Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool
- Thread starter WulfyStylez
- Start date
- Views 187,621
- Replies 728
- Likes 51
- Joined
- Oct 7, 2007
- Messages
- 4,426
- Trophies
- 3
- Age
- 36
- Location
- Levelland, Texas
- Website
- www.mariopc.co.nr
- XP
- 6,787
- Country
Wrap.bin is located at shared/Launcher/wrap.bin
And menusave is located in the private.sav of retail launcher (located at title/0030017/484e4145/data/private.sav. it's a fat12 container so an app like WinImage is recommended for extracting/injecting the menusave.dat file properly. Though I guess you could get away with using hex editor. The offsets will be different. The container it self isn't signed. So you don't need a special program assuming you don't attempt to change the file size of the file contained within it)
I tested this in No$GBA. I can add an icon this way, but the app i tried it on (hbmenu) showed up as a white icon. (I guess because the emulator doesn't patch out RSA sig checks...even though I enabled that option...Sigh guess I can't test homebrew this way. It blackscreen errors if I attempt to boot it. Maybe RSA check is removed in emulator but the HMAC SHA CRC things for the arm7/arm9 and icon sections in the DSi Extended Header aren't patched out in emulation?)
I was able to get the icon to show up by simply adding the TID for the new app to the list in wrap.bin/menusave.dat using a hex editor, so you don't need some fancy patcher for this I assume.
But perhaps on hardware an with unmodified SRLs you could get this to work. You may need a valid TMD file for the game you want to install. Not sure if Retail Launcher checks ticket/TMD though. You may have a hard time generating a valid ticket for your console (as that's console unique). TMDs are not console specific though as far as I can tell. So you'd need a minimum a legit TMD of the game provided by someone who had installed it from eShop.
Maybe there's something that can generate the ticket for you. But I'm not aware of it. TWLTool does this? I recall it may have had a feature relating to that added recently.
EDIT:
Found Wulfy's relevent post about the tickets:
This is the last required step to install game you did not acquire from eShop. It's possible to make a ticket. I guess by "TAD" Wulfy means the file that gets saved to SD when you export a game to SD from DSi System Settings. This file had additional layers of protection on 3DS, but it's just a normal TAD on DSi? The same kind of TADs the SDK used for twlNmenu? That's a dev app though so can't be used on retail hardware. But maybe "TAD" files used by DSI System Settings for importing apps back to nand are the same?
There is no tools for this yet I guess? And now that I think about it, if one can make a "TAD" that DSi System Settings can import you won't have to mess around with wrap.bin/menusave.dat anyways.
DSi System Settings will update that for you. But perhaps retail launcher doesn't check ticket on launch of already installed games? Someone has to grab a TMD/SRL of a game they never installed before and manually install them, then update the wrap.bin/menusave.bin to see if that's the case. Obviously if done this way, you will have to avoid using Data Management. Just as with 3DS, Data Management will nuke apps that don't have valid tickets.
And menusave is located in the private.sav of retail launcher (located at title/0030017/484e4145/data/private.sav. it's a fat12 container so an app like WinImage is recommended for extracting/injecting the menusave.dat file properly. Though I guess you could get away with using hex editor. The offsets will be different. The container it self isn't signed. So you don't need a special program assuming you don't attempt to change the file size of the file contained within it)
I tested this in No$GBA. I can add an icon this way, but the app i tried it on (hbmenu) showed up as a white icon. (I guess because the emulator doesn't patch out RSA sig checks...even though I enabled that option...Sigh guess I can't test homebrew this way. It blackscreen errors if I attempt to boot it. Maybe RSA check is removed in emulator but the HMAC SHA CRC things for the arm7/arm9 and icon sections in the DSi Extended Header aren't patched out in emulation?)
I was able to get the icon to show up by simply adding the TID for the new app to the list in wrap.bin/menusave.dat using a hex editor, so you don't need some fancy patcher for this I assume.
But perhaps on hardware an with unmodified SRLs you could get this to work. You may need a valid TMD file for the game you want to install. Not sure if Retail Launcher checks ticket/TMD though. You may have a hard time generating a valid ticket for your console (as that's console unique). TMDs are not console specific though as far as I can tell. So you'd need a minimum a legit TMD of the game provided by someone who had installed it from eShop.
Maybe there's something that can generate the ticket for you. But I'm not aware of it. TWLTool does this? I recall it may have had a feature relating to that added recently.
EDIT:
Found Wulfy's relevent post about the tickets:
This is the last required step to install game you did not acquire from eShop. It's possible to make a ticket. I guess by "TAD" Wulfy means the file that gets saved to SD when you export a game to SD from DSi System Settings. This file had additional layers of protection on 3DS, but it's just a normal TAD on DSi? The same kind of TADs the SDK used for twlNmenu? That's a dev app though so can't be used on retail hardware. But maybe "TAD" files used by DSI System Settings for importing apps back to nand are the same?
