What is BootCTR9
BootCTR9 is an ARM9 bootloader for the 3DS System. It's based on BootCTR and its configuration, but with some additional features. It's currently for arm9loaderhax users only, but it should be possible to load it with any arm9payload loader, that allows the loading a payload from offset 0x0.
What it's able to do
- Boot ARM9 payloads(.dat and .bin)
- Setting a delay to be able to press the payloads button after powering the 3DS on
- Setting a boot delay, between the selection of the payload and running it, which allows to press the button combinations for the payload
- Enabling and disabling of the screen
- Setting the screen brightness for BootCTR9 and the payloads
- Show splashscreens
- Show bootanimations (based on BootAnim9)
- Detect softboots and skip the payload selection and splashscreen
- Path the payloads path in it's binary (currently only needed in LumaCFW)
What it's not able to do
- Boot .3dsx files
- Use the ZL and ZR buttons(maybe in the future)
Planned Features
- Arm9Companion support
- Support for the new BootAnim9 Animations
- An ARM11 API for ARM9 Payloads
How to build it
BootCTR9 Dev builds
BootCTR9 Dev Builds are frequently released on gbatemp, check out the arm9loaderhax technical discussion thread to find them.
Requirements
BootCTR9
- devkitARM r45
BootCTRs ARM9loaderhax fork
Software
- devkitARM r45
- libctru (ver. 1.0.0)
- Python 2.7 with PyCcrypto
- GCC or MinGW (Only needed to compile the buildt-in tool, you can download a pre-compiled windows build here, place it in common folder)
Files
Some files are needed in order to make the setup compilable, be sure to put the following files in the data_input folder, you have to find them on your own:
| Name | Description | SHA-256 |
|---|---|---|
| new3ds10.firm | New3DS NATIVE_FIRM from system version 10.2. | d253c1cc0a5ffac6b383dac1827cfb3b2d3d566c6a1a8e5254e389c2950623e5 |
| new3ds90.firm | New3DS NATIVE_FIRM from system version 9.0. | d7be76e1813f398dcea85572d0c058f7954761a1d5ea03b5eb5047ac63ac5d6b |
| secret_sector.bin | The New 3DS secret 0x96 key sector. | 82f2730d2c2da3f30165f987fdccac5cbab24b4e5f65c981cd7be6f438e6d9d3 |
| otp.bin | A dump of your console OTP data from region 0x10012000-0x10012100. Using other console's OTP will result in a brick. |
Build commands
- make : This will compile all the files
- make bootloader : This will only build BootCTR9 (arm9bootloader.bin) and the BootCTR9 loader (armloaderhax.bin)
- make hax : This will skip the 3DSX installer compilation
- make stage2_update : This will generate an updater pack with only the secondary payload, mainly for updating the exploit files.
How to use BootCTR9
General Information
There are two official supported way you could use BootCTR9, using the "arm9bootloader.bin" and BootCTR9s a9lh fork, or using the "arm9loaderhax.bin" for normal a9lh forks. Besides this it should be possible to use BootCTR9 with other ways to load arm9 payloads, if you are able to load it from payload address 0.
Beside the payload itself you need to always put an boot_config.ini in one of the supported folders on your SD-card. This configuration file is needed to tell BootCTR9 which payload it should load in which case, and to configure all the other features of BootCTR9. For more informations about the configuration file, check out its wiki page
Normal a9lh + arm9loaderhax.bin
This method allows you to use BootCTR9 with any normal a9lh fork, but you are forced to put the "arm9loaderhax.bin" in your SD-cards root directory. You also don't need to copy the "arm9bootloader.bin" to your SD-card, since it's already included in the "arm9loaderhax.bin"
BootCTR9s a9lh + arm9bootloader.bin
This method allows you to keep your root directory as clean as possible, because you don't need an "arm9loaderhax.bin" on your SD-cards root. For this method you need to copy the "arm9bootloader.bin" in one of the supported folders.
Supported Folders
There are some files, that you could only put in certain folder.
The supported folders are the following:
- /arm9loaderhax
- /a9lh
- /arm9bootloader
- /
Splashscreens and Animations
To use splashscreens and animations, you simple need to set "splash" for an payload splash and "boot_splash" for an generell BootCTR9 splash (check out the configuration Page for the values). After this set "splash_image" or "boot_splash_image" to the filepath of your splashimage or animation. For animations its also possible to set the framerate, for this the bootloader searches for a plaintext file named "[animationpath].cfg" or a binary file named "[animationpath].cfgb".
The first two characters of the plaintext configuration will be used for the framerate, and after that "lzd" will identify an compressed animation.
In an binary configuration, the first Byte will be used as Framerate, and setting the second byte to 1 will identify compressed animations.
