B9sTool 3DS: Difference between revisions

From GameBrew
(Created page with "{{Infobox-3DS-Homebrews | title = b9sTool | image = https://dlhb.gamebrew.org/3dshomebrew/b9sTool-3DS.jpg|250px | type = Exploits | version = v6.0.1 | lastupdated = 2020/11/07...")
 
m (Text replacement - "|discussion=" to "|donation=")
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Infobox-3DS-Homebrews
{{#seo:
| title = b9sTool
|title=https://www.gamebrew.org/index.php?title=List_of_3DS_homebrew_loaders&action=edit&section=3 (Exploits) - GameBrew
| image = https://dlhb.gamebrew.org/3dshomebrew/b9sTool-3DS.jpg|250px
|title_mode=append
| type = Exploits
|image=b9stool3ds.png
| version = v6.0.1
|image_alt=b9sTool
| lastupdated = 2020/11/07
| licence = Mixed
| author = zoogie
| website = https://github.com/zoogie/b9sTool/
| download = https://dlhb.gamebrew.org/3dshomebrew/b9sTool-3DS.rar
| source = https://github.com/zoogie/b9sTool/
}}
}}
<youtube></youtube>
{{Infobox 3DS Homebrews
 
|title=b9sTool
Instructions
|image=b9stool3ds.png
 
|description=boot.nds'  to use the ""FIRM partitions known-plaintext"" exploit for DSi mode firm writing on 3ds.
https://3ds.hacks.guide/
|author=zoogie
 
|lastupdated=2023/02/24
WARNING: Never, under any circumstance, use this homebrew in conjunction with a youtube/video guide of any kind!
|type=Exploits
|version=v7.0.0
|license=MIT
|download=https://dlhb.gamebrew.org/3dshomebrews/b9stool3ds.7z
|website=https://github.com/zoogie/b9sTool/
|source=https://github.com/zoogie/b9sTool
|donation=
}}
B9sTool is a tool that utilizes the "FIRM partitions known-plaintext" exploit to enable DSi mode firm writing on the 3DS. It achieves this by using a 'boot.nds' file.


General Info
== General Info ==
 
* This app only writes to FIRM0, not FIRM1, so it should be safe given your FIRM1 is not corrupt or a9lh'd.
This app only writes to FIRM0, not FIRM1, so it should be safe given your FIRM1 is not corrupt or a9lh'd.
* Never use this if sighax/b9s/arm9loaderhax is already installed (on any firmware)! There are measures in place to try to prevent anything bad from happening if this is done, but it is still not intended.
Never use this on anything but 3DS FIRM 11.15.0-YZ
Never use this if sighax/b9s is already installed (on any firmware)! The result will be a sloppy uninstallation at best and a brick at worst
Be cautious when using this with arm9loaderhax installed, as the special handling for it is still experimental


Compiling:
Compiling:


Just supply the current decrypted FIRMs for both new/old 3ds and put them in the firm_new and firm_old directories respectively. Then place the newest boot9strap.firm payload in the payload directory. You will also need to supply a clean secret_sector.bin in the a9lh_files/secret_sector directory if you want the arm9loaderhax handling to work on n3ds systems without a the user supplying that file. Then compile with make FIRM_INFO="11.10 only" or whatever is actually the firmware range of the current native firm. The user does not have to supply any extra files like in previous versions. Needs the latest libfat version.
* Simply clone, checkout the submodule, supply a <code>boot9.bin</code> and the latest <code>boot9strap.firm</code> in the <code>embedded_files</code> directory, then compile with <code>make</code>. Needs the latest libfat version.


Important b9sTool 5.X.X differences to 4.X.X
Firmware info:
 
BACKUP.bin:
 
This has been removed. This feature was made in the interest of safety, but the realization that the update trick can reliably restore corrupted firms made it redundant.
It was also a pain in the ass.
 
xorpad_0123ABCD.bin
 
This is dumped to your boot9strap folder when b9s is installed. It isn't used now but may be useful in the future. Don't delete it.
The hex number in the filename is the first 4 bytes of the file's SHA1.


