is setup, it contains two partitions.
   The EmuNAND partition, when present, is formatted via the homebrew program EmuNAND9.
   The other partition stores homebrew, custom themes, save files, eShop and .cia home menu channels. It must be formatted as FAT32, cluster size 32kB.
  • Gateway microSD card -- On system with flashcards (like Gateway or Sky3DS), there is a second microSD in the flashcard that contains ROM games (.3ds or .3dz rom images).
  • Firmware / System menu
  • System Menu -- This is the official name for "_firmware_" running in the SysNAND.
  • Custom Firmware, CFW -- A program launched by an exploit (like DS profile exploit or MenuHax) that patches the System Menu in memory, and then "jumps" back to it.

Technical

Nintendo FW History

  • 6.1.0-12 — Blue gateway card blacklisted.

Unlinking EmuNAND and SysNAND

By default, EmuNAND uses the same NNID as SysNAND, and hence all system menu settings are shared (like theme selection). To prevent this, NANDs must be unlinked.

Some guides to do that:

  • On this page suggest to format the SysNAND without any 3DS uSD card inserted.

TitleID

See https://3dbrew.org/wiki/Title_list :

TWL_FIRM DSi Firmware

How-to

Transfer file from / to microSD card via WIFI

Using Nintendo microSD application

From [3]

  • On N3DS, go to device setting, and microSD management
  • Enter user name, password, and device name.
  • On Linux, use command:
mount -t cifs //DEVICE_NAME/microSD /mnt -o user=USER_NAME,password=PASSWORD,ip=IP_ADDRESS,servern=DEVICE_NAME
Issue: very instable. Often disconnect.
  • Use pv to copy and have progress bar:
pv myfile > myfile
Using FTP-3DS
Using ftBrony
  • Use homebrew application ftBRONY. It is available in the default HB launcher kit. See [5] for details.
  • To connect, launch the app to get IP and port number.
  • Start a FTP client. For instance in Midnight Commander:
cd ftp://192.168.1.33:5000/

Convert a .3ds game into .cia game

Using 3DS Simple CIA Converter
786dcbba10092cf57ae007d08ac8f916e764d93684f5e8d052a963922881740e  3DS Simple CIA Converter v4.3.rar
e8e55830a795e337a89589bf267ac815                                  3DS Simple CIA Converter v4.3.rar
  • Run from wine
  • Copy the .3ds file into the roms/ folder
  • Click the generate ncchfile stuff button
  • Copy the file to 3DS uSD root folder.
  • Launch Decrypt9. Select XORpad Generator Options and NCCH Padgen.
Ignore error about missing seeddb.bin file.
  • Back on PC, copy the .xorpad files into converter xorpad/ directory, and click Convert 3DS ROM to CIA button.
(Click FW Spoof first if FW spoofing is needed)
  • When done, copy the .cia file to 3DS uSD and import them using FBI or BigBlueMenu.
Using Decrypt9
  • Can extract .cia file directly from the cartridge.
But I had an issue with Mario Kart 7...
Other converters or guides

Installing .cia from the network

Using SocketPunch
  • On 3DS, start FBI application
  • On PC, go to location where the CIA are, then:
java -jar /smb/lacie-cloudbox/family/backup/nintendo_3ds/nintendo/cia/SocketPunch/SocketPunch_v0.3.4.jar

Downgrade firmware (with A9LH)

Only do this on CFW with A9LH and FIRM protection of course

See https://github.com/Plailect/sysDowngrader

  • Create dir /updates on microSD, and extract inside all fw .cia files (for instance, using 3DSNUS)
  • Install Plailect sysDowngrader as CIA
  • Run the downgrader.

Does NOT work. Application complains it can't open directory /updates, although it exists

Use Gateway Beta 4.1B on A9LH / Luma 3DS

  • Install the v2gw.bin / gateway.bin trick
  • Hold down key when booting to boot into Gateway mode.
Better make sure you have an EmuNAND setup (safer).
  • When seeing the dragon logo:
  • Do nothing to go to home menu
  • Hold L + Select to go to Gateway Menu
  • Hold R to update the Red Card.
  • In Home Menu, press Select to select another ROM on the card.