While its in theory possible to use animations with high framerates, the SD-cards read-speed is very limited, so that its possible that you need to use a lower framerate for your animation.
To stop an animation before it's finished, you jest need to press [START]+[SELECT].
File structure
Besides the payload and configuration file, you are completely free to organize your files, the way you want to, but a good way to do it would be something like this:
- /(arm9loaderhaxfolder)/Payloads/
- /(arm9loaderhaxfolder)/Splashscreens/
- /(arm9loaderhaxfolder)/Animations/
- /(arm9loaderhaxfolder)/boot_config.ini
- /(arm9loaderhaxfolder)/arm9bootloader.bin (if needed)
The configuration file
To know what it should load and do, BootCTR9 needs a configuration file, that's based on BootCTR ones.
BootCTR9s main configuration
The main option of BootCTR9 itself are in the [BOOTCTR9] region of your configuration
| Name | Description | Default Value |
|---|---|---|
| key_delay | Time in ms to wait for a button press | 100 |
| bootPassword | The password needed to load a non default payload. The max-length should be arround 10 Keys. The password needs to by defined by KEY_* seperated by a space. example: KEY_X KEY_X KEY_A | |
| enableAutosoftboot | Enable or disable the automatic selection of the latest selected configuration on softboot (for example KEY_UP) | 0 |
| enableArm9CompanionBoot | Enables or disables the autoatic booting of an payload defined in the "COMPANION" section. This payload will be renamed after execution to PAYLOADNAME.old. This aption is mostly ineressting for developers of arm9 Payloads. | |
| enableSoftbootSplash | Enable or disable splashes and animation on softboot | 0 |
| boot_splash | Enables or disables the splash or animation that is shown while waiting for a button press. This also defines the type of media that is shown | 0 |
| boot_splash_image | Path to the image or animation you want to use as boot splash | |
| fileLog | Enables or disables the logging to a file | 0 |
| screenLog | Enable or disable the printing of debug output to the screen | 0 |
| screenEnabled | Enable or disable the Screen at boot | 1 |
| screenBrightness | Set the screen brightness used while BootCTR9 is running. List of available brightnesslevels | 0xFF |
Payload configuration
This category allows you to define on which buttonpress which payload is loaded. It also defines how BootCTR9 should load it.
Tip: To make it easier to boot luma config additionaly add KEY_SELECT for the luma payload (read the example configuration at the end for more).
| Name | Description | Default Value |
|---|---|---|
| path | The path of the payload BootCTR9 should load | |
| delay | The delay between loading the payload and jumping to it | 0 |
| payload | The payload time, this is only left in for backwards compatibility with BootCTRs configution, to show error messages of the user tries to load a .3dsx file | -1 |
| offset | The payloads arm9 binary offset, for arm9loaderhax payloads this should be 0, for .dat payloads its normaly 0x12000 | 0x0 |
| enableSoftbootSplash | Enables or disables the splashscreen or animation on Softboot | 0 |
| splash | Enables or disables the splash or animation that is shown before the delay and jumping to the payload. This also defines the type of media that is shown | 0 |
| splash_image | Path to the image or animation you want to use as splash image for the payload | |
| screenEnabled | Enables or disables the screen when jumping to the screen | 1 |
| screenBrightness | Sets the payloads screen brightness. List of available brightnesslevels | 0xFF |
| enablePathFix | This got included mainly for LumaCFW and allows you to simple drag and drop lumas payload to your SD-card, without the need to always use the path changer. | 0 |
Splash types
| Value | Result |
|---|---|
| 0 | The splash screen is disabled |
| 1 | A Splash image is used |
| 2 | An ASCII splash is shown |
| 3 | A Splash image is used, if its not loadable, an ASCII splash is used as fallback |
| 4 | An animation is used, if its not loadable, an ASCII splash is used as fallback |
Available configuration sections
| Section name | Description |
|---|---|
| [BOOTCTR9] | This is the configuration for the bootloader itself |
| [GLOBAL] | This allows to override default values for all payload sections |
| [DEFAULT] | Default Configuration, used when no button is pressed |
| [COMPANION] | This section is used for a9lh netloader companion payload configurations |
| [KEY_X] | This section is loaded when pressing button X. |
Available Keys:
- Common keys: KEY_A, KEY_B, KEY_X, KEY_Y, KEY_L, KEY_R, KEY_SELECT, KEY_START
- D-PAD: KEY_DUP, KEY_DDOWN, KEY_DLEFT, KEY_DRIGHT.
Example configuration
;Comments starts with ";" or "#", so you need to remove it first to the
;line actually do something.
