Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

[StarTrekVoyager]

Well, this is getting really interesting. Unfortunately my red DSiXL is on v1.4.5 and the only eShop titles I have are the browser, Kawashima Express: Arts&Litterature and the 6-in-1 Dictionnary...

 

[windwakr]

Also, is there any way we could extract launcher v256 (and whitelist v0 if it exists) from the NAND dump of a launch model DSi thats has never been updated?

You may be able to extract older versions of titles even from a system that has been updated. Like how deleted factory versions of firmware have been recovered from 3DS systems that have had numerous updates applied.

 

[Razor83]

Your chart seems a bit off. I have 1.4 FW and I checked v512 Launcher downloaded from NUS. It is identical to the one I already have. So v512 is the 1.4 version of Launcher. If I could get my hands on a 1.3 version of Launcher I could test to see how it behaves. I was not aware 1.3 did not have a white list implemented?

Maybe yoru chart is for the JPN/Europe version of Launcher. But USA consoles had 1.4 use v512 Launcher.

I based the chart of the USA/EUR updates, since JPN started on either 1.0 or 1.1 (Conflicting reports online)

Are you sure your actual launcher is from system menu 1.4? Because the versiondata title is what determines the version you see in system settings, and does not appear to be directly related to the launcher title version:-
http://dsibrew.org/wiki/Version_Data

bytes 0 and 1 are the major version number, bytes 2 and 3 are the minor version number, and the rest of the file is the human-readable UCS-2 version number displayed in the Settings menu as the "System Menu Version".

DSi launch systems in USA/EUR came with 1.2 from the factory, so the first system update to 1.3 must have come with launcher v512, which means 1.2 must equal launcher v256, (Which is the launcher update JPN got, but was never released on the USA/EUR region update severs because we started on 1.2)

I hope that makes sense? Its a shame we dont have any earlier system update reports than 1.4.3 to check

<EDIT> Just to add, this GBAtemp thread from 2009 confirms it was DSi system update 1.4 that started blocking flash carts:-
https://gbatemp.net/threads/dsi-update-flashcard-which-will-work.146321/
Now there could still have been a v0 whitelist on 1.2/1.3, but it obviously must not have blocked DSi flash carts at the time.

 

[Apache Thunder]

I checked. The .app downloaded by NUS is identical to the one from the 1.4 NAND image I have. So v512 appears to be 1.4 Launcher.

 

[Razor83]

I checked. The .app downloaded by NUS is identical to the one from the 1.4 NAND image I have. So v512 appears to be 1.4 Launcher.

Well that doesnt seem to make any sense!?

I updated the chart to take JPN 1.1 into account:-

(In case anyone wonders why update 1.4.3 has an X for launcher, its because I read on DSibrew that 1.4.3 only updated the whitelist)

Now if we rearrange the launcher versions so that update 1.4 = launcher v512 it would look like this:-

Obviously we cant have two different version 0's, so i'm not sure what to make of this?
@Apache Thunder Are you certain your 1.4 NAND dump was untouched?

 

[Apache Thunder]

Pretty sure. It was given to me by someone who dumped it with a nand mod. He hadn't made any changes to it. I used it to downgrade from 1.4.3 to 1.4 and Launcher was one of the titles I downgraded to match his.


EDIT:

I looked at the TMD. Title version in the TMD is listed as this in hex at offset 0x1DC:

02 00

And the version offset in the SRL (0x1E) matches this as well. Not sure what version string that translates to however...

Note that 1.4.5's Launcher has this as title version:

07 00

 

[Shicky256]

Nintendo tends to not put stuff that was preloaded on NUS, so unless some cool guy uploaded that somewhere you may have to find a DSi on 1.2 or 1.3 (pretty sure the only difference was that 1.2 wouldn't let you access data management or DSi shop unless you updated). Anyway here's a table I came up with using data from this analysis of 1.4.2 as an additional source. I'm guessing with the earlier versions, but due to the whole "title key didn't come out until 2011" thing, it's hard to find earlier information.

edit: wow nvm, guess I should really refresh more often
edit 2: According to GBATEK, the whitelist existed as early as 1.3, it just didn't have the second and third portions (so only the one with the ID "NDHT").