Backup / restore savegames

  • latest — see Plailect's guide (especially for transfer from GW to CIA).
  • Use SaveDataFiler (Dev kit leaked from Nintendo)
  • Usage guide (guide and info, guide 1, guide 2):
  • This can be used to backup 3DS ROM / cartridge / eshop / cia games, or exchange saves between all these.
  • For 3DS ROM, select the game using Gateway but don't launch it. For cartridge, insert the cartridge first.
  • Start SaveDataFiler
To backup a savegame:
  • For ROM/cartridge, select CTR Card, or the game id for eshop / cia.
For some games (like Fantasy Life), go to extdata/ and select the correct id (Fantasy Life 00001131).
To restore a savegame:
  • Go to SD tab. For ROM/cartridge, select the file and press L+A. For eshop / cia, press R+A. For extdata/ games (like Fantasy Life), simply press A.
Caution. For card1 games (except Fantasy Life), rename the file 000400000FF40A00.sav to game id.
Caution. For card2 games, the save are stored within the game itself. So for GW rom, the save are stored in the .3ds file on the red gateway card!
  • Several versions are available:
|------------------------------------------------------------------|--------|-------------------|
| sha256sum                                                        | length | name              |
|------------------------------------------------------------------|--------|-------------------|
| 3703611dd03ea71c2faab0aca963134472d64957089d335afe67ec9503e5b30d | 498624 | savedatafiler.cia |
| 290721315f2eb465acc0311bc3b8c9e764b54bf3accf1175d2951315edae1146 | 490432 | SaveDataFiler.cia |
|------------------------------------------------------------------|--------|-------------------|
   savedatafiler.txt seems to have a more recent version:
--- savedatafiler.cia.txt   2016-04-05 07:52:13.788224844 +0200
+++ SaveDataFiler.cia.txt   2016-04-05 07:52:18.924175572 +0200
@@ -1,4 +1,4 @@
-0000000: 2020000000000000 000a000050030000 340b0000c03a0000 0028070000000000    ..........P...4....:...(......
+0000000: 2020000000000000 000a000050030000 340b0000c03a0000 0008070000000000    ..........P...4....:..........

Perform maintenance tasks

Tasks to perform:

  • Backup the content of the uSD.
  • Update DECRYPT9 payload (in /luma)
  • Update EMUNAND9 payload (in /luma)
  • Update luma 3DS.
  • See Plailect's guide for updates.
  • See Gateway page for updates.

A9LH

Source: https://github.com/Plailect/Guide/wiki

  • Excellent troubleshooting section (to avoid bricking)


Install

Just got a brand New 3DSXL (N3DSXL), stuffed with firmware 9.9.0-26E.

Will now follow the A9LH guide from Plailect (https://github.com/Plailect/Guide/wiki ).

  • List of files used (and CRC):
Name sha256sum filename Source
Homebrew Starter Kit fea1bd4bc7d961b419dfd1819534586d749bff1f9e9cdc9675ae843fd28de2c4 starter.zip [6]
New 3DS 9.2.0 - EUR e7fbaf4ee01b81a3c2297028ef3fddc002f6933bfd20c2453bc6137bda89e5fd 9.2.0-20E(Full)_n3DS.zip [7]
New 3DS / Old 3DS or 2DS 2.1.0 - EUR 5736ec8d40303b549f11c06b3811817531e17646a91ee2bb0d94afff69cf3a4e 2.1.0E(Full).zip [8]
EmuNAND9 5cb845cc79199b4db2c169094be69fd2a7ea907fc79f67e322dd23895118b88f EmuNAND9-20160326-150056.zip [9]
PlaiSysUpdater 1c727727f11123a4bf7544c77ecb2bc109348c38ff18051fd0bb1e93905c7aa5 PlaiSysUpdater_v04.zip [10]
Slot0x05KeyY.bin 9824271422b06bf210969c3642537c8662225cfd6fae9b0a85a5ce21aab6c84d Slot0x05KeyY.bin [11]
slot0x11key96.bin 8bb9777686bdccff30e94dc65f2343f7412e3d6c1912e318da9f173596b9e898 slot0x11key96.bin [12]
slot0x25KeyX.bin 7e878dde92938e4c717dd53d1ea35a75633f5130d8cfd7c76c8f4a8fb87050cd slot0x25KeyX.bin [13]
TinyFormat 4affcec758bf48f135cd6a2f89d3bb54cd7a6ea6500e9882937fcb504bdae0da TinyFormat_v1.0.0.zip [14]
CakesFW (zip) d0d9215ba76b3258d78561851c4796b3ab9b5029a6e38a6e76d0dd1d2117ac79 Cakes_138.zip [15]
CakesFW - firmware.bin (N3DS) 2682cdda651d5822b05056a9dddaad19b4bac211376753b6d2e02e0b8cab6cf2 firmkey.bin [16]
CakesFW - firmkey.bin (N3DS) e0a58d52e45d5b530909ad1540c88754922856d93a9941d46efe6f46887ce74e firmware.bin [17]
Decrypt9WIP ca08c62aab848ac6669ae1b242fe59ec6311b0657c351c97cbf3394984f6164f Decrypt9WIP-20160309-160637.zip [18]
Decrypt9WIP (with April's fools joke) 1b0bb189745b74da60d6c74198f60e19758c5e1cd76ff6a6ecf71329a5f748aa Decrypt9WIP-20160401-012607.zip [19]
Decrypt9WIP 5327b591b5927b03c91a43e68a1697d736aa90b9cc44cef8abd0dd3e2582b481 Decrypt9WIP-20160401-201317.zip [20]
OTPHelper 80714b1294e05a547da5120747a27d500a5590eb61396c66a1226a933de35f6c OTPHelper-20160330-104342.zip [21]
FBI a8831d099b3803f5ea43d0f99da32ea7d7cc306d3fcdf4812b15b85f8071e80a FBI.zip [22]
Universal Inject Generator 11f9a74c9348cb8bd98408b5ae66fb0f55c5fbd11fbd07dbd55257af5dfbc48e Universal-Inject-Generator-master.zip [23]
data_input.zip ab8cf68a11a5a9bc83913b8365aaa4895f0089a9abb72323c39bf23f3e5ae45c data_input.zip [24]
payload_input.zip 99934daec4415123853415cbdac5cf5c11bc3cab448627d8221a7739e1c6ac6d payload_input.zip [25]
MiniPasta ed5e42a8d305753a3f4c08fa77668181a981fc4f56404747ffda7015da9b91c6 MiniPastaCFW_v1_GitHub.zip [26]
hblauncher_loader dc5482f5a21dd5ec9867e8f1b744739b9edb8f34254010f87e684093dac9c77e hblauncher_loader_v1.1.zip [27]
AuReiNand c98d97ad7cf562369a7485530ab5b8a084035013bb717bb4c94038acc3c4c505 AuReiNandv4.1.7z [28]
SafeA9LHInstaller 9221fa49ebb60fd173975b9a964a44c2179df601d380d57fa2d5ff6a33314d9a SafeA9LHInstallerv1.5.2.7z [29]
AuReiNAND NTR firmware.bin N3DS b4b01172a57312bbac97baacdaa178f2e5f015a3d17b7ec3eadc5aa25845afa1 Firmware_NTR_n3DS.zip [30]
Uncart for arm9loaderhax 6627ecf28c5b1073039a4c28112b7d0d62070b266acb684e80f7b2558b769459 Uncart.zip [31]
From https://gist.github.com/d3m3vilurr/c826737bdf6f7fcf5ea2#file-slot0x18keyx-bin
76c76b655db85219c5d35d517ffaf7a43ebad66e31fbdd5743925937a893ccfc  slot0x18KeyX.bin
9a201e7c3737f3722e5b578d11837f197ca65bf52625b2690693e4165352c6bb  slot0x1BKeyX.bin
7e878dde92938e4c717dd53d1ea35a75633f5130d8cfd7c76c8f4a8fb87050cd  slot0x25KeyX.bin

