We know both o3ds and n3ds share an internal processor aside from the main core. We know it's called arm9, we know it was in the original DS, and we know it is used for backward compatibility and as the security processor in 3ds mode.
That "core", more specifically, is an ARM946 SoC: a single hardware-threaded ARM core running at 134 MHz, with both data and instruction TCM (tightly coupled memory) integrated, as we can see here:
ARM946 specifications
So, while creating a new thread for arm9 on boot might be possible, once the system is up and running the arm9 core is being actively monopolized by the system's security engine, which by the way was never meant to be parallelized. That teaches us two things:
1. To ensure system stability (hehe) we have to "halt" the whole system at once and be able to restore everything afterwards.
2. There's an arm9 thread already running!
Wellp, here's where we got lucky. There's a thing called PXI that handles service calls (svccalls). Service calls can in fact interrupt the whole arm11 system, run on the arm9 core, and be safely resumed afterwards. Thing is, the svccalls are well defined and not editable from arm11. And if you already had hold of arm9 to edit them, what's the point of interrupting the system? That seems hard to hack. Turns out it's not.
What happens if we call an invalid svccall from arm11?
What if we could write a new svccall?
What if we could put code in as a service call with the sole purpose of running other code passed as a parameter? That would effectively be a runtime-reprogrammable svccall.
So we can pass arm9 code to PXI, PXI runs it for us, and we return to arm11 like nothing happened? Yup. Mostly.
Even from a payload on the SD card? Yup.
And the system/security system is sleeping while we do that? Well... not exactly. arm11 is waiting for our return. The security system holds locks on everything important. Those locks stay up. Those locks can be removed/edited at this control level, sure, but nobody knows what would happen to the system. Most probably kernel panic/instability/brickland?
Where is the catch? We need to patch the firm for this. We need arm9 control at least once in the system (like a9lh, at boot). This will never work on an official fw. This is only possible on cfws.
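To make the dispatcher idea concrete, here is a toy model in C. It is added here as an illustration and is not the 3DS's, Nintendo's, or any CFW's actual code: the handler names, the call numbers, the error value and the lock counter are all made up, and raw machine code is stood in for by a function pointer. It shows the two behaviours the questions above hinge on: a fixed handler table rejects an unknown call number and runs nothing, while a call that takes a code pointer as its parameter hands control to whatever the calling side supplied, with the privileged side's locks still held for the duration.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy model of a service-call dispatcher on the privileged (arm9) side of a
 * PXI-style boundary. Constructed for illustration; no real 3DS register,
 * call number or handler name appears here. */

typedef int32_t (*svc_handler_t)(uint32_t arg0, uint32_t arg1);

#define SVC_EINVAL  (-1)   /* hypothetical error code for an unknown call */

/* Counts the "locks" the privileged side holds while a call is in progress.
 * Any code that runs inside a call observes this as non-zero. */
static int g_locks_held = 0;

int svc_locks_held(void) { return g_locks_held; }

/* Two well-defined calls: their parameters are treated as plain data. */
static int32_t svc_get_version(uint32_t a0, uint32_t a1)
{
    (void)a0; (void)a1;
    return 0x0107;                         /* made-up version number */
}

static int32_t svc_add(uint32_t a0, uint32_t a1)
{
    return (int32_t)(a0 + a1);
}

/* The fixed table is the whole definition of what the other side may ask for. */
static const svc_handler_t svc_table[] = { svc_get_version, svc_add };
#define SVC_COUNT (sizeof svc_table / sizeof svc_table[0])

/* What an "invalid svccall" does in a well-behaved dispatcher: the number is
 * bounds-checked against the table and rejected, and nothing else runs. */
int32_t svc_dispatch(uint32_t num, uint32_t a0, uint32_t a1)
{
    if (num >= SVC_COUNT)
        return SVC_EINVAL;

    g_locks_held++;                        /* locks go up for the duration */
    int32_t rc = svc_table[num](a0, a1);
    g_locks_held--;                        /* and are released on return */
    return rc;
}

/* The "runtime reprogrammable" variant from the post, modelled with a function
 * pointer instead of raw code: the parameter itself decides what executes, so
 * the privileged side no longer controls what runs, and its locks stay held
 * while that code executes. */
int32_t svc_run_caller_code(svc_handler_t code, uint32_t a0, uint32_t a1)
{
    if (code == NULL)
        return SVC_EINVAL;

    g_locks_held++;
    int32_t rc = code(a0, a1);
    g_locks_held--;
    return rc;
}

/* A probe that reports the lock state from inside a call. */
static int32_t probe_locks(uint32_t a0, uint32_t a1)
{
    (void)a0; (void)a1;
    return (int32_t)g_locks_held;          /* 1 when invoked through a call */
}

/* Runs the probe through the reprogrammable path. */
int32_t svc_run_probe(void)
{
    return svc_run_caller_code(probe_locks, 0, 0);
}
```

The dispatcher's bounds check is the only thing that makes "invalid svccall" a harmless question; once a handler exists whose parameter is treated as code, that check no longer limits what can run, and anything that code does to the held locks happens with the arm11 side blocked waiting for the return.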
This is not my invention. Credits to b1l1s, Normatt and guys at cakey.