1. Gadorach

    OP Gadorach Electronics Engineering Technologist
    Member

    Joined:
    Jan 22, 2014
    Messages:
    965
    Country:
    Canada
With the release of TWLTool, by @WulfyStylez, we now have the ability to downgrade our DSi consoles and install the old DSiWare hacks that were originally released by Team Twiizers. This is achieved by recovering our DSi's per-console keys.

    To outline the process, I'll divide it into a few sections. First, you must recover your keys and install an exploitable DSiWare game from the DSi Store. Next, you must backup your NAND with a hardware tool, and use the keys to decrypt it, modify it, and re-encrypt it. And last, you need to set up your SD card for running these exploits.

    1) You need a DSi or DSi XL
    2) You need to install an exploitable DSiWare game from the DSi Store. I recommend SUDOKU.
    3) You need either a Raspberry Pi, or a copy of The Biggest Loser, an original DS/Lite, and a flashcart.
    4) You must be comfortable soldering to pads that are as small as 0.5mm in diameter.
5) You need a pencil-tipped soldering iron, and very fine wire, 28AWG or smaller, preferably 30AWG+.
    6) An SD to Micro-SD adapter.
    7) An SD card reader able to read eMMC chips running in single data-line mode.

    You're going to need some software to do this as well. Here's a package with all the software you'll need to downgrade your console.

    Extract that to your desktop for now.

    You will need to find the DSi Common Key for yourself, but a convenient tool for generating your dsikey.bin has been included, along with the expected MD5 hash of a proper dsikey.bin.

    Your ConsoleID is a unique 8-bit (16 character) long string, used as part of the key to sign titles to your console. It is also part of your NAND's encryption key. We will need to recover it before we can continue.

    If you've taken care of the requirements, you should already have a copy of one of the exploit games. Here's what you need to do next.

    First, on your DSi, make sure you've downloaded and installed the exploit game you bought. Next, open the "System Settings" app, and enter "Data Management". Under "System Memory", find your exploit game. Tap on it, and if you have your SD card installed, you will get a prompt to copy the game to your SD card. Choose "Copy", and wait for it to finish.

Next, remove the SD card from your DSi, and put it into your PC's SD reader. Open the SD card, and navigate to "private/ds/title". You will find your copied game there, in a Bin file.

    SUDOKU will show up as "4B344445.bin", and Fieldrunners will show up as "4B464445.bin"

    Copy this into the "DSi Downgrade Package" folder, and into the "SRL Extractor" folder.

    If you are running Windows Vista or newer, you can simply hold the [Shift] key, and right-click in the folder, in an empty space. When the options come up, they will include "Open command window here". Do this inside the "SRL Extractor" folder, and a command window will open. In this window, you will need to paste the following line of code, but you must modify it to suit your bin file, if it isn't included.

    For Fieldrunners:
    Code:
    dsi_srl_extract.exe --basename=FIELDRUNNERS 4B464445.bin
    For SUDOKU:
    Code:
    dsi_srl_extract.exe --basename=SUDOKU 4B344445.bin
    For Others (template):
    Code:
    dsi_srl_extract.exe --basename=[Game Name] [.bin Name].bin
    Once it completes, you will have a lot of extra files in your directory. You will need a hex editor for this part. I recommend HxD, as it's free and easy to use, but you can use anything you like, really. For the sake of this guide though, I'll be assuming that you're using HxD.

    Open the [Game Name].footer file that shows up in your folder with HxD. In HxD's main window, look for "Root-CA00000001-MS00000008" in the ASCII window. You will find "TWxxxxxxxx-yyyyyyyyyyyyyyyy" either directly, or shortly after that, with the "x"s and "y"s showing your unique codes. All we need is the data after the dash, so, the "y"s. That 16 character long string is your ConsoleID. Save that to a text file and keep it for later, that's the first part we need for decrypting our NAND.

    Getting your CID is a bit more tricky than getting your ConsoleID. CID stands for "Card Identifier", and is a unique code assigned to your eMMC NAND chip at the factory. To read it, we need to either read it from RAM using an exploited DSi-mode game, or directly access the NAND chip, and read the CID through specialized hardware. For now, I'll be covering using "The Biggest Loser", an old DSi-Enhanced exploitable game, to read your CID. I'll later cover using the Raspberry Pi, and other methods, as I have time to write them up.

    The Biggest Loser is the only known exploitable DSi-Enhanced (DSi-Mode) game available that still runs on 1.4.5 Firmware. In order to install the exploit you will need to borrow an original DS, or DS Lite. You will also need a DS Flashcart that works on that DS or DS Lite.

Insert your DS Flashcart's SD card into your computer, and copy either the file "TB_loser_inject_EU.nds", for the EU region, or "TB_loser_inject_US.nds", for the US region, to your flashcart. Put your flashcart's SD back in your flashcart, and put your flashcart in your DS/DSLite. Start your flashcart, and run the nds file you just copied. It will be named "SaveInjector" in most flashcart menus. It will prompt you to eject your flashcart, and insert your copy of "The Biggest Loser". Do that, and press [start] on your DS/DSLite to inject the hacked save. Once it finishes, turn off your DS/DSLite and eject your copy of "The Biggest Loser", and insert it into your DSi/XL. Start the game, and after the loading screens, you will be presented with your CID, displayed on-screen, in alternating colours. Type that into another text file, and save it for later. It is the second part of your console's NAND encryption.

    Full Guide coming soon!

    But, for those that already have used RPU to collect their CID, you must modify it like so:

    RPU's CID : Aa Bb Cc Dd Ee Ff Gg Hh Ii Jj Kk Ll Mm Nn Oo Pp

    Proper CID: Pp Oo Nn Mm Ll Kk Jj Ii Hh Gg Ff Ee Dd Cc Bb Aa

    Just match the pairs and you'll have the correct CID for TWLTool to work with.

    Coming Soon!

The next step, and most involved, requires you to solder an SD card adapter to very small points on your DSi's mainboard. Here are the diagrams, though they are also included in the archive you downloaded.

[IMG]
[IMG]
[IMG]

You must solder an SD to microSD converter to those points. Here is an example diagram.

[IMG]

    You must then plug that into a compatible SD/MMC reader. When Windows identifies it, it will ask you to format it. DO NOT DO THIS UNDER ANY CIRCUMSTANCES. You will permanently brick your console if you do.

    Here is a link to a known compatible reader.

    US: http://www.amazon.com/gp/product/B006T9B6R2

    Canada: http://www.amazon.ca/gp/product/B006T9B6R2

    Next, you must install "Win32DiskImager", found in the "Win32DiskImager" folder. Install it, open it, and click the button with the folder icon. It's right beside the "Device:" drop-down list. Browse to your desktop, and, in the "File Name" bar, type "NAND_0.bin". At the end of that bar, you'll see another drop-down list that says "Disk Images (*.img, *.IMG)". Change that to "*.*", and click the "Open" button.

    Now, if you haven't plugged in your NAND adapter, do so. When it identifies, remember the drive it identified as (E:, F:, Z:, etc.), and select it in the "Device:" drop-down list. The "Read" and "Write" buttons should now be available to you. Click the "Read" button, and stay away from the "Write" button for now. If you click it now, you could brick your console. When it finishes reading your NAND, change the file name in the image file bar to "NAND_1.bin", and read it again. When that finishes, change the name to "NAND_2.bin", and read it again. When that's done, open HxD, and open them all in the editor by dragging and dropping them into the main window. At the top of HxD, click "Analysis", click "File-compare", and click "Compare...". Next, select your "NAND_0.bin" in the top drop-down box, and your "NAND_1.bin" in the bottom drop-down box. Click "OK", and wait for it to finish. If it says "The chosen files are identical.", then open the file-compare box again, and this time choose "NAND_0.bin" and "NAND_2.bin", and click "OK". If they're all the same, and not all zeros, and all ~240MB (251,658,240 bytes exactly), then you can move on to the next step.

    If they don't all match, keep extracting your NAND with different names, until you have at least three matching NAND_X.bin files. You may need to adjust your wiring to achieve this.

    If you've been following this guide properly, you should have the following things:

    1) A backup of your NAND (NAND_0.bin)
    2) Your Console ID
    3) Your CID

Congratulations, the hard part is over! Now, let's decrypt your NAND, so we can modify it.

    First, you'll need to fill in this command template.
    Code:
    twltool nandcrypt --cid [CID HERE] --consoleid [ConsoleID HERE] --in NAND_0.bin --out NAND_DEC.bin
Replace [CID HERE] with your CID, and [ConsoleID HERE] with your ConsoleID.

    Open the TWLTool directory, and copy your NAND_0.bin into there. Like before, hold [Shift] and right-click inside an empty space in the folder. Select "Open command window here", and paste your modified command into the command prompt. Press [Enter], and wait for it to complete.

    You will now have a decrypted NAND image, that we can modify. When you finish editing the NAND image, simply replace that command with the following modified template, and run it again. TWLTool will claim to have succeeded in decrypting the NAND, but it actually did encrypt it, so don't worry about that prompt. Here's the command template.

    Code:
    twltool nandcrypt --cid [CID HERE] --consoleid [ConsoleID HERE] --in NAND_DEC.bin --out NAND_ENC.bin
    You will then have an encrypted NAND that you can flash back to your console with the "Write" button in Win32DiskImager. To do that, just select the "NAND_ENC.bin" when you click the folder button, instead of making a new file.

    You'll want to continue on to the next part before you encrypt and write your NAND back though, so keep going first.

    This is the real gem of decrypting your NAND. Now that you have a decrypted NAND, you can downgrade titles with ease. Downgrading titles allows you to re-enable copying of exploited save files, allow previously blocked flashcarts to run, and downgrade the patched version of SUDOKU with an exploitable version. You still need to have bought the original game though, as without it, your DSi will not have the required license files to run the game, and it will not start.

    If you haven't yet, go find the DSi Common Key from Google. As it's copyright protected code, we can't share it here. Once you have it, go to the "NUSDownloader_v19" folder, and open the "dsikey.bin Generator" application. Paste the common key into it, with no spaces, and click "Generate". The tool was originally made for the slot0x25keyX.bin, but it works just as well for this. Save the resulting file as "dsikey.bin", and make sure it's in the "NUSDownloader_v19" folder. Open NUS Downloader, and click "Database". In here, you'll need three files. Make sure you enable the checkbox at the bottom of the NUS Downloader window labeled "Create Decrypted Contents (*.app)" before you download these titles. They are as follows.

    1) Nintendo DS Cart Whitelist:

    [DS Icon] -> [System] -> [0003000f484e48XX - Nintendo DS Cart Whitelist] -> [41(All/System)] -> [v256]

    2) System Menu (Launcher):

    [DS Icon] -> [System] -> [00030017484e41XX - System Menu (Launcher)] -> [[Your Region Here]] -> [v512]

    3) System Settings

    [DS Icon] -> [System] -> [00030015484e42XX - System Settings] -> [[Your Region Here]] -> [v512]

    Next, once those are downloaded successfully, open the "OSFMount" folder, and install the version that matches your version of Windows. If you're using a 64 bit windows installation, use the 64 bit installer. Else, use the 32 bit installer.

When the program has finished installing, open it, and click the "Mount new..." button. Select the "Image File" radio button, and click on the "..." button just below, inside the "Image File" section. In there, browse to, and open, your NAND_DEC.bin file. If it's legitimate, you should see a partition selection prompt. You'll want to select Partition 0, which is a little over 200MB in size, and click "OK". You'll return to the earlier window, and now your NAND will be selected. Go down to the "OK" button, and just above it, you'll see the "Read-only drive" checkbox enabled. Disable it, and click "OK". Once it finishes mounting, you can move on.

    Now, you'll need to open your computer, as autoplay isn't enabled for this drive. When you open "My Computer", you'll find a new ~200MB drive available. You can now explore it like any other drive, and modify it to your liking. Here's what to do for the basic steps though.

To start with, you'll need to delete the contents of "title\0003000f\484e48XX\content" from the newly mounted NAND. Next, you'll need to copy the "00000001.app" and "tmd.256" from the "titles\0003000f484e48XX\256" folder in the "NUSDownloader_v19" folder, into the "title\0003000f\484e48XX\content" folder on your NAND. And lastly, you'll have to rename the "tmd.256" to "title.tmd".

    In all cases, "XX" represents your region identifier code.

To start with, you'll need to delete the contents of "title\00030017\484e41XX\content" from the newly mounted NAND. Next, you'll need to copy the "00000002.app" and "tmd.512" from the "titles\00030017484e41XX\512" folder in the "NUSDownloader_v19" folder, into the "title\00030017\484e41XX\content" folder on your NAND. And lastly, you'll have to rename the "tmd.512" to "title.tmd".

    In all cases, "XX" represents your region identifier code.

To start with, you'll need to delete the contents of "title\00030015\484e42XX\content" from the newly mounted NAND. Next, you'll need to copy the "00000002.app" and "tmd.512" from the "titles\00030015484e42XX\512" folder in the "NUSDownloader_v19" folder, into the "title\00030015\484e42XX\content" folder on your NAND. And lastly, you'll have to rename the "tmd.512" to "title.tmd".

    In all cases, "XX" represents your region identifier code.

To start with, you'll need to delete the "00000001.app" from "title\00030004\4b3444XX\content" in the newly mounted NAND. Next, you'll need to rename the old version of the decrypted SUDOKU app to "00000001.app", and copy it into the "title\00030004\4b3444XX\content" folder on your NAND. After that, you can optionally copy the "sudokuhax.sav", renamed to "public.sav", from the "DSiWareHax - Team Twiizers" folder, to the "title\00030004\4b3444XX\data" folder on your NAND, to inject the Sudokuhax exploit.

    You must obtain the older version of SUDOKU on your own, as it is copyright protected content, and cannot be shared here.

    In all cases, "XX" represents your region identifier code.

When you're finished modifying your NAND, simply open the OSFMount window, select your mounted NAND, and click "Dismount". You can then click exit, and return to the last part of the last step to re-encrypt and write your NAND back to your DSi/XL.

Assuming all has gone as planned, here are some video examples of how your console will act.



    That's all there is to it, in as many words as possible. Enjoy, and happy downgrading!


    PS. I'm sure I've forgotten some stuff, so just let me know and I'll add it as I have time.


    TWLTool - WulfyStylez
SRL Extractor - CaitSith2
    The Biggest Loser CID Tools - zoogie
    DSiWareHax - Team Twiizers
    NUSDownloader - NUSD Team (givememystuffplease & gb.luke)

    Pinout Diagrams - Gadorach (base images from iFixIt and DSiBrew)
    THIS GUIDE - Gadorach
     
    Last edited by Gadorach, Aug 4, 2015
    pork_qpine, SkilLP, JSMastah and 26 others like this.
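Three steps in the guide above are easy to get wrong by hand: reading the 16-character ConsoleID out of the .footer file, deciding whether the NAND_X.bin dumps are good enough to proceed (all identical, exactly 251,658,240 bytes, not all zeros), and reversing the byte pairs of a CID printed by RPU. The following Python script, an added example that is not code from the original post, from TWLTool, or from any of the credited tools, implements those checks. The footer bytes, the 4 KiB "dumps" and the CID value are constructed test inputs; the 512-byte search window between the issuer string and the "TW" name is an assumption, since the post only says the name appears "directly, or shortly after".

```python
"""Helpers for the DSi NAND-backup steps in the guide above.
Added example, not code from the original post or from TWLTool.
All inputs in the demo at the bottom are constructed so it runs offline."""
import hashlib
import io
import re
from typing import BinaryIO, Dict, List, Optional

# Size the guide expects for a good dump: 251,658,240 bytes (~240 MB).
EXPECTED_NAND_SIZE = 251_658_240

# The guide says the footer contains "Root-CA00000001-MS00000008" followed
# shortly by "TWxxxxxxxx-yyyyyyyyyyyyyyyy"; the 16 hex digits after the dash
# are the ConsoleID. The 512-byte window is an assumption, not from the post.
CONSOLE_ID_RE = re.compile(
    rb"Root-CA00000001-MS00000008.{0,512}?TW[0-9A-Za-z]{8}-([0-9A-Fa-f]{16})", re.S)


def extract_console_id(footer: bytes) -> Optional[str]:
    """Return the ConsoleID from a .footer file's bytes, or None if absent."""
    m = CONSOLE_ID_RE.search(footer)
    return m.group(1).decode("ascii").upper() if m else None


def rpu_cid_to_twltool(rpu_cid: str) -> str:
    """Convert a CID as printed by RPU into the byte order TWLTool wants.
    The guide shows the byte pairs simply reversed: 'Aa Bb ... Pp' -> 'Pp Oo ... Aa'.
    Spaces and other separators in the input are ignored."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", rpu_cid)
    if len(digits) != 32:
        raise ValueError("CID must be 16 bytes (32 hex digits)")
    return bytes.fromhex(digits)[::-1].hex().upper()


def _dump_stats(stream: BinaryIO) -> Dict[str, object]:
    """Hash a dump in 1 MiB chunks, recording its size and whether any byte is non-zero."""
    h = hashlib.sha256()
    size, nonzero = 0, False
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        h.update(chunk)
        size += len(chunk)
        if not nonzero and chunk.strip(b"\x00"):
            nonzero = True
    return {"sha256": h.hexdigest(), "size": size, "nonzero": nonzero}


def check_nand_dumps(streams: List[BinaryIO],
                     expected_size: int = EXPECTED_NAND_SIZE) -> Dict[str, bool]:
    """Apply the guide's acceptance checks to a set of NAND_X.bin dumps:
    at least three dumps, all identical, all exactly expected_size, not all zeros.
    Nothing should be written back to the console unless 'ok' is True."""
    stats = [_dump_stats(s) for s in streams]
    report = {
        "enough_dumps": len(stats) >= 3,
        "identical": len({s["sha256"] for s in stats}) == 1,
        "size_ok": all(s["size"] == expected_size for s in stats),
        "not_all_zero": all(s["nonzero"] for s in stats),
    }
    report["ok"] = all(report.values())
    return report


def check_nand_dump_bytes(blobs: List[bytes],
                          expected_size: int = EXPECTED_NAND_SIZE) -> Dict[str, bool]:
    """In-memory wrapper around check_nand_dumps, handy for small test images."""
    return check_nand_dumps([io.BytesIO(b) for b in blobs], expected_size)


def check_nand_dump_files(paths: List[str],
                          expected_size: int = EXPECTED_NAND_SIZE) -> Dict[str, bool]:
    """File-path wrapper for real NAND_0.bin, NAND_1.bin, NAND_2.bin dumps."""
    handles = [open(p, "rb") for p in paths]
    try:
        return check_nand_dumps(handles, expected_size)
    finally:
        for h in handles:
            h.close()


if __name__ == "__main__":
    # Constructed footer: the issuer string, padding, then a made-up TW name.
    footer = (b"\x00" * 16 + b"Root-CA00000001-MS00000008" + b"\x00" * 42
              + b"TWAB12CD34-0123456789ABCDEF" + b"\x00" * 8)
    print("ConsoleID:", extract_console_id(footer))
    print("TWLTool CID:", rpu_cid_to_twltool("00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF"))
    # Constructed 4 KiB stand-ins for the 240 MB images, with a matching expected size.
    good = b"\x01" * 4096
    print(check_nand_dump_bytes([good, good, good], expected_size=4096))
    print(check_nand_dump_bytes([good, b"\x00" * 4096, good], expected_size=4096))
```

For real dumps, call `check_nand_dump_files(["NAND_0.bin", "NAND_1.bin", "NAND_2.bin"])` with the default size; the report tells you which of the guide's conditions failed (a wiring problem usually shows up as `identical` or `not_all_zero` being false), so you know whether to re-dump before touching the twltool or Win32DiskImager steps.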
  2. reprep

    reprep GBAtemp Advanced Fan
    Member

    Joined:
    Jul 5, 2012
    Messages:
    937
    Country:
Thanks a lot, I bookmarked it. I already bought Sudoku and Fieldrunners from DSiWare Shop. I will use this guide when my The Biggest Loser arrives and I find someone to hard-mod my DSi XL.
     
    alivebacon and Gadorach like this.
  3. jonthedit

    jonthedit GBAtemp Advanced Maniac
    Member

    Joined:
    May 30, 2011
    Messages:
    1,682
    Country:
    Bangladesh
    Excellent work! I will get started and might get into DSi homebrew coding.
     
    dAVID_ and T3GZdev like this.
  4. justinbug2

    justinbug2 GBAtemp Advanced Fan
    Member

    Joined:
    Jun 9, 2015
    Messages:
    566
    Country:
    United States
So what does hacking on the DSi do, like install pirated DSiWare or? Just seems bare to me...
     
    Margen67 likes this.
  5. loco365

    loco365 GBAtemp Guru
    Member

    Joined:
    Sep 1, 2010
    Messages:
    5,457
    No. It allows people to downgrade existing applications, although downgrading Sudoku requires a pirated copy since the original was patched. It enables DSi mode access, but you cannot pirate because you need tickets for the applications to even be visible on the Home Menu.
     
    THYPLEX, leerz and Margen67 like this.
  6. justinbug2

    justinbug2 GBAtemp Advanced Fan
    Member

    Joined:
    Jun 9, 2015
    Messages:
    566
    Country:
    United States
So it's just a really hard way of running DS homebrew?
     
  7. Gadorach

    OP Gadorach Electronics Engineering Technologist
    Member

    Joined:
    Jan 22, 2014
    Messages:
    965
    Country:
    Canada
For anyone interested, here's approximately what the hard-mod will look like installed. Mind you, it was a test fit, so the hole is larger than it needs to be to get the positioning right on the board below.

[IMG]

    It works as intended, of course, and will look better next time, now that I know the correct positioning. The original DSi will look different, of course, as there isn't room under the battery door on the original.

    To answer your question, it lets you re-enable all older flashcarts that were blocked, allows you to copy exploited DSiWare saves, that were disabled in 1.4.2FW, and allows you to use SUDOKU again as a DSiWare Exploit. This also makes your console brick-proof. Beyond that, you can install any homebrew you want to your SD card, and run it in DSi-Mode, with 4x the available RAM and 2x the available CPU speed. This makes homebrew run much better, and might just allow for a stable GBA emulator too. DSiWare and NDS backup loading through DSiWareHax might happen later, but right now, no, it's not supported.
     
    Last edited by Gadorach, Jul 29, 2015
    Margen67, siFippo, nxwing and 3 others like this.
  8. jonthedit

    jonthedit GBAtemp Advanced Maniac
    Member

    Joined:
    May 30, 2011
    Messages:
    1,682
    Country:
    Bangladesh
    Do you need another DSi [normal size] to figure out a perma-solution for non-XLs?
    Okay. Good luck!

Think of it as a starting point. This could turn into something big.
DSi homebrew never saw its day, now it's finally starting.
     
    Last edited by jonthedit, Jul 29, 2015
    JSMastah likes this.
  9. Gadorach

    OP Gadorach Electronics Engineering Technologist
    Member

    Joined:
    Jan 22, 2014
    Messages:
    965
    Country:
    Canada
    I have two regular-sized DSi's right now, so I'm set. Thanks for the offer though.
     
  10. atkfromabove

    atkfromabove GBAtemp Fan
    Member

    Joined:
    Feb 9, 2015
    Messages:
    321
    Country:
    United States
I'm interested in the Arduino guide! I don't have a DS/Lite or Raspberry Pi.
     
  11. Gadorach

    OP Gadorach Electronics Engineering Technologist
    Member

    Joined:
    Jan 22, 2014
    Messages:
    965
    Country:
    Canada
    I'll post it as soon as I figure it out completely. You'll need an SD shield though, just a fair heads up.
     
  12. CTurt

    CTurt Advanced Member
    Member

    Joined:
    May 3, 2015
    Messages:
    73
    Country:
    Margen67 likes this.
  13. Gadorach

    OP Gadorach Electronics Engineering Technologist
    Member

    Joined:
    Jan 22, 2014
    Messages:
    965
    Country:
    Canada
    Margen67 likes this.
  14. zoogie

    zoogie playing around in the dsiware
    Developer

    Joined:
    Nov 30, 2014
    Messages:
    8,049
    Country:
    Micronesia, Federated States of
    Last edited by zoogie, Jul 30, 2015
    Gadorach and Margen67 like this.
  15. atkfromabove

    atkfromabove GBAtemp Fan
    Member

    Joined:
    Feb 9, 2015
    Messages:
    321
    Country:
    United States
I already have one! I've been trying to create a method to get it with the information available about CID and Arduino, but putting it all together is above what I understand. I don't have much experience with dev boards.
     
  16. DinohScene

    DinohScene Feed Dino to the Sharks
    Moderator

    Joined:
    Oct 11, 2011
    Messages:
    20,289
    Country:
    Antarctica
    DSi hacked via gamecard?
    Time to get The Biggest Loser retail.
     
  17. atkfromabove

    atkfromabove GBAtemp Fan
    Member

    Joined:
    Feb 9, 2015
    Messages:
    321
    Country:
    United States
    I decided to get a Raspberry Pi. I figured it's more useful than an Arduino is plus I've been wanting one for a while now. Is it easier to get the CID with a Pi than an Arduino?
     
  18. Gadorach

    OP Gadorach Electronics Engineering Technologist
    Member

    Joined:
    Jan 22, 2014
    Messages:
    965
    Country:
    Canada
    Considerably. Just install RPU (the 3DS unbricker) and run it in "(S)afe mode (Query only)". It'll output the CID onscreen, and you can then bit-flip it and use it with TWLTool.
     
    Margen67 likes this.
  19. Feroz El Mejor

    Feroz El Mejor GBAtemp Fan
    Member

    Joined:
    Jan 26, 2014
    Messages:
    379
    Country:
    Spain
Do you really recommend I buy that game? What can we do with that (not now, with time)? I'm from Spain, IDK how much the game costs if I buy from the UK...
     
  20. Gadorach

    OP Gadorach Electronics Engineering Technologist
    Member

    Joined:
    Jan 22, 2014
    Messages:
    965
    Country:
    Canada
The Biggest Loser, as an exploit game, is used exclusively for recovering your DSi's CID. The CID, or Chip Identification number, is used as part of your NAND's encryption, and is one of two parts of the encryption key. You can also recover the CID with a Raspberry Pi when you install your NAND reader. There are a few ways to get it, using "The Biggest Loser" is just one of them.
     
    Margen67 likes this.