(very bare bones start) |
StarlitSkies (talk | contribs) (give far more specific (and more correct) details on exploits mentioned, portray the rxTools dispute correctly, and add several more exploits to the timeline) |
||
| (31 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
{{#approvable_by: users = Wariohax}}<!-- remove this when the page is moved to 3DS namespace --> | |||
<references />Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp. | |||
== 2011 == | == 2011 == | ||
=== March === | === March === | ||
The official release of the Nintendo 3DS in the west, and the creation of the wiki [[3dbrew:Main_Page|3dbrew]]. | |||
=== June === | === June === | ||
The first 3DS roms are dumped. | |||
=== September === | === September === | ||
Crown3DS | Crown3DS gives a teaser implying the creation of a flashcart, but instead released a website written in broken English promising the community that they are progressing. | ||
=== December === | |||
The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera. | |||
== 2012 == | == 2012 == | ||
=== Unknown Month === | |||
It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.<ref>https://gbatemp.net/threads/3ds-hacking-scene-history.443396/</ref> | |||
=== March === | |||
The first (?) homebrew app is written in .cxi format, "Hello World", is written by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format) | |||
== 2013 == | |||
=== August === | |||
The flashcart [[Gateway-3DS]] is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an [https://www.3dbrew.org/wiki/System_Settings MSET] exploit combined with [https://github.com/naehrwert/p3ds/tree/df8f52a8c22b7f4758e1a47b2ca712d12be60bc6 p3ds] (python tools for the 3DS). | |||
=== December === | |||
Users in the community figure out how to reverse engineer [[Gateway-3DS]]' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND. | |||
== 2014 == | |||
=== January === | |||
brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, its code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire. | |||
=== March === | |||
The first commit of [https://citra-emulator.com/ Citra], the first major 3DS emulator, is released. | |||
=== August === | |||
The secondary userland exploit {{GitHub|yellows8/oot3dhax|oot3dhax}} is first released by yellows8. | |||
=== November === | |||
[https://www.gamebrew.org/wiki/Palantine_CFW_3DS Palantine] (a CFW made by Yellows8 and other) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the EmuNAND not being updateable, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after. | |||
The flashcart [[Sky3DS]] is first released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked. This ban risk was unfixable until full custom firmware was released, and by that point it became obsolete anyway. | |||
The primary userland exploit{{GitHub|smealum/ninjhax|ninjhax}} is first released by smealum. | |||
== 2015 == | |||
=== January === | |||
Gateway cracks firmware version 9.2 and updates their flashcarts to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway, and teams such SALT, roxas75, and patois implement their own versions of it shortly after. | |||
=== February === | |||
The custom firmware {{GitHub|roxas75/rxTools|rxTools}} is first released by roxas75, notable for being purely focused on utilitarian homebrew and trying to avoid piracy entirely to avoid all potential legal issues. | |||
=== May === | |||
The custom firmware PastaCFW is first released. It is named after a leak of sigpatches on pastebin, which was combined with patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware. Its only major caveat was that it had no emuNAND support. | |||
A fork of rxTools with PastaCFW's sigpatches is released by ahp_person (appletinivi), causing roxas75 to openly dispute him in an attempt to stop piracy from becoming a legal issue for the wider homebrew community. | |||
=== June === | |||
Once popular demand turns against him, roxas75 eventually gives in, releasing the rxTools source and officially adding sigpatches. He then, understandably, quits the homebrew scene immediately afterward and does not ever return. | |||
=== July === | |||
The primary userland exploit Ninjhax2x is first released. | |||
=== August === | |||
The exploits Tubehax and Ironhax are first released. | |||
* Tubehax is a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all versions. | |||
* Ironhax is the first secondary (userland) exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax). | |||
ReiNand, the first fully-featured custom firmware to support the New 3DS, is released. | |||
=== September === | |||
The exploits Menuhax and Browserhax are first released. | |||
* Menuhax is a secondary userland exploit targeting the Home Menu. After the one use of a primary exploit needed to install it, it gives fully untethered coldboot userland access by exploiting the Home Menu automatically as it loads. | |||
* Browserhax is a term for a series of primary userland exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax. | |||
=== December === | |||
An upgrade to Sky3DS, Sky3DS+, is released. Among others, its new features included bypassing cart-based AP in recent games and having a second button for more ease of selecting games. | |||
The CCC hosts [https://gbatemp.net/threads/32c3-console-hacking-3ds-talk-dec-27-smea-derrek-plutoo.405640/ 32c3] in Hamburg, Germany. During 32c3, [https://smealum.github.io/3ds/32c3/ smealum gives a talk] where snshax, [[arm9loaderhax]], memchunkhax2, and ntrcardhax are revealed, & menuhax and ironhax receive updates to continue functioning. | |||
* snshax and ntrcardhax would ultimately be of little interest, thanks to snshax being n3DS-only and ntrcardhax requiring an extremely specific type of modified flashcart that effectively didn't exist. | |||
* memchunkhax2 is a privilege escalation k11 exploit that, although not immediately useful, would quickly become the foundation of downgrading as part of other exploit chains. | |||
* Arm9loaderhax is an untethered coldboot custom firmware loader that is installed directly to the FIRM partitions. Although it was somewhat unsafe and risky to install through its entire lifetime, it was still a massive step forward for the homebrew community by allowing homebrew tools even larger amounts of control over the system. | |||
== 2016 == | |||
=== January === | |||
An exploit chain using memchunkhax2 is introduced, the first implementation of downgrading from 10.x firmwares to 9.2 for certain other exploits. | |||
Downgrading would soon after be patched by version 10.4. | |||
=== February === | |||
[[arm9loaderhax]] is fully released, and becomes a mainstay of the scene. | |||
The primary userland exploit ctr-httpwn is first released by yellows8. | |||
A complex dispute between the original author of ReiNand (Reisyukaku) and the rest of its developer team hits its first overt boiling point, causing them to cut ties as much as possible and officially fork the project into AuReiNand. | |||
=== March === | |||
The privilege escalation k11 exploit memchunkhax2.1 is first released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time. | |||
=== April === | |||
AuReiNand is renamed to Luma3DS, and work begins towards rewriting every line of code. Once this is done, they detach it from ReiNand's fork network on GitHub, which marks the point where it is converted into an entirely original project. | |||
The tool {{GitHub|dazjo/salt_sploit_installer|salt_sploit_installer}} is first released, being unique because it sets the stage for three secondary userland exploits very shortly afterward. | |||
Just a few days later, two of those three - {{GitHub|shinyquagsire23/v_hax|(v*)hax}} and {{GitHub|shinyquagsire23/supermysterychunkhax|supermysterychunkhax}} - are both first released by shinyquagsire23. | |||
=== May === | |||
The third secondary userland exploit to use salt_sploit_installer, {{GitHub|dazjo/humblehax|humblehax}}, is first released by dazjo. This one is especially notable because it required purchasing a limited-time game from Humble Bundle, a quirk not seen in any exploit before or since. | |||
=== June === | |||
The secondary userland exploit {{GitHub|MrNbaYoh/basehaxx|basehaxx}} is first released by MrNbaYoh. | |||
=== July === | |||
A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time. | |||
=== September === | |||
Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (an instant N3DS install method). CTRNand Transfer would be kept and see far more use later, but OTPless was later removed from use due to having a small but completely random chance to brick. | |||
=== December === | |||
The CCC hosts [https://gbatemp.net/threads/33c3-console-hacking-2016-3ds-wiiu-talk-dec-27-30-smea-derrek-nedwill-naehrwert.450043/ 33c3] in Hamburg, Germany. During 33c3, [https://derrekr.github.io/3ds/33c3/ derrekr gives a talk] where soundhax, fasthax, and sighax are revealed. | |||
* Soundhax is a primary userland exploit targeting Nintendo 3DS Sound that was made by nedwill. Because it was free (unlike ninjhax, which required Cubic Ninja, a paid game), almost all consoles at the time were vulnerable to this exploit. | |||
* Fasthax is another privilege escalation k11 exploit, also made by nedwill. | |||
* [https://zoogie.github.io/sh/ Sighax] is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.<ref>https://wololo.net/2016/12/28/33c3-3ds-bootrom-cracked-sign-firmwares/</ref> | |||
Nintendo launches a bug bounty program for the 3DS on HackerOne, with bounties from $100 - $20,000 per exploit. This caused exploit developers to start moving away from public releases. | |||
== 2017 == | |||
=== January === | |||
The privilege escalation k9 exploit chain safehax is first released by the user appleTinivi, after an anonymous user posted the method on 3dbrew. Through the use of this exploit chain (usable on all versions up to 11.2), the process for installing a9lh was significantly streamlined: specifically, it shortens the list of needed steps to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, restoring the original NAND, and installing a9lh using the otp. | |||
=== February === | |||
safehax and fasthax are patched by the release of version 11.3, also temporarily patching firm downgrading via DSiWare and hardmodding again in the process. | |||
=== April === | |||
A previously-unknown privilege escalation k11 exploit, udsploit is first released by Smealum just as it's patched by the release of version 11.4. However, it remains useful for those who stayed on version 11.3. | |||
Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax. | |||
=== May === | |||
SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. [https://sciresm.github.io/33-and-a-half-c3/ During this talk], [[boot9strap]] and the concepts that would later allow [[ntrboot]] are revealed. | |||
* Boot9strap is effectively the successor to arm9loaderhax, being another coldboot firmware loader that works in a much cleaner way by implementing a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software. | |||
* Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool. | |||
Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack. | |||
=== June === | |||
The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did. | |||
=== August === | |||
The first practical implementation of [[Ntrboot]] is released, starting only with support for ak2i and R4 flashcards but quickly growing to others. | |||
=== September === | |||
The Gateway team reveals they have been working on a new flashcard called [[Stargate]], a 3-in-1 hybrid of an ntrboot card, DS flashcart, and [[Sky3DS]]. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards. | |||
== 2018 == | |||
=== January === | |||
A user reveals a method to brute-force the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This entrypoint, called [[3DS:Seedminer|Seedminer]], allowed users to inject hacked DSiWare and install [[boot9strap]] with only one 3DS. | |||
=== July === | |||
Nintendo releases version 11.8. | |||
=== August === | |||
Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on Github, but nobody to date has been able to make the exploit work. | |||
=== September === | |||
The primary *miner exploit Frogminer is first released. This variant of the *miner exploit path utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike its predecessor, it is a completely free *miner exploit. | |||
=== December === | |||
Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh. | |||
== 2019 == | |||
=== July === | |||
The primary userland exploit BannerBomb3, which targeted System Settings and mostly used the *miner series to complete the exploit chain, is first released. | |||
=== December === | |||
The CCC hosts [https://gbatemp.net/threads/36c3-hacker-conference-underway-27th-to-30th-of-december-2019.555023/ 36c3] in Leipzig, Germany. During 36c3, [https://mrnbayoh.github.io/36c3/ MrNbaYoh gives a talk] that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely takeover a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to its potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started. | |||
== 2020 == | |||
=== April === | |||
The privilege escalation k9 exploit chain unSAFE_MODE, a revised version of safehax for version 11.13, is first released. Notably, this exploit chain would never be directly patched, but would be made unusuable when universal_otherapp is patched. | |||
=== July === | |||
Nintendo's HackerOne bounty program [https://hackerone.com/nintendo/updates?type=team is closed on July 15th.] | |||
=== August === | |||
The primary userland exploit new-browserhax, which is the simplest and most potent browserhax yet, is first released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13). | |||
=== September === | |||
Nintendo shuts down retail production of all 3DS models. | |||
=== October === | |||
The secondary exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit still requires initial userland access, but has even more privileges and is simpler to activate than the original. (And it's a great meme) | |||
=== November === | |||
Nintendo releases version 11.14.0-46, patching a few last-minute submissions of exploits from the HackerOne bounty. This includes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point to back to Seedminer. | |||
=== December === | |||
After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the entrypoint SSLoth and an exploit for it, safecerthax. Together, they create a full chain to boot9strap on o3DS models (and this chain still works on certain older versions, though it requires access to [[3DS:Safe Mode|Safe Mode]]). | |||
TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM. | |||
The primary userland exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs. | |||
== 2021 == | |||
=== January === | |||
Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop. | |||
=== April === | |||
The privilege escalation userland exploit chain nimhax, an expansion of ctr-httpwn that simultaneously takes over the nim sysmodule, is first released by luigoalma. | |||
The primary userland exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again. | |||
The semi-primary userland exploit [[3DS:Kartdlphax|kartdlphax]], an exploit for Mario Kart 7 that requires a second modded console, is first released by PabloMK7 (creator of CTGP-7). | |||
=== July === | |||
Nintendo releases version 11.15, which patches both browserhax-xl exploits, ending the 'golden age' for good in the process. It also patches SSLoth (which leaves safecerthax unpatched but unusuable), and as such Seedminer becomes the main exploit again. | |||
== 2022 == | |||
=== August === | |||
Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn. | |||
Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER on this title due to a typo in the web data module. | |||
=== December === | |||
The entrypoint ENLBufferPwn, an online RCE for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it could be used to remotely load universal-otherapp over the network; doing so would create a k9 exploit chain that also had potential for mass bricks, online cheats, remote installation of malware, or practically anything else (though with size constraints). By the time of disclosure, it was already being used in the wild to reset VR scores and interfere with races, making this claim of threat even more credible. | |||
== 2023 == | |||
=== March === | |||
The primary userland exploit super-skaterhax, another n3DS-only browser exploit, is first released. | |||
Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after. | |||
=== May === | |||
Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while. | |||
=== July === | |||
The privilege escalation "k11" exploit chain nimdsphax, an expansion of nimhax that also takes over the dsp sysmodule, is first released by TuxSH and luigoalma. It is notable in that it does not directly exploit k11, but instead disables GPU_PROT and then uses the GPU to directly overwrite k11 code. | |||
The secondary exploit Kartminer7, a secondary *miner exploit also requiring a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie. | |||
=== October === | |||
The primary k9 exploit MSET9, which targets System Settings and has no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit. | |||
=== December === | |||
Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie | |||
Latest revision as of 20:07, 14 March 2025
Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp.
2011
March
The official release of the Nintendo 3DS in the west, and the creation of the wiki 3dbrew.
June
The first 3DS roms are dumped.
September
Crown3DS gives a teaser implying the creation of a flashcart, but instead released a website written in broken English promising the community that they are progressing.
December
The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera.
2012
Unknown Month
It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.[1]
March
The first (?) homebrew app is written in .cxi format, "Hello World", is written by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format)
2013
August
The flashcart Gateway-3DS is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an MSET exploit combined with p3ds (python tools for the 3DS).
December
Users in the community figure out how to reverse engineer Gateway-3DS' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND.
2014
January
brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, its code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire.
March
The first commit of Citra, the first major 3DS emulator, is released.
August
The secondary userland exploit oot3dhax is first released by yellows8.
November
Palantine (a CFW made by Yellows8 and other) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the EmuNAND not being updateable, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after.
The flashcart Sky3DS is first released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked. This ban risk was unfixable until full custom firmware was released, and by that point it became obsolete anyway.
The primary userland exploitninjhax is first released by smealum.
2015
January
Gateway cracks firmware version 9.2 and updates their flashcarts to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway, and teams such SALT, roxas75, and patois implement their own versions of it shortly after.
February
The custom firmware rxTools is first released by roxas75, notable for being purely focused on utilitarian homebrew and trying to avoid piracy entirely to avoid all potential legal issues.
May
The custom firmware PastaCFW is first released. It is named after a leak of sigpatches on pastebin, which was combined with patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware. Its only major caveat was that it had no emuNAND support.
A fork of rxTools with PastaCFW's sigpatches is released by ahp_person (appletinivi), causing roxas75 to openly dispute him in an attempt to stop piracy from becoming a legal issue for the wider homebrew community.
June
Once popular demand turns against him, roxas75 eventually gives in, releasing the rxTools source and officially adding sigpatches. He then, understandably, quits the homebrew scene immediately afterward and does not ever return.
July
The primary userland exploit Ninjhax2x is first released.
August
The exploits Tubehax and Ironhax are first released.
- Tubehax is a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all versions.
- Ironhax is the first secondary (userland) exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax).
ReiNand, the first fully-featured custom firmware to support the New 3DS, is released.
September
The exploits Menuhax and Browserhax are first released.
- Menuhax is a secondary userland exploit targeting the Home Menu. After the one use of a primary exploit needed to install it, it gives fully untethered coldboot userland access by exploiting the Home Menu automatically as it loads.
- Browserhax is a term for a series of primary userland exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax.
December
An upgrade to Sky3DS, Sky3DS+, is released. Among others, its new features included bypassing cart-based AP in recent games and having a second button for more ease of selecting games.
The CCC hosts 32c3 in Hamburg, Germany. During 32c3, smealum gives a talk where snshax, arm9loaderhax, memchunkhax2, and ntrcardhax are revealed, & menuhax and ironhax receive updates to continue functioning.
- snshax and ntrcardhax would ultimately be of little interest, thanks to snshax being n3DS-only and ntrcardhax requiring an extremely specific type of modified flashcart that effectively didn't exist.
- memchunkhax2 is a privilege escalation k11 exploit that, although not immediately useful, would quickly become the foundation of downgrading as part of other exploit chains.
- Arm9loaderhax is an untethered coldboot custom firmware loader that is installed directly to the FIRM partitions. Although it was somewhat unsafe and risky to install through its entire lifetime, it was still a massive step forward for the homebrew community by allowing homebrew tools even larger amounts of control over the system.
2016
January
An exploit chain using memchunkhax2 is introduced, the first implementation of downgrading from 10.x firmwares to 9.2 for certain other exploits.
Downgrading would soon after be patched by version 10.4.
February
arm9loaderhax is fully released, and becomes a mainstay of the scene.
The primary userland exploit ctr-httpwn is first released by yellows8.
A complex dispute between the original author of ReiNand (Reisyukaku) and the rest of its developer team hits its first overt boiling point, causing them to cut ties as much as possible and officially fork the project into AuReiNand.
March
The privilege escalation k11 exploit memchunkhax2.1 is first released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time.
April
AuReiNand is renamed to Luma3DS, and work begins towards rewriting every line of code. Once this is done, they detach it from ReiNand's fork network on GitHub, which marks the point where it is converted into an entirely original project.
The tool salt_sploit_installer is first released, being unique because it sets the stage for three secondary userland exploits very shortly afterward. Just a few days later, two of those three - (v*)hax and supermysterychunkhax - are both first released by shinyquagsire23.
May
The third secondary userland exploit to use salt_sploit_installer, humblehax, is first released by dazjo. This one is especially notable because it required purchasing a limited-time game from Humble Bundle, a quirk not seen in any exploit before or since.
June
The secondary userland exploit basehaxx is first released by MrNbaYoh.
July
A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time.
September
Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (an instant N3DS install method). CTRNand Transfer would be kept and see far more use later, but OTPless was later removed from use due to having a small but completely random chance to brick.
December
The CCC hosts 33c3 in Hamburg, Germany. During 33c3, derrekr gives a talk where soundhax, fasthax, and sighax are revealed.
- Soundhax is a primary userland exploit targeting Nintendo 3DS Sound that was made by nedwill. Because it was free (unlike ninjhax, which required Cubic Ninja, a paid game), almost all consoles at the time were vulnerable to this exploit.
- Fasthax is another privilege escalation k11 exploit, also made by nedwill.
- Sighax is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.[2]
Nintendo launches a bug bounty program for the 3DS on HackerOne, with bounties from $100 - $20,000 per exploit. This caused exploit developers to start moving away from public releases.
2017
January
The privilege escalation k9 exploit chain safehax is first released by the user appleTinivi, after an anonymous user posted the method on 3dbrew. Through the use of this exploit chain (usable on all versions up to 11.2), the process for installing a9lh was significantly streamlined: specifically, it shortens the list of needed steps to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, restoring the original NAND, and installing a9lh using the otp.
February
safehax and fasthax are patched by the release of version 11.3, also temporarily patching firm downgrading via DSiWare and hardmodding again in the process.
April
A previously-unknown privilege escalation k11 exploit, udsploit is first released by Smealum just as it's patched by the release of version 11.4. However, it remains useful for those who stayed on version 11.3.
Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax.
May
SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. During this talk, boot9strap and the concepts that would later allow ntrboot are revealed.
- Boot9strap is effectively the successor to arm9loaderhax, being another coldboot firmware loader that works in a much cleaner way by implementing a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software.
- Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool.
Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack.
June
The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did.
August
The first practical implementation of Ntrboot is released, starting only with support for ak2i and R4 flashcards but quickly growing to others.
September
The Gateway team reveals they have been working on a new flashcard called Stargate, a 3-in-1 hybrid of an ntrboot card, DS flashcart, and Sky3DS. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards.
2018
January
A user reveals a method to brute-force the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This entrypoint, called Seedminer, allowed users to inject hacked DSiWare and install boot9strap with only one 3DS.
July
Nintendo releases version 11.8.
August
Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on Github, but nobody to date has been able to make the exploit work.
September
The primary *miner exploit Frogminer is first released. This variant of the *miner exploit path utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike its predecessor, it is a completely free *miner exploit.
December
Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh.
2019
July
The primary userland exploit BannerBomb3, which targeted System Settings and mostly used the *miner series to complete the exploit chain, is first released.
December
The CCC hosts 36c3 in Leipzig, Germany. During 36c3, MrNbaYoh gives a talk that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely takeover a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to its potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started.
2020
April
The privilege escalation k9 exploit chain unSAFE_MODE, a revised version of safehax for version 11.13, is first released. Notably, this exploit chain would never be directly patched, but would be made unusuable when universal_otherapp is patched.
July
Nintendo's HackerOne bounty program is closed on July 15th.
August
The primary userland exploit new-browserhax, which is the simplest and most potent browserhax yet, is first released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13).
September
Nintendo shuts down retail production of all 3DS models.
October
The secondary exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit still requires initial userland access, but has even more privileges and is simpler to activate than the original. (And it's a great meme)
November
Nintendo releases version 11.14.0-46, patching a few last-minute submissions of exploits from the HackerOne bounty. This includes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point to back to Seedminer.
December
After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the entrypoint SSLoth and an exploit for it, safecerthax. Together, they create a full chain to boot9strap on o3DS models (and this chain still works on certain older versions, though it requires access to Safe Mode).
TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM.
The primary userland exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs.
2021
January
Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop.
April
The privilege escalation userland exploit chain nimhax, an expansion of ctr-httpwn that simultaneously takes over the nim sysmodule, is first released by luigoalma.
The primary userland exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again.
The semi-primary userland exploit kartdlphax, an exploit for Mario Kart 7 that requires a second modded console, is first released by PabloMK7 (creator of CTGP-7).
July
Nintendo releases version 11.15, which patches both browserhax-xl exploits, ending the 'golden age' for good in the process. It also patches SSLoth (which leaves safecerthax unpatched but unusuable), and as such Seedminer becomes the main exploit again.
2022
August
Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn.
Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER on this title due to a typo in the web data module.
December
The entrypoint ENLBufferPwn, an online RCE for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it could be used to remotely load universal-otherapp over the network; doing so would create a k9 exploit chain that also had potential for mass bricks, online cheats, remote installation of malware, or practically anything else (though with size constraints). By the time of disclosure, it was already being used in the wild to reset VR scores and interfere with races, making this claim of threat even more credible.
2023
March
The primary userland exploit super-skaterhax, another n3DS-only browser exploit, is first released.
Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after.
May
Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while.
July
The privilege escalation "k11" exploit chain nimdsphax, an expansion of nimhax that also takes over the dsp sysmodule, is first released by TuxSH and luigoalma. It is notable in that it does not directly exploit k11, but instead disables GPU_PROT and then uses the GPU to directly overwrite k11 code.
The secondary exploit Kartminer7, a secondary *miner exploit also requiring a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie.
October
The primary k9 exploit MSET9, which targets System Settings and has no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit.
December
Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie