Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

[nocash123]

TMD's may or may not have certificates appended at the end of the file, so the filesize varies with/without certificate, see gbatek for details.

TMD's are included in the .bin file when exporting games to SD card (via DSi's Data Managment function) (and the DSi SRL extractor tool does/should probably have some commandline option for extracting the TMD), so it isn't strictly neccessary to download them before the shop closes - the stuff isn't lost, unless a game has been so unpopular that everybody deleted it from the console after playing it a few times (or unless nobody ever bought that game at all). NB. nobody ever said that SRL extractor requires hardmods or hacking (unless using commandline tools is considered to be hard hacking).

TMD's don't contain any meaningful data, and it's quite unclear what Nintendo had in mind with that files, essentially, they are just wasting FAT clusters. Maybe they would have some purpose for titles with "multiple contents", but as far as I know, all DSi titles do have only "one content". The version entry might help on finding the game's version specific filename, but apparently ahezard got "v0 sudoku .app" working with "with the v257 .tmd" (don't know with which .app filename though). And the size/sha1 entries, Nintendo would be definetely able to verify them, but doing so would be totally pointless.
The thing that they've got wrong is verifying the RSA for the (useless) .tmd file, instead of the RSA for the (console specific) .tik file. Concerning piracy that's a really big mistake, but, on the other hand, it's allowing to install sudoku- or 4sword-hax on every (hardmodded) DSi console, so I wouldn't complain too much about it.

The RSA option in no$gba affects only 80h-byte signatures that are verifyied via the BIOS SWI functions (and even then, you would still need a valid signature, the option does just allow to use unencrypted signatures (="raw" SHA1's with padding) alternately the RSA-encrypted ones). Anyways, the option won't affect 100h/200h-byte signatures, so you can be sure that emulator & hardware will behave exactly the same on them.

Oh, and one question: When manually installing extra titles, did't you need to modify the "wrap.bin" and/or "menusave.dat" file(s), or did the launcher allow to boot the new titles without modifying those files?

 

[redunka]

Maybe they would have some purpose for titles with "multiple contents", but as far as I know, all DSi titles do have only "one content".

Actually, Nintendo have made a couple of DSiWare titles with more than one content, just not for DSi.
There's two 3DS-exclusive DSiWare's: "Famicom Wars DS" and "WarioWare: Touched" (has three version, one for each region).
Both of them consist of two pieces: "content 0" is SRL and "content 1" is NCCH with e-Manual.

 

[FFT]

Apparently I have 1000 DSi points. Is there anything I should purchase for preservation? I already have Sudoku and Four Swords so I don't need an exploit game.

If I were you, I would spend that money on Shantae, but that's not for preservation.

 

[I pwned U!]

When manually installing extra titles, did't you need to modify the "wrap.bin" and/or "menusave.dat" file(s), or did the launcher allow to boot the new titles without modifying those files?

No, I was unsure at first, but Mario Calculator still showed up without those edits. As for Mario Clock, I believe that the filename was incorrect. Some titles were named 00000000.app, and some others were 00000001.app and 00000006.app.

Is there any pattern to which number is needed at the end of the filename, or is it just random and requiring trial and error to make it show up in the launcher?

 

[redunka]

No, I was unsure at first, but Mario Calculator still showed up without those edits. As for Mario Clock, I believe that the filename was incorrect. Some titles were named 00000000.app, and some others were 00000001.app and 00000006.app.

Is there any pattern to which number is needed at the end of the filename, or is it just random and requiring trial and error to make it show up in the launcher?

That number is content ID. It can be found in tmd file at 0x1E4.

 

[nocash123]

The filenames like 00000006.app are what I mention in previous post: They depend on the version number in the .tmd file. So you will either need the .tmd for the correct version, or if you don't have the correct .tmd, you can rename the .app to match the incorrect version (the latter is easier, but it's a bit messier).
You can also download the correct .tmd http://nus.cdn.t.shop.nintendowifi.net/ccs/download/000300tt4ggggggg/tmd.nn with gggggggg=gamecode, and nn=tmd version, which could be something like nn=0,1,256,257,512, or for the 00000006.app file it might 6*256, ie. nn=1536 or so. I don't really understand Nintendo's numbering scheme.

Good to know that "wrap.bin" and "menusave.dat" aren't needed. And also interesting the 3DS-exclusive DSiWare's can have multiple contents, if it's used for e-Manuals then the DSi probably doesn't support anything like that.

 

[nocash123]

That number is content ID. It can be found in tmd file at 0x1E4.

Yeah, looks right. The version number at tmd[1DCh..1DDh] is often similar, but not always (eg. DSi Browser has some other/higher number at tmd[1DCh..1DDh], but the four bytes at tmd[1E4h..1E7h] do match the 8-digit .app name).

 

[redunka]

Yeah, looks right. The version number at tmd[1DCh..1DDh] is often similar, but not always (eg. DSi Browser has some other/higher number at tmd[1DCh..1DDh], but the four bytes at tmd[1E4h..1E7h] do match the 8-digit .app name).

I mostly deal with 3DS stuff myself, and from what I've seen, each piece of content from CDN is always named after its content ID from TMD.
And it's usually hard to guess title version from content name if you don't know how many updates that title had, which title versions those previous updates used, how many content this title has, etc.
Like, for example: latest title version for a title "0004000e00177000" (patch for Euro version of "Zelda: Tri Force Heroes") is v3120, while content have names "00000002(.cxi)" and "00000003(.cfa)".
Is there any sense at all?

 

[Flashed]

DSi Shop have closed. I have just seen that

 

[redunka]

RIP DSi Shop.
It looks like NUS still works though.

