The idea popped up somewhere in the blargSNES thread, when someone pointed me to Myria's libkhax. A library for gaining ARM11 kernel access from userland, and getting access to all the services. And all without too much side effects on the system. Pretty cool shit.


People have been embedding it in their homebrews to gain CSND access or other fun things. It's nice, but we're doing it wrong. Exploits are the homebrew loader's job. Homebrew apps should be built to run in all the possible scenarios. Not to mention the issues there are with that.


The base idea here is to combine Ninjhax and libkhax to provide such an environment. Hence the name of the project-- I'm not doing anything awesome really, I'm merely playing Lego with existing code. smealum and Myria deserve most of the credit.


How will it work?

We first use Ninjhax's first two stages -- CubicNinja exploit and gspwn -- to load the secondary payload.
Secondary payload uses libkhax to gain all the needed access. Loads a process that will basically be an adapted implementation of the HB service (service responsible for loading .3dsx files, among other fun things). Then uses it to launch the Homebrew Launcher, and kills the CubicNinja process.

Details may vary depending on potential roadblocks I'd encounter, but this is the basic process.


What changes over Ninjhax?

More possibilities, since you aren't tied to the browser's permissions. Also, a saner homebrew environment, free of some of Ninjhax's side effects (like breaking most of APT).

Other than that, most things will remain the same. Legohax will run on the same firmwares as Ninjhax, that is, no hax for 9.3 and up. (the exploit used by libkhax was fixed in this firmware version)

You will just be getting the QR codes from a different place. Oh also, it should also be possible to provide little apps for switching to Legohax or to Ninjhax if you already have one of them installed. The initial payload will remain mostly the same.


What are the possibilities exactly?

Access to all the SVCs. Including SVC 0x7B (kernel-mode backdoor) if you want to get fancy, and the oh-so-useful SVC 0x74.

Maybe access to all the services, if that is stable (it involves patching the process's PID to zero-- not sure how it'd work with multiple processes having the same PID). Otherwise, we will compile a satisfying service list (think https://github.com/StapleButter/blargSnes/blob/master/cci/cia.rsf#L168 plus New3DS services).

Hopefully working APT shit!

Oh, and some other funny shit we could do:

* ranged cache invalidate/flush, could be useful for the dynarec-powered emulators out there (probably faster than trashing the whole caches)
* patching the DSP service to allow loading unsigned binaries (not useful until one is made, though)
* rainbow ponies


when do you release azgafsgaefgaefgs

When it's done.


I will let you guys know.

Posted by Da_GPer

I hope this site stays clean and professional and doesnt fall to the pits full of dumb kids like GBATemp has gone to.

Posted by Daggdroppen

Are there any notable differences between 3dsx and cia version? I have only played with the 3dsx version. But with Pasta it would be possible to install blargSNES as an CIA..