Cycling firm types:
* 7.0.0 and above work on any firmware from 3.0 and above.
* Previous versions of b9stool only worked on certain firmware versions, don't use those without a very good reason.


When you install boot9strap multiple times, the standard behavior is that it will cycle between b9s and stock firm.
==Instructions==
Don't count on this though, it's just a property of xoring operations and really isn't intended.
Use https://3ds.hacks.guide/.
It is recommended you only install boot9strap once.
 
Firmware info:


6.0.1 is for firmware 11.15 ONLY (always check the firmware in the app menu to be sure as this can change as new firmwares are released!)
'''WARNING: Never, under any circumstance, use this homebrew in conjunction with a youtube/video guide of any kind!'''
5.0.2 - 6.0.0 is for firmware 11.13
4.0.1 - 5.0.1 is for firmwares 11.8 to 11.10 or 11.11(eur) ONLY
4.0.0 is for firmwares 11.4 to 11.7 ONLY
Be careful using b9sTool between firmware updates - only use b9sTool on the firmware it's intended for.


Credits
==Changelog==
'''7.0.0'''
Special Thanks to [https://github.com/aspargas2 @aspargas2] for these changes:<br>
* A safety feature that searches everywhere I could think of on the SD and locations in NAND for the system's OTP, and if it finds it it'll use software AES to encrypt the target firm and write it to firm0 regardless of what was in there to begin with. I have dubbed this &quot;safe mode&quot;.
* If the OTP is not found, then instead of doing the traditional XOR attack, it will modify the system's NAND header to create 5 firm partitions, each only 0x200 bytes big, and all within the region of NAND that firm0 would usually occupy. (It leaves firm1 untouched in doing this, so technically the system has 6 firm partitions in this state). It then does the known-plaintext attack 5 times, trying to write [https://github.com/aspargas2/minfirm a minimal, 0x200-byte firm payload] to each of the firm partitions. This lets it get 5 guesses at the current contents of firm0. But because only a 0x200 byte subsection of the firm needs to match with our guess, we can actually support very large ranges of firms at once. Specifically, the attached build should be able to use the XOR attack to install b9s over any native firm 3.0 or newer, any release boot9strap version, any release Fastboot3DS version other than 1.0, and any release Luma3DS version up to 11.0. Really, only native firm should need to be in this list because any system that has already been touched by sighax will hopefully have an OTP dumped somewhere and trigger the safe install. XOR support for other firms is just a &quot;because I could&quot; thing that will hopefully never be used.
* In both of these cases, a [https://github.com/aspargas2/SafeB9SInstaller custom build of safeb9sinstaller] is chainloaded to cleanly install boot9strap to both firm partitions, not just firm0.
* The old special handling for a9lh systems has been removed entirely; it is now handled fine in regular XOR mode.
* b9stool now builds with -Wall -Wextra -Wpedantic -Werror, and I have done some tweaking to the build_headers.py script to hopefully make it less frustrating to use going forward.


zoogie, aspargas2, plailect
To summarize the benefits of this over current b9stool:
* No risk of something going wrong when running b9stool with CFW already installed, as long as OTP is found
* One b9stool version supports almost all native firm versions, and is unlikely to need to be updated in the event of a native firm update
* Users can safely use b9stool on a9lh, and don't have to do anything weird with launching it twice
* The system is left with boot9strap in both firm partitions instead of just firm0, which is good for a few reasons
* Less copyright violation I guess, as only a 0x200 block from native firm needs to be embedded. There are now also some boot9 keys though.


