3dbrew - User contributions [en]

Internet Browser

2025-09-21T07:18:14Z

Danny8376: info for 11.14 spider

The 3DS Internet Browser was added in the June 2011 Update for JPN/EUR/USA.

From the Internet Browser help section:
In compliance with the LGPL, the source code of the OSS is available via the Nintendo website.
This source code can be downloaded here:
[http://mediacontent.nintendo-europe.com/NOE/images/service/OpenSources.zip] [http://www.nintendo.co.jp/support/oss/index.html]

The 3DS Internet Browser is [http://en.wikipedia.org/wiki/Netfront Netfront] Browser NX v1.0 based on [http://en.wikipedia.org/wiki/WebKit WebKit] engine.

On O3DS the exheader name of this title is "SPIDER"; on N3DS, "SKATER".
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.

A [[#Dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with [[9.9.0-26|9.9.0-X]].
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.

==[[New 3DS]] Internet Browser==
New3DS has a separate browser title, with the exheader name "SKATER".
Unlike the Old3DS browser, the New3DS browser has videos+HTML5 support.

This browser also has a filter enabled by default in the JPN version.
Disabling it requires paying money with a credit-card, for [[NIM_Services|purchasing]] web-browser [[Title_list/DLC|DLC]].
During startup the browser does various HTTPS comms. When visting an URL, the browser sends a plaintext HTTP POST here: [http://ars.ifuser.jp:20080/ars2/rating]. The raw POST data begins with "ARS/2.0\r\n\x00", the rest appears to be encrypted. The server reply content also has this ARS header + encrypted data. This appears to use a fixed xorpad, likely from a fixed encryption CTR/IV. The server content responses for allowed sites, and blocked sites, are fixed. When the server returns that the site is blocked, the browser goes to this page: [http://ars.ifuser.jp/filter/44.html](the Referrer header value is set to the same URL it's actually requesting).

The WebKit source was updated since the Old3DS browser.
The New3DS browser uses the following services: [[MVD_Services|mvd:STD]] and [[IR_Services|ir:rst]](DLC-related services are used too but those aren't New3DS specific).
Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.

=== Video / libstagefright ===
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than [https://android.googlesource.com/platform/frameworks/av/+/ec77122351b4e78c1fe5b60a208f76baf8c67591%5E%21/media/libstagefright/MPEG4Extractor.cpp this]). This codebase is missing certain chunk-parsing code for 3GP.

HTTP for libstagefright is internally handled with [[HTTP_Services|HTTPC]], with a similar(?) set of RootCAs as for browser-version-check.

===User-Agent and Browser Versions===
Normal user-agent format: <code style="font-size:larger;">Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/<WebKit version> (KHTML, like Gecko) NX/<Netfront version> Mobile NintendoBrowser/<Mobile NintendoBrowser version>.<region></code>

<region> can be one of the following: "JP", "US", or "EU".

Mobile User-Agent is always <code>Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25</code>.

{| class="wikitable" border="1"
|-
! Mobile NintendoBrowser version(displayed in browser settings)
! Normal UA
! CDN Title-version
! Network-only system-update version
! Notes
|-
| 1.0.9934
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
| v10
| [[9.0.0-20]]
| Initial version.
|-
| 1.1.9996
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
| v1027
| [[9.3.0-21]]
| See below regarding OSS changes.
|-
| 1.2.10085
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
| v2051
| [[9.6.0-24]]
| See below.
|-
| None
| None
| v3075
| v9.9 CUP
| v9.9 CUP dummy web-browser, see below.
|-
| 1.3.10126
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region>
| v3077
| [[9.9.0-26]]
| See below.
|-
| 1.4.10138
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region>
| v4096
| [[10.2.0-28]]
| See below.
|-
| 1.5.10143
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region>
| v5121
| [[10.4.0-29]]
| See below.
|-
| 1.6.10147
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region>
| v6144
| [[10.6.0-31]]
| See below.
|-
| None
| None
| v7168
| v10.7 CUP
| v10.7 CUP dummy web-browser, see below.
|-
| 1.7.10150
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region>
| v7184
| [[10.7.0-32]]
| See below.
|-
| 1.8.10156
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region>
| v8192
| [[11.1.0-34]]
| See below.
|-
| None
| None
| v9217
| v11.4 CUP
| v11.4 CUP dummy web-browser, see below.
|-
| 1.9.10160
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region>
| v9232
| [[11.4.0-37]]
| See below.
|-
| 1.10.10166
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.22 Mobile NintendoBrowser/1.10.10166.<region>
| v10272
| [[11.9.0-42]]
| See below.
|-
| 1.11.10172
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.23 Mobile NintendoBrowser/1.11.10172.<region>
| v11264
| [[11.14.0-46]]
| See below.
|-
| 1.12.10178
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.24 Mobile NintendoBrowser/1.12.10178.<region>
| v12289
| [[11.15.0-47]]
| See below.
|}

Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.

The first version of the KOR New3DS browser was v9.6(which was when the New3DS KOR titles were originally added). Each version of the KOR browser has the same NintendoBrowser version as the other regions. The KOR browser has been only updated when the browser for the other regions were updated, hence the title-versions are the same as well. The KOR browser ExeFS .code is different from the other regions(more than just region-related IDs etc).

==== OSS 9.0 and 9.3 diff ====
The following is a diff of the OSS archives from [http://www.nintendo.co.jp/support/oss/index.html here], for v9.0 and v9.3.

Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp and NewNintendo3DS_OpenSources9.3.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp differ
Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebKit/WKC/webkit/WKCVersion.h and NewNintendo3DS_OpenSources9.3.0-/WKC/WebKit/WKC/webkit/WKCVersion.h differ

WKC_CUSTOMER_RELEASE_VERSION was changed from "0.5.8" to "0.5.10".

The following code was added to ResourceHandleManager::doRedirect(): curl_easy_setopt(d->m_handle, CURLOPT_SHARE, 0);

==== v9.6 ====
WebKit/OSS code was actually updated.
ExeFS .code was updated. The following files in RomFS were updated:
* "/banner/CN/Skater.icn" and "/banner/KR/Skater.icn".
* "/browser/rootca.pem"
* "/build/buildinfo.dat"
* "/cairo.cro.lex" and "/.crr/static.crr"
* "/lyt/Button/ButtonSelectHSearch.arc"
* "/lyt/Kbd/Swkbd.arc"
* "lyt/Kbd.arc"
* "skater.msbt" under all of the "/message/<region>_<language>/" directories.
* "/oss.cro.lex", "/peer.cro.lex", "/static.crs", and "/webkit.cro.lex".

The following was added to RomFS:
* "/favicon/naver.dat"
* A "KO" directory under "/iwnn".

==== v9.9 ====
ExeFS:/.code was updated.

The only RomFS changes is file-updating, all of the following files were updated:
/browser/rootca.pem
/build/buildinfo.dat
/cairo.cro.lex
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex
/peer.cro.lex
/static.crs
/webkit.cro.lex

See [https://gist.github.com/yellows8/9fb509fde4112339f342 here] for a diff of the OSS(WebKitLibraries/ is not included due to the massive cairo library diff). An exploitable security vuln(which was already known in the context of 3DS webkit) was fixed. [[User:Yellows8|Yellows8]]' private(at the time of writing) exploit for it is based on the PoC from [http://pastebin.com/ufBCQKda here](see the pastebin for the actual pastebin author).

==== v10.2 ====
The libstagefright build in the main SKATER codebin was updated to a version which fixed libstagefright vuln(s): the vuln used in [[browserhax|browserhax_fright]] at the time of sysupdate release was fixed. The *only* code changed in the main codebin, was code related to libstagefright.

The only RomFS changes is file-updating, all of the following files were updated(see the forced-sysupdate section regarding what changed in the message files):
/browser/rootca.pem
/build/buildinfo.dat
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex
/static.crs
/webkit.cro.lex

OSS diff:
diff --git a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
index 4543297..0860336 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
#define WKC_VERSION_CHECK(major, minor, micro) \
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))

-#define WKC_CUSTOMER_RELEASE_VERSION "0.5.15"
+#define WKC_CUSTOMER_RELEASE_VERSION "0.5.17"

#define WKC_WEBKIT_VERSION "536.30"

diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog
index a5abb35..cf5a9fa 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog
@@ -1,3 +1,12 @@
+2013-11-05 Ryosuke Niwa <rniwa@webkit.org>
+
+ Use-after-free in SliderThumbElement::dragFrom
+ https://bugs.webkit.org/show_bug.cgi?id=123873
+
+ Reviewed by Andreas Kling.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b
+
2015-02-06 Maciej Stachowiak <mjs@apple.com>

REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).
@@ -879,7 +888,7 @@
* rendering/RenderLineBoxList.cpp:
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):

-2014-01-21 LÃ¡szlÃ³ LangÃ³ <llango.u-szeged@partner.samsung.com>
+2014-01-21 Laszlo Lango <llango.u-szeged@partner.samsung.com>

Assertion failure in Range::nodeWillBeRemoved
https://bugs.webkit.org/show_bug.cgi?id=121694
@@ -1879,7 +1888,7 @@

2012-09-14 Simon Fraser <simon.fraser@apple.com>

- REGRESSION: transition doesnât always override transition-property
+ REGRESSION: transition doesnft always override transition-property
https://bugs.webkit.org/show_bug.cgi?id=96658

Reviewed by Dean Jackson.
@@ -3691,8 +3700,8 @@
glyph with font data for the primary font, presumably to meet the SVG
spec requirement: "If the references to alternate glyphs do not result
in successful identification of alternate glyphs to use, then the
- character(s) that are inside of the çª¶åltGlyphçª¶?element are rendered as
- if the çª¶åltGlyphçª¶?element were a çª¶?spançª¶?element instead."
+ character(s) that are inside of the âaltGlyphâ?element are rendered as
+ if the âaltGlyphâ?element were a â?spanâ?element instead."

If the alt glyph is not then found we are in the case from the spec
and indeed we should use the primary font. However, we end up replacing the GlyphPage
diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp
index 484adec..d7e9e8d 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp
@@ -164,7 +164,7 @@ void RangeInputType::handleMouseDownEvent(MouseEvent* event)
ASSERT(element()->hasShadowRoot());
if (targetNode != element() && !targetNode->isDescendantOf(element()->shadowTree()->oldestShadowRoot()))
return;
- SliderThumbElement* thumb = sliderThumbElementOf(element());
+ RefPtr<SliderThumbElement> thumb = sliderThumbElementOf(element());
if (targetNode == thumb)
return;
thumb->dragFrom(event->absoluteLocation());

==== v10.4 ====
The ExeFS codebin was updated, the only change was that the following code was updated in the actual NupCheck HTTPS request function:
* Previous version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/2/%s", region);
* Current version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/%d/%s", 3, region);

libpng was updated from version 1.5.21 to 1.5.24.

The following RomFS files were updated(see the forced-sysupdate section regarding what changed in the message files):
/browser/rootca.pem
/build/buildinfo.dat
/cairo.cro.lex
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex differ
/peer.cro.lex differ
/static.crs differ
/webkit.cro.lex differ

==== v10.6 ====
The ExeFS codebin was updated.

[[browserhax|browserhax_fright_tx3g]] was fixed. The code handling tx3g now matches the latest libstagefright git.

Hence the below RomFS listing, no OSS was updated at all(besides libstagefright mentioned above).

The following RomFS files were updated:
/build/buildinfo.dat
/static.crs

==== v10.7 ====
Basically the same changes as Old3DS v10.7, except with the usual buildinfo.dat update in RomFS. The below date is 6 days after the browser-version-check [[3DS_Userland_Flaws|bypass]] was publicly disclosed.

cat v7184/00000025_romfs/build/buildinfo.dat
10150
applet
2016-03-02 18:25

==== v11.1 ====
The ExeFS codebin was updated. The following files in RomFS were updated:

/build/buildinfo.dat
/.crr/static.crr
/oss.cro.lex
/static.crs
/webkit.cro.lex

cat v8192/00000026_romfs/build/buildinfo.dat
10156
applet
2016-08-26 19:47

Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)

Additional code was added which doesn't seem to be from upstream git, right [https://android.googlesource.com/platform/frameworks/av/+/32d6e5f0ebe9e00f80401e5f4fd6e285a474590d/media/libstagefright/MPEG4Extractor.cpp#880 before] the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"

This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.

The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".

==== v11.4 ====
The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated.

The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns.

cat v9232/00000027_romfs/build/buildinfo.dat
10160
applet
2017-03-08 19:44

=== New3DS Browser Specifications ===
[http://www.nintendo.co.jp/3ds/new/features/modal_net.html]

English version:
* "Browser engine: NetFront® Browser NX v3.0"
* "User agent: Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML and like Gecko) NX/3.0.*.*.* Mobile NintendoBrowser/1.0.**** JP
* ** Version information is stated.
* *** When using the “Mobile version request” function, it differs from the above-mentioned character string"
* "Supported protocols: HTTP1.0/HTTP1.1/SSL3.0/TLS1.0/TLS1.1/TLS1.2"
* "Web standard: HTML4.01 / HTML5 / XHTML1.1 / Fullscreen API / Gamepad API / SVG / WebSocket / Video Subtitle / WOFF / Web Messaging / Server-Sent / Web Storage (partial) / XMLHttpRequest / Canvas element / Video / DOM Levels 1-3 / ECMAScript / CSS1 / CSS2.1 / CSS3 (partial)"
* "Image format: bmp / gif / ico / jpeg / png / svg (There are, however, possibilities that some images won't display.)"
* "Image preview: mpo / jpeg (There are, however, possibilities that some images won't display.)"
* "Video format: MP4, M3U8 + TS (HTTPLiveStreaming) (There are, however, some videos that may not be played.)"
* "Video codec: H.264 - MPEG-4 AVC Video (max 854x480 at level 3.2, 3D compatible) (There are, however, some videos that can not be played.)"
* "Audio codec: AAC - ISO / IEC 14496-3 MPEG-4AAC, MP3 (There are, however, some videos that can not be played.)"
* "Format for uploading 3D videos: .mkv (In order to be played, videos must be converted to the appropriate format within the site you are uploading to. In some cases, the video will not play even if converted.)"
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
* "Active Rating System filtering: provided by Digital Arts, Inc.. Access to web content can be limited based on its category information, restricting access to web content that may result inappropriate."
* "Websites can be requested to provide the mobile version (However, if the web page does not have a mobile version, it won't change the way it's displayed.)"

MJPEG + .avi is also supported.

==== Gamepad ====
The browser's now-outdated gamepad API provides information about the states of the circle pad, C-stick, and every button aside from the Home and Power buttons. The gamepad, which has an ID of <code>New Nintendo 3DS Controller</code>, is contained within the array returned by the <code>navigator.webkitGetGamepads</code> function.

Both of the gamepad's arrays, which contain the states of various inputs, seem to be reconstructed each time they are accessed via their gamepad object. It is not known if the values within the arrays can update upon each access of the array, but the values can update frequently enough to obtain accurate readings of the system's controls.

===== Axes =====
The gamepad's <code>axes</code> array contains four floating-point numbers in the following order:

{|class="wikitable" width="20%"
! Index !! Axis
|-
| 0 || Circle pad X
|-
| 1 || Circle pad Y
|-
| 2 || C-stick X
|-
| 3 || C-stick Y
|}

Each coordinate ranges from -1.0 (left/up) to 1.0 (right/down). Neutral position is indicated by 0.0. Drift and/or inaccurate calibration may make these exact values unattainable.

===== Buttons =====
The gamepad's <code>buttons</code> array contains numbers for the following numbers:
{|class="wikitable" width="20%"
! Index !! Button
|-
| 0 || B
|-
| 1 || A
|-
| 2 || Y
|-
| 3 || X
|-
| 4 || L
|-
| 5 || R
|-
| 6 || ZL
|-
| 7 || ZR
|-
| 8 || Select
|-
| 9 || Start
|-
| 10 || Unused
|-
| 11 || Unused
|-
| 12 || Up
|-
| 13 || Down
|-
| 14 || Left
|-
| 15 || Right
|}

Each button's value is 0 while the button is not pressed, and 1 while the button is pressed.

Based on the Gamepad API's specifications, buttons 10 and 11 are reserved for left stick presses and right stick presses respectively, which the 3DS does not support.

==== Notes ====
* Viewport information can be specified with the <meta> element.
* The html "color" <input> type is not supported.
* 3D images appear as their right-eye image within webpages.
* Webpages are locked to the bottom screen when zooming is disabled, the webpage's initial scale is 1, and the entire webpage can fit within the bottom screen's dimensions (320x212).
* Interactable elements that are positioned partially outside of the bottom screen can temporarily be moved further inside the bottom screen by tapping them with the touchscreen.
* Favicons can be changed using Javascript, but they become unchangeable once the document's readystatechange event finishes firing with a ready state of "complete".
* Focusing on text-editable elements via Javascript will always open the keyboard.
* Webpage content is usually rendered at 30 FPS despite the <code>webkitRequestAnimationFrame</code> function allowing code to run at a rate of 60 FPS.
** As a result, display-related routines may only show half of their intended updates.
** This issue can be mitigated by rendering on every other frame. However, various factors (such as touchscreen input and sleep mode) make this fairly inconsistent.

== Old3DS browser ==

=== Old3DS Browser Specifications ===
* "Browser engine: NetFront® Browser"
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"

Old3DS browser doesn't support events "focusin" and "focusout"

=== User-Agent and Browser Versions ===
User-agent format: <code style="font-size:larger;">Mozilla/5.0 (Nintendo 3DS; U; ; <lang>) Version/<version>.<region></code>.

<lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>.
{| class="wikitable" border="1"
|-
! Browser version
! CDN Title-version
! Network-only system-update version
! Notes
|-
| 1.7412
| v6
| [[2.0.0-2|2.0.0-2]]
| This was the initial version.
|-
| 1.7455
| v1024
| [[2.1.0-4]]
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too.
|-
| 1.7498
| v2050
| [[4.0.0-7]]
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
|-
| 1.7538
| v0
| [[4.2.0-9]]
| First version of the KOR browser. The CROs are different from the USA/EUR/JPN [[4.0.0-7]] browser.
|-
| 1.7552
| v3075
| [[5.0.0-11]]
| ExeFS .code and icon were updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
|-
| 1.7552
| v3088
| [[7.0.0-13]]
| The main NCCH wasn't updated at all(same TMD contentID/content-hash as the previous version), only the manual CFA for this title was updated.
|-
| 1.7567
| v4096
| [[7.1.0-16]]
| The CXI .code was updated, some data in the RomFS was updated(none of the CROs such as webkit.cro were updated). The manual CFA was updated too.
|-
| 1.7585
| v5121
| [[9.5.0-23]]
| The CXI .code was updated, and the manual CFA was updated. RomFS changes:
* "/browser/rootca.pem" updated
* "/cro/oss.cro" updated
* "/cro/static.crs" updated
* "/cro/webkit.cro" updated
* "/.crr/static.crr" updated
* "/layout/dialogheader/WirelessSwitchOff.arc" was removed
* "/layout/favorite/favicondata/KOR.arc" updated

A vuln used in a public(at the time of this sysupdate) webkit exploit for spider was fixed, which also fixed the removewinframe exploit from [https://github.com/yellows8/3ds_webkithax here].
|-
| None
| v6147
| v9.9 CUP
| v9.9 CUP dummy web-browser, see below.
|-
| 1.7610
| v6149
| [[9.9.0-26]]
| See below.
|-
| 1.7616
| v7168
| [[10.2.0-28]]
| See below.
|-
| 1.7622
| v8192
| [[10.6.0-31]]
| See below.
|-
| None
| v9216
| v10.7 CUP
| v10.7 CUP dummy web-browser, see below.
|-
| 1.7625
| v9232
| [[10.7.0-32]]
| See below.
|-
| 1.7630
| v10240
| [[11.1.0-34]]
| See below.
|-
| 1.7636
| v11297
| [[11.9.0-42]]
| See below.
|-
| 1.7639
| v12288
| [[11.14.0-46]]
| See below.
|-
| 1.7642
| v13313
| [[11.15.0-47]]
| See below.
|}

=== Heap ===
The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller.

=== Old3DS v9.9 ===
ExeFS:/.code was updated.

The only changes in RomFS were file-updating, the following files were updated:
/browser/rootca.pem
/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr
/message/CN_Simp_Chinese/spider.msbt
/message/EU_Dutch/spider.msbt
/message/EU_English/spider.msbt
/message/EU_French/spider.msbt
/message/EU_German/spider.msbt
/message/EU_Italian/spider.msbt
/message/EU_Portuguese/spider.msbt
/message/EU_Russian/spider.msbt
/message/EU_Spanish/spider.msbt
/message/JP_Japanese/spider.msbt
/message/KR_Hangeul/spider.msbt
/message/TW_English/spider.msbt
/message/TW_Trad_Chinese/spider.msbt
/message/US_English/spider.msbt
/message/US_French/spider.msbt
/message/US_Portuguese/spider.msbt
/message/US_Spanish/spider.msbt

OSS diff for v9.5 and v9.9, without the .dox changes:

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
index be5ff09..55a7274 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
#define WKC_VERSION_CHECK(major, minor, micro) \
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))

-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.14"
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"

#define WKC_WEBKIT_VERSION "532.7"

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp
index da4127e..d03403e 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp
@@ -305,23 +305,23 @@ int RenderBox::scrollHeight() const

int RenderBox::scrollLeft() const
{
- return hasOverflowClip() ? layer()->scrollXOffset() : 0;
+ return layer() && hasOverflowClip() ? layer()->scrollXOffset() : 0;
}

int RenderBox::scrollTop() const
{
- return hasOverflowClip() ? layer()->scrollYOffset() : 0;
+ return layer() && hasOverflowClip() ? layer()->scrollYOffset() : 0;
}

void RenderBox::setScrollLeft(int newLeft)
{
- if (hasOverflowClip())
+ if (hasOverflowClip() && layer())
layer()->scrollToXOffset(newLeft);
}

void RenderBox::setScrollTop(int newTop)
{
- if (hasOverflowClip())
+ if (hasOverflowClip() && layer())
layer()->scrollToYOffset(newTop);
}

=== Old3DS v10.2 ===
The slider vuln from [https://github.com/yellows8/3ds_webkithax here] was fixed in the Old3DS browser.

The main codebin .text only increased by 0x10-bytes.

The only changes in RomFS was that the following files were updated:
/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr

OSS diff:
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h
index 55a7274..fc153c4 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
#define WKC_VERSION_CHECK(major, minor, micro) \
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))

-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.17"

#define WKC_WEBKIT_VERSION "532.7"

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp
index b2f5cef..1dd3dbd 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp
@@ -221,6 +221,7 @@ RenderSlider::~RenderSlider()
{
if (m_thumb)
m_thumb->detach();
+ m_thumb = 0;
}

int RenderSlider::baselinePosition(bool, bool) const
@@ -493,7 +494,8 @@ void RenderSlider::forwardEvent(Event* event)
}
}

- m_thumb->defaultEventHandler(event);
+ if (m_thumb)
+ m_thumb->defaultEventHandler(event);
}

bool RenderSlider::inDragMode() const

=== Old3DS v10.6 ===
[[browserhax|spider28hax]] was fixed. The "2^32 characters long string" vuln described [[3DS_Userland_Flaws|here]] was ''finally'' fixed.

''A lot'' of WebKit issues/vulns were fixed, see [https://gist.github.com/yellows8/b1e10caa1d8bb8a46316 here] for the changes.

libpng was updated from version 1.4.12 to 1.4.19. zlib was updated from 1.2.7 to 1.2.8.

The .text size increased by 0x478-bytes.

The only changes in RomFS was that the following files were updated:
/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr
/manual/Manual.bcma

=== Old3DS v10.7 ===
''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]].

=== Old3DS v11.1 ===
Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:
/cro/oss.cro
/cro/webkit.cro
/.crr/static.crr

== Forced system-update ==
The Old3DS/New3DS Internet Browser updated with [[9.9.0-26]] added the following message strings:
In order to use the Internet
browser, a system update
is required.
To perform a system update,
select System Update from Other
Settings in System Settings.

The Internet browser cannot be
used at this time.
Please check your network
environment or try again later.

For whatever reason, the above ''message strings'' were removed with New3DS-browser v10.2, then re-added with v10.4. This does not apply to the Old3DS browser. Whenever v10.2 New3DS browser tries to use these message-strings for displaying a browser-update-related message, it will crash due to an assert failing since the message-strings are missing. Hence, if/when the v10.2 update-check page is ever updated where the browser tries to display a message for it, or when accessing that page fails, the browser will automatically crash.

This wasn't enforced(web-browser displaying the above message when the installed browser isn't the latest version) until October 26, 2015.

This message only triggers when attempting to load a web-page. This is only handled the first time the browser accesses a web-page, during this browser session.

The browser codebins starting with v9.9 now contain the following URL strings:
* Old3DS: <nowiki>"https://cbvc.cdn.nintendo.net/CTR/1/<region>"</nowiki>
* New3DS: <nowiki>"https://cbvc.cdn.nintendo.net/SNAKE/1/<region>"</nowiki>

The <region> string is one of the following:
* "JPN"
* "USA"
* "EUR"
* "KOR"

Starting with the browser from [[10.2.0-28]], the "1" in the above URLs were changed to "2". With the New3DS browser from [[10.4.0-29]], it's now "3".

As of October 26, 2015, the "1" URLs return the browser-version for v9.9(decimal number as a string without any "."), while the "2" URLs returns 0.

if(internal_browserver > server_browserver)
{
<safe>
}
else
{
<update message>
}

Hence, internal_browserver == server_browserver will trigger the sysupdate message, which appears to be the normal way to indicate that the current browser is outdated(see above).

There is a cache for this in savedata. The request is only done when at least 24-hours have passed since the last time the request was done(see the below savedata section).

It is still possible to guard against this update by blocking the previous URLs using a proxy.
It is not possible to remove the update message by entering the [[Recovery Mode]].

=== Page request ===
For this request, all root-CAs bundled with the browser are trusted, in addition to two of the SSL module builtin Nintendo root-CAs.

The browser(with New3DS at least) does the following with [[HTTP_Services|HTTPC]] for requesting the above page:
* Initializes the HTTP context and uses [[HTTPC:InitializeConnectionSession]] + [[HTTPC:SetProxyDefault]].
* Uses [[HTTP_Services|HTTPC]] command 0x250080 twice with cmd[1]=contexthandle: first time cmd[2]=0x3, second time cmd[2]=0x6.
* Then [[HTTPC:AddTrustedRootCA]] is used 48 times to setup 48 trusted root CAs. This appears to be every cert in the browser "romfs:/browser/rootca.pem" file converted to DER, in the same order from there(in other words, every single root CA the browser trusts by default for normal web-browsing).
* Then [[HTTPC:BeginRequest]] is used.
* Then [[HTTPC:ReceiveDataTimeout]] is used, the recv-size seems to be fixed to 0x20.
* Then [[HTTPC:GetResponseStatusCodeTimeout]] is used.
* Then [[HTTPC:GetDownloadSizeState]] is used.
* Then the HTTP context is closed.

Raw request data(New3DS USA v10.2 browser):
000000: 47 45 54 20 2f 53 4e 41 4b 45 2f 32 2f 55 53 41 GET /SNAKE/2/USA
000010: 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a HTTP/1.1..Host:
000020: 20 63 62 76 63 2e 63 64 6e 2e 6e 69 6e 74 65 6e cbvc.cdn.ninten
000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a do.net....

=== v10.7 ===
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]].

== Dummy web-browser ==
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".

Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).

Gamecards v10.7 and v11.4(New3DS only) have updated the dummy web-browser, where the only difference is the title version.

== Savedata ==
=== New3DS ===
On newer SKATER versions, it appears *all* NAND savedata is stored under the [[System_SaveData|0x000200BB]] savedata.

==== 0x000200BB savedata ====
This only contains "t.bin" with filesize 0xadf80, the format is below.

The timestamp format used here is the number of milliseconds since January 1, 2000(local-time).

When using the "Initialize savedata" option in the browser, that deletes this savedata file/image then exits the browser. This file is then re-created when the browser gets started again.

{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x68
| 0x4?
| This counter is incremented each time the savedata is written.
|-
| 0x70
| 0x8
| Timestamp for when the savedata was last written.
|-
| 0x94
| 0x15?
| This is all-zeros on non-JPN systems. On JPN systems where the browser filter is disabled, this is a string in the following format: "4110-%016llX".
|-
| 0xD8
| 0x8
| s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.
|}

==APT Parameters==
The URL to load can optionally be loaded from char[] string [[APT:SendParameter|paramblk+0]]. This is used when scanning URL QR-codes in Home Menu / etc.

==Errors==
"Failed to load part of this page": This can be caused by failing to load "/favicon.ico". For example, this can be caused by loading a plain HTTP page, with plain-http favicon redirecting to HTTPS. If cert-verify then fails with favicon in this case, this error would then trigger.

==Other details==

*It scored 90/100 on [http://acid3.acidtests.org/ Acid3] test
*Images from the Internet can be saved to the [[SD Filesystem|SD Card]] and viewed using the [[Nintendo 3DS Camera]] application.
*Images saved to an [[SD Filesystem|SD Card]] or to the Nintendo 3DS system memory can be uploaded to blogs or other sites that allow the uploading of photos using :
<input type="file" />
* HTML5Test.com say that Drag and drop is supported but it's not (code on WebKit is ready, but it's not implemented on interface of browser)
* Webpages are rendered with the RGB565 color format.

==Tips==

=== Detect User Agent ===

To detect if the user agent is the Nintendo 3DS Internet Browser (not including mobile site mode):

<script type="text/javascript">
if(navigator.userAgent.indexOf("Nintendo 3DS") == -1) { // If the user agent does not contain "Nintendo 3DS"
location.replace("http://www.3dbrew.org"); // Redirect to another page
}
</script>

* You can check using <code>navigator.platform.indexOf("Nintendo 3DS") > -1</code> as well.
* The New 3DS Internet Browser's "Request Mobile Sites" setting affects the user agent. To detect if the New 3DS Internet Browser is being used with this option enabled, use <code>screen.pixelDepth == 16 && navigator.platform == "iPhone"</code>.
** This relies on the fact that the internet browser renders its webpages in 16-bit color, which is (hopefully?) not possible with a real iPhone.
** Keep in mind that the previous browser-detection examples do not account for this setting.

=== Scrolling ===

Scrolling can be altered by modifying document.body.scrollTop and document.body.scrollLeft. However, there are drawbacks related to working with these properties:

* Both properties return 0 when accessed
* Setting one property resets the other property's scroll position

In order to set both at the same time (without either resetting to 0), use window.scrollTo.

=== Events ===
==== Key Events ====
The following buttons trigger the onkeydown, onkeypress and onkeyup events:

{|class="wikitable" width="20%"
! Code !! Button
|-
| 13 || A
|-
| 37 || Left
|-
| 38 || Up
|-
| 39 || Right
|-
| 40 || Down
|}

The events cannot have their default action cancelled. Other buttons do not trigger key events.

The Old3DS browser dispatches a keypress event once per key press for each of the buttons above, but the New3DS browser dispatches the event continuously until the button is released.

A keyboard event's <code>keyIdentifier</code> property usually should not be used to identify which button was pressed, as the A button's keypress event is dispatched with a key identifier of "" (an empty string) rather than "Enter" in the New3DS browser.

The New3DS browser's keyboard dispatches keydown and keyup events when a key is pressed, but it is not possible to determine which key was pressed based on the event itself. Every keyboard keydown event has a key code of 229 and a key identifier of "U+00E5", and every keyup event has a key code of 0 and a key identifier of "U+0000".

Key events are suppressed while the touchscreen is touched.

==== Touch/Mouse Events ====
The mousedown, mouseup, and click events are all triggered by the browser. However, the mousedown event doesn't trigger until you lift the stylus or you've held it on the screen long enough to trigger text selection mode. Text selection mode requires pressing the touchscreen for approximately 1.05 seconds in the Old3DS browser, or pressing the touchscreen for approximately 0.41 seconds in the New3DS browser. Also, the mousedown event is only dispatched while text selection mode is active. Mouse events cannot have their default actions cancelled.

Touch events are not supported in the Old3DS browser, and the touchcancel event does not seem to be used by either browser. Touches cannot start within the bottom browser bar, but they can move to be within it. The rotation angle, contact radii, and pressure of each touch are always zero, as the 3DS touchscreen is not capable of detecting these values. Only one touch can be detected at a time due to the touchscreen's hardware limitations as well. Unlike mouse events, touch events can have their default actions cancelled. Doing so will prevent the touchscreen from being used to scroll through the webpage, highlight text, zoom out, and interact with the bottom browser bar.

==== System Font Characters ====
The [[System_Font#Unicode_Private_Use_characters|system font]]'s private-use characters can be viewed within the web browser.

== Screen Resolution ==

The up screen resolution is 400×240. However, the viewable area in the browser is only 400×215.

The touch screen resolution is 320×240. However, the viewable area in the browser is 320×212 or 320×240, depending on if the bottom browser bar is visible. The New3DS browser's bottom bar can hidden by scrolling and/or attempting to zoom in/out with the C-stick, unless scrolling and zooming have both been disabled.

You can have a page span both screens. However, the browser will behave as if the bottom screen is the only active screen and the top screen is scrolled off. This is important when computing CSS coordinates. Items positioned from the "bottom" will be positioned based on the height of the bottom screen, not the cumulative height of both screens.

== Using Both Screens ==

Generally the easiest way to accomplish the correct layout is to create HTML elements that "contain" the top and bottom screens. Here's an example:

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=400, initial-scale=1">
<style>
body { margin: 0px; }
#topscreen { width: 400px; height: 215px; overflow: hidden; background-color: red; }
#bottomscreen { width: 320px; height: 212px; overflow: hidden; background-color: blue; margin: 0 40px 28px; }
</style>
</head>
<body>
<div id="topscreen">Top Screen</div>
<div id="bottomscreen">Bottom Screen</div>
</body>
</html>

This scheme allows the page to be easily manipulated through JavaScript. In order to have the window snap to the correct position, use the following JavaScript code:

window.setInterval(function() {
window.scrollTo(40, 215);
}, 0);

This automatically resets the position if the user accidentally scrolls the page. Zooming should probably also be disabled by adding <code>user-scalable=no</code> to the <meta> viewport element, though this will only have an effect in the New3DS browser.

==Example Sites==

* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks]: This is the first bookmark pre-installed in the browser.
* [http://theimageshare.com ImageShare]: Image uploader for the 3DS ([https://github.com/corbindavenport/imageshare source code])
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
* [http://ditto3d.com/3ds Ditto3D (Dead Link)] (Short URL: http://bit.ly/oVreWA)

Internet Browser

2025-09-21T03:03:23Z

Danny8376: add version and user-agent for 11.15(-11.17)

The 3DS Internet Browser was added in the June 2011 Update for JPN/EUR/USA.

