Hacking Hacking DSi 2015?

[reprep]

There's no way to get around buying a game for this. I tested injecting one srl over a different title's, no good.

i am totally fine with buying game but hw mod makes me worried.

 

[Gadorach]

i am totally fine with buying game but hw mod makes me worried.

Trust me, as long as you use flux, and a fine-tipped soldering iron at 25w+, you'll have no issues at all. If you have a DSi XL, use my modified diagram, and don't touch the bloody resistor array. Else, I bet @hundshamer would be willing to offer the service. Speaking of which, why isn't he all up here in this thread by now anyway?

 

[atkfromabove]

So the reason for the hardmod is to update to the latest firmware to buy a copy of one of the games from the dsi shop then downgrade back to 1.4 with the game license?

 

[zoogie]

So the reason for the hardmod is to update to the latest firmware to buy a copy of one of the games from the dsi shop then downgrade back to 1.4 with the game license?

Probably, it's just to copy over an existing save with a hacked save.

 

[Deleted-355425]

is it not possible any other way if i have ver1.4.1 dsi xl ?

 

[WulfyStylez]

So the reason for the hardmod is to update to the latest firmware to buy a copy of one of the games from the dsi shop then downgrade back to 1.4 with the game license?

Nope, the purpose of the hardmod is to be able to modify your system NAND. The DSi's crypto is completely broken atm. You can downgrade titles (whitelist will let more carts run, system settings will allow the old method of dsiwarehax injection), directly inject saves for dsiware, etc.

Basically, DSi system version doesn't matter at all any more.

 

[Apache Thunder]

There's no way to get around buying a game for this. I tested injecting one srl over a different title's, no good.

Yeah. As I recall injecting a different title over a game only works on TWL mode of the 3DS because of how the 3DS handles TWL mode. But not the case with the DSi I'm afraid.

With the DSi, I think you can only replace a SRL/Game with an older version of the same game.

 

[Gadorach]

Ok, so, after a bit of research, I figured out the 0000FEFE usually means that there's a NVRAM issue. @WulfyStylez know of any ways to re-write the NVRAM manually? I did check the resistor array and it has proper continuity and resistance along the circuit, so that's probably not the issue. I can still read and write the NAND properly right now, but 0000FEFE is killing me, ha ha

Yup, popped off the WiFi chip, and it sits at a black screen until I pop the chip back on, and it instantly 0000FEFEs. I have an original DS capable of installing FlashMe, and actually has FlashMe installed currently. Could you look into making a restore app for DSi NVRAM?

 

[WhoAmI?]

Ok, so, after a bit of research, I figured out the 0000FEFE usually means that there's a NVRAM issue. @WulfyStylez know of any ways to re-write the NVRAM manually? I did check the resistor array and it has proper continuity and resistance along the circuit, so that's probably not the issue. I can still read and write the NAND properly right now, but 0000FEFE is killing me, ha ha

Yup, popped off the WiFi chip, and it sits at a black screen until I pop the chip back on, and it instantly 0000FEFEs. I have an original DS capable of installing FlashMe, and actually has FlashMe installed currently. Could you look into making a restore app for DSi NVRAM?

May we see a picture of your DSi NAND mod? Pretty please?

 

[hundshamer]

Trust me, as long as you use flux, and a fine-tipped soldering iron at 25w+, you'll have no issues at all. If you have a DSi XL, use my modified diagram, and don't touch the bloody resistor array. Else, I bet @hundshamer would be willing to offer the service. Speaking of which, why isn't he all up here in this thread by now anyway?

WhO sUmMoNs Me! LOL

I wasn't aware of the turn this tread took until you alerted me. I'm willing to give it a shot,but don't have a DSi to test for myself.

 

[Gadorach]

May we see a picture of your DSi NAND mod? Pretty please?

Just a picture of it installed and working? Sure, but it's not pretty and everything yet, not until I get my new JST headers in and can actually hook it up all pretty-like.
I'll solder it back on and take a picture for you in a little bit.

 

[WulfyStylez]

TWLTool coming fairly soon. Features:
-NAND (de)cryption given only a CID and ConsoleID
-SRL de/remodcrypting
-Boot2 decryption and dumping by section

NAND decryption works for both DSi and 3DS TWL partitions given the necessary input data. The 3DS has a bug where it only has 31 bits of ConsoleID entropy, so it's planned to have something to bruteforce that fairly quickly. That'd allow dsiwarehax injection on any system up to the newest firmware and beyond.
Boot2 decryption supports both DSi and TWL_FIRM (3DS) decryption, and extracts them cleanly out to arm7.bin and arm9.bin.
SRL modcrypting is good for reverse-engineering, not much to say beyond that.

You'll need a way to dump your DSi or 3DS's eMMC CID register. This can't be done over USB readers, but can be done with more direct interfaces like RasPis. I personally dumped mine through a custom Biggest Loser savegame that I'll be including on release (both US and EU regions.) More savegames might be available too (Cooking Coach), we'll see. The Biggest Loser is ideal since it works up to 1.4.5, though. ConsoleID can come from any exported DSiWare title, including the free ones.

The release thread will have some brief guides on stuff including title downgrading and save injection.

 

[Gadorach]

Vids of my DSi XL NAND mod installed and working:





Enjoy!

Also, I've been trying to edit the hardware page of the DSiBrew Wiki, but I keep failing the "special question" check. Unless the server the wiki is hosted on is in a weird time zone, or broken, then my answer should be correct. It's just Bash after all, and it worked once to let me create an account. No fucking wonder the wiki is so bare if the auth only works a 50th of the time.

PS, here's the challenge: "What is the output of 'date -u +%F | sha1sum | head -c8; echo' ?"
Which, right now, for me is "fd1b81bb".

Anyway, if anyone wants to try their hand at editing the page, here's the modified page:

Spoiler: Wiki Edits

{{stub}}

== Specifications ==

*[[Cameras|Includes (2) 0.3 Megapixel VGA Cameras]]
*240MB(+16MB probably reserved for wear leveling purposes (e.g. replacing bad blocks)) Internal Flash Memory - Samsung kmapf0000m-S998 MOVI [[NAND]] - MMC Interface
*16MB RAM - NEC uPD 46128512AF1 - DDR SRAM or a Fujitsu 128-Mbit FCRAM 82DBS08164D-70L (datasheet: http://edevice.fujitsu.com/fj/DATASHEET/e-ds/e511454.pdf mirror:[[Media:E511454.pdf]]
*(2) 256 x 192 3.25 Inch Displays, one of which has a resistive touch screen
*Backwards compatible with Nintendo DS games but not GBA games due to the lack of a gameboy cartridge port.
*Integrated ARM7/ARM9 cores clocked at 133mhz in real mode and downclocked to 66mhz for compatibility mode.
*PAIC3000D Sound Chip - possibly a TI codecs: AIC3    ????
*Mitsumi (MM3317A) or TI 72071B0 - Power supply and charger circuit ????
*SD/SDHC Card slot
*[[WiFi_Module]] with integrated 128KB SPI Flash for [[NVRAM]], WiFi settings

== Hardware Revisions ==
* DSi
** board C/TWL-CPU-01 (Original rev, all pictures below)
** CPU: TWL.  The latest date code picture I could find online was "0836 1m" as shown below, however other pictures with CPU covered show the NAND codes as late as 916, so...
** Suspect this is the only board where WiFi chip is available in Hybrid games like CookingCoach
** Wireless card DWM-W015

* DSi RevA
** board C/TWL-CPU-10 (Newer model, can someone provide a date or serial # range?)
** CPU: TWL A.  Mine is "0940  2m".  My US Serial # is ~ TW71848???[5].  If yours is earlier, please update this.
[[Image:TWL-CPU-10.png]]


* DSi XL
** board C/UTL-CPU-01
** CPU is TWL A
** Wireless card DWM-W024

== Images ==

=== Front ===

[[Image:Twl_front.jpg]]
[[Image:Twl_front_traces.jpg|600px]]

The socket to the left of the ARM processor is the wifi chip socket.

