Palantine CFW

History of Appearance

At the end of 2013, when Gateway developers were thinking about how to ruin the consoles of ordinary users, three guys (Cruel Waffle, Xerpi, and Megazig) were reverse engineering their firmware. They even managed to develop something based on what Gateway had created.

On December 25, 2013, Cruel Waffle published a tool that launched an exploit chain from the Launcher.dat file (this file originally contained the firmware for the Gateway cartridge) and allowed dumping the RAM of the Nintendo 3DS.

This moment became the starting point for the appearance of custom firmware that was not tied to the Gateway flash cartridge.

Parallel to these events, Yellow8 and Derrek were communicating in the homebrew 3DS community and sharing their developments related to creating custom firmware.

And in April 2014, the BigBlueBox SDK Leak happened. Someone posted a set of tools for developing 3DS games version 6.2.0 online.

This set included the Dev Men program.

Dev Men is the Developer menu. A program created for developers that allowed installing and testing games. Despite the fact that Developer units had an encryption key check, it consisted only of zeros.

And a little later, interesting photos began to appear online showing the Dev Men program installed on a regular console.

As it turned out, St4rk took the old work of Yellow8 and Derrek, added Cruel Waffle's exploit, and assembled his version of custom firmware that allowed running a CIA server on the 3DS. This, in turn, allowed installing and running CIA images of 3DS games. A little later, St4rk shared his work with Ermilos. But...

Ermilos' computer was infected with the xRat trojan.

Govanify knew Ermilos and sent him a program for hacking the 3DS (CRRKeyGen.exe). This program contained a trojan that gave remote access to Ermilos' computer.

On Ermilos' desktop was the very firmware of St4rk.

After this, Govanify published the firmware on his website:

And, of course, at the moment of the firmware leak, a scandal broke out in the "noble family." St4rk and Ermilos accused Govanify of infecting the computer with a virus and stealing the firmware. In turn, Yellow8 and Derrek were furious that St4rk took their old code and made firmware with his name on it.

But there is one tricky point here. Govanify himself says that by the time he got the firmware, Ermilos had already deleted the virus and cleaned the computer. He downloaded it from the conversation between St4rk and Ermilos. Apparently, he means the IRC chat. Whether to believe him or not is up to you.

But the most interesting thing was something else. Govanify didn't just steal the firmware, but modified it in a special way. Normally, to install Dev Men, you had to run this process from a computer via Wi-Fi. Govanify made it so that you had to connect to his server to install it. At the same time, the console sent various data (user's IP address and other information) to his server. As you understand, this was not needed to install Dev Men. He was simply stealing your data.

On November 3, 2014, a user with the nickname Palantine released a firmware called Palantine CFW v1.0. This was the same modified firmware of Govanify, but without the code that sent him various data.

This firmware was very buggy. Just imagine, it never launched on the first try for me, and in the worst case, it only worked on the eleventh attempt.

It really allowed running 3DS games and was the first free custom firmware for Nintendo 3DS.

Preparation

We will need:

1. Nintendo 3DS or 3DS XL with firmware 4.5;

2. Any Nintendo DS (NOT 3DS) flash cartridge;

3. Download the archive: ropMultiloader.zip;

4. Download the archive: Palantine_CFW_v1.0.zip;

5. Download the archive: Hex.Workshop.Pro.zip.

Additionally, you need to download the GATEWAY ULTRA 3.7.2 BETA archive, which is located in the article: Gateway 3DS.

If during the launch of the run.bat file (we'll talk about it later) you encounter this error:

Then you also need to download the archive: MicrosoftVisualC2005-2013.zip

If you, like me, are interested in the historical aspect, I additionally provide the archive CFWversions.zip. It contains six variations of this CFW:

1. St4rk's firmware source code;

2. Firmware released by Govanify;

3. Dual_Emunand_Setup (can load two different emuNANDs);

4. Hemlock Grove CFW (supposedly more stable loading);

5. PBT CFW – Perfect Bricking Tool Custom Firmware (always loads in sysNAND, needed ONLY for updating system applications. For example, for installing the browser);

6. TRICK CFW (added a menu like Gateway).

ATTENTION!!! FIRMWARE № 5 IS VERY DANGEROUS! IT CAN BRICK YOUR CONSOLE!

Installation and Launch

1. Start by setting a static IP address for the console. If you do this before creating emuNAND, the network settings will be saved when emuNAND boots.

