|
|
(10 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| {{Infobox 3DS Homebrews | | {{Infobox 3DS Homebrews |
| |title=BootCtr9 | | |title=BootCtr9 |
| |image=BootCtr9.jpeg | | |image=Bootntr93ds2.png |
| |description=3DS ARM9 code execution at boot | | |description=3DS ARM9 code execution at boot. |
| |author=hartmannaf | | |author=Hartie95 (hartmannaf) |
| |lastupdated=2016/07/13 | | |lastupdated=2016/07/13 |
| |type=PC Utilities | | |type=Utilities |
| |version=Pre-v1.0 | | |version=Pre-v1.0 |
| |license=Mixed | | |license=GPL-2.0 |
| |download=https://dlhb.gamebrew.org/3dshomebrew/BootCtr9-3DS.rar | | |download=https://dlhb.gamebrew.org/3dshomebrews/bootctr93ds.7z |
| |website=https://github.com/hartmannaf/BootCtr9 | | |website=https://github.com/hartmannaf/BootCtr9 |
| |source=https://github.com/hartmannaf/BootCtr9 | | |source=https://github.com/hartmannaf/BootCtr9 |
| | |donation=https://www.patreon.com/hartie95 |
| }} | | }} |
| <youtube>XI-bt5WNYT0</youtube>
| | {{Obsolete}} |
| | BootCTR9 is an ARM9 bootloader for the 3DS System. It's based on [[BootCtr_3DS|BootCTR]] and its configuration, but with some additional features. |
|
| |
|
| == What is BootCTR9 ==
| | It's for arm9loaderhax users only, but it should be possible to load it with any arm9payload loader, that allows the loading a payload from offset 0x0. |
|
| |
|
| BootCTR9 is an ARM9 bootloader for the 3DS System. It's based on BootCTR and its configuration, but with some additional features. It's currently for arm9loaderhax users only, but it should be possible to load it with any arm9payload loader, that allows the loading a payload from offset 0x0.
| | ==Features== |
| | * Boot ARM9 payloads (.dat and .bin). |
| | * Setting a delay to be able to press the payloads button after powering the 3DS on. |
| | * Setting a boot delay, between the selection of the payload and running it, which allows to press the button combinations for the payload. |
| | * Enabling and disabling of the screen. |
| | * Setting the screen brightness for BootCTR9 and the payloads. |
| | * Show splashscreens. |
| | * Show bootanimations (based on BootAnim9). |
| | * Detect softboots and skip the payload selection and splashscreen. |
| | * Path the payloads path in it's binary (currently only needed in LumaCFW). |
|
| |
|
| == What it's able to do == | | ==User guide== |
| | For information about it and its usage [https://github.com/Hartie95/BootCtr9/wiki/Usage official wiki page]. |
|
| |
|
| * Boot ARM9 payloads(.dat and .bin)
| | See also the [https://gbatemp.net/threads/magikarp-custom-splash-screens-thread.410948/ Custom Splash Screens thread]. |
| * Setting a delay to be able to press the payloads button after powering the 3DS on
| |
| * Setting a boot delay, between the selection of the payload and running it, which allows to press the button combinations for the payload
| |
| * Enabling and disabling of the screen
| |
| * Setting the screen brightness for BootCTR9 and the payloads
| |
| * Show splashscreens
| |
| * Show bootanimations (based on BootAnim9)
| |
| * Detect softboots and skip the payload selection and splashscreen
| |
| * Path the payloads path in it's binary (currently only needed in LumaCFW)
| |
|
| |
|
| == What it's not able to do == | | ==Changelog== |
| | '''Pre-v1.0''' |
| | * Support to configure the payloads screen brightness. |
| | * Configurable softboot features. |
| | ** Fast softboot -> its now possible to automaticly load the latest payload that got loaded. |