From the Internet Browser help section:
In compliance with the LGPL, the source code of the OSS is available via the Nintendo website.
This source code can be downloaded here:
[http://mediacontent.nintendo-europe.com/NOE/images/service/OpenSources.zip] [http://www.nintendo.co.jp/support/oss/index.html]

The 3DS Internet Browser is [http://en.wikipedia.org/wiki/Netfront Netfront] Browser NX v1.0 based on [http://en.wikipedia.org/wiki/WebKit WebKit] engine.

On O3DS the exheader name of this title is "SPIDER"; on N3DS, "SKATER".
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.

A [[#Dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with [[9.9.0-26|9.9.0-X]].
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.

==[[New 3DS]] Internet Browser==
New3DS has a separate browser title, with the exheader name "SKATER".
Unlike the Old3DS browser, the New3DS browser has videos+HTML5 support.

This browser also has a filter enabled by default in the JPN version.
Disabling it requires paying money with a credit-card, for [[NIM_Services|purchasing]] web-browser [[Title_list/DLC|DLC]].
During startup the browser does various HTTPS comms. When visting an URL, the browser sends a plaintext HTTP POST here: [http://ars.ifuser.jp:20080/ars2/rating]. The raw POST data begins with "ARS/2.0\r\n\x00", the rest appears to be encrypted. The server reply content also has this ARS header + encrypted data. This appears to use a fixed xorpad, likely from a fixed encryption CTR/IV. The server content responses for allowed sites, and blocked sites, are fixed. When the server returns that the site is blocked, the browser goes to this page: [http://ars.ifuser.jp/filter/44.html](the Referrer header value is set to the same URL it's actually requesting).

The WebKit source was updated since the Old3DS browser.
The New3DS browser uses the following services: [[MVD_Services|mvd:STD]] and [[IR_Services|ir:rst]](DLC-related services are used too but those aren't New3DS specific).
Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.

=== Video / libstagefright ===
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than [https://android.googlesource.com/platform/frameworks/av/+/ec77122351b4e78c1fe5b60a208f76baf8c67591%5E%21/media/libstagefright/MPEG4Extractor.cpp this]). This codebase is missing certain chunk-parsing code for 3GP.

HTTP for libstagefright is internally handled with [[HTTP_Services|HTTPC]], with a similar(?) set of RootCAs as for browser-version-check.

===User-Agent and Browser Versions===
Normal user-agent format: <code style="font-size:larger;">Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/<WebKit version> (KHTML, like Gecko) NX/<Netfront version> Mobile NintendoBrowser/<Mobile NintendoBrowser version>.<region></code>

<region> can be one of the following: "JP", "US", or "EU".

Mobile User-Agent is always <code>Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25</code>.

{| class="wikitable" border="1"
|-
! Mobile NintendoBrowser version(displayed in browser settings)
! Normal UA
! CDN Title-version
! Network-only system-update version
! Notes
|-
| 1.0.9934
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
| v10
| [[9.0.0-20]]
| Initial version.
|-
| 1.1.9996
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
| v1027
| [[9.3.0-21]]
| See below regarding OSS changes.
|-
| 1.2.10085
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
| v2051
| [[9.6.0-24]]
| See below.
|-
| None
| None
| v3075
| v9.9 CUP
| v9.9 CUP dummy web-browser, see below.
|-
| 1.3.10126
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region>
| v3077
| [[9.9.0-26]]
| See below.
|-
| 1.4.10138
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region>
| v4096
| [[10.2.0-28]]
| See below.
|-
| 1.5.10143
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region>
| v5121
| [[10.4.0-29]]
| See below.
|-
| 1.6.10147
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region>
| v6144
| [[10.6.0-31]]
| See below.
|-
| None
| None
| v7168
| v10.7 CUP
| v10.7 CUP dummy web-browser, see below.
|-
| 1.7.10150
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region>
| v7184
| [[10.7.0-32]]
| See below.
|-
| 1.8.10156
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region>
| v8192
| [[11.1.0-34]]
| See below.
|-
| None
| None
| v9217
| v11.4 CUP
| v11.4 CUP dummy web-browser, see below.
|-
| 1.9.10160
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region>
| v9232
| [[11.4.0-37]]
| See below.
|-
| 1.10.10166
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.22 Mobile NintendoBrowser/1.10.10166.<region>
| v10272
| [[11.9.0-42]]
| See below.
|-
| 1.11.10172
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.23 Mobile NintendoBrowser/1.11.10172.<region>
| v11264
| [[11.14.0-46]]
| See below.
|-
| 1.12.10178
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.24 Mobile NintendoBrowser/1.12.10178.<region>
| v12289
| [[11.15.0-47]]
| See below.
|}

Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.

The first version of the KOR New3DS browser was v9.6(which was when the New3DS KOR titles were originally added). Each version of the KOR browser has the same NintendoBrowser version as the other regions. The KOR browser has been only updated when the browser for the other regions were updated, hence the title-versions are the same as well. The KOR browser ExeFS .code is different from the other regions(more than just region-related IDs etc).

==== OSS 9.0 and 9.3 diff ====
The following is a diff of the OSS archives from [http://www.nintendo.co.jp/support/oss/index.html here], for v9.0 and v9.3.

Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp and NewNintendo3DS_OpenSources9.3.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp differ
Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebKit/WKC/webkit/WKCVersion.h and NewNintendo3DS_OpenSources9.3.0-/WKC/WebKit/WKC/webkit/WKCVersion.h differ

WKC_CUSTOMER_RELEASE_VERSION was changed from "0.5.8" to "0.5.10".

The following code was added to ResourceHandleManager::doRedirect(): curl_easy_setopt(d->m_handle, CURLOPT_SHARE, 0);

==== v9.6 ====
WebKit/OSS code was actually updated.
ExeFS .code was updated. The following files in RomFS were updated:
* "/banner/CN/Skater.icn" and "/banner/KR/Skater.icn".
* "/browser/rootca.pem"
* "/build/buildinfo.dat"
* "/cairo.cro.lex" and "/.crr/static.crr"
* "/lyt/Button/ButtonSelectHSearch.arc"
* "/lyt/Kbd/Swkbd.arc"
* "lyt/Kbd.arc"
* "skater.msbt" under all of the "/message/<region>_<language>/" directories.
* "/oss.cro.lex", "/peer.cro.lex", "/static.crs", and "/webkit.cro.lex".

The following was added to RomFS:
* "/favicon/naver.dat"
* A "KO" directory under "/iwnn".

==== v9.9 ====
ExeFS:/.code was updated.

The only RomFS changes is file-updating, all of the following files were updated:
/browser/rootca.pem
/build/buildinfo.dat
/cairo.cro.lex
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex
/peer.cro.lex
/static.crs
/webkit.cro.lex

See [https://gist.github.com/yellows8/9fb509fde4112339f342 here] for a diff of the OSS(WebKitLibraries/ is not included due to the massive cairo library diff). An exploitable security vuln(which was already known in the context of 3DS webkit) was fixed. [[User:Yellows8|Yellows8]]' private(at the time of writing) exploit for it is based on the PoC from [http://pastebin.com/ufBCQKda here](see the pastebin for the actual pastebin author).

==== v10.2 ====
The libstagefright build in the main SKATER codebin was updated to a version which fixed libstagefright vuln(s): the vuln used in [[browserhax|browserhax_fright]] at the time of sysupdate release was fixed. The *only* code changed in the main codebin, was code related to libstagefright.

The only RomFS changes is file-updating, all of the following files were updated(see the forced-sysupdate section regarding what changed in the message files):
/browser/rootca.pem
/build/buildinfo.dat
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex
/static.crs
/webkit.cro.lex

OSS diff:
diff --git a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
index 4543297..0860336 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
#define WKC_VERSION_CHECK(major, minor, micro) \
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))

-#define WKC_CUSTOMER_RELEASE_VERSION "0.5.15"
+#define WKC_CUSTOMER_RELEASE_VERSION "0.5.17"

#define WKC_WEBKIT_VERSION "536.30"

diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog
index a5abb35..cf5a9fa 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog
@@ -1,3 +1,12 @@
+2013-11-05 Ryosuke Niwa <rniwa@webkit.org>
+
+ Use-after-free in SliderThumbElement::dragFrom
+ https://bugs.webkit.org/show_bug.cgi?id=123873
+
+ Reviewed by Andreas Kling.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b
+
2015-02-06 Maciej Stachowiak <mjs@apple.com>

REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).
@@ -879,7 +888,7 @@
* rendering/RenderLineBoxList.cpp:
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):

-2014-01-21 LÃ¡szlÃ³ LangÃ³ <llango.u-szeged@partner.samsung.com>
+2014-01-21 Laszlo Lango <llango.u-szeged@partner.samsung.com>

Assertion failure in Range::nodeWillBeRemoved
https://bugs.webkit.org/show_bug.cgi?id=121694
@@ -1879,7 +1888,7 @@

2012-09-14 Simon Fraser <simon.fraser@apple.com>

- REGRESSION: transition doesnât always override transition-property
+ REGRESSION: transition doesnft always override transition-property
https://bugs.webkit.org/show_bug.cgi?id=96658

Reviewed by Dean Jackson.
@@ -3691,8 +3700,8 @@
glyph with font data for the primary font, presumably to meet the SVG
spec requirement: "If the references to alternate glyphs do not result
in successful identification of alternate glyphs to use, then the
- character(s) that are inside of the çª¶åltGlyphçª¶?element are rendered as
- if the çª¶åltGlyphçª¶?element were a çª¶?spançª¶?element instead."
+ character(s) that are inside of the âaltGlyphâ?element are rendered as
+ if the âaltGlyphâ?element were a â?spanâ?element instead."

If the alt glyph is not then found we are in the case from the spec
and indeed we should use the primary font. However, we end up replacing the GlyphPage
diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp
index 484adec..d7e9e8d 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp
@@ -164,7 +164,7 @@ void RangeInputType::handleMouseDownEvent(MouseEvent* event)
ASSERT(element()->hasShadowRoot());
if (targetNode != element() && !targetNode->isDescendantOf(element()->shadowTree()->oldestShadowRoot()))
return;
- SliderThumbElement* thumb = sliderThumbElementOf(element());
+ RefPtr<SliderThumbElement> thumb = sliderThumbElementOf(element());
if (targetNode == thumb)
return;
thumb->dragFrom(event->absoluteLocation());

==== v10.4 ====
The ExeFS codebin was updated, the only change was that the following code was updated in the actual NupCheck HTTPS request function:
* Previous version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/2/%s", region);
* Current version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/%d/%s", 3, region);

libpng was updated from version 1.5.21 to 1.5.24.

The following RomFS files were updated(see the forced-sysupdate section regarding what changed in the message files):
/browser/rootca.pem
/build/buildinfo.dat
/cairo.cro.lex
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex differ
/peer.cro.lex differ
/static.crs differ
/webkit.cro.lex differ

==== v10.6 ====
The ExeFS codebin was updated.

[[browserhax|browserhax_fright_tx3g]] was fixed. The code handling tx3g now matches the latest libstagefright git.

Hence the below RomFS listing, no OSS was updated at all(besides libstagefright mentioned above).

The following RomFS files were updated:
/build/buildinfo.dat
/static.crs

==== v10.7 ====
Basically the same changes as Old3DS v10.7, except with the usual buildinfo.dat update in RomFS. The below date is 6 days after the browser-version-check [[3DS_Userland_Flaws|bypass]] was publicly disclosed.

cat v7184/00000025_romfs/build/buildinfo.dat
10150
applet
2016-03-02 18:25

==== v11.1 ====
The ExeFS codebin was updated. The following files in RomFS were updated:

/build/buildinfo.dat
/.crr/static.crr
/oss.cro.lex
/static.crs
/webkit.cro.lex

cat v8192/00000026_romfs/build/buildinfo.dat
10156
applet
2016-08-26 19:47

Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)

Additional code was added which doesn't seem to be from upstream git, right [https://android.googlesource.com/platform/frameworks/av/+/32d6e5f0ebe9e00f80401e5f4fd6e285a474590d/media/libstagefright/MPEG4Extractor.cpp#880 before] the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"

This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.

The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".

==== v11.4 ====
The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated.

The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns.

cat v9232/00000027_romfs/build/buildinfo.dat
10160
applet
2017-03-08 19:44

=== New3DS Browser Specifications ===
[http://www.nintendo.co.jp/3ds/new/features/modal_net.html]

English version:
* "Browser engine: NetFront® Browser NX v3.0"
* "User agent: Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML and like Gecko) NX/3.0.*.*.* Mobile NintendoBrowser/1.0.**** JP
* ** Version information is stated.
* *** When using the “Mobile version request” function, it differs from the above-mentioned character string"
* "Supported protocols: HTTP1.0/HTTP1.1/SSL3.0/TLS1.0/TLS1.1/TLS1.2"
* "Web standard: HTML4.01 / HTML5 / XHTML1.1 / Fullscreen API / Gamepad API / SVG / WebSocket / Video Subtitle / WOFF / Web Messaging / Server-Sent / Web Storage (partial) / XMLHttpRequest / Canvas element / Video / DOM Levels 1-3 / ECMAScript / CSS1 / CSS2.1 / CSS3 (partial)"
* "Image format: bmp / gif / ico / jpeg / png / svg (There are, however, possibilities that some images won't display.)"
* "Image preview: mpo / jpeg (There are, however, possibilities that some images won't display.)"
* "Video format: MP4, M3U8 + TS (HTTPLiveStreaming) (There are, however, some videos that may not be played.)"
* "Video codec: H.264 - MPEG-4 AVC Video (max 854x480 at level 3.2, 3D compatible) (There are, however, some videos that can not be played.)"
* "Audio codec: AAC - ISO / IEC 14496-3 MPEG-4AAC, MP3 (There are, however, some videos that can not be played.)"
* "Format for uploading 3D videos: .mkv (In order to be played, videos must be converted to the appropriate format within the site you are uploading to. In some cases, the video will not play even if converted.)"
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
* "Active Rating System filtering: provided by Digital Arts, Inc.. Access to web content can be limited based on its category information, restricting access to web content that may result inappropriate."
* "Websites can be requested to provide the mobile version (However, if the web page does not have a mobile version, it won't change the way it's displayed.)"

MJPEG + .avi is also supported.

==== Gamepad ====
The browser's now-outdated gamepad API provides information about the states of the circle pad, C-stick, and every button aside from the Home and Power buttons. The gamepad, which has an ID of <code>New Nintendo 3DS Controller</code>, is contained within the array returned by the <code>navigator.webkitGetGamepads</code> function.

Both of the gamepad's arrays, which contain the states of various inputs, seem to be reconstructed each time they are accessed via their gamepad object. It is not known if the values within the arrays can update upon each access of the array, but the values can update frequently enough to obtain accurate readings of the system's controls.

===== Axes =====
The gamepad's <code>axes</code> array contains four floating-point numbers in the following order:

{|class="wikitable" width="20%"
! Index !! Axis
|-
| 0 || Circle pad X
|-
| 1 || Circle pad Y
|-
| 2 || C-stick X
|-
| 3 || C-stick Y
|}

Each coordinate ranges from -1.0 (left/up) to 1.0 (right/down). Neutral position is indicated by 0.0. Drift and/or inaccurate calibration may make these exact values unattainable.

===== Buttons =====
The gamepad's <code>buttons</code> array contains numbers for the following numbers:
{|class="wikitable" width="20%"
! Index !! Button
|-
| 0 || B
|-
| 1 || A
|-
| 2 || Y
|-
| 3 || X
|-
| 4 || L
|-
| 5 || R
|-
| 6 || ZL
|-
| 7 || ZR
|-
| 8 || Select
|-
| 9 || Start
|-
| 10 || Unused
|-
| 11 || Unused
|-
| 12 || Up
|-
| 13 || Down
|-
| 14 || Left
|-
| 15 || Right
|}

Each button's value is 0 while the button is not pressed, and 1 while the button is pressed.

Based on the Gamepad API's specifications, buttons 10 and 11 are reserved for left stick presses and right stick presses respectively, which the 3DS does not support.

==== Notes ====
* Viewport information can be specified with the <meta> element.
* The html "color" <input> type is not supported.
* 3D images appear as their right-eye image within webpages.
* Webpages are locked to the bottom screen when zooming is disabled, the webpage's initial scale is 1, and the entire webpage can fit within the bottom screen's dimensions (320x212).
* Interactable elements that are positioned partially outside of the bottom screen can temporarily be moved further inside the bottom screen by tapping them with the touchscreen.
* Favicons can be changed using Javascript, but they become unchangeable once the document's readystatechange event finishes firing with a ready state of "complete".
* Focusing on text-editable elements via Javascript will always open the keyboard.
* Webpage content is usually rendered at 30 FPS despite the <code>webkitRequestAnimationFrame</code> function allowing code to run at a rate of 60 FPS.
** As a result, display-related routines may only show half of their intended updates.
** This issue can be mitigated by rendering on every other frame. However, various factors (such as touchscreen input and sleep mode) make this fairly inconsistent.

== Old3DS browser ==

=== Old3DS Browser Specifications ===
* "Browser engine: NetFront® Browser"
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"

Old3DS browser doesn't support events "focusin" and "focusout"

=== User-Agent and Browser Versions ===
User-agent format: <code style="font-size:larger;">Mozilla/5.0 (Nintendo 3DS; U; ; <lang>) Version/<version>.<region></code>.

<lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>.
{| class="wikitable" border="1"
|-
! Browser version
! CDN Title-version
! Network-only system-update version
! Notes
|-
| 1.7412
| v6
| [[2.0.0-2|2.0.0-2]]
| This was the initial version.
|-
| 1.7455
| v1024
| [[2.1.0-4]]
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too.
|-
| 1.7498
| v2050
| [[4.0.0-7]]
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
|-
| 1.7538
| v0
| [[4.2.0-9]]
| First version of the KOR browser. The CROs are different from the USA/EUR/JPN [[4.0.0-7]] browser.
|-
| 1.7552
| v3075
| [[5.0.0-11]]
| ExeFS .code and icon were updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
|-
| 1.7552
| v3088
| [[7.0.0-13]]
| The main NCCH wasn't updated at all(same TMD contentID/content-hash as the previous version), only the manual CFA for this title was updated.
|-
| 1.7567
| v4096
| [[7.1.0-16]]
| The CXI .code was updated, some data in the RomFS was updated(none of the CROs such as webkit.cro were updated). The manual CFA was updated too.
|-
| 1.7585
| v5121
| [[9.5.0-23]]
| The CXI .code was updated, and the manual CFA was updated. RomFS changes:
* "/browser/rootca.pem" updated
* "/cro/oss.cro" updated
* "/cro/static.crs" updated
* "/cro/webkit.cro" updated
* "/.crr/static.crr" updated
* "/layout/dialogheader/WirelessSwitchOff.arc" was removed
* "/layout/favorite/favicondata/KOR.arc" updated

A vuln used in a public(at the time of this sysupdate) webkit exploit for spider was fixed, which also fixed the removewinframe exploit from [https://github.com/yellows8/3ds_webkithax here].
|-
| None
| v6147
| v9.9 CUP
| v9.9 CUP dummy web-browser, see below.
|-
| 1.7610
| v6149
| [[9.9.0-26]]
| See below.
|-
| 1.7616
| v7168
| [[10.2.0-28]]
| See below.
|-
| 1.7622
| v8192
| [[10.6.0-31]]
| See below.
|-
| None
| v9216
| v10.7 CUP
| v10.7 CUP dummy web-browser, see below.
|-
| 1.7625
| v9232
| [[10.7.0-32]]
| See below.
|-
| 1.7630
| v10240
| [[11.1.0-34]]
| See below.
|-
| 1.7636
| v11297
| [[11.9.0-42]]
| See below.
|-
| 1.7642
| v13313
| [[11.15.0-47]]
| See below.
|}

=== Heap ===
The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller.

=== Old3DS v9.9 ===
ExeFS:/.code was updated.

The only changes in RomFS were file-updating, the following files were updated:
/browser/rootca.pem
/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr
/message/CN_Simp_Chinese/spider.msbt
/message/EU_Dutch/spider.msbt
/message/EU_English/spider.msbt
/message/EU_French/spider.msbt
/message/EU_German/spider.msbt
/message/EU_Italian/spider.msbt
/message/EU_Portuguese/spider.msbt
/message/EU_Russian/spider.msbt
/message/EU_Spanish/spider.msbt
/message/JP_Japanese/spider.msbt
/message/KR_Hangeul/spider.msbt
/message/TW_English/spider.msbt
/message/TW_Trad_Chinese/spider.msbt
/message/US_English/spider.msbt
/message/US_French/spider.msbt
/message/US_Portuguese/spider.msbt
/message/US_Spanish/spider.msbt

OSS diff for v9.5 and v9.9, without the .dox changes:

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
index be5ff09..55a7274 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
#define WKC_VERSION_CHECK(major, minor, micro) \
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))

-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.14"
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"

#define WKC_WEBKIT_VERSION "532.7"

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp
index da4127e..d03403e 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp
@@ -305,23 +305,23 @@ int RenderBox::scrollHeight() const

int RenderBox::scrollLeft() const
{
- return hasOverflowClip() ? layer()->scrollXOffset() : 0;
+ return layer() && hasOverflowClip() ? layer()->scrollXOffset() : 0;
}

int RenderBox::scrollTop() const
{
- return hasOverflowClip() ? layer()->scrollYOffset() : 0;
+ return layer() && hasOverflowClip() ? layer()->scrollYOffset() : 0;
}

void RenderBox::setScrollLeft(int newLeft)
{
- if (hasOverflowClip())
+ if (hasOverflowClip() && layer())
layer()->scrollToXOffset(newLeft);
}

void RenderBox::setScrollTop(int newTop)
{
- if (hasOverflowClip())
+ if (hasOverflowClip() && layer())
layer()->scrollToYOffset(newTop);
}

=== Old3DS v10.2 ===
The slider vuln from [https://github.com/yellows8/3ds_webkithax here] was fixed in the Old3DS browser.

The main codebin .text only increased by 0x10-bytes.

The only changes in RomFS was that the following files were updated:
/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr

OSS diff:
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h
index 55a7274..fc153c4 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
#define WKC_VERSION_CHECK(major, minor, micro) \
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))

-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.17"

#define WKC_WEBKIT_VERSION "532.7"

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp
index b2f5cef..1dd3dbd 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp
@@ -221,6 +221,7 @@ RenderSlider::~RenderSlider()
{
if (m_thumb)
m_thumb->detach();
+ m_thumb = 0;
}

int RenderSlider::baselinePosition(bool, bool) const
@@ -493,7 +494,8 @@ void RenderSlider::forwardEvent(Event* event)
}
}

- m_thumb->defaultEventHandler(event);
+ if (m_thumb)
+ m_thumb->defaultEventHandler(event);
}

bool RenderSlider::inDragMode() const

=== Old3DS v10.6 ===
[[browserhax|spider28hax]] was fixed. The "2^32 characters long string" vuln described [[3DS_Userland_Flaws|here]] was ''finally'' fixed.

''A lot'' of WebKit issues/vulns were fixed, see [https://gist.github.com/yellows8/b1e10caa1d8bb8a46316 here] for the changes.

libpng was updated from version 1.4.12 to 1.4.19. zlib was updated from 1.2.7 to 1.2.8.

The .text size increased by 0x478-bytes.

The only changes in RomFS was that the following files were updated:
/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr
/manual/Manual.bcma

=== Old3DS v10.7 ===
''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]].

=== Old3DS v11.1 ===
Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:
/cro/oss.cro
/cro/webkit.cro
/.crr/static.crr

== Forced system-update ==
The Old3DS/New3DS Internet Browser updated with [[9.9.0-26]] added the following message strings:
In order to use the Internet
browser, a system update
is required.
To perform a system update,
select System Update from Other
Settings in System Settings.

The Internet browser cannot be
used at this time.
Please check your network
environment or try again later.

For whatever reason, the above ''message strings'' were removed with New3DS-browser v10.2, then re-added with v10.4. This does not apply to the Old3DS browser. Whenever v10.2 New3DS browser tries to use these message-strings for displaying a browser-update-related message, it will crash due to an assert failing since the message-strings are missing. Hence, if/when the v10.2 update-check page is ever updated where the browser tries to display a message for it, or when accessing that page fails, the browser will automatically crash.

This wasn't enforced(web-browser displaying the above message when the installed browser isn't the latest version) until October 26, 2015.

This message only triggers when attempting to load a web-page. This is only handled the first time the browser accesses a web-page, during this browser session.

The browser codebins starting with v9.9 now contain the following URL strings:
* Old3DS: <nowiki>"https://cbvc.cdn.nintendo.net/CTR/1/<region>"</nowiki>
* New3DS: <nowiki>"https://cbvc.cdn.nintendo.net/SNAKE/1/<region>"</nowiki>

The <region> string is one of the following:
* "JPN"
* "USA"
* "EUR"
* "KOR"

Starting with the browser from [[10.2.0-28]], the "1" in the above URLs were changed to "2". With the New3DS browser from [[10.4.0-29]], it's now "3".

As of October 26, 2015, the "1" URLs return the browser-version for v9.9(decimal number as a string without any "."), while the "2" URLs returns 0.

if(internal_browserver > server_browserver)
{
<safe>
}
else
{
<update message>
}

Hence, internal_browserver == server_browserver will trigger the sysupdate message, which appears to be the normal way to indicate that the current browser is outdated(see above).

There is a cache for this in savedata. The request is only done when at least 24-hours have passed since the last time the request was done(see the below savedata section).

It is still possible to guard against this update by blocking the previous URLs using a proxy.
It is not possible to remove the update message by entering the [[Recovery Mode]].

=== Page request ===
For this request, all root-CAs bundled with the browser are trusted, in addition to two of the SSL module builtin Nintendo root-CAs.

The browser(with New3DS at least) does the following with [[HTTP_Services|HTTPC]] for requesting the above page:
* Initializes the HTTP context and uses [[HTTPC:InitializeConnectionSession]] + [[HTTPC:SetProxyDefault]].
* Uses [[HTTP_Services|HTTPC]] command 0x250080 twice with cmd[1]=contexthandle: first time cmd[2]=0x3, second time cmd[2]=0x6.
* Then [[HTTPC:AddTrustedRootCA]] is used 48 times to setup 48 trusted root CAs. This appears to be every cert in the browser "romfs:/browser/rootca.pem" file converted to DER, in the same order from there(in other words, every single root CA the browser trusts by default for normal web-browsing).
* Then [[HTTPC:BeginRequest]] is used.
* Then [[HTTPC:ReceiveDataTimeout]] is used, the recv-size seems to be fixed to 0x20.
* Then [[HTTPC:GetResponseStatusCodeTimeout]] is used.
* Then [[HTTPC:GetDownloadSizeState]] is used.
* Then the HTTP context is closed.

Raw request data(New3DS USA v10.2 browser):
000000: 47 45 54 20 2f 53 4e 41 4b 45 2f 32 2f 55 53 41 GET /SNAKE/2/USA
000010: 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a HTTP/1.1..Host:
000020: 20 63 62 76 63 2e 63 64 6e 2e 6e 69 6e 74 65 6e cbvc.cdn.ninten
000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a do.net....

=== v10.7 ===
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]].

== Dummy web-browser ==
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".

Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).

Gamecards v10.7 and v11.4(New3DS only) have updated the dummy web-browser, where the only difference is the title version.

== Savedata ==
=== New3DS ===
On newer SKATER versions, it appears *all* NAND savedata is stored under the [[System_SaveData|0x000200BB]] savedata.

==== 0x000200BB savedata ====
This only contains "t.bin" with filesize 0xadf80, the format is below.

The timestamp format used here is the number of milliseconds since January 1, 2000(local-time).

When using the "Initialize savedata" option in the browser, that deletes this savedata file/image then exits the browser. This file is then re-created when the browser gets started again.

{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x68
| 0x4?
| This counter is incremented each time the savedata is written.
|-
| 0x70
| 0x8
| Timestamp for when the savedata was last written.
|-
| 0x94
| 0x15?
| This is all-zeros on non-JPN systems. On JPN systems where the browser filter is disabled, this is a string in the following format: "4110-%016llX".
|-
| 0xD8
| 0x8
| s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.
|}

==APT Parameters==
The URL to load can optionally be loaded from char[] string [[APT:SendParameter|paramblk+0]]. This is used when scanning URL QR-codes in Home Menu / etc.

==Errors==
"Failed to load part of this page": This can be caused by failing to load "/favicon.ico". For example, this can be caused by loading a plain HTTP page, with plain-http favicon redirecting to HTTPS. If cert-verify then fails with favicon in this case, this error would then trigger.

==Other details==

*It scored 90/100 on [http://acid3.acidtests.org/ Acid3] test
*Images from the Internet can be saved to the [[SD Filesystem|SD Card]] and viewed using the [[Nintendo 3DS Camera]] application.
*Images saved to an [[SD Filesystem|SD Card]] or to the Nintendo 3DS system memory can be uploaded to blogs or other sites that allow the uploading of photos using :
<input type="file" />
* HTML5Test.com say that Drag and drop is supported but it's not (code on WebKit is ready, but it's not implemented on interface of browser)
* Webpages are rendered with the RGB565 color format.

==Tips==

=== Detect User Agent ===

To detect if the user agent is the Nintendo 3DS Internet Browser (not including mobile site mode):

<script type="text/javascript">
if(navigator.userAgent.indexOf("Nintendo 3DS") == -1) { // If the user agent does not contain "Nintendo 3DS"
location.replace("http://www.3dbrew.org"); // Redirect to another page
}
</script>

* You can check using <code>navigator.platform.indexOf("Nintendo 3DS") > -1</code> as well.
* The New 3DS Internet Browser's "Request Mobile Sites" setting affects the user agent. To detect if the New 3DS Internet Browser is being used with this option enabled, use <code>screen.pixelDepth == 16 && navigator.platform == "iPhone"</code>.
** This relies on the fact that the internet browser renders its webpages in 16-bit color, which is (hopefully?) not possible with a real iPhone.
** Keep in mind that the previous browser-detection examples do not account for this setting.

=== Scrolling ===

Scrolling can be altered by modifying document.body.scrollTop and document.body.scrollLeft. However, there are drawbacks related to working with these properties:

* Both properties return 0 when accessed
* Setting one property resets the other property's scroll position

In order to set both at the same time (without either resetting to 0), use window.scrollTo.

=== Events ===
==== Key Events ====
The following buttons trigger the onkeydown, onkeypress and onkeyup events:

{|class="wikitable" width="20%"
! Code !! Button
|-
| 13 || A
|-
| 37 || Left
|-
| 38 || Up
|-
| 39 || Right
|-
| 40 || Down
|}

The events cannot have their default action cancelled. Other buttons do not trigger key events.

The Old3DS browser dispatches a keypress event once per key press for each of the buttons above, but the New3DS browser dispatches the event continuously until the button is released.

A keyboard event's <code>keyIdentifier</code> property usually should not be used to identify which button was pressed, as the A button's keypress event is dispatched with a key identifier of "" (an empty string) rather than "Enter" in the New3DS browser.

The New3DS browser's keyboard dispatches keydown and keyup events when a key is pressed, but it is not possible to determine which key was pressed based on the event itself. Every keyboard keydown event has a key code of 229 and a key identifier of "U+00E5", and every keyup event has a key code of 0 and a key identifier of "U+0000".

Key events are suppressed while the touchscreen is touched.

==== Touch/Mouse Events ====
The mousedown, mouseup, and click events are all triggered by the browser. However, the mousedown event doesn't trigger until you lift the stylus or you've held it on the screen long enough to trigger text selection mode. Text selection mode requires pressing the touchscreen for approximately 1.05 seconds in the Old3DS browser, or pressing the touchscreen for approximately 0.41 seconds in the New3DS browser. Also, the mousedown event is only dispatched while text selection mode is active. Mouse events cannot have their default actions cancelled.

Touch events are not supported in the Old3DS browser, and the touchcancel event does not seem to be used by either browser. Touches cannot start within the bottom browser bar, but they can move to be within it. The rotation angle, contact radii, and pressure of each touch are always zero, as the 3DS touchscreen is not capable of detecting these values. Only one touch can be detected at a time due to the touchscreen's hardware limitations as well. Unlike mouse events, touch events can have their default actions cancelled. Doing so will prevent the touchscreen from being used to scroll through the webpage, highlight text, zoom out, and interact with the bottom browser bar.

==== System Font Characters ====
The [[System_Font#Unicode_Private_Use_characters|system font]]'s private-use characters can be viewed within the web browser.

== Screen Resolution ==

The up screen resolution is 400×240. However, the viewable area in the browser is only 400×215.

The touch screen resolution is 320×240. However, the viewable area in the browser is 320×212 or 320×240, depending on if the bottom browser bar is visible. The New3DS browser's bottom bar can hidden by scrolling and/or attempting to zoom in/out with the C-stick, unless scrolling and zooming have both been disabled.

You can have a page span both screens. However, the browser will behave as if the bottom screen is the only active screen and the top screen is scrolled off. This is important when computing CSS coordinates. Items positioned from the "bottom" will be positioned based on the height of the bottom screen, not the cumulative height of both screens.

== Using Both Screens ==

Generally the easiest way to accomplish the correct layout is to create HTML elements that "contain" the top and bottom screens. Here's an example:

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=400, initial-scale=1">
<style>
body { margin: 0px; }
#topscreen { width: 400px; height: 215px; overflow: hidden; background-color: red; }
#bottomscreen { width: 320px; height: 212px; overflow: hidden; background-color: blue; margin: 0 40px 28px; }
</style>
</head>
<body>
<div id="topscreen">Top Screen</div>
<div id="bottomscreen">Bottom Screen</div>
</body>
</html>

This scheme allows the page to be easily manipulated through JavaScript. In order to have the window snap to the correct position, use the following JavaScript code:

window.setInterval(function() {
window.scrollTo(40, 215);
}, 0);

This automatically resets the position if the user accidentally scrolls the page. Zooming should probably also be disabled by adding <code>user-scalable=no</code> to the <meta> viewport element, though this will only have an effect in the New3DS browser.

==Example Sites==

* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks]: This is the first bookmark pre-installed in the browser.
* [http://theimageshare.com ImageShare]: Image uploader for the 3DS ([https://github.com/corbindavenport/imageshare source code])
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
* [http://ditto3d.com/3ds Ditto3D (Dead Link)] (Short URL: http://bit.ly/oVreWA)

Homebrew Exploits

2025-05-08T14:23:18Z

Danny8376:

==Payload==
{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Description
! Supported firmwares
|-
| style="background: lightgreen" | Yes
| [https://smealum.github.io/3ds/ *hax payload]
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''
| From '''9.0.0-7''' up to '''11.9.0-42'''.
|}

For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.

==Standalone Homebrew Launcher Exploits==
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.

