m (reword missed) |
StarlitSkies (talk | contribs) (overhaul conventions, create a (mostly) consistent style and tone, and patch the gaps where some bits of info that should be mentioned aren't) |
||
| Line 1: | Line 1: | ||
{{#approvable_by: users = Wariohax}}<!-- remove this when the page is moved to 3DS namespace --> | |||
<references />Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp. | |||
{{#approvable_by: users = Wariohax}}<!-- remove this when the page is moved to 3DS namespace --> | {{#approvable_by: users = Wariohax}}<!-- remove this when the page is moved to 3DS namespace --> | ||
<references />Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp. | <references />Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp. | ||
| Line 4: | Line 6: | ||
=== March === | === March === | ||
The official release of the Nintendo 3DS in the west, and the creation of the wiki [[3dbrew:Main_Page|3dbrew]]. | |||
=== June === | === June === | ||
The first 3DS roms are dumped. | |||
=== September === | === September === | ||
Crown3DS | Crown3DS gives a teaser implying the creation of a flashcart, but instead released an Engrish website promising the community that they are progressing. | ||
=== December === | === December === | ||
The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera. | |||
== 2012 == | == 2012 == | ||
=== Unknown Month === | === Unknown Month === | ||
It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.<ref>https://gbatemp.net/threads/3ds-hacking-scene-history.443396/</ref> | |||
=== March === | === March === | ||
The first (?) homebrew written in .cxi format, | The first (?) homebrew app is written in .cxi format, "Hello World", is written by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format) | ||
== 2013 == | == 2013 == | ||
=== August === | === August === | ||
[[Gateway-3DS]] is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an [https://www.3dbrew.org/wiki/System_Settings MSET] exploit combined with [https://github.com/naehrwert/p3ds/tree/df8f52a8c22b7f4758e1a47b2ca712d12be60bc6 p3ds] (python tools for the 3DS). | |||
=== December === | === December === | ||
Users in the community figure out how to reverse | Users in the community figure out how to reverse engineer [[Gateway-3DS]]' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND. | ||
== 2014 == | == 2014 == | ||
=== January === | === January === | ||
brickgate/brickway - A scandal where Gateway | brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, its code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire. | ||
=== March === | === March === | ||
The first commit of | The first commit of [https://citra-emulator.com/ Citra], the first major 3DS emulator, is released. | ||
=== November === | === November === | ||
[https://www.gamebrew.org/wiki/Palantine_CFW_3DS Palantine] (a CFW made by Yellows8 and other) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the EmuNAND not being updateable, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after. | |||
The | The flashcart [[Sky3DS]] is released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked. | ||
The | The userland exploit [https://gbatemp.net/threads/introducing-ninjhax-a-nintendo-3ds-homebrew-exploit.374233/ ninjhax] is officially released. | ||
== 2015 == | == 2015 == | ||
=== January === | === January === | ||
Gateway cracks 9.2 and updates their flashcards to OMEGA. | Gateway cracks 9.2 and updates their flashcards to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway, and teams such SALT, roxas75, and patois implement their own versions of it shortly after. | ||
=== February === | === February === | ||
[https://gbatemp.net/threads/release-rxtools-roxas75-3ds-toolkit-fw-2-0-9-2.382782/ rxTools] is first released by roxas75. | |||
=== May === | === May === | ||
PastaCFW (named after a leak of sigpatches on pastebin) is first released. It combined the works of patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware, though with no emuNAND support. | |||
A fork of rxTools with sigpatches is released by ahp_person (appletinivi), and roxas75 attempts to stop the patches from becoming widespread out of concerns over piracy. | |||
=== June === | === June === | ||
roxas75 eventually gives in due to popular demand, releasing the rxTools source and adding sigpatches in officially, then quits the homebrew scene immediately afterward. | |||
=== July === | === July === | ||
The | The exploit Ninjhax2x is first released. | ||
=== August === | === August === | ||
The | The exploits Tubehax and Ironhax are first released. | ||
* Tubehax was a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all firmware. | |||
* Ironhax was the first secondary userland exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax). | |||
ReiNand, the first fully-featured custom firmware to support the New 3DS, is released. | |||
=== September === | === September === | ||
The | The exploits Menuhax and Browserhax are first released. | ||
* Menuhax is a secondary exploit of the Home Menu that allows userland control to be gained immediately on boot. | |||
* Browserhax is a term for a series of primary exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax. | |||
=== December === | |||
An upgrade to Sky3DS, Sky3DS+, is released. Among others, its new features included bypassing cart-based AP in recent games and adding a filesystem-based game loading feature. | |||