TWL CPU pinout map: [[File:Twl_cpu_pinout.pdf]] (WIP)

=== Back ===

[[Image:Twl_back.jpg]]

=== DSi NAND pinout ===
[[Image:Dsi_nand.jpg|600px]]
[[Image:Dsi_nanddat.png|600px]]

=== DSi NAND Diagram ===

[[Image:DSi_NAND_Pinout.jpg|600px]]

=== DSi XL NAND Diagram ===
[[Image:DSiXL_NAND_Pinout.png|600px]]

=== PCB overlay ===
[[Image:Nintendo DSi PCB Layered.jpg|600px]]
=== CPU with new ram ===

[[Image:CPUv2.jpg]]

=== Glamor Shot ===

[[Image:Nintendo-dsi-Glamor-Shot.jpg]]

== References ==

# http://en.wikipedia.org/wiki/Nintendo_DSi
# http://insidetronics.blogspot.com/2008/11/new-nintendo-dsi-teardown.html
# http://techon.nikkeibp.co.jp/english/NEWS_EN/20081111/161077/
# http://games.gearlive.com/playfeed/article/q408-nintendo-dsi-announced-larger-screens-dual-cameras-dsi-shop-store/
# http://www.ifixit.com/Guide/First-Look/Nintendo-DSi/714/1

 

[Apache Thunder]

TWLTool coming fairly soon. Features:
*snipped*
Boot2 decryption supports both DSi and TWL_FIRM (3DS) decryption, and extracts them cleanly out to arm7.bin and arm9.bin.
*snipped*

Boot2 exists on 3DS? Did not know that. Will it support re-encryption and reimport of it? I always thought all TWL firmware type stuff was on the TWL_FIRM CXI stored on CTR_NAND. Guess I was wrong. I don't suppose it could be possible to downgrade Boot2 to something from the DSi to allow older DS flashcarts on the 3DS without downgrading TWL_FIRM on CTR_NAND? Or is there going to be major differences with how Boot2 is used on 3DS where this would just break things? (althought it may not even be Boot2 responsible for blocking flashcarts anyways. DS Cart White list handles some things, but then others I assumed was blocked by TWL FIRM itself. But then you mentioned Boot2...so now I'm unsure. )

Though I would love to see the DSi Home Menu/Boot Logo show up on the 3DS. That would be trippy if someone ever got that to work.

The usual "nostalgia" patch on AGB_FIRM has no effect on DSi I believe. I modified the extracted pre-patched BIN rxTools uses and it had no effect in how it booted up.

 

[WhoAmI?]

Vids of my DSi XL NAND mod installed and working:





Enjoy!

Also, I've been trying to edit the hardware page of the DSiBrew Wiki, but I keep failing the "special question" check. Unless the server the wiki is hosted on is in a weird time zone, or broken, then my answer should be correct. It's just Bash after all, and it worked once to let me create an account. No fucking wonder the wiki is so bare if the auth only works a 50th of the time.

PS, here's the challenge: "What is the output of 'date -u +%F | sha1sum | head -c8; echo' ?"
Which, right now, for me is "fd1b81bb".

Anyway, if anyone wants to try their hand at editing the page, here's the modified page:

Spoiler: Wiki Edits

{{stub}}

== Specifications ==

*[[Cameras|Includes (2) 0.3 Megapixel VGA Cameras]]
*240MB(+16MB probably reserved for wear leveling purposes (e.g. replacing bad blocks)) Internal Flash Memory - Samsung kmapf0000m-S998 MOVI [[NAND]] - MMC Interface
*16MB RAM - NEC uPD 46128512AF1 - DDR SRAM or a Fujitsu 128-Mbit FCRAM 82DBS08164D-70L (datasheet: http://edevice.fujitsu.com/fj/DATASHEET/e-ds/e511454.pdf mirror:[[Media:E511454.pdf]]
*(2) 256 x 192 3.25 Inch Displays, one of which has a resistive touch screen
*Backwards compatible with Nintendo DS games but not GBA games due to the lack of a gameboy cartridge port.
*Integrated ARM7/ARM9 cores clocked at 133mhz in real mode and downclocked to 66mhz for compatibility mode.
*PAIC3000D Sound Chip - possibly a TI codecs: AIC3    ????
*Mitsumi (MM3317A) or TI 72071B0 - Power supply and charger circuit ????
*SD/SDHC Card slot
*[[WiFi_Module]] with integrated 128KB SPI Flash for [[NVRAM]], WiFi settings

== Hardware Revisions ==
* DSi
** board C/TWL-CPU-01 (Original rev, all pictures below)
** CPU: TWL.  The latest date code picture I could find online was "0836 1m" as shown below, however other pictures with CPU covered show the NAND codes as late as 916, so...
** Suspect this is the only board where WiFi chip is available in Hybrid games like CookingCoach
** Wireless card DWM-W015

* DSi RevA
** board C/TWL-CPU-10 (Newer model, can someone provide a date or serial # range?)
** CPU: TWL A.  Mine is "0940  2m".  My US Serial # is ~ TW71848???[5].  If yours is earlier, please update this.
[[Image:TWL-CPU-10.png]]


* DSi XL
** board C/UTL-CPU-01
** CPU is TWL A
** Wireless card DWM-W024

== Images ==

=== Front ===

[[Image:Twl_front.jpg]]
[[Image:Twl_front_traces.jpg|600px]]

The socket to the left of the ARM processor is the wifi chip socket.

TWL CPU pinout map: [[File:Twl_cpu_pinout.pdf]] (WIP)

=== Back ===

[[Image:Twl_back.jpg]]

=== DSi NAND pinout ===
[[Image:Dsi_nand.jpg|600px]]
[[Image:Dsi_nanddat.png|600px]]

=== DSi NAND Diagram ===

[[Image:DSi_NAND_Pinout.jpg|600px]]

=== DSi XL NAND Diagram ===
[[Image:DSiXL_NAND_Pinout.png|600px]]

=== PCB overlay ===
[[Image:Nintendo DSi PCB Layered.jpg|600px]]
=== CPU with new ram ===

[[Image:CPUv2.jpg]]

=== Glamor Shot ===

[[Image:Nintendo-dsi-Glamor-Shot.jpg]]

== References ==

# http://en.wikipedia.org/wiki/Nintendo_DSi
# http://insidetronics.blogspot.com/2008/11/new-nintendo-dsi-teardown.html
# http://techon.nikkeibp.co.jp/english/NEWS_EN/20081111/161077/
# http://games.gearlive.com/playfeed/article/q408-nintendo-dsi-announced-larger-screens-dual-cameras-dsi-shop-store/
# http://www.ifixit.com/Guide/First-Look/Nintendo-DSi/714/1

NEAT!

 

[WulfyStylez]

Boot2 exists on 3DS? Did not know that. Will it support re-encryption and reimport of it? I always thought all TWL firmware type stuff was on the TWL_FIRM CXI stored on CTR_NAND. Guess I was wrong. I don't suppose it could be possible to downgrade Boot2 to something from the DSi to allow older DS flashcarts on the 3DS without downgrading TWL_FIRM on CTR_NAND? Or is there going to be major differences with how Boot2 is used on 3DS where this would just break things? (althought it may not even be Boot2 responsible for blocking flashcarts anyways. DS Cart White list handles some things, but then others I assumed was blocked by TWL FIRM itself. But then you mentioned Boot2...so now I'm unsure. )

Though I would love to see the DSi Home Menu/Boot Logo show up on the 3DS. That would be trippy if someone ever got that to work.

The usual "nostalgia" patch on AGB_FIRM has no effect on DSi I believe. I modified the extracted pre-patched BIN rxTools uses and it had no effect in how it booted up.

It's all packed in TWL_FIRM. Boot2 has never been updated on either platform. The 3DS uses the devkit DSi LAUNCHER (menu), and twlnand varies way too much for stock system apps to work on it.

 

[WhoAmI?]

Nope, the purpose of the hardmod is to be able to modify your system NAND. The DSi's crypto is completely broken atm. You can downgrade titles (whitelist will let more carts run, system settings will allow the old method of dsiwarehax injection), directly inject saves for dsiware, etc.

Basically, DSi system version doesn't matter at all any more.

Where exactly are you going to post it? 0~0 In the 3DS Custom Firmware section or what? DSi doesn't have it's own forum page ;_;

 

[Gadorach]

Where exactly are you going to post it? 0~0 In the 3DS Custom Firmware section or what? DSi doesn't have it's own forum page ;_;

@Bortz You should fix that.

 

[Apache Thunder]

It's all packed in TWL_FIRM. Boot2 has never been updated on either platform. The 3DS uses the devkit DSi LAUNCHER (menu), and twlnand varies way too much for stock system apps to work on it.

Interesting. Although some system apps from DSi do work on 3DS. I tested some. (you just have to launch them with FBI, because only the web browser showed up on Home Menu. Everything else is a system app and I guess Home Menu only expected DSi system apps like DS INTERENT and DS Download Play to be installed so it hides all DSi system apps) I recall DSi Web Browser, eShop (though it gets a connection error when it connects to internet. Probably because missing info from TWLN partition?), DSi Sound, and DSi Camera app booted just fine. (and aside from eShop, they operate just as they would on a DSi)

DSi System Settings almost boots. But gets a black screen error. (but the black screen error isn't the one that occurs from CTR Arm9. It's the DSi Black screen error. I even hear the DSi system settings menu music for a quick instant before the error pops up) That also is probably because of missing data on the TWLN partition that a real DSi normally has but is not on a 3DS.

DSi Launcher (what I assumed was the Home Menu itself?) doesn't boot at all. It crashes with black screen error while still in CTR mode or during the transition into TWL mode. Maybe because boot2 doesn't work with it or it's not encrypted in a way 3DS was expecting. That or also because of missing stuff on TWLN/hardware compatibility) I'm just throwing out guesses at this point.

But say I replicated 99% of DSi NAND on 3DS TWLN partition. Could that improve the chances that Boot2 from DSi would work on 3DS if everything a DSi normally has is present on the 3DS or is there some hardware differences or clash with how TWL_FIRM sets things up that gets in the way?

I can imagine one thing is the fact that normally Slot-1 is not enabled in TWL mode if a DSi app was booted (and visa versa if a Slot-1 TWL title was booted), so DSi Home Menu might have issues trying to access Slot-1 since the 3DS TWL_FIRM would assume it's a normal DSi app and there be no Slot-1. Unless DSi Boot2 could possibly resolve that.

But even so if DSi Home Menu could boot on 3DS. That means one probably loses the ability to boot specific DSi titles from the Home Menu. If Boot2 from DSi works on 3DS, it would boot into TWL mode thinking it's a DSi and just show the DSi Home Menu everytime.

This also means it would behave more like a DSi so one couldn't inject different games over other games for things like Sudokuhax since it now handles tickets and signing completely on in TWL mode. Not sure if that's really worth it.

But I would like some way of getting a Nostalgia type patch for TWL. I do notice a "white screen" any time I boot into a DS/DSi game. It always shows it before transitioning into the game's first boot logo. I don't recall this being the case on a DS/DSi.

Perhaps the behavior to show the boot screen is still there, but just removed from 3DS boot2.

 

[zoogie]

Where exactly are you going to post it? 0~0 In the 3DS Custom Firmware section or what? DSi doesn't have it's own forum page ;_;

Since the dsi is a subset of every 3ds then 3ds it is -- zoogie logic™