More actions
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
|image=Boot9strap.jpg | |image=Boot9strap.jpg | ||
|description=Boot9/Boot11 code execution. | |description=Boot9/Boot11 code execution. | ||
|author=SciresM | |author=SciresM, Hedgeberg | ||
|lastupdated=2017/09/06 | |lastupdated=2017/09/06 | ||
|type=System Tools | |type=System Tools | ||
|version=1.3 | |version=1.3 | ||
|license= | |license=GPL-3.0 | ||
|download=https://dlhb.gamebrew.org/ | |download=https://dlhb.gamebrew.org/3dshomebrews/ | ||
|website=https://github.com/SciresM/boot9strap | |website=https://github.com/SciresM/boot9strap | ||
|source=https://github.com/SciresM/boot9strap | |source=https://github.com/SciresM/boot9strap | ||
}} | }} | ||
Boot9strap (B9S) is a modified firmware that makes use of sighax and a vulnerability in the console's NDMA engine to gain code execution on the ARM9 BootROM (Boot9) and load a payload (boot.firm) from the SD card. It uses a modified version the ARM9 payload loader of [[Luma3DS]]. The software can also dump the console-specific OTP and BootROMs. | |||
It is a bootrom exploit that runs a lot earlier in the boot process in comparison to Armloader9hax (A9LH), allowing access to new system files that A9LH didn't, as well as adding better brick protection, and update protection, because it's unpatchable without a hardware revision (it is also worth noting that B9S uses .firm files instead of .bin files for payloads). B9S has effectively replaced AL9H, and if you use Luma3DS and would like to still be supported with updates, you have to switch to B9S. | |||
For more technical details, refer to the presentation [https://sciresm.github.io/33-and-a-half-c3 here]. | |||
==Installation== | |||
Install via [[SafeB9SInstaller 3DS|SafeB9SInstaller]]. | |||
Launches boot.firm off of the SD card or CTRNAND. | |||
Hold Start+Select+X on boot to dump the bootroms/your OTP. | |||
==Credits== | |||
* [https://github.com/Normmatt Normmatt] - Theorizing the NDMA overwite exploit. | |||
* [https://github.com/TuxSH TuxSH] - Help implementing bootrom payloads. | |||
* [https://github.com/AuroraWright/Luma3DS Luma3DS] - Codebase used in the stage 2 FIRM loader. | |||
==External links== | |||
* GitHub - https://github.com/SciresM/boot9strap | |||
== | |||
* | |||
Revision as of 11:59, 3 February 2022
| Boot9strap | |
|---|---|
| File:Boot9strap.jpg | |
| General | |
| Author | SciresM, Hedgeberg |
| Type | System Tools |
| Version | 1.3 |
| License | GPL-3.0 |
| Last Updated | 2017/09/06 |
| Links | |
| Download | |
| Website | |
| Source | |
Boot9strap (B9S) is a modified firmware that makes use of sighax and a vulnerability in the console's NDMA engine to gain code execution on the ARM9 BootROM (Boot9) and load a payload (boot.firm) from the SD card. It uses a modified version the ARM9 payload loader of Luma3DS. The software can also dump the console-specific OTP and BootROMs.
It is a bootrom exploit that runs a lot earlier in the boot process in comparison to Armloader9hax (A9LH), allowing access to new system files that A9LH didn't, as well as adding better brick protection, and update protection, because it's unpatchable without a hardware revision (it is also worth noting that B9S uses .firm files instead of .bin files for payloads). B9S has effectively replaced AL9H, and if you use Luma3DS and would like to still be supported with updates, you have to switch to B9S.
For more technical details, refer to the presentation here.
Installation
Install via SafeB9SInstaller.
Launches boot.firm off of the SD card or CTRNAND.
Hold Start+Select+X on boot to dump the bootroms/your OTP.