https://www.3dbrew.org/w/api.php?action=feedcontributions&user=Pigeon&feedformat=atom3dbrew - User contributions [en]2024-03-29T14:43:41ZUser contributionsMediaWiki 1.35.8https://www.3dbrew.org/w/index.php?title=Main_Page/Welcome&diff=20580Main Page/Welcome2018-01-25T21:18:40Z<p>Pigeon: Reverted</p>
<hr />
<div>{{Main page box|Welcome!|Main Page/Welcome}}<br />
<div style="margin: -.3em -1em -1em -1em;"><br />
{| width="100%" bgcolor="#fff" border="0" cellpadding="2px" cellspacing="2px" style="margin:auto;"<br />
|- align="center" bgcolor="#e7eef6"<br />
! width="50%" | '''What is Homebrew?'''<br />
! width="50%"| '''How do I run homebrew?'''<br />
|- valign="top" align="left" style="background: #F5FAFF;"<br />
| [http://en.wikipedia.org/wiki/Homebrew_(video_games) Homebrew] is a popular term used for applications that are created and executed on a video game console by hackers, programmers, developers, and consumers. <br />
| Keep an eye out on the [[Homebrew Exploits]] page for a list of available exploits and their respective requirements.<br />
|}<br />
{| width="100%" bgcolor="#fff" border="0" cellpadding="2px" cellspacing="2px" style="margin:auto;"<br />
|- align="center" bgcolor="#e7eef6"<br />
! width="50%" | '''How do I develop homebrew?'''<br />
! width="50%"| '''What homebrew can I run?'''<br />
|- valign="top" align="left" style="background: #F5FAFF;"<br />
| See the [[Setting up Development Environment]] page for a guide on how to get started with homebrew development for the 3DS. The toolchain supports Windows, Linux, and Mac OS X.<br />
| See the [[Homebrew Applications]] page for a partial list of homebrew applications/games that can be downloaded and installed.<br />
|}<br />
<br />
</div><br />
{{box-footer-empty}}</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Main_Page/Welcome&diff=20579Main Page/Welcome2018-01-25T21:18:04Z<p>Pigeon: </p>
Pigeonhttps://www.3dbrew.org/w/index.php?title=Savegames/es&diff=20576Savegames/es2018-01-23T21:24:49Z<p>Pigeon: </p>
<hr />
<div>This page describes the format, encryption/decryption, etc. of the savegames stored on 3DS game cartridges. You can find savegames from various 3DS games on the [[Games]] page.<br />
<br />
<br />
=== Encryption ===<br />
<br />
On the 3DS, savegames are stored much as they are on the DS, in a FLASH chip in the game cartridge. On the DS these savegames are stored in plaintext, but the 3DS adds a layer of encryption. It looks very much like a stream cipher: the contents of some savegames behave oddly, in that XORing certain parts of the savegame together yields plaintext.<br />
<br />
The reason this works is that the cipher used has a length of 512 bytes. In other words, the same key repeats every 512 bytes. Encrypting with this cipher means XORing the data with the key. Unfortunately, if the key repeats and you are encrypting known plaintext (in our case, zeros), you are basically giving your key away.<br />
<br />
So how can you use this to decrypt a savegame on a 3DS? First, split the savegame into 512-byte chunks. Then sort the chunks by their content, discarding the ones that contain only FF. Now look for the most common chunk. This is the key. XOR the original savegame with the key you just found and you should get the fully decrypted savegame. XORing the decrypted savegame with the key again gives back the fully encrypted savegame. <br />
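
The procedure above, as an added example that is not part of the original page: it builds a constructed image (a stand-in 512-byte keystream, mostly-zero plaintext, and erased 0xFF flash), recovers the pad as the most common non-FF chunk, and decrypts with it. The helper names and the sample data are assumptions made for the illustration.

```python
import hashlib
from collections import Counter

CHUNK = 0x200  # keystream period described above (512 bytes)


def make_constructed_pad(size=CHUNK):
    """Build a deterministic stand-in keystream (constructed, not a real key)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(b"constructed-pad-%d" % counter).digest()
        counter += 1
    return out[:size]


def xor_with_pad(data, pad):
    """XOR data with the repeating pad; the same call encrypts and decrypts."""
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def recover_xorpad(image, size=CHUNK):
    """Return the most common chunk that is not all 0xFF.

    Wherever a plaintext chunk is all zeros, ciphertext == keystream, so the
    keystream is the chunk that repeats most often in the image.
    """
    erased = b"\xff" * size
    chunks = [image[i:i + size] for i in range(0, len(image) - size + 1, size)]
    counts = Counter(c for c in chunks if c != erased)
    if not counts:
        raise ValueError("image contains only erased (0xFF) chunks")
    pad, hits = counts.most_common(1)[0]
    if hits < 2:
        # Nothing repeats: the period is not `size`, or there is no zero padding.
        raise ValueError("no repeated chunk at period %#x" % size)
    return pad


def build_sample(pad):
    """Constructed savegame: a few data chunks, zero padding, erased flash."""
    zero = bytes(CHUNK)
    data1 = b"system.dat".ljust(CHUNK, b"\x00")
    data2 = b"save00.bin".ljust(CHUNK, b"\x01")
    plain = b"".join([data1, zero, zero, data2, zero, zero, zero, data1])
    # Erased chunks outnumber everything else, which is why they are discarded.
    image = xor_with_pad(plain, pad) + b"\xff" * (CHUNK * 12)
    return plain, image


if __name__ == "__main__":
    pad = make_constructed_pad()
    plain, image = build_sample(pad)
    found = recover_xorpad(image)
    print("pad recovered:", found == pad)
    print("first bytes:", xor_with_pad(image[:len(plain)], found)[:10])
```

The same function fails with `ValueError` when no chunk repeats at the chosen period, which is the behaviour to expect from images whose xorpad does not repeat every 0x200 bytes.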
<br />
Update:<br />
<br />
Since firmware 2.0.0-4 Nintendo has introduced a new form of encryption (possibly a fix for the exploit above). The xorpad seems to repeat within the file, but not every 0x200 bytes. So for now it is not known how to decrypt the new savegames.<br />
<br />
'''Games that use the new encryption:'''<br />
* Super Mario 3D Land<br />
* Mario Kart 7<br />
* Need for Speed - The Run<br />
<br />
'''More information:'''<br />
* Old games still use the old 0x200-byte xorpad.<br />
* New games can be copied and restored (the same key is used from one save to another).<br />
* The wear leveling is still the same.<br />
* XORing two files together can produce some plaintext.<br />
* The xorpad has been observed to repeat every 0x1000 bytes (this could be the maximum length, but it has not been tested yet).<br />
<br />
=== Wear leveling ===<br />
<br />
The 3DS uses a wear leveling scheme on the savegame FLASH chips. It does this using blockmaps and a journal. The blockmap is located at offset 0 of the chip, and is immediately followed by the journal. The initial state is dictated by the blockmap, and the journal is then applied to it.<br />
<br />
First there are 8 bytes whose purpose is still unknown. Then comes the blockmap.<br />
The blockmap structure is simple:<br />
<pre><br />
struct header_entry {<br />
uint8_t phys_sec; // when the seventh bit is set, the block has checksums; otherwise the checksums are zero<br />
uint8_t alloc_cnt;<br />
uint8_t chksums[8];<br />
} __attribute__((__packed__));<br />
</pre><br />
<br />
There is one entry per sector, counting from physical sector 1 (sector 0 contains the blockmap/journal).<br />
The two bytes that follow the blockmap are the CRC16 (with 0xFFFF as the initial value, like modbus) of the first 8 bytes of the blockmap.<br />
<br />
Then comes the journal.<br />
The journal structure is:<br />
<pre><br />
struct sector_entry {<br />
uint8_t virt_sec; // Mapped to sector<br />
uint8_t prev_virt_sec; // Physical sector previously mapped to<br />
uint8_t phys_sec; // Mapped from sector<br />
uint8_t prev_phys_sec; // Virtual sector previously mapped to<br />
uint8_t phys_realloc_cnt; // Number of times the physical sector has been remapped<br />
uint8_t virt_realloc_cnt; // Number of times the virtual sector has been remapped<br />
uint8_t chksums[8];<br />
} __attribute__((__packed__));<br />
<br />
struct long_sector_entry{<br />
struct sector_entry sector;<br />
struct sector_entry dupe;<br />
uint32_t magic;<br />
}__attribute__((__packed__));<br />
</pre><br />
<br />
The magic constant is 0x080d6ce0.<br />
<br />
The checksums in the blockmap/journal entries work as follows:<br />
* each byte is the checksum of an encrypted block of 0x200 bytes<br />
* to calculate the checksum, the CRC16 of the block (with initial value 0xFFFF) is computed, and the two bytes of the CRC16 are XORed together to produce an 8-bit checksum.<br />
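
The checksum rule above applied to a journal entry, as an added example that is not part of the original page. Assumptions: the CRC16 uses the Modbus polynomial (0xA001, reflected) since the page only states the 0xFFFF initial value "like modbus"; the magic is stored little-endian; a sector is 0x1000 bytes (8 checksum bytes, one per 0x200 block); the sector contents and entry values are constructed.

```python
import struct

MAGIC = 0x080D6CE0   # long_sector_entry magic given above
BLOCK = 0x200        # each checksum byte covers one encrypted 0x200-byte block
SECTOR = 8 * BLOCK   # assumption: chksums[8] covers one 0x1000-byte sector
ENTRY_LEN = 14       # packed sector_entry: 6 single-byte fields + chksums[8]


def crc16_modbus(data, crc=0xFFFF):
    """CRC16 with initial value 0xFFFF; polynomial assumed to be Modbus's."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def block_checksum(block):
    """Fold the CRC16 into 8 bits by XORing its two bytes together."""
    crc = crc16_modbus(block)
    return (crc >> 8) ^ (crc & 0xFF)


def sector_checksums(sector):
    """Return the 8 checksum bytes for one encrypted sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected %#x bytes, got %#x" % (SECTOR, len(sector)))
    return bytes(block_checksum(sector[o:o + BLOCK])
                 for o in range(0, SECTOR, BLOCK))


def parse_sector_entry(raw):
    """Decode one packed sector_entry (field names follow the struct above)."""
    names = ("virt_sec", "prev_virt_sec", "phys_sec", "prev_phys_sec",
             "phys_realloc_cnt", "virt_realloc_cnt")
    entry = dict(zip(names, struct.unpack_from("<6B", raw)))
    entry["chksums"] = bytes(raw[6:ENTRY_LEN])
    return entry


def verify_long_entry(raw, sector):
    """Check magic, the duplicate copy, and the per-block checksums."""
    if len(raw) != 2 * ENTRY_LEN + 4:
        raise ValueError("long_sector_entry must be 32 bytes")
    first = parse_sector_entry(raw[:ENTRY_LEN])
    dupe = parse_sector_entry(raw[ENTRY_LEN:2 * ENTRY_LEN])
    (magic,) = struct.unpack_from("<I", raw, 2 * ENTRY_LEN)
    actual = sector_checksums(sector)
    bad = [i for i in range(8) if actual[i] != first["chksums"][i]]
    return {"magic_ok": magic == MAGIC, "dupe_ok": first == dupe,
            "bad_blocks": bad}


def build_constructed_entry(sector, virt=2, phys=5):
    """Build a matching long_sector_entry for a constructed sector."""
    entry = struct.pack("<6B", virt, 0, phys, 0, 1, 1) + sector_checksums(sector)
    return entry + entry + struct.pack("<I", MAGIC)


if __name__ == "__main__":
    sector = bytearray((i * 7 + 3) & 0xFF for i in range(SECTOR))  # constructed
    raw = build_constructed_entry(bytes(sector))
    print(verify_long_entry(raw, bytes(sector)))
    sector[5 * BLOCK + BLOCK - 1] ^= 0x01  # flip one bit in block 5
    print(verify_long_entry(raw, bytes(sector)))
```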
<br />
=== Partitions ===<br />
<br />
There can be multiple partitions on the chip. <br />
The partitions are represented by tables of DIFI blobs inside a DISA structure.<br />
The order of the DIFI blobs is the order of the partitions on the chip.<br />
<br />
'''DISA'''<br />
<br />
* If the uint32 @ 0x168 into the image in the DISA is a %1=1, then the first table is hashed, otherwise the second DIFI table is hashed. <br />
* If the table has more than 1 DIFI then the uint32 @ 0x168 is the offset from the DATA partition to the file base (masked with 0xFFFFFFFE).<br />
<br />
{| class="wikitable"<br />
|-<br />
! Start<br />
! Length<br />
! Description<br />
|-<br />
| 0x00<br />
| 4<br />
| Magic ("DISA")<br />
|-<br />
| 0x04<br />
| 4<br />
| Unknown (may be a magic value; may be the same in all savegames)<br />
|-<br />
| 0x08<br />
| 8<br />
| Partition table size<br />
|-<br />
| 0x10<br />
| 8<br />
| Offset to the primary partition table in the DISA<br />
|-<br />
| 0x18<br />
| 8<br />
| Offset to the secondary partition table in the DISA<br />
|-<br />
| 0x20<br />
| 8<br />
| Partition table length<br />
|-<br />
| 0x28<br />
| 8<br />
| Offset of the SAVE entry in the partition table<br />
|-<br />
| 0x30<br />
| 8<br />
| Length of the SAVE entry in the partition table<br />
|-<br />
| 0x38<br />
| 8<br />
| Offset of the DATA entry in the partition table<br />
|-<br />
| 0x40<br />
| 8<br />
| Length of the DATA entry in the partition table<br />
|-<br />
| 0x48<br />
| 8<br />
| SAVE partition offset<br />
|-<br />
| 0x50<br />
| 8<br />
| SAVE partition length<br />
|-<br />
| 0x58<br />
| 8<br />
| DATA partition offset<br />
|-<br />
| 0x60<br />
| 8<br />
| DATA partition length<br />
|-<br />
| 0x68<br />
| 4<br />
| Active table (and the offset to the filebase)<br />
|-<br />
| 0x6C<br />
| 0x20<br />
| Hash from the active partition<br />
|-<br />
| 0x8C<br />
| 4*29<br />
| Unknown<br />
|}<br />
<br />
* The hash in the DISA hashes the Active Table (starting from the table's offset to the table's offset + table length) with SHA256.<br />
<br />
* The partition offsets point to a 0x1000-byte block which isn't understood yet. The actual information starts after that block.<br />
<br />
The DIFI table @ 0x200 (into the image) is written twice (meaning that if there are 4 DIFI blobs, the table is 2 DIFIs long).<br />
<br />
The second table is for backup. The active table is mentioned at 0x13C into the image (1=First table, other=Second Table)<br />
<br />
'''DIFI'''<br />
<br />
These 0x130-byte blobs describe the partitions. Every DIFI blob describes a partition. Partitions are concatenated, so the end of one partition is followed by the beginning of the next.<br />
<br />
Actually DIFI blobs are 0x12C bytes long, because the last 4 are not used and appear as 0xFFFFFFFF in the encrypted image.<br />
<br />
For most games there is only 1 partition (the SAVE partition), and some (like Asphalt 3D, Steel Diver & Lego Star Wars III) have 2 partitions.<br />
<br />
* 2 partitions means that the files inside the SAVE partition are on another partition (we can call it the DATA partition).<br />
<br />
* No more than 2 partitions have been seen yet (and there cannot be more, given the known DISA structure).<br />
<br />
{| class="wikitable"<br />
|-<br />
! Start<br />
! Length<br />
! Description<br />
|-<br />
| 0x00<br />
| 4<br />
| Magic ("DIFI")<br />
|-<br />
| 0x04<br />
| 4<br />
| Magic Number (0x10000)<br />
|-<br />
| 0x08<br />
| 8<br />
| Offset to "IVFC" blob in DIFI (usually 0x44)<br />
|-<br />
| 0x10<br />
| 8<br />
| Size of "IVFC" blob<br />
|-<br />
| 0x18<br />
| 8<br />
| Offset to "DPFS" blob in DIFI (usually 0xBC)<br />
|-<br />
| 0x20<br />
| 8<br />
| Size of "DPFS" blob<br />
|-<br />
| 0x28<br />
| 8<br />
| Offset to the hash in DIFI (usually 0x010C)<br />
|-<br />
| 0x30<br />
| 8<br />
| Size of this hash<br />
|-<br />
| 0x38<br />
| 4<br />
| Flags (1 means DATA partition)<br />
|-<br />
| 0x3C<br />
| 8<br />
| File base offset (for DATA partitions)<br />
|}<br />
<br />
'''IVFC'''<br />
<br />
{| class="wikitable"<br />
|-<br />
! Start<br />
! Length<br />
! Description<br />
|-<br />
| 0x00<br />
| 4<br />
| Magic ("IVFC")<br />
|-<br />
| 0x04<br />
| 4<br />
| Magic Number (0x20000)<br />
|-<br />
| 0x08<br />
| 8<br />
| Unknown (0x20?)<br />
|-<br />
| 0x10<br />
| 8<br />
| First Hash Offset<br />
|-<br />
| 0x18<br />
| 8<br />
| First Hash Length<br />
|-<br />
| 0x20<br />
| 8<br />
| First Hash Block Size (1<<value)<br />
|-<br />
| 0x28<br />
| 8<br />
| Second Hash Offset<br />
|-<br />
| 0x30<br />
| 8<br />
| Second Hash Length<br />
|-<br />
| 0x38<br />
| 8<br />
| Second Hash Block Size (1<<value)<br />
|-<br />
| 0x40<br />
| 8<br />
| HashTable Offset<br />
|-<br />
| 0x48<br />
| 8<br />
| HashTable Length<br />
|-<br />
| 0x50<br />
| 8<br />
| HashTable Block Size (1<<value)<br />
|-<br />
| 0x58<br />
| 8<br />
| FileSystem Offset<br />
|-<br />
| 0x60<br />
| 8<br />
| FileSystem Length<br />
|-<br />
| 0x68<br />
| 8<br />
| FileSystem Block Size (1<<value)<br />
|-<br />
| 0x70<br />
| 8<br />
| Unknown (usually 0x78=120)<br />
|-<br />
|}<br />
<br />
* First & Second hash are not understood yet.<br />
<br />
'''DPFS'''<br />
<br />
{| class="wikitable"<br />
|-<br />
! Start<br />
! Length<br />
! Description<br />
|-<br />
| 0x00<br />
| 4<br />
| Magic ("DPFS")<br />
|-<br />
| 0x04<br />
| 4<br />
| Magic Number (0x10000)<br />
|-<br />
| 0x08<br />
| 8<br />
| Offset To First table<br />
|-<br />
| 0x10<br />
| 8<br />
| First table length<br />
|-<br />
| 0x18<br />
| 8<br />
| First table block size (1<<value)<br />
|-<br />
| 0x20<br />
| 8<br />
| Offset To Second table<br />
|-<br />
| 0x28<br />
| 8<br />
| Second table length<br />
|-<br />
| 0x30<br />
| 8<br />
| Second table block size (1<<value)<br />
|-<br />
| 0x38<br />
| 8<br />
| Offset to Data<br />
|-<br />
| 0x40<br />
| 8<br />
| Data Length<br />
|-<br />
| 0x48<br />
| 8<br />
| Data block size (1<<value)<br />
|-<br />
|}<br />
<br />
* Every block this table points to is written twice (concatenated). You can see that the offset to the next block is twice the length (except the data, which always begins after 0x1000).<br />
<br />
The first partition's data starts at 0x2000. First comes the hashtable (usually starting @ 0x40 into the partition) and then the filesystem.<br />
<br />
The hashtable entries' size is 2^x where x is the 'Hashed block size' from the IVFC block.<br />
<br />
'''Hash'''<br />
<br />
After the DIFI, IVFC & DPFS comes a 0x20-byte hash; it is unknown what it is hashing.<br />
<br />
'''Summary Drawing'''<br />
<br />
[[File:Sfimg_drawing.png]]<br />
<br />
==== The SAVE partition ====<br />
<br />
* The SAVE filesystem works with a backup. There are two SAVE blocks concatenated inside the partition. Which SAVE block is the updated one is not yet known. (I'm guessing from experience that (image[0x100B] & 0x20) == 0x20 --> 1st SAVE --[[User:Elisherer|Elisherer]] 01:30, 18 October 2011 (CEST))<br />
<br />
'''Finding the folders table:'''<br />
* If DATA partition exists: At folder table exact offset from the SAVE struct (from the beginning of the struct).<br />
* Otherwise: The 'folder table offset' * 'folder table media' (=0x200) from the 'filestore offset'. (usually 0 from filebase)<br />
<br />
'''Finding the files table:'''<br />
* If DATA partition exists: At file table exact offset from the SAVE struct (from the beginning of the struct).<br />
* Otherwise: The 'file table offset' * 'file table media' (=0x200) from the 'filestore offset'.<br />
<br />
'''Determining the filestore base:'''<br />
* If DATA partition exists: At file base from the DATA's DIFI struct into the DATA partition.<br />
* Otherwise: At the 'filestore offset' from the beginning of the SAVE struct.<br />
<br />
Folder's entry structure:<br />
<pre><br />
struct folder_entry {<br />
u32 parent_folder_index;<br />
u8 filename[0x10];<br />
u32 folder_index;<br />
u32 unk1; <br />
u32 last_file_index;<br />
u32 unk3; <br />
u32 unk4;<br />
};<br />
</pre><br />
<br />
File's entry structure:<br />
<pre><br />
struct file_entry {<br />
u32 parent_folder_index;<br />
u8 filename[0x10];<br />
u32 index;<br />
u32 unk1; // magic?<br />
u32 block_offset;<br />
u64 file_size;<br />
u32 unk2; // flags?<br />
u32 unk3;<br />
};<br />
</pre><br />
<br />
The first entry in both tables holds the count of the table: its parent directory index is the number of table rows. The root includes itself, so there are (count - 1) folders (or files) in the root directory. The entries that follow the root are the actual folders/files.<br />
<br />
Reading the files out is as simple as taking the file base offset and adding (block_offset * 0x200) to it.<br />
<br />
Here's a follow-up example from the Legend of Zelda: Ocarina of Time 3D:<br />
<pre><br />
//FST entry = SAVE base + File base + (FST offset * 0x200) + (FST entry # * 0x30)<br />
//0x2600 = 0x2000 + 0x400 + (0x1 * 0x200) + (0x0 * 0x30)<br />
<br />
00002600: 03000000 09000000 00000000 00000000 ................<br />
00002610: 00000000 00000000 00000000 00000000 ................<br />
00002620: 00000000 00000000 00000000 00000000 ................<br />
00002630: 01000000 73797374 656D2E64 61740000 ....system.dat..<br />
00002640: 00000000 00000000 D57B1100 02000000 ........Õ{......<br />
00002650: 22000000 00000000 E8121500 00000000 ".......è.......<br />
00002660: 01000000 73617665 30302E62 696E0000 ....save00.bin..<br />
00002670: 00000000 01000000 69921100 03000000 ........i’......<br />
00002680: DC140000 00000000 04000000 00000000 Ü...............<br />
</pre><br />
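
The dump above decoded with the file_entry layout, as an added example that is not part of the original page. It assumes little-endian fields and an image-relative file base of 0x2400 (SAVE base 0x2000 + file base 0x400 from the comment in the dump); the function names are hypothetical, and the hex is copied from the dump without its ASCII column.

```python
import struct

# Hex columns of the Ocarina of Time 3D dump shown above.
DUMP = """\
00002600: 03000000 09000000 00000000 00000000
00002610: 00000000 00000000 00000000 00000000
00002620: 00000000 00000000 00000000 00000000
00002630: 01000000 73797374 656D2E64 61740000
00002640: 00000000 00000000 D57B1100 02000000
00002650: 22000000 00000000 E8121500 00000000
00002660: 01000000 73617665 30302E62 696E0000
00002670: 00000000 01000000 69921100 03000000
00002680: DC140000 00000000 04000000 00000000
"""

# u32 parent, u8 name[0x10], u32 index, u32 unk1, u32 block_offset,
# u64 file_size, u32 unk2, u32 unk3  ->  0x30 bytes, no padding
FILE_ENTRY = struct.Struct("<I16sIIIQII")
ENTRY_SIZE = 0x30
MEDIA = 0x200
FILE_BASE = 0x2000 + 0x400  # assumption taken from the dump's comment


def dump_to_bytes(dump):
    """Turn 'addr: word word word word' lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _addr, _, hexpart = line.partition(":")
        out += bytes.fromhex("".join(hexpart.split()))
    return bytes(out)


def parse_file_table(table, file_base, image_size=None):
    """Return the files listed after the root row of a files table."""
    if len(table) < ENTRY_SIZE:
        raise ValueError("table shorter than one entry")
    # Row 0 is the root: its parent index field holds the row count.
    count = FILE_ENTRY.unpack_from(table, 0)[0]
    if count < 1 or count * ENTRY_SIZE > len(table):
        raise ValueError("row count %d does not fit in %#x bytes"
                         % (count, len(table)))
    files = []
    for row in range(1, count):
        (parent, raw_name, index, _unk1, block_offset,
         size, _unk2, _unk3) = FILE_ENTRY.unpack_from(table, row * ENTRY_SIZE)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        start = file_base + block_offset * MEDIA
        # Reject entries that point past the end of the image.
        if image_size is not None and start + size > image_size:
            raise ValueError("%s extends past the image" % name)
        files.append({"name": name, "parent": parent, "index": index,
                      "offset": start, "size": size})
    return files


if __name__ == "__main__":
    for f in parse_file_table(dump_to_bytes(DUMP), FILE_BASE):
        print("%-12s offset=%#06x size=%#x" % (f["name"], f["offset"], f["size"]))
```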
<br />
{| class="wikitable"<br />
|-<br />
! Start<br />
! Length<br />
! Description<br />
|-<br />
| 0x00<br />
| 4<br />
| Magic ("SAVE")<br />
|-<br />
| 0x04<br />
| 4<br />
| Magic padding<br />
|-<br />
| 0x08<br />
| 8<br />
| Unknown<br />
|-<br />
| 0x10<br />
| 8<br />
| Partition Size [medias]<br />
|-<br />
| 0x18<br />
| 4<br />
| Partition Media Size<br />
|-<br />
| 0x1C<br />
| 8<br />
| Unknown<br />
|-<br />
| 0x24<br />
| 4<br />
| Unknown<br />
|-<br />
| 0x28<br />
| 8<br />
| FolderMap Offset<br />
|-<br />
| 0x30<br />
| 4<br />
| FolderMap Size<br />
|-<br />
| 0x34<br />
| 4<br />
| FolderMap Media Size<br />
|-<br />
| 0x38<br />
| 8<br />
| FileMap Offset<br />
|-<br />
| 0x40<br />
| 4<br />
| FileMap Size<br />
|-<br />
| 0x44<br />
| 4<br />
| FileMap Media Size<br />
|-<br />
| 0x48<br />
| 8<br />
| BlockMap Offset<br />
|-<br />
| 0x50<br />
| 4<br />
| BlockMap Size<br />
|-<br />
| 0x54<br />
| 4<br />
| BlockMap Media Size<br />
|-<br />
| 0x58<br />
| 8<br />
| File store offset (from SAVE)<br />
|-<br />
| 0x60<br />
| 4<br />
| File store length [medias]<br />
|-<br />
| 0x64<br />
| 4<br />
| File store media size<br />
|-<br />
| 0x68<br />
| 4/8<br />
| Folders Table offset (8 bytes in DATA)<br />
|-<br />
| 0x6C<br />
| 4<br />
| Folders Table Length (medias) (Only in no DATA)<br />
|-<br />
| 0x70<br />
| 4<br />
| Folders Table unknown<br />
|-<br />
| 0x74<br />
| 4<br />
| Folders Table Media size<br />
|-<br />
| 0x78<br />
| 4/8<br />
| Files Table offset (8 bytes in DATA)<br />
|-<br />
| 0x7C<br />
| 4<br />
| Files Table Length (medias) (Only in no DATA)<br />
|-<br />
| 0x80<br />
| 4<br />
| Files Table unknown<br />
|-<br />
| 0x84<br />
| 4<br />
| Files Table Media size<br />
|-<br />
|}<br />
<br />
* The FolderMap and FileMap are still unknown. They are tables of uint32.<br />
* The BlockMap is a map of the blocks in the filestore. An entry in the BlockMap is 2 uint32: {uint32 start_block; uint32 end_block; }. This is still being researched. (You can use [[3DSExplorer]] to see those maps.)<br />
<br />
'''Summary Drawing'''<br />
<br />
[[File:Sfsave_drawing.png]]<br />
<br />
=== Initialization ===<br />
<br />
When a save EEPROM contains all xFFFF blocks, the game cartridge assumes it is uninitialized and initializes default data in place, without prompting the user. <br />
<br />
I have a new game, SplinterCell3D-Pal, and I downloaded the savegame; it was 128KB of 0xFF, except for the first 0x10 bytes, which were 'Z' (uppercase) --[[User:Elisherer|Elisherer]] 22:41, 15 October 2011 (CEST)<br />
<br />
=== Fun Facts ===<br />
<br />
If you have facts that you found out by looking at the binary files please share them here:<br />
<br />
* From one save to another the game backs up the last files that were in the partition and the entire image header in "random" locations. --[[User:Elisherer|Elisherer]] 22:41, 15 October 2011 (CEST)</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Internet_Browser&diff=20575Internet Browser2018-01-23T21:08:17Z<p>Pigeon: </p>
<hr />
<div>The 3DS Internet Browser was added in the June 2011 Update for JPN/EUR/USA.<br />
<br />
From the Internet Browser help section:<br />
In compliance with the LGPL, the source code of the OSS is available via the Nintendo website.<br />
This source code can be downloaded here:<br />
[http://mediacontent.nintendo-europe.com/NOE/images/service/OpenSources.zip] [http://www.nintendo.co.jp/support/oss/index.html]<br />
<br />
The 3DS Internet Browser is [http://en.wikipedia.org/wiki/Netfront Netfront] Browser NX v1.0 based on [http://en.wikipedia.org/wiki/WebKit WebKit] engine.<br />
<br />
On O3DS the exheader name of this title is "SPIDER"; on N3DS, "SKATER".<br />
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser is the byte values for the title uniqueID/region.<br />
<br />
A [[#Dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartridge games shipping with system updates starting with [[9.9.0-26|9.9.0-X]]. <br />
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.<br />
<br />
==[[New 3DS]] Internet Browser==<br />
New3DS has a separate browser title, with the exheader name "SKATER".<br />
Unlike the Old3DS browser, the New3DS browser has videos+HTML5 support. <br />
<br />
This browser also has a filter enabled by default in the JPN version. <br />
Disabling it requires paying money with a credit-card, for [[NIM_Services|purchasing]] web-browser [[Title_list/DLC|DLC]].<br />
During startup the browser does various HTTPS comms. When visiting a URL, the browser sends a plaintext HTTP POST here: [http://ars.ifuser.jp:20080/ars2/rating]. The raw POST data begins with "ARS/2.0\r\n\x00", the rest appears to be encrypted. The server reply content also has this ARS header + encrypted data. This appears to use a fixed xorpad, likely from a fixed encryption CTR/IV. The server content responses for allowed sites, and blocked sites, are fixed. When the server returns that the site is blocked, the browser goes to this page: [http://ars.ifuser.jp/filter/44.html] (the Referrer header value is set to the same URL it's actually requesting).<br />
<br />
The WebKit source was updated since the Old3DS browser.<br />
The New3DS browser uses the following services: [[MVD_Services|mvd:STD]] and [[IR_Services|ir:rst]](DLC-related services are used too but those aren't New3DS specific).<br />
Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.<br />
<br />
=== Video / libstagefright ===<br />
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than [https://android.googlesource.com/platform/frameworks/av/+/ec77122351b4e78c1fe5b60a208f76baf8c67591%5E%21/media/libstagefright/MPEG4Extractor.cpp this]). This codebase is missing certain chunk-parsing code for 3GP.<br />
<br />
HTTP for libstagefright is internally handled with [[HTTP_Services|HTTPC]], with a similar(?) set of RootCAs as for browser-version-check.<br />
<br />
===User-Agent and Browser Versions===<br />
Normal user-agent format: <code style="font-size:larger;">Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/<WebKit version> (KHTML, like Gecko) NX/<Netfront version> Mobile NintendoBrowser/<Mobile NintendoBrowser version>.<region></code><br />
<br />
<region> can be one of the following: "JP", "US", or "EU".<br />
<br />
Mobile User-Agent is always <code>Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25</code>.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Mobile NintendoBrowser version(displayed in browser settings)<br />
! Normal UA<br />
! CDN Title-version<br />
! Network-only system-update version<br />
! Notes<br />
|-<br />
| 1.0.9934<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region><br />
| v10<br />
| [[9.0.0-20]]<br />
| Initial version.<br />
|-<br />
| 1.1.9996<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region><br />
| v1027<br />
| [[9.3.0-21]]<br />
| See below regarding OSS changes.<br />
|-<br />
| 1.2.10085<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region><br />
| v2051<br />
| [[9.6.0-24]]<br />
| See below.<br />
|-<br />
| None<br />
| None<br />
| v3075<br />
| v9.9 CUP<br />
| v9.9 CUP dummy web-browser, see below.<br />
|-<br />
| 1.3.10126<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region><br />
| v3077<br />
| [[9.9.0-26]]<br />
| See below.<br />
|-<br />
| 1.4.10138<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region><br />
| v4096<br />
| [[10.2.0-28]]<br />
| See below.<br />
|-<br />
| 1.5.10143<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region><br />
| v5121<br />
| [[10.4.0-29]]<br />
| See below.<br />
|-<br />
| 1.6.10147<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region><br />
| v6144<br />
| [[10.6.0-31]]<br />
| See below.<br />
|-<br />
| None<br />
| None<br />
| v7168<br />
| v10.7 CUP<br />
| v10.7 CUP dummy web-browser, see below.<br />
|-<br />
| 1.7.10150<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region><br />
| v7184<br />
| [[10.7.0-32]]<br />
| See below.<br />
|-<br />
| 1.8.10156<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region><br />
| v8192<br />
| [[11.1.0-34]]<br />
| See below.<br />
|-<br />
| None<br />
| None<br />
| v9217<br />
| v11.4 CUP<br />
| v11.4 CUP dummy web-browser, see below.<br />
|-<br />
| 1.9.10160<br />
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region><br />
| v9232<br />
| [[11.4.0-37]]<br />
| See below.<br />
|}<br />
<br />
Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.<br />
<br />
The first version of the KOR New3DS browser was v9.6 (which was when the New3DS KOR titles were originally added). Each version of the KOR browser has the same NintendoBrowser version as the other regions. The KOR browser has only been updated when the browser for the other regions was updated, hence the title-versions are the same as well. The KOR browser ExeFS .code is different from the other regions (more than just region-related IDs etc).<br />
<br />
==== OSS 9.0 and 9.3 diff ====<br />
The following is a diff of the OSS archives from [http://www.nintendo.co.jp/support/oss/index.html here], for v9.0 and v9.3.<br />
<br />
Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp and NewNintendo3DS_OpenSources9.3.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp differ<br />
Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebKit/WKC/webkit/WKCVersion.h and NewNintendo3DS_OpenSources9.3.0-/WKC/WebKit/WKC/webkit/WKCVersion.h differ<br />
<br />
WKC_CUSTOMER_RELEASE_VERSION was changed from "0.5.8" to "0.5.10".<br />
<br />
The following code was added to ResourceHandleManager::doRedirect(): curl_easy_setopt(d->m_handle, CURLOPT_SHARE, 0);<br />
<br />
==== v9.6 ====<br />
WebKit/OSS code was actually updated.<br />
ExeFS .code was updated. The following files in RomFS were updated:<br />
* "/banner/CN/Skater.icn" and "/banner/KR/Skater.icn".<br />
* "/browser/rootca.pem"<br />
* "/build/buildinfo.dat"<br />
* "/cairo.cro.lex" and "/.crr/static.crr"<br />
* "/lyt/Button/ButtonSelectHSearch.arc"<br />
* "/lyt/Kbd/Swkbd.arc"<br />
* "lyt/Kbd.arc"<br />
* "skater.msbt" under all of the "/message/<region>_<language>/" directories.<br />
* "/oss.cro.lex", "/peer.cro.lex", "/static.crs", and "/webkit.cro.lex".<br />
<br />
The following was added to RomFS:<br />
* "/favicon/naver.dat"<br />
* A "KO" directory under "/iwnn".<br />
<br />
==== v9.9 ====<br />
ExeFS:/.code was updated.<br />
<br />
The only RomFS changes are file updates; all of the following files were updated:<br />
/browser/rootca.pem<br />
/build/buildinfo.dat<br />
/cairo.cro.lex<br />
/.crr/static.crr<br />
/message/CN_Simp_Chinese/skater.msbt<br />
/message/EU_Dutch/skater.msbt<br />
/message/EU_English/skater.msbt<br />
/message/EU_French/skater.msbt<br />
/message/EU_German/skater.msbt<br />
/message/EU_Italian/skater.msbt<br />
/message/EU_Portuguese/skater.msbt<br />
/message/EU_Russian/skater.msbt<br />
/message/EU_Spanish/skater.msbt<br />
/message/JP_Japanese/skater.msbt<br />
/message/KR_Hangeul/skater.msbt<br />
/message/TW_English/skater.msbt<br />
/message/TW_Trad_Chinese/skater.msbt<br />
/message/US_English/skater.msbt<br />
/message/US_French/skater.msbt<br />
/message/US_Portuguese/skater.msbt<br />
/message/US_Spanish/skater.msbt<br />
/oss.cro.lex<br />
/peer.cro.lex<br />
/static.crs<br />
/webkit.cro.lex<br />
<br />
See [https://gist.github.com/yellows8/9fb509fde4112339f342 here] for a diff of the OSS(WebKitLibraries/ is not included due to the massive cairo library diff). An exploitable security vuln(which was already known in the context of 3DS webkit) was fixed. [[User:Yellows8|Yellows8]]' private(at the time of writing) exploit for it is based on the PoC from [http://pastebin.com/ufBCQKda here](see the pastebin for the actual pastebin author).<br />
<br />
==== v10.2 ====<br />
The libstagefright build in the main SKATER codebin was updated to a version which fixed libstagefright vuln(s): the vuln used in [[browserhax|browserhax_fright]] at the time of sysupdate release was fixed. The *only* code changed in the main codebin, was code related to libstagefright.<br />
<br />
The only RomFS changes were file updates; all of the following files were updated (see the forced-sysupdate section regarding what changed in the message files):<br />
/browser/rootca.pem<br />
/build/buildinfo.dat<br />
/.crr/static.crr<br />
/message/CN_Simp_Chinese/skater.msbt<br />
/message/EU_Dutch/skater.msbt<br />
/message/EU_English/skater.msbt<br />
/message/EU_French/skater.msbt<br />
/message/EU_German/skater.msbt<br />
/message/EU_Italian/skater.msbt<br />
/message/EU_Portuguese/skater.msbt<br />
/message/EU_Russian/skater.msbt<br />
/message/EU_Spanish/skater.msbt<br />
/message/JP_Japanese/skater.msbt<br />
/message/KR_Hangeul/skater.msbt<br />
/message/TW_English/skater.msbt<br />
/message/TW_Trad_Chinese/skater.msbt<br />
/message/US_English/skater.msbt<br />
/message/US_French/skater.msbt<br />
/message/US_Portuguese/skater.msbt<br />
/message/US_Spanish/skater.msbt<br />
/oss.cro.lex<br />
/static.crs<br />
/webkit.cro.lex<br />
<br />
OSS diff:<br />
diff --git a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
index 4543297..0860336 100644<br />
--- a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
+++ b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
@@ -29,7 +29,7 @@<br />
#define WKC_VERSION_CHECK(major, minor, micro) \<br />
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))<br />
<br />
-#define WKC_CUSTOMER_RELEASE_VERSION "0.5.15"<br />
+#define WKC_CUSTOMER_RELEASE_VERSION "0.5.17"<br />
<br />
#define WKC_WEBKIT_VERSION "536.30"<br />
<br />
diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog<br />
index a5abb35..cf5a9fa 100644<br />
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog<br />
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog<br />
@@ -1,3 +1,12 @@<br />
+2013-11-05 Ryosuke Niwa <rniwa@webkit.org><br />
+<br />
+ Use-after-free in SliderThumbElement::dragFrom<br />
+ https://bugs.webkit.org/show_bug.cgi?id=123873<br />
+<br />
+ Reviewed by Andreas Kling.<br />
+<br />
+ Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b<br />
+<br />
2015-02-06 Maciej Stachowiak <mjs@apple.com><br />
<br />
REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).<br />
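Review bot: the new ChangeLog entry is dated 2013-11-05 but is inserted at the top of the file, above the 2015-02-06 entry, so the log no longer reads newest-first. Head the entry with the date the fix was merged into this tree and keep the upstream date and the Blink commit in the body, so a reader can tell when this build actually picked up the SliderThumbElement::dragFrom use-after-free fix.<br />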
@@ -879,7 +888,7 @@<br />
* rendering/RenderLineBoxList.cpp:<br />
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):<br />
<br />
-2014-01-21 László Langó <llango.u-szeged@partner.samsung.com><br />
+2014-01-21 Laszlo Lango <llango.u-szeged@partner.samsung.com><br />
<br />
Assertion failure in Range::nodeWillBeRemoved<br />
https://bugs.webkit.org/show_bug.cgi?id=121694<br />
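Review bot: the only change in this hunk is the author name on the 2014-01-21 entry losing its diacritics (László Langó to Laszlo Lango), which is unrelated to the slider fix and looks like a side effect of the file being re-saved in a different encoding. Keep the ChangeLog in its original encoding and drop this hunk, so the security change stays reviewable on its own.<br />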
@@ -1879,7 +1888,7 @@<br />
<br />
2012-09-14 Simon Fraser <simon.fraser@apple.com><br />
<br />
- REGRESSION: transition doesnât always override transition-property<br />
+ REGRESSION: transition doesnft always override transition-property<br />
https://bugs.webkit.org/show_bug.cgi?id=96658<br />
<br />
Reviewed by Dean Jackson.<br />
@@ -3691,8 +3700,8 @@<br />
glyph with font data for the primary font, presumably to meet the SVG<br />
spec requirement: "If the references to alternate glyphs do not result<br />
in successful identification of alternate glyphs to use, then the<br />
- character(s) that are inside of the 窶åltGlyph窶?element are rendered as<br />
- if the 窶åltGlyph窶?element were a 窶?span窶?element instead."<br />
+ character(s) that are inside of the âaltGlyphâ?element are rendered as<br />
+ if the âaltGlyphâ?element were a â?spanâ?element instead."<br />
<br />
If the alt glyph is not then found we are in the case from the spec<br />
and indeed we should use the primary font. However, we end up replacing the GlyphPage<br />
diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp<br />
index 484adec..d7e9e8d 100644<br />
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp<br />
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp<br />
@@ -164,7 +164,7 @@ void RangeInputType::handleMouseDownEvent(MouseEvent* event)<br />
ASSERT(element()->hasShadowRoot());<br />
if (targetNode != element() && !targetNode->isDescendantOf(element()->shadowTree()->oldestShadowRoot()))<br />
return;<br />
- SliderThumbElement* thumb = sliderThumbElementOf(element());<br />
+ RefPtr<SliderThumbElement> thumb = sliderThumbElementOf(element());<br />
if (targetNode == thumb)<br />
return;<br />
thumb->dragFrom(event->absoluteLocation());<br />
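Review bot: in handleMouseDownEvent(), "thumb" is dereferenced at "thumb->dragFrom(event->absoluteLocation());" with no null check visible in this hunk, and switching the local to RefPtr<SliderThumbElement> only extends the lifetime of an element that exists. If sliderThumbElementOf() can return null here, add an early return. A short comment on the RefPtr line saying that the reference keeps the element alive across dragFrom() (the ChangeLog entry names a use-after-free in SliderThumbElement::dragFrom) would stop a later cleanup from turning it back into a raw pointer.<br />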
<br />
==== v10.4 ====<br />
The ExeFS codebin was updated; the only change was to the following code in the actual NupCheck HTTPS request function:<br />
* Previous version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/2/%s", region);<br />
* Current version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/%d/%s", 3, region);<br />
<br />
libpng was updated from version 1.5.21 to 1.5.24.<br />
<br />
The following RomFS files were updated(see the forced-sysupdate section regarding what changed in the message files):<br />
/browser/rootca.pem<br />
/build/buildinfo.dat<br />
/cairo.cro.lex<br />
/.crr/static.crr<br />
/message/CN_Simp_Chinese/skater.msbt<br />
/message/EU_Dutch/skater.msbt<br />
/message/EU_English/skater.msbt<br />
/message/EU_French/skater.msbt<br />
/message/EU_German/skater.msbt<br />
/message/EU_Italian/skater.msbt<br />
/message/EU_Portuguese/skater.msbt<br />
/message/EU_Russian/skater.msbt<br />
/message/EU_Spanish/skater.msbt<br />
/message/JP_Japanese/skater.msbt<br />
/message/KR_Hangeul/skater.msbt<br />
/message/TW_English/skater.msbt<br />
/message/TW_Trad_Chinese/skater.msbt<br />
/message/US_English/skater.msbt<br />
/message/US_French/skater.msbt<br />
/message/US_Portuguese/skater.msbt<br />
/message/US_Spanish/skater.msbt<br />
/oss.cro.lex<br />
/peer.cro.lex<br />
/static.crs<br />
/webkit.cro.lex<br />
<br />
==== v10.6 ====<br />
The ExeFS codebin was updated.<br />
<br />
[[browserhax|browserhax_fright_tx3g]] was fixed. The code handling tx3g now matches the latest libstagefright git.<br />
<br />
As the RomFS listing below shows, no OSS was updated at all (besides the libstagefright mentioned above).<br />
<br />
The following RomFS files were updated:<br />
/build/buildinfo.dat<br />
/static.crs<br />
<br />
==== v10.7 ====<br />
Basically the same changes as Old3DS v10.7, except with the usual buildinfo.dat update in RomFS. The below date is 6 days after the browser-version-check [[3DS_Userland_Flaws|bypass]] was publicly disclosed.<br />
<br />
cat v7184/00000025_romfs/build/buildinfo.dat<br />
10150<br />
applet<br />
2016-03-02 18:25<br />
<br />
==== v11.1 ====<br />
The ExeFS codebin was updated. The following files in RomFS were updated:<br />
<br />
/build/buildinfo.dat<br />
/.crr/static.crr<br />
/oss.cro.lex<br />
/static.crs<br />
/webkit.cro.lex<br />
<br />
cat v8192/00000026_romfs/build/buildinfo.dat<br />
10156<br />
applet<br />
2016-08-26 19:47<br />
<br />
Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)<br />
<br />
Additional code was added which doesn't seem to be from upstream git, right [https://android.googlesource.com/platform/frameworks/av/+/32d6e5f0ebe9e00f80401e5f4fd6e285a474590d/media/libstagefright/MPEG4Extractor.cpp#880 before] the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"<br />
<br />
This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.<br />
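<br />
The added check can be modelled as follows. This is an added example, not code from the browser or from libstagefright: it is a simplified box-header parser in which the function name, error codes and sample bytes are assumptions, and the size-0 form of a box is not handled.<br />

```c
/* Added example: simplified model of an MP4 box-header parse. It is not
 * Nintendo's or AOSP's code; all names and sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CHUNK_OK = 0, CHUNK_ERR_IO = -1, CHUNK_ERR_MALFORMED = -2 };

struct chunk_info {
    uint32_t type;            /* fourcc packed big-endian */
    uint64_t data_offset;     /* file offset of the first payload byte */
    int64_t  chunk_data_size; /* payload length; signed, like off64_t */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse the box header found at `offset` inside `file`. */
int parse_chunk_header(const uint8_t *file, size_t len, size_t offset,
                       struct chunk_info *out)
{
    if (offset > len || len - offset < 8)
        return CHUNK_ERR_IO;

    uint64_t chunk_size = be32(file + offset);
    uint64_t header_len = 8;
    out->type = be32(file + offset + 4);

    if (chunk_size == 1) { /* size field 1: a 64-bit size follows the type */
        if (len - offset < 16)
            return CHUNK_ERR_IO;
        chunk_size = be64(file + offset + 8);
        header_len = 16;
    }
    if (chunk_size < header_len) /* unsigned compare: huge values pass it */
        return CHUNK_ERR_MALFORMED;

    out->data_offset = (uint64_t)offset + header_len;

    /* The check the page describes: (*offset + chunk_size) - data_offset < 0.
     * Done in unsigned arithmetic to avoid signed overflow; a result above
     * INT64_MAX is exactly the case where the signed value is negative. */
    uint64_t raw = (uint64_t)offset + chunk_size - out->data_offset;
    if (raw > (uint64_t)INT64_MAX)
        return CHUNK_ERR_MALFORMED;

    out->chunk_data_size = (int64_t)raw;
    return CHUNK_OK;
}

/* Constructed samples: a 32-bit box, a valid 64-bit box, and a 64-bit box
 * whose size is negative when read as a signed 64-bit value. */
static const uint8_t box_small[20] = { 0, 0, 0, 0x14, 'f', 'r', 'e', 'e' };
static const uint8_t box_large_ok[24] = {
    0, 0, 0, 1, 'f', 'r', 'e', 'e', 0, 0, 0, 0, 0, 0, 0, 0x18 };
static const uint8_t box_large_negative[16] = {
    0, 0, 0, 1, 'f', 'r', 'e', 'e',
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00 };

int main(void)
{
    struct chunk_info ci;
    printf("32-bit box:    %d\n",
           parse_chunk_header(box_small, sizeof box_small, 0, &ci));
    printf("64-bit box:    %d\n",
           parse_chunk_header(box_large_ok, sizeof box_large_ok, 0, &ci));
    printf("negative size: %d\n",
           parse_chunk_header(box_large_negative, sizeof box_large_negative,
                              0, &ci));
    return 0;
}
```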
<br />
The filepath base used in the assert strings was changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".<br />
<br />
==== v11.4 ====<br />
The only changes in RomFS were to "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) was updated.<br />
<br />
The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns.<br />
<br />
cat v9232/00000027_romfs/build/buildinfo.dat<br />
10160<br />
applet<br />
2017-03-08 19:44<br />
<br />
=== New3DS Browser Specifications ===<br />
[http://www.nintendo.co.jp/3ds/new/features/modal_net.html]<br />
<br />
English version:<br />
* "Browser engine: NetFront® Browser NX v3.0"<br />
* "User agent: Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML and like Gecko) NX/3.0.*.*.* Mobile NintendoBrowser/1.0.**** JP<br />
* ** Version information is stated.<br />
* *** When using the “Mobile version request” function, it differs from the above-mentioned character string"<br />
* "Supported protocols: HTTP1.0/HTTP1.1/SSL3.0/TLS1.0/TLS1.1/TLS1.2"<br />
* "Web standard: HTML4.01 / HTML5 / XHTML1.1 / Fullscreen API / Gamepad API / SVG / WebSocket / Video Subtitle / WOFF / Web Messaging / Server-Sent / Web Storage (partial) / XMLHttpRequest / Canvas element / Video / DOM Levels 1-3 / ECMAScript / CSS1 / CSS2.1 / CSS3 (partial)"<br />
* "Image format: bmp / gif / ico / jpeg / png / svg (There are, however, possibilities that some images won't display.)"<br />
* "Image preview: mpo / jpeg (There are, however, possibilities that some images won't display.)"<br />
* "Video format: MP4, M3U8 + TS (HTTPLiveStreaming) (There are, however, some videos that may not be played.)"<br />
* "Video codec: H.264 - MPEG-4 AVC Video (max 854x480 at level 3.2, 3D compatible) (There are, however, some videos that can not be played.)"<br />
* "Audio codec: AAC - ISO / IEC 14496-3 MPEG-4AAC, MP3 (There are, however, some videos that can not be played.)"<br />
* "Format for uploading 3D videos: .mkv (In order to be played, videos must be converted to the appropriate format within the site you are uploading to. In some cases, the video will not play even if converted.)"<br />
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"<br />
* "Active Rating System filtering: provided by Digital Arts, Inc.. Access to web content can be limited based on its category information, restricting access to web content that may result inappropriate."<br />
* "Websites can be requested to provide the mobile version (However, if the web page does not have a mobile version, it won't change the way it's displayed.)"<br />
<br />
MJPEG + .avi is also supported.<br />
<br />
==== Notes ====<br />
* The html "color" <input> type is not supported.<br />
<br />
== Old3DS browser ==<br />
<br />
<br />
=== Old3DS Browser Specifications ===<br />
* "Browser engine: NetFront® Browser"<br />
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"<br />
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"<br />
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"<br />
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"<br />
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"<br />
<br />
The Old3DS browser doesn't support the "focusin" and "focusout" events.<br />
<br />
=== User-Agent and Browser Versions ===<br />
User-agent format: <code style="font-size:larger;">Mozilla/5.0 (Nintendo 3DS; U; ; <lang>) Version/<version>.<region></code>.<br />
<br />
<lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>.<br />
{| class="wikitable" border="1"<br />
|-<br />
! Browser version<br />
! CDN Title-version<br />
! Network-only system-update version<br />
! Notes<br />
|-<br />
| 1.7412<br />
| v6<br />
| [[2.0.0-2|2.0.0-2]]<br />
| This was the initial version.<br />
|-<br />
| 1.7455<br />
| v1024<br />
| [[2.1.0-4]]<br />
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too.<br />
|-<br />
| 1.7498<br />
| v2050<br />
| [[4.0.0-7]]<br />
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.<br />
|-<br />
| 1.7538<br />
| v0<br />
| [[4.2.0-9]]<br />
| First version of the KOR browser. The CROs are different from the USA/EUR/JPN [[4.0.0-7]] browser.<br />
|-<br />
| 1.7552<br />
| v3075<br />
| [[5.0.0-11]]<br />
| ExeFS .code and icon were updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.<br />
|-<br />
| 1.7552<br />
| v3088<br />
| [[7.0.0-13]]<br />
| The main NCCH wasn't updated at all(same TMD contentID/content-hash as the previous version), only the manual CFA for this title was updated.<br />
|-<br />
| 1.7567<br />
| v4096<br />
| [[7.1.0-16]]<br />
| The CXI .code was updated, some data in the RomFS was updated(none of the CROs such as webkit.cro were updated). The manual CFA was updated too.<br />
|-<br />
| 1.7585<br />
| v5121<br />
| [[9.5.0-23]]<br />
| The CXI .code was updated, and the manual CFA was updated. RomFS changes:<br />
* "/browser/rootca.pem" updated<br />
* "/cro/oss.cro" updated<br />
* "/cro/static.crs" updated<br />
* "/cro/webkit.cro" updated<br />
* "/.crr/static.crr" updated<br />
* "/layout/dialogheader/WirelessSwitchOff.arc" was removed<br />
* "/layout/favorite/favicondata/KOR.arc" updated<br />
<br />
A vuln used in a public(at the time of this sysupdate) webkit exploit for spider was fixed, which also fixed the removewinframe exploit from [https://github.com/yellows8/3ds_webkithax here].<br />
|-<br />
| None<br />
| v6147<br />
| v9.9 CUP<br />
| v9.9 CUP dummy web-browser, see below.<br />
|-<br />
| 1.7610<br />
| v6149<br />
| [[9.9.0-26]]<br />
| See below.<br />
|-<br />
| 1.7616<br />
| v7168<br />
| [[10.2.0-28]]<br />
| See below.<br />
|-<br />
| 1.7622<br />
| v8192<br />
| [[10.6.0-31]]<br />
| See below.<br />
|-<br />
| None<br />
| v9216<br />
| v10.7 CUP<br />
| v10.7 CUP dummy web-browser, see below.<br />
|-<br />
| 1.7625<br />
| v9232<br />
| [[10.7.0-32]]<br />
| See below.<br />
|-<br />
| 1.7630<br />
| v10240<br />
| [[11.1.0-34]]<br />
| See below.<br />
|}<br />
<br />
=== Heap ===<br />
The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller.<br />
<br />
=== Old3DS v9.9 ===<br />
ExeFS:/.code was updated.<br />
<br />
The only RomFS changes were file updates; the following files were updated:<br />
/browser/rootca.pem<br />
/cro/oss.cro<br />
/cro/static.crs<br />
/cro/webkit.cro<br />
/.crr/static.crr<br />
/message/CN_Simp_Chinese/spider.msbt<br />
/message/EU_Dutch/spider.msbt<br />
/message/EU_English/spider.msbt<br />
/message/EU_French/spider.msbt<br />
/message/EU_German/spider.msbt<br />
/message/EU_Italian/spider.msbt<br />
/message/EU_Portuguese/spider.msbt<br />
/message/EU_Russian/spider.msbt<br />
/message/EU_Spanish/spider.msbt<br />
/message/JP_Japanese/spider.msbt<br />
/message/KR_Hangeul/spider.msbt<br />
/message/TW_English/spider.msbt<br />
/message/TW_Trad_Chinese/spider.msbt<br />
/message/US_English/spider.msbt<br />
/message/US_French/spider.msbt<br />
/message/US_Portuguese/spider.msbt<br />
/message/US_Spanish/spider.msbt<br />
<br />
OSS diff for v9.5 and v9.9, without the .dox changes:<br />
<br />
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
index be5ff09..55a7274 100644<br />
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
@@ -29,7 +29,7 @@<br />
#define WKC_VERSION_CHECK(major, minor, micro) \<br />
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))<br />
<br />
-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.14"<br />
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"<br />
<br />
#define WKC_WEBKIT_VERSION "532.7"<br />
<br />
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp<br />
index da4127e..d03403e 100644<br />
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp<br />
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp<br />
@@ -305,23 +305,23 @@ int RenderBox::scrollHeight() const<br />
<br />
int RenderBox::scrollLeft() const<br />
{<br />
- return hasOverflowClip() ? layer()->scrollXOffset() : 0;<br />
+ return layer() && hasOverflowClip() ? layer()->scrollXOffset() : 0;<br />
}<br />
<br />
int RenderBox::scrollTop() const<br />
{<br />
- return hasOverflowClip() ? layer()->scrollYOffset() : 0;<br />
+ return layer() && hasOverflowClip() ? layer()->scrollYOffset() : 0;<br />
}<br />
<br />
void RenderBox::setScrollLeft(int newLeft)<br />
{<br />
- if (hasOverflowClip())<br />
+ if (hasOverflowClip() && layer())<br />
layer()->scrollToXOffset(newLeft);<br />
}<br />
<br />
void RenderBox::setScrollTop(int newTop)<br />
{<br />
- if (hasOverflowClip())<br />
+ if (hasOverflowClip() && layer())<br />
layer()->scrollToYOffset(newTop);<br />
}<br />
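Review bot: the four guards are written two ways, "layer() && hasOverflowClip()" in scrollLeft()/scrollTop() and "hasOverflowClip() && layer()" in setScrollLeft()/setScrollTop(); pick one order so the accessors read the same. Each function also calls layer() twice, once for the check and once for the dereference; fetching it into a local once would make it obvious that the pointer tested is the pointer used.<br />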
<br />
=== Old3DS v10.2 ===<br />
The slider vuln from [https://github.com/yellows8/3ds_webkithax here] was fixed in the Old3DS browser.<br />
<br />
The main codebin .text only increased by 0x10-bytes.<br />
<br />
The only change in RomFS was that the following files were updated:<br />
/cro/oss.cro<br />
/cro/static.crs<br />
/cro/webkit.cro<br />
/.crr/static.crr<br />
<br />
OSS diff:<br />
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
index 55a7274..fc153c4 100644<br />
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h<br />
@@ -29,7 +29,7 @@<br />
#define WKC_VERSION_CHECK(major, minor, micro) \<br />
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))<br />
<br />
-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"<br />
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.17"<br />
<br />
#define WKC_WEBKIT_VERSION "532.7"<br />
<br />
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp<br />
index b2f5cef..1dd3dbd 100644<br />
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp<br />
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp<br />
@@ -221,6 +221,7 @@ RenderSlider::~RenderSlider()<br />
{<br />
if (m_thumb)<br />
m_thumb->detach();<br />
+ m_thumb = 0;<br />
}<br />
<br />
int RenderSlider::baselinePosition(bool, bool) const<br />
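Review bot: in ~RenderSlider(), "m_thumb = 0;" is assigned only after "m_thumb->detach();" has returned, so anything that reaches this object while detach() is running still sees the old pointer. If the intent is to stop later code from using a detached thumb, move the pointer into a local, clear the member, then detach the local. A one-line comment on why a member is cleared inside a destructor would also help.<br />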
@@ -493,7 +494,8 @@ void RenderSlider::forwardEvent(Event* event)<br />
}<br />
}<br />
<br />
- m_thumb->defaultEventHandler(event);<br />
+ if (m_thumb)<br />
+ m_thumb->defaultEventHandler(event);<br />
}<br />
<br />
bool RenderSlider::inDragMode() const<br />
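Review bot: the new "if (m_thumb)" guard in forwardEvent() covers only the final defaultEventHandler() call; the body above it is not part of this hunk, so confirm it has no unguarded "m_thumb->" use. The guard also depends on every teardown path clearing m_thumb, which the visible lines establish only for the destructor.<br />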
<br />
=== Old3DS v10.6 ===<br />
[[browserhax|spider28hax]] was fixed. The "2^32 characters long string" vuln described [[3DS_Userland_Flaws|here]] was ''finally'' fixed.<br />
<br />
''A lot'' of WebKit issues/vulns were fixed, see [https://gist.github.com/yellows8/b1e10caa1d8bb8a46316 here] for the changes.<br />
<br />
libpng was updated from version 1.4.12 to 1.4.19. zlib was updated from 1.2.7 to 1.2.8.<br />
<br />
The .text size increased by 0x478-bytes.<br />
<br />
The only change in RomFS was that the following files were updated:<br />
/cro/oss.cro<br />
/cro/static.crs<br />
/cro/webkit.cro<br />
/.crr/static.crr<br />
/manual/Manual.bcma<br />
<br />
=== Old3DS v10.7 ===<br />
''Nothing'' changed except that some words for version-values in .text were updated (RomFS wasn't changed) and the code for the browser-version-check was [[#v10.7_2|updated]].<br />
<br />
=== Old3DS v11.1 ===<br />
Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:<br />
/cro/oss.cro<br />
/cro/webkit.cro<br />
/.crr/static.crr<br />
<br />
== Forced system-update ==<br />
The Old3DS/New3DS Internet Browser updated with [[9.9.0-26]] added the following message strings:<br />
In order to use the Internet <br />
browser, a system update <br />
is required.<br />
To perform a system update, <br />
select System Update from Other<br />
Settings in System Settings.<br />
<br />
The Internet browser cannot be<br />
used at this time.<br />
Please check your network<br />
environment or try again later.<br />
<br />
For whatever reason, the above ''message strings'' were removed with New3DS-browser v10.2, then re-added with v10.4. This does not apply to the Old3DS browser. Whenever v10.2 New3DS browser tries to use these message-strings for displaying a browser-update-related message, it will crash due to an assert failing since the message-strings are missing. Hence, if/when the v10.2 update-check page is ever updated where the browser tries to display a message for it, or when accessing that page fails, the browser will automatically crash.<br />
<br />
This wasn't enforced(web-browser displaying the above message when the installed browser isn't the latest version) until October 26, 2015.<br />
<br />
This message only triggers when attempting to load a web-page. This is only handled the first time the browser accesses a web-page, during this browser session.<br />
<br />
The browser codebins starting with v9.9 now contain the following URL strings:<br />
* Old3DS: <nowiki>"https://cbvc.cdn.nintendo.net/CTR/1/<region>"</nowiki><br />
* New3DS: <nowiki>"https://cbvc.cdn.nintendo.net/SNAKE/1/<region>"</nowiki><br />
<br />
The <region> string is one of the following:<br />
* "JPN"<br />
* "USA"<br />
* "EUR"<br />
* "KOR"<br />
<br />
Starting with the browser from [[10.2.0-28]], the "1" in the above URLs was changed to "2". With the New3DS browser from [[10.4.0-29]], it's now "3".<br />
<br />
As of October 26, 2015, the "1" URLs return the browser-version for v9.9(decimal number as a string without any "."), while the "2" URLs return 0.<br />
<br />
if(internal_browserver > server_browserver)<br />
{<br />
<safe><br />
}<br />
else<br />
{<br />
<update message><br />
}<br />
<br />
Hence, internal_browserver == server_browserver will trigger the sysupdate message, which appears to be the normal way to indicate that the current browser is outdated(see above).<br />
<br />
There is a cache for this in savedata. The request is only done when at least 24-hours have passed since the last time the request was done(see the below savedata section).<br />
<br />
It is still possible to guard against this update by blocking the previous URLs using a proxy. <br />
It is not possible to remove the update message by entering the [[Recovery Mode]].<br />
<br />
=== Page request ===<br />
For this request, all root-CAs bundled with the browser are trusted, in addition to two of the SSL module builtin Nintendo root-CAs.<br />
<br />
The browser(with New3DS at least) does the following with [[HTTP_Services|HTTPC]] for requesting the above page:<br />
* Initializes the HTTP context and uses [[HTTPC:InitializeConnectionSession]] + [[HTTPC:SetProxyDefault]].<br />
* Uses [[HTTP_Services|HTTPC]] command 0x250080 twice with cmd[1]=contexthandle: first time cmd[2]=0x3, second time cmd[2]=0x6.<br />
* Then [[HTTPC:AddTrustedRootCA]] is used 48 times to set up 48 trusted root CAs. This appears to be every cert in the browser "romfs:/browser/rootca.pem" file converted to DER, in the same order from there(in other words, every single root CA the browser trusts by default for normal web-browsing).<br />
* Then [[HTTPC:BeginRequest]] is used.<br />
* Then [[HTTPC:ReceiveDataTimeout]] is used, the recv-size seems to be fixed to 0x20.<br />
* Then [[HTTPC:GetResponseStatusCodeTimeout]] is used.<br />
* Then [[HTTPC:GetDownloadSizeState]] is used.<br />
* Then the HTTP context is closed.<br />
<br />
Raw request data(New3DS USA v10.2 browser):<br />
000000: 47 45 54 20 2f 53 4e 41 4b 45 2f 32 2f 55 53 41 GET /SNAKE/2/USA<br />
000010: 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a HTTP/1.1..Host:<br />
000020: 20 63 62 76 63 2e 63 64 6e 2e 6e 69 6e 74 65 6e cbvc.cdn.ninten<br />
000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a do.net....<br />
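<br />
The version comparison and the request described above, modelled as an added example (not code from the browser). The function names, the HTTP 200 requirement, the rejection of bodies without digits and the sample version numbers are assumptions; the request bytes are those of the dump above.<br />

```c
/* Added example: model of the browser-version-check exchange. Not the
 * browser's code; names, status handling and versions are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { BROWSER_OK, BROWSER_NEEDS_UPDATE, CHECK_FAILED };

#define RECV_SIZE 0x20 /* page: the recv-size seems to be fixed to 0x20 */

/* Raw request bytes copied from the dump (New3DS USA v10.2 browser). */
static const uint8_t dumped_request[58] = {
    0x47,0x45,0x54,0x20,0x2f,0x53,0x4e,0x41,0x4b,0x45,0x2f,0x32,0x2f,0x55,0x53,0x41,
    0x20,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,0x73,0x74,0x3a,
    0x20,0x63,0x62,0x76,0x63,0x2e,0x63,0x64,0x6e,0x2e,0x6e,0x69,0x6e,0x74,0x65,0x6e,
    0x64,0x6f,0x2e,0x6e,0x65,0x74,0x0d,0x0a,0x0d,0x0a
};

static int one_of(const char *s, const char *const *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(s, set[i]) == 0)
            return 1;
    return 0;
}

/* Build the request for platform "CTR" (Old3DS) or "SNAKE" (New3DS), the
 * URL generation digit, and one of the four region strings the page lists.
 * Returns the request length, or -1 on bad input or a short buffer. */
int build_check_request(char *out, size_t cap, const char *platform,
                        int generation, const char *region)
{
    static const char *const platforms[] = { "CTR", "SNAKE" };
    static const char *const regions[] = { "JPN", "USA", "EUR", "KOR" };
    if (!one_of(platform, platforms, 2) || !one_of(region, regions, 4))
        return -1;
    int n = snprintf(out, cap,
                     "GET /%s/%d/%s HTTP/1.1\r\nHost: cbvc.cdn.nintendo.net\r\n\r\n",
                     platform, generation, region);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Apply the comparison from the pseudocode above to a response body holding
 * a decimal version string. Only a strictly greater installed version is
 * "safe", so an equal version already asks for an update. */
enum verdict evaluate_response(uint32_t internal_ver, int http_status,
                               const uint8_t *body, size_t len)
{
    uint32_t server_ver = 0;
    size_t i = 0;

    if (http_status != 200) /* assumption: anything else is a failure */
        return CHECK_FAILED;
    if (len > RECV_SIZE)
        len = RECV_SIZE;
    for (; i < len && body[i] >= '0' && body[i] <= '9'; i++) {
        if (server_ver > (UINT32_MAX - 9) / 10)
            return CHECK_FAILED; /* value would not fit in 32 bits */
        server_ver = server_ver * 10 + (uint32_t)(body[i] - '0');
    }
    if (i == 0)
        return CHECK_FAILED; /* no digits at the start of the body */
    return internal_ver > server_ver ? BROWSER_OK : BROWSER_NEEDS_UPDATE;
}

int main(void)
{
    char req[128];
    int n = build_check_request(req, sizeof req, "SNAKE", 2, "USA");
    printf("request length %d, matches dump: %d\n", n,
           n == 58 && memcmp(req, dumped_request, 58) == 0);
    /* Constructed versions: equal values ask for an update, "0" never does. */
    printf("equal: %d, server 0: %d\n",
           evaluate_response(17610, 200, (const uint8_t *)"17610", 5),
           evaluate_response(17610, 200, (const uint8_t *)"0", 1));
    return 0;
}
```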
<br />
=== v10.7 ===<br />
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]].<br />
<br />
== Dummy web-browser ==<br />
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".<br />
<br />
Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).<br />
<br />
Gamecards v10.7 and v11.4(New3DS only) have updated the dummy web-browser, where the only difference is the title version.<br />
<br />
== Savedata ==<br />
=== New3DS ===<br />
On newer SKATER versions, it appears *all* NAND savedata is stored under the [[System_SaveData|0x000200BB]] savedata.<br />
<br />
==== 0x000200BB savedata ====<br />
This only contains "t.bin" with filesize 0xadf80, the format is below.<br />
<br />
The timestamp format used here is the number of milliseconds since January 1, 2000(local-time).<br />
<br />
Using the "Initialize savedata" option in the browser deletes this savedata file/image and then exits the browser. This file is then re-created when the browser gets started again.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x68<br />
| 0x4?<br />
| This counter is incremented each time the savedata is written.<br />
|-<br />
| 0x70<br />
| 0x8<br />
| Timestamp for when the savedata was last written.<br />
|-<br />
| 0x94<br />
| 0x15?<br />
| This is all-zeros on non-JPN systems. On JPN systems where the browser filter is disabled, this is a string in the following format: "4110-%016llX".<br />
|-<br />
| 0xD8<br />
| 0x8<br />
| s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.<br />
|}<br />
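<br />
A reader for the fields listed in the table above, as an added example that is not the browser's own code. It assumes the fields are stored little-endian; the function names and the sample values are constructed.<br />

```c
/* Added example: reader for the t.bin fields in the table above. Not the
 * browser's code; little-endian fields and the sample values are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TBIN_SIZE       0xadf80u
#define OFF_WRITE_COUNT 0x68 /* size listed as "0x4?" */
#define OFF_LAST_WRITE  0x70
#define OFF_FILTER_STR  0x94 /* size listed as "0x15?" */
#define OFF_UPDATE_TS   0xD8
#define FILTER_STR_LEN  0x15

struct tbin_info {
    uint32_t write_count;
    int64_t  last_write_ms; /* ms since 2000-01-01, local time */
    int64_t  update_ts_ms;  /* negative once an update was detected */
    int      update_detected;
    char     filter_id[FILTER_STR_LEN + 1];
};

static uint64_t get_le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

static void put_le(uint8_t *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++, v >>= 8)
        p[i] = (uint8_t)v;
}

int tbin_parse(const uint8_t *buf, size_t len, struct tbin_info *out)
{
    uint64_t raw;
    if (len != TBIN_SIZE)
        return -1;
    out->write_count = (uint32_t)get_le(buf + OFF_WRITE_COUNT, 4);
    raw = get_le(buf + OFF_LAST_WRITE, 8);
    memcpy(&out->last_write_ms, &raw, sizeof raw);
    raw = get_le(buf + OFF_UPDATE_TS, 8);
    memcpy(&out->update_ts_ms, &raw, sizeof raw); /* reinterpret as s64 */
    out->update_detected = out->update_ts_ms < 0;
    memcpy(out->filter_id, buf + OFF_FILTER_STR, FILTER_STR_LEN);
    out->filter_id[FILTER_STR_LEN] = '\0';
    return 0;
}

/* Format an absolute timestamp as "YYYY-MM-DD hh:mm:ss". Negative values are
 * relative, not dates, and return -1. */
int tbin_format_time(int64_t ms, char *dst, size_t cap)
{
    if (ms < 0)
        return -1;
    int64_t secs = ms / 1000;
    int rem = (int)(secs % 86400);
    /* days since 2000-01-01 -> since 1970-01-01 -> since 0000-03-01 */
    int64_t z = secs / 86400 + 10957 + 719468;
    int64_t era = z / 146097;
    unsigned doe = (unsigned)(z - era * 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    unsigned mp = (5 * doy + 2) / 153;
    unsigned day = doy - (153 * mp + 2) / 5 + 1;
    unsigned month = mp < 10 ? mp + 3 : mp - 9;
    long long year = (long long)yoe + era * 400 + (month <= 2);
    int n = snprintf(dst, cap, "%04lld-%02u-%02u %02d:%02d:%02d", year, month,
                     day, rem / 3600, rem / 60 % 60, rem % 60);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Constructed image: every byte zero except the three numeric fields. */
static uint8_t tbin_sample[TBIN_SIZE];

void tbin_build_sample(uint32_t count, int64_t last_write, int64_t update_ts)
{
    memset(tbin_sample, 0, sizeof tbin_sample);
    put_le(tbin_sample + OFF_WRITE_COUNT, count, 4);
    put_le(tbin_sample + OFF_LAST_WRITE, (uint64_t)last_write, 8);
    put_le(tbin_sample + OFF_UPDATE_TS, (uint64_t)update_ts, 8);
}

int main(void)
{
    struct tbin_info ti;
    char when[32];
    tbin_build_sample(7, 510258300000LL, -86400000LL);
    if (tbin_parse(tbin_sample, sizeof tbin_sample, &ti) != 0)
        return 1;
    tbin_format_time(ti.last_write_ms, when, sizeof when);
    printf("writes=%u last=%s update_detected=%d\n",
           (unsigned)ti.write_count, when, ti.update_detected);
    return 0;
}
```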
<br />
==APT Parameters==<br />
The URL to load can optionally be loaded from char[] string [[APT:SendParameter|paramblk+0]]. This is used when scanning URL QR-codes in Home Menu / etc.<br />
<br />
==Errors==<br />
"Failed to load part of this page": This can be caused by failing to load "/favicon.ico". For example, this can be caused by loading a plain HTTP page, with plain-http favicon redirecting to HTTPS. If cert-verify then fails with favicon in this case, this error would then trigger.<br />
<br />
==Other details==<br />
<br />
*It scored 90/100 on [http://acid3.acidtests.org/ Acid3] test<br />
*Images from the Internet can be saved to the [[SD Filesystem|SD Card]] and viewed using the [[Nintendo 3DS Camera]] application.<br />
*Images saved to an [[SD Filesystem|SD Card]] or to the Nintendo 3DS system memory can be uploaded to blogs or other sites that allow the uploading of photos using :<br />
<input type="file" /><br />
* HTML5Test.com says that drag and drop is supported, but it is not (the code in WebKit is ready, but it's not implemented in the browser's interface).<br />
<br />
==Tips==<br />
<br />
=== Detect User Agent ===<br />
<br />
To detect if the user agent is Nintendo 3DS Browser :<br />
<br />
<script type="text/javascript"><br />
if (navigator.userAgent.indexOf('Nintendo 3DS') == -1) { //If the UserAgent is not "Nintendo 3DS"<br />
location.replace('http://www.3dbrew.org'); //Redirect to another page<br />
}<br />
</script><br />
<br />
* You can check <em>navigator.platform=="Nintendo 3DS"</em> as well.<br />
<br />
=== Scrolling ===<br />
<br />
Scrolling can be altered by modifying <em>document.body.scrollTop</em> and <em>document.body.scrollLeft</em>. However, there are drawbacks related to working with these properties:<br />
<br />
* Both properties return 0 when accessed<br />
* Setting one property resets the other property's scroll position<br />
<br />
In order to set both at the same time (without either resetting to 0), use <em>window.scrollTo</em>.<br />
<br />
=== Events ===<br />
==== Key Events ====<br />
The following buttons trigger the <em>onkeydown</em>, <em>onkeypress</em> and <em>onkeyup</em> events:<br />
<br />
{|class="wikitable" width="20%"<br />
! Code !! Button <br />
|-<br />
| 13 || A<br />
|-<br />
| 37 || Left<br />
|-<br />
| 38 || Up<br />
|-<br />
| 39 || Right<br />
|-<br />
| 40 || Down<br />
|}<br />
<br />
The events cannot have their default action cancelled. Other buttons do not trigger key events.<br />
<br />
==== Touch/Mouse Events ====<br />
<em>onmousedown</em>, <em>onmouseup</em> & <em>onclick</em> are all triggered by the browser. However, the <em>onmousedown</em> event doesn't trigger until you lift the stylus or you've held it on the screen for ~2 seconds—which is when text selection mode is activated—making it pretty much the same as <em>onmouseup</em>. The events cannot have their default action cancelled.<br />
<br />
The <em>onmousemove</em> and common touch/gesture events are not supported.<br />
<br />
== Screen Resolution ==<br />
<br />
The top screen resolution is 400×240. However, the viewable area in the browser is only <b>400×220</b>.<br />
<br />
The touch screen resolution is 320×240. However, the viewable area in the browser is only <b>320×212</b>.<br />
<br />
You can have a page span both screens. However, the browser will behave as if the bottom screen is the only active screen and the top screen is scrolled off. This is important when computing CSS coordinates. Items positioned from "bottom" will be positioned based on 220px and not the full 432px of both screens.<br />
<br />
== Using Both Screens ==<br />
<br />
Generally the easiest way to accomplish the correct layout is to create HTML elements that "contain" the top and bottom screens. Here's an example:<br />
<br />
<!DOCTYPE html><br />
<html><br />
<head><br />
<meta name="viewport" content="width=400"><br />
<style><br />
body{margin:0px;}<br />
#topscreen{width:400px;height:220px;overflow:hidden;}<br />
#bottomscreen{width:320px;height:212px;overflow:hidden;margin:0 auto;}<br />
</style><br />
</head><br />
<body><br />
<div id="topscreen">Top Screen</div><br />
<div id="bottomscreen">Bottom Screen</div><br />
</body><br />
</html><br />
<br />
This scheme allows the page to be easily manipulated through JavaScript. In order to have the window snap to the correct position, use the following JavaScript code:<br />
<br />
window.setInterval(function () {<br />
window.scrollTo(40, 220); <br />
}, 50);<br />
<br />
This automatically resets the position if the user accidentally scrolls the page.<br />
<br />
==Example Sites==<br />
<!-- If you have a website that demonstrates these techniques, place it here! --><br />
* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks] - This is the first bookmark pre-installed in the browser.<br />
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)<br />
* [http://ditto3d.com/3ds Ditto3D (Dead Link)] (Short URL: http://bit.ly/oVreWA)</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Bootloader&diff=20574Bootloader2018-01-23T02:06:49Z<p>Pigeon: Fixed grammar</p>
<hr />
<div>The bootloader is the binary code stored in the ARM9 and ARM11 boot ROMs and hence is run when the 3DS is powered on. Its purpose is initializing hardware and loading the [[FIRM|system firmware]] from the internal [[Flash_Filesystem|NAND memory]].<br />
<br />
Besides NATIVE_FIRM, the bootloader is also capable of booting other firmwares (such as TWL_FIRM and AGB_FIRM). However, this will result either in a Japanese error screen or a system shutdown, directly after FIRM Launching.<br />
<br />
== Boot ROM ==<br />
Upon boot, parts of the ARM9 and ARM11 boot ROMs are protected by writing to [[CONFIG#CFG_SYSPROT9|CFG_SYSPROT9]] and [[CONFIG#CFG_SYSPROT11|CFG_SYSPROT11]], respectively. The ARM9 and ARM11 boot ROMs are identical for all 3DS consoles (3DS, 3DS XL, 2DS, New 3DS, New 3DS XL, New 2DS XL).<br />
<br />
== NAND FIRM boot ==<br />
Boot9 is not hardcoded to only handle 2 FIRM partitions: it parses all 8 NCSD partitions for this. Boot9 will attempt to use every partition listed in the NCSD which is an actual FIRM partition, in the same order listed in the NCSD, until booting one of them succeeds. Among the not-yet-processed partitions, the FIRM which has the highest value at u32 firmhdr+4 will have a FIRM-boot attempted first. Since that value is normally 0x0, the order of FIRM-partition processing is normally identical to the order of the NCSD partitions.<br />
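The selection rule above can be modelled as follows. This is an added example, not boot9's code: the struct, its fields and the function names are hypothetical, and the point at which each status byte is written is an assumption drawn from the BootROM Status Codes table on this page. With both FIRM signatures bad, the model yields the third line of the sample error screen (DEDEFFFF FFFFFFFF).

```c
#include <stdint.h>
#include <stdio.h>

#define NCSD_PARTS 8

/* Hypothetical per-partition summary for this model (not a boot9 structure). */
struct ncsd_part {
    uint8_t  fs_type;      /* 0x3 marks a FIRM partition */
    uint8_t  crypt_type;   /* 0x2 marks a FIRM partition */
    int      magic_ok;     /* firmhdr+0 holds the FIRM magicnum */
    uint32_t priority;     /* u32 at firmhdr+4, normally 0x0 */
    int      sig_ok;       /* header RSA signature verifies */
    int      sections_ok;  /* FIRM sections pass validation */
};

/* Model of the NAND FIRM selection rule. Returns the index of the partition
 * that booted, or -1 when every FIRM partition was rejected. status[] gets one
 * code per partition, using values from the page's status-code table. */
static int model_nand_firm_boot(const struct ncsd_part p[NCSD_PARTS],
                                uint8_t status[NCSD_PARTS])
{
    int processed[NCSD_PARTS];

    for (int i = 0; i < NCSD_PARTS; i++) {
        status[i] = 0xFF;  /* initial value: not a FIRM partition */
        processed[i] = (p[i].fs_type != 0x3 || p[i].crypt_type != 0x2);
    }

    for (;;) {
        int best = -1;
        /* One pass over the not-yet-processed partitions, in NCSD order. */
        for (int i = 0; i < NCSD_PARTS; i++) {
            if (processed[i])
                continue;
            if (!p[i].magic_ok) {
                status[i] = 0xF8;          /* FIRM magicnum invalid */
                processed[i] = 1;
            } else if (best >= 0 && p[best].priority >= p[i].priority) {
                status[i] = 0xF7;          /* earlier FIRM has >= priority */
            } else {
                best = i;                  /* first seen, or strictly higher priority */
            }
        }
        if (best < 0)
            return -1;

        /* Attempt to boot the chosen partition; on failure, rescan the rest. */
        processed[best] = 1;
        if (!p[best].sig_ok) {
            status[best] = 0xDE;           /* FIRM header validation / RSA failed */
        } else if (!p[best].sections_ok) {
            status[best] = 0xCF;           /* FIRM section validation failed */
        } else {
            status[best] = 0x00;           /* success */
            return best;
        }
    }
}

/* Pack four status bytes the way the error screen prints them with %08X. */
static uint32_t status_word(const uint8_t status[NCSD_PARTS], int first)
{
    return (uint32_t)status[first] | (uint32_t)status[first + 1] << 8 |
           (uint32_t)status[first + 2] << 16 | (uint32_t)status[first + 3] << 24;
}

int main(void)
{
    /* Constructed layout: partitions 2 and 3 are FIRM, both with bad signatures. */
    struct ncsd_part p[NCSD_PARTS] = {0};
    uint8_t status[NCSD_PARTS];

    p[2] = (struct ncsd_part){ 0x3, 0x2, 1, 0, 0, 1 };
    p[3] = (struct ncsd_part){ 0x3, 0x2, 1, 0, 0, 1 };

    int booted = model_nand_firm_boot(p, status);
    printf("booted=%d  %08X %08X\n", booted,
           (unsigned)status_word(status, 0), (unsigned)status_word(status, 4));
    return 0;
}
```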
<br />
Boot9 is hard-coded for using [[AES_Registers|AES]] keyslot 0x6 for NAND crypto.<br />
<br />
== Non-NAND FIRM boot ==<br />
Boot9 can also boot from non-NAND. For this, a different set of RSA pubks is used (separate pubks for retail/devunit, like NAND). The spiflash FIRM image for this is also encrypted with AES-CBC using a normal key stored in prot_boot9 (separate for retail/devunit). This encryption is basically used instead of what is used for NAND FIRM partitions. It is only used for the FIRM sections; the FIRM header is used raw. AES keyslot 0x3F is used for this, and the keyslot is only overwritten afterwards when booting from non-NAND fails.<br />
<br />
CTR_word[0] = firmimageoffset;//FIRM section offset from FIRM header<br />
CTR_word[1] = outbufaddr;//FIRM section load addr<br />
CTR_word[2] = readsize;//FIRM section size<br />
CTR_word[3] = readsize;//FIRM section size<br />
<br />
When booting from NAND fails, boot9 will then attempt to boot from Wifi SPI-flash (this only triggers when the wifi module hw is properly accessible/connected, which is normally the case). The base offset for spiflash FIRM is 0x400. Note that this region (all data prior to offset 0x1F300) is write-protected by the spiflash (not writable from 3DS-mode / DS-mode).<br />
<br />
Additionally, if the shell is closed and a special key combination (Start + Select + X) is held, boot9 will attempt to boot from an inserted NTR cartridge before booting from NAND. Note: While normally on O3DS/2DS the console will not turn on if the shell is closed (or this is faked by holding a magnet to the console), when this special key combination is held, holding down the power button will cause boot to occur anyway.<br />
<br />
For non-NAND booting, NCSD / FIRM-backup is not used.<br />
<br />
== SDMMC ==<br />
<br />
Boot9 has code implemented for using SD(HC) cards, but the input deviceids used by boot9 for those functions are hard-coded for NAND. However, it is possible to use an SD(HC) card in place of the NAND if the NAND chip is first disconnected, and an SD card connected to the bus. Due to the CID being different, partitions will need to be re-encrypted and TWL mode will not work, due to the MBR being in the NCSD header. Using sighax, it may be possible to replace the NCSD header.<br />
<br />
== Boot9 RSA keyslots ==<br />
<br />
The following are initialized during main() startup, by initialize_rsakeyslots_pubk(). Each of these, for the ones which are actually set, have different keydata for retail/devunit.<br />
* 0: Not set.<br />
* 1: Used for the NAND FIRM signature.<br />
* 2: Used for the non-NAND-FIRM signature.<br />
* 3: Used for the NAND-NCSD FIRM signature.<br />
<br />
When FIRM loading is successful, initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk() is called, right before calling the final function in main(). Besides ITCM writing, this overwrites all 4 RSA keyslots with modulus + private-exponents loaded from boot9 data.<br />
<br />
initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk():<br />
This initializes the 4 0x100-byte/0x200-byte chunks at 0x07ffb800+0x500(0x07ffbd00)/0x07ffb800+0x900(0x07ffc100). End address of the first section is 0x07ffc100(start addr of the second section), end address of the second section is 0x07ffc900. Hence, the first section total size is 0x400-bytes, while the second section total size is 0x800-bytes.<br />
<br />
These are initialized using the boot9 data image, with ptrs from DTCM. Separate keydata is used for retail/devunit.<br />
<br />
When initializing the first ITCM area: rsa_setkeyslot_privk() is called for all 4 RSA keyslots. The modulo for each one is also copied to (index*0x100) + 0x07ffb800 + 0x500. The private exponent is not copied into ITCM.<br />
<br />
The second ITCM area is initialized by copying 4 0x200-byte entries in a loop. These are RSA pubks+privks, which Boot9 doesn't use itself at all besides this copy loop.<br />
<br />
== Boot9 image data memory layout ==<br />
0xffffb088 is the beginning of the boot9 image data section.<br />
<br />
* 0xffffb088 size 0x38-bytes: This is the array used during FIRM-section-loading for the memory-range blacklist for FIRM sections.<br />
* 0xffffb0c0(end-addr of the above area) size 0x20-bytes: Unknown.<br />
* 0xffffb0e0(end-addr of the above area) size 0x2f80-bytes: This is *all* of the keys stored in the image.<br />
* 0xffffe060(end addr of the above key-area) size 0x230-bytes: This is the initial DTCM image @ 0xFFF00000, see below.<br />
* 0xffffe290(DTCM_image_end) - {boot9 image end}: All-zero.<br />
<br />
Layout of the 0x2f80-byte key-area at 0xffffb0e0:<br />
* 0xffffb0e0 size 0x2600-bytes: This is the RSA key-data, see below.<br />
* 0xffffd6e0(end-addr of the above area) size 0x40-bytes: This is the keydata used for crypting the entire OTP with keyslot 0x3f, used by main(). The first 0x20-bytes is for retail, the remaining 0x20-bytes starting at 0xffffd700 is for devunit. Chunk+0(retail=0xffffd6e0 devunit=0xffffd700) is the normalkey, chunk+0x10(retail=0xffffd6f0 devunit=0xffffd710) is the AES-IV.<br />
* ...<br />
* 0xffffd760: size 0x100-bytes: First 0x80-bytes is for retail, the remaining 0x80-bytes at 0xffffd7e0 is for devunit. This 0x80-byte block is copied to 0x07ffcd00 by a Boot9 function, however, that code actually does the copy in two 0x40-bytes chunks.<br />
* 0xffffd860(end-addr of the above area) size 0x400-bytes: This is the bootrom_dataptr passed to the aes-keyinit function for retail. See the below Tools section for how this is processed.<br />
* 0xffffdc60(end-addr of the above area) size 0x400-bytes: This is the devunit version of the above 0x400-byte chunk. This is the very last chunk of data in the boot9 data-section key-area: end addr for this area is 0xffffe060.<br />
<br />
Layout of the 0x2600-byte RSA key-data at 0xffffb0e0: <br />
First 0x1300-bytes is for retail, the remaining 0x1300-bytes starting at 0xffffc3e0 is for devunit.<br />
* +0x0 retail=0xffffb0e0 devunit=0xffffc3e0: RSA modulo for keyslot3, initialized by initialize_rsakeyslots_pubk().<br />
* +0x100 retail=0xffffb1e0 devunit=0xffffc4e0: RSA modulo for keyslot1, initialized by initialize_rsakeyslots_pubk().<br />
* +0x200 retail=0xffffb2e0 devunit=0xffffc5e0: RSA modulo for keyslot2, initialized by initialize_rsakeyslots_pubk().<br />
* +0x300 size 0x200, retail=0xffffb3e0 devunit=0xffffc6e0: First 0x100-bytes is the RSA modulo, then the following 0x100-bytes is the RSA privk(private-exponent). This is for RSA-engine keyslot0 with initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk(), which also copies this modulo to the array starting at 0x07ffbd00.<br />
* +0x500 size 0x200, retail=0xffffb5e0 devunit=0xffffc8e0: Used the same as the above block except for slot1.<br />
* +0x700 size 0x200, retail=0xffffb7e0 devunit=0xffffcae0: Used the same as the above block except for slot2.<br />
* +0x900 size 0x200, retail=0xffffb9e0 devunit=0xffffcce0: Used the same as the above block except for slot3.<br />
* +0xb00 size 0x200, retail=0xffffbbe0 devunit=0xffffcee0: First 0x100-bytes is the RSA modulo, then the following 0x100-bytes is the RSA privk(private-exponent). The 0x200-bytes here is copied to slot0 in the array at 0x07ffc100 by initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk().<br />
* +0xd00 size 0x200, retail=0xffffbde0 devunit=0xffffd0e0: Used the same as the above block except for slot1.<br />
* +0xf00 size 0x200, retail=0xffffbfe0 devunit=0xffffd2e0: Used the same as the above block except for slot2.<br />
* +0x1100 size 0x200, retail=0xffffc1e0 devunit=0xffffd4e0: Used the same as the above block except for slot3.<br />
<br />
== Boot9 DTCM layout ==<br />
Most of this is just ptrs / other unknown data, not actual keys. However, there is an unknown 0x10-byte block @ +0x124(there's a ptr initialized for this block elsewhere).<br />
<br />
== Boot11 image data memory layout ==<br />
* 0x0001817c..0x000181f4 size 0x78-bytes: This is the bootrom error screen font gfx data. This begins at the exact end-address of the crt0 code, the rest of the protected boot11 code begins at this end-address(0x000181f4). To extract the font gfx data from there, the 30 dwords at this address need to be converted to big endian. The correct resolution (when displayed as raw) is 32x30x1. The bootrom font looks very similar to [https://robey.lag.net/2010/01/23/tiny-monospace-font.html this font].<br />
* 0x00019400 is the beginning of the boot11 data area, the first 8-bytes here are unknown.<br />
* 0x00019408..0x0001b498 size 0x2090-bytes: This is the blowfish keydata which gets copied to arm9itcm_twlkeydata+0x3e0 later.<br />
* 0x0001c498..0x0001c4f8 size 0x60-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x380.<br />
* 0x0001c4f8..0x0001c538 size 0x40-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x340.<br />
* 0x0001c538..0x0001c578 size 0x40-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x300.<br />
* 0x0001c578..0x0001c5f8 size 0x80-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x280.<br />
* 0x0001c5f8..0x0001c678 size 0x80-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x0.<br />
* 0x0001c678..0x0001c878 size 0x200-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x80.<br />
* 0x0001c878..0x0001d078 size 0x800-bytes: These are the 3DS RSA-2048 modulus which are eventually copied to arm9_itcm+0x4900: on retail the first 4 are copied there by boot9, on devunit the last 4 are copied to itcm.<br />
* 0x0001d078 size 0x120-bytes is the initial data for the .data section @ 0x1ffe8000, this is the very end of the protected arm11-bootrom.<br />
<br />
== AES keys ==<br />
See the Tools section for how Boot9 initializes the keyslots.<br />
<br />
See also [[AES_Registers|here]].<br />
<br />
For an issue with console-unique key-init, see [[OTP_Registers|here]].<br />
<br />
== BootROM Errors ==<br />
Sample error-screen(where firm0+firm1 RSA signatures were corrupted):<br />
<br />
BOOTROM 8046<br />
ERRCODE: 00F800FF<br />
DEDEFFFF FFFFFFFF<br />
00000000 00000000<br />
<br />
* 1st line is: <code>print_string(..., "BOOTROM %X", 0x8046);//This last param comes from the .pool.</code><br />
* 2nd line is: <code>print_string(..., "ERRCODE: %08X", *((unsigned int*)(0x1FFFE000+0xC)));//See below memory notes.</code><br />
* 3rd line is: <code>print_string(..., "%08X %08X", *((unsigned int*)(0x1FFFE000+0x10)), *((unsigned int*)(0x1fffe000+0x14)));//See below memory notes.</code><br />
* 4th line is: <code>print_string(..., "%08X %08X", *((unsigned int*)(0x1FFFE000+0x18)), *((unsigned int*)(0x1fffe000+0x1C)));//See below memory notes.</code><br />
<br />
== 0x1FFFE000 memory ==<br />
This memory is used by boot9 mainly for sending info to the arm11 for the error-screen. The data in this region is still stored in memory by the time the ARM9+ARM11 jumps to FIRM.<br />
<br />
Among boot9/boot11, the 3 words at 0x1FFFE000 seem to be ''only'' accessed by the boot11 function initializing those words.<br />
<br />
* u32 0x1FFFE000+0: ARM11 MPCore "Cycle Counter Register (CCNT)".<br />
* u32 0x1FFFE000+4: ARM11 MPCore "Count Register 0 (PMN0)".<br />
* u32 0x1FFFE000+8: ARM11 MPCore "Count Register 1 (PMN1)".<br />
* 8bit-entry-array 0x1FFFE000+0xC: 8bit status-codes initialized by boot9 main(), for the FIRM-boot devices. +0 is NAND, +1 is NTRCARD and +2 is wifi-spiflash.<br />
* ...<br />
* 8bit-entry-array 0x1FFFE000+0x10: Status-codes originally from nand_findfirmpartition_loadfirm(), for each of the 8 NCSD partitions.<br />
<br />
== BootROM Status Codes ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0x00<br />
| Success<br />
|-<br />
| 0xEE(~17)<br />
| NCSD header validation function failed: NCSD magicnum is invalid or RSA verification failed.<br />
|-<br />
| 0xDE(~33)<br />
| FIRM header validation function failed: FIRM magicnum is invalid or RSA verification failed.<br />
|-<br />
| 0xDF(~32)<br />
| Failed to read sector data from the device.<br />
|-<br />
| 0xCF(~48)<br />
| FIRM section validation function failed: FIRM section is invalid.<br />
|-<br />
| 0xF7(~8)<br />
| A NAND FIRM from another partition was already found with a priority(firmhdr+4) >= to the value for the current partition's FIRM priority.<br />
|-<br />
| 0xF8(~7)<br />
| The FIRM magicnum(firmhdr+0) is invalid.<br />
|-<br />
| 0xFF(~0)<br />
| Initial value for each entry in the 8-entry array of status-codes for the NAND NCSD partitions. Indicates that the partition is not a FIRM partition(partition fs type isn't 0x3 or partition fs crypt-type isn't 0x2).<br />
|}<br />
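As an added example (not part of boot9 or of any tool this page links to), the decoder below splits the five words of an error screen into the per-device and per-partition status bytes described in the two sections above. The struct and function names are hypothetical; the input strings in main() are the sample screen and one table row from this page.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

enum { DEV_NAND = 0, DEV_NTRCARD = 1, DEV_SPIFLASH = 2 };

/* Decoded view of 0x1FFFE000+0xC..+0x1F, following this page's memory notes. */
struct bootrom_error {
    uint8_t  device[3];     /* +0xC NAND, +0xD NTRCARD, +0xE wifi-spiflash */
    uint8_t  partition[8];  /* +0x10..+0x17, one per NCSD partition */
    uint32_t extra[2];      /* +0x18, +0x1C: filled via LT_ffff5690(), meaning not documented */
};

/* Values from the BootROM Status Codes table. */
static const char *status_text(uint8_t code)
{
    switch (code) {
    case 0x00: return "success";
    case 0xEE: return "NCSD header validation failed (magicnum or RSA)";
    case 0xDE: return "FIRM header validation failed (magicnum or RSA)";
    case 0xDF: return "failed to read sector data from the device";
    case 0xCF: return "FIRM section validation failed";
    case 0xF7: return "FIRM with >= priority already found in another partition";
    case 0xF8: return "FIRM magicnum invalid";
    case 0xFF: return "initial value / not a FIRM partition";
    default:   return "not in the status-code table";
    }
}

/* Device-level codes that main() sets itself (~1, ~2), then the table values. */
static const char *device_status_text(int dev, uint8_t code)
{
    if (dev == DEV_NAND && code == 0xFD)
        return "~2: LT_ffff56c8() returned non-zero";
    if (dev == DEV_NAND && code == 0xFE)
        return "~1: LT_ffff5774(0x201) returned non-zero";
    if (dev == DEV_SPIFLASH && code == 0xFE)
        return "~1: spiflash status register bit0 set";
    if (code == 0xFF)
        return "no device-level meaning documented on this page";
    return status_text(code);
}

/* Parse "ERRCODE w1 w2 w3 w4" (five hex words, as listed in the Error Codes
 * table). Each word is a u32 printed with %08X, so the lowest-addressed byte
 * is the right-most hex pair. Returns 0 on success, -1 on malformed input. */
static int bootrom_error_parse(const char *text, struct bootrom_error *out)
{
    uint32_t w[5];

    if (sscanf(text, "%" SCNx32 " %" SCNx32 " %" SCNx32 " %" SCNx32 " %" SCNx32,
               &w[0], &w[1], &w[2], &w[3], &w[4]) != 5)
        return -1;

    /* Byte +0xF of the ERRCODE word is not described on the page and is skipped. */
    for (int i = 0; i < 3; i++)
        out->device[i] = (uint8_t)(w[0] >> (8 * i));
    for (int i = 0; i < 8; i++)
        out->partition[i] = (uint8_t)(w[1 + i / 4] >> (8 * (i % 4)));
    out->extra[0] = w[3];
    out->extra[1] = w[4];
    return 0;
}

static void bootrom_error_print(const struct bootrom_error *e)
{
    static const char *names[3] = { "NAND", "NTRCARD", "wifi-spiflash" };

    /* Assumption: a device that was never tried may still read 0x00. */
    for (int i = 0; i < 3; i++)
        printf("%-14s 0x%02X  %s\n", names[i], (unsigned)e->device[i],
               device_status_text(i, e->device[i]));
    for (int i = 0; i < 8; i++)
        printf("NCSD part %d    0x%02X  %s\n", i, (unsigned)e->partition[i],
               status_text(e->partition[i]));
    printf("+0x18 / +0x1C  %08" PRIX32 " %08" PRIX32 "\n", e->extra[0], e->extra[1]);
}

int main(void)
{
    struct bootrom_error e;

    /* Sample screen from this page: firm0 + firm1 RSA signatures corrupted. */
    if (bootrom_error_parse("00F800FF DEDEFFFF FFFFFFFF 00000000 00000000", &e) == 0)
        bootrom_error_print(&e);
    /* Row from the Error Codes table: "NAND not found error (?)". */
    if (bootrom_error_parse("00F800FE 00000000 00000000 00000400 00000000", &e) == 0)
        bootrom_error_print(&e);
    return 0;
}
```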
<br />
== Boot9 startup ==<br />
<br />
0xffff0000 jumps to 0xffff8000. 0xffff8000 is crt0:<br />
* Very first thing this does is clear u8 register 0x10000002 ([[CONFIG_Registers#CFG_RST11|CFG_RST11]]) bit 0 to zero.<br />
* Then sp is initialized for each cpumode, IRQs/FIQs are disabled during the first mode-switch.<br />
* Order of mode-switches + sp initialization: svc-mode = 0xfff04000, irq-mode = 0xfff03f00, system-mode = 0xfff03b00. Hence, the rest of the code following this runs in system-mode.<br />
* Then L_ffff80cc/mpu_init() is called.<br />
* Then L_ffff0038() is called, which initializes the exception-handler addresses @ 0x08000000.<br />
* Then L_ffff81b8() is called (r4 + lr are saved on the DTCM stack). After calling a memclear function which doesn't do anything, it clears 0x08000030 size 0x10. Here the DTCM at 0xfff00000 size 0x4000 is cleared.<br />
* Then L_ffff81b4() is called, which branches to DTCM_init(). This copies the initial DTCM data from the Boot9 data image into boot9, then it clears 0xFFF00230 - 0xFFF01AC0.<br />
* Then LT_ffff8228/main is jumped to, with LR set to the address of an infinite-branch-loop instruction.<br />
<br />
mpu_init():<br />
* Bitmask 0x000f9005 is cleared in the cp15 control register. MCR instructions which do the following are then executed: flush entire instruction cache, flush entire data cache, and drain write buffer.<br />
* Then the 8 [[Memory_layout|MPU]] memregions are initialized.<br />
* ITCM memregion reg = 0x24: baseaddr=0x0, size = 128MB(0x08000000).<br />
* DTCM memregion reg = 0xfff0000a: baseaddr=0xfff00000, size=16KB(0x00004000).<br />
* Then instruction cachable and data cachable/bufferable bits for the MPU regions are setup.<br />
* Then the instruction/data access permissions for the MPU regions are setup.<br />
* Lastly bitmask 0x0005707d is orred in the cp15 control register.<br />
<br />
== Boot9 main() ==<br />
<br />
The following functions are called: LT_ffff2024(), LT_ffff1ff8(), pxi_init(), rsa_init(), initialize_rsakeyslots_pubk(), crypto_initialize(), and aesengine_reset().<br />
Then AES keyslot 0x3F is setup: aesengine_setnormalkey(0x3f, 5, ptr) is called. ptr on retail(CFG_UNITINFO check) is 0xffffd6e0, 0xffffd700 for devunit. Then essentially, aesengine_setctr(5, ptr+0x10) is executed.<br />
Then AES keyslot 0x3f is selected.<br />
When calling the following functions, if any of them return zero, it will immediately jump to setting ptr to 0x10012000(otp), otherwise when all of them return non-zero ptr = sp+0x94. otp_decrypt(sp+4), otp_verify(sp+4), initialize_consoleunique_itcm(sp+4, 0x07ffb800).<br />
Then the following is executed: initialize_aeskeys_wrap(ptr, 0x70);<br />
Then sp+4 size 0x100 is cleared to zero.<br />
<br />
...<br />
<br />
NAND firm-boot code-block is described below. Note that boot9 is basically hard-coded to use deviceid NAND, not SD.<br />
{<br />
timer_updatestoredstate() is called, then the AES keyslot for NAND-FIRM is selected(0x6).<br />
Then LT_ffff56c8() is called, if that returns non-zero the statuscode variable is set to ~2 then it jumps to NAND_BOOTEND.<br />
Then LT_ffff5774(0x201) is called, if that returns non-zero the statuscode variable is set to ~1 then it jumps to NAND_BOOTEND.<br />
Then fsdriver_setup_mmc() is called. Then nand_findfirmpartition_loadfirm(0) is called, with the statuscode variable set to the retval.<br />
Executes a loop which runs 8 times: write the output from get_errorcode_arrayentry_xfff005e8(loopindex) to u8 0x1fffe000+0x10+loopindex(copy the array of 32bit error-codes for all 8 NCSD partitions initialized by nand_findfirmpartition_loadfirm() to the array of 8bit entries at 0x1fffe000+0x10).<br />
<br />
NAND_BOOTEND:<br />
Then the statuscode variable is written to u8 0x1fffe000+0xc.<br />
Then LT_ffff5690(0x201, 0x1fffe018, 0x1fffe01c) is called.<br />
Then LT_ffff5644() is called.<br />
Then timer_updatestoredstate() is called.<br />
When statuscode==0 for success, it jumps to FIRMLOAD_END. Otherwise, it continues to the next code-block.<br />
}<br />
<br />
Wifi spi-flash firm-boot code-block, executed when no FIRM was loaded successfully so far.<br />
{<br />
timer_updatestoredstate() is called.<br />
<br />
Then spi_wififlash_cmdgetstatusreg(sp+0x100) is executed. When bit0 of the output u8 at sp+0x100 is clear, it will continue this code-block, otherwise it will set the statuscode variable to ~1 then jump to SPIFLASH_BOOTEND.<br />
Then fsdriver_setup_wififlash() is called.<br />
Here read_firmhdr_validate_loadfirm(0, 2) is called, with the statuscode variable set to the retval.<br />
<br />
SPIFLASH_BOOTEND:<br />
Then the statuscode variable is written to u8 0x1fffe000+0xe.<br />
Then timer_updatestoredstate() is called.<br />
When statuscode==0 for success, it jumps to FIRMLOAD_END. Otherwise, it executes writenormalkey_keyslot3f(), then jumps to FIRMLOAD_FAILURE.<br />
}<br />
<br />
FIRMLOAD_END:<br />
Here it calls firmhdr_getarm11_entrypoint() and firmhdr_getarm9_entrypoint(). Immediately after calling each function it checks if the retval is 0, if so it then jumps to FIRMLOAD_FAILURE.<br />
After calling initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk(), it jumps to FIRMLOAD_EXIT.<br />
<br />
FIRMLOAD_FAILURE:<br />
Here it clears 0x07ffb800 size 0x3c70 to zero, endaddr = 0x07fff470.<br />
Then it continues to FIRMLOAD_EXIT.<br />
<br />
FIRMLOAD_EXIT:<br />
Here firmboot() is called, which should never return. The instruction after this bl is a call for panic().<br />
<br />
== Boot11 ==<br />
<br />
* ...<br />
<br />
main():<br />
LT_1263c();<br />
...<br />
LT_13944()<br />
...<br />
pxi_init();<br />
initializefuncptr_firmboot_start(firmbootbegin_funcptr);<br />
firmboot();<br />
return;<br />
<br />
LT_12220/initializefuncptr_firmboot_start<br />
inr0=funcptr<br />
This writes inr0 to address 0x1ffe8028, then returns.<br />
This initializes the funcptr which firmboot() can call after the very first func-call.<br />
<br />
LT_13944<br />
if([[I2C_Registers|i2cmcu_readregf]](sp+0)==0)<br />
{<br />
return (*((u8*)0x10147000) >> 4) & 1;//Reads [[GPIO_Registers|GPIO]] when reading I2C fails.<br />
}<br />
Here it basically does "return <byte loaded from sp+0> ^ 0x2". Hence in this case, it will return 0x2 when the system shell is closed(sleep-mode), otherwise 0x0 is returned.<br />
<br />
LT_12454/firmboot<br />
This is the arm11 version of the boot9 firmboot() function; like boot9, this is the final function called from main(). The functionality of these two functions is identical, minus addresses.<br />
ptr = firmboot_loadentrypoint11();<br />
funcptr = *(0x1ffe8028);<br />
if(funcptr)funcptr(ptr);<br />
LT_11ffc(ptr);<br />
return;<br />
<br />
== Boot Procedure ==<br />
<br />
* 0 seconds - unit is powered on. The ARM9 and ARM11 [[Memory_layout|bootroms]] begin execution.<br />
* <= ~1 second - BootROMs fully run, load FIRM, etc. The loaded FIRM begins running.<br />
**The ARM11 sysmodules included with FIRM are launched by ARM11-kernel, etc.<br />
**The [[Process_Manager_Services|PM]] module launches [[NS]].<br />
**If [[Home_Menu#Auto-Boot_Function|auto-booting]] is needed, NS will [[NS#Auto-boot|auto-boot]] titles.<br />
**Otherwise, NS will instead launch [[ErrDisp]] and the [[Configuration Memory#ACTIVEMENUTID|current active menu]] via the PM module. For retail units, this menu is usually the [[Home Menu]]. Note that the PM module first launches the module dependencies when launching a process, prior to actually launching the process.<br />
**The further Home Menu startup process is described [[Home_Menu#Home_Menu_startup|here]]. This includes Home Menu manually launching various sysmodules.<br />
<br />
* 4 seconds - the LCD screens are initialized.<br />
<br />
* 7 seconds - [[Home Menu]] is fully initialized/loaded.<br />
<br />
== NAND Reads during Boot ==<br />
During a successful boot on 6.x, the bootloader (and firm) reads the following sectors from NAND (in this order):<br />
00000000 (NCSD Partition Table)<br />
<br />
Only verify 'FIRM' magic? (A second Header-read will be attempted even if everything except the magic is 0xFF...)<br />
0B130000 (FIRM Partition)<br />
0B530000 (Secondary FIRM Partition)<br />
<br />
Verify RSA signature and parse Header:<br />
0B130000 (FIRM: Header)<br />
0B130200 (FIRM: Section 1)<br />
0B163E00 (FIRM: Section 2)<br />
0B193E00 (FIRM: Section 3)<br />
<br />
00013000 .. Below is probably NATIVE_FIRM booting ..<br />
00014000<br />
00015000<br />
00016000<br />
00017000<br />
<br />
09011A00<br />
09011C00<br />
09012000<br />
09012400<br />
...<br />
<br />
== Error Codes ==<br />
When the 3DS does not find the NAND chip, the following error is displayed:<br />
<br />
[[Image:CTR_Bootrom_Error.jpg|240px]]<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Error<br />
! Description<br />
|-<br />
| <tt>00F800FE 00000000 00000000 00000200 00000000</tt><br />
| Error when having SD-card reader connected to NAND during boot.<br />
|-<br />
| <tt>00F800FE 00000000 00000000 00000400 00000000</tt><br />
| NAND not found error (?)<br />
|-<br />
| <tt>00F800FE FFFFFFFF FFFFFFFF 00000080 00800000</tt><br />
| NAND error when DAT1 was used as DAT0.<br />
|-<br />
| <tt>00F800FE FFFFFFFF FFFFFFFF 00000005 00800000</tt><br />
| NAND error when DAT2 was used as DAT0.<br />
|-<br />
| <tt>00F800FE FFFFFFFF FFFFFFFF 00000005 00000000</tt><br />
| NAND error when DAT3 was used as DAT0.<br />
|-<br />
| <tt>00F800FF F8F8FFFF FFFFFFFF 00000000 00000000</tt><br />
| Both the firm0 and firm1 partitions are corrupt (failed signature checks).<br />
|-<br />
| <tt>00F800EE FFFFFFFF FFFFFFFF 00000000 00000000</tt><br />
| [[NCSD]] header in sector 0 is corrupt (failed signature check).<br />
|}<br />
<br />
== Tools ==<br />
* [https://github.com/yellows8/boot9_tools boot9_tools]</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Homebrew_Launcher&diff=20573Homebrew Launcher2018-01-23T02:02:45Z<p>Pigeon: Updated link</p>
<hr />
<div>The Homebrew Launcher is an open-source launcher for 3DS homebrew.<br />
<br />
The source code is available on [https://github.com/fincs/new-hbmenu Github].</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=ACU:GetConnectingSsidLength&diff=20572ACU:GetConnectingSsidLength2018-01-23T01:57:10Z<p>Pigeon: </p>
<hr />
<div>=Request=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code [0x00350000]<br />
|}<br />
<br />
=Response=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code<br />
|-<br />
| 1<br />
| Result code<br />
|-<br />
| 2<br />
| Length <br />
|}<br />
<br />
=Description=<br />
Gets the length of the SSID of the WiFi the 3DS is currently connected to.</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Games&diff=20448Games2017-11-05T01:39:23Z<p>Pigeon: Tomodachi Life</p>
<hr />
<div>This page lists off many 3DS games and info about them, as well as info about the product code and serial format. If the list is missing a game, and you have info about it, feel free to add it to the list.<br />
<br />
Some of these games also have a savegame dumped, which can be downloaded under the Savegame column of the table. Info about the savegames' filesystem can be found on the [[Savegames]] page.<br />
<br />
See [[Titles_With_Code_Symbols|here]] for games/titles containing ExeFS codebin symbols.<br />
<br />
== Game list ==<br />
Note the [DEMO] in the title name denotes that the game is a demo. Also, when adding games, please keep them in alphabetical order, keeping demos at the start of the list. The [DEV] in the title name denotes that the title is a developer-encrypted application, and may not follow retail serial/product code conventions. The 'X' at the end of the serials and product codes below takes the place of the region identifier, so that there is not more than one entry per game.<br />
<br />
<br />
Remember: if you have any of these games, dump your savegame (preferably after you save for the first time), upload it somewhere and edit the page with the link.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! width="35%" | Title<br />
! width="12%" | [[Serials|Serial]]<br />
! width="12%" | [[Serials#Product Code|Product Code]]<br />
! width="5%" | EUR (P)<br />
! width="5%" | USA (E)<br />
! width="5%" | JPN (J)<br />
! width="5%" | ROM Size<br />
! width="5%" | FLASH Size<br />
! width="5%" | FLASH ID<br />
! width="5%" | FLASH Chip #<br />
! width="6%" | Savegame<br />
|-<br />
| [DEMO][DEV] Mario Kart 7 (E3)<br />
| ?<br />
| CTR-P-AMKU<br />
| No<br />
| No<br />
| No<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [DEMO][DEV] Super Mario 3D Land (E3)<br />
| ?<br />
| CTR-P-CTAP<br />
| No<br />
| No<br />
| No<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [DEMO] Nintendogs + Cats<br />
| LNZ-CTR-ADAX<br />
| CTR-P-ADAX<br />
| Yes<br />
| ?<br />
| ?<br />
| ?<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| [DEMO] Pokémon Omega Ruby And Alpha Sapphire Special Demo<br />
| ?<br />
| CTR-N-NAHA<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2GBit<br />
| 1MByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [DEMO] Steel Diver <br />
| LNZ-CTR-ASDX<br />
| CTR-P-ASDX<br />
| Yes<br />
| No<br />
| No<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [DEMO] Super Mario 3D Land <br />
| LNZ-CTR-AREX<br />
| CTR-P-AREX <br />
| Yes<br />
| No<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [DEMO] Super Smash Bros.<br />
| LNA-CTR-NXCX<br />
| CTR-P-NXCX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2GBit<br />
| 512kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [DEMO] Super Smash Bros. Special Demo Version<br />
| LNA-CTR-NXCX<br />
| CTR-P-NXCX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2Gbit<br />
| 512kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [DEMO] The Legend Of Zelda: Ocarina Of Time 3D<br />
| LNZ-CTR-AQEX<br />
| CTR-P-AQEX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Animal Crossing: New Leaf<br />
| LNA-CTR-EGDX<br />
| CTR-P-EGDX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 8GBit<br />
| 10MByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Asphalt 3D<br />
| LNA-CTR-ASFX<br />
| CTR-P-ASFX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 4GBit<br />
| 128kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Cubic Ninja<br />
| LNA-CTR-AQNX<br />
| CTR-P-AQNX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 1GBit<br />
| 128kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Dead Or Alive - Dimensions<br />
| LNA-CTR-ADDX<br />
| CTR-P-ADDX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 16GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Lego Star Wars III: The Clone Wars<br />
| LNA-CTR-ALGX<br />
| CTR-P-ALGX<br />
| Yes<br />
| Yes<br />
| No<br />
| 4GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Mario And Luigi: Dream Team Bros.<br />
| LNA-CTR-AYMX<br />
| CTR-P-AYMX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 8GBit<br />
| 512kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Mario Kart 7<br />
| LNA-CTR-AMKX<br />
| CTR-P-AMKX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 8GBit<br />
| 512kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Nintendogs + Cats: French Bulldog And New Friends<br />
| LNA-CTR-ADBX<br />
| CTR-P-ADBX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 4GBit<br />
| 512kByte<br />
| 0xC22213<br />
| 25L4001<br />
| ?<br />
|-<br />
| One Piece: Unlimited Cruise SP<br />
| LNA-CTR-ALFX<br />
| CTR-P-ALFX<br />
| No<br />
| No<br />
| Yes<br />
| 4GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Pilotwings Resort<br />
| LNA-CTR-AWAX<br />
| CTR-P-AWAX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 1GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Pokémon Mystery Dungeon: Gates To Infinity<br />
| LNA-CTR-APDX<br />
| CTR-P-APDX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 8GBit<br />
| 512kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Pokémon Y<br />
| LNA-CTR-EK2X<br />
| CTR-P-EK2A<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2GBit<br />
| 1MByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Puzzle Bobble Universe<br />
| LNA-CTR-ABBX<br />
| CTR-P-ABBX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 4GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| [[Raving Rabbids: Travel In Time 3D]]<br />
| LNA-CTR-ARBX<br />
| CTR-P-ARBX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| [http://dl.dropbox.com/u/7830918/3DS%20Upload/decrypted.bin de]/[http://dl.dropbox.com/u/7830918/3DS%20Upload/encrypted.bin en]<br />
|-<br />
| Ridge Racer 3D<br />
| LNA-CTR-ARRX<br />
| CTR-P-ARRX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 8GBit<br />
| 512kByte<br />
| 0xC22213<br />
| 25L4001<br />
| ?<br />
|-<br />
| Samurai Warriors - Chronicles<br />
| LNA-CTR-A66X<br />
| CTR-P-A66X<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 16GBit<br />
| 512kByte<br />
| 0xC22213<br />
| 25L4001<br />
| ?<br />
|-<br />
| Sonic: Lost World<br />
| LNA-CTR-ARVX<br />
| CTR-P-ARVX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 16GBit<br />
| 128kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Splinter Cell 3D<br />
| LNA-CTR-ASCX<br />
| CTR-P-ASCX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 16GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Steel Diver<br />
| LNA-CTR-ASDX<br />
| CTR-P-ASDX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2GBit<br />
| 512kByte<br />
| 0xC22213<br />
| 25L4001<br />
| [http://dl.dropbox.com/u/32759832/3DS_saves/Steel_Diver/decrypted.sav de]/[http://dl.dropbox.com/u/32759832/3DS_saves/Steel_Diver/encrypted.sav en]<br />
|-<br />
| Super Mario 3D Land<br />
| LNA-CTR-AREX<br />
| CTR-P-AREX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 4GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Super Monkey Ball 3D PAL<br />
| LNA-CTR-ASMX<br />
| CTR-P-ASMX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Super Smash Bros.<br />
| LNA-CTR-NXCX<br />
| CTR-P-NXCX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 16GBit<br />
| 512kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| Super Street Fighter IV - 3D Edition<br />
| LNA-CTR-ASSX<br />
| CTR-P-ASSX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 16GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| The Legend Of Zelda: A Link Between Worlds<br />
| LNA-CTR-BZLX<br />
| CTR-P-BZLX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 8GBit<br />
| 128kByte<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| [[The Legend Of Zelda: Ocarina Of Time 3D]]<br />
| LNA-CTR-AQEX<br />
| CTR-P-AQEX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 4GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| [http://dl.dropbox.com/u/32759832/3DS_saves/Zelda_OoT/decrypted.sav de]/[http://dl.dropbox.com/u/32759832/3DS_saves/Zelda_OoT/encrypted.sav en]<br />
|-<br />
| The Sims 3<br />
| LNA-CTR-AS3X<br />
| CTR-P-AS3X<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 4GBit<br />
| 512kByte<br />
| 0xC22213<br />
| 25L4001<br />
| ?<br />
|-<br />
| Tom Clancy's Ghost Recon: Shadow Wars<br />
| LNA-CTR-AGRX<br />
| CTR-P-ARGX<br />
| Yes<br />
| Yes<br />
| Yes<br />
| 2GBit<br />
| 128kByte<br />
| 0xC22211<br />
| 25L1001<br />
| ?<br />
|-<br />
| Tomodachi Life<br />
| LNA-CTR-EC6X<br />
| CTR-P-EC6X<br />
| Yes<br />
| Yes<br />
| Yes<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
|}<br />
<br />
Elisherer's Savefile collection: [http://sherer.co.il/saves http://sherer.co.il/saves]<br />
<br />
== SD Savegames ==<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! Title<br />
! Savegame<br />
|-<br />
| Crashmo<br />
| [https://dl.dropbox.com/u/20520664/crashmo_usa.sav cleartext]<br />
|}</div>
Pigeon
https://www.3dbrew.org/w/index.php?title=11.6.0-39&diff=20404
11.6.0-39
2017-10-15T16:42:33Z
<p>Pigeon: Chinese changelog</p>
<hr />
<div>The Old3DS+New3DS 11.6.0-39 system update was released on September 18, 2017. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN.<br />
<br />
Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.<br />
<br />
==Change-log==<br />
[http://en-americas-support.nintendo.com/app/answers/detail/a_id/667/p/430/c/267 Official] USA change-log:<br />
* Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience<br />
<br />
[http://www.ique.com/3ds/support/update/3dsxlupdate.html Official] China change-log:<br />
* 改善了运行性能和安全保护<br />
** 为了能让用户更舒适地使用我公司的产品,改善了系统的运行性能和安全保护。<br />
<br />
==System Titles==<br />
<fill this in (manually) later><br />
<br />
=== NS ===<br />
For .(ro)data, all 3 regions of "Flipnote Studio 3D" were added to the [[APT:IsTitleAllowed]] list, or at least next to it.<br />
<br />
EUR Flipnote v1056 (1.2.0) is blacklisted from launching.<br />
<br />
=== Friends ===<br />
fpdver version string bumped to 0xB<br />
<br />
=== Mint applet (in-app purchases) ===<br />
<!-- was also updated in WiiU 5.5.2 for unclear reasons --><br />
<br />
=== Error string CFA ===<br />
Only for JPN, USA, EUR, KOR<br />
<br />
romfs:\180000.bin<br />
<br />
romfs:\{RGN_Language}\180000_msbt_LZ.bin<br />
<br />
Added errors 018-0311, 018-0312, 018-0701, 018-0702 about the use of an [[Title_list/Patches|outdated application]] on your console (018-0??1) or other players' (018-0??2)<br />
<br />
==See Also==<br />
System update report(s):<br />
* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-18-17_08-00-39&sys=ctr]<br />
* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-18-17_08-00-44&sys=ktr]</div>
Pigeon
https://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=20346
Homebrew Exploits
2017-09-24T06:33:42Z
<p>Pigeon: More updates. Credit: https://gbatemp.net/threads/update-11-6-and-homebrew.484454/</p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''<br />
| From '''9.0.0-7''' up to and including '''11.3.0-36''', '''11.4.0-37'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.6.X'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.6.X'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.4.0-37'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see below'''<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/nedwill/soundhax soundhax]<br />
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.<br />
| A USA, EUR, JPN or KOR system.<br />
| nedwill<br />
| [http://soundhax.com Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.<br />
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app versions from sending or receiving messages.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|-<br />
| style="background: darkorange" | Only if installed before August 28, 2017<br />
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]<br />
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.<br />
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/rpwng/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.6.0-X''', for '''X''' up to and including 39.<br />
| A copy of Steel Diver: Sub Wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.6.0-X''', for '''X''' up to and including 39.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't co-exist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.3.0-X''', '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.2.0-X''', for '''X''' up to and including 35.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/painthax painthax]<br />
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.<br />
| An eShop-install of Pixel Paint.<br />
| MrNbaYoh<br />
| [https://github.com/MrNbaYoh/painthax/releases/latest install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]<br />
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/ctpkpwn/releases Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| style="background: salmon" | No, still usable pre-v11.4.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>
Pigeon
https://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=20341
Homebrew Exploits
2017-09-23T20:05:23Z
<p>Pigeon: Apparently Painthax does work on 11.6. Sorry for the mistake.</p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''<br />
| From '''9.0.0-7''' up to and including '''11.3.0-36''', '''11.4.0-37'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.6.X'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.6.X'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.4.0-37'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see below'''<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/nedwill/soundhax soundhax]<br />
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.<br />
| A USA, EUR, JPN or KOR system.<br />
| nedwill<br />
| [http://soundhax.com Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.<br />
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app versions from sending or receiving messages.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|-<br />
| style="background: darkorange" | Only if installed before August 28, 2017<br />
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]<br />
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.<br />
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/rpwng/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A copy of Steel Diver: Sub Wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't coexist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.3.0-X''', '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.2.0-X''', for '''X''' up to and including 35.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/painthax painthax]<br />
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.<br />
| An eShop-install of Pixel Paint.<br />
| MrNbaYoh<br />
| [https://github.com/MrNbaYoh/painthax/releases/latest install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]<br />
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/ctpkpwn/releases Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| style="background: salmon" | No, still usable pre-v11.4.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=20339Homebrew Exploits2017-09-22T23:22:34Z<p>Pigeon: Updates</p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''<br />
| From '''9.0.0-7''' up to and including '''11.3.0-36''', '''11.4.0-37'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.6.X'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.6.X'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.4.0-37'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see below'''<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/nedwill/soundhax soundhax]<br />
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.<br />
| A USA, EUR, JPN or KOR system.<br />
| nedwill<br />
| [http://soundhax.com Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.<br />
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app versions from sending or receiving messages.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|-<br />
| style="background: darkorange" | Only if installed before August 28, 2017<br />
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]<br />
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.<br />
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/rpwng/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A copy of Steel Diver: Sub Wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit couldn't coexist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.3.0-X''', '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.2.0-X''', for '''X''' up to and including 35.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/painthax painthax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| An eShop-install of Pixel Paint.<br />
| MrNbaYoh<br />
| [https://github.com/MrNbaYoh/painthax/releases/latest install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]<br />
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/ctpkpwn/releases Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| style="background: salmon" | No, still usable pre-v11.4.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=20326Homebrew Exploits2017-09-19T22:38:37Z<p>Pigeon: </p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''<br />
| From '''9.0.0-7''' up to and including '''11.3.0-36''', '''11.4.0-37'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.5.X'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.5.X'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.4.0-37'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see below'''<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/nedwill/soundhax soundhax]<br />
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.<br />
| A USA, EUR, JPN or KOR system.<br />
| nedwill<br />
| [http://soundhax.com Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app versions from sending or receiving messages.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|-<br />
| style="background: darkorange" | Only if installed before August 28, 2017<br />
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]<br />
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.<br />
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/rpwng/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A copy of Steel Diver: Sub Wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit couldn't coexist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.3.0-X''', '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.2.0-X''', for '''X''' up to and including 35.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/painthax painthax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| An eShop-install of Pixel Paint.<br />
| MrNbaYoh<br />
| [https://github.com/MrNbaYoh/painthax/releases/latest install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]<br />
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/ctpkpwn/releases Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| style="background: salmon" | No, still usable pre-v11.4.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=User:Pigeon&diff=20283User:Pigeon2017-09-04T00:05:36Z<p>Pigeon: Replaced content with "hi"</p>
<hr />
<div>hi</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=User:Pigeon&diff=20282User:Pigeon2017-09-04T00:04:01Z<p>Pigeon: Created page with "hi File:https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQNiQoyAy1qX1u4TBnxQq-nol6EEsRvLjeBVJ9odkmb_0KAc2eMMw"</p>
<hr />
<div>hi<br />
<br />
[[File:https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQNiQoyAy1qX1u4TBnxQq-nol6EEsRvLjeBVJ9odkmb_0KAc2eMMw]]</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=FRDU:GetMyFavoriteGame&diff=20276FRDU:GetMyFavoriteGame2017-09-03T04:41:24Z<p>Pigeon: Added description</p>
<hr />
<div>=Request=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code [0x000D0000]<br />
|}<br />
<br />
=Response=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code<br />
|-<br />
| 1<br />
| Result code<br />
|-<br />
| 2<br />
| u64 Title ID<br />
|}<br />
<br />
=Description=<br />
Obtains the favorite game set by the console.</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=20265Homebrew Exploits2017-09-01T05:57:44Z<p>Pigeon: Added a space between "Pixel" and "Paint".</p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''<br />
| From '''9.0.0-7''' up to and including '''11.3.0-36''', '''11.4.0-37'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.5.X'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.5.X'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.4.0-37'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see below'''<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/nedwill/soundhax soundhax]<br />
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.<br />
| A USA, EUR, JPN or KOR system.<br />
| nedwill<br />
| [http://soundhax.com Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app versions from sending or receiving messages.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|-<br />
| style="background: darkorange" | Only if installed before August 28, 2017<br />
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]<br />
| From '''9.0.0-X'''(?) up to and including '''11.5.0-X'''.<br />
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/rpwng/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A copy of Steel Diver: Sub Wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't coexist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.3.0-X''', '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.2.0-X''', for '''X''' up to and including 35.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/painthax painthax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| An eShop-install of Pixel Paint.<br />
| MrNbaYoh<br />
| [https://github.com/MrNbaYoh/painthax/releases/latest install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]<br />
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/ctpkpwn/releases Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| style="background: salmon" | No, still usable pre-v11.4.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Pigeonhttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=20264Homebrew Exploits2017-09-01T05:47:21Z<p>Pigeon: Changed status for Painthax</p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''<br />
| From '''9.0.0-7''' up to and including '''11.3.0-36''', '''11.4.0-37'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.5.X'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.5.X'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.4.0-37'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see below'''<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/nedwill/soundhax soundhax]<br />
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.<br />
| A USA, EUR, JPN or KOR system.<br />
| nedwill<br />
| [http://soundhax.com Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app versions from sending or receiving messages.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|-<br />
| style="background: darkorange" | Only if installed before August 28, 2017<br />
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]<br />
| From '''9.0.0-X'''(?) up to and including '''11.5.0-X'''.<br />
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/rpwng/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A copy of Steel Diver: Sub Wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.3.0-X''', for '''X''' up to and including 36.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't coexist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.3.0-X''', '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.2.0-X''', for '''X''' up to and including 35.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/svanheulen/genhax genhax]<br />
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.<br />
| svanheulen<br />
| [https://github.com/svanheulen/genhax_installer Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/painthax painthax]<br />
| From '''9.0.0-X''' up to and including '''11.4.0-X'''.<br />
| An eShop-install of PixelPaint.<br />
| MrNbaYoh<br />
| [https://github.com/MrNbaYoh/painthax/releases/latest install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]<br />
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.<br />
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/ctpkpwn/releases Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]<br />
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.<br />
| An eShop-install of Swapdoodle.<br />
| MrNbaYoh<br />
| [https://mrnbayoh.github.io/doodlebomb/ Install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable: an update was released which fixes the vuln used by tubehax, and the app update is forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used to boot the *hax payloads when running under a modded FIRM which allows running unsigned titles.<br />
<br />
[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module. Among its features, Rosalina allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader at load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes. The *hax 2.x payload is incompatible with Rosalina, and so are homebrew applications that require its target title system.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| style="background: salmon" | No, still usable pre-v11.4.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Pigeon