Not to kill the mood or anything but you just need to compile an ARM9 payload to use along the rsa_verify request exploit.
The exploit has now been public for several days here
https://github.com/naehrwert/p3ds/blob/master/3dsploit.py
and addresses such as the ones for fopen, fwrite... can be bruteforced rather easily.
There should be about 20ish people that can run an ARM9 payload hanging around the #3dsdev channel right now.
All in all, I'd say your initial ram dumper (using ROPs) was a lot more impressive than this, as running an ARM9 payload was just a matter of following each ROP in the chain from the gateway Launcher.dat file once you had a valid ram dump.
What I find astonishing is the amount of people who do not know how the bug technically works, they know from the launcher.dat that they need to use specific ROP gadgets in a specific sequence to trigger the exploit, they know what some/most of the ROP gadgets do, they know where to paste their payload, but they don't know much beyond that, they don't know that the bug is actually tied to a huge rsa_verify request for which the lenght isn't checked, they don't know that the payload written by gateway's ROP chain at 0x080C3EE0 is copied somewhere in the 0x20000000 area by the kernel and what triggers it to jump to the code later on.
I just find it sad that so many people just reuse what's written by the Gateway engineers, only caring about the end result and not knowing how it actually works in the first place, even though it's very interesting from an educational standpoint.
Ok, that was just my 2 cents xD