{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[ninjhax|Ninjhax 1.1b]]
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| smea
| [http://smealum.net/ninjhax/ Install]
|-
| style="background: lightgreen" | Yes
| [[ninjhax|Ninjhax 2.x]]
| From '''9.0.0-7''' up to and including '''11.9.X'''.
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".
| smea
| [https://smealum.github.io/ninjhax2/ Install]
|-
| style="background: lightgreen" | Yes
| [http://plutooo.github.io/freakyhax/ freakyhax]
| From '''9.0.0-7''' up to and including '''11.9.X'''.
| A cartridge or eShop version (USA/EUR/JPN, not available anymore for purchase) of "Freakyform Deluxe".
| plutoo
| [http://plutooo.github.io/freakyhax/ Install]
|-
| style="background: salmon" | No
| [http://plutooo.github.io/smilehax/ smilehax]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)
| plutoo
| [http://plutooo.github.io/smilehax/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/zoogie/smilehax-IIe smilehax IIe]
| From '''9.0.0-7''' up to and including '''11.13.0-45'''
| SmileBASIC (JPN version 3.3.2 via app downgrade, USA/EUR 3.6.0, aka latest app version)
| zoogie
| [https://github.com/zoogie/smilehax-IIe/releases/latest Install]
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (USA all versions)
| MrNbaYoh
| [http://mrnbayoh.github.io/basicsploit/ Install]
|-
| style="background: lightgreen" | Yes
| [[smashbroshax|smashbroshax]] (beaconhax)
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.9.0-37'''.
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_smashbroshax Install]
|-
| style="background: salmon" | No
| [[browserhax]]
| From '''9.0.0-2''' to '''11.0.0-33'''
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| A USA, EUR, JPN, or KOR system.
| [[User:Yellows8|Yellows8]]
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]
|-
| style="background: salmon" | No
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see bellow'''
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: salmon" | No
| [https://github.com/nedwill/soundhax soundhax]
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.
| A USA, EUR, JPN or KOR system.
| nedwill
| [http://soundhax.com Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app version from sending or receiving messages.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/rpwng2 RPwnG 2]
| From '''11.7.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA. A 3DS on firmware 11.7.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng2/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| An digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng/ Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/notehax notehax]
| From '''9.9.0-X''' up to and including '''11.5.0-X'''.
| A digital copy of Flipnote Studio 3D on ver 1.3.1 (JPN) and ver 1.0.0 for EUR/USA (not the latest)
| MrNbaYoh
| [https://mrnbayoh.github.io/notehax/ Install]
|-
| style="background: darkorange" | Only if you already purchased Blockfactory before it was removed from the eShop
| [https://github.com/Stary2001/haxfactory haxfactory]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of "Blockfactory" (USA/EUR)
| Stary2001
| [https://github.com/Stary2001/haxfactory Install]
|}

==Secondary Exploits==
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.

{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[ironhax]]
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.
| smea
| [http://smealum.github.io/3ds/ Install]
|-
| style="background: lightgreen" | Yes
| [http://vegaroxas.github.io/ steelhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X'''
| A copy of Steel Diver: Sub Wars
| Vegaroxas
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/oot3dhax oot3dhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X''', for '''X''' up to and including 39.
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't co-exist with regular saves on a physical version of the game.
| Yellows8 / smea et al.
| See [https://smealum.github.io/3ds/ here].
|-
| style="background: salmon" | No
| [[menuhax]]
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]
|-
| style="background: lightgreen" | Yes
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to '''11.9.0-X'''.
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.
| Shiny Quagsire / SALT team
| [https://smd.salthax.org/ Install].
|-
| style="background: salmon" | No
| [https://github.com/shinyquagsire23/v_hax (v*)hax]
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.
| Shiny Quagsire / SALT team
| [https://vvvvvv.salthax.org/ Install].
|-
| style="background: lightgreen" | Yes
| [https://github.com/Dazzozo/humblehax humblehax]
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.9.0-X'''.
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.
| Dazzozo / SALT team
| [https://citizens.salthax.org/ Install].
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]
| From '''9.0.0-X''' up to and including '''11.1.0-X'''.
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire v1 or v1.4 with the ability to have a secret base.
| MrNbaYoh
| [http://mrnbayoh.github.io/basehaxx/ install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/stickerhax stickerhax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| A gamecard or eShop-install of Paper Mario: Sticker Star.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/stickerhax Here]
|-
| style="background: lightgreen" | Yes
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/painthax painthax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| An eShop-install of Pixel Paint.
| MrNbaYoh
| [https://github.com/MrNbaYoh/painthax/releases/latest install]
|-
| style="background: salmon" | No
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/ctpkpwn/releases Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.
| An eShop-install of Swapdoodle.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://github.com/ChampionLeake/RPwnG3 RPwnG3]
| From '''9.0.0-X'''(?) up to and including '''11.12.0-X'''.
| A Digital/Physical copy of "RPGMaker Fes Player/RPGMaker Fes" (USA/JPN 1.1.2 or lower ; EUR 1.1.4 or lower).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/RPwnG3/releases Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/luigoalma/nitpic3d nitpic3d]
| From '''9.6.0-X'''(?) up to and including '''11.13.0-X'''.
| A digital or physical of Picross 3D: Round 2
| Luigoalma and Kartik
| [https://github.com/luigoalma/nitpic3d Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/PabloMK7/kartdlphax kartdlphax]
| All system versions work.
| A digital or physical of Mario Kart 7 for the same region as both consoles
| PabloMK7
| [https://3ds.hacks.guide/installing-boot9strap-(kartdlphax) Install]
|}

==Exploits without Homebrew Launcher==

'''Warning:''' The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format, but could still prove useful by chaining to exploits with higher privileges.

{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: lightgreen" | yes
| [https://github.com/zoogie/MSET9 MSET9]
| From '''3.0.0''' to '''latest'''.
| Works on all consoles, but for CHN consoles, will need SD card with preinstalled titles or movable.sed for generating valid SD title database.
| zoogie
|[https://github.com/zoogie/MSET9 Install]
|-
| style="background: salmon" | No
| [https://safecerthax.rocks safecerthax] (Safe Mode System Updater)
| (Old3DS (2DS) (XL)) From '''1.0.0''' to '''11.14.0'''

(New3DS (New2DS) (XL)) '''NOT SUPPORTED'''
|An O3DS or O2DS that can be booted into [[Recovery_Mode|Recovery Mode]] (hold L+R+Up+A at startup) & an internet connection.
|[[User:Nba_Yoh|MrNbaYoh]]
|[https://safecerthax.rocks/user-guide/ Install]
|-
| style="background: lightgreen" | Yes (partially)
| [[bannerbomb3]] (System Settings)
| (USA / EUR / JPN) '''11.5.0''' to '''11.16.0'''

(KOR / TWN) '''(11.4.0)''' '''11.5.0''' to '''latest'''

An exploit that uses a buffer overflow in a TWL export banner's title strings to gain rop execution.
|A USA, EUR, JPN, KOR, or TWN system with its movable.sed keyY extracted.
|[[User:zoogie|zoogie]]
|[[bannerbomb3|Install]]
|-
| style="background: salmon" | No
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)

(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''

Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| An USA, EUR, or JPN system.
| [[User:Yellows8|Yellows8]]
| [[browserhax|Install]]
|-
| style="background: salmon" | No
| Ninjhax (with specialized payloads)
| Up to '''9.2.0-20'''?
|
| smea + independent developers
| N/A
|}

==Previous Exploits==
'''Warning:''' These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.
{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[tubehax|Tubehax]]
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).
| smea
| [http://smealum.github.io/3ds/ Install]
|}

==Other Homebrew Loaders==
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.

[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.

==Sysmodule Exploits==
This section is for system-module exploits, which can be run from the *hax payloads.

{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
|-
| style="background: salmon" | No, still usable pre-v11.4.
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.
| None
| [[User:Yellows8|Yellows8]]
|}

==WebKit vuln testing==
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].

Homebrew Exploits

2025-05-08T14:01:21Z

Danny8376:

==Payload==
{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Description
! Supported firmwares
|-
| style="background: lightgreen" | Yes
| [https://smealum.github.io/3ds/ *hax payload]
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''
| From '''9.0.0-7''' up to '''11.9.0-42'''.
|}

For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.

==Standalone Homebrew Launcher Exploits==
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.

{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[ninjhax|Ninjhax 1.1b]]
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| smea
| [http://smealum.net/ninjhax/ Install]
|-
| style="background: lightgreen" | Yes
| [[ninjhax|Ninjhax 2.x]]
| From '''9.0.0-7''' up to and including '''11.9.X'''.
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".
| smea
| [https://smealum.github.io/ninjhax2/ Install]
|-
| style="background: lightgreen" | Yes
| [http://plutooo.github.io/freakyhax/ freakyhax]
| From '''9.0.0-7''' up to and including '''11.9.X'''.
| A cartridge or eShop version (USA/EUR/JPN, not available anymore for purchase) of "Freakyform Deluxe".
| plutoo
| [http://plutooo.github.io/freakyhax/ Install]
|-
| style="background: salmon" | No
| [http://plutooo.github.io/smilehax/ smilehax]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)
| plutoo
| [http://plutooo.github.io/smilehax/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/zoogie/smilehax-IIe smilehax IIe]
| From '''9.0.0-7''' up to and including '''11.13.0-45'''
| SmileBASIC (JPN version 3.3.2 via app downgrade, USA/EUR 3.6.0, aka latest app version)
| zoogie
| [https://github.com/zoogie/smilehax-IIe/releases/latest Install]
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (USA all versions)
| MrNbaYoh
| [http://mrnbayoh.github.io/basicsploit/ Install]
|-
| style="background: lightgreen" | Yes
| [[smashbroshax|smashbroshax]] (beaconhax)
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.9.0-37'''.
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_smashbroshax Install]
|-
| style="background: salmon" | No
| [[browserhax]]
| From '''9.0.0-2''' to '''11.0.0-33'''
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| A USA, EUR, JPN, or KOR system.
| [[User:Yellows8|Yellows8]]
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]
|-
| style="background: salmon" | No
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see bellow'''
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: salmon" | No
| [https://github.com/nedwill/soundhax soundhax]
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.
| A USA, EUR, JPN or KOR system.
| nedwill
| [http://soundhax.com Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app version from sending or receiving messages.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/rpwng2 RPwnG 2]
| From '''1.1.7-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA. A 3DS on firmware 11.7.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng2/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| An digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng/ Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/notehax notehax]
| From '''9.9.0-X''' up to and including '''11.5.0-X'''.
| A digital copy of Flipnote Studio 3D on ver 1.3.1 (JPN) and ver 1.0.0 for EUR/USA (not the latest)
| MrNbaYoh
| [https://mrnbayoh.github.io/notehax/ Install]
|-
| style="background: darkorange" | Only if you already purchased Blockfactory before it was removed from the eShop
| [https://github.com/Stary2001/haxfactory haxfactory]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of "Blockfactory" (USA/EUR)
| Stary2001
| [https://github.com/Stary2001/haxfactory Install]
|}

==Secondary Exploits==
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.

{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[ironhax]]
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.
| smea
| [http://smealum.github.io/3ds/ Install]
|-
| style="background: lightgreen" | Yes
| [http://vegaroxas.github.io/ steelhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X'''
| A copy of Steel Diver: Sub Wars
| Vegaroxas
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/oot3dhax oot3dhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X''', for '''X''' up to and including 39.
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't co-exist with regular saves on a physical version of the game.
| Yellows8 / smea et al.
| See [https://smealum.github.io/3ds/ here].
|-
| style="background: salmon" | No
| [[menuhax]]
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]
|-
| style="background: lightgreen" | Yes
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to '''11.9.0-X'''.
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.
| Shiny Quagsire / SALT team
| [https://smd.salthax.org/ Install].
|-
| style="background: salmon" | No
| [https://github.com/shinyquagsire23/v_hax (v*)hax]
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.
| Shiny Quagsire / SALT team
| [https://vvvvvv.salthax.org/ Install].
|-
| style="background: lightgreen" | Yes
| [https://github.com/Dazzozo/humblehax humblehax]
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.9.0-X'''.
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.
| Dazzozo / SALT team
| [https://citizens.salthax.org/ Install].
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]
| From '''9.0.0-X''' up to and including '''11.1.0-X'''.
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire v1 or v1.4 with the ability to have a secret base.
| MrNbaYoh
| [http://mrnbayoh.github.io/basehaxx/ install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/stickerhax stickerhax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| A gamecard or eShop-install of Paper Mario: Sticker Star.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/stickerhax Here]
|-
| style="background: lightgreen" | Yes
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/painthax painthax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| An eShop-install of Pixel Paint.
| MrNbaYoh
| [https://github.com/MrNbaYoh/painthax/releases/latest install]
|-
| style="background: salmon" | No
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/ctpkpwn/releases Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.
| An eShop-install of Swapdoodle.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://github.com/ChampionLeake/RPwnG3 RPwnG3]
| From '''9.0.0-X'''(?) up to and including '''11.12.0-X'''.
| A Digital/Physical copy of "RPGMaker Fes Player/RPGMaker Fes" (USA/JPN 1.1.2 or lower ; EUR 1.1.4 or lower).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/RPwnG3/releases Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/luigoalma/nitpic3d nitpic3d]
| From '''9.6.0-X'''(?) up to and including '''11.13.0-X'''.
| A digital or physical of Picross 3D: Round 2
| Luigoalma and Kartik
| [https://github.com/luigoalma/nitpic3d Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/PabloMK7/kartdlphax kartdlphax]
| All system versions work.
| A digital or physical of Mario Kart 7 for the same region as both consoles
| PabloMK7
| [https://3ds.hacks.guide/installing-boot9strap-(kartdlphax) Install]
|}

==Exploits without Homebrew Launcher==

'''Warning:''' The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format, but could still prove useful by chaining to exploits with higher privileges.

{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: lightgreen" | yes
| [https://github.com/zoogie/MSET9 MSET9]
| From '''3.0.0''' to '''latest'''.
| Works on all consoles, but for CHN consoles, will need SD card with preinstalled titles or movable.sed for generating valid SD title database.
| zoogie
|[https://github.com/zoogie/MSET9 Install]
|-
| style="background: lime" | Yes
| [https://safecerthax.rocks safecerthax] (Safe Mode System Updater)
| (Old3DS (2DS) (XL)) ''' ALL '''

(New3DS (New2DS) (XL)) '''NOT SUPPORTED'''
|An O3DS or O2DS that can be booted into [[Recovery_Mode|Recovery Mode]] (hold L+R+Up+A at startup) & an internet connection.
|[[User:Nba_Yoh|MrNbaYoh]]
|[https://safecerthax.rocks/user-guide/ Install]
|-
| style="background: lime" | Yes (partially)
| [[bannerbomb3]] (System Settings)
| (USA / EUR / JPN) '''11.5.0''' to '''11.16.0'''

(KOR / TWN) '''(11.4.0)''' '''11.5.0''' to '''latest'''

An exploit that uses a buffer overflow in a TWL export banner's title strings to gain rop execution.
|A USA, EUR, JPN, KOR, or TWN system with its movable.sed keyY extracted.
|[[User:zoogie|zoogie]]
|[[bannerbomb3|Install]]
|-
| style="background: salmon" | No
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)

(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''

Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| An USA, EUR, or JPN system.
| [[User:Yellows8|Yellows8]]
| [[browserhax|Install]]
|-
| style="background: salmon" | No
| Ninjhax (with specialized payloads)
| Up to '''9.2.0-20'''?
|
| smea + independent developers
| N/A
|}

==Previous Exploits==
'''Warning:''' These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.
{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[tubehax|Tubehax]]
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).
| smea
| [http://smealum.github.io/3ds/ Install]
|}

==Other Homebrew Loaders==
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.

[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.

==Sysmodule Exploits==
This section is for system-module exploits, which can be run from the *hax payloads.

{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
|-
| style="background: salmon" | No, still usable pre-v11.4.
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.
| None
| [[User:Yellows8|Yellows8]]
|}

==WebKit vuln testing==
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].

FIRM

2023-03-16T23:27:00Z

Danny8376: /* NATIVE_FIRM */ fix 11.16, never try to type your self...

This page describes the file format for the [[Title list#00040138 - System Firmware|3DS' Firmware]], it contains up to four 'sections' of data comprising the ARM9 and ARM11 kernels, and some fundamental processes. The firmware sections are not encrypted. In a nutshell, a FIRM contains all the data required to set up the ARM9 and ARM11 kernels, and basic operating functionality.

The ARM9 section contains the ARM9 kernel (and loader) and the Process9 NCCH (which is the only process run in user mode on the ARM9). The ARM11 sections contain the ARM11 kernel (and loader), and various ARM11 process NCCHs. For NATIVE_FIRM/SAFE_MODE_FIRM these ARM11 processes are sm, fs, pm, loader, and pxi. Normally the 4th section is not used. The code loaded from FIRM is constantly running on the system until another FIRM is launched. The ARM11 kernel is hard-coded to always decompress the ExeFS .code of embedded ARM11 NCCHs without checking the exheader compression bit.

== FIRM Header ==
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 4
| Magic 'FIRM'
|-
| 0x004
| 4
| Boot priority (highest value = max prio), this is normally zero.
|-
| 0x008
| 4
| ARM11 Entrypoint
|-
| 0x00C
| 4
| ARM9 Entrypoint
|-
| 0x010
| 0x030
| Reserved
|-
| 0x040
| 0x0C0 (0x030*4)
| Firmware Section Headers
|-
| 0x100
| 0x100
| RSA-2048 signature of the FIRM header's SHA-256 hash. The signature is checked when bootrom/Process9 are doing FIRM-launch (with the public key being hardcoded in each). The signature is not checked when installing FIRM to the NAND firm0/firm1 partitions.
|}

== Firmware Section Headers ==

{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 4
| Byte offset
|-
| 0x004
| 4
| Physical address where the section is loaded to.
|-
| 0x008
| 4
| Byte-size. While loading FIRM this is the field used to determine whether the section exists or not, by checking for value 0x0.
|-
| 0x00C
| 4
| Copy-method (0 = NDMA, 1 = XDMA, 2 = CPU mem-copy), Process9 ignores this field. Boot9 doesn't immediately throw an error when this isn't 0..2. In that case it will jump over section-data-loading which then results in the hash verification with the below hash being done with the hash already stored in the SHA hardware.
|-
| 0x010
| 0x020
| SHA-256 Hash of Firmware Section
|}

The contents of individual sections ''may'' be encrypted if the FIRM is not meant to be booted from NAND, i.e. if it is meant to be booted from SPI flash or NTR cartridge. If hash checks fail for all FIRM sections if treated as plaintext, it may be worth trying to check if the sections are encrypted. The encryption is detailed on [[Bootloader#Non-NAND_FIRM_boot|the bootloader page]].

== [[New_3DS]] FIRM ==
For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 FIRM binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader. The format of the FIRM header is identical to regular 3DS FIRM(the RSA modulo is the same as regular 3DS too).

Before checking [[CONFIG_Registers|CFG_SYSPROT9]] the loader main() does the following:
* On [[9.5.0-22|9.5.0-X]]: executes a nop instruction with r0=0 and r1=<address of arm9binhdr+0x50>.
* Clears bit6 in [[AES_Registers|REG_AESKEYCNT]].

If [[CONFIG_Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit 1 is clear (which means the OTP area is unlocked and so it knows that this is a hard reboot), it does the following things:
* Clears 0x200-bytes on the stack, then reads [[Flash_Filesystem|NAND]] sector 0x96(NAND image offset 0x12C00), with size 0x200-bytes into that stack buffer.
* Checks [[CONFIG_Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit 1 again, if it's set then it executes a panic function(set r0-r2=0, execute nop instruction, then execute instruction "bkpt 0x99").
* Hashes data from the OTP region [[IO_Registers|0x10012000-0x10012090]] using SHA256 via the [[SHA_Registers|SHA]] hardware.
* Clears bit6 in [[AES_Registers|REG_AESKEYCNT]]. Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of the above hash, respectively. Due to the above hashed data, the keyX+keyY here are console-unique.
* Decrypts the first 0x10-byte block in the above read NAND sector with keyslot 0x11 using AES-ECB. [[9.6.0-24|9.6.0-X]]: Then it decrypts the 0x10-bytes at offset 0x10 in the sector with keyslot 0x11.
* Then the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. Runs the TWL key-init/etc code which was originally in the ARM9-kernel, then writes 0x2 to [[CONFIG_Registers|CFG_SYSPROT9]] to disable the OTP area.
* Then it uses the above decrypted block from sector+0 to set the normalkey for keyslot 0x11. Decrypts arm9_bin_buf+0 using keyslot 0x11 with AES-ECB, and initialises keyX for keyslot 0x15 with it.
* [[9.6.0-24|9.6.0-X]]: Then it uses the above decrypted block from sector+0 to set the normalkey for keyslot 0x11. Decrypts a 0x10-byte block from arm9loader .(ro)data using keyslot 0x11 with AES-ECB, and initializes keyX for keyslot 0x18 with it(same block as previous versions).
* [[9.6.0-24|9.6.0-X]]: Starting with this version keyslot 0x16 keyX init was moved here, see below for details on this. The code for this is same as [[9.5.0-22|9.5.0-X]], except the decrypted normalkey from sector+0x10 is used for keyslot 0x11 instead.
* Initialises KeyX for keyslots 0x18..0x1F(0x19..0x1F with [[9.6.0-24|9.6.0-X]]) with the output of decrypting a 0x10-byte block with AES-ECB using keyslot 0x11. This block was changed to a new one separate from keyslot 0x18, starting with [[9.6.0-24|9.6.0-X]]. The last byte in this 0x10-byte input block is increased by 0x01 after initializing each keyslot. Before doing the crypto each time, the loader sets the normal-key for keyslot 0x11 to the plaintext normalkey from sector+0(+0x10 with [[9.6.0-24|9.6.0-X]]). These are New3DS-specific keys.
* [[9.5.0-22|9.5.0-X]](moved to above with [[9.6.0-24|9.6.0-X]]): Sets the normal-key for keyslot 0x11 to the same one already decrypted on the stack. Decrypts the 0x10-byte block at arm9binhdr+0x60 with AES-ECB using keyslot 0x11, then sets the keyX for keyslot 0x16 to the output data.
* [[9.5.0-22|9.5.0-X]]: The normalkey, keyX, and keyY, for keyslot 0x11 are then cleared to zero.

When [[CONFIG_Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit 1 is set(which means this happens only when this loader runs again for firm-launch), the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero.

It sets KeyY for keyslot 0x15(0x16 with [[9.5.0-22|9.5.0-X]]) to arm9_bin_buf+16, the CTR to arm9_bin_buf+32 (both are unique for every version). It then proceeds to decrypt the binary with AES-CTR. When done, it sets the normal-key for the keyslot used for binary decryption to zeros. It then decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15([[9.5.0-22|9.5.0-X]]/[[9.6.0-24|9.6.0-X]] also uses keyslot 0x15), sets the normal-key for this keyslot to zeros again, then makes sure the output block is all zeroes. If it is, it does some cleanup then it jumps to the entrypoint for the decrypted binary. Otherwise it will clear the keyX, keyY, and normal-key for each of the keyslots initialized by this loader (on [[9.6.0-24|9.6.0-X]]+, on older versions this was bugged and cleared keys 0x00..0x07 instead of 0x18..0x1F), do cleanup(same cleanup as when the decrypted block is all-zero) then just loop forever.

Thus, the ARM9 binary has the following header:
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 16
| Encrypted KeyX (same for all FIRM's)
|-
| 0x010
| 16
| KeyY
|-
| 0x020
| 16
| CTR
|-
| 0x030
| 8
| Size of encrypted binary, as ASCII text?
|-
| 0x038
| 8
| ?
|-
| 0x040
| 16
| Control block
|-
| 0x050
| 16
| Added with [[9.5.0-22|9.5.0-X]]. Only used for hardware debugging: a nop instruction is executed with r0=0 and r1=<address of this data>.
|-
| 0x060
| 16
| Added with [[9.5.0-22|9.5.0-X]]. Encrypted keyX for keyslot 0x16.
|}

Originally the padding after the header before offset 0x800(start of actual ARM9-binary) was 0xFF bytes, with [[9.5.0-22|9.5.0-X]] this was changed to 0x0.

For the New3DS NATIVE_FIRM arm9-section header, the only difference between the [[8.1.0-0_New3DS]] version and the [[9.0.0-20]] version is that the keyY, CTR, and the block at 0x30 in the header were updated.

===New3DS ARM9 binary loader versions===
{| class="wikitable" border="1"
|-
! FIRM system version(s)
! Description
|-
| [[8.1.0-0_New3DS]] - [[9.3.0-21|9.3.0-X]]
| Initial version.
|-
| [[9.5.0-22|9.5.0-X]]
| Added keyX initialization for keyslot 0x16(see above), and added code for clearing keyslot 0x11 immediately after the code finishes using keyslot 0x11. The keyslot used for arm9bin decryption was changed from 0x15 to 0x16. Added code for clearing keyslot 0x16 when control-block decryption fails. Added code for using arm9bin_hdr+0x50 with a nop instruction, at the very beginning of the main arm9-loader function. Added two new 0x10-blocks to the arm9bin-hdr.
|-
| [[9.6.0-24|9.6.0-X]] - [[11.3.0-36|11.3.0-X]]
| See above and [[9.6.0-24|here]].
|}

===New3DS ARM9 kernel===
The only actual code-difference for the Old3DS/New3DS ARM9-kernels' crt0, besides TWL AES / [[IO_Registers|0x10012000]] related code, is that the New3DS ARM9-kernel writes 0x1 to [[CONFIG_Registers|REG_EXTMEMCNT9]] in the crt0.

===New3DS Process9===
The following is all of the differences for Old3DS/New3DS Process9 with [[9.3.0-21|9.3.0-X]]:
* The FIRM-launch code called at the end of the New3DS proc9 main() has different mem-range checks.
* In the New3DS proc9, the v6.0/v7.0 keyinit function at the very beginning(before the original code) had additional code added for setting [[Flash_Filesystem|CTRNAND]] [[AES_Registers|keyslot]] 0x5, with keydata from .data. After setting the keyY, the keyY in .data is cleared.
* In New3DS proc9, the functions for getting the gamecard crypto keyslots / NCCH keyslot can return New3DS keyslots when New3DS flags(NCSD/NCCH) are set.
* The code/data for the binary near the end of arm9mem is slightly different, because of memory-region sizes.
* The only difference in .data(besides the above code binary) is that the New3DS proc9 has an additional 0x10-byte block for the keyslot 0x5 keyY, see above.

== Variations ==
There exists different official firmwares for the 3DS: The default one (NATIVE_FIRM) is used to run all 3DS content and boots by default, while backwards compatibility is handled by TWL_FIRM and AGB_FIRM. There furthermore is a rescue mode provided by SAFE_MODE_FIRM.

=== NATIVE_FIRM ===
NATIVE_FIRM is the FIRM which is installed to the [[Flash_Filesystem|NAND]] firm partitions, which is loaded by bootrom.

Version history:

{| class="wikitable" border="1"
! System version
! old 3DS title version
! old 3DS hex title contentID
! Kernel/FIRM version (old 3DS/new 3DS)
! FIRM ARM11-sysmodule Product Code
|-
| [[Factory_Setup|Factory]] FIRM (titleID 00040001-00000002)
| v0
| 00
| 2.3-0
|-
| Pre-1.0. Referenced in the v1.0 Home Menu NCCH plain-region.
|
|
| 2.23-X
|-
| [[1.0.0-0|1.0.0]]
| v432
| 00
| 2.27-0
|-
| [[1.1.0-1|1.1.0]]
| v1472
| 02
| 2.28-0
|-
| [[2.0.0-2|2.0.0]]
| v2516
| 09
| 2.29-7
|-
| [[2.1.0-3|2.1.0]]
| v3553
| 0B
| 2.30-18
| 0608builder
|-
| [[2.2.0-X|2.2.0]]
| v4595
| 0F
| 2.31-40
| 0909builder
|-
| [[3.0.0-5|3.0.0]]
| v5647
| 18
| 2.32-15
| 1128builder
|-
| [[4.0.0-7|4.0.0]]
| v6677
| 1D
| 2.33-4
| 0406builder
|-
| [[4.1.0-8|4.1.0]]
| v7712
| 1F
| 2.34-0
| 0508builder
|-
| [[5.0.0-11|5.0.0]]
| v8758
| 25
| 2.35-6
| 0228builder
|-
| [[5.1.0-11|5.1.0]]
| v9792
| 26
| 2.36-0
| 0401builder
|-
| [[6.0.0-11|6.0.0]]
| v10833
| 29
| 2.37-0
| 0520builder
|-
| [[6.1.0-11|6.1.0]]
| v11872
| 2A
| 2.38-0
| 0625builder
|-
| [[7.0.0-13|7.0.0]]
| v12916
| 2E
| 2.39-4
| 1125builder
|-
| [[7.2.0-17|7.2.0]]
| v13956
| 30
| 2.40-0
| 0404builder
|-
| [[8.0.0-18|8.0.0]]
| v15047
| 37
| 2.44-6
| 0701builder
|-
| [[8.1.0-0_New3DS]]
|N/A
|N/A
| 2.45-5
|-
| [[9.0.0-20|9.0.0]]
| v17120
| 38
| 2.46-0
| 0828builder
|-
| [[9.3.0-21|9.3.0]]
| v18182
| 3F
| 2.48-3
| 1125builder
|-
| [[9.5.0-22|9.5.0]]
| v19216
| 40
| 2.49-0
| 0126builder
|-
| [[9.6.0-24|9.6.0]]
| v20262
| 49
| 2.50-1
| 0311builder
|-
| [[10.0.0-27|10.0.0]]
| v21288
| 4B
| 2.50-7
| 0812builder
|-
| [[10.2.0-28|10.2.0]]
| v22313
| 4C
| 2.50-9
| 1009builder
|-
| [[10.4.0-29|10.4.0]]
| v23341
| 50
| 2.50-11
| 1224builder
|-
| [[11.0.0-33|11.0.0]]
| v24368
| 52
| 2.51-0
| 0406builder
|-
| [[11.1.0-34|11.1.0]]
| v25396
| 56
| 2.51-2
| 0805builder
|-
| [[11.2.0-35|11.2.0]]
| v26432
| 58
| 2.52-0
| 1015builder
|-
| [[11.3.0-36|11.3.0]]
| v27476
| 5C
| 2.53-0
| 0126builder
|-
| [[11.4.0-37|11.4.0]]
| v28512
| 5E
| 2.54-0
| 0314builder
|-
| [[11.8.0-41|11.8.0]]
| v29557
| 64
| 2.55-0
| 0710pseg-ciuser
|-
| [[11.12.0-44|11.12.0]]
| v30593
| 66
| 2.56-0
| 1021pseg-ciuser
|-
| [[11.14.0-46|11.14.0]]
| v31633
| 69
| 2.57-0
| 0929pseg-ciuser
|-
| [[11.16.0-48|11.16.0]]
| v32673
| 6C
| 2.58-0
| 0701pseg-ciuser
|}

The above kernel/FIRM versions are in the format: <KERNEL_VERSIONMAJOR>.<KERNEL_VERSIONMINOR>-<KERNEL_VERSIONREVISION>.

=== SAFE_MODE_FIRM ===
SAFE_MODE is used for running the [[System_Settings#System_Updater|System Updater]]. SAFE_MODE_FIRM and NATIVE_FIRM for the initial versions are exactly the same, except for the system core version fields. Kernel/FIRM versions for SAFE_MODE_FIRM are: (old3ds) v432 = 3.27-0, v5632 = 3.32-0, (new3ds) v16081 = 3.45-3.

=== TWL_FIRM ===
TWL_FIRM handles DS(i) backwards compatibility.

The 3DS-mode ARM9 core seems to switch into DSi-mode(for running DSi-mode ARM9 code) by writing to a [[PDN]] register(this changes the memory layout to DSi-mode / etc, therefore this register poke *must* be executed from ITCM). This is the final 3DS-mode register poke before the ARM9 switches into DSi-mode. DS(i)-mode ARM7 code is run on the internal [[ARM7]] core, which is started up during TWL_FIRM boot. Trying to read from the exception-vector region(address 0x0) under this DSi-mode ARM7 seems to only return 0x00/0xFF data. Also note that this DSi-mode ARM7 runs code(stored in TWL_FIRM) which pokes some DSi-mode registers that on the DSi were used for disabling access to the DSi bootROMs, however these registers do not affect the 3DS DSi-mode ARM9/ARM7 "bootrom" region(exceptionvector region + 0x8000) at all.

For shutting down the system, TWL_FIRM writes u8 value 8 to [[I2C]] MCU register 0x20. For returning to 3DS-mode, TWL_FIRM writes value 4 to that MCU register to trigger a hardware system reboot.

The TWL_FIRM ARM11-process includes a TWL bootloader, see [http://dsibrew.org/wiki/Bootloader here] and [[Memory_layout#Detailed_TWL_FIRM_ARM11_Memory|here]] for details.

TWL_FIRM verifies all TWL RSA padding with the following. This is different from the DSi "BIOS" code.
* The first byte must be 0x0.
* The second byte must be 0x1 or 0x2.
* Executes a while(<value of byte at current pos in RSA message>). When the second_byte in the message is 0x1, the byte at curpos must be 0xFF(otherwise the non-zero value of the byte at curpos doesn't matter). This loop must find a zero byte before offset 0x7F in the message otherwise an error is returned.
* Returns an address for msg_curpos+1.
totalhashdatasize = rsasig_bytesize - above position in the message for the hashdata. The actual "totalhashdatasize" in the RSA message must be <= <expected hashdata_size>(0x74 for bootloader). The TWL_FIRM code copies the RSA "hashdata" to the output buffer, using the actual size of the RSA "hashdata".

=== AGB_FIRM ===
AGB_FIRM handles running GBA VC titles. The ARM9 FIRM section for TWL_FIRM and AGB_FIRM are exactly the same (for TWL_FIRM and AGB_FIRM versions which were updated with the same system-update).

== FIRM Launch Parameters ==
The FIRM-launch parameters structure is located at FCRAM+0, size 0x1000-bytes. The ARM11-kernel copies this structure elsewhere, then clears the 0x1000-bytes at FCRAM+0. It will not handle an existing structure at FCRAM+0 if [[CONFIG Registers#CFG_BOOTENV|CFG_BOOTENV]] is zero. The ARM9 kernel [[Configuration_Memory#0x1FF80016|writes some values]] about the boot environment to AXI WRAM during init to enable this.

Note: it seems NATIVE_FIRM ARM11-kernel didn't parse this during boot until [[3.0.0-5|3.0.0-X]]?

{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 0x300
| TWL auto-load parameters, passed as-is onto the new title. NS will only read the oldTitleId field from it and add it to the TWL title list if it's a CTR titleId
|-
| 0x300
| 0x100
| 'TLNC' block created by TWL applications, handled by NS for backwards-compatibility purposes. See [[NS#Auto-boot|here]] for more info.
|-
| 0x400
| 0x4
| Flags
|-
| 0x410
| 0xC
| This is used for overriding the FIRM_* fields in [[Configuration_Memory]], when the flag listed below is set, in the following order(basically just data-copy from here to 0x1FF80060): "FIRM_?", FIRM_VERSIONREVISION, FIRM_VERSIONMINOR, FIRM_VERSIONMAJOR, FIRM_SYSCOREVER, and FIRM_CTRSDKVERSION.
|-
| 0x438
| 0x4
| The kernel checks this field for value 0xFFFF, if it matches the kernel uses the rest of these parameter fields, otherwise FIRM-launch parameters fields are ignored by the kernel.
|-
| 0x43C
| 0x4
| CRC32, this is calculated starting at FIRM-params offset 0x400, with size 0x140(with this field cleared to zero during calculation). When invalid the kernel clears the entire buffer used for storing the FIRM-params, therefore no actual FIRM-params are handled after that.
|-
| 0x440
| 0x10
| Titleinfo [[Filesystem_services#ProgramInfo|Program Info]], used by NS during NS startup, to launch the specified title when the below flag is set.
|-
| 0x450
| 0x10
| Titleinfo [[Filesystem_services#ProgramInfo|Program Info]]. This might be used for returning to the specified title, once the above launched title terminates?
|-
| 0x460
| 0x4
| Bit0: 0 = titleinfo structure isn't set, 1 = titleinfo structure is set.
|-
| 0x480
| 0x20
| This can be set via buf1 for [[APT:SendDeliverArg]]/[[APT:StartApplication]].
|-
| 0x4A0
| 0x10
| This can be set by [[NSS:SetWirelessRebootInfo]].
|-
| 0x4B0
| 0x14
| SHA1-HMAC of the banner for TWL/NTR titles. This can be set by [[NSS:SetTWLBannerHMAC]].
|-
| 0x500
| 0x40
| This is used by [[APT:LoadSysMenuArg]] and [[APT:StoreSysMenuArg]].
|-
| 0xD50
| 0x20
| Atheros WiFi configuration struct
|-
| 0xD70
| 0x290
| [[Config Savegame|Config]] data struct for LGY FIRM.
|}

Flags from offset 0x400:
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x0
| 0x1
| This can be used for overriding the default FCRAM [[Memory_layout|memory-regions]] allocation sizes(APPLICATION, SYSTEM, and BASE). The values for this is the same as [[Configuration_Memory#APPMEMTYPE|Configmem-APPMEMTYPE]]. Values 0-1 are handled the same way by the kernel. However for NS, 0=titleinfo structure for launching a title isn't set, while non-zero=titleinfo structure is set.
|-
| 0x1
| 0x3
| Setting bit0 here enables overriding the FIRM_* fields in [[Configuration_Memory]].
|}

Atheros WiFi configuration struct for booting TWL_FIRM, from offset 0xD50. This struct is copied directly to 0x20005E0 in DSi memory. Since DSi cartridge ROMs include SDIO drivers for the wireless card and can't be updated, this structure allows interoperability between the original DSi wireless cards (AR6002/DWM-W015 and AR6013/DWM-W024) as well as the 3DS's AR6014/DWM-W028.
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x0
| 0x1
| WiFi Board Type (1=DWM-W015, 2=DWM-W024, 3=DWM-W028; 0x03 on 3DS)
|-
| 0x1
| 0x1
| Unknown (0x00)
|-
| 0x2
| 0x2
| CRC16 from 0x4 to 0x20 (0x1C bytes)
|-
| 0x4
| 0x4
| Atheros RAM Vars/Host Interest address (0x520000 on 3DS)
|-
| 0x8
| 0x4
| Atheros RAM base (0x520000 on 3DS)
|-
| 0xC
| 0x4
| Atheros RAM size (0x20000 on 3DS)
|-
| 0x10
| 0x10
| Unknown (Zeroed)
|}

[[Config Savegame|Config]] struct for booting LGY FIRMs from offset 0xD70:
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x0
| 0x1
| RTC compensation value (config block 0x30000).
|-
| 0x1
| 0x1
| Sound output mode (config block 0x70001).
|-
| 0x2
| 0x1
| System language (config block 0xA0002).
|-
| 0x3
| 0x1
| [[Cfg:SecureInfoGetRegion|Region from SecureInfo]] ("pseudo-block" 0x140000 in LGY FIRM).
|-
| 0x4
| 0xF
| [[CfgS:SecureInfoGetSerialNo|Serial number from SecureInfo]] ("pseudo-block" 0x140001 in LGY FIRM).
|-
| 0x13
| 0x1
| TWL country code (config block 0x100002).
|-
| 0x14
| 0x10
| TWL "movable" UID, used for DSiWare exports (config block 0x100003).
|-
| 0x24
| 0x2
| TWL EULA info (config block 0x100000).
|-
| 0x26
| 0x1
| Cleared to zero.
|-
| 0x27
| 0x1
| Cleared to zero.
|-
| 0x28
| 0x94
| TWL parental control data (config block 0x100001).
|-
| 0xBC
| 0x2
| LCD flicker calibration data (config block 0x50000).
|-
| 0xBE
| 0x2
| Backlight data (config block 0x50001).
|-
| 0xC0
| 0x38
| Backlight PWM table (config block 0x50002).
|-
| 0xF8
| 0x20
| Power saving mode (ABL) calibration (config block 0x50004).
|-
| 0x118
| 0x134
| CODEC calibration data (config block 0x20000).
|-
| 0x24C
| 0x10
| Touch screen calibration data (config block 0x40000).
|-
| 0x25C
| 0x1C
| Analog stick calibration data (config block 0x40001).
|-
| 0x278
| 0x4
| Cleared to zero.
|-
| 0x27C
| 0x4
| Cleared to zero.
|-
| 0x280
| 0x8
| User time offset (config block 0x30001).
|-
| 0x288
| 0x2
| CRC16 over the above fields from offset 0x0, size 0x288. If not valid, LGY FIRM uses dummy data from .(ro)data.
|-
| 0x28A
| 0x2
| Version, maybe? If non-zero, the size (below) is hardcoded (currently) to value 0x288, otherwise the size field below is used.
|-
| 0x28C
| 0x4
| Value 0x288 (size used for verifying the CRC16).
|}

"Cleared to zero" fields above are not read at all by LGY FIRM.

FIRM

2023-03-16T16:59:19Z

Danny8376: 11.16

This page describes the file format for the [[Title list#00040138 - System Firmware|3DS' Firmware]], it contains up to four 'sections' of data comprising the ARM9 and ARM11 kernels, and some fundamental processes. The firmware sections are not encrypted. In a nutshell, a FIRM contains all the data required to set up the ARM9 and ARM11 kernels, and basic operating functionality.

The ARM9 section contains the ARM9 kernel (and loader) and the Process9 NCCH (which is the only process run in user mode on the ARM9). The ARM11 sections contain the ARM11 kernel (and loader), and various ARM11 process NCCHs. For NATIVE_FIRM/SAFE_MODE_FIRM these ARM11 processes are sm, fs, pm, loader, and pxi. Normally the 4th section is not used. The code loaded from FIRM is constantly running on the system until another FIRM is launched. The ARM11 kernel is hard-coded to always decompress the ExeFS .code of embedded ARM11 NCCHs without checking the exheader compression bit.

== FIRM Header ==
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 4
| Magic 'FIRM'
|-
| 0x004
| 4
| Boot priority (highest value = max prio), this is normally zero.
|-
| 0x008
| 4
| ARM11 Entrypoint
|-
| 0x00C
| 4
| ARM9 Entrypoint
|-
| 0x010
| 0x030
| Reserved
|-
| 0x040
| 0x0C0 (0x030*4)
| Firmware Section Headers
|-
| 0x100
| 0x100
| RSA-2048 signature of the FIRM header's SHA-256 hash. The signature is checked when bootrom/Process9 are doing FIRM-launch (with the public key being hardcoded in each). The signature is not checked when installing FIRM to the NAND firm0/firm1 partitions.
|}

== Firmware Section Headers ==

{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 4
| Byte offset
|-
| 0x004
| 4
| Physical address where the section is loaded to.
|-
| 0x008
| 4
| Byte-size. While loading FIRM this is the field used to determine whether the section exists or not, by checking for value 0x0.
|-
| 0x00C
| 4
| Copy-method (0 = NDMA, 1 = XDMA, 2 = CPU mem-copy), Process9 ignores this field. Boot9 doesn't immediately throw an error when this isn't 0..2. In that case it will jump over section-data-loading which then results in the hash verification with the below hash being done with the hash already stored in the SHA hardware.
|-
| 0x010
| 0x020
| SHA-256 Hash of Firmware Section
|}

The contents of individual sections ''may'' be encrypted if the FIRM is not meant to be booted from NAND, i.e. if it is meant to be booted from SPI flash or NTR cartridge. If hash checks fail for all FIRM sections if treated as plaintext, it may be worth trying to check if the sections are encrypted. The encryption is detailed on [[Bootloader#Non-NAND_FIRM_boot|the bootloader page]].

== [[New_3DS]] FIRM ==
For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 FIRM binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader. The format of the FIRM header is identical to regular 3DS FIRM(the RSA modulo is the same as regular 3DS too).

Before checking [[CONFIG_Registers|CFG_SYSPROT9]] the loader main() does the following:
* On [[9.5.0-22|9.5.0-X]]: executes a nop instruction with r0=0 and r1=<address of arm9binhdr+0x50>.
* Clears bit6 in [[AES_Registers|REG_AESKEYCNT]].

If [[CONFIG_Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit 1 is clear (which means the OTP area is unlocked and so it knows that this is a hard reboot), it does the following things:
* Clears 0x200-bytes on the stack, then reads [[Flash_Filesystem|NAND]] sector 0x96(NAND image offset 0x12C00), with size 0x200-bytes into that stack buffer.
* Checks [[CONFIG_Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit 1 again, if it's set then it executes a panic function(set r0-r2=0, execute nop instruction, then execute instruction "bkpt 0x99").
* Hashes data from the OTP region [[IO_Registers|0x10012000-0x10012090]] using SHA256 via the [[SHA_Registers|SHA]] hardware.
* Clears bit6 in [[AES_Registers|REG_AESKEYCNT]]. Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of the above hash, respectively. Due to the above hashed data, the keyX+keyY here are console-unique.
* Decrypts the first 0x10-byte block in the above read NAND sector with keyslot 0x11 using AES-ECB. [[9.6.0-24|9.6.0-X]]: Then it decrypts the 0x10-bytes at offset 0x10 in the sector with keyslot 0x11.
* Then the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. Runs the TWL key-init/etc code which was originally in the ARM9-kernel, then writes 0x2 to [[CONFIG_Registers|CFG_SYSPROT9]] to disable the OTP area.
* Then it uses the above decrypted block from sector+0 to set the normalkey for keyslot 0x11. Decrypts arm9_bin_buf+0 using keyslot 0x11 with AES-ECB, and initialises keyX for keyslot 0x15 with it.
* [[9.6.0-24|9.6.0-X]]: Then it uses the above decrypted block from sector+0 to set the normalkey for keyslot 0x11. Decrypts a 0x10-byte block from arm9loader .(ro)data using keyslot 0x11 with AES-ECB, and initializes keyX for keyslot 0x18 with it(same block as previous versions).
* [[9.6.0-24|9.6.0-X]]: Starting with this version keyslot 0x16 keyX init was moved here, see below for details on this. The code for this is same as [[9.5.0-22|9.5.0-X]], except the decrypted normalkey from sector+0x10 is used for keyslot 0x11 instead.
* Initialises KeyX for keyslots 0x18..0x1F(0x19..0x1F with [[9.6.0-24|9.6.0-X]]) with the output of decrypting a 0x10-byte block with AES-ECB using keyslot 0x11. This block was changed to a new one separate from keyslot 0x18, starting with [[9.6.0-24|9.6.0-X]]. The last byte in this 0x10-byte input block is increased by 0x01 after initializing each keyslot. Before doing the crypto each time, the loader sets the normal-key for keyslot 0x11 to the plaintext normalkey from sector+0(+0x10 with [[9.6.0-24|9.6.0-X]]). These are New3DS-specific keys.
* [[9.5.0-22|9.5.0-X]](moved to above with [[9.6.0-24|9.6.0-X]]): Sets the normal-key for keyslot 0x11 to the same one already decrypted on the stack. Decrypts the 0x10-byte block at arm9binhdr+0x60 with AES-ECB using keyslot 0x11, then sets the keyX for keyslot 0x16 to the output data.
* [[9.5.0-22|9.5.0-X]]: The normalkey, keyX, and keyY, for keyslot 0x11 are then cleared to zero.

When [[CONFIG_Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit 1 is set(which means this happens only when this loader runs again for firm-launch), the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero.

It sets KeyY for keyslot 0x15(0x16 with [[9.5.0-22|9.5.0-X]]) to arm9_bin_buf+16, the CTR to arm9_bin_buf+32 (both are unique for every version). It then proceeds to decrypt the binary with AES-CTR. When done, it sets the normal-key for the keyslot used for binary decryption to zeros. It then decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15([[9.5.0-22|9.5.0-X]]/[[9.6.0-24|9.6.0-X]] also uses keyslot 0x15), sets the normal-key for this keyslot to zeros again, then makes sure the output block is all zeroes. If it is, it does some cleanup then it jumps to the entrypoint for the decrypted binary. Otherwise it will clear the keyX, keyY, and normal-key for each of the keyslots initialized by this loader (on [[9.6.0-24|9.6.0-X]]+, on older versions this was bugged and cleared keys 0x00..0x07 instead of 0x18..0x1F), do cleanup(same cleanup as when the decrypted block is all-zero) then just loop forever.

Thus, the ARM9 binary has the following header:
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 16
| Encrypted KeyX (same for all FIRM's)
|-
| 0x010
| 16
| KeyY
|-
| 0x020
| 16
| CTR
|-
| 0x030
| 8
| Size of encrypted binary, as ASCII text?
|-
| 0x038
| 8
| ?
|-
| 0x040
| 16
| Control block
|-
| 0x050
| 16
| Added with [[9.5.0-22|9.5.0-X]]. Only used for hardware debugging: a nop instruction is executed with r0=0 and r1=<address of this data>.
|-
| 0x060
| 16
| Added with [[9.5.0-22|9.5.0-X]]. Encrypted keyX for keyslot 0x16.
|}

Originally the padding after the header before offset 0x800(start of actual ARM9-binary) was 0xFF bytes, with [[9.5.0-22|9.5.0-X]] this was changed to 0x0.

For the New3DS NATIVE_FIRM arm9-section header, the only difference between the [[8.1.0-0_New3DS]] version and the [[9.0.0-20]] version is that the keyY, CTR, and the block at 0x30 in the header were updated.

===New3DS ARM9 binary loader versions===
{| class="wikitable" border="1"
|-
! FIRM system version(s)
! Description
|-
| [[8.1.0-0_New3DS]] - [[9.3.0-21|9.3.0-X]]
| Initial version.
|-
| [[9.5.0-22|9.5.0-X]]
| Added keyX initialization for keyslot 0x16(see above), and added code for clearing keyslot 0x11 immediately after the code finishes using keyslot 0x11. The keyslot used for arm9bin decryption was changed from 0x15 to 0x16. Added code for clearing keyslot 0x16 when control-block decryption fails. Added code for using arm9bin_hdr+0x50 with a nop instruction, at the very beginning of the main arm9-loader function. Added two new 0x10-blocks to the arm9bin-hdr.
|-
| [[9.6.0-24|9.6.0-X]] - [[11.3.0-36|11.3.0-X]]
| See above and [[9.6.0-24|here]].
|}

===New3DS ARM9 kernel===
The only actual code-difference for the Old3DS/New3DS ARM9-kernels' crt0, besides TWL AES / [[IO_Registers|0x10012000]] related code, is that the New3DS ARM9-kernel writes 0x1 to [[CONFIG_Registers|REG_EXTMEMCNT9]] in the crt0.

===New3DS Process9===
The following is all of the differences for Old3DS/New3DS Process9 with [[9.3.0-21|9.3.0-X]]:
* The FIRM-launch code called at the end of the New3DS proc9 main() has different mem-range checks.
* In the New3DS proc9, the v6.0/v7.0 keyinit function at the very beginning(before the original code) had additional code added for setting [[Flash_Filesystem|CTRNAND]] [[AES_Registers|keyslot]] 0x5, with keydata from .data. After setting the keyY, the keyY in .data is cleared.
* In New3DS proc9, the functions for getting the gamecard crypto keyslots / NCCH keyslot can return New3DS keyslots when New3DS flags(NCSD/NCCH) are set.
* The code/data for the binary near the end of arm9mem is slightly different, because of memory-region sizes.
* The only difference in .data(besides the above code binary) is that the New3DS proc9 has an additional 0x10-byte block for the keyslot 0x5 keyY, see above.

== Variations ==
There exists different official firmwares for the 3DS: The default one (NATIVE_FIRM) is used to run all 3DS content and boots by default, while backwards compatibility is handled by TWL_FIRM and AGB_FIRM. There furthermore is a rescue mode provided by SAFE_MODE_FIRM.

=== NATIVE_FIRM ===
NATIVE_FIRM is the FIRM which is installed to the [[Flash_Filesystem|NAND]] firm partitions, which is loaded by bootrom.

Version history:

{| class="wikitable" border="1"
! System version
! old 3DS title version
! old 3DS hex title contentID
! Kernel/FIRM version (old 3DS/new 3DS)
! FIRM ARM11-sysmodule Product Code
|-
| [[Factory_Setup|Factory]] FIRM (titleID 00040001-00000002)
| v0
| 00
| 2.3-0
|-
| Pre-1.0. Referenced in the v1.0 Home Menu NCCH plain-region.
|
|
| 2.23-X
|-
| [[1.0.0-0|1.0.0]]
| v432
| 00
| 2.27-0
|-
| [[1.1.0-1|1.1.0]]
| v1472
| 02
| 2.28-0
|-
| [[2.0.0-2|2.0.0]]
| v2516
| 09
| 2.29-7
|-
| [[2.1.0-3|2.1.0]]
| v3553
| 0B
| 2.30-18
| 0608builder
|-
| [[2.2.0-X|2.2.0]]
| v4595
| 0F
| 2.31-40
| 0909builder
|-
| [[3.0.0-5|3.0.0]]
| v5647
| 18
| 2.32-15
| 1128builder
|-
| [[4.0.0-7|4.0.0]]
| v6677
| 1D
| 2.33-4
| 0406builder
|-
| [[4.1.0-8|4.1.0]]
| v7712
| 1F
| 2.34-0
| 0508builder
|-
| [[5.0.0-11|5.0.0]]
| v8758
| 25
| 2.35-6
| 0228builder
|-
| [[5.1.0-11|5.1.0]]
| v9792
| 26
| 2.36-0
| 0401builder
|-
| [[6.0.0-11|6.0.0]]
| v10833
| 29
| 2.37-0
| 0520builder
|-
| [[6.1.0-11|6.1.0]]
| v11872
| 2A
| 2.38-0
| 0625builder
|-
| [[7.0.0-13|7.0.0]]
| v12916
| 2E
| 2.39-4
| 1125builder
|-
| [[7.2.0-17|7.2.0]]
| v13956
| 30
| 2.40-0
| 0404builder
|-
| [[8.0.0-18|8.0.0]]
| v15047
| 37
| 2.44-6
| 0701builder
|-
| [[8.1.0-0_New3DS]]
|N/A
|N/A
| 2.45-5
|-
| [[9.0.0-20|9.0.0]]
| v17120
| 38
| 2.46-0
| 0828builder
|-
| [[9.3.0-21|9.3.0]]
| v18182
| 3F
| 2.48-3
| 1125builder
|-
| [[9.5.0-22|9.5.0]]
| v19216
| 40
| 2.49-0
| 0126builder
|-
| [[9.6.0-24|9.6.0]]
| v20262
| 49
| 2.50-1
| 0311builder
|-
| [[10.0.0-27|10.0.0]]
| v21288
| 4B
| 2.50-7
| 0812builder
|-
| [[10.2.0-28|10.2.0]]
| v22313
| 4C
| 2.50-9
| 1009builder
|-
| [[10.4.0-29|10.4.0]]
| v23341
| 50
| 2.50-11
| 1224builder
|-
| [[11.0.0-33|11.0.0]]
| v24368
| 52
| 2.51-0
| 0406builder
|-
| [[11.1.0-34|11.1.0]]
| v25396
| 56
| 2.51-2
| 0805builder
|-
| [[11.2.0-35|11.2.0]]
| v26432
| 58
| 2.52-0
| 1015builder
|-
| [[11.3.0-36|11.3.0]]
| v27476
| 5C
| 2.53-0
| 0126builder
|-
| [[11.4.0-37|11.4.0]]
| v28512
| 5E
| 2.54-0
| 0314builder
|-
| [[11.8.0-41|11.8.0]]
| v29557
| 64
| 2.55-0
| 0710pseg-ciuser
|-
| [[11.12.0-44|11.12.0]]
| v30593
| 66
| 2.56-0
| 1021pseg-ciuser
|-
| [[11.14.0-46|11.14.0]]
| v31633
| 69
| 2.57-0
| 0929pseg-ciuser
|-
| [[11.16.0-48|11.16.0]]
| v32673
| 6C
| 2.58-0
| 0710pseg-ciuser
|}

The above kernel/FIRM versions are in the format: <KERNEL_VERSIONMAJOR>.<KERNEL_VERSIONMINOR>-<KERNEL_VERSIONREVISION>.

=== SAFE_MODE_FIRM ===
SAFE_MODE is used for running the [[System_Settings#System_Updater|System Updater]]. SAFE_MODE_FIRM and NATIVE_FIRM for the initial versions are exactly the same, except for the system core version fields. Kernel/FIRM versions for SAFE_MODE_FIRM are: (old3ds) v432 = 3.27-0, v5632 = 3.32-0, (new3ds) v16081 = 3.45-3.

=== TWL_FIRM ===
TWL_FIRM handles DS(i) backwards compatibility.

The 3DS-mode ARM9 core seems to switch into DSi-mode(for running DSi-mode ARM9 code) by writing to a [[PDN]] register(this changes the memory layout to DSi-mode / etc, therefore this register poke *must* be executed from ITCM). This is the final 3DS-mode register poke before the ARM9 switches into DSi-mode. DS(i)-mode ARM7 code is run on the internal [[ARM7]] core, which is started up during TWL_FIRM boot. Trying to read from the exception-vector region(address 0x0) under this DSi-mode ARM7 seems to only return 0x00/0xFF data. Also note that this DSi-mode ARM7 runs code(stored in TWL_FIRM) which pokes some DSi-mode registers that on the DSi were used for disabling access to the DSi bootROMs, however these registers do not affect the 3DS DSi-mode ARM9/ARM7 "bootrom" region(exceptionvector region + 0x8000) at all.

For shutting down the system, TWL_FIRM writes u8 value 8 to [[I2C]] MCU register 0x20. For returning to 3DS-mode, TWL_FIRM writes value 4 to that MCU register to trigger a hardware system reboot.

The TWL_FIRM ARM11-process includes a TWL bootloader, see [http://dsibrew.org/wiki/Bootloader here] and [[Memory_layout#Detailed_TWL_FIRM_ARM11_Memory|here]] for details.

TWL_FIRM verifies all TWL RSA padding with the following. This is different from the DSi "BIOS" code.
* The first byte must be 0x0.
* The second byte must be 0x1 or 0x2.
* Executes a while(<value of byte at current pos in RSA message>). When the second_byte in the message is 0x1, the byte at curpos must be 0xFF(otherwise the non-zero value of the byte at curpos doesn't matter). This loop must find a zero byte before offset 0x7F in the message otherwise an error is returned.
* Returns an address for msg_curpos+1.
totalhashdatasize = rsasig_bytesize - above position in the message for the hashdata. The actual "totalhashdatasize" in the RSA message must be <= <expected hashdata_size>(0x74 for bootloader). The TWL_FIRM code copies the RSA "hashdata" to the output buffer, using the actual size of the RSA "hashdata".

=== AGB_FIRM ===
AGB_FIRM handles running GBA VC titles. The ARM9 FIRM section for TWL_FIRM and AGB_FIRM are exactly the same (for TWL_FIRM and AGB_FIRM versions which were updated with the same system-update).

== FIRM Launch Parameters ==
The FIRM-launch parameters structure is located at FCRAM+0, size 0x1000-bytes. The ARM11-kernel copies this structure elsewhere, then clears the 0x1000-bytes at FCRAM+0. It will not handle an existing structure at FCRAM+0 if [[CONFIG Registers#CFG_BOOTENV|CFG_BOOTENV]] is zero. The ARM9 kernel [[Configuration_Memory#0x1FF80016|writes some values]] about the boot environment to AXI WRAM during init to enable this.

Note: it seems NATIVE_FIRM ARM11-kernel didn't parse this during boot until [[3.0.0-5|3.0.0-X]]?

{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x000
| 0x300
| TWL auto-load parameters, passed as-is onto the new title. NS will only read the oldTitleId field from it and add it to the TWL title list if it's a CTR titleId
|-
| 0x300
| 0x100
| 'TLNC' block created by TWL applications, handled by NS for backwards-compatibility purposes. See [[NS#Auto-boot|here]] for more info.
|-
| 0x400
| 0x4
| Flags
|-
| 0x410
| 0xC
| This is used for overriding the FIRM_* fields in [[Configuration_Memory]], when the flag listed below is set, in the following order(basically just data-copy from here to 0x1FF80060): "FIRM_?", FIRM_VERSIONREVISION, FIRM_VERSIONMINOR, FIRM_VERSIONMAJOR, FIRM_SYSCOREVER, and FIRM_CTRSDKVERSION.
|-
| 0x438
| 0x4
| The kernel checks this field for value 0xFFFF, if it matches the kernel uses the rest of these parameter fields, otherwise FIRM-launch parameters fields are ignored by the kernel.
|-
| 0x43C
| 0x4
| CRC32, this is calculated starting at FIRM-params offset 0x400, with size 0x140(with this field cleared to zero during calculation). When invalid the kernel clears the entire buffer used for storing the FIRM-params, therefore no actual FIRM-params are handled after that.
|-
| 0x440
| 0x10
| Titleinfo [[Filesystem_services#ProgramInfo|Program Info]], used by NS during NS startup, to launch the specified title when the below flag is set.
|-
| 0x450
| 0x10
| Titleinfo [[Filesystem_services#ProgramInfo|Program Info]]. This might be used for returning to the specified title, once the above launched title terminates?
|-
| 0x460
| 0x4
| Bit0: 0 = titleinfo structure isn't set, 1 = titleinfo structure is set.
|-
| 0x480
| 0x20
| This can be set via buf1 for [[APT:SendDeliverArg]]/[[APT:StartApplication]].
|-
| 0x4A0
| 0x10
| This can be set by [[NSS:SetWirelessRebootInfo]].
|-
| 0x4B0
| 0x14
| SHA1-HMAC of the banner for TWL/NTR titles. This can be set by [[NSS:SetTWLBannerHMAC]].
|-
| 0x500
| 0x40
| This is used by [[APT:LoadSysMenuArg]] and [[APT:StoreSysMenuArg]].
|-
| 0xD50
| 0x20
| Atheros WiFi configuration struct
|-
| 0xD70
| 0x290
| [[Config Savegame|Config]] data struct for LGY FIRM.
|}

Flags from offset 0x400:
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x0
| 0x1
| This can be used for overriding the default FCRAM [[Memory_layout|memory-regions]] allocation sizes(APPLICATION, SYSTEM, and BASE). The values for this is the same as [[Configuration_Memory#APPMEMTYPE|Configmem-APPMEMTYPE]]. Values 0-1 are handled the same way by the kernel. However for NS, 0=titleinfo structure for launching a title isn't set, while non-zero=titleinfo structure is set.
|-
| 0x1
| 0x3
| Setting bit0 here enables overriding the FIRM_* fields in [[Configuration_Memory]].
|}

Atheros WiFi configuration struct for booting TWL_FIRM, from offset 0xD50. This struct is copied directly to 0x20005E0 in DSi memory. Since DSi cartridge ROMs include SDIO drivers for the wireless card and can't be updated, this structure allows interoperability between the original DSi wireless cards (AR6002/DWM-W015 and AR6013/DWM-W024) as well as the 3DS's AR6014/DWM-W028.
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x0
| 0x1
| WiFi Board Type (1=DWM-W015, 2=DWM-W024, 3=DWM-W028; 0x03 on 3DS)
|-
| 0x1
| 0x1
| Unknown (0x00)
|-
| 0x2
| 0x2
| CRC16 from 0x4 to 0x20 (0x1C bytes)
|-
| 0x4
| 0x4
| Atheros RAM Vars/Host Interest address (0x520000 on 3DS)
|-
| 0x8
| 0x4
| Atheros RAM base (0x520000 on 3DS)
|-
| 0xC
| 0x4
| Atheros RAM size (0x20000 on 3DS)
|-
| 0x10
| 0x10
| Unknown (Zeroed)
|}

[[Config Savegame|Config]] struct for booting LGY FIRMs from offset 0xD70:
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x0
| 0x1
| RTC compensation value (config block 0x30000).
|-
| 0x1
| 0x1
| Sound output mode (config block 0x70001).
|-
| 0x2
| 0x1
| System language (config block 0xA0002).
|-
| 0x3
| 0x1
| [[Cfg:SecureInfoGetRegion|Region from SecureInfo]] ("pseudo-block" 0x140000 in LGY FIRM).
|-
| 0x4
| 0xF
| [[CfgS:SecureInfoGetSerialNo|Serial number from SecureInfo]] ("pseudo-block" 0x140001 in LGY FIRM).
|-
| 0x13
| 0x1
| TWL country code (config block 0x100002).
|-
| 0x14
| 0x10
| TWL "movable" UID, used for DSiWare exports (config block 0x100003).
|-
| 0x24
| 0x2
| TWL EULA info (config block 0x100000).
|-
| 0x26
| 0x1
| Cleared to zero.
|-
| 0x27
| 0x1
| Cleared to zero.
|-
| 0x28
| 0x94
| TWL parental control data (config block 0x100001).
|-
| 0xBC
| 0x2
| LCD flicker calibration data (config block 0x50000).
|-
| 0xBE
| 0x2
| Backlight data (config block 0x50001).
|-
| 0xC0
| 0x38
| Backlight PWM table (config block 0x50002).
|-
| 0xF8
| 0x20
| Power saving mode (ABL) calibration (config block 0x50004).
|-
| 0x118
| 0x134
| CODEC calibration data (config block 0x20000).
|-
| 0x24C
| 0x10
| Touch screen calibration data (config block 0x40000).
|-
| 0x25C
| 0x1C
| Analog stick calibration data (config block 0x40001).
|-
| 0x278
| 0x4
| Cleared to zero.
|-
| 0x27C
| 0x4
| Cleared to zero.
|-
| 0x280
| 0x8
| User time offset (config block 0x30001).
|-
| 0x288
| 0x2
| CRC16 over the above fields from offset 0x0, size 0x288. If not valid, LGY FIRM uses dummy data from .(ro)data.
|-
| 0x28A
| 0x2
| Version, maybe? If non-zero, the size (below) is hardcoded (currently) to value 0x288, otherwise the size field below is used.
|-
| 0x28C
| 0x4
| Value 0x288 (size used for verifying the CRC16).
|}

"Cleared to zero" fields above are not read at all by LGY FIRM.

Home Menu

2011-11-07T11:08:10Z

Danny8376: /* Versions */

{{Stub}}
The '''Home Menu''' is the heart of the Nintendo 3DS. From there one can start games, channels, and manage contacts and settings. It is launched first, and working background with 3DS games, without System Settings or DS/DSi mode game.

== Versions ==
{| class="wikitable"
|-
! Version
! JPN
! USA
! EUR
! Release date
! Changelog
! CDN Availability
! CDN Post Date
|-
| [[1.0.0-0|1.0.0-0]]
| 432
| 432
| 432
| February 26, 2011
| Shipped with 3DS on launch
| Available
| February 18, 2011
|-
| [[1.1.0-0|1.1.0-0]]
| ?
| ?
| ?
| ?
| Update from some game cards
| Unavailable
| N/A
|-
| [[1.1.0-1|1.1.0-1]]
| 1472
| 1472
| 1472
| February ?, 2011
| General bug fixes
Added 3D Video title to menu. ("For a Limited Time Only")
| Available
| March 1, 2011
|-
| [[2.0.0-2|2.0.0-2]]
| 2516
| 2516
| 2516
| June 6/7, 2011
| From the update notification:(DSiWare management isn't mentioned in the notice but is available) [[Nintendo eShop]] added, web browser available, [[System Transfer]] added. Full DSiWare data management available. [[SpotPass|Automatic]] system updates added.
| Available
| June 6, 2011
|-
| [[2.1.0-3|2.1.0-3]]
| 3553
| 3553
| 3553
| June 15, 2011
| Fixes the Ridge Racer freeze.
| Available
| June 15, 2011
|-
| [[2.1.0-4|2.1.0-4]]
| ?
| ?
| ?
| July 25, 2011
| System stability improvements and other adjustments.
| Available
| ?
|-
| [[2.2.0-4|2.2.0-4]]
| ?
| ?
| ?
| November 6, 2011
| Improve the arrangement of [[Friend List]]. Update from some game cards such as Mario 3D Land(JPN).
| Unavailable
| ?
|}

[[Category:Nintendo Software]]
[[Homeメニュー|Japanese]]

=== See Also ===
http://www.nintendo.com/consumer/systems/3ds/en_na/menu_update.jsp

Home Menu

2011-11-04T17:04:02Z

Danny8376:

{{Stub}}
The '''Home Menu''' is the heart of the Nintendo 3DS. From there one can start games, channels, and manage contacts and settings. It is launched first, and working background with 3DS games, without System Settings or DS/DSi mode game.

== Versions ==
{| class="wikitable"
|-
! Version
! JPN
! USA
! EUR
! Release date
! Changelog
! CDN Availability
! CDN Post Date
|-
| [[1.0.0-0|1.0.0-0]]
| 432
| 432
| 432
| February 26, 2011
| Shipped with 3DS on launch
| Available
| February 18, 2011
|-
| [[1.1.0-0|1.1.0-0]]
| ?
| ?
| ?
| ?
| Update from some game cards
| Unavailable
| N/A
|-
| [[1.1.0-1|1.1.0-1]]
| 1472
| 1472
| 1472
| February ?, 2011
| General bug fixes
Added 3D Video title to menu. ("For a Limited Time Only")
| Available
| March 1, 2011
|-
| [[2.0.0-2|2.0.0-2]]
| 2516
| 2516
| 2516
| June 6/7, 2011
| From the update notification:(DSiWare management isn't mentioned in the notice but is available) [[Nintendo eShop]] added, web browser available, [[System Transfer]] added. Full DSiWare data management available. [[SpotPass|Automatic]] system updates added.
| Available
| June 6, 2011
|-
| [[2.1.0-3|2.1.0-3]]
| 3553
| 3553
| 3553
| June 15, 2011
| Fixes the Ridge Racer freeze.
| Available
| June 15, 2011
|-
| [[2.1.0-4|2.1.0-4]]
| ?
| ?
| ?
| July 25, 2011
| System stability improvements and other adjustments.
| Available
| ?
|-
| [[2.2.0-4|2.2.0-4]]
| ?
| ?
| ?
| November 25, 2011
| Improve the arrange of [[Friend List]].
| Unavailable
| ?
|}

[[Category:Nintendo Software]]
[[Homeメニュー|Japanese]]

=== See Also ===
http://www.nintendo.com/consumer/systems/3ds/en_na/menu_update.jsp