About the "you can recover lost tiles from NAND" thing that windwakr said, I'd be kind of interested in that, since my DSi came on 1.2 and I upgraded it fairly recently (I know, stupid decision). Is there any process for doing that besides running Recuva or something on the mounted image?

 

[Apache Thunder]

That explains why Acekard could have a custom icon. The second section was responsible for hashing the icon. If that section wasn't implemented until 1.4 then that makes sense then.



Also I counted back from 07 00 to 02 00 and arrived to 1.4. So assuming each update incremented the title version by one for the first hex pair, then if you count back from 07 until you reach 02 on the chart there with 1.4.5 being 07, you end up on 1.4.

 

[Razor83]

Also I counted back from 07 00 to 02 00 and arrived to 1.4. So assuming each update incremented the title version by one for the first hex pair, then if you count back from 07 until you reach 02 on the chart there with 1.4.5 being 07, you end up on 1.4.

It just seems so strange! If 1.4 = v512, then what launcher versions did 1.1 and 1.2 use?

@Apache Thunder Out of curiousity which versiondata is on the 1.4 NAND image?

 

[Apache Thunder]

DSi Firmware Versions
1.0 22 Oct 2008 First Update to Japanese Region DSi System Menu
1.2 18 Dec 2008 Second Update to Japanese Region DSi System Menu
1.3 03 Apr 2009 Launch Day (USA, EUR, AUS), new "start DSi Camera" button
1.4 29 Jul 2009 Blocks NDS flashcarts, Facebook support to share photos
1.4.1 07 Sep 2010 Blocks more NDS flashcarts
1.4.2 10 May 2011 Blocks DSiWare exploits on SD card (sudokuhax etc.)
1.4.3 29 Jun 2011 Blocks more NDS flashcarts (only whitelist was updated)
1.4.4 21 Mar 2012 Blocks DSi cart exploits (CookingCoach/ClassicWordGames)
1.4.5 11 Dec 2012 Blocks more NDS flashcards

1.2/1.1 does not exist for USA/Europe/Australia at all. Consoles were released in those regions with 1.3. Only Japan saw the older revisions. Note that Gamecode/TID for Japan's Launcher is different from USA version. (Europe version also had it's own TID), so title versions did not conflict on NUS.

As for the version.bin contained in the version data SRL:

 

[Shicky256]

Actually, Nintendo's official page (and I guess gbatek) is wrong about that. US launch DSi consoles came with 1.2. Here's a screenshot of an unboxing video from 2009 that shows a DSi with 1.2:

1.2 was kind of a "stub firmware" in that it wouldn't let you access the shop or Data Management unless you updated to a newer firmware, so I don't know how it would react to having titles sideloaded, but it does exist. If you want to buy a DSi with 1.2, look for 6 or 7 dots on the bottom screen, since they didn't have Flipnote or Browser preloaded.

 

[Razor83]

Yeah I have a European launch DSi with version 1.2E, and I didnt think there was any reason to consider hardmodding it until now.

Also i'm not sure if 1.0 ever existed, since this review of a Japanese launch DSi shows version 1.1J at 3m42s:-

(pretty sure the only difference was that 1.2 wouldn't let you access data management or DSi shop unless you updated)

Actually the option for Data Management only appears once you have accessed the DSi Shop at least once:-
https://www.nintendo.co.uk/Support/...s/Data-Management/Data-Management-242015.html

Please Note: The "Data Management" setting will not be displayed until you connect online and enter the Nintendo DSi Shop for the first time. After you have entered the Nintendo DSi Shop, "Data Management" will appear in System Settings Page 1.

I have a DSi XL that came with 1.4 and it doesnt have a data management option. So 1.2 may have had a data managment option, but it wasnt visable/accessible until you accessed the DSi Shop, which of course requires a system update.

