Hacks Guide Wiki - User contributions [en]

User:Kuhprii/History on the DS hacking scene

2026-05-15T22:24:29Z

Kuhprii: header fix, added info about ppflash and nopass. i think dates are still wrong

Sources:

*https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

*https://darkfader.blogspot.com/2005/

*https://pineight.com/ds/pass/#passme

*https://www.gameboy-advance.net/nintendo_ds/passme.htm

==The Release of the Nintendo DS==
The Nintendo DS released November 21st, of 2004.

==2005==

===The first pass-through (January)===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

===The first PassMe device (February)===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

===WiFiMe (April)===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. This method required a specific wireless network card (Ralink RT2560). You also would need a program called WMB (Wireless Multiboot), that program uploads the homebrew to the console using DS Download Play. All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.<blockquote>Note: Needs to be rewritten?</blockquote>

===FlashMe (Spring, Unknown Month)===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

===Nintendo's fixes===
Nintendo fixes the vulnerabilities present in firmware version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution to the GBA SRAM space. It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles.

===PPFlash (Add later, Unknown month and season)===
DarkFader had made a program that erased DS firmware (the first virus?). DarkFader then apologized and made a fix, being PPFlash. It involved soldering a cable from a computer's parallel port to the DS's firmware chip, then a program would install PPFlash so you could recover and then go on to install the rest.

===PassMe2 (October)===
PassMe2 is on the same hardware as the original, but there is a new program on the CPLD. What this program does is changes the header's run address to a BIOS call that goes to shellcode in the GBA SRAM. (Maybe add more)

===NoPass===
Martin Korth (author of no$gba) had cracked the encryption on DS cartridges. This allowed SLOT-1 devices to run without an official game being used with it. This technology (NoPass) was implemented into devices such as the Max Media Launcher.

User:Kuhprii

2025-12-31T18:42:58Z

Kuhprii: Q

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

hi, I make history pages. if you have any questions for me, or about my work, feel free to ask me via nh.

==== My pages: ====

* [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091)
* [[User:Kuhprii/History on the DS hacking scene]] (WIP)

User:Kuhprii

2025-10-08T21:24:35Z

Kuhprii: 😾

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

hi, I make history pages. if you have any questions for me, or about my work, feel free to ask me on discord via nh.

==== My pages: ====

* [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091)
* [[User:Kuhprii/History on the DS hacking scene]] (WIP)

User:Kuhprii

2025-09-23T21:05:04Z

Kuhprii: hiatus

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

hiatus
hi, I make history pages. if you have any questions for me, or about my work, feel free to ask me on discord via nh.

==== My pages: ====

* [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091)
* [[User:Kuhprii/History on the DS hacking scene]] (WIP)

User:Kuhprii/Ooer

2025-09-20T23:42:49Z

Kuhprii: css

'''''Bold text'''''css cluster
''''''

User:Kuhprii/History on the DS hacking scene

2025-08-04T15:48:37Z

Kuhprii: note

Sources:

*https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

*https://darkfader.blogspot.com/2005/

*https://pineight.com/ds/pass/#passme

*https://www.gameboy-advance.net/nintendo_ds/passme.htm

discontinued as of now, dont know if i will work on it for a bit, anyone feel free to

==The Release of the Nintendo DS==
The Nintendo DS released November 21st, of 2004.

==2005 ==

===The first pass-through (January)===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

===The first PassMe device (February)===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

===WiFiMe (April)===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. This method required a specific wireless network card (Ralink RT2560). You also would need a program called WMB (Wireless Multiboot), that program uploads the homebrew to the console using DS Download Play. All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.<blockquote>Note: Needs to be rewritten?</blockquote>

===FlashMe (Spring, Unknown Month)===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

===Nintendo's fixes===

== Nintendo fixes the vulnerabilities present in firmware version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution to the GBA SRAM space. It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles. ==

===PPFlash (Add later, Unknown month and season)===
filler

===PassMe2 (October)===
PassMe2 is on the same hardware as the original, but there is a new program on the CPLD. What this program does is changes the header's run address to a BIOS call that goes to shellcode in the GBA SRAM. (Maybe add more)

===NoPass===

3DS:Wireless streaming/HzMod

2025-07-26T18:29:17Z

Kuhprii: punctuation

{{warning|text=This is not the preferred streaming method on a New 3DS, as [[3DS:STREAM|ntr-hr]] has notably higher performance. If you have a New 3DS, you will likely want to follow the base page instead.}}

== Installing HzMod ==

=== What You Need ===
* Your console's IP from the first section
* The latest release of {{GitHub|RattletraPM/Snickerstream/releases/latest|Snickerstream}}
* [https://puu.sh/zgjTU/3acfc28fa5.zip HzMod]
* {{GitHub|lifehackerhansol/FBI/releases/latest|FBI}} installed on your console

=== Section I: Prep Work ===
# Ensure that your console and your computer are on the same network
# Download and extract the latest Snickerstream <code>.zip</code> file
# Download and extract the HzMod <code>.zip</code> file
# Take the SD card out of your console and put it into your computer
# Copy the <code>HorizonM.cia</code> and <code>HzLoad.cia</code> files from where you extracted the HzMod <code>.zip</code> file to your SD card
#* You may put these files anywhere where you can easily access them
#* If you plan on streaming extended memory games, copy the <code>HzLoad_HIMEM.cia</code> file to your SD card as well
# Put your SD card back into your console

=== Section II: Installing CIAs ===
# Power on your console if it is not already on
# Open FBI
# Press {{B|A}} on <code>SD</code> at the top of your bottom screen
#Find the <code>.cia</code> files that you copied, press {{B|A}} on each one and select <code>Install and delete CIA</code>
#*Once you are done, press {{B|START}} to exit FBI

=== Section III: Streaming ===
# Open the Snickerstream <code>.exe</code> file from where you extracted it
# Change the Streaming app on the right side of the Snickerstream window to <code>HzMod</code> in the dropdown
# On your console, open all the gifts that appeared on your HOME menu and open HorizonM Loader
#* If you plan on streaming extended memory games, open HorizonM HIMEM Loader instead
#* Your notification LED should now turn cyan, meaning it's ready for streaming
# Input your console's IP from the first section into the IP box in the Snickerstream window
#* You may also {{GitHub|RattletraPM/Snickerstream/wiki/Settings-101|adjust your settings}} to your liking if you wish
# Click <code>Connect!</code> in the Snickerstream window
#* Your console's notification LED should turn green, and it's top screen should now be streamed to your computer
#* You will likely experience an average of 3 FPS with this method if you have an Old 3DS. This low framerate is normal and cannot be improved, as Old 3DS models have weak hardware
# To open a game correctly, '''do not immediately close HorizonM Loader''' - instead, press the HOME button, select a game to open, and only then press {{B|A}} when asked to close the loader
{{success|HzMod has now been installed and activated.}}

[[Category:Nintendo 3DS guides]]

3DS:Flashcarts

2025-07-26T18:27:09Z

Kuhprii: punctuation

{{Page WIP}}
There are two kinds of flashcarts that the 3DS can use: DS-mode (such as the R4 family) and 3DS-mode (such as Gateway-3DS). DS flashcarts are still sometimes used in custom firmware setups (though [[3DS:nds-bootstrap|nds-bootstrap]] is usually a better option, [[3DS:ntrboot|ntrboot]] is a more practical use of the cart in those cases), while 3DS flashcarts have fallen out of favor due to CFW entirely replacing their functionality.

==DS flashcarts==
DS flashcarts refer to any flashcart that runs in DS mode. While such flashcarts may have 3DS in the name (e.g. "R4i SDHC 3DS RTS"), they do not support 3DS games. You can verify this by seeing if the cartridge supports the DS family of consoles (DS / DS lite / DSi). If it does, then it is a DS-mode flashcart. 
Most modern DS flashcarts work on the 3DS just as they did on the DS and DSi. [[3DS:Luma3DS|Luma3DS]] re-enables flashcarts that were blocked through 3DS updates, such as the Acekard 2i. The flashcart blacklist has not been updated since system version 7.x (released in 2013), so any flashcart made after that year should work on unmodified consoles, even on the latest firmware. 
Old flashcarts that never worked on 3DS or DSi firmware (such as the original R4) can still be used on the 3DS with some workarounds.
{{ambox|text=TODO: List the workarounds.}}

==3DS flashcarts==
{{critical|text=3DS flashcarts have been entirely superseded by [[3dsguide:index|custom firmware]] setups. Even if you have an old 3DS-mode flashcart lying around, you should not use it; they are at best cumbersome and at worst a potential brick risk if you're not very careful. '''No support on flashcart-based setups will be provided on this wiki or by affiliated support channels except for the purposes of migrating people ''off'' of flashcart-based setups.'''}}
There were three major 3DS-mode flashcarts released over the lifespan of the 3DS: Gateway-3DS, Sky3DS, and Stargate. Any other flashcarts are clones of one of these cartridges (most likely Gateway-3DS).

