3DS:Alternate Exploits/Installing boot9strap (Fredtool): Difference between revisions

From Hacks Guide Wiki
m (fix link 2)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:


To dump system DSiWare, we exploit a flaw in the DSiWare Data Management window of the Settings application.
== Technical Details ==
This method of using Seedminer for further exploitation uses your <code>movable.sed</code> file to decrypt any DSiWare title for the purposes of injecting an exploitable DSiWare title into the DS Internet Settings application.


To accomplish this, we use your system’s encryption key (movable.sed) to build a DSiWare backup that exploits the system to dump the DSi Internet Settings application to the SD root.
This is a currently working implementation of the “FIRM partitions known-plaintext” exploit detailed [https://www.3dbrew.org/wiki/3DS_System_Flaws here].
 
{{Warning
Once you have a DSiWare backup, an exploitable DSiWare title can be injected into DS Internet, which can be used to install custom firmware.
| text = You should only be able to get to this page if you are running version 11.16.0. If you are on any firmware other than 11.17.0 or 11.16.0, STOP as these instructions WILL LEAD TO A BRICK on other firmwares!!
}}


== What you need ==
== What You Need ==
*Your <code>movable.sed</code> file from completing [[3dsguide:seedminer|Seedminer]]
*The latest release of [https://github.com/zoogie/Frogminer/releases/latest Frogminer_save] (<code>Frogminer_save.zip</code>)
*'''11.16.0 or 11.17.0 users''': The v6.1.1 release of [https://github.com/zoogie/b9sTool/releases/download/v6.1.1/release_6.1.1.zip b9sTool] (direct download)
*The latest release of [https://github.com/LumaTeam/Luma3DS/releases/latest Luma3DS] (the Luma3DS <code>.zip</code> file)


* Your <code>movable.sed</code> file completing Mii Mining
== Instructions ==
* The latest release of [https://github.com/zoogie/b9sTool/releases/download/v6.0.1/release_6.0.1.zip Luma3DS] (the Luma3DS <code>.zip</code> file)
* The 6.0.1 release of [https://github.com/zoogie/b9sTool/releases/download/v6.0.1/release_6.0.1.zip b9stool] for 11.15.0-47 (direct download)
* The latest release of [https://github.com/zoogie/Frogminer/releases/download/v1.0/Frogminer_save.zip Frogminer_save] (direct download)


=== Section I - CFW Check ===
=== Section I - CFW Check ===
As an additional safety measure, we will perform an additional check for custom firmware. This is because using this method when custom firmware is already installed has a risk of bricking the console (rendering it unusable without recovery methods like ntrboot).
As an additional safety measure, we will perform an additional check for custom firmware. This is because using this method when custom firmware is already installed has a risk of bricking the console (rendering it unusable without recovery methods like [[3dsguide:ntrboot|ntrboot]]).


# Power off your device
#Power off your console
# Hold the (Select) button
#Hold the (Select) button
# Power on your device while still holding the (Select) button
# Power on your console while still holding the (Select) button
# If the check was successful, you will boot to the HOME Menu and you may proceed with this guide
#If the check was successful, you will boot to the HOME Menu and you may proceed with this guide
# Power off your device
#Power off your console
{{Warning
{{Critical
| text = If you see a configuration menu or the console immediately powers off, you already have CFW, and continuing with these instructions may BRICK your device! Follow Checking for CFW to upgrade your existing CFW.
| text = If you see a configuration menu or the console immediately powers off, you already have CFW, and continuing with these instructions may BRICK your console! Follow [https://3ds.hacks.guide/checking-for-cfw.html Checking for CFW] to upgrade your existing CFW.
}}
}}


=== Section II - Prep Work ===
=== Section II - BannerBomb3 ===
In this section, you will trigger the BannerBomb3 exploit using the DSiWare Management menu and copy the resulting file dump to your computer so that you can use it on the next section.


# Power off your device
#Reinsert your SD card into your console
# Insert your SD card into your computer
#Power on your console
# Copy <code>boot.firm</code> and <code>boot.3dsx</code> from the Luma3DS <code>.zip</code> to the root of your SD card
#Launch System Settings on your console
#* The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
#Navigate to <code>Data Management</code> -> <code>DSiWare</code> -> <code>SD Card</code> (image)
# Copy <code>boot.nds</code> (B9STool) from the release <code>.zip</code> to the root of your SD card
#*Your console should show the BB3 multihax menu
# Copy the <code>private</code> folder from the Frogminer_save <code>.zip</code> to the root of your SD card
#*If this step causes your console to crash, follow this troubleshooting guide
# Keep your SD card in your computer - there are more things to do in the next section
# Use the D-Pad to navigate and press the (A) button to select “Dump DSiWare”
#*Your console will automatically reboot
#Power off your console


=== Section III - BannerBomb3 ===
=== Section III - Prep Work ===
In this section, you will copy the files necessary to temporarily replace DS Connection Settings with Flipnote Studio, which is used to launch the boot9strap (custom firmware) installer.


# Power off your device
#Insert your SD card into your computer
# Insert your SD card into your computer
#Open the DSIHaxInjector_new website on your computer
# Open [http://3dstools.nhnarwhal.com/#/bb3gen Bannerbomb3 Injector] on your computer
#Under the “Username” field, enter any alphanumeric name (no spaces or special characters)
# Upload your movable.sed using the “Choose File” option
#Under the “DSiBin” field, upload your DSiWare backup file (e.g. 42383841.bin) from the root of your SD card using the first “Browse…” option
# Click “Build and Download”
#Under the “MovableSed” field, upload your <code>movable.sed</code> file using the second “Browse…” option
#* This will download an exploit DSiWare called <code>F00D43D5.bin</code> and a payload called <code>bb3.bin</code> inside of a zip archive (<code>DSIWARE_EXPLOIT.zip</code>)
#Under the “InjectionTarget” field, set the injection target to <code>DSinternet</code> (NOT memorypit)
# Copy <code>bb3.bin</code> from <code>DSIWARE_EXPLOIT.zip</code> to the root of your SD card
#Click “Build”
#* This file does not need to be opened or extracted 
#*Wait a few seconds for the build process to complete
# Navigate to <code>Nintendo 3DS</code> -> <code><ID0></code> -> <code><ID1></code> on your SD card
#In the Build History section on the left, type the Username into the “Filter Builds” field
#* <code><ID0></code> is the 32-letter folder name that you copied in Seedminer
#Click on the first search result
#* <code><ID1></code> is a 32-letter folder inside of the <code><ID0></code>
#*This result should have the latest timestamp
#* If you have multiple <code><ID1></code> folders, follow the instructions [[3dsguide:troubleshooting#bannerbomb3|here]]  and return to this page
#Click the “output_(name).zip” link
# Create a folder named <code>Nintendo DSiWare</code> inside of the <code><ID1></code>
#Navigate to <code>Nintendo 3DS</code> -> <code><ID0></code> -> <code><ID1></code> -> <code>Nintendo DSiWare</code> on your SD card  
#* If you already had the folder ''and'' there are any existing DSiWare backup files (<code><8-character-id>.bin</code>) inside, copy them to your PC and remove them from your SD card
#*<code><ID0></code> is the 32-letter folder name that you copied in Seedminer
# Copy the <code>F00D43D5.bin</code> file from <code>DSIWARE_EXPLOIT.zip</code> to the <code>Nintendo DSiWare</code> folder
#*<code><ID1></code> is a 32-letter folder inside of the <code><ID0></code>
# Delete <code>F00D43D5.bin</code> from your Nintendo DSiWare folder
#Copy the <code>42383841.bin</code> file from the <code>hax</code> folder of the downloaded DSiWare archive (output_(name).zip) to the <code>Nintendo DSiWare</code> folder
# Copy <code>boot.firm</code> and <code>boot.3dsx</code> from the Luma3DS <code>.zip</code> to the root of your SD card
#*The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
#Copy <code>boot.nds</code> (B9STool) from the release <code>.zip</code> to the root of your SD card
#Copy the <code>private</code> folder from the Frogminer_save <code>.zip</code> to the root of your SD card
#Reinsert your SD card into your console
# Power on your console


=== Section IV - Fredtool ===
=== Section IV - Overwriting DS Connection Settings ===
In this section, you will copy the hacked DS Connection Settings DSiWare to internal memory, which will temporarily replace it with Flipnote Studio.


# Open the [https://jenkins.nelthorya.net/job/DSIHaxInjector_new/build?delay=0sec DSIHaxInjector_new] website on your computer
#Launch System Settings on your console
# Under the “Username” field, enter any alphanumeric name (no spaces or special characters)
#Navigate to <code>Data Management</code> -> <code>DSiWare</code> -> <code>SD Card</code> (image)
#* You might want to put in a different name to differentiate it from BannerBomb3’s output
#Select the “Haxxxxxxxxx!” title
# Under the “DSiBin” field, upload your <code>42383841.bin</code> file using the first “Browse…” option
#*If you are unable to select the “Haxxxxxxxxx” title, follow this troubleshooting guide
# Under the “MovableSed” field, upload your <code>movable.sed</code> file using the second “Browse…” option
#Select “Copy”, then select “OK”
# Under the “InjectionTarget” field, set the injection target to <code>DSinternet</code>(NOT memorypit)
#Return to main menu of the System Settings
# Click “Build”
#Navigate to <code>Internet Settings</code> -> <code>Nintendo DS Connections</code>, then select “OK” (image)
#* Wait a few seconds for the build process to complete
#If the exploit was successful, your console will have loaded the JPN version of Flipnote Studio  
# In the Build History section on the left, type the Username into the “Filter Builds” field
#*If your console does not load the JPN version of Flipnote Studio, follow this troubleshooting guide
# Click on the first search result
#* This result should have the latest timestamp
# Click the “output_(name).zip” link
# Navigate to <code>Nintendo 3DS</code> -> <code><ID0></code> -> <code><ID1></code> -> <code>Nintendo DSiWare</code> on your SD card
# Delete <code>F00D43D5.bin</code> from your Nintendo DSiWare folder
# Copy the <code>42383841.bin</code>  file from the <code>hax</code> folder of the downloaded DSiWare archive (output_(name).zip) to the <code>Nintendo DSiWare</code> folder
# Reinsert your SD card into your device
# Power on your device
# Launch System Settings on your device
# Navigate to <code>Data Management</code> -> <code>DSiWare</code>
# Under the “SD Card” section, select the “Haxxxxxxxxx!” title
# Select “Copy”, then select “OK”
# Exit System Settings
# Return to main menu of the System Settings
# Navigate to <code>Internet Settings</code> -> <code>Nintendo DS Connections</code>, then select “OK” (image)
# If the exploit was successful, your 3DS will have loaded into the JPN version of Flipnote Studio


=== Section V - Flipnote Exploit ===
=== Section V - Flipnote Exploit ===
If you would prefer a visual guide to this section, one is available [https://zoogie.github.io/web/flipnote_directions/ here].
{{Info
 
| text = If you would prefer a visual guide to this section, one is available [https://zoogie.github.io/web/flipnote_directions/ here].
In this section, you will perform a series of very specific steps within Flipnote Studio that, when performed correctly, will launch the boot9strap (custom firmware) installer.
}}
In this section, you will perform a series of very specific steps within Flipnote Studio that, when performed correctly, will launch b9sTool, the boot9strap (custom firmware) installer.


# Complete the initial setup process for the launched game until you reach the main menu
#Complete the initial setup process for the launched game until you reach the main menu
#* Select the left option whenever prompted during the setup process
#* Select the left option whenever prompted during the setup process
# Using the touch-screen, select the large left box, then select the box with an SD card icon
#*If you encounter an issue while doing this section, check this troubleshooting guide for your issue
# Once the menu loads, select the face icon, then the bottom right icon to continue
#Using the touch-screen, select the large left box, then select the box with an SD card icon
# Press (X) or (UP) on the D-Pad depending on which is shown on the top screen
#Once the menu loads, select the face icon, then the bottom right icon to continue
# Select the second button along the top with a film-reel icon
#Press (X) or (UP) on the D-Pad depending on which is shown on the top screen
# Scroll right until reel “3/3” is selected
#Select the second button along the top with a film-reel icon
# Tap the third box with the letter “A” in it
#Scroll right until reel “3/3” is selected
# Scroll left until reel “1/3” is selected
#Tap the third box with the letter “A” in it
#Scroll left until reel “1/3” is selected
# Tap the fourth box with the letter “A” in it
# Tap the fourth box with the letter “A” in it
# If the exploit was successful, your device will have loaded b9sTool
#If the exploit was successful, your console will have loaded b9sTool
# Using the D-Pad, move to “Install boot9strap”
# Using the D-Pad, move to “Install boot9strap”
#* If you miss this step, the system will exit to HOME Menu instead of installing boot9strap and you will need to open Nintendo DS Connections and start over from the beginning of this section
#* If you miss this step, the system will exit to HOME Menu instead of installing boot9strap and you will need to open Nintendo DS Connections and start over from the beginning of this section
# Press (A), then press START and SELECT at the same time to begin the process
#Press (A), then press START and SELECT at the same time to begin the process
# Once completed and the bottom screen says “done.”, exit b9sTool, then power off your device
#Once completed and the bottom screen says “done.”, exit b9sTool, then power off your console
#* You may have to force power off by holding the power button
#*You may have to force power off by holding the power button
#* If your device shuts down when you try to power it on, ensure that you have copied <code>boot.firm</code> from the Luma3DS <code>.zip</code> to the root of your SD card
#*If your console shuts down when you try to power it on, ensure that you have copied <code>boot.firm</code> from the Luma3DS <code>.zip</code> to the root of your SD card
#* If you see the Luma Configuration screen, power off your device and continue to the next section
#*If you see the Luma Configuration screen, power off your console and continue to the next section


=== Section VI - Luma3DS Configuration ===
=== Section VI - Luma3DS Configuration ===
#Press and hold (Select), and while holding (Select), power on your console
#Your console should have booted into the Luma3DS configuration menu
#*Luma3DS configuration menu are settings for the Luma3DS custom firmware. Many of these settings may be useful for customization or debugging
#*For the purpose of this guide, '''leave these options on the default settings''' (do not check or uncheck anything)
#*If your console shuts down when you try to power it on, ensure that you have copied <code>boot.firm</code> from the Luma3DS <code>.zip</code> to the root of your SD card
#Press (Start) to save and reboot
At this point, your console will boot to Luma3DS by default.
*Luma3DS does not look any different from the normal HOME Menu. If your console has booted into the HOME Menu, it is running custom firmware.
*On the next page, you will install useful homebrew applications to complete your setup.


# Press and hold (Select), and while holding (Select), power on your device. This will launch Luma3DS configuration
=== Section VII - Restoring DS Connection Settings ===
#* Luma3DS configuration menu are settings for the Luma3DS custom firmware. Many of these settings may be useful for customization or debugging
In this section, you will restore DS Connection Settings to the way it was before it was temporarily replaced with Flipnote Studio in an earlier section.
#* For the purpose of this guide, these settings will be left on default settings
#* If you boot to HOME Menu, follow this troubleshooting guide
# Press (Start) to save and reboot
# Power off your device


=== Section VII - Restoring DS Internet ===
#Navigate to <code>Nintendo 3DS</code> -> <code><ID0></code> -> <code><ID1></code> -> <code>Nintendo DSiWare</code> on your SD card
#Copy the <code>42383841.bin</code>  file from the <code>clean</code> folder of the downloaded DSiWare archive (output_(name).zip) to the <code>Nintendo DSiWare</code> folder, replacing the existing one
#Reinsert your SD card into your console
#Power on your console
#Launch System Settings on your console
#Navigate to <code>Data Management</code> -> <code>DSiWare</code> -> <code>SD Card</code> (image)
#Select the “Nintendo DSi™” title
#Select “Copy”, then select “OK”


# Insert your SD card into your computer
<span style="font-size:200%;">Continue to [[3dsguide:finalizing-setup|Finalizing Setup]]</span>
# Navigate to <code>Nintendo 3DS</code> -> <code><ID0></code> -> <code><ID1></code> -> <code>Nintendo DSiWare</code> on your SD card
# Copy the <code>484E4441.bin</code>  file from the <code>clean</code> folder of the downloaded DSiWare archive (output_(name).zip) to the <code>Nintendo DSiWare</code> folder
# Reinsert your SD card into your device
# Power on your device
# Launch System Settings on your device
# Navigate to <code>Data Management</code> -> <code>DSiWare</code>
# Under the “SD Card” section, select the “Haxxxxxxxxx!” title
# Select “Copy”, then select “OK”
# Exit System Settings
# Power off your device
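Review bot: the new {{Warning}} text near the top of the page contradicts itself. Its first sentence says the reader should only be here on version 11.16.0, while its second sentence and the b9sTool requirement ("11.16.0 or 11.17.0 users") both allow 11.17.0 as well. Name both versions in the first sentence so that a reader on 11.17.0 is not told to stop by one sentence and to continue by the next. Two smaller points: the new Section II opens with "Reinsert your SD card into your console" although nothing earlier on this page removes the card, so say which page that step continues from; and the new Section VI is the only section after Section I without an introductory sentence.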

Latest revision as of 22:12, 18 July 2023

Technical Details

This method of using Seedminer for further exploitation uses your movable.sed file to decrypt any DSiWare title for the purposes of injecting an exploitable DSiWare title into the DS Internet Settings application.

This is a currently working implementation of the “FIRM partitions known-plaintext” exploit detailed here.

Warning: You should only be able to get to this page if you are running version 11.16.0. If you are on any firmware other than 11.17.0 or 11.16.0, STOP as these instructions WILL LEAD TO A BRICK on other firmwares!!

What You Need

  • Your movable.sed file from completing Seedminer
  • The latest release of Frogminer_save (Frogminer_save.zip)
  • 11.16.0 or 11.17.0 users: The v6.1.1 release of b9sTool (direct download)
  • The latest release of Luma3DS (the Luma3DS .zip file)

Instructions

Section I - CFW Check

As an additional safety measure, we will check for custom firmware once more. This is because using this method when custom firmware is already installed has a risk of bricking the console (rendering it unusable without recovery methods like ntrboot).

  1. Power off your console
  2. Hold the (Select) button
  3. Power on your console while still holding the (Select) button
  4. If the check was successful, you will boot to the HOME Menu and you may proceed with this guide
  5. Power off your console
Critical: If you see a configuration menu or the console immediately powers off, you already have CFW, and continuing with these instructions may BRICK your console! Follow Checking for CFW to upgrade your existing CFW.

Section II - BannerBomb3

In this section, you will trigger the BannerBomb3 exploit using the DSiWare Management menu and copy the resulting file dump to your computer so that you can use it in the next section.

  1. Reinsert your SD card into your console
  2. Power on your console
  3. Launch System Settings on your console
  4. Navigate to Data Management -> DSiWare -> SD Card (image)
    • Your console should show the BB3 multihax menu
    • If this step causes your console to crash, follow this troubleshooting guide
  5. Use the D-Pad to navigate and press the (A) button to select “Dump DSiWare”
    • Your console will automatically reboot
  6. Power off your console

Section III - Prep Work

In this section, you will copy the files necessary to temporarily replace DS Connection Settings with Flipnote Studio, which is used to launch the boot9strap (custom firmware) installer.

  1. Insert your SD card into your computer
  2. Open the DSIHaxInjector_new website on your computer
  3. Under the “Username” field, enter any alphanumeric name (no spaces or special characters)
  4. Under the “DSiBin” field, upload your DSiWare backup file (e.g. 42383841.bin) from the root of your SD card using the first “Browse…” option
  5. Under the “MovableSed” field, upload your movable.sed file using the second “Browse…” option
  6. Under the “InjectionTarget” field, set the injection target to DSinternet (NOT memorypit)
  7. Click “Build”
    • Wait a few seconds for the build process to complete
  8. In the Build History section on the left, type the Username into the “Filter Builds” field
  9. Click on the first search result
    • This result should have the latest timestamp
  10. Click the “output_(name).zip” link
  11. Navigate to Nintendo 3DS -> <ID0> -> <ID1> -> Nintendo DSiWare on your SD card
    • <ID0> is the 32-letter folder name that you copied in Seedminer
    • <ID1> is a 32-letter folder inside of the <ID0>
  12. Delete F00D43D5.bin from your Nintendo DSiWare folder
  13. Copy the 42383841.bin file from the hax folder of the downloaded DSiWare archive (output_(name).zip) to the Nintendo DSiWare folder
  14. Copy boot.firm and boot.3dsx from the Luma3DS .zip to the root of your SD card
    • The root of the SD card refers to the initial directory on your SD card where you can see the Nintendo 3DS folder, but are not inside of it
  15. Copy boot.nds (B9STool) from the release .zip to the root of your SD card
  16. Copy the private folder from the Frogminer_save .zip to the root of your SD card
  17. Reinsert your SD card into your console
  18. Power on your console
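
A pre-flight check for the file placement in steps 11 to 16, meant to be run on the computer before the SD card is reinserted (step 17). This is an added example, not part of the guide or of any tool it links to; the helper names are hypothetical, and it assumes that `<ID0>` and `<ID1>` folder names are 32 hexadecimal characters and that exactly one such pair exists on the card.

```python
import re
import tempfile
from pathlib import Path

# File and folder names are the ones used in Section III; helper names are hypothetical.
ROOT_FILES = ("boot.firm", "boot.3dsx", "boot.nds")
HAX_BACKUP = "42383841.bin"   # copied from the hax folder (step 13)
BB3_BACKUP = "F00D43D5.bin"   # must have been deleted (step 12)
# Assumption: <ID0> and <ID1> folder names are 32 hexadecimal characters.
HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def nonempty_file(path: Path) -> bool:
    """True if path is a regular file with content (catches interrupted copies)."""
    return path.is_file() and path.stat().st_size > 0


def find_id1_dirs(sd_root: Path) -> list:
    """Return every Nintendo 3DS/<ID0>/<ID1> directory on the card."""
    base = sd_root / "Nintendo 3DS"
    if not base.is_dir():
        return []
    found = []
    for id0 in sorted(base.iterdir()):
        if id0.is_dir() and HEX32.fullmatch(id0.name):
            found += [d for d in sorted(id0.iterdir())
                      if d.is_dir() and HEX32.fullmatch(d.name)]
    return found


def check_sd_layout(sd_root) -> list:
    """Return a list of problems; an empty list means the layout matches Section III."""
    sd_root = Path(sd_root)
    problems = []
    for name in ROOT_FILES:
        if not nonempty_file(sd_root / name):
            problems.append(f"{name} missing or empty in SD root")
    if not (sd_root / "private").is_dir():
        problems.append("private folder missing from SD root")
    id1_dirs = find_id1_dirs(sd_root)
    if len(id1_dirs) != 1:
        # With zero or several candidates the DSiWare folder cannot be identified.
        problems.append(f"expected exactly one <ID0>/<ID1> folder, found {len(id1_dirs)}")
        return problems
    dsiware = id1_dirs[0] / "Nintendo DSiWare"
    if not nonempty_file(dsiware / HAX_BACKUP):
        problems.append(f"{HAX_BACKUP} missing or empty in Nintendo DSiWare")
    if (dsiware / BB3_BACKUP).exists():
        problems.append(f"{BB3_BACKUP} still present in Nintendo DSiWare")
    return problems


def build_sample_card(root: Path, leftover_bb3: bool = False) -> Path:
    """Constructed sample layout with dummy file contents, for the demo only."""
    dsiware = root / "Nintendo 3DS" / ("0" * 32) / ("1" * 32) / "Nintendo DSiWare"
    dsiware.mkdir(parents=True)
    (root / "private").mkdir()
    for name in ROOT_FILES:
        (root / name).write_bytes(b"dummy")
    (dsiware / HAX_BACKUP).write_bytes(b"dummy")
    if leftover_bb3:
        (dsiware / BB3_BACKUP).write_bytes(b"dummy")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        card = build_sample_card(Path(tmp) / "card", leftover_bb3=True)
        for problem in check_sd_layout(card):
            print("PROBLEM:", problem)
```

To check a real card, pass its mount point to `check_sd_layout` in place of the constructed sample.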

Section IV - Overwriting DS Connection Settings

In this section, you will copy the hacked DS Connection Settings DSiWare to internal memory, which will temporarily replace it with Flipnote Studio.

  1. Launch System Settings on your console
  2. Navigate to Data Management -> DSiWare -> SD Card (image)
  3. Select the “Haxxxxxxxxx!” title
    • If you are unable to select the “Haxxxxxxxxx!” title, follow this troubleshooting guide
  4. Select “Copy”, then select “OK”
  5. Return to the main menu of System Settings
  6. Navigate to Internet Settings -> Nintendo DS Connections, then select “OK” (image)
  7. If the exploit was successful, your console will have loaded the JPN version of Flipnote Studio
    • If your console does not load the JPN version of Flipnote Studio, follow this troubleshooting guide

Section V - Flipnote Exploit

Info: If you would prefer a visual guide to this section, one is available here.

In this section, you will perform a series of very specific steps within Flipnote Studio that, when performed correctly, will launch b9sTool, the boot9strap (custom firmware) installer.

  1. Complete the initial setup process for the launched game until you reach the main menu
    • Select the left option whenever prompted during the setup process
    • If you encounter an issue while doing this section, check this troubleshooting guide for your issue
  2. Using the touch-screen, select the large left box, then select the box with an SD card icon
  3. Once the menu loads, select the face icon, then the bottom right icon to continue
  4. Press (X) or (UP) on the D-Pad depending on which is shown on the top screen
  5. Select the second button along the top with a film-reel icon
  6. Scroll right until reel “3/3” is selected
  7. Tap the third box with the letter “A” in it
  8. Scroll left until reel “1/3” is selected
  9. Tap the fourth box with the letter “A” in it
  10. If the exploit was successful, your console will have loaded b9sTool
  11. Using the D-Pad, move to “Install boot9strap”
    • If you miss this step, the system will exit to HOME Menu instead of installing boot9strap and you will need to open Nintendo DS Connections and start over from the beginning of this section
  12. Press (A), then press START and SELECT at the same time to begin the process
  13. Once completed and the bottom screen says “done.”, exit b9sTool, then power off your console
    • You may have to force power off by holding the power button
    • If your console shuts down when you try to power it on, ensure that you have copied boot.firm from the Luma3DS .zip to the root of your SD card
    • If you see the Luma Configuration screen, power off your console and continue to the next section

Section VI - Luma3DS Configuration

  1. Press and hold (Select), and while holding (Select), power on your console
  2. Your console should have booted into the Luma3DS configuration menu
    • The Luma3DS configuration menu contains settings for the Luma3DS custom firmware. Many of these settings may be useful for customization or debugging
    • For the purpose of this guide, leave these options on the default settings (do not check or uncheck anything)
    • If your console shuts down when you try to power it on, ensure that you have copied boot.firm from the Luma3DS .zip to the root of your SD card
  3. Press (Start) to save and reboot

At this point, your console will boot to Luma3DS by default.

  • Luma3DS does not look any different from the normal HOME Menu. If your console has booted into the HOME Menu, it is running custom firmware.
  • On the next page, you will install useful homebrew applications to complete your setup.

Section VII - Restoring DS Connection Settings

In this section, you will restore DS Connection Settings to the way it was before it was temporarily replaced with Flipnote Studio in an earlier section.

  1. Navigate to Nintendo 3DS -> <ID0> -> <ID1> -> Nintendo DSiWare on your SD card
  2. Copy the 42383841.bin file from the clean folder of the downloaded DSiWare archive (output_(name).zip) to the Nintendo DSiWare folder, replacing the existing one
  3. Reinsert your SD card into your console
  4. Power on your console
  5. Launch System Settings on your console
  6. Navigate to Data Management -> DSiWare -> SD Card (image)
  7. Select the “Nintendo DSi™” title
  8. Select “Copy”, then select “OK”

Continue to Finalizing Setup