The CCC hosts [https://gbatemp.net/threads/32c3-console-hacking-3ds-talk-dec-27-smea-derrek-plutoo.405640/ 32c3] in Hamburg, Germany. During 32c3, [https://smealum.github.io/3ds/32c3/ smealum gives a talk] where snshax, [[arm9loaderhax]], memchunkhax2, and ntrcardhax are revealed, & menuhax and ironhax receive updates to continue functioning. | |||
* snshax, menuchunkhax2, and ntrcardhax would ultimately be of little interest. | |||
* Arm9loaderhax was the first custom bootloader (and thus also the first coldboot custom firmware) for the 3DS, and although it was somewhat unsafe and risky to install, it was still a massive step forward for the homebrew community. | |||
== 2016 == | == 2016 == | ||
=== January === | === January === | ||
Downgrading is first introduced, allowing 10.x firmwares to revert to 9.2 for certain exploits. | |||
Downgrading patched | Downgrading would soon after be patched by version 10.4. | ||
=== February === | === February === | ||
[[arm9loaderhax]] is fully released, and becomes a mainstay of the scene. | |||
AuReiNand, a fork of ReiNAND, is released after a disagreement with ReiNand's original author (Reisukaku) caused the rest of the developer team to cut ties. Soon after, it would be renamed to Luma3DS and lose its official status as a fork to help distance itself even further. | |||
=== March === | === March === | ||
The | The exploit memchunkhax2.1 is released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time. | ||
=== May === | === May === | ||
| Line 103: | Line 106: | ||
=== July === | === July === | ||
A user reveals | A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time. | ||
=== September === | === September === | ||
Arm9loaderhax | Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (instant N3DS install). CTRNand Transfer would survive to see far more use, but OTPless was later removed from use due to having a small but completely random chance to brick. | ||
=== December === | === December === | ||
The CCC hosts [https://gbatemp.net/threads/33c3-console-hacking-2016-3ds-wiiu-talk-dec-27-30-smea-derrek-nedwill-naehrwert.450043/ 33c3] in Hamburg, Germany. During 33c3, [https://derrekr.github.io/3ds/33c3/ derrekr gives a talk] where soundhax, fasthax, and sighax are revealed. | |||
* Soundhax is a free (as opposed to ninjhax, which required Cubic Ninja, a paid game) userland primary exploit for Nintendo 3DS Sound made by nedwill. Almost all consoles at the time were vulnerable to this exploit. | |||
* Fasthax is another k11 (arm11 kernel) exploit, also made by nedwill. | |||
* [https://zoogie.github.io/sh/ Sighax] is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.<ref>https://wololo.net/2016/12/28/33c3-3ds-bootrom-cracked-sign-firmwares/</ref> | |||
Nintendo launches a bug bounty program for the 3DS, the bounties being $100 - $20,000 per exploit, this would have an affect of exploit developers moving away from public releases. | Nintendo launches a bug bounty program for the 3DS, the bounties being $100 - $20,000 per exploit, this would have an affect of exploit developers moving away from public releases. | ||
| Line 116: | Line 122: | ||
=== January === | === January === | ||
The arm9 exploit Safehax is released by the user appleTinivi after an anonymous user posted the method on 3dbrew. This exploit allows for full system control up to version 11.2, which significantly streamlined the process for installing a9lh; from this point on, it is reduced to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, and then restoring the original NAND and installing a9lh using their otp. | |||
=== February === | === February === | ||
safehax and fasthax are patched by the release of version 11.3, also permanently patching firm downgrading with DSiWare and hardmodding in the process. | |||
=== April === | === April === | ||
A previously-unknown k11 exploit, udsploit is first released by Smealum just as it's patched by the release of version 11.4. | |||
Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax. | |||
=== May === | === May === | ||
SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. [https://sciresm.github.io/33-and-a-half-c3/ During this talk], [[boot9strap]] and the concepts that would later allow [[ntrboot]] are revealed. | |||
* Boot9strap is effectively the sequel to arm9loaderhax, being a much cleaner custom bootloader that implements a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software. | |||
* Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool. | |||
Since firms can now be | Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack. | ||
=== June === | === June === | ||
The | The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did. | ||
=== August === | === August === | ||
[[Ntrboot]] is released, starting with support for | [[Ntrboot]] is first released, starting only with support for ak2i and R4 flashcards but quickly growing to others. | ||
=== September === | === September === | ||
The Gateway team reveals | The Gateway team reveals they have been working on a new flashcard called [[Stargate]], a supposed 3-in-1 hybrid of an ntrboot card, DS flashcart, and [[Sky3DS]]. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards. | ||
== 2018 == | == 2018 == | ||
=== January === | === January === | ||
