Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

Ryccardo

Can someone maybe briefly explain this thread?
With a hardmod (or a DSiware exploit plus the "fwtool" DSi homebrew), you can obviously backup and restore your nand.

With at least one DSiware installed that you can copy to SD,
PLUS at least one device capable of reading the CID (most internal laptop SD drives that appear in Linux as /dev/mmcblk*, appropriate software for Arduino/Raspberry, or a secondary exploit for the DSi enhanced game "Biggest Loser"),
you can decrypt the backup and edit the contents.

With the ability to edit the contents of the nand, considering also a large number of shortcuts taken in the DSi's system software, you can:
- Downgrade any installed title (especially the launcher and the whitelist to unlock flashcards blocked after launch)
- Inject .app files (better known as .srl or .nds) into any executable title, where they will run with the permissions of the original software
- Install """backups""" of most DSiware, thanks to the TMDs dumped in the last days by a kind gbatemp member
- Backup, restore, and trade DSiware saves (including installing exploits even if you have the system settings app that came with 1.4.2+)
- If you're using 1.4.0 system apps, actually edit the whitelist to unlock some non-DSi flashcards!
 

Oleboy555

With a hardmod (or a DSiware exploit plus the "fwtool" DSi homebrew), you can obviously backup and restore your nand.

With at least one DSiware installed that you can copy to SD,
PLUS at least one device capable of reading the CID (most internal laptop SD drives that appear in Linux as /dev/mmcblk*, appropriate software for Arduino/Raspberry, or a secondary exploit for the DSi enhanced game "Biggest Loser"),
you can decrypt the backup and edit the contents.

With the ability to edit the contents of the nand, considering also a large number of shortcuts taken in the DSi's system software, you can:
- Downgrade any installed title (especially the launcher and the whitelist to unlock flashcards blocked after launch)
- Inject .app files (better known as .srl or .nds) into any executable title, where they will run with the permissions of the original software
- Install """backups""" of most DSiware, thanks to the TMDs dumped in the last days by a kind gbatemp member
- Backup, restore, and trade DSiware saves (including installing exploits even if you have the system settings app that came with 1.4.2+)
- If you're using 1.4.0 system apps, actually edit the whitelist to unlock some non-DSi flashcards!
Thanks!
 

Ryccardo

So hang on, I have SudokuHax installed on my system from when it first launched. How do I dump my firmware without a hardmod? It's also on 1.4.5, however I can still boot into the Homebrew Channel
"fwtool" is the homebrew you're looking for; but according to Apache Thunder it may be incompatible with the original sudokuhax due to artificial restrictions in that exploit

I guess creating a backup and trying to decrypt it is safe and (almost) free...

https://gbatemp.net/threads/how-wou...c-and-wifi-flash-with-sudokuhax.390019/page-2
 

8BitWalugi

"fwtool" is the homebrew you're looking for; but according to Apache Thunder it may be incompatible with the original sudokuhax due to artificial restrictions in that exploit

I guess creating a backup and trying to decrypt it is safe and (almost) free...

https://gbatemp.net/threads/how-wou...c-and-wifi-flash-with-sudokuhax.390019/page-2
Hm I see... was there an exploit that was compatible? Just wondering. When I boot SudokuHax it says 1.0, so I doubt there'd be much hope on that front.

Edit: running it now, it's dumping block ~900/3840. Is... Is it working?
 
Last edited by 8BitWalugi,

Ryccardo

Hm I see... was there an exploit that was compatible? Just wondering. When I boot SudokuHax it says 1.0, so I doubt there'd be much hope on that front.
I'm not very familiar with DSiware exploits themselves; given that at least the 4 Swords one is open source I would bet more on that, but I haven't actually checked the code (mostly assembly)
 

Ryccardo

Even then, I don't know if it'd work on 1.4.5
The DSi doesn't have a background operating system actively blocking exploits; rather, the version of system settings that came with 1.4.2+ blocks the installation of any DSiware save not signed by your own console (therefore including exploits you didn't install in another way - older settings version or nand editing)!
 

8BitWalugi

The DSi doesn't have a background operating system actively blocking exploits; rather, the version of system settings that came with 1.4.2+ blocks the installation of any DSiware save not signed by your own console (therefore including exploits you didn't install in another way - older settings version or nand editing)!
Alright alright... I dumped my NAND.bin, what can I do with this? I can see something about a CID, how do I get this with my setup?

If I need to buy The Biggest Loser, I can

Edit: Even if I was to decrypt and modify my NAND, how would I reinject it into my system? I see nothing of the sort in the tool
 
Last edited by 8BitWalugi,

Razor83

The problem is the DSi Shop is now dead and only offers the 3DS Transfer Tool, so even once you have access to Data Management there is no DSiWare you can transfer to the SD card to get the ConsoleID :(

Is there still absolutely no other way to obtain the ConsoleID? Is it impossible for cartridge save exploits to access the ConsoleID as well as the CID? What ever happened to DSi Soundhax?
@nocash123 I was reading some of your threads and it seems you were looking into alternative ways to get the ConsoleID before discovering the 'DSiWare transferred to SD card' method. Might you have any idea how else we can acquire the ConsoleID now that the DSi Shop is closed?

Also, it doesn't seem like anyone has been archiving DSiWare as TAD files (The DSi equivalent of WAD or CIA) and I just wondered why? NUSdownloader has the option to "Pack WAD" but no option to "Pack TAD". Shouldn't we be archiving DSiWare in its proper format whilst we still have the ability to download it from the servers?

Also, has TwlNmenu (the DSi equivalent of 3DS DevMenu) been converted to use the retail DSi common key? If so, is there any way we can install it on a retail DSi? I believe @Apache Thunder managed to get NandFiler working on a retail DSi, although I'm not sure how?
 
Last edited by Razor83,

Shicky256

Alright alright... I dumped my NAND.bin, what can I do with this? I can see something about a CID, how do I get this with my setup?

If I need to buy The Biggest Loser, I can

Edit: Even if I was to decrypt and modify my NAND, how would I reinject it into my system? I see nothing of the sort in the tool
Fwtool has a "dump CID" option, as well as a "restore nand_dsi.bin" option.
 

nocash123

ConsoleIDs are in this form:
08A20nnnnnnnn1nnh for DSi
08A19???????????h for some other DSi
08201nnnnnnnn1nnh for DSi XL
????????????????h for 3DS
with the "n" digits being in range 0..9 (no A..F digits). As far as I remember it took around 30 hours to brute-force the correct digits (that was doing the brute-forcing on a DSi console; it may be faster on other hardware). A tool for brute-forcing the CID would probably be more interesting (since most people already have the ConsoleID, and only need the CID). As long as you know one of the two values it shouldn't be too difficult to brute-force the other value within reasonable time.

TAD is slang for BIN files on SD card, which isn't what you are downloading from the dsi shop. The BIN files are nice because they do also include a copy of the TMD, plus some personal data like game positions, and the ConsoleID.
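The post above gives the ConsoleID layouts and notes that the decimal-only "n" positions are what make the search tractable. The following is an added example (not code from this thread, from TWLTool or from any of the posters) that turns those patterns into a candidate space: it validates a concrete ConsoleID against a pattern, computes how many candidates a pattern leaves open, and drives a generic search loop. The pattern strings are the three DSi lines quoted in the post; the `accept` callback and the sample target value are stand-ins of my own, since the thread does not describe how a candidate is actually verified against a NAND backup.

```python
import math
import string
from itertools import product
from typing import Callable, Iterator, Optional

# ConsoleID patterns as listed in the post above (16 hex digits plus a trailing "h").
# In a pattern, "n" stands for a decimal digit 0..9 only, "?" for any hex digit,
# and every other character is a fixed hex digit.
PATTERNS = {
    "DSi": "08A20nnnnnnnn1nnh",
    "DSi (other)": "08A19???????????h",
    "DSi XL": "08201nnnnnnnn1nnh",
}

DECIMAL = "0123456789"
HEX = "0123456789ABCDEF"


def normalize(text: str) -> str:
    """Strip the trailing 'h', uppercase fixed hex digits, keep 'n'/'?' placeholders."""
    t = text.strip()
    if t and t[-1] in "hH":
        t = t[:-1]
    if len(t) != 16:
        raise ValueError("a ConsoleID (or pattern) is 16 hex digits: %r" % text)
    out = []
    for ch in t:
        if ch in "n?":
            out.append(ch)
        elif ch in string.hexdigits:
            out.append(ch.upper())
        else:
            raise ValueError("invalid character %r in %r" % (ch, text))
    return "".join(out)


def matches(console_id: str, pattern: str) -> bool:
    """True if a concrete ConsoleID fits the pattern's fixed, decimal and wildcard positions."""
    cid = normalize(console_id)
    if any(c not in HEX for c in cid):
        raise ValueError("console_id must be a concrete hex value, not a pattern")
    for c, p in zip(cid, normalize(pattern)):
        if p == "n":
            if c not in DECIMAL:
                return False
        elif p != "?" and c != p:
            return False
    return True


def candidate_count(pattern: str) -> int:
    """Size of the search space the pattern leaves open (10 per 'n', 16 per '?')."""
    p = normalize(pattern)
    return 10 ** p.count("n") * 16 ** p.count("?")


def iter_candidates(pattern: str) -> Iterator[str]:
    """Lazily enumerate every ConsoleID matching the pattern, lowest value first."""
    p = normalize(pattern)
    slots = [i for i, ch in enumerate(p) if ch in "n?"]
    alphabets = [DECIMAL if p[i] == "n" else HEX for i in slots]
    chars = list(p)
    for combo in product(*alphabets):
        for i, ch in zip(slots, combo):
            chars[i] = ch
        yield "".join(chars)


def brute_force(pattern: str, accept: Callable[[str], bool],
                limit: Optional[int] = None) -> Optional[str]:
    """Return the first candidate accepted by the caller's oracle, or None after `limit` tries.

    `accept` is a placeholder for the real check (whether a candidate makes the
    owner's own NAND backup decrypt sensibly), which this example does not implement.
    """
    for tried, cand in enumerate(iter_candidates(pattern)):
        if limit is not None and tried >= limit:
            return None
        if accept(cand):
            return cand
    return None


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        n = candidate_count(pat)
        print("%-12s %s -> %d candidates (%.1f bits)" % (name, pat, n, math.log2(n)))
    # Constructed target, used only to show the driver loop terminating.
    target = "08A2000000000105"
    print(brute_force(PATTERNS["DSi"], lambda c: c == target, limit=1000))
```

Running the script prints 10^10 candidates (about 33 bits) for the two decimal-constrained DSi patterns versus 16^11 (44 bits) for the all-wildcard one, which is the gap the post's "no A..F digits" remark is pointing at.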
 

Apache Thunder

Speaking of ConsoleID, I think I verified that 4004D00h exists on 3DS in TWL mode. I checked the tickets that DSi System Settings generated after I managed to get it to finish a system update a while back. I got my ConsoleID by pulling it out of ITCM memory with GodMode9, then tried decrypting the tickets with it... The result was valid tickets! So yeah, DSi System Settings is getting the correct ConsoleID, which means 4004D00h operates the same way on 3DS.

I tried reading the port with some homebrew. I wasn't getting valid results though, since I didn't have the right code for it. I was using an old test app Ahezard made, so I could only retrieve half the string from arm7 with the fifo code he had set up; it was probably also incorrect because of that. But I noticed that this register would be zero unless I booted from a homebrew app started as a system app (I have a version of hbmenu installed with the file category set to 15 in the TID). So it looks like only system apps have access to that port. As gbatek documented, it's write-only for normal apps. :(

By the way the console ID DSi System Settings used for my tickets was "6B27D20002XXXXXX". (X used to censor out final digits) So a little different compared to the ones DSi uses.
 
Last edited by Apache Thunder,
