1. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    GBATemp DSi modding help thread and guide

    NOTE 1: This guide is not complete without a way to dump the BIOSDSI7.ROM and BIOSDSI9.ROM files! If you have a way to legitimately dump these files, leave me a comment below. Also leave a comment if you find a typo or mistake.
    NOTE 2: Ugopwn, the exploit used in this guide, is USA-only. If your console is not a USA-region DSi, you will need another exploit. You can check if your console is a USA console by opening system settings and checking what letter your System version ends with (if it ends with a U, it's a USA console).
    NOTE 3: This guide is SOFTMOD ONLY! If you want hardmod instructions, look here.



    With the new developments of the DSi scene, I felt it was time to get a modern guide that would save users the time needed to find all info across various sources. This post is intended to be a standalone page without the need of additional instructions or info, and is intended to be easy to understand even for beginners.

    This post is not so much an original guide as it is a compilation of other guides into one. As such, I will always provide credit to the author and link to the source. Should you see some of your content on this guide and wish for it to be removed, please leave a comment and I will get rid of it.

    As of the beginning of November of 2017, the upcoming RocketLauncher exploit that takes over the highest security levels on the DSi has not been released yet. Until it is released, this guide will focus on regular DSiWarehax installation in order to boot into the DSi homebrew in userland. Even though full CFW is not possible without RocketLauncher, homebrew access still allows for a lot of cool stuff. Here are some of the possibilities:

    - NAND backup/restore
    - Launching nds cart dumps through nds-bootstrap
    - NDS homebrew games and utilities
    - Emulators

    Without any further ado, here are the sections this guide will be divided into: obtaining a NAND backup and IDs through FWTool, obtaining a NAND backup and IDs through a hardmod, decrypting a NAND backup, injecting DSiWarehax saves and apps, and testing a NAND backup through No$gba (and flashing it back).



    Section 1: Obtaining a Nand backup and IDs through FWTool
    For this section, you’ll need to have a way to boot into homebrew in DSi-mode. In the case of this guide, we will boot homebrew using ugopwn, an exploit for Flipnote Studio, but you can follow along and substitute any other exploit for ugopwn. You’ll also need a hex editor on your computer (if you don’t have one, get one here).

    The build of FWTool that we will use is the FWTool safety mod, since I believe it checks for the presence of encryption when reflashing, which reduces the possibility of bricking. Find it in the Section 1 pack below. If you’re using a newer exploit, such as 4swordhax or any other payload that may need a "payload.dat" file, check out this post for a payload that should make this FWTool compatible with your exploit. Do note that if you are using the modified payload.dat, you should be using an SDHC card (4 - 32 GB). This is based on my own testing, and if someone got the modified payload to work on a card smaller than this, please leave me a comment. Directions:

    1. Get FWTool from the guide pack on your SD card as 2222.nds.
    2. Grab the latest release of ugopwn from here.
    3. Extract the zip file onto the root of your DSi's SD card
    4. Create a new folder in the root of your SD card called private
    5. Go inside that folder and create a new folder called ds
    6. Go inside that folder and create a new folder called 4B475545
    7. Go back to the SD's root and copy the ugopwn folder.
    8. Navigate back to the 4B475545 directory.
    9. Paste the ugopwn folder inside the 4B475545 directory.
    10. Delete the ugopwn folder on the root of your SD card.
    11. Put your SD card back in your DSi.
    12. Turn on the DSi.
    13. Find the application named "Flipnote Studio" and open it.
    14. Choose "view flipnote", then choose "SD card"
    15. Choose "select folder", then choose "user" instead of "normal"
    16. Open the ugopwn folder
    17. Click on the note with the red bottom half, then choose "edit"
    18. Once you are on the editing page, click on the flipnote frog icon in the bottom left
    19. Click on the film roll icon, then choose "copy"
    20. Choose "back", then "exit"
    21. Click on the second note, then choose "edit"
    22. Click on the flipnote frog icon in the bottom left
    23. Click on the film roll icon
    24. Click on the single right arrow (the next to last arrow icon) two times. You should see a new frame be created.
    25. Now comes the hard part: Click on the paste button exactly 122 times
    26. Click the erase button, then the paste button
    27. Wait for FWTool to load. If it does not, you may have not renamed FWTool to 2222.nds, or you may have clicked "paste" an incorrect number of times. If errors keep persisting, make sure your SD card is SDHC
    28. Choose “Dump CID”, and then “Dump BIOS” (the BIOS files will be necessary for section 4)
    29. Finally, choose “Dump nand_dsi.bin” and wait. The Nand backup should be ready after a few minutes.
    30. After the dump is made, choose the “Exit” option. This should turn off your DSi.
    31. Turn it back on and go to System Settings.
    32. Go to the Data Management and choose any DSiWare (simply copy down the name of the DSiWare you used exactly as it appears on the console). Choose copy to transfer it to your SD card. Make sure it’s the only one on the SD card.
    33. Turn off the DSi and insert the SD card back into the computer. Go to the private/ds/title directory and copy the .bin file named with random letters/numbers.
    34. Extract the SRLExtractor folder from the guide pack and paste the .bin file into it.
    35. Open the .bat file in a text editor and replace “DSiWare_Title” with the name of your DSiWare as it appears on the console and “FILENAME” with the name of the .bin file (without the file extension).
    36. If you are in Windows, save and run the .bat file. If you aren’t, copy the command into the Terminal and run it.
    37. Open the .footer file with the name of your DSiWare in your hex editor. Look for the TW#############-############ in the text window. Copy the 16 characters after the dash into a text file and name it “Console ID.txt”.



    Section 2: Decrypting and mounting a Nand Backup
    For this section we will be using WulfyStylez’s TWLTool to decrypt the Nand backup you got, and OSFMount (or its equivalent for your computer) to mount it. You’ll need the Nand backup and IDs you should have already dumped to continue (they should be in a folder that starts with FW). You’ll also need a hex editor.

    1. Open your CID.bin from Section 1 in a hex editor and copy all 16 hex pairs into a text editor. Delete the spaces between the hex pairs, and copy the resulting text.
    2. Open the decrypt nand.bat from the guide pack’s TWLTool folder in a text editor and replace CID_BLANK with your CID.
    3. Open Console ID.txt from Section and copy your Console ID. Replace ConsoleID_BLANK with your console ID in the decrypt nand.bat.
    4. Drag nand_dsi from the folder in the SD card into the TWLTool folder.
    5. Run decrypt nand.bat if you’re on a Windows computer, or copy the command into a Terminal window otherwise.
    6. After a while, you should get a file called NAND_DEC.bin.
    7. Open OSFMount or its equivalent for your system. For the following steps, I’ll assume you’re using OSFMount but they shouldn’t be too different for other programs.
    8. Click “Mount New” and in the next window click on the button next to the “Image File” field. Navigate to where you have your NAND_DEC.bin file and select it.
    9. You should be prompted to choose one of a few partitions. Click Partition 0, the one with 200 or so megabytes. Click OK to select the partition.
    10. Deselect the Read-only drive option and click OK. The Nand file will be mounted and will appear as if it’s a drive plugged in to your system.




    Section 3: Injecting DSiWarehax saves and games
    We finally got to the exciting part! Getting you a way to boot into DSi homebrew was the goal of this guide, after all. First thing, however, we’ll need to install an exploitable app. Because the DSi shop is completely dead at this point in time, we’ll need to install the app through a nonconventional way. If you have already installed the game you plan to boot into homebrew through, you do not need to do these next few parts and can just skip straight into the hacked save installation. For those of you who don’t, you’ll need to do these next few steps.

    First, pick one of the following DSiWare games for you to exploit (If you already have one or some of these on your DSi or on a 3DS, pick it/those):

    upload_2017-8-16_20-29-17.png

    Write down the short and long IDs of your game.

    First things first, you’ll need to obtain the .app version of your game if you don’t have it installed. To do that, we need a .cia version of the DSiWare. If you don't have a .cia version of your DSiWare, check out FunKeyCIA, which can get them straight from the 3DS eShop using an existing enctitlekeys.bin file, which you can get from your 3ds using Godmode9 or Decrypt9WIP and will work with any titles you have purchased. Do not ask for an enctitlekeys.bin here, as they are copyrighted content and should not be distributed. If you have any questions about downloading .cia files, please ask them in the FunKeyCIA thread.

    1. Download this release of ctrtool.
    2. Extract ctrtool into its own folder and put your .cia file in that folder. Rename your .cia file to "dsiware.cia".
    3. Run extract.bat. You should get two files, one of which will have a size of 0 kb. Delete the 0 kb file.
    4. Rename the other file to 00000000.app (that's eight 0s).
    5. Create a folder and give it the same name as the short ID of your DSiWare.
    6. Create two subfolders inside the folder you just created. Name them "content" and "data".
    7. Put the 00000000.app inside the content folder.

    You should now have a folder with the name as your game’s short ID. Inside, you should have a content folder with a .app file and a data folder that is empty.

    In order to actually install the DSiWare onto your DSi, follow these steps (or don’t, if you already have the app installed on your DSi):

    1. Make sure your decrypted Nand file is mounted and appears as a drive plugged into your console (it should be if you followed section 2).
    2. Make sure to have the folder named after the game’s short ID open (the folder you got in the first procedure of Section 3). From now on, I will refer to this folder as “short ID folder”.
    3. Go into the tmds folder of the guide pack and find a file with the name of your game’s long ID and a random (and irrelevant) file extension.
    4. Drag it into the content subfolder of the short ID folder and rename it to “title.tmd”.
    5. Open it in a hex editor and go to offset 208 (row 200 and column 08).
    6. Highlight that offset and everything after it. Then delete it.
    7. Go to offset 1E7. Write down the two digits that appear there.
    8. Go into the short ID folder’s content subfolder. Delete the last two digits of the .app file’s name and replace them with the two digits you found. (so, for example, if your file is named is 00000000.app and your digits are 33, rename your file to 00000033.app).
    9. Extract the TWLTool folder of the section 3 pack. (you don’t need to do this if you have TWLTool from the Section 2 pack, it’s the same folder).
    10. In your mounted Nand, go into the ticket/00030004 folder and copy any of the .tik files you see there into the extracted TWLTool folder. Rename it to ticket.tik.
    11. Open decrypt ticket.bat and encrypt ticket.bat in a text editor. Replace ConsoleID_BLANK with your console ID.
    12. Save encrypt ticket.bat. Save and run decrypt ticket.bat or copy the command into a Terminal window.
    13. Open the resulting dec_ticket.tik file in a hex editor.
    14. Go to offset 1DC and replace it (and the next 8 offsets) with the long ID of your game.
    15. Run encrypt.bat or copy the command into a Terminal window.
    16. Rename the resulting enc_ticket.tik so it has the same name as the short ID of your game (make sure to include the .tik extension).
    17. Drag it into the ticket/00030004 folder in your mounted nand.

    After you have followed these steps, you should have the app installed on your DSi’s Nand image. Now, all we have to do is install the hacked save onto the save. Follow these steps:

    1. Open the DSiWareHax saves folder in the Section 3 pack.
    2. Choose the folder for your game and region and open it. You should see a “titles” folder.
    3. Drag that “titles” folder onto the root of your Nand image. Accept if it asks if you want to merge the folder and overwrite the public.sav file already there.

    Before we finish off this section, there is one final procedure for those who plan to run homebrew with Sudoku. After the initial sudokuhax exploit was released, a patched version of Sudoku was introduced to the DSi Shop (and eShop) in order to prevent its use for hacking purposes. Because of this, if you just installed Sudoku (or bought it after March 2011) you should follow this short procedure to revert back to the original, exploitable, Sudoku. Here are the steps:

    1. Download WinRAR and Lunar IPS, as well as the patch for your version of Sudoku and the sudoku patch 002 pack.
    2. Install WinRAR, and make sure to associate the .001 extension with it if asked.
    3. Make a new folder called "sudoku patching" (or whatever you want), and extract your sudoku patch and the 002 file corresponding to it into that folder.
    4. With both of those files in the same folder, open the 001 file with WinRAR. You should see a .ips file. Extract it to the folder.
    5. Run lunar IPS and click apply IPS patch.
    6. Navigate to the .ips file you just extracted and select it.
    7. In the next window, change the file type Lunar IPS is looking for from "Most Common ROM Files" to "All files (.)".
    8. Go to your decrypted nand, and go to the title/00030004/XXXXXXX folder (XXXXXXX is the short ID of your Sudoku version).
    9. Open the content folder and choose 000000.app.
    10. Your sudoku version will now be patched and changed to the exploitable version.

    Finally, we’re going to unmount and re-encrypt our Nand image, and Section 3 will be over. Follow these steps:

    1. Open OSFMount and close all file explorer windows. Select the NAND_DEC.bin file and click dismount.
    2. Drag the NAND_DEC.bin file into your TWLTool folder.
    3. Open encrypt nand.bat in a text editor and make sure it has your own CID and console ID (if it doesn’t, replace CID_BLANK and ConsoleID_BLANK with them).
    4. Run encrypt nand.bat. The resulting NAND_ENC.bin is your re-encrypted, and fully working, hacked Nand.


    Section 4: Checking your Nand with No$GBA and reflashing it
    This part is technically optional, but strongly recommended. What we will do in this section is use a DSi emulator, No$GBA, in order to check that our Nand is working correctly. You could very well skip this section and try to flash your Nand without testing but that would very much be stupid, and is the easiest way to brick. Unless you’re willing to take that risk, follow this procedure.

    Before we start however, you will need a few files I cannot link you to. They are called the DSi firmware files, and are named as individually as follows:

    - bios7i.bin
    - bios9i.bin
    - BIOSNDS7.ROM
    - BIOSNDS9.ROM
    - BIOSDSI7.ROM
    - BIOSDSI9.ROM

    The first two can be dumped by FWTool, and the next two can be dumped using this tool, preferably on a DS Lite/phat (although dumps from a DSi have worked for me). All you have to do is put the tool on a flashcart and run it, and the files will appear on the cart’s microSD.

    I have not found any way to dump the last two however. Please tell me if you know of a way to dump the BIOSDSI.ROM files!

    Once you have these files, follow these steps:

    1. Download the latest release of No$GBA (I recommend the gaming version).
    2. Extract No$GBA into a folder and put the BIOS files on that same folder.
    3. Make a copy of NAND_ENC.bin from Section 3 and rename it to DSi-1.mmc.
    4. Get the dsi footer template from the guide pack and put it in the no$GBA folder.
    5. Open the footer template in a hex editor.
    6. Replace the AA pairs with your console’s CID.
    7. Open up your Console ID.txt. Put spaces after every two characters. Your Console ID should now be made up of 8 pairs of characters (16 characters total).
    8. Replace the BB pairs with your console ID, but with the order of the character pairs reversed. For example, if your console ID starts with the character pair 08, and ends with the character pair 26, you will type in 26 first and 08 last.
    9. Save the dsi footer (but don’t close it yet).
    10. Copy all of the dsi footer’s hex data, then open DSi-1.mmc in a hex editor.
    11. Scroll down to the bottom, and at the end of the file paste the dsi footer’s hex data.
    12. Save and close DSi-1.mmc and open No$GBA
    13. Go to options and then Emulation setup.
    14. In the Emulation tab, set “Reset/Startup Entrypoint” to “GBA/NDS BIOS (Nintendo logo)” and NDS Mode Colors to “DSi (retail/16MB)”.
    15. Click Save Now and then OK.
    16. Go to File, Cartridge Menu (FileName), and then open any .nds file (such as FWTool).
    17. You should now see an emulated version of your DSi. If you don’t, something went wrong.
    18. Go past the startup screen into the DSi menu. If you just installed an exploitable game, you’ll find it gift wrapped as a blue icon. Whether you just installed it or not, boot up your exploitable game.
    19. Trigger your game’s exploit. If it is working correctly, No$GBA should error out. If you do not see an error, find what went wrong. If you do see an error, proceed.

    You should now have tested and verified that your NAND works correctly. Follow these last few steps to flash your modified NAND to your DSi.

    1. Put your DSi SD card into your computer.
    2. Copy your original NAND_ENC.bin onto your SD card (DO NOT copy the DSi-1.mmc file that you added your footer to, or risk bricking).
    3. Drag NAND_ENC to the folder FWTool made that contains your original NAND backup.
    4. If you still have your original nand_dsi.bin file there, rename it to clean_nand.bin.
    5. Rename NAND_ENC.bin to nand_dsi.bin.
    6. Boot into FWTool by following steps 13-27 of section 1.
    7. Choose restore nand_dsi.bin, and press start and select to begin flashing your NAND.
    8. Wait for the flashing to come to a stop. After the process is complete, choose Exit. If doing so does not turn off your console, turn it off.
    9. Turn it back on and verify that your DSi successfully boots. Afterwards, check that the exploit you installed is working.

    And that’s all there is to it! If you have any questions, feel free to ask on this thread.

    Credits:

    - @Gadorach for the DSi downgrade guide
    - @WulfyStylez for TWLTool
    - @Ryccardo for his DSiWare installation guide
    - @ihaveamac for pointing out that ctrtool had been updated with the 3DS boot9 keys used to extract .cia files.
    - u/ndizzle over on r/emulation for his No$GBA DSi guide
    - Plailect’s 3DS guide for info on the DSi exploit games
    - @billy Acuña for compiling and posting 4swordshax and the modified payload.dat
     

    Last edited by ThisIsDaAccount, Nov 7, 2017
    ahezard, T3GZdev, jamezfat and 11 others like this.
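
The hex-editor bookkeeping in the guide above (CID as a string without spaces, Console ID read from the .footer file, Console ID with its pairs reversed for the No$GBA footer) and a check before restoring a NAND image can be scripted. This is an added example, not part of the original post or its guide pack. The function names, the sample values, the allowed characters in the TW string, the rule that a re-encrypted image keeps the size of the original dump, and the 55 AA first-sector test for a decrypted image are assumptions.

```python
import os
import re

HEX16 = re.compile(r"[0-9A-Fa-f]{16}")


def cid_to_hex(cid: bytes) -> str:
    """Section 2, step 1: the 16 hex pairs of CID.bin with the spaces removed."""
    if len(cid) != 16:
        raise ValueError(f"CID.bin should hold 16 bytes, got {len(cid)}")
    return cid.hex().upper()


def console_id_from_footer(footer: bytes) -> str:
    """Section 1, step 37: the 16 characters after the dash in TW...-..."""
    # Assumption: the characters before the dash are alphanumeric and the
    # 16 characters after it are hex digits.
    found = {m.upper() for m in
             re.findall(rb"TW[0-9A-Za-z]+-([0-9A-Fa-f]{16})", footer)}
    if len(found) != 1:
        raise ValueError(f"expected one TW...-... string, found {len(found)}")
    return found.pop().decode("ascii")


def console_id_reversed(console_id: str) -> str:
    """Section 4, steps 7-8: split into 8 pairs, then reverse the pair order."""
    text = console_id.replace(" ", "")
    if not HEX16.fullmatch(text):
        raise ValueError("Console ID must be 16 hex characters")
    pairs = [text[i:i + 2].upper() for i in range(0, 16, 2)]
    return " ".join(reversed(pairs))


def flash_problems(original_size: int, candidate_size: int,
                   candidate_sector0: bytes) -> list:
    """Reasons not to restore a candidate nand_dsi.bin (empty list = none found)."""
    problems = []
    # Assumption: re-encrypting with TWLTool does not change the image size,
    # so any difference means extra data such as the No$GBA footer.
    if candidate_size != original_size:
        problems.append("size differs from the original dump")
    # Assumption: only a decrypted image shows the 55 AA partition-table
    # signature at the end of its first 512-byte sector.
    if candidate_sector0[510:512] == b"\x55\xaa":
        problems.append("first sector ends in 55 AA, image looks decrypted")
    return problems


def check_files(original_path: str, candidate_path: str) -> list:
    """Run flash_problems() on two image files on disk."""
    with open(candidate_path, "rb") as f:
        sector0 = f.read(512)
    return flash_problems(os.path.getsize(original_path),
                          os.path.getsize(candidate_path), sector0)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real console.
    footer = b"\x00\x01TW1234567890123-08A1B2C3D4E5F626\x00"
    cid = bytes(range(16))
    console_id = console_id_from_footer(footer)
    print("CID for the .bat files:  ", cid_to_hex(cid))
    print("Console ID:              ", console_id)
    print("Console ID for footer:   ", console_id_reversed(console_id))
```

Calling `check_files("clean_nand.bin", "nand_dsi.bin")` before the restore step reports a DSi-1.mmc or NAND_DEC.bin that was renamed by mistake; an empty list means neither check fired.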
  2. pandavova

    Member

    Joined:
    Oct 27, 2015
    Messages:
    892
    Country:
    Germany
    Well... I come back later when ugopwn is JAP compatible...
     
    ThisIsDaAccount likes this.
  3. Diego788

    Diego788 GBAtemp Fan
    Member

    Joined:
    Jun 27, 2014
    Messages:
    425
    Country:
    Chile
    oh god, this guide is so good
    i'll use it when i finally hardmod the DSi, then i'll install the entrypoints
     
    siamese likes this.
  4. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    I'll make sure to add it as soon as it is released (and compatible with more regions).

    — Posts automatically merged - Please don't double post! —

    Glad you like it! Gadorach's guide is more hardmod oriented but this one works well for the non-dumping parts.
     
    pandavova likes this.
  5. Nirmonculus

    Nirmonculus GBAtemp Advanced Fan
    Member

    Joined:
    Nov 4, 2014
    Messages:
    735
    Country:
    What can you do with a fully hacked dsi? I'm planning to hack mine if it is good.
     
  6. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    You can run dsi homebrew programs and emulators, run nds cartridge backups with SRLoader, edit your nand to install dsiware from the 3ds eshop even after the shutdown of the dsi shop, and run blocked flashcarts.
     
  7. GhostLatte

    GhostLatte GBAtemp's Official Van Master™
    Member

    Joined:
    Mar 26, 2015
    Messages:
    3,363
    Country:
    Antarctica
    This should certainly be useful for people who haven't sudokuhaxed their DSi systems yet :P
     
    ThisIsDaAccount likes this.
  8. Nirmonculus

    Nirmonculus GBAtemp Advanced Fan
    Member

    Joined:
    Nov 4, 2014
    Messages:
    735
    Country:
    Sounds great! I'll give it a shot.
     
    ThisIsDaAccount likes this.
  9. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    If you have any questions, feel free to ask here!
     
  10. siamese

    siamese GBAtemp Regular
    Member

    Joined:
    Mar 13, 2010
    Messages:
    155
    Country:
    Mexico
    Truly amazing ! I've managed to test my Nand dump with No$Gba after downgrading it !!! Thanks a lot
     
    ThisIsDaAccount likes this.
  11. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    I'm glad it was helpful!
     
  12. DeoNaught

    DeoNaught I'm here to steal memes and break dreams
    Member

    Joined:
    Aug 22, 2016
    Messages:
    2,261
    Country:
    United States
    can you add a things need b4 hand?

    can you use a Flash card for this?
     
  13. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    All you need is a dsi and an exploit. There's an exploit for flipnote that was leaked but I won't be covering it until its official release which should be fairly soon.

    — Posts automatically merged - Please don't double post! —

    To answer the flash cart question, a flash cart can't be used but is really not necessary.
     
  14. pandavova

    Member

    Joined:
    Oct 27, 2015
    Messages:
    892
    Country:
    Germany
    FTFY
     
    ThisIsDaAccount likes this.
  15. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    Yeah, there really is no definite timeline but considering the leak worked for a lot of people I would say it doesn't need much more for release.
     
  16. pandavova

    Member

    Joined:
    Oct 27, 2015
    Messages:
    892
    Country:
    Germany
    "Only" make it work for Jap and Eur devices :D
     
    Ryccardo and ThisIsDaAccount like this.
  17. jimmyj

    jimmyj Official founder of altariaism. Copyright jimmyj
    Member

    Joined:
    May 26, 2017
    Messages:
    1,480
    Country:
    United Kingdom
    actually there is a .app of sudoku on 3ds.guide I think that's easier
     
  18. ThisIsDaAccount

    OP ThisIsDaAccount GBAtemp Maniac
    Member

    Joined:
    Apr 8, 2016
    Messages:
    1,159
    Country:
    United States
    I guess that's possible, but I wanted to write this guide without advocating piracy.
     
    Deleted User and pandavova like this.
  19. mariogamer

    mariogamer GBAtemp Maniac
    Member

    Joined:
    Aug 12, 2015
    Messages:
    1,258
    Country:
    Canada
    Those ROM files can't be dumped through software, only through a big hardware RAM hack (I found it on an emulator wiki)

    (Also you can dump .app through a 3ds after installing a cia... four sword on internet, sudoku 3ds guide or other for jpn)
     
    Last edited by mariogamer, Aug 19, 2017
  20. BOBdotEXE

    BOBdotEXE GBAtemp Regular
    Member

    Joined:
    Mar 25, 2011
    Messages:
    183
    Country:
    United States
    Will this work via ds link, for DSi cart homebrew methods?

    Such as "biggest loser", I know you can use that to boot the homebrew channel, but I'm not sure if booting the homebrew channel that way supports SdCard R/W
     