;configuration with ascii boot Image
;You have also 1 sec to press the button for the payload you want to boot
[BOOTCTR9]
key_delay = 1000
boot_splash = 3
enableAutosoftboot = 1
enableArm9CompanionBoot = 1
;Section to allow a9lh net companion payload auto booting
[COMPANION]
path = /a9nc.bin
delay = 100
offset = 0
payload = -1
;luma with BootAnimation and enabled Pathfix
[DEFAULT]
path = /Payloads/luma.bin
delay = 1000
splash = 4
splash_image = /Animations/anim
screenBrightness = 0x30
enablePathFix = 1
;cakes.dat with splash screen and offset
[KEY_R]
path = /Cakes.dat
delay = 1000
offset = 0x12000
splash = 3
splash_image = /Splashes/splash.bin
;Reinand.dat with offset and ascii splash
[KEY_DUP]
path = /ReiNand.dat
delay = 1000
offset = 0x12000
splash = 1
;ARM9 Payloads
;Luma3DS CFW
[KEY_L]
path = /arm9loaderhax/Payloads/luma.bin
;Luma3DS CFW config (to easier boot the luma config)
[KEY_SELECT]
path = /arm9loaderhax/Payloads/luma.bin
;Decrypt9WIP
[KEY_X]
path = /arm9loaderhax/Payloads/Decrypt9WIP.bin
;EmuNAND9
[KEY_Y]
path = /arm9loaderhax/Payloads/EmuNAND9.bin
;Hourglass9
[KEY_START]
path = /arm9loaderhax/Payloads/Hourglass9.bin
;SafeMode9
[KEY_B]
path = /arm9loaderhax/Payloads/SafeMode9.bin
;Each key can be defined using a section, like the example below. Section
;names must be ALL caps, and between "[]". Valid keys:
;You MUST set at least "path" for each section, and it is the ONLY option you
;should set in the majority of cases.
;Double check the path, since it must be correct (including caps).
;Boot examples for almost every CFW out there.
;You can use only binary (.bin, .dat) payloads
;[KEY_A]
;path = /rxTools/sys/code.bin
;[KEY_B]
;path = /Cakes.dat
;[KEY_Y]
;path = /ReiNand.dat
;An important remark: the majority of CFWs set L button to show menu instead
;of autobooting. So it is generally a bad idea to set L button to CFW boot,
;but if you use a delay, you have time to release the key so the CFW menu will
;not be shown.Arm9loaderhax BootCTR9 Fork
This arm9loaderhax fork is based on delibles implementation of the arm9loaderhax exploit, documented here and also presented in this conference. It provides ARM9 code execution directly at the console boot, exploiting a vulnerability present in 9.6+ version of New3DS arm9loader.
It works on both New and OLD 3DS.
What it does
This fork of ARM9loaderhax supports the direct loading of an arm9bootloader.bin into the memory (address 0x24F00000). Besides this it supports loading a arm9loaderhax.bin as fallback (address 0x23F00000), and it will directly setup the ARM11 thread for the upcoming ARM11-API, so every arm9payload loaded after this is able to use it. If it fails to find one of the 2 files, the console will shutdown.
How to install it
After the compilation you'll have three files in the data_output directory:
- arm9loaderhax.3dsx
- arm9loaderhax.bin
- arm9loaderhax.pack
The .pack file contains all the content that will be installed (in case of a full package, your console-unique data too), and has to be placed in the root of your SD card.
The .bin file is an indipendent payload that can be launched from Brahma2, CakeHax, Arm9LoaderHax itself (mainly for update the exploit), and so on. It is the installeing software, once you find your way to launch it, just follow the instruction.
The .3dsx file is a pre-buildt Brahma2 3dsx that can be launched on consoles with firmware below 9.2 through the Homebrew Launcher. It is a loader for the .bin file, wich is included in the 3dsx.
Software Update
When some essential parts of the software will be released, you'll be able to update your setup with the installer by using .pack files that i will provide in future releases.
The ARM11-API
To allow arm9 payloads the easier use of the arm11 processor I'm currently working on an arm11 API. Its not recommend to use this API in a produktiv payload atm, because it still work in progress, and a future update could break the payloads support for it atm.
These people helped to create this
- Smealum and contributors for libctru
- Normmatt for sdmmc.c and .h, and also for .ld files and the log from XDS by ichfly that provided us some of the information needed to get screen init
- Christophe Devine for the SHA codes
- Archshift for i2c.c and .h
- Megazig for crypto.c and .h
- Patois for original BRAHMA code
- Smealum, Derrek, Plutoo for publishing the exploit
- Yellows8 and Plutoo as ideators of it
- 3dbrew community
- bilis/b1l1s for his screen init code, and work on inegrating it into stage 2
- dark_samus for work on integrating screen init into stage 2
- m45t3r for the base BootCTR version as .3dsx
- delibles for the base implementation of arm9loaderhax