[W.I.P] KARL3DS – Kernel Access On N3DS

Deathracelord, a member of GBATemp, is working on getting kernel access on the New 3DS. Here is a quote from his thread:

KARL3DS - Kernel Access On N3DS

The project is called KARL3DS (a bad acronym originally meant to stand for Kernel Anti-piracy Region-free Loader… 3DS) – and its goal is to have usable kernel access on N3DS for NAND dumping and decrypting, cartridge dumping and decrypting and hopefully (!) the ability to launch a CFW that allows for the bypassing of region lock. A project outline is below.

1. Gathering of team and resources (the intent of this thread)

2a. Gaining kernel access from within Ninjhax

1. Memchunkhax to get Arm11 kernel access
2. Firmlaunchhax to Arm9 code execution

2b. Gaining Arm11 userland code execution

1. Porting Yifan Lu’s LoadCode to N3DS Skater (what I am currently working on) and mapping out the correct values in the global address space (can possibly be avoided by smart coding in the 2nd stage)
2. Injecting the ported code to replace Ninjhax’s Thread 0 ROP
3. Testing with UVLoader (or some other publicly available code)

3b. Gaining kernel access from within userland

1. Converting Gateway’s Arm11 exploit to New3DS (as usual, using Yifan’s writeup and the info on 3dbrew) – fairly simple
2. Converting Gateway’s Arm9 exploit to New3DS (it is possible we could use Roxas’ work here, it’d probably be more work though) – quite difficult

4. Utilising our new-found power! (I haven’t thought too much about this to be honest, so just ideas)

1. Work out NAND interface and dump NAND
2. Work out cartridge interface and dump cartridge
3. Work out decryption and do that (maybe look at VOID?)
4. Figure out how to create and boot a region-free RedNAND
5. On-the-fly game patching
6. Modify SysNAND to boot into our kernel code
7. Use 3DS as a remote control for our pet flying pig (with gyroscope function!)