| | ** Softboot splash configuration -> it's now possible enable/disable the splash on softboots. |
| | * Support for top screen booanimations (compressed and uncompressed). |
| | * Automatic path patching for luma. |
| | * Support for a9lh netloader companion. |
| | * Support to use multiple framebuffers. |
| | * Boot passwords -> prevent other people from booting anything that's not the default payload. |
|
| |
|
| * Boot .3dsx files | | ==Credits== |
| * Use the ZL and ZR buttons(maybe in the future) | | * Smealum and contributors for libctru. |
| | * Normmatt for sdmmc.c and .h, and also for .ld files and the log from XDS by ichfly that provided us some of the information needed to get screen init. |
| | * Christophe Devine for the SHA codes. |
| | * Archshift for i2c.c and .h. |
| | * Megazig for crypto.c and .h. |
| | * Patois for original BRAHMA code. |
| | * Smealum, Derrek, Plutoo for publishing the exploit. |
| | * Yellows8 and Plutoo as ideators of it. |
| | * [http://3dbrew.org/ 3dbrew community]. |
| | * bilis/b1l1s for his screen init code, and work on inegrating it into stage 2. |
| | * dark_samus for work on integrating screen init into stage 2. |
| | * m45t3r for the base BootCTR version as .3dsx. |
| | * delibles for the base implementation of arm9loaderhax. |
|
| |
|
| == Planned Features == | | ==External links== |
| | | * GitHub - https://github.com/Hartie95/BootCtr9 |
| * Arm9Companion support
| | * GBAtemp - https://gbatemp.net/threads/support-the-bootctr9-support-thread.435348 |
| * Support for the new BootAnim9 Animations
| |
| * An ARM11 API for ARM9 Payloads
| |
| | |
| == How to build it ==
| |
| | |
| == BootCTR9 Dev builds ==
| |
| | |
| BootCTR9 Dev Builds are frequently released on gbatemp, check out the arm9loaderhax technical discussion thread to find them.
| |
| | |
| == Requirements ==
| |
| | |
| === BootCTR9 ===
| |
| | |
| * devkitARM r45
| |
| | |
| === BootCTRs ARM9loaderhax fork ===
| |
| | |
| ==== Software ====
| |
| | |
| * devkitARM r45
| |
| * libctru (ver. 1.0.0)
| |
| * Python 2.7 with PyCcrypto
| |
| * GCC or MinGW (Only needed to compile the buildt-in tool, you can download a pre-compiled windows build here, place it in common folder)
| |
| | |
| ==== Files ====
| |
| | |
| Some files are needed in order to make the setup compilable, be sure to put the following files in the '''data_input''' folder, you have to find them on your own:
| |
| | |
| {|
| |
| ! Name
| |
| ! Description
| |
| ! SHA-256
| |
| |-
| |
| | '''new3ds10.firm'''
| |
| | New3DS NATIVE_FIRM from system version 10.2.
| |
| | d253c1cc0a5ffac6b383dac1827cfb3b2d3d566c6a1a8e5254e389c2950623e5
| |
| |-
| |
| | '''new3ds90.firm'''
| |
| | New3DS NATIVE_FIRM from system version 9.0.
| |
| | d7be76e1813f398dcea85572d0c058f7954761a1d5ea03b5eb5047ac63ac5d6b
| |
| |-
| |
| | '''secret_sector.bin'''
| |
| | The New 3DS secret 0x96 key sector.
| |
| | 82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3
| |
| |-
| |
| | '''otp.bin'''
| |
| | A dump of your console OTP data from region 0x10012000-0x10012100. Using other console's OTP will result in a brick.
| |
| |
| |
| |}
| |
| | |
| == Build commands ==
| |
| | |
| * '''make''' : This will compile all the files
| |
| * '''make bootloader''' : This will only build BootCTR9 (arm9bootloader.bin) and the BootCTR9 loader (armloaderhax.bin)
| |
| * '''make hax''' : This will skip the 3DSX installer compilation
| |
| * '''make stage2_update''' : This will generate an updater pack with only the secondary payload, mainly for updating the exploit files.
| |
| | |
| == How to use BootCTR9 ==
| |
| | |
| == General Information ==
| |
| | |
| There are two official supported way you could use BootCTR9, using the "arm9bootloader.bin" and BootCTR9s a9lh fork, or using the "arm9loaderhax.bin" for normal a9lh forks. Besides this it should be possible to use BootCTR9 with other ways to load arm9 payloads, if you are able to load it from payload address 0.
| |
| | |
| Beside the payload itself you need to always put an boot_config.ini in one of the supported folders on your SD-card. This configuration file is needed to tell BootCTR9 which payload it should load in which case, and to configure all the other features of BootCTR9.
| |
| | |
| == Normal a9lh + arm9loaderhax.bin ==
| |
| | |
| This method allows you to use BootCTR9 with any normal a9lh fork, but you are forced to put the "arm9loaderhax.bin" in your SD-cards root directory. You also don't need to copy the "arm9bootloader.bin" to your SD-card, since it's already included in the "arm9loaderhax.bin"
| |
| | |
| == BootCTR9s a9lh + arm9bootloader.bin ==
| |
| | |
| This method allows you to keep your root directory as clean as possible, because you don't need an "arm9loaderhax.bin" on your SD-cards root. For this method you need to copy the "arm9bootloader.bin" in one of the supported folders.
| |
| | |
| == Supported Folders ==
| |
| | |
| There are some files, that you could only put in certain folder.
| |
| | |
| The supported folders are the following:
| |
| | |
| * /arm9loaderhax
| |
| * /a9lh
| |
| * /arm9bootloader
| |
| * /
| |
| | |
| == Splashscreens and Animations ==
| |
| | |
| To use splashscreens and animations, you simple need to set "splash" for an payload splash and "boot_splash" for an generell BootCTR9 splash (check out the [[Configuration|configuration Page]] for the values). After this set "splash_image" or "boot_splash_image" to the filepath of your splashimage or animation. For animations its also possible to set the framerate, for this the bootloader searches for a '''plaintext file named "[animationpath].cfg"''' or a '''binary file named "[animationpath].cfgb"'''.
| |
| | |
| The first two characters of the '''plaintext configuration''' will be used for the framerate, and after that "lzd" will identify an compressed animation.
| |
| | |
| In an '''binary configuration''', the first Byte will be used as Framerate, and setting the second byte to 1 will identify compressed animations.
| |
| | |
| While its in theory possible to use animations with high framerates, the SD-cards read-speed is very limited, so that its possible that you need to use a lower framerate for your animation.
| |
| | |
| To '''stop an animation''' before it's finished, you jest need to press [START]+[SELECT].
| |
| | |
| == File structure ==
| |
| | |
| Besides the payload and configuration file, you are completely free to organize your files, the way you want to, but a good way to do it would be something like this:
| |
| | |
| * /(arm9loaderhaxfolder)/Payloads/
| |
| * /(arm9loaderhaxfolder)/Splashscreens/
| |
| * /(arm9loaderhaxfolder)/Animations/
| |
| * /(arm9loaderhaxfolder)/boot_config.ini
| |
| * /(arm9loaderhaxfolder)/arm9bootloader.bin (if needed) | |
| | |
| == The configuration file ==
| |
| | |
| To know what it should load and do, BootCTR9 needs a configuration file, that's based on BootCTR ones.
| |
| | |
| == BootCTR9s main configuration ==
| |
| | |
| The main option of BootCTR9 itself are in the [BOOTCTR9] region of your configuration
| |
| | |
| {|
| |
| ! Name
| |
| ! Description
| |
| ! Default Value
| |
| |-
| |
| | key_delay
| |
| | Time in ms to wait for a button press
| |
| | 100
| |
| |-
| |
| | bootPassword
| |
| | The password needed to load a non default payload. The max-length should be arround 10 Keys. The password needs to by defined by KEY_* seperated by a space. example: KEY_X KEY_X KEY_A
| |
| |
| |
| |-
| |
| | enableAutosoftboot
| |
| | Enable or disable the automatic selection of the latest selected configuration on softboot (for example KEY_UP)
| |
| | 0
| |
| |-
| |
| | enableArm9CompanionBoot
| |
| | Enables or disables the autoatic booting of an payload defined in the "COMPANION" section. This payload will be renamed after execution to PAYLOADNAME.old. This aption is mostly ineressting for developers of arm9 Payloads.