===Gateway-3DS===
'''Gateway-3DS''' was the first flashcart for the 3DS, and one of the earliest ways to run 3DS games from a flashcart. It required it's own custom firmware to function, generally relying on an out-of-date SysNAND (often on 4.x or 9.x) and an up-to-date EmuNAND. Most 3DS flashcart clones are based on this cartridge. 
Gateway-3DS came with two flashcarts, one blue and one red. The blue one was just a traditional DS flashcart that was occasionally required to install an exploit to run custom firmware, while the red one was the 3DS-mode flashcart. 
The cartridge/custom firmware is notorious for it's implementation of a clone flashcart detector which could trigger at random for genuine flashcarts, and when triggered, would cause a software brick in the 3DS. This ''was'' notable for being the only software brick that requires a hardmod to fix, but '''recent developments have created a way to fix gateway bricks via ntrboot.''' For assistance with this fix, [https://discord.gg/C29hYvh join the Nintendo Homebrew Discord] and ask, in English, for help. 
Gateway's custom firmware no longer works properly on the latest firmware and is generally not compatible with boot9strap-based setups. If you have such a setup, you should [[3DS:Migrate from Gateway|migrate away from it]].

===Sky3DS===
'''Sky3DS''' is the other most common 3DS flashcart. Unlike Gateway, it doesn't require modifications to the console to use. Sky3DS cartridges work by pretending to be a retail cartridge and cycling through games through a physical button on the cartridge, so they cannot be used to directly run homebrew applications (they can, however, be used to run *hax through cartridge-based exploits). 
Because Sky3DS is not a legitimate cartridge, it does not have the private headers that are available on a genuine cartridge. Users of Sky3DS cartridges may therefore get banned from online play unless they get a donor header from a genuine cartridge, but due to the nature of private headers the same header can be used for all games ran through this method. 
Sky3DS cartridges still work on the latest firmware, but because of how cumbersome they are, custom firmware is considered to be vastly preferable.

===Stargate===
'''Stargate''' was a short-lived 3DS flashcart released in around 2018. It was most likely developed by the same team between Gateway-3DS. The main feature of this flashcart is that it offers three functions in one: it is an NDS flashcart that is capable of ntrboot with Sky3DS-style 3DS cartridge emulation for playing 3DS backups. 
Using it's ntrboot feature, Stargate offered it's own boot9strap-based custom firmware installation pack with generally weird payloads. If you have such a setup, you can probably migrate away from it by wiping your SD card and following [[3dsguide:updating-b9s|Updating B9S]]. Otherwise, the cartridge can still serve as a DS flashcart / ntrboot cartridge. The 3DS cartridge emulation should be avoided for the same reasons as Sky3DS cartridges.

[[Category:Nintendo 3DS information]]

3DS:Recover movable.sed

2025-07-26T18:25:47Z

Kuhprii: punctuation

If you require a console's <code>movable.sed</code> for some purpose but cannot obtain it directly from the NAND for some reason, there are still multiple potential ways to reobtain it's <code>movable.sed</code>.

{{warning|Ensure the Yes/No prompts are answered correctly before you read the solution the page returns. The solution changes drastically based on what you have available.}}
----
== Instructions ==
Do you have a backup of the console, either <code>essentials.exefs</code> or a NAND backup (a <code>.bin</code> file between 0.9GB and 1.3GB that has '''nand''' in it's name)? 
These files may be found in <code>sd:gm9/out</code> on the console's SD card, or on your PC in a place you keep backups.

<tabber>

|-|Yes, I have a backup=

----

<big>Solution:</big>

You will need to use [[ninfs]] to mount the backup on a PC and then pull the <code>movable.sed</code> out of the mount.

Ensure you have a copy of the file <code>boot9.bin</code>, as ninfs requires it to work. This file can be obtained through [[3DS:fastboot3DS|fastboot3DS]] or GodMode9 on any working 3DS that has CFW installed, or from the folder <code>sd:/luma/backups</code> on the SD card of a console that has previously been modded.

This may not work depending on how and when the backup was created, in which case you will need an alternate method.

|-|No, I don't have a backup=

----

Do you have the console's <code>otp.bin</code> and know its eShop region?

'''OTP:''' <code>otp.bin</code> file may be found on the console's SD card in <code>sd:/luma/backups</code> or <code>sd:/gm9/out</code>, and you may be able to dump it through either GodMode9 or [[3DS:fastboot3DS|fastboot3DS]] even if most of the console is unusuable. 
'''eShop Region:''' If your console has never had a SOAP transfer or a motherboard swap before, there are several potential ways to find the serial number to determine it.
* '''Serial Label:''' The serial label can be found on/under the backplate of the 3DS or under the battery, except on a 2DS XL where it will be under the game card/SD card slot cover. Once found, check its serial number against [[https://www.3dbrew.org/wiki/Serials this page]] to determine your region.
* '''SecureInfo''': This file may be found on the console's SD card in <code>sd:/luma/backups</code>, or on its NAND in the folder <code>[1:]/rw/sys</code> if it can boot into GodMode9. When opened in the hexeditor, the end of this file contains the serial number. Check it against 3dbrew, as above.
* '''inspect.log''': This file can normally only be found through GodMode9, and is on the NAND in the folder <code>[2:]/sys/log</code>. When opened in either the hexeditor or textviewer, this file contains the serial number. Check it against 3dbrew, as above.

{{#tag:tabber|

Yes, I have the OTP and know the region=

<big>Solution:</big>

You will need to install [[3DS:Cleaninty|cleaninty]]. Once all constants are set up, attempt to run <code>RecoverIVS</code> and/or <code>GetIVS</code>. If the commands work as intended but cleaninty cannot obtain the correct <code>movable.sed</code> for your console, you will need another method.

{{!}}-{{!}}

No, I don't have them=

<big>Solution:</big>

If you have the console on hand and its power LED lights up when you attempt to boot it, join [https://discord.gg/C29hYvh the Nintendo Homebrew Discord] and ask for help - there may be an alternate solution available.

If this is not the case, unfortunately, you cannot recover your <code>movable.sed</code> at this time. If you obtain more of the console's data, revisit this guide.
}}

</tabber>

[[Category:Nintendo 3DS guides]]

User:Kuhprii/sandbox

2025-07-26T18:21:58Z

Kuhprii: test

asdfafsdasfd '''hmm''hmmhmhghhrt'''''

= xdfggfef =

*

{| class="wikitable"
|+ok
!table
table
table
tyable
!c
!
!<tabber>
asfd
</tabber>
|-
|<tabbertransclude>
asdf
</tabbertransclude>
|
|
|
|-
|
|
|
|
|-
|
|
|
|
|}

*

3DS:History of 3DS Hacking

2025-07-26T18:19:25Z

Kuhprii: redundancy, punctuation and clarification

<references />
== 2011 ==

=== March ===
The official release of the Nintendo 3DS in the west, and the creation of the wiki [[3dbrew:Main_Page|3dbrew]].

=== June ===
The first 3DS roms are dumped.

=== September ===
Crown3DS gives a teaser implying the creation of a flashcart, but instead released a website written in broken English promising the community that they are progressing.

=== December ===
The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera.

== 2012 ==

=== Unknown Month ===
It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.<ref>https://gbatemp.net/threads/3ds-hacking-scene-history.443396/</ref>

=== March ===
The first (?) homebrew app is written in .cxi format, that being "Hello World" by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format)

== 2013 ==

=== August ===
The flashcart [[Gateway-3DS]] is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an [https://www.3dbrew.org/wiki/System_Settings MSET] exploit combined with [https://github.com/naehrwert/p3ds/tree/df8f52a8c22b7f4758e1a47b2ca712d12be60bc6 p3ds] (python tools for the 3DS).

=== December ===
Users in the community figure out how to reverse engineer [[Gateway-3DS]]' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND.

== 2014 ==

=== January ===
brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, it's code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire.

=== March ===
The first commit of [https://citra-emulator.com/ Citra], the first major 3DS emulator, is released.

=== August ===
The secondary userland exploit {{GitHub|yellows8/oot3dhax|oot3dhax}} is first released by yellows8.

=== November ===
[https://www.gamebrew.org/wiki/Palantine_CFW_3DS Palantine] (a CFW made by Yellows8 and other) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the emuNAND not being update-able, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after.

The flashcart [[Sky3DS]] is first released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked. This ban risk was unfixable until full custom firmware was released, and by that point it became obsolete anyway.

The primary userland exploit {{GitHub|smealum/ninjhax|ninjhax}} is first released by smealum.