== Credits ==
* zoogie, aspargas2, and plailect for contributing to b9stool directly
* [https://github.com/kokke/tiny-AES-c tiny-AES-c] for the AES library code
* [https://github.com/intel/tinycrypt tinycrypt] for the SHA256 library code
* luigoalma for the [https://github.com/luigoalma/3ds_keyscrambler keyscrambler implementation]
* [https://www.3dbrew.org/wiki 3dbrew] for being a great resource for all things 3DS


[[Category:3DS homebrew loaders]]
[[Category:Exploits for 3DS]]
[[Category:Exploits for 3DS]]

Latest revision as of 13:26, 13 August 2023

b9sTool
B9stool3ds.png
General
Authorzoogie
TypeExploits
Versionv7.0.0
LicenseMIT License
Last Updated2023/02/24
Links
Download
Website
Source

B9sTool is a tool that utilizes the "FIRM partitions known-plaintext" exploit to enable DSi mode firm writing on the 3DS. It achieves this by using a 'boot.nds' file.

General Info

  • This app only writes to FIRM0, not FIRM1, so it should be safe given your FIRM1 is not corrupt or a9lh'd.
  • Never use this if sighax/b9s/arm9loaderhax is already installed (on any firmware)! There are measures in place to try to prevent anything bad from happening if this is done, but it is still not intended.

Compiling:

  • Simply clone, checkout the submodule, supply a boot9.bin and the latest boot9strap.firm in the embedded_files directory, then compile with make. Needs the latest libfat version.

Firmware info:

  • 7.0.0 and above work on any firmware from 3.0 and above.
  • Previous versions of b9stool only worked on certain firmware versions, don't use those without a very good reason.

Instructions

Use https://3ds.hacks.guide/.

WARNING: Never, under any circumstance, use this homebrew in conjunction with a youtube/video guide of any kind!

Changelog

7.0.0 Special Thanks to @aspargas2 for these changes:

  • A safety feature that searches everywhere I could think of on the SD and locations in NAND for the system's OTP, and if it finds it it'll use software AES to encrypt the target firm and write it to firm0 regardless of what was in there to begin with. I have dubbed this "safe mode".
  • If the OTP is not found, then instead of doing the traditional XOR attack, it will modify the system's NAND header to create 5 firm partitions, each only 0x200 bytes big, and all within the region of NAND that firm0 would usually occupy. (It leaves firm1 untouched in doing this, so technically the system has 6 firm partitions in this state). It then does the known-plaintext attack 5 times, trying to write a minimal, 0x200-byte firm payload to each of the firm partitions. This lets it get 5 guesses at the current contents of firm0. But because only a 0x200 byte subsection of the firm needs to match with our guess, we can actually support very large ranges of firms at once. Specifically, the attached build should be able to use the XOR attack to install b9s over any native firm 3.0 or newer, any release boot9strap version, any release Fastboot3DS version other than 1.0, and any release Luma3DS version up to 11.0. Really, only native firm should need to be in this list because any system that has already been touched by sighax will hopefully have an OTP dumped somewhere and trigger the safe install. XOR support for other firms is just a "because I could" thing that will hopefully never be used.
  • In both of these cases, a custom build of safeb9sinstaller is chainloaded to cleanly install boot9strap to both firm partitions, not just firm0.
  • The old special handling for a9lh systems has been removed entirely; it is now handled fine in regular XOR mode.
  • b9stool now builds with -Wall -Wextra -Wpedantic -Werror, and I have done some tweaking to the build_headers.py script to hopefully make it less frustrating to use going forward.

To summarize the benefits of this over current b9stool:

  • No risk of something going wrong when running b9stool with CFW already installed, as long as OTP is found
  • One b9stool version supports almost all native firm versions, and is unlikely to need to be updated in the event of a native firm update
  • Users can safely use b9stool on a9lh, and don't have to do anything weird with launching it twice
  • The system is left with boot9strap in both firm partitions instead of just firm0, which is good for a few reasons
  • Less copyright violation I guess, as only a 0x200 block from native firm needs to be embedded. There are now also some boot9 keys though.

Credits

Retrieved from ‘https://www.gamebrew.org/index.php?title=B9sTool_3DS&oldid=130221

Advertising: