Homebrew DSi Downgrading - The Complete Guide

WiiHomebrew+Snes

With the release of TWLTool, by @WulfyStylez, we now have the ability to downgrade our DSi consoles and install the old DSiWare hacks that were originally released by Team Twiizers. This is achieved by recovering our DSi's per-console keys.

To outline the process, I'll divide it into a few sections. First, you must recover your keys and install an exploitable DSiWare game from the DSi Store. Next, you must backup your NAND with a hardware tool, and use the keys to decrypt it, modify it, and re-encrypt it. And last, you need to set up your SD card for running these exploits.

1) You need a DSi or DSi XL
2) You need to install an exploitable DSiWare game from the DSi Store. I recommend SUDOKU.
3) You need either a Raspberry Pi, or a copy of The Biggest Loser, an original DS/Lite, and a flashcart.
4) You must be comfortable soldering to pads that are as small as 0.5mm in diameter.
5) You need a pencil-tipped soldering iron, and very fine wire, 28AWG or smaller, preferably 30AWG+.
6) An SD to Micro-SD adapter.
7) An SD card reader able to read eMMC chips running in single data-line mode.

You're going to need some software to do this as well. Here's a package with all the software you'll need to downgrade your console.

Extract that to your desktop for now.

You will need to find the DSi Common Key for yourself, but a convenient tool for generating your dsikey.bin has been included, along with the expected MD5 hash of a proper dsikey.bin.

Your ConsoleID is a unique 8-bit (16 character) long string, used as part of the key to sign titles to your console. It is also part of your NAND's encryption key. We will need to recover it before we can continue.

If you've taken care of the requirements, you should already have a copy of one of the exploit games. Here's what you need to do next.

First, on your DSi, make sure you've downloaded and installed the exploit game you bought. Next, open the "System Settings" app, and enter "Data Management". Under "System Memory", find your exploit game. Tap on it, and if you have your SD card installed, you will get a prompt to copy the game to your SD card. Choose "Copy", and wait for it to finish.

Next, remove the SD card from your DSi, and put it into your PC's SD reader. Open the SD card, and navigate to "private/ds/title". You will find your copied game there, in a Bin file.

SUDOKU will show up as "4B344445.bin", and Fieldrunners will show up as "4B464445.bin"

Copy this into the "DSi Downgrade Package" folder, and into the "SRL Extractor" folder.

If you are running Windows Vista or newer, you can simply hold the [Shift] key, and right-click in the folder, in an empty space. When the options come up, they will include "Open command window here". Do this inside the "SRL Extractor" folder, and a command window will open. In this window, you will need to paste the following line of code, but you must modify it to suit your bin file, if it isn't included.

For Fieldrunners:
Code:
dsi_srl_extract.exe --basename=FIELDRUNNERS 4B464445.bin

For SUDOKU:
Code:
dsi_srl_extract.exe --basename=SUDOKU 4B344445.bin

For Others (template):
Code:
dsi_srl_extract.exe --basename=[Game Name] [.bin Name].bin

Once it completes, you will have a lot of extra files in your directory. You will need a hex editor for this part. I recommend HxD, as it's free and easy to use, but you can use anything you like, really. For the sake of this guide though, I'll be assuming that you're using HxD.

Open the [Game Name].footer file that shows up in your folder with HxD. In HxD's main window, look for "Root-CA00000001-MS00000008" in the ASCII window. You will find "TWxxxxxxxx-yyyyyyyyyyyyyyyy" either directly, or shortly after that, with the "x"s and "y"s showing your unique codes. All we need is the data after the dash, so, the "y"s. That 16 character long string is your ConsoleID. Save that to a text file and keep it for later, that's the first part we need for decrypting our NAND.

Getting your CID is a bit more tricky than getting your ConsoleID. CID stands for "Card Identifier", and is a unique code assigned to your eMMC NAND chip at the factory. To read it, we need to either read it from RAM using an exploited DSi-mode game, or directly access the NAND chip, and read the CID through specialized hardware. For now, I'll be covering using "The Biggest Loser", an old DSi-Enhanced exploitable game, to read your CID. I'll later cover using the Raspberry Pi, and other methods, as I have time to write them up.

The Biggest Loser is the only known exploitable DSi-Enhanced (DSi-Mode) game available that still runs on 1.4.5 Firmware. In order to install the exploit you will need to borrow an original DS, or DS Lite. You will also need a DS Flashcart that works on that DS or DS Lite.

Insert your DS flashcart's SD card into your computer, and copy either the file "TB_loser_inject_EU.nds", for the EU region, or "TB_loser_inject_US.nds", for the US region, to your flashcart. Put your flashcart's SD back in your flashcart, and put your flashcart in your DS/DSLite. Start your flashcart, and run the nds file you just copied. It will be named "SaveInjector" in most flashcart menus. It will prompt you to eject your flashcart, and insert your copy of "The Biggest Loser". Do that, and press [start] on your DS/DSLite to inject the hacked save. Once it finishes, turn off your DS/DSLite and eject your copy of "The Biggest Loser", and insert it into your DSi/XL. Start the game, and after the loading screens, you will be presented with your CID, displayed on-screen, in alternating colours. Type that into another text file, and save it for later. It is the second part of your console's NAND encryption.

Full Guide coming soon!

But, for those that already have used RPU to collect their CID, you must modify it like so:

RPU's CID : Aa Bb Cc Dd Ee Ff Gg Hh Ii Jj Kk Ll Mm Nn Oo Pp

Proper CID: Pp Oo Nn Mm Ll Kk Jj Ii Hh Gg Ff Ee Dd Cc Bb Aa

Just match the pairs and you'll have the correct CID for TWLTool to work with.

Coming Soon!

The next step, and most involved, requires you to solder an SD card adapter to very small points on your DSi's mainboard. Here are the diagrams, though they are also included in the archive you downloaded.

[Images: pinout diagrams]

You must solder an SD to microSD convertor to those points. Here is an example diagram.

[Image: example SD to microSD adapter wiring diagram]

You must then plug that into a compatible SD/MMC reader. When Windows identifies it, it will ask you to format it. DO NOT DO THIS UNDER ANY CIRCUMSTANCES. You will permanently brick your console if you do.

Here is a link to a known compatible reader.

US: http://www.amazon.com/gp/product/B006T9B6R2

Canada: http://www.amazon.ca/gp/product/B006T9B6R2

Next, you must install "Win32DiskImager", found in the "Win32DiskImager" folder. Install it, open it, and click the button with the folder icon. It's right beside the "Device:" drop-down list. Browse to your desktop, and, in the "File Name" bar, type "NAND_0.bin". At the end of that bar, you'll see another drop-down list that says "Disk Images (*.img, *.IMG)". Change that to "*.*", and click the "Open" button.

Now, if you haven't plugged in your NAND adapter, do so. When it identifies, remember the drive it identified as (E:, F:, Z:, etc.), and select it in the "Device:" drop-down list. The "Read" and "Write" buttons should now be available to you. Click the "Read" button, and stay away from the "Write" button for now. If you click it now, you could brick your console. When it finishes reading your NAND, change the file name in the image file bar to "NAND_1.bin", and read it again. When that finishes, change the name to "NAND_2.bin", and read it again. When that's done, open HxD, and open them all in the editor by dragging and dropping them into the main window. At the top of HxD, click "Analysis", click "File-compare", and click "Compare...". Next, select your "NAND_0.bin" in the top drop-down box, and your "NAND_1.bin" in the bottom drop-down box. Click "OK", and wait for it to finish. If it says "The chosen files are identical.", then open the file-compare box again, and this time choose "NAND_0.bin" and "NAND_2.bin", and click "OK". If they're all the same, and not all zeros, and all ~240MB (251,658,240 bytes exactly), then you can move on to the next step.

If they don't all match, keep extracting your NAND with different names, until you have at least three matching NAND_X.bin files. You may need to adjust your wiring to achieve this.

If you've been following this guide properly, you should have the following things:

1) A backup of your NAND (NAND_0.bin)
2) Your Console ID
3) Your CID

Congratulations, the hard part is over! Now, let's decrypt your NAND, so we can modify it.

First, you'll need to fill in this command template.
Code:
twltool nandcrypt --cid [CID HERE] --consoleid [ConsoleID HERE] --in NAND_0.bin --out NAND_DEC.bin

Replace [CID HERE] with your CID, and [ConsoleID HERE] with your ConsoleID.

Open the TWLTool directory, and copy your NAND_0.bin into there. Like before, hold [Shift] and right-click inside an empty space in the folder. Select "Open command window here", and paste your modified command into the command prompt. Press [Enter], and wait for it to complete.

You will now have a decrypted NAND image, that we can modify. When you finish editing the NAND image, simply replace that command with the following modified template, and run it again. TWLTool will claim to have succeeded in decrypting the NAND, but it actually did encrypt it, so don't worry about that prompt. Here's the command template.

Code:
twltool nandcrypt --cid [CID HERE] --consoleid [ConsoleID HERE] --in NAND_DEC.bin --out NAND_ENC.bin

You will then have an encrypted NAND that you can flash back to your console with the "Write" button in Win32DiskImager. To do that, just select the "NAND_ENC.bin" when you click the folder button, instead of making a new file.

You'll want to continue on to the next part before you encrypt and write your NAND back though, so keep going first.

This is the real gem of decrypting your NAND. Now that you have a decrypted NAND, you can downgrade titles with ease. Downgrading titles allows you to re-enable copying of exploited save files, allow previously blocked flashcarts to run, and downgrade the patched version of SUDOKU with an exploitable version. You still need to have bought the original game though, as without it, your DSi will not have the required license files to run the game, and it will not start.

If you haven't yet, go find the DSi Common Key from Google. As it's copyright protected code, we can't share it here. Once you have it, go to the "NUSDownloader_v19" folder, and open the "dsikey.bin Generator" application. Paste the common key into it, with no spaces, and click "Generate". The tool was originally made for the slot0x25keyX.bin, but it works just as well for this. Save the resulting file as "dsikey.bin", and make sure it's in the "NUSDownloader_v19" folder. Open NUS Downloader, and click "Database". In here, you'll need three files. Make sure you enable the checkbox at the bottom of the NUS Downloader window labeled "Create Decrypted Contents (*.app)" before you download these titles. They are as follows.

1) Nintendo DS Cart Whitelist:

[DS Icon] -> [System] -> [0003000f484e48XX - Nintendo DS Cart Whitelist] -> [41(All/System)] -> [v256]

2) System Menu (Launcher):

[DS Icon] -> [System] -> [00030017484e41XX - System Menu (Launcher)] -> [[Your Region Here]] -> [v512]

3) System Settings

[DS Icon] -> [System] -> [00030015484e42XX - System Settings] -> [[Your Region Here]] -> [v512]

Next, once those are downloaded successfully, open the "OSFMount" folder, and install the version that matches your version of Windows. If you're using a 64 bit windows installation, use the 64 bit installer. Else, use the 32 bit installer.

When the program has finished installing, open it, and click the "Mount new..." button. Select the "Image File" radio button, and click on the "..." button just below, inside the "Image File" section. In there, browse to, and open, your NAND_DEC.bin file. If it's legitimate, you should see a partition selection prompt. You'll want to select Partition 0, which is a little over 200MB in size, and click "OK". You'll return to the earlier window, and now your NAND will be selected. Go down to the "OK" button, and just above it, you'll see "Read-only drive"s checkbox enabled. Disable it, and click "OK". Once it finishes mounting, you can move on.

Now, you'll need to open your computer, as autoplay isn't enabled for this drive. When you open "My Computer", you'll find a new ~200MB drive available. You can now explore it like any other drive, and modify it to your liking. Here's what to do for the basic steps though.

To start with, you'll need to delete the contents of "title\0003000f\484e48XX\content" from the newly mounted NAND. Next, you'll need to copy the "00000001.app" and "tmd.256" from the "titles\0003000f484e48XX\256" folder in the "NUSDownloader_v19" folder, into the "title\0003000f\484e48XX\content" folder on your NAND. And lastly, you'll have to rename the "tmd.256" to "title.tmd".

In all cases, "XX" represents your region identifier code.

To start with, you'll need to delete the contents of "title\00030017\484e41XX\content" from the newly mounted NAND. Next, you'll need to copy the "00000002.app" and "tmd.512" from the "titles\00030017484e41XX\512" folder in the "NUSDownloader_v19" folder, into the "title\00030017\484e41XX\content" folder on your NAND. And lastly, you'll have to rename the "tmd.512" to "title.tmd".

In all cases, "XX" represents your region identifier code.

To start with, you'll need to delete the contents of "title\00030015\484e42XX\content" from the newly mounted NAND. Next, you'll need to copy the "00000002.app" and "tmd.512" from the "titles\00030015484e42XX\512" folder in the "NUSDownloader_v19" folder, into the "title\00030015\484e42XX\content" folder on your NAND. And lastly, you'll have to rename the "tmd.512" to "title.tmd".

In all cases, "XX" represents your region identifier code.

To start with, you'll need to delete the "00000001.app" from "title\00030004\4b3444XX\content" in the newly mounted NAND. Next, you'll need to rename the old version of the decrypted SUDOKU app to "00000001.app", and copy it into the "title\00030004\4b3444XX\content" folder on your NAND. After that, you can optionally copy the "sudokuhax.sav", renamed to "public.sav", from the "DSiWareHax - Team Twiizers" folder, to the "title\00030004\4b3444XX\data" folder on your NAND, to inject the Sudokuhax exploit.

You must obtain the older version of SUDOKU on your own, as it is copyright protected content, and cannot be shared here.

In all cases, "XX" represents your region identifier code.

When you're finished modifying your NAND, simply open the OSFMount window, select your mounted NAND, and click "Dismount". You can then click exit, and return to the last part of the last step to re-encrypt and write your NAND back to your DSi/XL.

Assuming all has gone as planned, here's some video examples of how your console will act.




That's all there is to it, in as many words as possible. Enjoy, and happy downgrading!


PS. I'm sure I've forgotten some stuff, so just let me know and I'll add it as I have time.


TWLTool - WulfyStylez
SRL Extracter - CaitSith2
The Biggest Loser CID Tools - zoogie
DSiWareHax - Team Twiizers
NUSDownloader - NUSD Team (givememystuffplease & gb.luke)

Pinout Diagrams - Gadorach (base images from iFixIt and DSiBrew)
THIS GUIDE - Gadorach
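
A preflight check for the three items the guide lists before decryption (NAND backup, ConsoleID, CID), as an added example that is not part of the original guide or its tool package. The function names are hypothetical, and it assumes both fields of the "TWxxxxxxxx-yyyyyyyyyyyyyyyy" string are hexadecimal; the sample footer and IDs are constructed.

```python
import hashlib
import re
from collections import defaultdict

NAND_SIZE = 251_658_240  # exact dump size given in the guide
ISSUER = b"Root-CA00000001-MS00000008"
# Assumption: both fields of "TWxxxxxxxx-yyyyyyyyyyyyyyyy" are hexadecimal.
DEVICE_RE = re.compile(rb"TW[0-9A-Fa-f]{8}-([0-9A-Fa-f]{16})")


def console_id_from_footer(footer: bytes) -> str:
    """Return the 16 characters after the dash in the TW... string."""
    start = footer.find(ISSUER)
    if start < 0:
        raise ValueError("issuer string not found in footer")
    match = DEVICE_RE.search(footer, start + len(ISSUER))
    if match is None:
        raise ValueError("no TWxxxxxxxx-yyyyyyyyyyyyyyyy string after issuer")
    return match.group(1).decode("ascii")


def cid_from_rpu(rpu_cid: str) -> str:
    """Reverse the 16 byte pairs of an RPU-style CID (Aa Bb ... Pp -> Pp ... Aa)."""
    raw = bytes.fromhex(rpu_cid)  # fromhex ignores the spaces between pairs
    if len(raw) != 16:
        raise ValueError(f"CID must be 16 bytes, got {len(raw)}")
    return raw[::-1].hex().upper()  # joined without spaces (formatting choice)


def matching_dumps(paths, expected_size=NAND_SIZE, needed=3):
    """Return (sha256, paths) for the first group of `needed` identical dumps
    that have the expected size and are not all zeros."""
    groups = defaultdict(list)
    for path in paths:
        digest, size, nonzero = hashlib.sha256(), 0, False
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                size += len(chunk)
                nonzero = nonzero or chunk.count(0) != len(chunk)
                digest.update(chunk)
        if size == expected_size and nonzero:
            groups[digest.hexdigest()].append(path)
    for sha, same in groups.items():
        if len(same) >= needed:
            return sha, same
    raise ValueError(f"fewer than {needed} matching, valid dumps; read the NAND again")


if __name__ == "__main__":
    # Constructed sample footer bytes; the IDs below are made up.
    footer = b"\x00" * 8 + ISSUER + b"\x00" * 38 + b"TW0123abcd-08a1b2c3d4e5f607\x00"
    print("ConsoleID:", console_id_from_footer(footer))
    print("CID:", cid_from_rpu("00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF"))
```

On real dumps, call `matching_dumps(["NAND_0.bin", "NAND_1.bin", "NAND_2.bin"])` and keep the returned SHA-256 alongside the backup so the file can be re-checked before anything is written back.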

Why do you need one of the exploit games to get the Console ID? Why can't you use a different title, or why is there no other method? Also, can you use this if one of the exploit games doesn't currently have an exploit save installed?
 

Gadorach

Why do you need one of the exploit games to get the Console ID? Why can't you use a different title, or why is there no other method? Also, can you use this if one of the exploit games doesn't currently have an exploit save installed?
This guide was written eons ago, there's surely better ways to collect that information now. RocketLauncher can retrieve the CID for one, though it's not out yet.
 

WiiHomebrew+Snes

This guide was written eons ago, there's surely better ways to collect that information now. RocketLauncher can retrieve the CID for one, though it's not out yet.
Do you mean the CID or the console ID? And either way I wouldn't be able to use RocketLauncher since I'm on 1.4.5 U. I'm going to try using Flipnote instead, and if that doesn't work I'll just have to wait until a new exploit comes out and use fwTool : P
 

Thunder Hawk

This guide was written eons ago, there's surely better ways to collect that information now. RocketLauncher can retrieve the CID for one, though it's not out yet.
Too bad RL needs 1.4.0 in order to do that. Now we need to either downgrade or upgrade to 1.4.0. I would really like this guide to be cleaned up and to add more things with TWLTool and other exploitable cart games that can work with older firmware. Maybe more hardmod information would be a good idea too.
 

mariogamer

I'm not 100% sure but I think I found the ConsoleID of my DSi with a non-exploit DSiWare (Brain Age to be specific).... I'm not sure but I followed the step and it seems to give me something legit...
 

Patxinco

I'm not 100% sure but I think I found the ConsoleID of my DSi with a non-exploit DSiWare (Brain Age to be specific).... I'm not sure but I followed the step and it seems to give me something legit...
For getting the ID, you can use any DSiWare, I've done it with 4 Swords for example.
The exploitable one is for launching fwtool 1.6 to get the CID if you don't have access to the cooking cartridge (can't remember the name)
 

WiiHomebrew+Snes

Also, are the only things stopping someone from making a DSLink-compatible way to dump the NAND that it would take forever to dump and verify the NAND, and that if you do end up dumping it and sending it back to the DS fails, the only way to save your system is with a hardmod? Or is the NAND not accessible from TBL?
 

mariogamer


WiiHomebrew+Snes

Well I already dumped a save from a ds game and I'll try to restore it.... But how "recognized as a TWL game"? I mean injecting with TWLSaveTool

Also, are the sav files the same as there: https://github.com/St4rk/The-Biggest-Loser ?
Well every single way I tried to install the save on a DSi it wouldn't work, so I figured it would be the same on a 3DS but I'm not sure since I don't have access to mine right now to test with TWLSaveTool. But as for the save files yes I believe they are the same.
 

Deleted member 424658

Well I already dumped a save from a ds game and I'll try to restore it.... But how "recognized as a TWL game"? I mean injecting with TWLSaveTool

Also, are the sav files the same as there: https://github.com/St4rk/The-Biggest-Loser ?
You can inject the save with a 3DS just fine, there's no "TWL mode" for writing a save, it's just writing a save.
 

mariogamer

