From b4b93f457e8bd74788603d1e17862560e0f2ec7d Mon Sep 17 00:00:00 2001 From: Alexander Hartmann Date: Wed, 9 Mar 2016 11:16:57 +0100 Subject: [PATCH] Updated Readme --- README.md | 52 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 435c1fb..68fbd8b 100644 --- a/README.md +++ b/README.md 
@@ -1,26 +1,68 @@ -# arm9loaderhax for 3DS +# BootCTR9 - arm9loaderhax with bootloader for 3DS ## What this is -This is my personal implementation of the arm9loaderhax exploit, documented [here](http://3dbrew.org/wiki/3DS_System_Flaws) and also presented [in this conference](https://media.ccc.de/v/32c3-7240-console_hacking), which provides ARM9 code execution directly at the console boot, exploiting a vulnerability present in 9.6+ version of New3DS arm9loader. +This is my port of BootCTR9 to arm9loaderhax. There are two way to start it, the modded version of arm9loaderhax, or the bootloader loader arm9loaderhax.bin. +The arm9loaderhaxmod is based on **delibles** implementation of the arm9loaderhax exploit, documented [here](http://3dbrew.org/wiki/3DS_System_Flaws) and also presented [in this conference](https://media.ccc.de/v/32c3-7240-console_hacking), which provides ARM9 code execution directly at the console boot, exploiting a vulnerability present in 9.6+ version of New3DS arm9loader. + It works on both New and OLD 3DS. -This exploit was found by **plutoo** and **yellows8**, i do not own the idea. +The arm9loaderhax exploit was found by **plutoo** and **yellows8**, i do not own the idea. +The original [BootCTR](https://github.com/m45t3r/BootCtr) was developed by **m45t3r** ## Usage -It loads an **arm9loaderhax.bin** arm9 payload from the root of the sdcard at address 0x23F00000. +### Arm9loaderhax mod + +While also having support to load a "arm9loaderhax.bin" as fallback, it normaly loads the "arm9bootloader.bin" from you SDs "arm9loaderhax" folder, or directly out of your root directory. It will try it in the following order: +"arm9loaderhax/arm9bootloader.bin" -> "arm9bootloader.bin" -> "arm9loaderhax.bin" + +The **arm9bootloader.bin** will be loaded to address 0x24F00000, while the **arm9loaderhax.bin** arm9 payload will be loaded at address 0x23F00000. 
This means that it offers a BRAHMA-like setup, and as such has compatibility with every payload BRAHMA can run; you can also perform a firmlaunch by writing the ARM11 kernel entrypoint at address 0x1FFFFFF8. Screen initialization was implemented by [**dark-samus**' pull request](https://github.com/delebile/arm9loaderhax/pull/9) (thanks!). +### Bootloader loader + +This version is for all people who installed the normal arm9loaderhax. Its an arm9loaderhax.bin which is doing the same as the arm9loaderhax mod, exept it doesn't support the arm9loaderhax.bin fallback loading(since this would result in a recursiv try to load itself) and doesn't do the screen initialization. Simply copy it to the root of your sd-card and it will be usable + +### BootCTR9 + +After you set up one of the above loaders, you can start setting up BootCTR9. For this simply copy the "arm9bootloader.bin" and a "boot_config.ini" to your sd-cards "arm9loaderhax" or root folder. +While beeing backwardcompatible to BootCTRs "boot_config.ini", some additional settings got added. +These are the following for the payload configurations: +* screenEnabled + * This configures, if the screen shoud be enabled before jumping to the payload(default is 1) + * If its set to 0 while the screen was initalized before, the screen will be disabled before jumping to the payload + +Also there is a new configuration section named "BOOTCTR9". +This section includes some BootCTR9 only configurations: +* key_delay + * This sets the time in ms BootCTR9 waits for a key +* boot_splash + * This defines the splash type of the bootsplash(showen while waiting for the key) + * 0 -> Disabled + * 1 -> Splash Image + * 2 -> Ascii Splash +* boot_splash_image + * This defines the path, with filename, of the bootsplash. 
+* fileLog + * This configure if the logging to a log file is enabled + * 0 -> disabled + * 1 -> enabled +* screenLog + * This is the same as fileLog, but the log is showen on the bottom screen, instead of written to a file +* screenEnabled + * This configures if the screen should be enabled directly at boot + + ## How do I update it? An updater is currently in developement. You can test [**dark-samus' one**](https://gbatemp.net/attachments/installer-zip.40329/), but it's currently unfinished and unstable. -## Installation +## Installation arm9loaderhax mod The setup will provide a 3dsx installer that will work on system version 9.0-9.2, which should make the things easier.
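Review bot: `screenEnabled` is now documented twice with different meanings, once in the per-payload settings ("enabled before jumping to the payload", default 1) and once in the new `BOOTCTR9` section ("enabled directly at boot") with no default; state the default for the `BOOTCTR9` one and say whether the per-payload value overrides it at jump time (the text about disabling an already initialized screen suggests it does), or rename one of the two, since someone reusing a BootCTR `boot_config.ini` cannot tell which is meant. `key_delay` and `boot_splash_image` likewise lack defaults and say nothing about what happens when the image file is missing. The load order for the mod ("arm9loaderhax/arm9bootloader.bin" -> "arm9bootloader.bin" -> "arm9loaderhax.bin") is clear, but the Bootloader loader section should state its own order explicitly rather than only noting the dropped fallback. Spelling in the added lines needs a pass too: "two way" -> "two ways", "normaly", "you SDs", "beeing backwardcompatible", "shoud", "initalized", "showen", "recursiv", "exept", "Its an" -> "It's an", "developement".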