| |
| |
| |
| |-
| |
| | enableSoftbootSplash
| |
| | Enable or disable splashes and animation on softboot
| |
| | 0
| |
| |-
| |
| | boot_splash
| |
| | Enables or disables the splash or animation that is shown while waiting for a button press. This also defines the type of media that is shown
| |
| | 0
| |
| |-
| |
| | boot_splash_image
| |
| | Path to the image or animation you want to use as boot splash
| |
| |
| |
| |-
| |
| | fileLog
| |
| | Enables or disables the logging to a file
| |
| | 0
| |
| |-
| |
| | screenLog
| |
| | Enable or disable the printing of debug output to the screen
| |
| | 0
| |
| |-
| |
| | screenEnabled
| |
| | Enable or disable the Screen at boot
| |
| | 1
| |
| |-
| |
| | screenBrightness
| |
| | Set the screen brightness used while BootCTR9 is running. [https://docs.google.com/spreadsheets/d/1hZ9QfDdIVrpZqtnCYAd8uDWvlNZB35Q8oGDyU09R0HQ/pubhtml?gid=0&single=true List of available brightnesslevels]
| |
| | 0xFF
| |
| |}
| |
| | |
| == Payload configuration ==
| |
| | |
| This category allows you to define on which buttonpress which payload is loaded. It also defines how BootCTR9 should load it.<br />
| |
| '''Tip: To make it easier to boot luma config additionaly add KEY_SELECT for the luma payload (read the example configuration at the end for more).'''
| |
| | |
| {|
| |
| ! Name
| |
| ! Description
| |
| ! Default Value
| |
| |-
| |
| | path
| |
| | The path of the payload BootCTR9 should load
| |
| |
| |
| |-
| |
| | delay
| |
| | The delay between loading the payload and jumping to it
| |
| | 0
| |
| |-
| |
| | payload
| |
| | The payload time, this is only left in for backwards compatibility with BootCTRs configution, to show error messages of the user tries to load a .3dsx file
| |
| | -1
| |
| |-
| |
| | offset
| |
| | The payloads arm9 binary offset, for arm9loaderhax payloads this should be 0, for .dat payloads its normaly 0x12000
| |
| | 0x0
| |
| |-
| |
| | enableSoftbootSplash
| |
| | Enables or disables the splashscreen or animation on Softboot
| |
| | 0
| |
| |-
| |
| | splash
| |
| | Enables or disables the splash or animation that is shown before the delay and jumping to the payload. This also defines the type of media that is shown
| |
| | 0
| |
| |-
| |
| | splash_image
| |
| | Path to the image or animation you want to use as splash image for the payload
| |
| |
| |
| |-
| |
| | screenEnabled
| |
| | Enables or disables the screen when jumping to the screen
| |
| | 1
| |
| |-
| |
| | screenBrightness
| |
| | Sets the payloads screen brightness. [https://docs.google.com/spreadsheets/d/1hZ9QfDdIVrpZqtnCYAd8uDWvlNZB35Q8oGDyU09R0HQ/pubhtml?gid=0&single=true List of available brightnesslevels]
| |
| | 0xFF
| |
| |-
| |
| | enablePathFix
| |
| | This got included mainly for LumaCFW and allows you to simple drag and drop lumas payload to your SD-card, without the need to always use the path changer.
| |
| | 0
| |
| |}
| |
| | |
| == Splash types ==
| |
| | |
| {|
| |
| ! Value
| |
| ! Result
| |
| |-
| |
| | 0
| |
| | The splash screen is disabled
| |
| |-
| |
| | 1
| |
| | A Splash image is used
| |
| |-
| |
| | 2
| |
| | An ASCII splash is shown
| |
| |-
| |
| | 3
| |
| | A Splash image is used, if its not loadable, an ASCII splash is used as fallback
| |
| |-
| |
| | 4
| |
| | An animation is used, if its not loadable, an ASCII splash is used as fallback
| |
| |}
| |
| | |
| == Available configuration sections ==
| |
| | |
| {|
| |
| ! Section name
| |
| ! Description
| |
| |-
| |
| | [BOOTCTR9]
| |
| | This is the configuration for the bootloader itself
| |
| |-
| |
| | [GLOBAL]
| |
| | This allows to override default values for all payload sections
| |
| |-
| |
| | [DEFAULT]
| |
| | Default Configuration, used when no button is pressed
| |
| |-
| |
| | [COMPANION]
| |
| | This section is used for a9lh netloader companion payload configurations
| |
| |-
| |
| | [KEY_X]
| |
| | This section is loaded when pressing button X.
| |
| |}
| |
| | |
| Available Keys:
| |
| | |
| * Common keys: KEY_A, KEY_B, KEY_X, KEY_Y, KEY_L, KEY_R, KEY_SELECT, KEY_START
| |
| * D-PAD: KEY_DUP, KEY_DDOWN, KEY_DLEFT, KEY_DRIGHT.
| |
| | |
| == Example configuration ==
| |
| | |
| <source lang="ini">;Comments starts with ";" or "#", so you need to remove it first to the
| |
| ;line actually do something.
| |
| | |
| ;configuration with ascii boot Image
| |
| ;You have also 1 sec to press the button for the payload you want to boot
| |
| [BOOTCTR9]
| |
| key_delay = 1000
| |
| boot_splash = 3
| |
| enableAutosoftboot = 1
| |
| enableArm9CompanionBoot = 1
| |
| | |
| ;Section to allow a9lh net companion payload auto booting
| |
| [COMPANION]
| |
| path = /a9nc.bin
| |
| delay = 100
| |
| offset = 0
| |
| payload = -1
| |
| | |
| ;luma with BootAnimation and enabled Pathfix
| |
| [DEFAULT]
| |
| path = /Payloads/luma.bin
| |
| delay = 1000
| |
| splash = 4
| |
| splash_image = /Animations/anim
| |
| screenBrightness = 0x30
| |
| enablePathFix = 1
| |
| | |
| ;cakes.dat with splash screen and offset
| |
| [KEY_R]
| |
| path = /Cakes.dat
| |
| delay = 1000
| |
| offset = 0x12000
| |
| splash = 3
| |
| splash_image = /Splashes/splash.bin
| |
| | |
| ;Reinand.dat with offset and ascii splash
| |
| [KEY_DUP]
| |
| path = /ReiNand.dat
| |
| delay = 1000
| |
| offset = 0x12000
| |
| splash = 1
| |
| | |
| ;ARM9 Payloads
| |
| ;Luma3DS CFW
| |
| [KEY_L]
| |
| path = /arm9loaderhax/Payloads/luma.bin
| |
| ;Luma3DS CFW config (to easier boot the luma config)
| |
| [KEY_SELECT]
| |
| path = /arm9loaderhax/Payloads/luma.bin
| |
| ;Decrypt9WIP
| |
| [KEY_X]
| |
| path = /arm9loaderhax/Payloads/Decrypt9WIP.bin
| |
| ;EmuNAND9
| |
| [KEY_Y]
| |
| path = /arm9loaderhax/Payloads/EmuNAND9.bin
| |
| ;Hourglass9
| |
| [KEY_START]
| |
| path = /arm9loaderhax/Payloads/Hourglass9.bin
| |
| ;SafeMode9
| |
| [KEY_B]
| |
| path = /arm9loaderhax/Payloads/SafeMode9.bin
| |
| | |
| ;Each key can be defined using a section, like the example below. Section
| |
| ;names must be ALL caps, and between "[]". Valid keys:
| |
| ;You MUST set at least "path" for each section, and it is the ONLY option you
| |
| ;should set in the majority of cases.
| |
| ;Double check the path, since it must be correct (including caps).
| |
| ;Boot examples for almost every CFW out there.
| |
| ;You can use only binary (.bin, .dat) payloads
| |
| ;[KEY_A]
| |
| ;path = /rxTools/sys/code.bin
| |
| ;[KEY_B]
| |
| ;path = /Cakes.dat
| |
| ;[KEY_Y]
| |
| ;path = /ReiNand.dat
| |
| ;An important remark: the majority of CFWs set L button to show menu instead
| |
| ;of autobooting. So it is generally a bad idea to set L button to CFW boot,
| |
| ;but if you use a delay, you have time to release the key so the CFW menu will
| |
| ;not be shown.
| |
| | |
| </source>
| |
| == Arm9loaderhax BootCTR9 Fork ==
| |
| | |
| This arm9loaderhax fork is based on '''delibles''' implementation of the arm9loaderhax exploit, documented [http://3dbrew.org/wiki/3DS_System_Flaws here] and also presented [https://media.ccc.de/v/32c3-7240-console_hacking in this conference]. It provides ARM9 code execution directly at the console boot, exploiting a vulnerability present in 9.6+ version of New3DS arm9loader.
| |
| | |
| It works on both New and OLD 3DS.
| |
| | |
| == What it does ==
| |
| | |
| This fork of ARM9loaderhax supports the direct loading of an arm9bootloader.bin into the memory (address 0x24F00000). Besides this it supports loading a arm9loaderhax.bin as fallback (address 0x23F00000), and it will directly setup the ARM11 thread for the upcoming ARM11-API, so every arm9payload loaded after this is able to use it. If it fails to find one of the 2 files, the console will shutdown.
| |
| | |
| == How to install it ==
| |
| | |
| After the compilation you'll have three files in the '''data_output''' directory:
| |
| | |
| * arm9loaderhax.3dsx
| |
| * arm9loaderhax.bin
| |
| * arm9loaderhax.pack
| |
| | |
| The ''.pack'' file contains all the content that will be installed (in case of a full package, your console-unique data too), and has to be placed in the root of your SD card.
| |
| | |
| The ''.bin'' file is an indipendent payload that can be launched from Brahma2, CakeHax, Arm9LoaderHax itself (mainly for update the exploit), and so on. It is the installeing software, once you find your way to launch it, just follow the instruction.
| |
| | |
| The ''.3dsx'' file is a pre-buildt Brahma2 3dsx that can be launched on consoles with firmware below 9.2 through the Homebrew Launcher. It is a loader for the ''.bin'' file, wich is included in the 3dsx.
| |
| | |
| == Software Update ==
| |
| | |
| When some essential parts of the software will be released, you'll be able to update your setup with the installer by using ''.pack'' files that i will provide in future releases.
| |
| | |
| == The ARM11-API ==
| |
| | |
| To allow arm9 payloads the easier use of the arm11 processor I'm currently working on an arm11 API. Its not recommend to use this API in a produktiv payload atm, because it still work in progress, and a future update could break the payloads support for it atm.
| |
| | |
| == These people helped to create this ==
| |
| | |
| * Smealum and contributors for libctru
| |
| * Normmatt for sdmmc.c and .h, and also for .ld files and the log from XDS by ichfly that provided us some of the information needed to get screen init
| |
| * Christophe Devine for the SHA codes
| |
| * Archshift for i2c.c and .h
| |
| * Megazig for crypto.c and .h
| |
| * Patois for original BRAHMA code
| |
| * Smealum, Derrek, Plutoo for publishing the exploit
| |
| * Yellows8 and Plutoo as ideators of it
| |
| * [http://3dbrew.org/ 3dbrew community]
| |
| * bilis/b1l1s for his screen init code, and work on inegrating it into stage 2
| |
| * dark_samus for work on integrating screen init into stage 2
| |
| * m45t3r for the base BootCTR version as .3dsx
| |
| * delibles for the base implementation of arm9loaderhax
| |