There is no tools for this yet I guess? And now that I think about it, if one can make a "TAD" that DSi System Settings can import you won't have to mess around with wrap.bin/menusave.dat anyways.
DSi System Settings will update that for you. But perhaps retail launcher doesn't check ticket on launch of already installed games? Someone has to grab a TMD/SRL of a game they never installed before and manually install them, then update the wrap.bin/menusave.bin to see if that's the case. Obviously if done this way, you will have to avoid using Data Management. Just as with 3DS, Data Management will nuke apps that don't have valid tickets.
Last edited by Apache Thunder,
The wrap.bin & menusave files are containing CRC16 checksums, you can probably key in the correct checksums in a hex editor, though you didn't mention if you did so (?) or did it work even without the checksum (???) Icons are displayed regardless of the RSA signature (for DSi cartridge ROMs at least), if there's no icon displayed then there's probably something else wrong. TAD is some slang from the dsibrew wiki (and also used in gbatek).
No$gba has some option to allow "unencrypted RSA signatures", allowing to emulate homebrew without having Nintendo's private RSA key. But of course, the unencrypted signature must be there, as well as all the other SHA1's and SHA1-HMAC's in header & hash tables, plus all the flags, filetype, and config stuff in cart header, etc. If you want to do that, I would highly recommend to make a cartridge ROM-image version first, and after getting that working, change the type from "ROM" to "DSiware", and then try to install it in the eMMC-image and to add it to wrap.bin & menusave.
Are you sure that tickets are console specific? I have only one console, and never compared my tickets against other consoles... At least free "cetk" tickets can be downloaded even from PCs (=without console ID in the free tickets). And shop titles can be also downloaded from PC (=without console ID in the shop's encrypted title/executable). So at least downloading & decrypting works fine regardless of console IDs... it would be quite a (nasty) surprise if there's a console-ID signature check before actually starting the executable.
I don't have my console at hand at the moment... What are the CRC32's for, say, Sudoku US, and Sudoku EUR ticket files? And can somebody confirm having the same files with same CRC's on another console?
Oh, and instead of installing new titles, it may be easier to try to delete .tik, .tmd, or data\.sav files from already installed titles to see which files are really needed for launching the title; just make a backup before deleting them.
No$gba has some option to allow "unencrypted RSA signatures", allowing to emulate homebrew without having Nintendo's private RSA key. But of course, the unencrypted signature must be there, as well as all the other SHA1's and SHA1-HMAC's in header & hash tables, plus all the flags, filetype, and config stuff in cart header, etc. If you want to do that, I would highly recommend to make a cartridge ROM-image version first, and after getting that working, change the type from "ROM" to "DSiware", and then try to install it in the eMMC-image and to add it to wrap.bin & menusave.
Are you sure that tickets are console specific? I have only one console, and never compared my tickets against other consoles... At least free "cetk" tickets can be downloaded even from PCs (=without console ID in the free tickets). And shop titles can be also downloaded from PC (=without console ID in the shop's encrypted title/executable). So at least downloading & decrypting works fine regardless of console IDs... it would be quite a (nasty) surprise if there's a console-ID signature check before actually starting the executable.
I don't have my console at hand at the moment... What are the CRC32's for, say, Sudoku US, and Sudoku EUR ticket files? And can somebody confirm having the same files with same CRC's on another console?
Oh, and instead of installing new titles, it may be easier to try to delete .tik, .tmd, or data\.sav files from already installed titles to see which files are really needed for launching the title; just make a backup before deleting them.
Last edited by nocash123,
- Joined
- Oct 7, 2007
- Messages
- 4,426
- Trophies
- 3
- Age
- 36
- Location
- Levelland, Texas
- Website
- www.mariopc.co.nr
- XP
- 6,787
- Country
Hmm I just added them to the files. I didn't check for CRCs. I'm pretty sure the tickets are console specific. I can try deleting one to see if the associated app still works. But I would need a matching TMD file if I were to try to install a homebrew app....Not sure how I'd go about doing that.
It did show the icon for the app I added. But it was a homebrew app and didn't have a valid hash for the banner. So I guess that's why the icon was white with no name.
EDIT: Sadly there does appear to be a ticket check. Deleted the tickets and tried to launch a title. Black screen error.
So Retail Launcher does check for tickets. A new ticket can be made from dev.kp I guess but not sure how to do that right now.
It did show the icon for the app I added. But it was a homebrew app and didn't have a valid hash for the banner. So I guess that's why the icon was white with no name.
EDIT: Sadly there does appear to be a ticket check. Deleted the tickets and tried to launch a title. Black screen error.
So Retail Launcher does check for tickets. A new ticket can be made from dev.kp I guess but not sure how to do that right now.
Last edited by Apache Thunder,
I've looked closer into my own .tik documentation in gbatek, and yeah, the 4-byte "Console ID" entry seems to be console specifc (it's taken from the "TWxxxxxxxx" string in dev.kp file). Accordingly, the 100h-byte signature in the .tik file is probably also different on each console (to reflect the different 4-byte ID). And, the whole .tik file is encrypted with a console specific key, so, when looking at the encrypted file, ALL bytes will appear to be different.
