
3DS Downgrading & A9LH

I've had a ton of fun with the 3DS, it's probably the best hacked console since the PSP. As of this post I've downgraded 6 systems from the latest firmware, and I always use the same SD card to do so. In this post I've added the files I used.

Downgrade Packs


3DS Homebrew

The first 3DS exploit I ran was probably Cubic Ninja on 9.2. Promptly sat and played the same games I emulate on every system, Earthbound and Pokemon Yellow. For me it's less about the piracy/homebrew/games in general and more about customization and learning about the exploit. Soon after Cubic Ninja came PastaCFW, then RxTools, which became the first autoboot CFW after MenuHax was released. I ran with that setup for a long time, menuhax>rxtools>emunand.

But then came A9LH, sysnand boot times on CFW, dream come true. So I sat down and read Plailect's Guide until I basically had it memorized. The day after I did it for the first time, I then did it again for 4 more systems. In total I've done about six thus far.

So basically, the zips attached to this post are a prefab SD card setup for downgrading all the way from 11.1 > 10.4 > 2.10 and then back again. I'll try to keep them updated as I can, but as of uploading this I'm already behind. I just wanted to make sure the resource is here should anything happen to my backups.

Oh, and obviously steps are included in the zip. But here's a basic rundown of the process:

Part one, downgrading to 10.4

The 3DS has different 'modes' depending on what kind of title you are playing. The only important mode here is DS/DSi mode, TWL_FIRM, because in this mode DSiWare games have access to the system's NAND memory, where the OS is installed.

This is great news, as it means an exploited DSiWare game can allow homebrew with NAND access, meaning downgrades! But how do you exploit a DSiWare game without access to the NAND in the first place? Thankfully Nintendo has us covered. When you do a system transfer, DSiWare games AND saves are copied to the target system, meaning the game and exploit are copied over.

So all you really need now is an already exploited 3DS, with an exploitable DSiWare game, and an exploit for the game. In this case, I have Fieldrunners installed on my 3DS, with an exploited save that loads 'boot.nds' from the SD card. The 'boot.nds' in this case is dgTool, which allows a partial 10.4 downgrade, enough to allow 3DS homebrew downgrading.

Part two, Downgrading to 9.2

Now that we can get downgrading in normal 3DS homebrew, it's time to boot up the homebrew loader and see the content we have access to. First things first, go into sysupdateverifier and verify that the downgrade pack on your SD card is valid. Having invalid or broken CIAs can break the update and brick your 3DS, not something you want to do.

Once the verifier is complete, you can then continue to downgrade the system to 9.2; it's that easy thanks to the hard work of 3DS devs. What you're doing here is essentially overwriting the 3DS OS/firmware with older versions, 9.2 specifically because it has access to exploits needed for the third part of the process.


Part three, Downgrading to 2.10

Now we want to get to 2.10. This is important as 2.10 was the last firmware (until recent discoveries) that could be manipulated to hand over the console's unique key, or OTP.

The OTP is the key (literally) to unlocking the 3DS; it is used in the boot process to decrypt the 3DS firmware and protect the 3DS from running unsigned code. See a more technical description here

To downgrade to 2.10, you'll want to run the 9.2 browser exploit. The easiest way to do this is to open the browser and go to http://go.gateway-3ds.com. This will trigger Launcher.dat on your 3DS to load, which in this case is Decrypt9WIP.

Decrypt9WIP allows for CTRTransfer, which is basically a non console-specific NAND transfer. This was not possible until very recently; truly amazing work too. When in Decrypt9WIP, choose AUTO CTRTRANSFER, which should pick up the relevant firm files on the SD card and start the process.


Part four, Installing A9LH

The final step in the process. With OTP keys available on 2.10 firmware, we can use boot-time exploits to get lightning-fast arm9 code execution. This is known as arm9loaderhax or A9LH.

Thankfully, yet again this process is vastly streamlined for public use. We just need to execute the arm11.bin code on the SD card, so simply open the web browser and navigate to http://dukesrg.github.io/2xrsa.html?arm11.bin (anyone else know this URL by heart yet?), which is another spider/browser exploit page.

This will kick you into the A9LH installer; pressing select will install A9LH, done.

What now?

This is basically where I just went back to playing Pokemon and Yokai Watch. There's tons of good homebrew out there and plenty of nice CFW features like cheats and streaming.

One thing to do for sure is back up your NAND and OTP bin/sha files, which should be on your SD card.
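
A quick integrity check for those backups once they are copied to a PC, as an added example that is not part of the original post or the zips: it recomputes the hash of every file that has a `.sha` beside it. Assumptions: the sidecar is named `<file>.sha` and holds a SHA-256 digest, either as 32 raw bytes or as hex text; the function names are made up for this example.

```python
import hashlib
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a ~1 GB NAND image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.digest()

def read_sidecar(path):
    """Return the 32-byte digest stored in a .sha file, or None if unparseable.

    Assumption: the sidecar is either the raw 32-byte digest or hex text
    (optionally followed by a filename, as sha256sum writes it).
    """
    data = Path(path).read_bytes()
    if len(data) == 32:
        return data
    try:
        token = data.decode("ascii").split()[0]
        digest = bytes.fromhex(token)
    except (UnicodeDecodeError, IndexError, ValueError):
        return None
    return digest if len(digest) == 32 else None

def check_backups(folder):
    """Map each backup name to 'ok', 'MISMATCH', 'bad .sha' or 'missing file'."""
    results = {}
    for sidecar in sorted(Path(folder).glob("*.sha")):
        target = sidecar.with_suffix("")  # NAND.bin.sha -> NAND.bin
        expected = read_sidecar(sidecar)
        if expected is None:
            results[target.name] = "bad .sha"
        elif not target.is_file():
            results[target.name] = "missing file"
        elif sha256_file(target) == expected:
            results[target.name] = "ok"
        else:
            results[target.name] = "MISMATCH"
    return results

if __name__ == "__main__":
    import sys
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in check_backups(folder).items():
        print(f"{status:12} {name}")
```

Run it against the folder holding the copies; anything other than `ok` means that copy should not be relied on for a restore.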