3DS: ShadowNAND, CFW right into your NAND

3DS Arm9LoaderHax MasterraceI guess the Title says it all right? ShadowNAND is a payload which can be injected into the 3DS FIRM partition if you have either arm9loaderhax already installed or grabbed your OTP. If you don’t have Arm9LoaderHax installed or want to grab your OTP you can dump your OTP with the Tutorial by Plailect. Just make sure to save your OTP in a safe place after dumping because it’s easy to loose the file and then you’ll have to dump it again.

Now back to ShadowNAND. As already said it installs a payload into the 3DS Firm Partition and makes use of the same bug that Arm9LoderHax uses. But instead of looking for a payload on the SDCard it can also boot without an SDCard inserted. This is not meant to replace CFWs like Luma or SaltFW but rather be a fallback in case your SDCard slot gets broken or some other things. As of now it has the most needed features like Firm Protection which means that you can just update your Firmware and it will keep the update from overwriting the modified Firm partitions, a built-in safety net in case something really fucks up your Firm and Patched Signature checks which will allow to start unsigned software just like I’ve shown here:
https://twitter.com/Darthsternie/status/745702035291521024
This is still work in Progress (pre-Alpha)  though and bugs could happen and many features aren’t implemented yet. So if you decide to install it it is your fault if something should happen to your 3DS. In case you’re scared now If you got through dumping your OTP you like CAN’T fuck up your 3DS. The Developers have put so many Security Checks inside every program now that it is nearly impossible to brick your 3DS by doing this. But let’s get to the installation process now. First, if you ever downgraded your 3DS with Gateway you’ll need to do a few steps before installing ShadowNAND. Fo you never downgraded your 3DS with Gateway you’re good to go 😀

1. After downgrading with Gateway it leaves some leftover files inside the system which can cause problems with ShadowNAND. I downgraded my old3DS once with Gateway and had problems at the first boot with the main parts not working but after doing this everything worked perfectly. This is only for old3DS though sadly because I couldn’t find anything for New3DS (I don’t know why anyone should’ve downgraded on New3DS either, there wasn’t any way to downgrade on New3DS anyway ^^). You will only need to follow this guide closely. DON’T FLASH THE WRONG FILES!!! and everything should work as it’s supposed to.

2. Installing ShadowNAND
1. Download ShadowNAND, ShadowNAND Installer and the required files which you can find in the ReadMe here.
2. Put your 3DS SDCard into your PC and create a folder called “homebrew” without the quotation marks on the root of the SDCard. Extract ShadowNAND, ShadowNAND Installer and the required files. Copy the a9lh folder from the required files into the homebrew folder. After that copy the payload files from the ShadowNAND folder into the a9lh folder. Now you will only have to copy your OTP.bin inside the a9lh folder and you’re done preparing the payload files. Next copy all the files from ShadowNAND Installer to the root of your SDCard. If you already have Arm9LoaderHax installed rename ShadowNAND_Installer.bin to arm9loaderhax.bin. Now there are two ways to install ShadowNAND. If you are still on Firmware 2.1 use way 2.1 and if you already have Arm9LoaderHax installed use 2.2.
2.1 If you are new to A9LH and not sure just follow Plailects Tutorial normally and then do 2.2.
Follow this through to the end with a tiny exception. Instead of using arm11.bin and arm9.bin from SafeA9LHInstaller you need to use the arm11.bin and arm9.bin from ShadowNANDInstaller. For the rest of the tutorial, you will have to change the payload names and other things so that they will work with ShadowNAND. After installing ShadowNAND that way and setting everything back up again you can then tex´st if it’ll boot without an SDCard and maybe adjust a few folders so everything works correctly after this.


2.2 
Just shutdown your 3DS and let it boot the arm9loaderhax.bin. Tap select to install ShadowNAND and another button to shutdown your 3DS. You now have ShadowNAND installed and can test right away if it can boot without an SDCard. You will only need to adjust some files later so that you can boot your CFW again.

3. Now the last thing to do is adjust your CFW Files so that they will be able to work with ShadowNAND. Even though the built-in CFW patches Firms , if you load a CFW through either boot.bin or safe_mode.bin it will NOT automatically have firms patched. So don’t update on sysNAND if your CFW doesn’t patch the Firms// EDIT: since version 0.8 normal boot has the firm overwrite patch(Pretty much every CFW does this though nowadays except for one, I’m looking at you Gateway >.>) .
ShadowNAND boots .bin files from the following locations: /homebrew/boot.bin (This is the normal automatically booted payload) or /homebrew/safe_mode.bin (Booted by holding DPad Down)(This loads another payload in safe mode and currently you’ll need to use this CTRBootManager to load something with it) If you use Luma make sure to use the pathchanger on the payload so that it now redirects to /homebrew/boot.bin or /homebrew/safe_mode.bin. This is pretty much it and everything should work again 😀

Big thanks to Shadowhand for ShadowNAND and Aurora Wright for the many patches and helpful tips she gave to him. Also big thanks to everyone who helped to bring Arm9LoaderHax to this stage and functionality 😀

I hope I was able to help you install ShadowNAND on your 3DS. If you have any questions don’t hesitate to ask in the comments.
Source: GBATemp

 

About Darthsternie

Interested in everything Technical. Loves self-repairing Tech. Collector of Firmwares. Enthusiast Gamer and Anime Fan ^^

Check Also

Hardware Review: EZ Flash Parallel for NDS

I’m going to start by being entirely transparent at the beginning. I’m reviewing a product …

3 comments

  1. 1)Booting a CFW that doesn’t protect firms as boot.bin will still not protect the firm. That is not limited to safe_mode.bin.

    2) My name is Shadowhand (not ShadowHand).

    3) I’d like to mention that this is pre-alpha software and nobody but the owner of the device is to blame if anything goes wrong.

  2. I’m sorry. I’ll add this as soon as I’m back home 🙂