== 2015 ==

=== January ===
Gateway cracks firmware version 9.2 and updates their flashcarts to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway; roxas75, patois, and team SALT all implement their own versions of it shortly after.

=== February ===
The custom firmware {{GitHub|roxas75/rxTools|rxTools}} is first released by roxas75, notable for being purely focused on utilitarian homebrew and trying to avoid piracy entirely to avoid all potential legal issues.

=== May ===
The custom firmware PastaCFW is first released. It is named after a leak of sigpatches on pastebin, which was combined with patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware. It's only major caveat was that it had no emuNAND support.

A fork of rxTools with PastaCFW's sigpatches is released by ahp_person (appletinivi), causing roxas75 to openly dispute him in an attempt to stop piracy from becoming a legal issue for the wider homebrew community.

=== June ===
Once popular demand turns against him, roxas75 eventually gives in, releasing the rxTools source and officially adding sigpatches. He then, understandably, quits the homebrew scene immediately afterward and does not ever return.

=== July ===
The primary userland exploit Ninjhax2x is first released.

=== August ===
The exploits Tubehax and Ironhax are first released.
* Tubehax is a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all versions.
* Ironhax is the first secondary (userland) exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax).

ReiNand, the first fully-featured custom firmware to support the New 3DS, is released.

=== September ===
The exploits Menuhax and Browserhax are first released.
* Menuhax is a secondary userland exploit targeting the Home Menu. After the one use of a primary exploit needed to install it, it gives fully untethered coldboot userland access by exploiting the Home Menu automatically as it loads.
* Browserhax is a term for a series of primary userland exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax.

=== December ===
An upgrade to Sky3DS, Sky3DS+, is released. Among others, it's new features included bypassing cart-based AP in recent games and having a second button for more ease of selecting games.

The CCC hosts [https://gbatemp.net/threads/32c3-console-hacking-3ds-talk-dec-27-smea-derrek-plutoo.405640/ 32c3] in Hamburg, Germany. During 32c3, [https://smealum.github.io/3ds/32c3/ smealum gives a talk] where snshax, [[arm9loaderhax]], memchunkhax2, and ntrcardhax are revealed, & menuhax and ironhax receive updates to continue functioning.
* snshax and ntrcardhax would ultimately be of little interest, thanks to snshax being n3DS-only and ntrcardhax requiring an extremely specific type of modified flashcart that effectively didn't exist.
* memchunkhax2 is a privilege escalation k11 exploit that, although not immediately useful, would quickly become the foundation of downgrading as part of other exploit chains.
* Arm9loaderhax is an untethered coldboot custom firmware loader that is installed directly to the FIRM partitions. Although it was somewhat unsafe and risky to install through its entire lifetime, it was still a massive step forward for the homebrew community by allowing homebrew tools even larger amounts of control over the system.

== 2016 ==

=== January ===
An exploit chain using memchunkhax2 is introduced, the first implementation of downgrading from 10.x firmwares to 9.2 for certain other exploits.

Downgrading would soon after be patched by version 10.4.

=== February ===
[[arm9loaderhax]] is fully released, and becomes a mainstay of the scene.

The primary userland exploit ctr-httpwn is first released by yellows8.

A complex dispute between the original author of ReiNand (Reisyukaku) and the rest of it's developer team hits it's first overt boiling point, causing them to cut ties as much as possible and officially fork the project into AuReiNand.

=== March ===
The privilege escalation k11 exploit memchunkhax2.1 is first released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time.

=== April ===
AuReiNand is renamed to Luma3DS, and work begins towards rewriting every line of code. Once this is done, they detach it from ReiNand's fork network on GitHub, which marks the point where it is converted into an entirely original project.

The tool {{GitHub|dazjo/salt_sploit_installer|salt_sploit_installer}} is first released, being unique because it sets the stage for three secondary userland exploits very shortly afterward.
Just a few days later, two of those three - {{GitHub|shinyquagsire23/v_hax|(v*)hax}} and {{GitHub|shinyquagsire23/supermysterychunkhax|supermysterychunkhax}} - are both first released by shinyquagsire23.

=== May ===
The third secondary userland exploit to use salt_sploit_installer, {{GitHub|dazjo/humblehax|humblehax}}, is first released by dazjo. This one is especially notable because it required purchasing a limited-time game from Humble Bundle, a quirk not seen in any exploit before or since.

=== June ===
The secondary userland exploit {{GitHub|MrNbaYoh/basehaxx|basehaxx}} is first released by MrNbaYoh.

=== July ===
A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time.

=== September ===
Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (an instant N3DS install method). CTRNand Transfer would be kept and see far more use later, but OTPless was later removed from use due to having a small but completely random chance to brick.

=== December ===
The CCC hosts [https://gbatemp.net/threads/33c3-console-hacking-2016-3ds-wiiu-talk-dec-27-30-smea-derrek-nedwill-naehrwert.450043/ 33c3] in Hamburg, Germany. During 33c3, [https://derrekr.github.io/3ds/33c3/ derrekr gives a talk] where soundhax, fasthax, and sighax are revealed.
* Soundhax is a primary userland exploit targeting Nintendo 3DS Sound that was made by nedwill. Because it was free (unlike ninjhax, which required Cubic Ninja, a paid game), almost all consoles at the time were vulnerable to this exploit.
* Fasthax is another privilege escalation k11 exploit, also made by nedwill.
* [https://zoogie.github.io/sh/ Sighax] is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.<ref>https://wololo.net/2016/12/28/33c3-3ds-bootrom-cracked-sign-firmwares/</ref>

Nintendo launches a bug bounty program for the 3DS on HackerOne, with bounties from $100 - $20,000 per exploit. This caused exploit developers to start moving away from public releases.
== 2017 ==

=== January ===
The privilege escalation k9 exploit chain safehax is first released by the user appleTinivi, after an anonymous user posted the method on 3dbrew. Through the use of this exploit chain (usable on all versions up to 11.2), the process for installing a9lh was significantly streamlined: specifically, it shortens the list of needed steps to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, restoring the original NAND, and installing a9lh using the otp.

=== February ===
safehax and fasthax are patched by the release of version 11.3, also temporarily patching firm downgrading via DSiWare and hardmodding again in the process.

=== April ===
A previously-unknown privilege escalation k11 exploit, udsploit is first released by Smealum just as it's patched by the release of version 11.4. However, it remains useful for those who stayed on version 11.3.

Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax.

=== May ===
SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. [https://sciresm.github.io/33-and-a-half-c3/ During this talk], [[boot9strap]] and the concepts that would later allow [[ntrboot]] are revealed.
* Boot9strap is effectively the successor to arm9loaderhax, being another coldboot firmware loader that works in a much cleaner way by implementing a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software.
* Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool.

Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack.

=== June ===
The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did.

=== August ===
The first practical implementation of [[Ntrboot]] is released, starting only with support for ak2i and R4 flashcards but quickly growing to others.

=== September ===
The Gateway team reveals they have been working on a new flashcard called [[Stargate]], a 3-in-1 hybrid of an ntrboot card, DS flashcart, and [[Sky3DS]]. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards.

== 2018 ==

=== January ===
A user reveals a method to brute-force the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This entrypoint, called [[3DS:Seedminer|Seedminer]], allowed users to inject hacked DSiWare and install [[boot9strap]] with only one 3DS.

=== July ===
Nintendo releases version 11.8.

=== August ===
Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on Github, but nobody to date has been able to make the exploit work.

=== September ===
The primary *miner exploit Frogminer is first released. This variant of the *miner exploit path utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike its predecessor, it is a completely free *miner exploit.

=== December ===
Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh.

== 2019 ==

=== July ===
The primary userland exploit BannerBomb3, which targeted System Settings and mostly used the *miner series to complete the exploit chain, is first released.

=== December ===
The CCC hosts [https://gbatemp.net/threads/36c3-hacker-conference-underway-27th-to-30th-of-december-2019.555023/ 36c3] in Leipzig, Germany. During 36c3, [https://mrnbayoh.github.io/36c3/ MrNbaYoh gives a talk] that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely takeover a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to it's potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started.

== 2020 ==

=== April ===
The privilege escalation k9 exploit chain unSAFE_MODE, a revised version of safehax for version 11.13, is first released. Notably, this exploit chain would never be directly patched, but would be made unusuable when universal_otherapp is patched.

=== July ===
Nintendo's HackerOne bounty program [https://hackerone.com/nintendo/updates?type=team is closed on July 15th.]

=== August ===
The primary userland exploit new-browserhax, which is the simplest and most potent browserhax yet, is first released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13).

=== September ===
Nintendo shuts down retail production of all 3DS models.

=== October ===
The secondary exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit still requires initial userland access, but has even more privileges and is simpler to activate than the original. (And it's a great meme)

=== November ===
Nintendo releases version 11.14.0-46, patching a few last-minute submissions of exploits from the HackerOne bounty. This includes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point to back to Seedminer.

=== December ===
After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the entrypoint SSLoth and an exploit for it, safecerthax. Together, they create a full chain to boot9strap on o3DS models (and this chain still works on certain older versions, though it requires access to [[3DS:Safe Mode|Safe Mode]]).

TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM.

The primary userland exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs.

== 2021 ==

=== January ===
Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop.

=== April ===
The privilege escalation userland exploit chain nimhax, an expansion of ctr-httpwn that simultaneously takes over the nim sysmodule, is first released by luigoalma.

The primary userland exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again.

The semi-primary userland exploit [[3DS:Kartdlphax|kartdlphax]], an exploit for Mario Kart 7 that requires a second modded console, is first released by PabloMK7 (creator of CTGP-7).

=== July ===
Nintendo releases version 11.15, which patches both browserhax-xl exploits, ending the 'golden age' for good in the process. It also patches SSLoth (which leaves safecerthax unpatched but unusuable), and as such Seedminer becomes the main exploit again.

== 2022 ==

=== August ===
Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn.

Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER (most likely meaning Network Version) on this title due to a typo in the web data module.

=== December ===
The entrypoint ENLBufferPwn, an online RCE for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it could be used to remotely load universal-otherapp over the network; doing so would create a k9 exploit chain that also had potential for mass bricks, online cheats, remote installation of malware, or practically anything else (though with size constraints). By the time of disclosure, it was already being used in the wild to reset VR scores and interfere with races, making this claim of threat even more credible.

== 2023 ==

=== March ===
The primary userland exploit super-skaterhax, another n3DS-only browser exploit, is first released.

Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after.

=== May ===
Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while.

=== July ===
The privilege escalation "k11" exploit chain nimdsphax, an expansion of nimhax that also takes over the dsp sysmodule, is first released by TuxSH and luigoalma. It is notable in that it does not directly exploit k11, but instead disables GPU_PROT and then uses the GPU to directly overwrite k11 code.

The secondary exploit Kartminer7, a secondary *miner exploit also requiring a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie.

=== October ===
The primary k9 exploit MSET9, which targets System Settings and has no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit.

=== December ===
Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie
<references />

(Credit to zoogie for writing "A Pretty Brief History of the 3ds Hacking/Homebrew Scene", the GBAtemp page that this page was heavily adapted from.)

User:Kuhprii/Super Monkey Ball 3D

2025-07-11T03:03:51Z

Kuhprii: i make it

== Overview ==
Super Monkey Ball 3D is a platformer video game for the Nintendo 3DS, it is the ninth game in the Super Monkey Ball series. It was released in the U.S. on March 27, 2011. Other region release dates were: Japan on March 3rd. in the EU on March 25th. and AU on 31st. Super Monkey Ball 3D was developed by Sega CS1 R&D.

== Gameplay ==
Super Monkey Ball 3D was similar to the other games in the series, having puzzle styled platforming and party games. Super Monkey Ball 3D is somewhat unique because of gyro controls, not that they were not used before, but Super Monkey Ball can require precise movements.

== Other Info ==
Super Monkey Ball 3D has an unused graphic, it looks like this: https://tcrf.net/images/1/18/SMB3D-f128.png

Super Monkey Ball 3D's build date is 4599 2011-01-27 16:01:05, this was found in smbctrver (most likely meaning Super Monkey Ball CTR Version)

In the file code.bin, there is text relating to development, which can be found here:https://tcrf.net/Super_Monkey_Ball_3D

== Mods and Tools ==
Unlike other games in the series, Super Monkey Ball 3D seems to have no tools or mods.

== Other resources/sources used ==

* Wikipedia article: https://en.wikipedia.org/wiki/Super_Monkey_Ball_3D
* TCRF page: https://tcrf.net/Super_Monkey_Ball_3D

User:Kuhprii/History on the DS hacking scene

2025-06-19T02:44:01Z

Kuhprii:

Sources:

* https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

* https://darkfader.blogspot.com/2005/

* https://pineight.com/ds/pass/#passme

* https://www.gameboy-advance.net/nintendo_ds/passme.htm

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through (January) ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

=== The first PassMe device (February) ===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

=== WiFiMe (April) ===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. This method required a specific wireless network card (Ralink RT2560). You also would need a program called WMB (Wireless Multiboot), that program uploads the homebrew to the console using DS Download Play. All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.<blockquote>Note: Needs to be rewritten?</blockquote>

=== FlashMe (Spring, Unknown Month) ===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

=== Nintendo's fixes ===
Nintendo fixes the vulnerabilities present in firmware version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution to the GBA SRAM space. It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles.

=== PPFlash (Add later, Unknown month and season) ===
filler

=== PassMe2 (October) ===
PassMe2 is on the same hardware as the original, but there is a new program on the CPLD. What this program does is changes the header's run address to a BIOS call that goes to shellcode in the GBA SRAM. (Maybe add more)

=== NoPass ===

User:Kuhprii

2025-05-31T16:54:47Z

Kuhprii: jibbleglap dooglesong

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

hi, I make history pages. if you have any questions for me, or about my work, feel free to ask me on discord via nh.

==== My pages: ====

* [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091)
* [[User:Kuhprii/History on the DS hacking scene]] (WIP)

User:Kuhprii/sandbox

2025-05-31T16:53:50Z

Kuhprii:

User:Kuhprii/History on the DS hacking scene

2025-04-22T16:11:14Z

Kuhprii: months added

Sources: https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

https://darkfader.blogspot.com/2005/

https://pineight.com/ds/pass/#passme

https://www.gameboy-advance.net/nintendo_ds/passme.htm

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through (January) ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

=== The first PassMe device (February) ===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

=== WiFiMe (April) ===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. To do this method, you need a PCI/PCMCIA wireless network card, you could achieve this with a Ralink chipset. You also would need a program called WMB (Wireless Multiboot). All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.

=== FlashMe (Spring, Unknown Month) ===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

=== Nintendo's fixes ===
Nintendo fixes the vulnerabilities present in firm version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution the the GBA SRAM space. (It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles.

=== PPFlash (Add later, Unknown month and season) ===
filler

=== PassMe2 (October) ===
PassMe2 is on the same hardware as the original, but there is a new program on the CPLD. What this program does is changes the header's run address to a BIOS call that goes to shellcode in the GBA SRAM. (Maybe add more)

User:Kuhprii/History on the DS hacking scene

2025-04-22T16:04:14Z

Kuhprii:

Sources: https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

https://darkfader.blogspot.com/2005/

https://pineight.com/ds/pass/#passme

https://www.gameboy-advance.net/nintendo_ds/passme.htm

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through (January) ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

=== The first PassMe device (February) ===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

=== WiFiMe (Spring, Unknown Month) ===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. To do this method, you need a PCI/PCMCIA wireless network card, you could achieve this with a Ralink chipset. You also would need a program called WMB (Wireless Multiboot). All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.

=== FlashMe (Spring, Unknown Month) ===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

=== Nintendo's fixes ===
Nintendo fixes the vulnerabilities present in firm version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution the the GBA SRAM space. (It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles.

=== PPFlash (Add later, Unknown month and season) ===
filler

=== PassMe2 (October) ===
PassMe2 is on the same hardware as the original, but there is a new program on the CPLD. What this program does is changes the header's run address to a BIOS call that goes to shellcode in the GBA SRAM. (Maybe add more)

User:Kuhprii/History on the DS hacking scene

2025-04-22T16:00:15Z

Kuhprii:

Sources: https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

https://darkfader.blogspot.com/2005/

https://pineight.com/ds/pass/#passme

https://www.gameboy-advance.net/nintendo_ds/passme.htm

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through (January) ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

=== The first PassMe device (February) ===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

=== WiFiMe (Spring, Unknown Month) ===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. To do this method, you need a PCI/PCMCIA wireless network card, you could achieve this with a Ralink chipset. You also would need a program called WMB (Wireless Multiboot). All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.

=== FlashMe (Spring, Unknown Month) ===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

=== Nintendo's fixes ===
Nintendo fixes the vulnerabilities present in firm version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution the the GBA SRAM space. (It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles.

=== PPFlash (Add later, Unknown month and season) ===
filler

=== PassMe2 (Spring, Unknown Month) ===
PassMe2 is on the same hardware as the original, but there is a new program on the CPLD. What this program does is changes the header's run address to a BIOS call that goes to shellcode in the GBA SRAM. (Maybe add more)

User:Kuhprii/History on the DS hacking scene

2025-04-22T15:54:27Z

Kuhprii:

Sources: https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

https://darkfader.blogspot.com/2005/

https://pineight.com/ds/pass/#passme

https://www.gameboy-advance.net/nintendo_ds/passme.htm

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through (January) ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

=== The first PassMe device (February) ===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

=== WiFiMe (Spring, Unknown Month) ===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. To do this method, you need a PCI/PCMCIA wireless network card, you could achieve this with a Ralink chipset. You also would need a program called WMB (Wireless Multiboot). All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.

=== FlashMe (Spring, Unknown Month) ===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

=== Nintendo's fixes ===
Nintendo fixes the vulnerabilities present in firm version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution the the GBA SRAM space. (It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles.

=== PPFlash (Add later, Unknown month and season) ===
filler

=== PassMe2 (Spring, Unknown Month) ===
PassMe2 is on the same hardware as the original, but there is a new program on the CPLD. What this program does is changes the header's run address to a BIOS call that goes to shellcode in the GBA SRAM. (Maybe add more)

=== NoPass (Spring, Unknown Month) ===
A new PassMe device emerges, called NoPass.

User:Kuhprii

2025-04-22T00:18:39Z

Kuhprii: yeah

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

hi, I make history pages.

==== My pages: ====

* [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091)
* [[User:Kuhprii/History on the DS hacking scene]] (WIP)

Nintendo 3DS

2025-04-22T00:16:40Z

Kuhprii: added history, feel free to move it around and put it somewhere else on the page, just put it there to get a start

{{Page WIP|notes=
*I should use css grid for the table, it would make it easier to move stuff around between desktop and mobile screens. [[User:Ihaveahax|ihaveahax]] ([[User talk:Ihaveahax|talk]]) 05:08, 13 August 2022 (UTC)
}}
{{Infobox console
| title = Nintendo 3DS
| image = Nintendo-3DS-AquaOpen.png
| imagesize = 300px
| caption = The original Nintendo 3DS in Aqua Blue
| imagealt = The original Nintendo 3DS in the Aqua Blue color, open and showing the top and bottom screens.
| aka = {{plainlist|
* 3DS (abbreviation)
* iQue 3DS (China)
* Citrus/CTR (Code name)
}}
| systems = {{plainlist|
* Nintendo 3DS
* Nintendo 3DS XL
* Nintendo 2DS
* New Nintendo 3DS
* New Nintendo 3DS XL
* New Nintendo 2DS XL
}}
| version = {{SystemVersion|ctr}}
| recommended = [[3DS:boot9strap|boot9strap]] + [[3DS:Luma3DS|Luma3DS]]
| guide = [[3dsguide:index|3ds.hacks.guide]]
| namespace = 3DS:
}}
The '''{{iw|wikipedia|Nintendo 3DS}}''' is a handheld game console released by Nintendo in 2011. Multiple revisions have been released for the Nintendo 3DS over the years, including the more-powerful "New Nintendo 3DS" series and the budget "2DS" set of consoles. All 3DS revisions run the same system software, so homebrew methods and software are generally identical (except in cases where the more-powerful hardware of the New Nintendo 3DS is required and the 3D feature on 2DS not being there ).
{| style="table-layout: fixed;"
| style="vertical-align: top; width: 50%;" class="collapse-on-mobile" |
== Getting started ==
{{Warning|Never use video guides as those can get outdated quickly and can contain mistakes or modified files.}}
The current recommended setup is [[3DS:boot9strap|boot9strap]] + [[3DS:Luma3DS|Luma3DS]].

Instructions on setting up homebrew and custom firmware on your console can be found on [[3dsguide:index|3ds.hacks.guide]].

<div class="center">{{Clickable button 2|3dsguide:index|Go to 3DS Hacks Guide|class=mw-ui-progressive}}</div>
| style="vertical-align: top; width: 50%;" class="collapse-on-mobile" |
== Use homebrew ==
Looking for things to do with your newly-homebrewed console? Here are some ideas:
* Back up or restore game saves using [[Checkpoint]]
* [[3DS:Dump titles and game cartridges|Dump titles and game cartridges]]
* Mod your [[:Category:Nintendo_3DS_games|3DS games]]
* Use a [[3DS:Custom_themes|custom theme]] or even [[3DS:Creating_custom_themes|create your own]]
<div class="center">{{Clickable button 2|3DS:Things to do|See the full list of things to do|class=mw-ui-progressive}}Curious on the history of homebrew/hacking on the 3DS?: [[3DS:History of 3DS Hacking]]</div>
|}

== Get help ==
Having an issue setting up homebrew, or using it? Maybe your console is doing something weird?

First, try searching for your issue. If you cannot find the right information or don't understand it, you can [[Get support|'''ask someone for help''']].

<inputbox>
type=search
placeholder=Enter a description of your issue...
namespaces=Main**,3DS**
width=70
</inputbox>
__NOTOC____NOEDITSECTION__

User:Kuhprii/History on the DS hacking scene

2025-04-22T00:13:45Z

Kuhprii: flashme added, nintendos fixes, added passme2 as most likely my next starting point, + other content

Sources: https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/

https://darkfader.blogspot.com/2005/

https://pineight.com/ds/pass/#passme

https://www.gameboy-advance.net/nintendo_ds/passme.htm

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through (January) ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

=== The first PassMe device (February) ===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA. It is similar to a Game-Genie. It was pretty much the same as DarkFaders's FGPA, as it altered NDS cartridge header data, changing the run address points to the GBA slot. The main difference was that PassMe was more refined.

=== WiFiMe (Spring, Unknown Month) ===
WiFiMe brought new ways to run homebrew. It ran through DS Download Play. To do this method, you need a PCI/PCMCIA wireless network card, you could achieve this with a Ralink chipset. You also would need a program called WMB (Wireless Multiboot). All of this works because the first version of DS Download Play used a run address from a header that wasn't located with the rest of the digitally signed code. WiFiMe specifically is a DS Download Play program that was extracted from SM64DS, it had it's run address changed to the GBA slot. This allowed WMB to act as DS, allowing you to send signed programs over to the DS.

=== FlashMe (Spring, Unknown Month) ===
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code, and booting it if it is present. It also removes the signature check in DS Download Play, allowing users to send programs that didn't have Nintendo signatures via WMB.

=== Nintendo's fixes ===
Nintendo fixes the vulnerabilities present in firm version 4. They added range checks to the DS card startup code which blocked PassMe devices. They also used a new run address in the signed section of DS Download Play blocking WiFiMe. The BIOS still has a vulnerability that allowed redirection of execution the the GBA SRAM space. (It was also discovered that Nintendo Wi-Fi code overwrites an area of the firmware. The original FlashMe developers didn't know this and Mario Kart DS was bricking people's consoles.

=== PPFlash (Add later, Unknown month and season) ===
filler

=== PassMe2 (Spring, Unknown Month) ===

User:Kuhprii/History on the DS hacking scene

2025-04-20T15:49:50Z

Kuhprii: wifime done

User:Kuhprii

2025-04-18T19:18:21Z

Kuhprii:

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

hi, I make history pages.

==== My pages: ====

* [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091.)*
* [[User:Kuhprii/History on the DS hacking scene]] (WIP)

User:Kuhprii/History on the DS hacking scene

2025-04-18T18:53:23Z

Kuhprii: first passme device done

User:Kuhprii

2025-04-18T17:28:00Z

Kuhprii:

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

hi, I make history pages.

==== My pages: ====

* [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091.)*
* [[User:Kuhprii/History on the DS hacking scene]] (WIP)
* [[User:Kuhprii/History on the Wii hacking scene]] (WIP, currently being worked on by Abdelali221)

User:Kuhprii/History on the DS hacking scene

2025-04-14T14:26:32Z

Kuhprii: sources added

User:Kuhprii/History on the DS hacking scene

2025-04-14T14:25:12Z

Kuhprii: yeah

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through (January) ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then programmed an FPGA to make a pass-through that would let him capture and alter the data traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

=== The first PassMe device (February) ===
A developer by the name of Natrium42 makes a pass-through based on DarkFader's FPGA

User:Kuhprii/History on the DS hacking scene

2025-04-13T21:24:46Z

Kuhprii: first pass-through

== The Release of the Nintendo DS ==
The Nintendo DS released November 21st, of 2004.

== 2005 ==

=== The first pass-through ===
The developer DarkFader gets his hands on the Nintendo DS, he wants to hack it. Others in the community started to capture to traffic of the cartridge (I assume Metroid Demo). DarkFader then saw header data, as well as encrypted data. He then figured that the RSA on the back, didn't apply to the actual cartridge.

He then made a programmable logic chip based pass-through that let him capture, and alter the traffic from the cartridge. DarkFader made an etched PCB that went into the DS, and a cut GBC connecter that held a DS cartridge. He then altered the header and figured out he could run his own code from the Game Boy Advance slot.

Once he could run his own code, he made a program that modified a string of text in the Metroid Demo, and then continued executing. That was the first pass-through.

User:Kuhprii

2025-04-11T21:12:25Z

Kuhprii: shoutout removed. get help.