e8bcc1cbb0ebe0f83ef0a3b7401d15db8d8b8c7c4808ff8e9e34f7a95dc4e2a2  asr.dat
ffb040b039532ba7ffef7d5f308c73283beb9741717966d7f95b8fbed0f5b8c1  svdt.3dsx
4caa07f15297c37edd04e78601c240a5ced8d8852f1c49a44ac870715ccd91fb  svdt.smdh
eda68cea4fd212d6894597de60e806432b794c628e708b4a92d7303cfe94f74d  svdt.xml

https://github.com/mid-kid/CakesForeveryWan/releases

  • First restore the SysNAND using GW Menu. Scary... but at least I'm sure I start from a fresh state.
I checked that my backup was correctly copied to 3DS uSD (using sha1sum) and that it has the correct size:
+ Toshiba NAND:
1.979.711.488 bytes = 1.84GB
Reboot. We are in 9.2.0-21E. The DS profile exploit is gone.
  • Clean the 3DS uSD: remove /updates, Launcher.dat, and /3ds/GW folder.
  • Part 1 - Homebrew:
  • Install starter.zip on 3DS uSD.
  • Boot into HBL. COnfigure menuhax to Type 1, D-PAD Down.
  • Part 2 - Downgrading:
  • Install PlaiSysUpdater + EmuNAND9 on 3DS uSD.
  • Make a SysNAND backup using EmuNAND9.
Launch EmuNAND9 from HBL (can take several tries).
Go to 'EmuNAND Manager Options', select 'Backup SysNAND to file', filename 'sysNAND.bin'
  • Move the backup to PC.
In EmuNAND9, press SELECT to eject the 3DS uSD, then on PC, copy 'sysNAND.bin' on a safe location, and delete it from the uSD.
Insert back the uSD in the 3DS and reboot.
  • Part 3 (EmuNAND):
  • Setup EmuNAND.
Boot 'Complete EmuNAND Setup'.
  • Copy back files to 3DS uSD
  • Open Cakes from within HBM
  • Part 4 (Getting the OTP):
  • Injecting
  • Injecting FBI into hs.app (Linux fails, but do 'wine cmd.exe', then run go.bat works (ignore errors). Same results as on win7), it gives
c947512f37d6e9a2faeec54e5c03a721d3f6291e93c079a3881ea9ea4cc7035f  FBI_inject_no_banner.app
86afaf58943ac4fa6b4795e9b0e9a48018381ac02b0f0b366dbdd9d90c40b2e3  FBI_inject_with_banner.app
$ sha256sum otp.bin
792fe44b0b861df75d47edb935370a2ec2019299591ce4ed25f24e6dbabaa2cf  otp.bin

$ sha256sum *
3049df18550020a5942dda0a1e98fab94c69a49adaa9e314c3624b64700be129  emuNAND_formatted.bin
c86b2281e477b03dbce7b3a01dcbf3feca511294c9809d0994dcd69903602bb3  emuNAND_original.bin
792fe44b0b861df75d47edb935370a2ec2019299591ce4ed25f24e6dbabaa2cf  otp.bin
4034527b90cf6b318b4d851a1e0329cdcd09c9b9745ef90a0f3904e362e6bace  sysNAND_original.bin

