1,-—bootroom, the starting foundation of 3ds.
Bootrom is used in 3ds from pressing the power supply to loading the system. The function of this thing is to verify the encrypted signature of firmware file in firm, and then load it into memory. Simply put, it is similar to unlocking the iPhone. You can click on your fingerprint to enter the main interface. The firmware of 3ds is divided into two parts, firm0 and firm01. Because the number arrangement in electronics starts from 0, firm0 is the first firmware, and Firm01is the second firmware. When bootrom starts loading, it first checks the first firmware, and if there are any problems, it will load the contents of the second firmware. Bootrom has a loophole, that is, when the first firmware fails to pass the verification, the data in the memory will not be cleared, so that the attack command related to cracking can be left in the memory. When bootrom is loaded into firm 1 instead, the attack command will work with the firmware in firm 1 to load the files we need. So we need to gain control of the bootrom and load the files we need in the order we need.
2. Functions of ARM 9 processor &; And BOOTROM.
Two things. First of all, there are two CPUs on the 3ds motherboard, one is ARM9 and the other is ARM 1 1. The underlying encryption and decryption operations are handled by ARM9 (including unlocking the bootroom). Second, the bootroom is very powerful, but it is encrypted and can be decrypted by the ARM9 processor, thus gaining control of the bootrom. The lock of the control entrance of ARM9 can be unlocked by a set of hash values of 16 bytes, which we call OTP area. Once you get otp.bin, you can further control the ARM9 processor.
3. Why did you downgrade to 2. 1?
First of all, under the 2. 1 system, Nintendo did not lock the otp area or change the startup priority. Secondly, in version 2. 1, there is a browser vulnerability "2xrsa", which can be used to start OTPHelper and export every unique OTP file of 3ds. The ultimate goal of the above is to solidify arm9loaderhax containing otp information into firmware, which can run before most system files run, and control bootrom to load the luma3ds real system we need (that is, the legendary self-made firmware).
To sum up, if you want to cure A9LH successfully, you need to downgrade it to 9.2, and use the vulnerability of arm9 kernel to downgrade it to 2. 1, then export the otp file through otphelper, and then restore the real system to 9.2 by restoring the backup, finally install arm9loaderhax and Luma3DS, and finally permanently crack the SysNAND real system.
Simply put, A9 is to directly crack 3ds on the basis of hardware, which is much more advanced than software cracking. In addition, I updated 1 1.3 a few days ago, which blocked most of the loopholes. A9 is intact. Just update luma to 6.6, and then update the host body, you can connect to the Internet. Anyway, I haven't seen anything that says that updating system A9 will be gone. Is the 3ds you bought a fake A9 or a seller? In order to save trouble, I made a theme to crack my 3ds. A9 Although the real system moves casually, it separates when you get used to the virtual system. If you are not at ease, you can do it again. There are many tutorials now, so we can't do it step by step.