3DS Kernel Time Machine + Exploit Information

Kernel Time Machine

JustPingo has released a W.I.P downgrader for the 3DS called Kernel Time Machine, which lets you downgrade your 3DS using TPP files. You can check it out here:


Kernel Time Machine

Smealum, derrek and Plutoo recently spoke at the CCC in Germany about security and exploits on the 3DS. Below I will list the exploits; the list is inspired by JustPingo’s article on GBATemp, which I will link below as the source.

New 3DS (N3DS) Only
snshax – This exploit was found by Smealum and lets you downgrade the N3DS without the need of a NAND backup.
arm9loaderhax – Discovered by Plutoo, this lets you inject into the N3DS bootrom.

All 3DS Variations
memchunkhax2 – This was a kernel11 exploit discovered by derrek, which lets you downgrade without NAND, play legit CIAs and run homebrew.
ntrcardhax – Another found by Plutoo, this kernel9 exploit lets you run pirated software, but needs special hardware in order to get it running.

Source And FAQ


[Released] Language Emulation Plugin for NTR 1.0/2.2 – 3DS

File Name: Language Emulation Plugin for NTR 1.0/2.2
File Submitter: GregoryRasputin
File Submitted: 12 Apr 2015
File Category: 3DS
Developer: cell9
Source: https://gbatemp.net/threads/release-language-emulation-plugin-for-ntr-1-0-2-2.386543/

cell9, creator of NTR CFW for the 3DS, has released a language emulation plugin for it. Here is a quote from the source:

Language Emulation Plugin for NTR 1.0/2.2

The language emulation plugin can solve the language issues which made some region-locked games fail to play in NTR mode, for example, Zelda Majoras Mask.

This plugin could also be used to switch languages for games that have multiple language files. For example, the USA version of CRUSH 3D will display Japanese language when it was run on Japanese consoles, and it could be switched to the proper language by using the language emulation plugin.

1. Find the plugin file you want (langemu_cn for Simp.Chinese, langemu_cht for Trad.Chinese, langemu_jp for Japanese, langemu_en for USA, langemu_en_europe for Europe).
2. Copy the plugin file to pluginTITLEID on the sdcard, for example, plugin0040000000D0000
3. Start the game and it will emulate the language automatically.

I have already made folders for several games including Majoras Mask eu/us in the package.


[Released] Sky Army Knife

I will not go into how much I dislike reDRM devices and flash carts; you have all read me rant about them, and as much as I try to discourage people from buying them, there are many people who still do buy them. It’s their money, their business.

Anyhow, for those of you who bought the Sky3DS Flash Cart, Foxi4 from GBATemp has released a tool for you guys. To explain what it is, here is a small quote:

Sky Army Knife

Q: What is this?
A: Sky Army Knife is a multitool for Sky3DS users I’m currently coding in C++ with a dash of .Net. In its current state (version 1.0) the tool is capable of generating relatively accurate Template Files for .3DS ROM files.

Q: That’s not much of a multitool, is it?
A: In the future I plan on expanding the feature set so that it encompasses most typical ROM-related tasks such as CARD-1 to CARD-2 conversion, SD Card management etc.

Q: Why release it now then?
A: Due to the recent Nintendo Network ban wave directed at flashcart users the need for a template generator became urgent. The current consensus is that the bans are caused by using public UniqueID’s present in the public templates provided by Sky3DS. While there are ways to inject UniqueID’s into pre-existing templates, they’re not easy to perform for newbies nor accurate.




[W.I.P] KARL3DS – Kernel Access On N3DS

Deathracelord, a member of GBATemp, is working on getting kernel access on the New 3DS. Here is a quote from his thread:

KARL3DS - Kernel Access On N3DS

The project is called KARL3DS (a bad acronym originally meant to stand for Kernel Anti-piracy Region-free Loader….3DS) – and its goal is to have usable kernel access on N3DS for Nand dumping and decrypting, cartridge dumping and decrypting and hopefully (!) the ability to launch a CFW that allows for the bypassing of region lock. A project outline is below.

1. Gathering of team and resources (the intent of this thread)

2a. Gaining kernel access from within Ninjhax

1. Memchunkhax to get Arm11 kernel access
2. Firmlaunchhax to Arm9 code execution

2b. Gaining Arm11 userland code execution

1. Porting Yifan Lu’s LoadCode to N3DS Skater (what I am currently working on) and mapping out the correct values in the global address space (can possibly be avoided by smart coding in the 2nd stage)
2. Injecting the ported code to replace Ninjhax’s Thread 0 ROP
3. Testing with UVLoader(or some other publicly available code)

3b. Gaining kernel access from within userland

1. Converting Gateway’s Arm11 exploit to New3DS (as usual, using Yifan’s writeup and the info on 3dbrew) – fairly simple
2. Converting Gateway’s Arm9 exploit to New3DS (it is possible we could use Roxas’ work here, it’d probably be more work though) – quite difficult

4. Utilising our new-found power! (I haven’t thought too much about this to be honest, so just ideas)

1. Work out nand interface and dump nand
2. Work out cartridge interface and dump cartridge
3. Work out decryption and do that (maybe look at VOID?)
4. Figure out how to create and boot a region free REDNand
5. On the fly game patching
6. Modify Sysnand to boot into our kernel code
7. Use 3ds as a remote control for our pet flying pig (with gyroscope function!)



Your Friendly Neighbourhood Hykem Needs Help

Below is a post from a forum thread created by zecoxao, in which he requests help for multi-talented developer Hykem. From my understanding, all one would need to do is give Hykem remote access to a Wii U.


So, Hykem has everything he needs to dump the rest of the OTP keys. Everything, except a Wii U.

Any caring soul willing to help the poor fellow?