Firmware downgrade

  • Using 9.2.0-20E(Full)_n3DS.zip downloaded from here (google query [MEGA] [CIA/BIN] MSET 4.X & 6.X backups, Browser backups, Update packs (All Regions))
 (md5sum)     aaa5960a3061da1f08d944d8e7017bd6  9.2.0-20E(Full)_n3DS.zip
 (sha1sum)    306d0aa8cd195f9ee4388a9686db5658a330b59b  9.2.0-20E(Full)_n3DS.zip
 (sha256sum)  e7fbaf4ee01b81a3c2297028ef3fddc002f6933bfd20c2453bc6137bda89e5fd  9.2.0-20E(Full)_n3DS.zip
 (not the same as the one reported on gbatemp forum thread, but as reported by some commenters, these work as well)
  • Before update:
  • Reset DNS settings to 'Auto-obtain'
     Just in case the downgrade process fails and we want to resort to recovery mode.
  • Used SafeSysUpdater
  • Had to retry 3 times (updater froze at #7 Clean memory...)
  • After update, got the system error message from nintendo, so power down the system.
  • Black screen after reboot. To fix that, remove the microSD card.
  • Back up the microSD card on PC, and delete all content.
  • UPDATE Actually the nintendo error message indicated the downgrade was wrong (even though the 3DS menu showed v9.2).
  • Solution repeat the process again until it says 'success'!
List of firmwares
sha256sum Name Verified
dffd2d602ccfd187d07c756de18856453fde3bb0c3d1393facda865428428062 10.3.0-28E(Full)_n3DS.zip Same md5sum as reported on [MEGA] [CIA/BIN]
62153c81205b507c589a881cd7592b6402be97ab296e591287905b31a6f6c628 10.7.0-32E(Full)_n3DS.tgz Maybe downloaded via 3DNUS
  • Reference:

Luma3DS

Upgrade to Luma3DS 8.0 - A9LH to B9S

Luma3DS 8.0 requires boot9strap [32]. We follow this guide to install boot9strap starting from A9LH.

Protects against Nintenda ban wave
  • Disable Sending of System Information
  • Disable Show friends what you’re playing

Gateway

The Gateway flashcart.

Status
My feature requests

Info

  • microSD card
The 3DS comes with a pre-bundled microSD card that is used to store user custom data like themes, but also pictures. We refer to it as the 3DS microSD card.
In a system with a flashcart, there is actually a second microSD card, in the flashcart itself. This is flashcart microSD card, or for gateway users, the gateway microSD card.
  • Sysnand vs emunand
Sysnand is the real nand memory on the 3DS itself, containing the original 3ds fw. Emunand is the one emulated on the 3DS microSD card.
  • Homebrew vs Gateway (flashcart) exploits
Howebrew only requires a userland exploit to launch. Gateway requires a kernel level exploit. So homebrew can run on more recent sysnand version than gateway does.
See this comment for a detailed answer.
Gateway's firmware is updated instead to run its exploit on specific sysnand versions.
...
And Gateway won't support 10.5 in the near future, as homebrew and Gateway (or other CFWs) are completely different things. Homebrew can be run with a userland exploit (some rights on the system, but nothing severe), while Gateway, rxTools, etc. need a kernel exploit (execution and manipulation rights for many parts of the console's memory, only achievable through exploits that can be run in userland mode).
  • Sysnand >9.2 support by gateway
Pending. See this comment and follow-up answers.

Tips

  • Distinguish EmuNAND and SysNAND
  • (source Gateway manual) To easily differentiate between booting from SysNAND or EmuNAND, just setup folders with initials "S Y S" for SysNAND, and "E M U" for EmuNAND.
Not that setting a theme color does not work since themes are shared by both NAND.
  • Boot back directly in SysNAND*
  • Simply go to the System Settings, and leave. LEAVING SYSTEM SETTINGS !ALWAYS! RESUME INTO SYSNAND, SO BE CAREFUL NOT TO DO ANY UPDATE THERE!

Shortcuts

  • hold 'L' when booting Gateway menu --> Go into Gateway menu.
  • In gateway menu, hold down + B to power off.
  • In GW Menu, HBL Menu: 'B' is often used to exit.
  • Hold D-PAD Down button while booting to boot into HBL (MenuHax shortcut, configured as Type1).

