Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

Gadorach

Electronics Engineering Technologist
Member
Joined
Jan 22, 2014
Messages
970
Trophies
0
Location
Canada
XP
956
Country
Canada
Can you also PM me when it's done?
Sure.

Also, another heads up. The Biggest Loser won't have any kind of visual representation of having done its job. It'll start, there will be a black screen with music playing, and that's it. Wulfy didn't actually draw it to the screen, or even put a "Done!" message, just nothing, lmao.

Also, the exploit is a write-once, read-as-much-as-you-like kind of thing. You write in the hacked save, and it'll overwrite the contents of 0x800 -> 0x80F with the CID of the console you just put it in. You don't need to clear it each time.
 
Last edited by Gadorach,
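An added example (not from the thread, and not part of TWLTool or the Biggest Loser save) for reading back what the post above describes: the exploit writes the console's eMMC CID into the save file at 0x800..0x80F, so a short script can pull those 16 bytes out instead of eyeballing a hex editor. The offsets come from the post; the save file name, the demo buffer and the "region still all 0x00 / all 0xFF means the exploit never ran" check are my assumptions.

```python
import sys
from typing import Optional

# Offsets as stated in the post: the exploit overwrites 0x800 -> 0x80F with the CID.
CID_OFFSET = 0x800
CID_LEN = 0x10


def extract_cid(save: bytes) -> Optional[bytes]:
    """Return the 16 CID bytes stored at 0x800, or None if the region looks
    untouched (assumption: an unwritten region is all 0x00 or all 0xFF)."""
    if len(save) < CID_OFFSET + CID_LEN:
        return None
    cid = save[CID_OFFSET:CID_OFFSET + CID_LEN]
    if cid == b"\x00" * CID_LEN or cid == b"\xff" * CID_LEN:
        return None
    return cid


def cid_hex(save: bytes) -> Optional[str]:
    """Hex string of the CID, in the form tools expect it typed in, or None."""
    cid = extract_cid(save)
    return None if cid is None else cid.hex()


def build_sample_save(cid: Optional[bytes]) -> bytes:
    """Constructed stand-in for a save file: 0x1000 zero bytes with the CID
    placed at 0x800 (or left blank when cid is None)."""
    buf = bytearray(0x1000)
    if cid is not None:
        buf[CID_OFFSET:CID_OFFSET + CID_LEN] = cid
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python cid_from_save.py <save file>   (file name is hypothetical)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_save(bytes(range(CID_LEN)))  # constructed demo input
    print(cid_hex(data) or "CID region untouched: the exploit did not run")
```

Because the exploit is write-once, read-as-often-as-you-like, the same save can be moved between consoles and this script run after each boot; a None result is the signal that the save never executed on that unit.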

nastys

ナースティス
Member
Joined
Aug 5, 2014
Messages
1,730
Trophies
0
Age
26
Location
Earth
XP
1,794
Country
Italy
I don't have The Biggest Loser nor a Raspberry Pi...
Is it possible to brute force the CID? Would it take much time on an i7-3770?
 

Gadorach

Electronics Engineering Technologist
Member
Joined
Jan 22, 2014
Messages
970
Trophies
0
Location
Canada
XP
956
Country
Canada
I don't have The Biggest Loser nor a Raspberry Pi...
Is it possible to brute force the CID? Would it take much time on an i7-3770?
@WulfyStylez mentioned it was totally possible to brute-force the CID, and it takes about a full day on an 8-threaded quad-core with hardware AES. No release on software to do it though. You should be able to do it with an Arduino UNO or Teensy++ 2.0 as well, but it's a bit more involved.

Additionally, more tricks-o-the-trade!

When reading and writing the NAND of the DSi, it doesn't actually need the battery present.
Plug in the console, plug in the SD reader, hold in the battery, power up to 0000FE00, and remove the battery. It'll stay on and RW will continue without needing to tape the battery on or hold it in place. No need to reassemble at all!
 

mb2010

Well-Known Member
Newcomer
Joined
Jan 12, 2015
Messages
63
Trophies
0
Age
34
XP
156
Country
@WulfyStylez mentioned it was totally possible to brute-force the CID, and it takes about a full day on an 8-threaded quad-core with hardware AES. No release on software to do it though. You should be able to do it with an Arduino UNO or Teensy++ 2.0 as well, but it's a bit more involved.

Additionally, more tricks-o-the-trade!

When reading and writing the NAND of the DSi, it doesn't actually need the battery present.
Plug in the console, plug in the SD reader, hold in the battery, power up to 0000FE00, and remove the battery. It'll stay on and RW will continue without needing to tape the battery on or hold it in place. No need to reassemble at all!

So many options for getting the CID. I have a raspberry pi and a teensy++ 2.0 just need info on what to do. Could just buy biggest loser but can't find it locally and don't want to wait for delivery.
 

nastys

ナースティス
Member
Joined
Aug 5, 2014
Messages
1,730
Trophies
0
Age
26
Location
Earth
XP
1,794
Country
Italy
@WulfyStylez mentioned it was totally possible to brute-force the CID, and it takes about a full day on an 8-threaded quad-core with hardware AES. No release on software to do it though. You should be able to do it with an Arduino UNO or Teensy++ 2.0 as well, but it's a bit more involved.

Additionally, more tricks-o-the-trade!

When reading and writing the NAND of the DSi, it doesn't actually need the battery present.
Plug in the console, plug in the SD reader, hold in the battery, power up to 0000FE00, and remove the battery. It'll stay on and RW will continue without needing to tape the battery on or hold it in place. No need to reassemble at all!
I can write a script for that, but I need to know what happens (what's displayed on the terminal, the size of the output file) when the CID is correct and what happens when it's not...

P.S.: I do have an Arduino UNO (a clone, actually), so how could I get the CID with that?
 

Gadorach

Electronics Engineering Technologist
Member
Joined
Jan 22, 2014
Messages
970
Trophies
0
Location
Canada
XP
956
Country
Canada
I can write a script for that, but I need to know what happens (what's displayed on the terminal, the size of the output file) when the CID is correct and what happens when it's not...

P.S.: I do have an Arduino UNO (a clone, actually), so how could I get the CID with that?
Read the source for the 3DS Debricker build for Arduino: https://github.com/krisztian1997/3dsunbricker/blob/master/sd_raw_roland.cpp
You'll want to add a new option to the menu that only uses the CID read code found in the "v - VERNAM CYPHER UNLOCK" method. You will need either an SD shield, or you'll have to add voltage splitters to the IO pins. 5v will fry the eMMC.

So many options for getting the CID. I have a raspberry pi and a teensy++ 2.0 just need info on what to do. Could just buy biggest loser but can't find it locally and don't want to wait for delivery.
For the rPi, use RPU: https://github.com/bkifft/RPU
When it starts up and gets to the menu, use the "(S)afe run (Query only)" option. It will read and display the CID register of the eMMC chip. You'll have to type it in by hand in this case though, whereas the Teensy and Arduino UNO have the Serial Monitor for the data to be directly copied.

I have successfully decrypted my DSi XL's NAND though, and I'm in the middle of downgrading titles and injecting saves. I'm also doing that other thing that was requested.
 

WhoAmI?

PASTA's dirty animal
Member
Joined
Mar 15, 2015
Messages
1,276
Trophies
0
Location
Poké Ball
Website
lavanoid.github.io
XP
1,279
Country
Read the source for the 3DS Debricker build for Arduino: https://github.com/krisztian1997/3dsunbricker/blob/master/sd_raw_roland.cpp
You'll want to add a new option to the menu that only uses the CID read code found in the "v - VERNAM CYPHER UNLOCK" method. You will need either an SD shield, or you'll have to add voltage splitters to the IO pins. 5v will fry the eMMC.


For the rPi, use RPU: https://github.com/bkifft/RPU
When it starts up and gets to the menu, use the "(S)afe run (Query only)" option. It will read and display the CID register of the eMMC chip. You'll have to type it in by hand in this case though, whereas the Teensy and Arduino UNO have the Serial Monitor for the data to be directly copied.

I have successfully decrypted my DSi XL's NAND though, and I'm in the middle of downgrading titles and injecting saves. I'm also doing that other thing that was requested.

*Hugs you, screaming "Pictochat!!!!!"* :-D
 

nastys

ナースティス
Member
Joined
Aug 5, 2014
Messages
1,730
Trophies
0
Age
26
Location
Earth
XP
1,794
Country
Italy
Read the source for the 3DS Debricker build for Arduino: https://github.com/krisztian1997/3dsunbricker/blob/master/sd_raw_roland.cpp
You'll want to add a new option to the menu that only uses the CID read code found in the "v - VERNAM CYPHER UNLOCK" method. You will need either an SD shield, or you'll have to add voltage splitters to the IO pins. 5v will fry the eMMC.


For the rPi, use RPU: https://github.com/bkifft/RPU
When it starts up and gets to the menu, use the "(S)afe run (Query only)" option. It will read and display the CID register of the eMMC chip. You'll have to type it in by hand in this case though, whereas the Teensy and Arduino UNO have the Serial Monitor for the data to be directly copied.

I have successfully decrypted my DSi XL's NAND though, and I'm in the middle of downgrading titles and injecting saves. I'm also doing that other thing that was requested.
I don't have an SD shield nor voltage splitters :(
I think I'll create the script. I only need to know:
  • When the CID is wrong, if the output file exists and what's its size
  • When the CID is correct, what's the size of the output file
 

Gadorach

Electronics Engineering Technologist
Member
Joined
Jan 22, 2014
Messages
970
Trophies
0
Location
Canada
XP
956
Country
Canada
I don't have an SD shield nor voltage splitters :(
I think I'll create the script. I only need to know:
  • When the CID is wrong, if the output file exists and what's its size
  • When the CID is correct, what's the size of the output file
Well, it's pretty simple. If the CID is correct, you'll be able to open the decrypted NAND.bin in WinImage. If it's not, you won't. The tool doesn't really have any checks, it just does its thing and that's it. Image size is the same as your input NAND.bin, regardless of right or wrong.

And PS, you can make voltage splitters from a few resistors, it's not a fancy part. It's documented here: https://github.com/krisztian1997/3dsunbricker
and specifically here: https://arduinodiy.files.wordpress.com/2012/03/sd-card.jpg
 

nastys

ナースティス
Member
Joined
Aug 5, 2014
Messages
1,730
Trophies
0
Age
26
Location
Earth
XP
1,794
Country
Italy
Well, it's pretty simple. If the CID is correct, you'll be able to open the decrypted NAND.bin in WinImage. If it's not, you won't. The tool doesn't really have any checks, it just does its thing and that's it. Image size is the same as your input NAND.bin, regardless of right or wrong.
Really? Then I'll wait until @WulfyStylez adds an option to brute-force (if you do, don't forget to save the CID somewhere...), unless there is a way to use a 3DS to get the key.
 

WulfyStylez

SALT/Bemani Princess
OP
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,877
Country
United States
CID bruteforcing is a longterm goal. The idea is to do basically the same as the 3DS CID bruteforcer, except with the first five bytes of the CID. The idea is that the first byte only has some 48ish combinations, and the u32 after that is easily crackable. Given, my time estimates were done using openSSL. Doing it through the existing source would be quite a bit slower, I think.

Also, about the Biggest Loser save, I only actually had like 0x780 bytes to write all the exploit code in. Drawing to screen wasn't really an option, unfortunately.
 

Gadorach

Electronics Engineering Technologist
Member
Joined
Jan 22, 2014
Messages
970
Trophies
0
Location
Canada
XP
956
Country
Canada
Really? Then I'll wait until @WulfyStylez adds an option to brute-force (if you do, don't forget to save the CID somewhere...), unless there is a way to use a 3DS to get the key.
You need to read the CID register from the eMMC chip. There are three available ways, and a fourth through the third.

1) The Biggest Loser
2) rPi via RPU
3) Arduino with SD shield or voltage divider via 3DSunbricker
3.1) Teensy++ 2.0 in 3v3 mode through Teensyduino and 3DSunbricker

Pick one, but the easiest is The Biggest Loser, followed by rPi.
 

GhostLatte

GBAtemp's Official Van Master™
Member
GBAtemp Patron
Joined
Mar 26, 2015
Messages
3,651
Trophies
3
Age
24
XP
11,203
Country
United States
Hopefully somebody will offer a service for this for the unfortunate souls who can't solder like me.
 

Gadorach

Electronics Engineering Technologist
Member
Joined
Jan 22, 2014
Messages
970
Trophies
0
Location
Canada
XP
956
Country
Canada
Alright, so SUDOKU is easy. Grab the decrypted old version from the same place as the 3DS thread. Open your decrypted NAND, and navigate to "title\00030004\4b344445\content", and replace the "00000001.app" with the old version, renamed to "00000001.app". No need to tinker with the TMD file, the one that's there is fine. Install the save the same way and you're golden.

For System Settings, grab the old version from NUSD (v512) and navigate to "title\00030015\484e4245\content" and delete the contents. Inject the "00000002.app", and the "tmd.512" renamed to "title.tmd". That's all.

For the DS Whitelist and Launcher (required to boot older Flashcarts), grab them both from NUSD (00030017484e4145 v512 (Launcher)) and (0003000f484e4841 v256 (Whitelist)).
Launcher goes in "title\00030017\484e4145\content" and Whitelist goes in "title\0003000f\484e4841\content". Make sure to rename tmds in both cases to "title.tmd", which replaces the one that was there.
 
Last edited by Gadorach,
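An added example (mine, not TWLTool's and not Gadorach's) that scripts the file placement the post above describes, so the same steps are repeatable and the originals are kept: drop the old .app into the title's content directory, optionally clear the directory first (System Settings), and optionally write the downloaded tmd in as title.tmd (System Settings, Launcher, Whitelist) while leaving the existing tmd alone when no replacement is given (SUDOKU). The title ID directories and file names are the ones in the post; the demo NAND layout and placeholder file contents are constructed, and the backup directory is my addition.

```python
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional


def downgrade_title(nand_root, title_hi: str, title_lo: str, app_src, app_name: str,
                    tmd_src=None, clear_content: bool = False,
                    backup_dir=None) -> List[str]:
    """Place app_src as title/<hi>/<lo>/content/<app_name> inside an extracted
    decrypted NAND. Returns the resulting content-directory listing."""
    content = Path(nand_root) / "title" / title_hi / title_lo / "content"
    if not content.is_dir():
        raise FileNotFoundError(f"title content directory missing: {content}")
    if backup_dir is not None:           # keep the current version before touching it
        shutil.copytree(content, Path(backup_dir) / f"{title_hi}-{title_lo}",
                        dirs_exist_ok=True)
    if clear_content:                    # "navigate ... and delete the contents"
        for item in content.iterdir():
            item.unlink()
    shutil.copyfile(app_src, content / app_name)
    if tmd_src is not None:              # downloaded tmd.<ver> goes in as title.tmd
        shutil.copyfile(tmd_src, content / "title.tmd")
    return sorted(p.name for p in content.iterdir())


def build_demo_nand(root: Path) -> None:
    """Constructed stand-in for an extracted decrypted NAND: current versions of
    SUDOKU and System Settings with placeholder contents."""
    for hi, lo, app in [("00030004", "4b344445", "00000001.app"),
                        ("00030015", "484e4245", "00000002.app")]:
        content = root / "title" / hi / lo / "content"
        content.mkdir(parents=True)
        (content / app).write_bytes(b"NEW-VERSION-APP")
        (content / "title.tmd").write_bytes(b"NEW-TMD")
    # an extra file that the System Settings step is supposed to clear away
    (root / "title/00030015/484e4245/content/00000003.app").write_bytes(b"EXTRA")


def demo() -> dict:
    """Run both procedures from the post against the constructed layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "nand"
        build_demo_nand(root)
        dl = Path(tmp) / "downloads"            # stands in for the NUSD output
        dl.mkdir()
        (dl / "sudoku_old.app").write_bytes(b"OLD-SUDOKU")
        (dl / "settings_v512.app").write_bytes(b"OLD-SETTINGS")
        (dl / "tmd.512").write_bytes(b"TMD-512")
        backup = Path(tmp) / "backup"
        # SUDOKU: swap the app only, existing tmd stays
        sudoku = downgrade_title(root, "00030004", "4b344445", dl / "sudoku_old.app",
                                 "00000001.app", backup_dir=backup)
        # System Settings: clear, inject 00000002.app and tmd.512 -> title.tmd
        settings = downgrade_title(root, "00030015", "484e4245", dl / "settings_v512.app",
                                   "00000002.app", tmd_src=dl / "tmd.512",
                                   clear_content=True, backup_dir=backup)
        base = root / "title"
        return {
            "sudoku": sudoku,
            "sudoku_app": (base / "00030004/4b344445/content/00000001.app").read_bytes(),
            "sudoku_tmd": (base / "00030004/4b344445/content/title.tmd").read_bytes(),
            "settings": settings,
            "settings_tmd": (base / "00030015/484e4245/content/title.tmd").read_bytes(),
            "backup_has_old": (backup / "00030015-484e4245/00000003.app").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Launcher and Whitelist steps are the same call with title_hi/title_lo of 00030017/484e4145 and 0003000f/484e4841 and tmd_src pointing at the downloaded tmd; the app file name for those two is not given in the post, so it has to be supplied from the NUSD download.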

ShadowOne333

QVID PRO QVO
Editorial Team
Joined
Jan 17, 2013
Messages
12,230
Trophies
2
XP
34,609
Country
Mexico
Can I extract the save from the Four Swords DSiWare game from another 3DS and inject it into my N3DS Four Swords CIA in anyway by using this?
 

WulfyStylez

SALT/Bemani Princess
OP
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,877
Country
United States
Alright, so SUDOKU is easy. Grab the decrypted old version from the same place as the 3DS thread. Open your decrypted NAND, and navigate to "title\00030004\4b344445\content", and replace the "00000001.app" with the old version, renamed to "00000001.app". No need to tinker with the TMD file, the one that's there is fine. Install the save the same way and you're golden.
To be safe, I do recommend grabbing the tmd from here in addition to this.
 