 

[windwakr]

I mostly deal with 3DS stuff myself, and from what I've seen, each piece of content from CDN is always named after its content ID from TMD.
And it's usually hard to guess title version from content name if you don't know how many updates that title had, which title versions those previous updates used, how many content this title has, etc.
Like, for example: latest title version for a title "0004000e00177000" (patch for Euro version of "Zelda: Tri Force Heroes") is v3120, while content have names "00000002(.cxi)" and "00000003(.cfa)".
Is there any sense at all?

https://www.3dbrew.org/wiki/Titles#Versions

I'm guessing the situation with DSi versions is similar.

 

[tozevleal]

DSiShop Oficialy dead

 

[Shicky256]

If anyone else with a hardmodded US DSi wants to help me out, please PM me with a list of the DSiWare that you have. If you have titles that I do not have, we can test console ID edits on each other's tickets to see if they work on a different DSi!

I don't have a hardmod, but I have a 1.4.1 DSi with Clubhouse Games Express: Card Classics, a few Brain Age titles, and Photo Clock (I know, the dude on ebay who had it before me had shit taste), along with all the preinstalled junk. I also have a copy of The Biggest Loser, so I'm able to get all the IDs and stuff. It would interest me if you were able to modify exported SD card files (for example I have a copy of Fieldrunners on my 3ds, so it would be cool if you could switch out the .app file out with the one for Brain Age). Also, do you know if you need to have a ticket or whatever on your DS for Data Management to allow you to import the SD card file if everything else seems "legit"?

 

[nocash123]

Nintendo DSi Shop
Error code: 290502
Unable to connect to the server.
Please wait a moment and try again.

That's all? Wait a moment and try again...? Lame. But no, I don't get that message. The shop is still online, but it does solely offer downloading the 3DS Transfer Tool. It's also allowing to view two Important Information messages (which seem to be a bit outdated, merely saying that shop will close soon). My spare 1400 DSi points are also still shown - though I don't know what I can do with them now (as far as I remember, Nintendo announced that they haven't decided yet if or how they will refund customers with spare points).

I don't have a hardmod, but I have...

This whole thread is about what you can do when you have a hardmod.

 

[Flashed]

That's all? Wait a moment and try again...? Lame. But no, I don't get that message. The shop is still online, but it does solely offer downloading the 3DS Transfer Tool. It's also allowing to view two Important Information messages (which seem to be a bit outdated, merely saying that shop will close soon). My spare 1400 DSi points are also still shown - though I don't know what I can do with them now (as far as I remember, Nintendo announced that they haven't decided yet if or how they will refund customers with spare points).


This whole thread is about what you can do when you have a hardmod.

I think you would not be able to do anything with that DSi Points.

 

[FFT]

DSiShop Oficialy dead

@nocash123, it still works for me too, my lame amount of 100 Nintendo DSi Points is still here but only 3DS Transfer Tool is available. I wonder if they will get you some kind of refund, 1400 DSi Points is a lot...

 

[Shicky256]

This whole thread is about what you can do when you have a hardmod.

The main objective this tool helps you accomplish is downgrading from 1.4.5 to an exploitable firmware. My DS is already on 1.4.1, so the only difference is that it won't connect to the DSi shop (not much of a reason to do that these days anyway).

 

[Flashed]

@nocash123, it still works for me too, my lame amount of 100 Nintendo DSi Points is still here but only 3DS Transfer Tool is available. I wonder if they will get you some kind of refund, 1400 DSi Points is a lot...

Only 3DS Transfer tool!? What about if I want to download DSi Browser or Flipnote now?

 

[Shicky256]

I had some free time today so I tried a couple things (note: this is with a 1.4.1 DSi)
I was able to decrypt the "Clubhouse Games express" title, encrypt the resulting .nds file with TWLTool's "syscrypt" mode, and paste it back into the Tad .bin (note that the resulting file was completely different from the original). I could then copy the modified .bin file back onto the DS's internal memory. While all this is completely useless, it gives me confidence that it's possible to generate valid Tad files on a PC with a tedious enough procedure. Unfortunately, it seems like mine wasn't tedious enough, as it didn't work. It seems like it makes sort of sense, so it might be a good starting point for anyone smarter than me.
1. Download that giant TMD archive that was earlier in the thread
2. get a .bin SD card export from your DSi.
3. With a hex editor, delete everything over 208h from the TMD
4. Replace the title ID in the TMD with the one from whatever game you're injecting into
5. Use Twltool's syscrypt mode to encrypt the TMD, .app, and .sav files
6. Replace the stuff you modified in the original .bin (offsets on gbatek)
If there's anything I missed, please let me know. Also, are DSiware save files immediately after the .app in the Tad file, or are they at the end?

In sort of related news, it turns out that whoever downloaded every TMD file earlier in the thread did it correctly- the format seems exactly the same as actual DSiWare TMD files, except with extra garbage at the end. If you delete that stuff so it's the same length (208), it should work if you're injecting stuff into a hardmodded DSi.

 

[nocash123]

You cannot "Replace the title ID in the TMD" because the TMD is RSA signed. On the other hand, if you have that "giant TMD archive", then you could as well use the correct TMD with the correct title ID for the game. Either way, you'll need the hardmod to install a (faked) ticket.
Note: when you delete titles on the console, it'll keep the .tik's in the ticket folder, and delete only the game folders with the .app/.sav/.tmd files).
If you are trying, say, to use the .tik/.tmd from flipnote to install the sudodu .app file, I doubt that that could work because the .app file contains a different title ID in its RSA signed header.