 

[Apache Thunder]

Mine didn't have Data Management either. I manually updated eShop so it would attempt to connect. (the 1.4 eShop would stop at the same update notice, but failed to add Data Management option to System Settings). After exiting, Data Management was available.

 

[Shicky256]

make sure you have these files present in your No$GBA folder:

bios7i.bin
bios9i.bin
BIOSDSI7.ROM
BIOSDSI9.ROM
BIOSNDS7.ROM
BIOSNDS9.ROM

I can dump the rest of the stuff with Fwtool, but how'd you dump biosdsi7.rom and biosdsi9.rom? There's no publicly available method and even the no$gba help file (turns out the full version's only on the debug edition of no$gba) says that it's not fully dumpable.

 

[Apache Thunder]

I forgot where I got them. I think I got them from 3DS's TWL_FIRM?

 

[Razor83]

Anyway here's a table I came up with using data from this analysis of 1.4.2 as an additional source. I'm guessing with the earlier versions, but due to the whole "title key didn't come out until 2011" thing, it's hard to find earlier information.

Thanks to this info which confirms the versions for 1.4.1 and 1.4.2, along with Apache Thunder's info that 1.4 uses launcher v512, it becomes clear that DSibrew has a number of mistakes So if we disregard DSibrew and use only the confirmed information we end up with this:-

I have extended the chart to also show the system settings and versiondata info as well. This means Nintendo must not have updated certain titles with every system update.
If anyone has NAND dumps from 1.0/1.1/1.2/1.3 it would be great to fill in the blanks. (I'm going to try and get a hardmod for my 1.2E system sometime)

I managed to confirm that 1.0J did exist:-
http://av.watch.impress.co.jp/docs/20081101/ninten.htm

(As a side note its really annoying that people make video unboxings of items they have already opened/setup and then just repackaged for the video)

Also from gbatemp's own video it appears that even 1.1J was able to have the data management option once it had accessed the DSi Shop:-

 

[Shicky256]

If anyone has NAND dumps from 1.0/1.1/1.2/1.3 it would be great to fill in the blanks. (I'm going to try and get a hardmod for my 1.2E system sometime)

The problem with that is that it's kind of a catch-22. You can't hardmod your DSi without getting access to Data Management and a program that can be copied from NAND to the SD card (you need that stuff to get your ConsoleID from the .bin file on your SD card, which is needed for decryption). Apache Thunder's workaround won't work because you already need access to the decrypted NAND to add an updated Shop (so I kinda wonder how he managed to do that stuff in the first place).
Knowing Nintendo's poor security track record with the DSi (not actually checking anything in tickets besides title ID, for example) it wouldn't surprise me if the console would boot without the whitelist file or with the second and third sections of it removed. However, since I don't have a permanent hardmod I can't personally test this (don't want to have to solder to those tiny points a third time).

 

[I pwned U!]

You can't hardmod your DSi without getting access to Data Management and a program that can be copied from NAND to the SD card (you need that stuff to get your ConsoleID from the .bin file on your SD card, which is needed for decryption).

Actually, you can hardmod it on a low and/or stock firmware and make a NAND dump, but you just cannot decrypt that NAND dump until you update it to 1.4.5 to access Data Management.

 

[Apache Thunder]

Yeah you can update to latest firmware to get Data Management. As long as you made your nand dump before you did, you simply flash it back once you updated, used eShop, then gained access to Data Management to export something to SD.

Once you did that you flash back your backup image. That's how you'd retrieve the needed keys and then you can decrypt the nand backup after all of that.

 

[Razor83]

The problem is the DSi Shop is now dead and only offers the 3DS Transfer Tool, so even once you have access to Data Management there is no DSiWare you can transfer to the SD card to get the ConsoleID

Is there still absolutely no other way to obtain the ConsoleID? Is it impossible for cartridge save exploits to access the ConsoleID as well as the CID? What ever happened to DSi Soundhax?