A user reveals a method that brute-forces the movable.sed using only the | A user reveals a method that brute-forces the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This method, called [[3DS:Seedminer|Seedminer]], allowed users to inject hacked DSiWare and install [[boot9strap]] with only one 3DS. | ||
=== July === | === July === | ||
Nintendo releases | Nintendo releases version 11.8. | ||
=== August === | === August === | ||
Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on Github, but nobody to date has been able to make the exploit work. | |||
=== September === | === September === | ||
A new version of Seedminer | A new version of Seedminer called Frogminer is released. This variant of the exploit utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike the original, it was a completely free miner exploit. | ||
=== December === | === December === | ||
Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh. | |||
== 2019 == | == 2019 == | ||
=== July === | === July === | ||
The | The exploit BannerBomb3, a userland primary exploit for System Settings that mostly uses the miner series as its secondary exploits, is first released. | ||
=== December === | === December === | ||
The CCC hosts [https://gbatemp.net/threads/36c3-hacker-conference-underway-27th-to-30th-of-december-2019.555023/ 36c3] in Leipzig, Germany. During 36c3, [https://mrnbayoh.github.io/36c3/ MrNbaYoh gives a talk] that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely takeover a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to its potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started. | |||
== 2020 == | == 2020 == | ||
=== April === | === April === | ||
The exploit unSAFE_MODE, a new version of safehax for version 11.13, is first released. | |||
=== July === | === July === | ||
Nintendo's HackerOne bounty program is | Nintendo's HackerOne bounty program is closed on July 15th. [https://hackerone.com/nintendo/updates?type=team] | ||
=== August === | === August === | ||
The | The exploit new-browserhax, the simplest and most potent browserhax yet, is released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13). | ||
=== September === | === September === | ||
Nintendo shuts down | Nintendo shuts down retail production of all 3DS models. | ||
=== October === | === October === | ||
The exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit is even simpler to activate than the original. (And it's a great meme) | |||
=== November === | === November === | ||
Nintendo releases | Nintendo releases version 11.14.0-46, fixing a few last-minute submissions of exploits from the HackerOne bounty. This also fixes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point to back to Seedminer. | ||
=== December === | === December === | ||
After | After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the exploits SSLoth and safecerthax. These two exploits, combined, created a full chain to boot9strap on o3DS models (and still do, when triggered through [[3DS:Safe Mode|Safe Mode]]). | ||
TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM. | |||
The exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs. | |||
== 2021 == | == 2021 == | ||
=== January === | === January === | ||
Nintendo | Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop. | ||
=== April === | === April === | ||
The exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again. | |||
The exploit [[3DS:Kartdlphax|kartdlphax]], a semi-primary exploit for Mario Kart 7, is released by PabloMK7 (creator of CTGP-7). | |||
=== July === | === July === | ||
Nintendo releases | Nintendo releases version 11.15, which patches SSLoth in Safe Mode and both browserhax-xl exploits, ending the 'golden age' for good. Seedminer takes its place again. | ||
== 2022 == | == 2022 == | ||
=== August === | === August === | ||
Nintendo releases 11.16, breaking TuxSH's universal-otherapp combo | Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn. | ||
Nintendo also lays foundation for the eShop closure | Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER on this title due to a typo in the web data module. | ||
=== December === | === December === | ||
The exploit ENLBufferPwn, an online RCE exploit for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it also had potential for mass bricks and/or online cheats. | |||
== 2023 == | == 2023 == | ||
=== March === | === March === | ||
The exploit super-skaterhax, another n3DS-only primary browser exploit, is first released. | |||
Nintendo closes the eShop on the 27th, | Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after. | ||
=== May === | === May === | ||
Nintendo releases | Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while. | ||
=== July === | === July === | ||
The exploit nimdsphax, a secondary exploit requiring userland access, is first released by TuxSH and luigoalma. | |||
The exploit Kartminer7, a secondary exploit requiring Seedminer and a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie. | |||
=== October === | === October === | ||
The exploit MSET9, a full exploit of System Settings with no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit. | |||
=== December === | === December === | ||
Zoogie (?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie | Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie | ||
Revision as of 00:50, 14 March 2025
Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp.
Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp.
2011
March
The official release of the Nintendo 3DS in the west, and the creation of the wiki 3dbrew.
June
The first 3DS roms are dumped.
September
Crown3DS gives a teaser implying the creation of a flashcart, but instead released an Engrish website promising the community that they are progressing.
December
The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera.
2012
Unknown Month
It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.[1]
March
The first (?) homebrew app is written in .cxi format, "Hello World", is written by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format)
2013
August
Gateway-3DS is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an MSET exploit combined with p3ds (python tools for the 3DS).
December
Users in the community figure out how to reverse engineer Gateway-3DS' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND.
2014
January
brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, its code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire.
March
The first commit of Citra, the first major 3DS emulator, is released.
November
Palantine (a CFW made by Yellows8 and other) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the EmuNAND not being updateable, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after.
The flashcart Sky3DS is released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked.
The userland exploit ninjhax is officially released.
2015
January
Gateway cracks 9.2 and updates their flashcards to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway, and teams such SALT, roxas75, and patois implement their own versions of it shortly after.
February
rxTools is first released by roxas75.
May
PastaCFW (named after a leak of sigpatches on pastebin) is first released. It combined the works of patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware, though with no emuNAND support.
A fork of rxTools with sigpatches is released by ahp_person (appletinivi), and roxas75 attempts to stop the patches from becoming widespread out of concerns over piracy.
June
roxas75 eventually gives in due to popular demand, releasing the rxTools source and adding sigpatches in officially, then quits the homebrew scene immediately afterward.
July
The exploit Ninjhax2x is first released.
August
The exploits Tubehax and Ironhax are first released.
- Tubehax was a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all firmware.
- Ironhax was the first secondary userland exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax).
ReiNand, the first fully-featured custom firmware to support the New 3DS, is released.
September
The exploits Menuhax and Browserhax are first released.
- Menuhax is a secondary exploit of the Home Menu that allows userland control to be gained immediately on boot.
- Browserhax is a term for a series of primary exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax.
December
An upgrade to Sky3DS, Sky3DS+, is released. Among others, its new features included bypassing cart-based AP in recent games and adding a filesystem-based game loading feature.
The CCC hosts 32c3 in Hamburg, Germany. During 32c3, smealum gives a talk where snshax, arm9loaderhax, memchunkhax2, and ntrcardhax are revealed, & menuhax and ironhax receive updates to continue functioning.
- snshax, menuchunkhax2, and ntrcardhax would ultimately be of little interest.
- Arm9loaderhax was the first custom bootloader (and thus also the first coldboot custom firmware) for the 3DS, and although it was somewhat unsafe and risky to install, it was still a massive step forward for the homebrew community.
2016
January
Downgrading is first introduced, allowing 10.x firmwares to revert to 9.2 for certain exploits.
Downgrading would soon after be patched by version 10.4.
February
arm9loaderhax is fully released, and becomes a mainstay of the scene.
AuReiNand, a fork of ReiNAND, is released after a disagreement with ReiNand's original author (Reisukaku) caused the rest of the developer team to cut ties. Soon after, it would be renamed to Luma3DS and lose its official status as a fork to help distance itself even further.
March
The exploit memchunkhax2.1 is released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time.
May
R11
July
A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time.