Encrypting/decrypting the .tik file should work with TWLTOOL (if you have 64bit Windows8 or something). The private key for the signature is most likely not stored on the console, so there should be no way to match the signature to your console ID. I am not sure if/when the DSi is verifying the signature, maybe it's checked only after downloading, not when starting titles (?) one could probably check that by decrypting the .tik with TWLTOOL, destroying some signature byte(s), and then re-encrypting the .tik with TWLTOOL, and then check if the game is still working. I am afraid that I can't do that on my old PC, but if it somebody wants to give it try: Go ahead!
If that doesn't work out, then there's probably really a problem with installing dsiware exploits with the dsi shop no longer working. Only chance would be using free tickets (which don't have the 4-byte Console ID, the ID field is just set to 00000000h), ie. finding exploits in system tools or browser/flipnote or in that zelda four swords anniversary game. I haven't checked if all of those "free" titles really have tickets without Console ID... can somebody check that?
Encrypting/decrypting the .tik file should work with TWLTOOL (if you have 64bit Windows8 or something). The private key for the signature is most likely not stored on the console, so there should be no way to match the signature to your console ID. I am not sure if/when the DSi is verifying the signature, maybe it's checked only after downloading, not when starting titles (?) one could probably check that by decrypting the .tik with TWLTOOL, destroying some signature byte(s), and then re-encrypting the .tik with TWLTOOL, and then check if the game is still working. I am afraid that I can't do that on my old PC, but if it somebody wants to give it try: Go ahead!
If that doesn't work out, then there's probably really a problem with installing dsiware exploits with the dsi shop no longer working. Only chance would be using free tickets (which don't have the 4-byte Console ID, the ID field is just set to 00000000h), ie. finding exploits in system tools or browser/flipnote or in that zelda four swords anniversary game. I haven't checked if all of those "free" titles really have tickets without Console ID... can somebody check that?
Last edited by nocash123,
Yellows8 is working on a DSiWare hack for 3DS. I'm sure you guys know this, but that involves installing a DSiWare exploit on a 3DS in order to enable nand backups. The project can be found here:
https://github.com/yellows8/dsi/tree/master/exploits
Im not well versed in this at all, but a part of the project is something called fourswordshax, which I assume to be an exploit involving the Zelda four swords DSiWare game. Could we possibly use that in a normal DSi?
https://github.com/yellows8/dsi/tree/master/exploits
Im not well versed in this at all, but a part of the project is something called fourswordshax, which I assume to be an exploit involving the Zelda four swords DSiWare game. Could we possibly use that in a normal DSi?
P
PaiiNSteven
Guest
I don't think a DSi can receive a system transfer (even from another DSi).
Yellows8 has officially released 4swordshax. Any chance someone could update the SRL Extractor to dump our ConsoleID with it?
This seems really cool, but would be 20x more useful as an .nds file we could run from a flash cart, or in 3DS mode as a .cia, just sayin.
Yeah, well, the reason why I was mentioning 4swords was that it was originally available as free download, so it might have come with a "free" ticket (without console ID in the .tik file).
The problem is that, if nobody checks if the decrypted .tik file does/doesn't contain a console ID... then it's more or less pointless to release exploits for that game.
Twltool probably still doesn't work with 32bit windows... so everything depends on people with hex editors and 64bit windows:
Decrypt your .tik files, and check if they contain console IDs or not (especially for the 4swords tik... if you have 4swords). Or if you have two DSi's, you could try to copy your .tik's from one console to another, and check if it's still working, and if not: you could try to change the tik's console ID to match your actual console ID (which might work theoretically, if the tik's signature isn't verified at time when starting titles).
Or did somebody already try that things?
Last edited by nocash123,
There's probably more people than you think who have 4swords. It was available for free - twice.
I've got legit copies on 2 3ds's and a dsi.
I'm honestly surprised nobody's made a homebrew version of the System Transfer app that doesn't require online use at all. Just moves stuff from console 1 to console 2, and that's that. (Assuming they're both hacked already, of course)
Haven't been here in a while. Don't suppose there's any software way to downgrade the dsi yet eh?
- No one is chatting at the moment.
-
-
-
-
-
-
-
-
-
-
@
Xdqwerty:
@realtimesave, hey there buddy chum pal friend buddy pal chum bud friend fella bruther amigo pal buddy friend chummy chum chum pal -
@
Xdqwerty:
@realtimesave, hey there buddy chum pal friend buddy pal chum bud friend fella bruther amigo pal buddy friend chummy chum chum pal
-
-
-
-
-
-
-
-
-
-
-
@
Sicklyboy:
@Xdqwerty, Osu! Tatakae! Ouendan! is the Japanese version of the game, different settings/characters/songs but otherwise identical mechanics. I played that before I knew about Elite Beat Agents lol. Both fantastic games https://en.wikipedia.org/wiki/Osu!_Tatakae!_Ouendan+1 -
-
-