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])
hi I make history pages.

my pages: [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by fox8091.)

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii

2025-03-31T04:50:33Z

Kuhprii:

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])
hi I make history pages.

my pages: [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by starlitskies and fox8091.) (thank you guys!)

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii/sig

2025-03-31T04:49:57Z

Kuhprii:

[[User:Kuhprii|Kuhprii]] ([[User talk:Kuhprii|talk]])

3DS:History of 3DS Hacking

2025-03-29T00:55:45Z

Kuhprii: removed credits

{{#approvable_by: users = Wariohax}}
<references />Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp.
== 2011 ==

=== March ===
The official release of the Nintendo 3DS in the west, and the creation of the wiki [[3dbrew:Main_Page|3dbrew]].

=== June ===
The first 3DS roms are dumped.

=== September ===
Crown3DS gives a teaser implying the creation of a flashcart, but instead released a website written in broken English promising the community that they are progressing.

=== December ===
The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera.

== 2012 ==

=== Unknown Month ===
It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.<ref>https://gbatemp.net/threads/3ds-hacking-scene-history.443396/</ref>

=== March ===
The first (?) homebrew app is written in .cxi format, "Hello World", is written by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format)

== 2013 ==

=== August ===
The flashcart [[Gateway-3DS]] is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an [https://www.3dbrew.org/wiki/System_Settings MSET] exploit combined with [https://github.com/naehrwert/p3ds/tree/df8f52a8c22b7f4758e1a47b2ca712d12be60bc6 p3ds] (python tools for the 3DS).

=== December ===
Users in the community figure out how to reverse engineer [[Gateway-3DS]]' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND.

== 2014 ==

=== January ===
brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, its code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire.

=== March ===
The first commit of [https://citra-emulator.com/ Citra], the first major 3DS emulator, is released.

=== August ===
The secondary userland exploit {{GitHub|yellows8/oot3dhax|oot3dhax}} is first released by yellows8.

=== November ===
[https://www.gamebrew.org/wiki/Palantine_CFW_3DS Palantine] (a CFW made by Yellows8 and other) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the EmuNAND not being updateable, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after.

The flashcart [[Sky3DS]] is first released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked. This ban risk was unfixable until full custom firmware was released, and by that point it became obsolete anyway.

The primary userland exploit{{GitHub|smealum/ninjhax|ninjhax}} is first released by smealum.

== 2015 ==

=== January ===
Gateway cracks firmware version 9.2 and updates their flashcarts to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway, and teams such SALT, roxas75, and patois implement their own versions of it shortly after.

=== February ===
The custom firmware {{GitHub|roxas75/rxTools|rxTools}} is first released by roxas75, notable for being purely focused on utilitarian homebrew and trying to avoid piracy entirely to avoid all potential legal issues.

=== May ===
The custom firmware PastaCFW is first released. It is named after a leak of sigpatches on pastebin, which was combined with patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware. Its only major caveat was that it had no emuNAND support.

A fork of rxTools with PastaCFW's sigpatches is released by ahp_person (appletinivi), causing roxas75 to openly dispute him in an attempt to stop piracy from becoming a legal issue for the wider homebrew community.

=== June ===
Once popular demand turns against him, roxas75 eventually gives in, releasing the rxTools source and officially adding sigpatches. He then, understandably, quits the homebrew scene immediately afterward and does not ever return.

=== July ===
The primary userland exploit Ninjhax2x is first released.

=== August ===
The exploits Tubehax and Ironhax are first released.
* Tubehax is a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all versions.
* Ironhax is the first secondary (userland) exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax).

ReiNand, the first fully-featured custom firmware to support the New 3DS, is released.

=== September ===
The exploits Menuhax and Browserhax are first released.
* Menuhax is a secondary userland exploit targeting the Home Menu. After the one use of a primary exploit needed to install it, it gives fully untethered coldboot userland access by exploiting the Home Menu automatically as it loads.
* Browserhax is a term for a series of primary userland exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax.

=== December ===
An upgrade to Sky3DS, Sky3DS+, is released. Among others, its new features included bypassing cart-based AP in recent games and having a second button for more ease of selecting games.

The CCC hosts [https://gbatemp.net/threads/32c3-console-hacking-3ds-talk-dec-27-smea-derrek-plutoo.405640/ 32c3] in Hamburg, Germany. During 32c3, [https://smealum.github.io/3ds/32c3/ smealum gives a talk] where snshax, [[arm9loaderhax]], memchunkhax2, and ntrcardhax are revealed, & menuhax and ironhax receive updates to continue functioning.
* snshax and ntrcardhax would ultimately be of little interest, thanks to snshax being n3DS-only and ntrcardhax requiring an extremely specific type of modified flashcart that effectively didn't exist.
* memchunkhax2 is a privilege escalation k11 exploit that, although not immediately useful, would quickly become the foundation of downgrading as part of other exploit chains.
* Arm9loaderhax is an untethered coldboot custom firmware loader that is installed directly to the FIRM partitions. Although it was somewhat unsafe and risky to install through its entire lifetime, it was still a massive step forward for the homebrew community by allowing homebrew tools even larger amounts of control over the system.

== 2016 ==

=== January ===
An exploit chain using memchunkhax2 is introduced, the first implementation of downgrading from 10.x firmwares to 9.2 for certain other exploits.

Downgrading would soon after be patched by version 10.4.

=== February ===
[[arm9loaderhax]] is fully released, and becomes a mainstay of the scene.

The primary userland exploit ctr-httpwn is first released by yellows8.

A complex dispute between the original author of ReiNand (Reisyukaku) and the rest of its developer team hits its first overt boiling point, causing them to cut ties as much as possible and officially fork the project into AuReiNand.

=== March ===
The privilege escalation k11 exploit memchunkhax2.1 is first released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time.

=== April ===
AuReiNand is renamed to Luma3DS, and work begins towards rewriting every line of code. Once this is done, they detach it from ReiNand's fork network on GitHub, which marks the point where it is converted into an entirely original project.

The tool {{GitHub|dazjo/salt_sploit_installer|salt_sploit_installer}} is first released, being unique because it sets the stage for three secondary userland exploits very shortly afterward.
Just a few days later, two of those three - {{GitHub|shinyquagsire23/v_hax|(v*)hax}} and {{GitHub|shinyquagsire23/supermysterychunkhax|supermysterychunkhax}} - are both first released by shinyquagsire23.

=== May ===
The third secondary userland exploit to use salt_sploit_installer, {{GitHub|dazjo/humblehax|humblehax}}, is first released by dazjo. This one is especially notable because it required purchasing a limited-time game from Humble Bundle, a quirk not seen in any exploit before or since.

=== June ===
The secondary userland exploit {{GitHub|MrNbaYoh/basehaxx|basehaxx}} is first released by MrNbaYoh.

=== July ===
A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time.

=== September ===
Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (an instant N3DS install method). CTRNand Transfer would be kept and see far more use later, but OTPless was later removed from use due to having a small but completely random chance to brick.

=== December ===
The CCC hosts [https://gbatemp.net/threads/33c3-console-hacking-2016-3ds-wiiu-talk-dec-27-30-smea-derrek-nedwill-naehrwert.450043/ 33c3] in Hamburg, Germany. During 33c3, [https://derrekr.github.io/3ds/33c3/ derrekr gives a talk] where soundhax, fasthax, and sighax are revealed.
* Soundhax is a primary userland exploit targeting Nintendo 3DS Sound that was made by nedwill. Because it was free (unlike ninjhax, which required Cubic Ninja, a paid game), almost all consoles at the time were vulnerable to this exploit.
* Fasthax is another privilege escalation k11 exploit, also made by nedwill.
* [https://zoogie.github.io/sh/ Sighax] is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.<ref>https://wololo.net/2016/12/28/33c3-3ds-bootrom-cracked-sign-firmwares/</ref>

Nintendo launches a bug bounty program for the 3DS on HackerOne, with bounties from $100 - $20,000 per exploit. This caused exploit developers to start moving away from public releases.
== 2017 ==

=== January ===
The privilege escalation k9 exploit chain safehax is first released by the user appleTinivi, after an anonymous user posted the method on 3dbrew. Through the use of this exploit chain (usable on all versions up to 11.2), the process for installing a9lh was significantly streamlined: specifically, it shortens the list of needed steps to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, restoring the original NAND, and installing a9lh using the otp.

=== February ===
safehax and fasthax are patched by the release of version 11.3, also temporarily patching firm downgrading via DSiWare and hardmodding again in the process.

=== April ===
A previously-unknown privilege escalation k11 exploit, udsploit is first released by Smealum just as it's patched by the release of version 11.4. However, it remains useful for those who stayed on version 11.3.

Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax.

=== May ===
SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. [https://sciresm.github.io/33-and-a-half-c3/ During this talk], [[boot9strap]] and the concepts that would later allow [[ntrboot]] are revealed.
* Boot9strap is effectively the successor to arm9loaderhax, being another coldboot firmware loader that works in a much cleaner way by implementing a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software.
* Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool.

Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack.

=== June ===
The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did.

=== August ===
The first practical implementation of [[Ntrboot]] is released, starting only with support for ak2i and R4 flashcards but quickly growing to others.

=== September ===
The Gateway team reveals they have been working on a new flashcard called [[Stargate]], a 3-in-1 hybrid of an ntrboot card, DS flashcart, and [[Sky3DS]]. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards.

== 2018 ==

=== January ===
A user reveals a method to brute-force the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This entrypoint, called [[3DS:Seedminer|Seedminer]], allowed users to inject hacked DSiWare and install [[boot9strap]] with only one 3DS.

=== July ===
Nintendo releases version 11.8.

=== August ===
Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on Github, but nobody to date has been able to make the exploit work.

=== September ===
The primary *miner exploit Frogminer is first released. This variant of the *miner exploit path utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike its predecessor, it is a completely free *miner exploit.

=== December ===
Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh.

== 2019 ==

=== July ===
The primary userland exploit BannerBomb3, which targeted System Settings and mostly used the *miner series to complete the exploit chain, is first released.

=== December ===
The CCC hosts [https://gbatemp.net/threads/36c3-hacker-conference-underway-27th-to-30th-of-december-2019.555023/ 36c3] in Leipzig, Germany. During 36c3, [https://mrnbayoh.github.io/36c3/ MrNbaYoh gives a talk] that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely takeover a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to its potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started.

== 2020 ==

=== April ===
The privilege escalation k9 exploit chain unSAFE_MODE, a revised version of safehax for version 11.13, is first released. Notably, this exploit chain would never be directly patched, but would be made unusuable when universal_otherapp is patched.

=== July ===
Nintendo's HackerOne bounty program [https://hackerone.com/nintendo/updates?type=team is closed on July 15th.]

=== August ===
The primary userland exploit new-browserhax, which is the simplest and most potent browserhax yet, is first released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13).

=== September ===
Nintendo shuts down retail production of all 3DS models.

=== October ===
The secondary exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit still requires initial userland access, but has even more privileges and is simpler to activate than the original. (And it's a great meme)

=== November ===
Nintendo releases version 11.14.0-46, patching a few last-minute submissions of exploits from the HackerOne bounty. This includes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point to back to Seedminer.

=== December ===
After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the entrypoint SSLoth and an exploit for it, safecerthax. Together, they create a full chain to boot9strap on o3DS models (and this chain still works on certain older versions, though it requires access to [[3DS:Safe Mode|Safe Mode]]).

TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM.

The primary userland exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs.

== 2021 ==

=== January ===
Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop.

=== April ===
The privilege escalation userland exploit chain nimhax, an expansion of ctr-httpwn that simultaneously takes over the nim sysmodule, is first released by luigoalma.

The primary userland exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again.

The semi-primary userland exploit [[3DS:Kartdlphax|kartdlphax]], an exploit for Mario Kart 7 that requires a second modded console, is first released by PabloMK7 (creator of CTGP-7).

=== July ===
Nintendo releases version 11.15, which patches both browserhax-xl exploits, ending the 'golden age' for good in the process. It also patches SSLoth (which leaves safecerthax unpatched but unusuable), and as such Seedminer becomes the main exploit again.

== 2022 ==

=== August ===
Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn.

Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER on this title due to a typo in the web data module.

=== December ===
The entrypoint ENLBufferPwn, an online RCE for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it could be used to remotely load universal-otherapp over the network; doing so would create a k9 exploit chain that also had potential for mass bricks, online cheats, remote installation of malware, or practically anything else (though with size constraints). By the time of disclosure, it was already being used in the wild to reset VR scores and interfere with races, making this claim of threat even more credible.

== 2023 ==

=== March ===
The primary userland exploit super-skaterhax, another n3DS-only browser exploit, is first released.

Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after.

=== May ===
Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while.

=== July ===
The privilege escalation "k11" exploit chain nimdsphax, an expansion of nimhax that also takes over the dsp sysmodule, is first released by TuxSH and luigoalma. It is notable in that it does not directly exploit k11, but instead disables GPU_PROT and then uses the GPU to directly overwrite k11 code.

The secondary exploit Kartminer7, a secondary *miner exploit also requiring a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie.

=== October ===
The primary k9 exploit MSET9, which targets System Settings and has no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit.

=== December ===
Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie
<references />

3DS:History of 3DS Hacking

2025-03-26T00:20:44Z

Kuhprii:

3DS:History of 3DS Hacking

2025-03-26T00:12:03Z

Kuhprii: credits

User:Kuhprii

2025-03-26T00:05:37Z

Kuhprii:

[[User:Wariohax|Wariohax]] ([[User talk:Wariohax|talk]])
hi I make history pages.

my pages: [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by starlitskies and fox8091.) (thank you guys!)

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii/sig

2025-03-25T23:58:00Z

Kuhprii: hey little stylus, hey mario

[[User:Wariohax|Wariohax]] ([[User talk:Wariohax|talk]])

User:Kuhprii

2025-03-20T20:20:47Z

Kuhprii:

hi I make history pages.

my pages: [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved to 3DS space, also revised by starlitskies and fox8091.) (thank you guys!)

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii

2025-03-20T20:20:11Z

Kuhprii:

hi I make history pages.

my pages: [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved and revised by starlitskies and fox8091.) (thank you guys!)

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii

2025-03-20T20:19:40Z

Kuhprii: shoutouts and shenanigans

hi I make history pages.

my pages: [[3DS:History_of_3DS_Hacking]] (was originally a userspace under my user, was moved and revised by starlitskies and fox8091. (thank you guys!)

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii

2025-03-20T20:17:50Z

Kuhprii:

hi I make history pages.

my pages: [[3DS:History_of_3DS_Hacking]]

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii

2025-03-20T20:16:46Z

Kuhprii:

hi I make history pages.

my pages: [[3DS/ History of 3DS Hacking]]

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii

2025-03-20T20:16:20Z

Kuhprii: link fix

hi I make history pages.

my pages: [[3DS/History of 3DS Hacking]]

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

3DS:History of 3DS Hacking

2025-03-19T18:04:16Z

Kuhprii: Wariohax moved page User:Wariohax/History on custom firmware to 3DS:History of 3DS Hacking: complete enough to move out of userspace

User:Kuhprii

2025-03-14T17:49:04Z

Kuhprii: my pages added

hi I make history pages.

my pages: [[User:Wariohax/History on custom firmware]]

[[User:Wariohax/History on the DS hacking scene]] (WIP)

[[User:Wariohax/History on the Wii hacking scene]] (WIP)

User:Kuhprii

2025-03-14T17:38:38Z

Kuhprii: hi

hi I make history pages.

my pages: [[User:Wariohax/History on custom firmware]]

User:Kuhprii/History on the DS hacking scene

2025-03-14T17:33:04Z

Kuhprii: page creation, another another history!

WIP

Wii:History on the Wii hacking scene

2025-03-14T17:31:30Z

Kuhprii: sources added

WIP

Sources found:https://gbatemp.net/threads/the-early-history-of-wii-modding.243461/

https://gbatemp.net/threads/part-of-the-wii-hacking-history-summer-2008-to-2009.521275/

probably check failoverflow

Wii:History on the Wii hacking scene

2025-03-14T17:29:17Z

Kuhprii: page creation, another history!

WIP

3DS:History of 3DS Hacking

2025-03-14T17:25:52Z

Kuhprii: .

{{#approvable_by: users = Wariohax}}
== The history of the 3DS hacking scene. ==

== 2011 ==

=== March ===
The official release of the Nintendo 3DS in the west, and the creation of the wiki [[3dbrew:Main_Page|3dbrew]].

=== June ===
The first 3DS roms are dumped.

=== September ===
Crown3DS gives a teaser implying the creation of a flashcart, but instead released an Engrish website promising the community that they are progressing.

=== December ===
The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera.

== 2012 ==

=== Unknown Month ===
It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.<ref>https://gbatemp.net/threads/3ds-hacking-scene-history.443396/</ref>

=== March ===
The first (?) homebrew app is written in .cxi format, "Hello World", is written by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format)

== 2013 ==

=== August ===
[[Gateway-3DS]] is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an [https://www.3dbrew.org/wiki/System_Settings MSET] exploit combined with [https://github.com/naehrwert/p3ds/tree/df8f52a8c22b7f4758e1a47b2ca712d12be60bc6 p3ds] (python tools for the 3DS).

=== December ===
Users in the community figure out how to reverse engineer [[Gateway-3DS]]' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND.

== 2014 ==

=== January ===
brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, its code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire.

=== March ===
The first commit of [https://citra-emulator.com/ Citra], the first major 3DS emulator, is released.

=== November ===
[https://www.gamebrew.org/wiki/Palantine_CFW_3DS Palantine] (a CFW made by Yellows8 and other) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the EmuNAND not being updateable, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after.

The flashcart [[Sky3DS]] is released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked.

The userland exploit [https://gbatemp.net/threads/introducing-ninjhax-a-nintendo-3ds-homebrew-exploit.374233/ ninjhax] is officially released.

== 2015 ==

=== January ===
Gateway cracks 9.2 and updates their flashcards to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway, and teams such SALT, roxas75, and patois implement their own versions of it shortly after.

=== February ===
[https://gbatemp.net/threads/release-rxtools-roxas75-3ds-toolkit-fw-2-0-9-2.382782/ rxTools] is first released by roxas75.

=== May ===
PastaCFW (named after a leak of sigpatches on pastebin) is first released. It combined the works of patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware, though with no emuNAND support.

A fork of rxTools with sigpatches is released by ahp_person (appletinivi), and roxas75 attempts to stop the patches from becoming widespread out of concerns over piracy.

=== June ===
roxas75 eventually gives in due to popular demand, releasing the rxTools source and adding sigpatches in officially, then quits the homebrew scene immediately afterward.

=== July ===
The exploit Ninjhax2x is first released.

=== August ===
The exploits Tubehax and Ironhax are first released.
* Tubehax was a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all firmware.
* Ironhax was the first secondary userland exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax).

ReiNand, the first fully-featured custom firmware to support the New 3DS, is released.

=== September ===
The exploits Menuhax and Browserhax are first released.
* Menuhax is a secondary exploit of the Home Menu that allows userland control to be gained immediately on boot.
* Browserhax is a term for a series of primary exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax.

=== December ===
An upgrade to Sky3DS, Sky3DS+, is released. Among others, its new features included bypassing cart-based AP in recent games and adding a filesystem-based game loading feature.

The CCC hosts [https://gbatemp.net/threads/32c3-console-hacking-3ds-talk-dec-27-smea-derrek-plutoo.405640/ 32c3] in Hamburg, Germany. During 32c3, [https://smealum.github.io/3ds/32c3/ smealum gives a talk] where snshax, [[arm9loaderhax]], memchunkhax2, and ntrcardhax are revealed, & menuhax and ironhax receive updates to continue functioning.
* snshax, menuchunkhax2, and ntrcardhax would ultimately be of little interest.
* Arm9loaderhax was the first custom bootloader (and thus also the first coldboot custom firmware) for the 3DS, and although it was somewhat unsafe and risky to install, it was still a massive step forward for the homebrew community.

== 2016 ==

=== January ===
Downgrading is first introduced, allowing 10.x firmwares to revert to 9.2 for certain exploits.

Downgrading would soon after be patched by version 10.4.

=== February ===
[[arm9loaderhax]] is fully released, and becomes a mainstay of the scene.

AuReiNand, a fork of ReiNAND, is released after a disagreement with ReiNand's original author (Reisyukaku) caused the rest of the developer team to cut ties. Soon after, it would be renamed to Luma3DS and lose its official status as a fork to help distance itself even further.

=== March ===
The exploit memchunkhax2.1 is released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time.

=== May ===
R11

=== July ===
A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time.

=== September ===
Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (instant N3DS install). CTRNand Transfer would survive to see far more use, but OTPless was later removed from use due to having a small but completely random chance to brick.

=== December ===
The CCC hosts [https://gbatemp.net/threads/33c3-console-hacking-2016-3ds-wiiu-talk-dec-27-30-smea-derrek-nedwill-naehrwert.450043/ 33c3] in Hamburg, Germany. During 33c3, [https://derrekr.github.io/3ds/33c3/ derrekr gives a talk] where soundhax, fasthax, and sighax are revealed.
* Soundhax is a free (as opposed to ninjhax, which required Cubic Ninja, a paid game) userland primary exploit for Nintendo 3DS Sound made by nedwill. Almost all consoles at the time were vulnerable to this exploit.
* Fasthax is another k11 (arm11 kernel) exploit, also made by nedwill.
* [https://zoogie.github.io/sh/ Sighax] is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.<ref>https://wololo.net/2016/12/28/33c3-3ds-bootrom-cracked-sign-firmwares/</ref>

Nintendo launches a bug bounty program for the 3DS, the bounties being $100 - $20,000 per exploit, this would have an affect of exploit developers moving away from public releases.

== 2017 ==

=== January ===
The arm9 exploit Safehax is released by the user appleTinivi after an anonymous user posted the method on 3dbrew. This exploit allows for full system control up to version 11.2, which significantly streamlined the process for installing a9lh; from this point on, it is reduced to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, and then restoring the original NAND and installing a9lh using their otp.

=== February ===
safehax and fasthax are patched by the release of version 11.3, also permanently patching firm downgrading with DSiWare and hardmodding in the process.

=== April ===
A previously-unknown k11 exploit, udsploit is first released by Smealum just as it's patched by the release of version 11.4.

Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax.

=== May ===
SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. [https://sciresm.github.io/33-and-a-half-c3/ During this talk], [[boot9strap]] and the concepts that would later allow [[ntrboot]] are revealed.
* Boot9strap is effectively the sequel to arm9loaderhax, being a much cleaner custom bootloader that implements a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software.
* Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool.

Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack.

=== June ===
The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did.

=== August ===
[[Ntrboot]] is first released, starting only with support for ak2i and R4 flashcards but quickly growing to others.

=== September ===
The Gateway team reveals they have been working on a new flashcard called [[Stargate]], a supposed 3-in-1 hybrid of an ntrboot card, DS flashcart, and [[Sky3DS]]. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards.

== 2018 ==

=== January ===
A user reveals a method that brute-forces the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This method, called [[3DS:Seedminer|Seedminer]], allowed users to inject hacked DSiWare and install [[boot9strap]] with only one 3DS.

=== July ===
Nintendo releases version 11.8.

=== August ===
Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on Github, but nobody to date has been able to make the exploit work.

=== September ===
A new version of Seedminer called Frogminer is released. This variant of the exploit utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike the original, it was a completely free miner exploit.

=== December ===
Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh.

== 2019 ==

=== July ===
The exploit BannerBomb3, a userland primary exploit for System Settings that mostly uses the miner series as its secondary exploits, is first released.

=== December ===
The CCC hosts [https://gbatemp.net/threads/36c3-hacker-conference-underway-27th-to-30th-of-december-2019.555023/ 36c3] in Leipzig, Germany. During 36c3, [https://mrnbayoh.github.io/36c3/ MrNbaYoh gives a talk] that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely takeover a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to its potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started.

== 2020 ==

=== April ===
The exploit unSAFE_MODE, a new version of safehax for version 11.13, is first released.

=== July ===
Nintendo's HackerOne bounty program is closed on July 15th. [https://hackerone.com/nintendo/updates?type=team]

=== August ===
The exploit new-browserhax, the simplest and most potent browserhax yet, is released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13).

=== September ===
Nintendo shuts down retail production of all 3DS models.

=== October ===
The exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit is even simpler to activate than the original. (And it's a great meme)

=== November ===
Nintendo releases version 11.14.0-46, fixing a few last-minute submissions of exploits from the HackerOne bounty. This also fixes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point to back to Seedminer.

=== December ===
After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the exploits SSLoth and safecerthax. These two exploits, combined, created a full chain to boot9strap on o3DS models (and still do, when triggered through [[3DS:Safe Mode|Safe Mode]]).

TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM.

The exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs.

== 2021 ==

=== January ===
Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop.

=== April ===
The exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again.

The exploit [[3DS:Kartdlphax|kartdlphax]], a semi-primary exploit for Mario Kart 7, is released by PabloMK7 (creator of CTGP-7).

=== July ===
Nintendo releases version 11.15, which patches SSLoth in Safe Mode and both browserhax-xl exploits, ending the 'golden age' for good. Seedminer takes its place again.

== 2022 ==

=== August ===
Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn.

Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER on this title due to a typo in the web data module.

=== December ===
The exploit ENLBufferPwn, an online RCE exploit for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it also had potential for mass bricks and/or online cheats.

== 2023 ==

=== March ===
The exploit super-skaterhax, another n3DS-only primary browser exploit, is first released.

Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after.

=== May ===
Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while.

=== July ===
The exploit nimdsphax, a secondary exploit requiring userland access, is first released by TuxSH and luigoalma.

The exploit Kartminer7, a secondary exploit requiring Seedminer and a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie.

=== October ===
The exploit MSET9, a full exploit of System Settings with no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit.

=== December ===
Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie.
<references />Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp.