Revision as of 00:50, 14 March 2025 by StarlitSkies (overhaul conventions, create a (mostly) consistent style and tone, and patch the gaps where some bits of info that should be mentioned aren't)

Heavy adaption of zoogie's "A Pretty Brief History of the 3ds Hacking/Homebrew Scene" from the "3DS hacking scene history" section on GBAtemp.

2011

March

The official release of the Nintendo 3DS in the west, and the creation of the wiki 3dbrew.

June

The first 3DS roms are dumped.

September

Crown3DS gives a teaser implying the creation of a flashcart, but instead releases an Engrish website promising the community that they are progressing.

December

The first release of tools that convert video to the type of stereographic 3D video compatible with the Nintendo 3DS Camera.

2012

Unknown Month

It is believed that Neimod's hardware RAM dumps and internal research led to the first userland and a9 exploits.[1]

March

The first (?) homebrew app in .cxi format, "Hello World", is written by Xcution (author of CiTRUS, a tool that allows BaNneR and ICoN files to be made using the .xbsf format).

2013

August

Gateway-3DS is first released, and serves as the sole option for homebrew in the 3DS' early years. At this time, there was basic arm9 homebrew possible via an MSET exploit combined with p3ds (python tools for the 3DS).

December

Users in the community figure out how to reverse engineer Gateway-3DS' payload to create their own NAND emulation (or redirection). This leads to the users Smealum and Yellows8 creating a private payload called RedNAND.

2014

January

brickgate/brickway - A scandal where Gateway released a FIRM that intentionally bricks consoles using Gateway3DS flashcart clones (such as R4 and Orange3DS). On top of this, its code was written badly enough that it triggered on many legitimate Gateway3DS cartridges, bricking completely 'innocent' users in the crossfire.

March

The first commit of Citra, the first major 3DS emulator, is released.

November

Palantine (a CFW made by Yellows8 and others) is leaked, bringing a closed-source custom firmware to the public. However, it had limitations such as the EmuNAND not being updateable, having a low boot rate, and being difficult to install, among others. The thing it did best, running CIAs, would be taken and added to Gateway3DS shortly after.

The flashcart Sky3DS is released. It could play pirated roms on entirely stock consoles, but couldn't run homebrew and had a very high ban risk due to the way it worked.

The userland exploit ninjhax is officially released.

2015

January

Gateway cracks 9.2 and updates their flashcards to OMEGA. The user yifanlu makes a blog post about reverse engineering the memchunkhax/firmlaunchhax combo used by Gateway, and teams such as SALT, roxas75, and patois implement their own versions of it shortly after.

February

rxTools is first released by roxas75.

May

PastaCFW (named after a leak of sigpatches on pastebin) is first released. It combined the works of patois' Brahma (an open source memchunkhax/firmlaunchhax) to make the first open source custom firmware, though with no emuNAND support.

A fork of rxTools with sigpatches is released by ahp_person (appletinivi), and roxas75 attempts to stop the patches from becoming widespread out of concerns over piracy.

June

roxas75 eventually gives in due to popular demand, releasing the rxTools source and adding sigpatches in officially, then quits the homebrew scene immediately afterward.

July

The exploit Ninjhax2x is first released.

August

The exploits Tubehax and Ironhax are first released.

  • Tubehax was a primary userland exploit that took advantage of the 3DS YouTube app, but was unfortunately patched only a couple months later on all firmware.
  • Ironhax was the first secondary userland exploit, meaning it requires extra leverage to work (usually from a primary exploit such as Tubehax).

ReiNand, the first fully-featured custom firmware to support the New 3DS, is released.

September

The exploits Menuhax and Browserhax are first released.

  • Menuhax is a secondary exploit of the Home Menu that allows userland control to be gained immediately on boot.
  • Browserhax is a term for a series of primary exploits using the internet browsers for the n3DS and o3DS, which would become mainstays of the scene for a few more years before Nintendo finally killed off the potential for any new Browserhax.

December

An upgrade to Sky3DS, Sky3DS+, is released. Among others, its new features included bypassing cart-based AP in recent games and adding a filesystem-based game loading feature.

The CCC hosts 32c3 in Hamburg, Germany. During 32c3, smealum gives a talk where snshax, arm9loaderhax, memchunkhax2, and ntrcardhax are revealed, and menuhax and ironhax receive updates to continue functioning.

  • snshax, memchunkhax2, and ntrcardhax would ultimately be of little interest.
  • Arm9loaderhax was the first custom bootloader (and thus also the first coldboot custom firmware) for the 3DS, and although it was somewhat unsafe and risky to install, it was still a massive step forward for the homebrew community.


2016

January

Downgrading is first introduced, allowing 10.x firmwares to revert to 9.2 for certain exploits.

Downgrading would soon after be patched by version 10.4.

February

arm9loaderhax is fully released, and becomes a mainstay of the scene.

AuReiNand, a fork of ReiNand, is released after a disagreement with ReiNand's original author (Reisukaku) caused the rest of the developer team to cut ties. Soon after, it would be renamed to Luma3DS and lose its official status as a fork to help distance itself even further.

March

The exploit memchunkhax2.1 is released by Aliaspider, which allowed 9.2 downgrades to resume until version 10.7 patched it a second time.

May

R11

July

A user reveals a DSiWare-based firm downgrade method after several months' worth of teasers. The release of this allowed 9.2 downgrades to continue on versions 11.0 - 11.2, before being patched a third time.

September

Arm9loaderhax gains two new tools that make its installation even easier: CTRNand Transfer (shortening the install time of both new and old 3DS) and OTPless (instant N3DS install). CTRNand Transfer would survive to see far more use, but OTPless was later removed from use due to having a small but completely random chance to brick.

December

The CCC hosts 33c3 in Hamburg, Germany. During 33c3, derrekr gives a talk where soundhax, fasthax, and sighax are revealed.

  • Soundhax is a free (as opposed to ninjhax, which required Cubic Ninja, a paid game) userland primary exploit for Nintendo 3DS Sound made by nedwill. Almost all consoles at the time were vulnerable to this exploit.
  • Fasthax is another k11 (arm11 kernel) exploit, also made by nedwill.
  • Sighax is a complex exploit of a vulnerability in the bootrom revealed by derrekr; when used properly, it allows anyone to sign arbitrary firmware code without restrictions. derrekr also revealed vague details about how he dumped the 3DS ARM9/ARM11 bootroms, though gave no detail about the exact code.[2]

Nintendo launches a bug bounty program for the 3DS, with bounties of $100 - $20,000 per exploit. This would have the effect of exploit developers moving away from public releases.

2017

January

The arm9 exploit Safehax is released by the user appleTinivi after an anonymous user posted the method on 3dbrew. This exploit allows for full system control up to version 11.2, which significantly streamlined the process for installing a9lh; from this point on, it is reduced to directly downgrading to 2.1, using exploits on 2.1 to get a copy of otp.bin, and then restoring the original NAND and installing a9lh using their otp.

February

safehax and fasthax are patched by the release of version 11.3, also permanently patching firm downgrading with DSiWare and hardmodding in the process.

April

A previously-unknown k11 exploit, udsploit, is first released by Smealum just as it's patched by the release of version 11.4.

Safehax is updated to work on 11.3 by AppleTinivi due to an oversight in Nintendo's previous patch for safehax.

May

SciresM creates and gives an unofficial sequel to 33c3, 33.5c3. During this talk, boot9strap and the concepts that would later allow ntrboot are revealed.

  • Boot9strap is effectively the sequel to arm9loaderhax, being a much cleaner custom bootloader that implements a FIRM sighax signature. Because of how it works, it carries near-zero brick risk and gains control early enough to keep access to the bootroms and decrypted OTP, allowing it to dump them in software.
  • Ntrboot allows for any correctly signed firm to be booted from a DS cartridge when the correct keycombo is held down, which also skips the entire normal boot process. This allows it to serve both as an instant custom firmware installation method and an extremely potent unbricking tool.

Since legitimate firms can now be created with nothing more than NAND access, DSiWare and hardmod-based downgrades resume on the latest firmware by using the known plaintext attack.

June

The n2DSXL is released in Australia, and it is quickly discovered that it happens to have the same vulnerable bootroms as the old 3DS models did.

August

Ntrboot is first released, starting only with support for ak2i and R4 flashcards but quickly growing to others.

September

The Gateway team reveals they have been working on a new flashcard called Stargate, a supposed 3-in-1 hybrid of an ntrboot card, DS flashcart, and Sky3DS. It was abandoned after a few months due to people seeking out cheaper options for ntrboot cards.

2018

January

A user reveals a method that brute-forces the movable.sed using only the LocalFriendCodeSeed (which is obtainable in userland). This method, called Seedminer, allowed users to inject hacked DSiWare and install boot9strap with only one 3DS.

July

Nintendo releases version 11.8.

August

Smealum reveals an arm9 exploit chain that he had been teasing at defcon, but it had already been patched in version 11.8 because he disclosed it to the HackerOne bug bounty program earlier on. As part of the reveal, he posted the incomplete repos on GitHub, but nobody to date has been able to make the exploit work.

September

A new version of Seedminer called Frogminer is released. This variant of the exploit utilizes an old version of the Japanese Flipnote Studio injected into DS Download Play instead of using Sudoku, meaning unlike the original, it was a completely free miner exploit.

December

Nintendo releases version 11.9, patching an unreleased browser exploit for both the O3DS and N3DS thanks to another HackerOne bounty submission by the userland exploit developer MrNbaYoh.

2019

July

The exploit BannerBomb3, a userland primary exploit for System Settings that mostly uses the miner series as its secondary exploits, is first released.

December

The CCC hosts 36c3 in Leipzig, Germany. During 36c3, MrNbaYoh gives a talk that demonstrates a new primary exploit chain: using StreetPass tags, someone could remotely take over a 3DS in userland and install custom firmware, with zero user interaction required. This would set up further exploits developed by TuxSH and Lazypixie which would take over the ARM11 kernel, and later on Safehax 2.x to also take over ARM9. However, due to its potential for malicious use (i.e. remotely bricking consoles), this exploit chain was submitted to HackerOne sometime earlier and patched in version 11.12, two months before 36c3 started.

2020

April

The exploit unSAFE_MODE, a new version of safehax for version 11.13, is first released.

July

Nintendo's HackerOne bounty program is closed on July 15th. [1]

August

The exploit new-browserhax, the simplest and most potent browserhax yet, is released for both the n3DS and o3DS by zoogie. This begins a temporary 'golden age' where installing CFW is the easiest it ever has been, or will be (as of 2025-03-13).

September

Nintendo shuts down retail production of all 3DS models.

October

The exploit menuhax67, the successor to Yellows8's menuhax, is first released by zoogie. This version of the exploit is even simpler to activate than the original. (And it's a great meme)

November

Nintendo releases version 11.14.0-46, fixing a few last-minute submissions of exploits from the HackerOne bounty. This also fixes zoogie's new-browserhax, which ends the 'golden age' temporarily and changes the main userland entry point back to Seedminer.

December

After the one month cooldown between each submission of bugs to HackerOne, MrNbaYoh and TuxSH disclose the exploits SSLoth and safecerthax. These two exploits, combined, created a full chain to boot9strap on o3DS models (and still do, when triggered through Safe Mode).

TuxSH updates universal-otherapp to include a new exploit chain (based on smpwn, spipwn, khax and agbhax) that works on NATIVE_FIRM.

The exploit new-browserhax-xl is released by zoogie, resuming the 'golden age' of easy CFW installs.

2021

January

Nintendo ends Unity3DS and many debugging/dev hardware items in one fell swoop.

April

The exploit old-browserhax-xl is first released by zoogie, complementing new-browserhax-xl so that all consoles have a browser exploit available again.

The exploit kartdlphax, a semi-primary exploit for Mario Kart 7, is released by PabloMK7 (creator of CTGP-7).

July

Nintendo releases version 11.15, which patches SSLoth in Safe Mode and both browserhax-xl exploits, ending the 'golden age' for good. Seedminer takes its place again.

2022

August

Nintendo releases version 11.16, breaking TuxSH's universal-otherapp combo by patching smpwn.

Nintendo also lays the foundation for the eShop closure by updating MINT/ESHOP to handle shutting down eShop payments. Just two weeks later, they would update the NVER on this title due to a typo in the web data module.

December

The exploit ENLBufferPwn, an online RCE exploit for Mario Kart 7, is disclosed by PabloMK7 after it was already patched in version 1.2 of the game. Although it had potential for custom firmware, PabloMK7 disclosed it because it also had potential for mass bricks and/or online cheats.

2023

March

The exploit super-skaterhax, another n3DS-only primary browser exploit, is first released.

Nintendo closes the eShop on the 27th, restricting all exploits that relied on free games and DSiWare to people who had bought them before its close. These exploits were removed from the guide's main paths shortly after.

May

Nintendo releases version 11.17, patching BannerBomb3 and leaving the o3DS with no free softmod method for the first time in a while.

July

The exploit nimdsphax, a secondary exploit requiring userland access, is first released by TuxSH and luigoalma.

The exploit Kartminer7, a secondary exploit requiring Seedminer and a copy of Mario Kart 7 (can be either physical or digital), is first released by zoogie.

October

The exploit MSET9, a full exploit of System Settings with no extra requirements, is first released by zoogie. This restores free softmod access for the o3DS, but also works consistently on the n3DS as well and is generally an extremely stable exploit.

December

Zoogie(?) calls it quits and is looking forward to future challenges whilst appreciating the time "he had helping people unlock their 3DSs!" -zoogie