Homebrew TWLbf - a tool to brute force DSi Console ID or EMMC CID

marine5422

I have temporarily given up on brute forcing the Console ID / eMMC CID.
Last night I checked the emmc_cid brute-force, but I could not find a correct value within the 'known range'.

Code:
Checked Console ID range

08A00-08A59
08200-08249
08000-08009
08100-08109
08300-08309
08B00-08B19
08C00-08C19
08D00-08D19
08E00-08E19
08F00-08F19


Code:
twlbf_mbedtls console_id_bcd [Console ID range that I posted] 1D00000000034D303046504100001500 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
twlbf_mbedtls emmc_cid [Console ID range that I posted] 1D00000000034D303046504100001500 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
twlbf_mbedtls emmc_cid [Console ID range that I posted] 1D00000000034D303046504100001500 0000 30012DE8B6C8085D5A294EE0B3456210 00000000000000000000000000000000

7 days effort: NO RESULT

I think this region has a quite different security layer or something.
(In the Wii hacking era, the Korean Wii had a different common key, unlike the J/U/E regions; it was discovered later. Maybe the Korean DSi is the same.)

So I just give up. If anyone is interested, I'll upload some samples here:

eMMC NAND raw dump: *snip*
(1.4.1K korean dsi launch model.)

NAND print: SAMSUNG 001 KMAPF0000M-S998 N258GA34
(so the eMMC CID should be 1D xx xx xx xx + manufacturer code, but somewhat strangely it didn't match)



And note that there is no way to get the CID/Console ID at end-user level without brute force.
(No pre-installed or exportable DSiWare / no compatible DSi-enhanced/exploitable cartridge like The Biggest Loser.)
 

redunka

Looks like the reason why you couldn't get anything, @marine5422, is because you've been using an incorrect command (or rather an incorrect tool) for bruteforcing the Console ID. :)
Here's what it should've looked like (twlbf doesn't support bruteforcing two unknown IDs, so bfcl is required):
Code:
bfcl console_id_bcd [Console ID] [offset0] [src0] [verify0] [offset1] [src1] [verify1]
So, in case of your dump it was:
Code:
bfcl console_id_bcd 0820100000000100 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa 0000 30012DE8B6C8085D5A294EE0B3456210 00000000000000000000000000000000
Then you could've used regular command for bruteforcing eMMC CID (twlbf also should be enough here):
Code:
bfcl emmc_cid <full known Console ID here> 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
Yes, I've grabbed your dump before mods removed it, so I've actually managed to bruteforce your Console ID and CID. :ph34r:
Should I just post the full IDs here for you, or would you still like to try to get them yourself?
I was going to PM you about it, but, apparently, you've restricted PMs from users. :blush:
 

redunka

Okay, I guess nothing bad should happen if I post those Console ID and eMMC CID…
Please, @marine5422, let me know if you don't want me to post them publicly, and I'll edit them. :blush:

Console ID: 08201xxxxxxxx1xx

eMMC CID:
1Dxxxxxxxx034D303046504100001500

I've already tried decrypting that NAND dump with them, they're indeed valid.

Edit: I'm paranoid, so I edited them for now, I'll send you the full ones via PM, I'm really sorry for the inconvenience.
 

marine5422


Uh.... ... Wow... I didn't know that...

Only bfcl supports brute-forcing them both...?

I feel like a jerk. :P

Anyway, thanks for sharing the info. (And I didn't know that I had restricted the PM function. Thanks for notifying me. :) )
And I think it's just okay to share some of the info that was already posted (of course not all of it).
 

Cmdutka86

Can anyone help me with brute forcing my eMMC ID? I think I'm in over my head.

I have my NAND dumped via hardmod and managed to get my Console ID by extracting it from DSiWare.

However, this command line stuff is beyond me. I have tried to work out how to do it myself and have got nowhere.

I've been using the following command

twlbf emmc_cid [Console ID] [EMMC CID] [offset] [src] [verify]

But nothing happens when I attempt to fill it in with what I assume are the correct values from my NAND dump etc. and press enter.

When I click the .exe itself it says I'm missing a .DLL file. After googling I found it was an OpenSSL file. I've checked my OpenSSL directory and the file is there, so where do I need to put this file for it to work?

If/when I get past that obstacle, can someone confirm for me what offset, src and verify are, and where I should be getting these values from?

Also, should I put anything in the [eMMC ID] section?

Apologies if this makes no sense, I am trying.
Thanks in advance.
 

manu_jedi

DSi XL, E, Dark Brown
Console ID: 08201....1XX

NAND chip is
SAMSUNG 946 KMAPF0000M-S998
bc00000000034d303046504100001500

PM me if you want the nand dump
 


ahezard

IS-TWL-DEBUGGER (dev dsi, any region)
ConsoleID: 08A21...1XX
CID: 2c35911670034d303046504100001500

DSI XL JPN green
ConsoleID: 08201...1XX
CID: 4D400715D0034D303046504100001500
 

ahezard

And how to do it, please?
For the console ID, here is the command I used for a DSi XL:
bfcl.exe console_id_bcd 0820100000000100 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa 0000 6E1CF232319C287CD4D7BBC45BDF9166 00000000000000000000000000000000

0820100000000100 worked for a DSi XL but you may have to modify the first 5 digits (see first post)
076F005F6FEF14234015FBB77BA43AC8 are the hexadecimal bytes between 1F0 and 200 of my NAND dump, replace with yours
6E1CF232319C287CD4D7BBC45BDF9166 are the hexadecimal bytes between 000 and 010 of my NAND dump, replace with yours

For the CID I used this command:
bfcl.exe emmc_cid [console id you just got] 2c00000000034d303046504100001500 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa
2c00000000034d303046504100001500 worked for a DSi XL but you may have to modify the first 2 digits (see first post)
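To make the "where do those hex bytes come from" part concrete, here is an added example (not bfcl's or twlbf's own code): it pulls the two 16-byte ciphertext blocks at 0x000 and 0x1F0 out of a NAND dump, pairs each with the known plaintext the posted commands use as the verify value, and assembles the bfcl argument lists. It assumes, from the posted commands, that bfcl's offset argument is the 16-byte block index (0x1F0 gives 001f); the sample sector is constructed from the values in the post above.

```python
# Offsets and expected plaintexts taken from the bfcl commands posted in this thread:
# the 16 bytes at 0x000 decrypt to all zeros, and the 16 bytes at 0x1F0 decrypt to
# 14 zeros followed by the 55 AA MBR signature (the "verify" arguments).
BLOCKS = {
    "src0": (0x1F0, bytes(14) + b"\x55\xaa"),
    "src1": (0x000, bytes(16)),
}

def block_index(offset: int) -> str:
    # Assumption inferred from the posted commands: bfcl's offset argument is the
    # 16-byte block index (0x1F0 -> "001f", 0x000 -> "0000"), zero-padded to 4 digits.
    return f"{offset // 16:04x}"

def extract_blocks(dump: bytes) -> dict[str, str]:
    """Return the ciphertext block at each offset as uppercase hex, as bfcl takes it."""
    if len(dump) < 0x200:
        raise ValueError("dump is shorter than one 512-byte sector; not a NAND image")
    return {name: dump[off:off + 16].hex().upper() for name, (off, _) in BLOCKS.items()}

def console_id_args(dump: bytes, mask: str) -> list[str]:
    """Argument list for `bfcl console_id_bcd` (two known-plaintext blocks)."""
    blocks = extract_blocks(dump)
    args = ["bfcl", "console_id_bcd", mask]
    for name in ("src0", "src1"):
        off, verify = BLOCKS[name]
        args += [block_index(off), blocks[name], verify.hex()]
    return args

def emmc_cid_args(dump: bytes, console_id: str, cid_mask: str) -> list[str]:
    """Argument list for `bfcl emmc_cid` once the Console ID is known (one block)."""
    off, verify = BLOCKS["src0"]
    return ["bfcl", "emmc_cid", console_id, cid_mask,
            block_index(off), extract_blocks(dump)["src0"], verify.hex()]

def load_dump(path: str) -> bytes:
    """Read only the first sector; the rest of the image is not needed here."""
    with open(path, "rb") as f:
        return f.read(0x200)

# Constructed sample sector carrying the two ciphertext blocks from the post above.
SAMPLE = bytearray(0x200)
SAMPLE[0x000:0x010] = bytes.fromhex("6E1CF232319C287CD4D7BBC45BDF9166")
SAMPLE[0x1F0:0x200] = bytes.fromhex("076F005F6FEF14234015FBB77BA43AC8")

if __name__ == "__main__":
    print(" ".join(console_id_args(bytes(SAMPLE), "0820100000000100")))
    print(" ".join(emmc_cid_args(bytes(SAMPLE), "<console id>",
                                 "2c00000000034d303046504100001500")))
```

Replace `SAMPLE` with `load_dump("nand.bin")` to run it against your own dump; the printed line should match the command format in the post above.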
 


chronoss

076F005F6FEF14234015FBB77BA43AC8 are the hexadecimal bytes between 1F0 and 200 of my nand dump, replace with yours
6E1CF232319C287CD4D7BBC45BDF9166 are the hexadecimal bytes between 000 and 010 of my nand dump, replace with yours
How to get these hex numbers?
 

ahezard

Is it normal?

You need to tune the console ID mask; in your case I got a match with 08204. Here is your console ID: 0820467219089125
The command I used: bfcl.exe console_id_bcd 0820400000000100 001f 3F7EF9F4866458C4A9786FDD6E440DF9 000000000000000000000000000055aa 0000 51F5D50B04B4F103CDB12F4EF64007E5 00000000000000000000000000000000
 

chronoss

You need to tune the console ID mask; in your case I got a match with 08204. Here is your console ID: 0820467219089125
The command I used: bfcl.exe console_id_bcd 0820400000000100 001f 3F7EF9F4866458C4A9786FDD6E440DF9 000000000000000000000000000055aa 0000 51F5D50B04B4F103CDB12F4EF64007E5 00000000000000000000000000000000
I ran the same command but it's stuck at the same screen... And yes, it's the console ID "0820467219089125"

How must the NAND be named?
 