You need to set a static IP address for the console. If you are not very familiar with network settings, press (on your computer) Win + R. In the window that appears, type CMD and launch the command line. In it, type ipconfig and press Enter.

Here is all the data we need.

Go to the Nintendo 3DS settings.

Press Internet Settings – Connection Settings – Active connection (in my case, it's number two, if you don't have anything, connect to Wi-Fi in automatic mode, and then continue from this point).

Next, select Change Settings – press the right arrow – select IP Address.

In the window that appears, select No and press Detailed Setup. Fill in the data and press OK.

This data can be taken from the command line. The IP Address is something you come up with, the main thing is that the last three digits do not overlap with devices connected to Wi-Fi. In my case, I added 084 (it turned out to be taken, so I chose 113). Subnet Mask – "subnet mask". Gateway – "default gateway".

When everything is filled in, press OK. We are told that we need to fill in the DNS. Press Set Up, select No, press Detailed Setup, and fill in the Primary DNS (insert the data from the "default gateway" line).

Press OK and then Save. Agree to the network test and wait for a positive result.

If it says Connection Test successful, then everything is fine. If not, look for the problem.

Turn off the console.

2. Start the main process by launching the Gateway 3DS MSET exploit and entering the Launcher.dat menu. For details, read the article Gateway 3DS.

You should get to this menu:

3. When you get there, you need to create emuNAND and back up sysNAND.

Note! Format emuNAND will format the memory card! So first do this, and then create a sysNAND backup.

4. Turn off the console and turn it on again. Wait for the 3DS to create its files on the memory card.

5. Turn off the console again and copy the sysNAND backup to your computer (after step 3, the NAND.BIN file appeared on the console's memory card).

6. Go to the memory card. Then go to the ID1 folder, then ID2, and create a dbs folder. In this folder, create two empty files: title.db and import.db.

7. Insert the memory card into the console and turn it on. Go to Settings – Data Management – Nintendo 3DS – Software.

An error appears: «The SD Card software management information is corrupted. Reset it now? This will delete all software and save data».

Press Reset and wait.

8. Turn off the console, remove the memory card, and insert it into the computer.

9. Unzip Hex.Workshop.Professional.6.8.0.5419.zip and install the program.

Run Hex Workshop as administrator.

In the top menu, press Disk and Open Drive. A window will open where you need to select the memory card. Pay attention not to the logical drive (in my case L:), but to the Physical Disk. Look at the disk size.

Press Ok.

If a window opens and says «GATEWAYNAND – THIS IS DUMMY SECTOR, SEARCH FOR “NCSD” FOR REAL SECTOR», then you are in the right place.

In the top menu, press Disk again and select Restore Sectors. This menu will open:

In the top window, select the sysNAND dump file that we created earlier. In the Starting Sector field, enter 1. Press Ok and wait for the process to finish.

After the process is finished, close the program.

10. Unzip the ropMultiloader.zip archive and copy the rop_multiloader.nds file to the memory card of the NDS FLASH CARTRIDGE.

11. Unzip Palantine_CFW_v1.0.zip. Go to the SD Card folder and copy the following files to the root of the CONSOLE memory card: arm9_code.bin, arm11_code.bin, boot.bin, Launcher.dat (this file overwrites the one that was on the memory card).

12. Return all memory cards to their places. Turn on the console and launch the rop_multiloader.nds program from the NDS flash cartridge.

Select Homebrew Launcher.dat 4x. And agree to turn off the console.

Turn on the console again. And get ready for the hardest part.

13. Go to Settings – Other Settings – Profile – HOLD THE L BUTTON – press Nintendo DS Profile.

If we did everything correctly, the following should happen: the top screen will turn turquoise, and the bottom screen will first turn black, then white, and then black again. All this will happen in about 3 seconds. After that, both screens will turn black, and the console will boot into the custom firmware.

What's the problem here? This exploit doesn't work the first time. You may have to repeat step 13 many times. My record is eleven attempts.

If the bottom screen doesn't flash white within 5 seconds, you can turn off the console and not wait.

14. Put the console aside and return to the computer. Go to the Palantine_CFW_v1.0 folder. Find the run.bat file and open it with Notepad.

Change the line to the console's IP address that we set in step 1.

In my case, the IP address 192.168.1.84 was not unique, so I changed it to 192.168.1.113.

Save and run this file.

A command prompt will open, and the Dev Men installation process will begin.

If everything went well, the command prompt will look like this:

15. Turn off the console, turn it on, and repeat step 13.

When you enter the firmware, you will see that a new program has appeared – Dev Men.