Reference manual

Reference software

Including the Menuhax manager

Entering the gateway menu. We follow the Gateway manual:

  • We must create a new WiFi profile, but also prevent firmware update. For this, we use custom DNS settings.
So create a new WiFi profile on the 3DS manually, with
  • SSID / Security: enter your WiFi settings
  • IP Address: Auto-obtain
  • DNS: DO NOT auto-obtain. Set primary DNS to 107.211.140.165, and secondary DNS to 107.211.140.065.
(The gateway manual refers only to 107.211.140.065. Got both addresses from here.)
Run a Connection Test to make sure the WiFi settings are correct.
  • Go to Home Menu Settings, and select Change Theme. Select a random theme (like red), and back to Default.
This is to make sure the required files are created for the MenuHax to work.
  • Power off the 3DS, and move the 3DS internal microSD to the PC, then:
  • HBL Starter Pack -- Extract starter.zip to microSD root folder
  • GW Firmware -- Copy latest Launcher.dat to microSD root folder
  • GW Firmware -- Extract GW_3DSX.zip to microSD root folder (will create a /3ds/GW folder).
The microSD root folder should look as follows:
3ds/
    CHMM2/
    ctr-httpwn/
    ftbrony/
    GW/                                <---
        GW.3dsx
        GW.smdh
    hans/
    install/
    menuhax_manager/
    mgba/
    prboom/
    qtm/
    scrtool/
    eshop.smdh
    eshop.xml
    ironhax.smdh
    ironhax.xml
    sploit_installer_oot3dhax.smdh
    sploit_installer_oot3dhax.xml
Nintendo 3DS/
boot.3dsx
Launcher.dat                           <---
webkithax_tmp.bin
  • !!! ISSUE ON 9.9.0-26E !!!
We get the following message:
The Internet Browser cannot be used at this time. Please try again later or in a different network environment.
Solution from https://yls8.mtheall.com/3dsbrowserhax.php:
  • Go to browser, and close all opened pages. The browser should display the empty URL bar (with text Enter a URL or search item).
  • Back to HOME menu, set date/time to 2000/01/01 00:00 (that exact day and year, i.e. year two thousand)
  • Go to browser, and quickly click the setting button (bottom left) and select Settings. Then click Clear All Save Data.
  • Then either scan the QR code using the camera or open the browser, and enter the auto browserhax URL.
  • On launch, the browser will welcome you again. Select your favorite search engine, and then browserhax should start normally.
Don't move back to HOME menu after going to the browser. Also, steps above must be repeated when date reaches January 2. So better install a more permanent hax.
  • In HBL menu, select and start menuhax_manager v2.2. In order:
  • Select Configure/check haxx trigger button. I choose Type 1 with 'L' key.
  • Select Install.
  • Select Configure menuhax main-screen image.
  • Reboot, and press 'L' to go into HBL menu using the menuhax trigger.
  • CANNOT go into Gateway menu
  • Downgrade to 9.2 (see above)
  • Still CANNOT go into Gateway menu
  • --> From the forum, I have to redo the firmware downgrade again. So tried again (had to try 4x). Indeed one file was updated.
  • Now, finally, CAN start the Gateway menu from HBL!

Updating the RED Card

  • Start HBL, and start the Gateway menu
  • Select 'BOOT GATEWAY MODE', press A. Press A again to proceed to update, and press START to confirm. Wait a minute for update to complete.

Backing up the SysNAND

  • In the Gateway menu, select "BACKUP SYSTEM NAND", press A then START to start.
  • When done, move the internal microsd to PC, and move the file NAND.BIN to a safe location (for later restore if needed).

EmuNAND Setup

  • !!! THIS WILL DELETE EVERYTHING ON INTERNAL MICROSD !!! So backup all data first.
  • In the Gateway menu (Don't forget to press L when booting from HBL because RED card is now setup), select "FORMAT EMUNAND".
  • Setup again HBL and MenuHax as usual (since the microSD has been formatted).

Install ROM on the Gateway microSD

  • Format the gateway microSD card in ExFat format (done in Windows 7)
  • Copy the *.3ds file in the microSD root folder.
  • Rename the *.3dz file to enable online play (only if game backup was done from the same 3DS console).

Update to latest System Menu in EmuNAND

  • Done it via the System Settings menu (NOT via eShop, since gbatemp FAQ reports that doing so would actually update the SysNAND).

Restore the extdata backup:

  • See https://3dbrew.org/wiki/Extdata for reference info (extdata identifier)
  • Copied back 00000227 (Mii Maker)
  • copied back 00000228 (Streetpass Mii Plaza)
  • Copied back 0000022d (Face Raiders)
  • Note: had to boot browserHax 3x before could get successfully into EmuNAND.

Install bluecardfix.cia (or similar):

  • Boot into GW Menu using BrowserHax -> HBL -> hold 'L' key and select GW Menu.
  • Follow the GW Manual, but after importing mset_eur.cia, also import bluecardfix.cia (to enable back the Blue GW card).
  • IT WORKS! Don't forget to:
   * Remove DevMenu.3ds for the Red GW (or rename it). To avoid innocent hands to mess with it.

Install OoTHax on Zelda OoT Game

  • Copied the file AQEP.sav (for EUR) to 3DS uSD.
  • Boot into GW menu, insert Zelda OoT cartridge, and select Restore Game Save.
  • Check that hax works: boot Zelda OoT, select 1st save (it's normal it save title exceeds the box), and then press 'A' (Check/Voir) to go to GW Menu.

DS / DSi game support

DS / DSi game support
  • Can boot in EmuNAND (default) or SysNAND (with nag screen, NOT RECOMMENDED because firmware update can brick your device)
  • on EmuNAND, either in GATEWAY mode or CLASSIC mode.
  • DSi ware, DS card, acekard2i DOES NOT work in gateway mode.
  • With A9HL, Classic mode is obsolete since it is better to boot in SysNAND directly and boot acekard2i from there.


Install GW on Luma 3DS

See https://gbatemp.net/threads/tutorial-using-luma3ds-with-gateway-on-v2-a9lh.431691/

First attempt (on Sys 11.0.0_33E)
  • Without emunand. GW not booting after dragon logo. According to post above, this would be because the old EMUNand was not completely deleted.
Second attempt (on Sys 11.0.0_33E)
  • Using GW w/o EMUNand is dangerous because there is no FIRM0/FIRM1 protection. So a FW update can brick the console and/or remove A9LH, locking us to the newest firmware. So we'll create again a new EMUNand.
  • Use recent EMUNand9 to create a new EMUNand.
  • At boot, press Down to trigger GW, then R to trigger GW Red Card Update.
  • Wait for the Red Card Update to complete
  • Reboot... press Down, and Voila! we are in GW mode!

Update History

  • 2016/05/11 -- Update SysNAND to 11.0-33E, pushed by Nintendo.
  • This breaks HBL Loader CIA. Possible Fix: rename the otherapp payload. See [33][34].
  • This breaks OOTHax in general. But OOTHax works on CFW.
  • List of patched exploits: https://3dbrew.org/wiki/Homebrew_Exploits (see also this thread).
  • Update AuReiNand to new version (aka Luma3DS), with in-place firmware patching
  • Update to latest Plailect guide (namelly using Firmware 10.2)

Games

  • Look on 3dsdb.com for the releasename of a given game (for instance New.Super.Mario.Bros.2.EUR.3DS-CONTRAST for _New Super Mario Bros 2_).
  • Search the releasename on Google.
  • Download.

History - games:

History - website:

  • http://www.nds-passion.xyz -- Requires subscription, but quality links and little nags (many different possibilities for download).

Homebrew

Install

On A9LH system:

  • Use CFW like Luma 3DS.
  • Install HW starter kit on 3DS uSD
  • Install HB Launcher as CIA (use FBI to install).
  • Start the HB Launcher to go to HB menu (first launch requires internet access to dowload the hax payload).

List of Hax

  • A9LH
  • BrowserHax
  • TubeHax
  • MenuHax

A9HL

A9HL, aka. arm9loaderhax (complete guide) is the best way to root the device. Gives full device access only a few millisecond after boot.

Browser hax

https://github.com/yellows8/ctr-httpwn
http://go.gateway-3ds.com/
  • is also browser exploit, like BrowserHax. But it is only for Spider, the browser on O3DS.

MenuHax

Note that changing the menu theme removes the menuhax.

MSET / Menu settings

  • From here: After boot strapping the process, install bluecardfix.cia to allow booting the Blue GW Card. On that card, one can start the Gateway menu, which in turn can install the MSET exploit that allows to restore the DS Profile exploit. MSET.CIA install an old version of System Settings with a hole. This hole is exploited by the NVRAM profile to reboot into GW menu. Running DS Mode game sometimes remove that exploit and must be restored. GW Menu only install the NVRAM profile. So MSET.CIA installs the exploits. The exploits payload is the NVRAM profile, which sometimes is removed when running DS games. It can be restored by booting into GW menu. An easy way to do this is to use the blue cartridge (or BrowserHax, or ...).
So
  • MSET opens the door. Must be installed only once.
  • NVRAM profile is the instructions to run Launcher.dat.
  • To uninstall MSET, simply install the original upgraded version, or restore the untouched backup. Use 3DNUS or 3DNUS mod, and get the titleid
USA = 0004001000021000 9.0-9.5 = v8203 MD5: 5077D839633EC80E7A9D3CA98B794D4B
EUR = 0004001000022000 9.0-9.5 = v8202 MD5: 7D9E073A6349DDEF77E67B2102B4EEA5
JPN = 0004001000020000 8.1-9.5 = v9224 MD5: 375EDB36DA62AE44D4D8C91DAB854573
Note: these are simply files coming from the official firmware updates (9.2.0-20E(Full)_n3DS.zip)

Applications

ARM9 homebrew
Applications (aka. ARM9 payloads) that run on the ARM9 processor on the 3DS. Note that applications running on the ARM9 have the most privileges (see ARM9 section).

DECRYPT9

Best to use the WIP version on GitHub.

EMUNAND9

Best tool to format and adminstrate EmuNAND. Better than using Gateway's tool.

Dev apps

a8b9a63eea50cd58fa71ede5942dd78effd4122c4c9e74e5dbf41fb74cfbb02b  DevMegaPack.rar
[35]
45934b134e9ed7a1b3f78054c1c1b1342c513a63a3b097cc1dea8d5935723e19  DevMenuPack_SDK11_4.rar
[36]
f541b9f666751edb45ea2cec351e22e4313c29327b672ac47f140444eacf6ca6  RepackedDevPack.rar
[37]
  • Latest version of dev app (2016/01/18) from Apache Thunder
  • RepackedDevPack.rar -- Latest version of PlayCoinSetter (install in SD only)
  • DevMenuPack_SDK11_4.rar -- 3D Banner version will install to NAND. Other version will install to SD
  • Version 11.4 does not launch on firmware 9.2
  • Use FBI to install in NAND
  • Uninstall SD version before installing NAND version
  • DevMegaPack.rar -- NAND application
  • DevMenu in this pack is 6.2
  • All these apps show up in DevMenu (because the content ID is not set to SystemApplication)
  • 2 versions of SaveDataFiler / DevMenu, one with standard banner, one with 3D banner

CIA

  • CIA is the format used to install software (games, tools) on the 3DS device uSD card.
  • Legit CIA software are usually installed via eShop.
  • Alternatively they can be installed using a CIA installer and a .cia file.

List of CIA installer:

  • DevMenu
From Nintendo dev kit. Install it using FBI injected in H&S app.
  • FBI
Open-source. Can be safely injected in Nintendo's Health&Safety app on system menu, even on unpatched (non-rooted) device.
  • BigBlueMenu
Another CIA installer.
FBI - network transfer
  • Use falconpunch:
python FalconPunch.py hblauncher_loader.cia
  • There is also a GUI alternatives: SocketPunch_0.3.4.zip

CFW

CFW, or Custom Firmware are modified Firmware for the 3DS that uses the Official firmware as a base. It allows to use applications that aren’t allowed by Nintendo, and among other play game backups.

Recent:

Luma 3DS
  • Was called AuReiNand before, a fork of ReiNand from AuroraWright.
  • List of features:
  • Disable firmware checks (allows to use patched firmware like TWL_FIRM patch to use acekard2i).
  • Remove some nintendo restrictions (like region lock)
  • Start (ie. chainload) ARM9 homebrew applications (like DECRYPT9, EMUNAND9...)

Old:

Reinand
  • A old CFW by Reisyukaku.

Security flaws

Enable DS/DSi linkers (incl Acekard 2i)

On the original O3DS, lot of DS/DSi linkers where still working (albeit some required to be updated). But since firmware 4.5.0, Nintendo started to blacklist many DS/DSi linkers, including the Acekard2i.

Final solution for Acekard2i:

  • Install bluecardfix.cia (this remove all black list from nintendo).
  • Install patched TWL_FIRM on n3DS (necessary for Acekard2i because it was already blacklisted in FW 4.X, i.e. before the first N3DS firmware).
  • Update Acekard2i firmware to ak2ifw_update_dsi-v1.42_3ds-v2.0.7z
  • Installed latest AKAIO, v1.9.0 (optional)

Note that we do not need the TWL Slot 1 Launcher, which is obsolete now.

UPDATE — See also Troubleshooting page in Plailect's guide (section DSi / DS functionality is broken after completing the guide).

Install bluecardfix.cia

bluecardfix.cia is v0 of the DS whitelist (a firmware TITLEID). [38] More info in this thread.

  • Only needed for system menu > 4.5.
  • Some users report problem installing with DevMenu / FBI (Invalid CIA). They suggest to use patched TWL_FIRM, install to NAND.
  • Should be enough to enable booting Blue gateway card (note that Blue GW card is DS cartridge, so does not need patched TWL_FIRM, which is for DSi mode).

flashcardtimewarp.cia is the same as bluecardfix.cia, but with TitleID version maxed out so that it is not replaced during fw update. [39] Build your own (guide), or see checksum below:

CRC-32: 16cd0729
MD4: c638525f886a9f56fdb340cd0957fa1e
MD5: c35645251e1332c3b5d7d2d724e39e27
SHA-1: fb7f845d9293212c548403c5c7e55db5550abdcc

Install patched TWL_FIRM

TWL_FIRM is a firmware TitleID that deals with DSi Mode (although I read somewhere it is for anything DS related, DSiWare or carts). On the forums there are however some contradictory information about whether this patch is necessary to run the Gateway Blue Card. [40], [41], [42], [43]

To boot the Acekard2i, we must use a patched TWL_FIRM that bypasses the blacklist check. Because of the patch, the firmware will fail firmware signature check, and hence this works only when running a CFW (like Luma 3DS) that disables firmware signature check at boot.

Install
  • Make sure you run a CFW that disables firmware signature verification (like Luma 3DS).
  • Download from http://www.3dsiso.com (from AuroraWright):
sha256sum Name TItle ID Unique ID Product code Category Version Install to

50f9180696e96fce36b0e4b6be8deae5700be682bfae96495b9674b54d854101
f8a9a00265c444ccfdf1c32dc3901510d012e4b7daf8999de85fd864462bdf29
274405f3a5d3cde1e177e40ebfe67b0026e38c6b86b846660b4d8f6d70b888ea

TWL_FIRM.zip
v1/twlfirm_n3ds.cia
v1/twlfirm_o3ds.cia

0x0004013820000102 0x20000102 System 0xffff NAND

4edb7ef691bf411a729d4c50fbb637f1925d24d6d6b69d0c3466f019a5d2f003
6d0d65abd5892ff9c23dd8ee94da5e3f7830cab1b4f96918dadda41571a26612
38787f0175ffaa13e6c460bbeacb73b12c0c55871656e3fea9ed4395ed52b563

twlfirm_v2.zip
v2/twlfirm_n3ds.cia
v2/twlfirm_o3ds.cia

0x0004013820000102 0x20000102 System 0x26d0 NAND
  • Install with FBI, choose NAND as destination.
Uninstall
  • Uninstall is risky. It requires FBI and DevMenu. Make sure you have both available in system menu and the file below before starting.
  • Extract file 0004013820000102.cia from a recent firmware (9.2.0-20E(Full)_n3DS.zip or 10.3.0-28E(Full)_n3DS.zip) — Make sure to take the N3DS version!
89d884a01ed8593c58d3f23d777e772d87cc9f57b432cf899309cd96e8911838  0004013820000102.cia
  • We can't install with FBI because it complains about bad signature stuff, and DevMenu will complain title already exists.
  • Instead, in FBI, delete the TitleID 0x0004013820000102 (make sure you pick the correct Title ID).
  • WITHOUT REBOOTING, press Home button to go back to system menu, start DevMenu, and import the original TWL_FIRM CIA file.
Problem is we can't install it with FBI, which complains about bad signature stuff. But DevMenu will complain that title already exists, so won't do the import.

Update Acekard2i firmware

Update Acekard2i to have it work on 3DS and use an ID that is not blacklisted in N3DS. [44]

Links
Install
  • Download the udpate:
fdf49f11bdeb42e9fd9355ef42317f8a6436a8735b2f5cd40007b1e0ff00de37  18392-AceKard_2_v4.23_menu.zip
d3f2c724d656e2584f3e15a0ae27348a9842a6bf17ad1706629d93445696cc0d  ak2ifw_update_dsi-v1.41.7z
b5b0fccf2536bf46915817b381ddaae4fdf705ed8deb7ecbd1d9611feb6312d8  ak2ifw_update_dsi-v1.42_3ds-v2.0.7z    (fast start as usual)
9c80186547e6cd8d1ccb0aa4cfdafe9b6186e832e83f302e50f067622c895645  ak2ifw_update_dsi-v1.43_3ds-v3.0.7z    (not tested. Possibly slower start)
891f3d59781bf530ae33fb506abc0bbacd4915218d1422c42c7f4e96d0bddd78  ak2ifw_update_dsi-v1.44_3ds-v4.3.7z    (but very slow start)
  • Use the official Acekard menu v4.23 to update (remove everything else on the card).
  • On N3DS, to get the best boot performance, it is recommended to use update dsi v1.42, and use the patched TWL_FIRM to bypass black list check.
Perso, I did first upgrade with v1.41 (with Alex Rider icon), then the latest (with horse icon).
More troubleshooting

Obsolete: TWL Slot 1 Launcher

The TWL Slot 1 Launcher used to be necessary to start black-listed DSi linkers (like the acekard2i). Not necessary anymore, and actually buggy now.

Install
sha256sum Name TItle ID Unique ID Product code Category Version Install to

513419f6dea6b3c001baa1b09eef162f1dadc600fe5d48cdcb103823dafb7e0d
c3a03b2500db8cc199437515685d0f5d5d000f0887ba3b0f581d7fe2678ddf98
ce75502bb51f74e53a8ce7f4d720a6e369d63a7fb98bb434fa3da6d6fdf1c075

TWLSlot1Launcher_v3.rar
TWLSlot1Launcher.cia
TWLSlot1Launcher.nds

0x00048000544f4f42 0x544f4f42 TWL 0x800 NAND
  • Use FBI. Install to NAND.
Troubleshoot
  • Getting error
summary: summary_invalid argument (ox7)
description: description_invalid_combination (0x3ee)
TWL Slot1 Launcher must be installed to NAND using FBI.
Uninstall
  • In FBI, select destination NAND, select 'delete Title', then select line SLOT1BOOTER (check that title ID matches data above).

Troubleshoot

Fragmentation error

  • Fragmentation error: If a fragmentation error is shown, you need to fix it on your PC with -
GW3DS.EXE FIX DRIVELETTER:

3DS freezes at boot / sleep wake-up w/ Acekard 2i inserted

When inserting Acekard 2i into 3DS, the HOME menu freezes. But still, we get black screen freeze at wake-up from sleep mode. Even though the suspended game is a 3DS (CIA) games. Only solution in that case is to remove the cartridge and hard reset by pressing power button. →See Enable Acekard 2i / GW Blue card.

3D not working on system menu (GW EmuNAND)

Solution: Close the lid and open it back.

Can't open FAT32 partition

Can't open FAT32 partition on 3DS uSD with EmuNAND

On Linux, use instead an SD adapter to read the uSD card.

Can't open exfat partition

On Linux, install the exfat FUSE package (! unstable it seems).