September
Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (instant N3DS install). CTRNand Transfer would survive to see far more use, but OTPless was later removed from use due to having a small but completely random chance to brick.
December
The CCC hosts 33c3 in Hamburg, Germany. During 33c3, derrekr gives a talk where soundhax, fasthax, and sighax are revealed.
- Soundhax is a free (as opposed to ninjhax, which required Cubic Ninja, a paid game) userland primary exploit for Nintendo 3DS Sound made by nedwill. Almost all consoles at the time were vulnerable to this exploit.
- Fasthax is another k11 (arm11 kernel) exploit, also made by nedwill.
- Sighax is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.[2]
Nintendo launches a bug bounty program for the 3DS, the bounties being $100 - $20,000 per exploit, this would have an affect of exploit developers moving away from public releases.
2017
January
The arm9 exploit Safehax is released by the user appleTinivi after an anonymous user posted the method on 3dbrew. This exploit allows for full system control up to version 11.2, which significantly streamlined the process for installing a9lh; from this point on, it is reduced to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, and then restoring the original NAND and installing a9lh using their otp.
February
safehax and fasthax are patched by the release of version 11.3, also permanently patching firm downgrading with DSiWare and hardmodding in the process.
April
A previously-unknown k11 exploit, udsploit is first released by Smealum just as it's patched by the release of version 11.4.
Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax.
May
SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. During this talk, boot9strap and the concepts that would later allow ntrboot are revealed.
- Boot9strap is effectively the sequel to arm9loaderhax, being a much cleaner custom bootloader that implements a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software.
- Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool.
Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack.
June
The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did.
August
Ntrboot is first released, starting only with support for ak2i and R4 flashcards but quickly growing to others.
September
The Gateway team reveals they have been working on a new flashcard called Stargate, a supposed 3-in-1 hybrid of an ntrboot card, DS flashcart, and Sky3DS. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards.
2018
January
A user reveals a method that brute-forces the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This method, called Seedminer, allowed users to inject hacked DSiWare and install boot9strap with only one 3DS.
July
Nintendo releases version 11.8.
August
Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on Github, but nobody to date has been able to make the exploit work.
September
A new version of Seedminer called Frogminer is released. This variant of the exploit utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike the original, it was a completely free miner exploit.
December
Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh.
2019
July
The exploit BannerBomb3, a userland primary exploit for System Settings that mostly uses the miner series as its secondary exploits, is first released.
December
The CCC hosts 36c3 in Leipzig, Germany. During 36c3, MrNbaYoh gives a talk that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely takeover a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to its potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started.
2020
April
The exploit unSAFE_MODE, a new version of safehax for version 11.13, is first released.
July
Nintendo's HackerOne bounty program is closed on July 15th. [1]
August
The exploit new-browserhax, the simplest and most potent browserhax yet, is released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13).
September
Nintendo shuts down retail production of all 3DS models.
October
The exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit is even simpler to activate than the original. (And it's a great meme)
November
Nintendo releases version 11.14.0-46, fixing a few last-minute submissions of exploits from the HackerOne bounty. This also fixes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point to back to Seedminer.
December
After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the exploits SSLoth and safecerthax. These two exploits, combined, created a full chain to boot9strap on o3DS models (and still do, when triggered through Safe Mode).
TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM.
The exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs.
2021
January
Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop.
April
The exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again.
The exploit kartdlphax, a semi-primary exploit for Mario Kart 7, is released by PabloMK7 (creator of CTGP-7).
July
Nintendo releases version 11.15, which patches SSLoth in Safe Mode and both browserhax-xl exploits, ending the 'golden age' for good. Seedminer takes its place again.
2022
August
Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn.
Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER on this title due to a typo in the web data module.
December
The exploit ENLBufferPwn, an online RCE exploit for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it also had potential for mass bricks and/or online cheats.
2023
March
The exploit super-skaterhax, another n3DS-only primary browser exploit, is first released.
Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after.
May
Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while.
July
The exploit nimdsphax, a secondary exploit requiring userland access, is first released by TuxSH and luigoalma.
The exploit Kartminer7, a secondary exploit requiring Seedminer and a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie.
October
The exploit MSET9, a full exploit of System Settings with no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit.
December
Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie