Hacking Hacking DSi 2015?

[WhoAmI?]

Interesting. Although some system apps from DSi do work on 3DS. I tested some. (you just have to launch them with FBI, because only the web browser showed up on Home Menu. Everything else is a system app and I guess Home Menu only expected DSi system apps like DS INTERENT and DS Download Play to be installed so it hides all DSi system apps) I recall DSi Web Browser, eShop (though it gets a connection error when it connects to internet. Probably because missing info from TWLN partition?), DSi Sound, and DSi Camera app booted just fine. (and aside from eShop, they operate just as they would on a DSi)

DSi System Settings almost boots. But gets a black screen error. (but the black screen error isn't the one that occurs from CTR Arm9. It's the DSi Black screen error. I even hear the DSi system settings menu music for a quick instant before the error pops up) That also is probably because of missing data on the TWLN partition that a real DSi normally has but is not on a 3DS.

DSi Launcher (what I assumed was the Home Menu itself?) doesn't boot at all. It crashes with black screen error while still in CTR mode or during the transition into TWL mode. Maybe because boot2 doesn't work with it or it's not encrypted in a way 3DS was expecting. That or also because of missing stuff on TWLN/hardware compatibility) I'm just throwing out guesses at this point.

But say I replicated 99% of DSi NAND on 3DS TWLN partition. Could that improve the chances that Boot2 from DSi would work on 3DS if everything a DSi normally has is present on the 3DS or is there some hardware differences or clash with how TWL_FIRM sets things up that gets in the way?

I can imagine one thing is the fact that normally Slot-1 is not enabled in TWL mode if a DSi app was booted (and visa versa if a Slot-1 TWL title was booted), so DSi Home Menu might have issues trying to access Slot-1 since the 3DS TWL_FIRM would assume it's a normal DSi app and there be no Slot-1. Unless DSi Boot2 could possibly resolve that.

Are you able to get Pictochat? Everyone loves that 0u0 Would it be possible to extract it from the DSi and inject into the 3DS?

 

[Apache Thunder]

Pictochat can be downloaded from NUS, but a common ticket isn't available for it last I checked, so the one from NUS is encrypted and it can't be made into a CIA.

Unless you want to dump the SRL for it from your DSi NAND and pass it along. Just not here of coarse.

 

[WhoAmI?]

Pictochat can be downloaded from NUS, but a common ticket isn't available for it last I checked, so the one from NUS is encrypted and it can't be made into a CIA.

Unless you want dump the SRL for it from your DSi NAND and pass it along. Just not here of coarse.

Awwee!!!! I want it sooo badly!!! I don't even own the required DSiWare or the know how to mod my DSi 0~0. You think that you could slip that file onto that certain website? I know you're a regular, there pppllleeaaassee. It's pictochat 0u0

 

[Apache Thunder]

I don't own a DSi, so no can do. Sorry.

I might have to try and bum a DSi nand dump from someone if I want to test out any of my crazier ideas.

 

[WhoAmI?]

I don't own a DSi, so no can do. Sorry.

I might have to try and bum a DSi nand dump from someone if I want to test out any of my crazier ideas.

Awe. I wish I could help with that. Hopefully you can get a copy I've realised that you certainly do the craziest of stunts (looking at the things that you've told me in PM and your contributuons to CakeHax).

I ordered a soldering iron, if I don't destroy my DSi I'll give you a dump

 

[Gadorach]

I don't own a DSi, so no can do. Sorry.

I might have to try and bum a DSi nand dump from someone if I want to test out any of my crazier ideas.

I'd give you a dump of mine, but it's apparently useless until I can get it to boot and export an app to get the CID. No CID = No Decrypt.
I did manually dump the NVRAM from my WiFi chip with an old DS, and confirmed it was good. So yeah, resistor array is the only option.

Oh, and just an aside here...

If you have a NAND backup of your DSi, and its CID
And the backup of another DSi, that has an exploit game installed
You can probably clone the system and have the exploit for "free". I say "free" because the eShop would probably not work anymore after that.
Then again, the license files might rely on the console private key as part of the signature, so it might not work after all.

Just sharing the possibility.

 

[Apache Thunder]

Awe. I wish I could help with that. Hopefully you can get a copy I've realised that you certainly do the craziest of stunts (looking at the things that you've told me in PM and your contributuons to CakeHax).

I ordered a soldering iron, if I don't destroy my DSi I'll give you a dump

lol well in the interests in lowering the chance of a DSi not dying a horrible death, try and find someone that can do it for you if you can. hundshamer does nand mods for 3DS and might soon be able to do DSi's too as he posted in this thread expressing interest in doing it. He just doesn't have a test DSi to try one with. If you can't find anyone, perhaps offer yours up to him as the guinea pig. I would bet your odds of getting a working DSi back are better then if you tried it yourself. Especially if you never done nand mods before or have no soldering experience.

 

[Gadorach]

lol well in the interests in lowering the chance of a DSi not dying a horrible death, try and find someone that can do it for you if you can. hundshamer does nand mods for 3DS and might soon be able to do DSi's too as he posted in this thread expressing interest in doing it. He just doesn't have a test DSi to try one with. If you can't find anyone, perhaps offer yours up to him as the guinea pig. I would bet your odds of getting a working DSi back are better then if you tried it yourself. Especially if you never done nand mods before or have no soldering experience.

This. It you look at the videos I posted, you should know I took them through a magnifying glass. If you look at the keys on my keyboard, you'll get a good idea of the size of the points you're soldering to.

 

[WhoAmI?]

lol well in the interests in lowering the chance of a DSi not dying a horrible death, try and find someone that can do it for you if you can. hundshamer does nand mods for 3DS and might soon be able to do DSi's too as he posted in this thread expressing interest in doing it. He just doesn't have a test DSi to try one with. If you can't find anyone, perhaps offer yours up to him as the guinea pig. I would bet your odds of getting a working DSi back are better then if you tried it yourself. Especially if you never done nand mods before or have no soldering experience.

Yeah, you're right. I'd give him it if I had the money for P&P. He could keep it, too. All I want is to have a decrypted NAND dump since I'm just really curious

 

[Apache Thunder]

Yeah, you're right. I'd give him it if I had the money for P&P. He could keep it, too. All I want is to have a decrypted NAND dump since I'm just really curious

If you straight up give it to him, he might pay for the shipping. It never hurts to ask him.

 

[WhoAmI?]

If you straight up give it to him, he might pay for the shipping. It never hurts to ask him.

Yeppers Will do. I'll check the pricing with the post office to see how much it would cost to ship to him. If he's okay with it, then he can most certainly keep it. I'll PM him and let him know

 

[Duo8]

This thread reminds me that I have a DSi as well. It's pretty broken though.

 

[loco365]

PS, here's the challenge: "What is the output of 'date -u +%F | sha1sum | head -c8; echo' ?"
Which, right now, for me is "fd1b81bb".

If my memory is correct, keep that box empty and continue registering. I think that was some kind of trick thing they did.

-SRL de/remodcrypting

Along with this do you also intend to do TAD installation?

 

[WulfyStylez]

[lots of words that got mangled by the text editor]

It makes sense that you can't launch the launcher from the launcher - a bunch of stuff gets disabled and data is purposefully destroyed while LAUNCHER cleans up. The white screen behavior is the same as the retail LAUNCHER loading an application. Also, literally all the behavior you're attributing to boot2 is from launcher, not boot2. In general it's not worth trying to run the old-world stuff on 3DS. TWL_FIRM doesn't perfectly simulate the bootrom.

It is teeechnically possible to crack the CID, but my estimate for time on that is like 4 hours. And that's 8 threads, hardware AES, on Haswell at 4.5GHz. A typical quad-core without hardware AES instructions could likely take upwards of a day of 100% cpu usage.

Along with this do you also intend to do TAD installation?

This can't be done without RSA-signed tickets for your console.

 

[GhostLatte]

Will I able to do things with Sudokuhax without a NAND mod?

 

[Duo8]

It makes sense that you can't launch the launcher from the launcher - a bunch of stuff gets disabled and data is purposefully destroyed while LAUNCHER cleans up. The white screen behavior is the same as the retail LAUNCHER loading an application. Also, literally all the behavior you're attributing to boot2 is from launcher, not boot2. In general it's not worth trying to run the old-world stuff on 3DS. TWL_FIRM doesn't perfectly simulate the bootrom.

It is teeechnically possible to crack the CID, but my estimate for time on that is like 4 hours. And that's 8 threads, hardware AES, on Haswell at 4.5GHz. A typical quad-core without hardware AES instructions could likely take upwards of a day of 100% cpu usage.


This can't be done without RSA-signed tickets for your console.

Well, at least it's not centuries. And what doesn't have hardware AES these days?
What's CID? Chip ID? As long as you have a "real" card reader you should be able to get it.

Oh and what's TAD?

 

[Apache Thunder]

It makes sense that you can't launch the launcher from the launcher - a bunch of stuff gets disabled and data is purposefully destroyed while LAUNCHER cleans up. The white screen behavior is the same as the retail LAUNCHER loading an application. Also, literally all the behavior you're attributing to boot2 is from launcher, not boot2. In general it's not worth trying to run the old-world stuff on 3DS. TWL_FIRM doesn't perfectly simulate the bootrom.

It is teeechnically possible to crack the CID, but my estimate for time on that is like 4 hours. And that's 8 threads, hardware AES, on Haswell at 4.5GHz. A typical quad-core without hardware AES instructions could likely take upwards of a day of 100% cpu usage.


This can't be done without RSA-signed tickets for your console.

I have a gen 1 Intel i7 quad core running at 3.2 GHz. A full day trying to crack NAND encryption I would be willing to try. Of coarse the issue is I don't have any software that would do this.

 

[st4rk]

TWLTool coming fairly soon. Features:
-NAND (de)cryption given only a CID and ConsoleID
-SRL de/remodcrypting
-Boot2 decryption and dumping by section

NAND decryption works for both DSi and 3DS TWL partitions given the necessary input data. The 3DS has a bug where it only has 31 bits of ConsoleID entropy, so it's planned to have something to bruteforce that fairly quickly. That'd allow dsiwarehax injection on any system up to the newest firmware and beyond.
Boot2 decryption supports both DSi and TWL_FIRM (3DS) decryption, and extracts them cleanly out to arm7.bin and arm9.bin.
SRL modcrypting is good for reverse-engineering, not much to say beyond that.

You'll need a way to dump your DSi or 3DS's eMMC CID register. This can't be done over USB readers, but can be done with more direct interfaces like RasPis. I personally dumped mine through a custom Biggest Loser savegame that I'll be including on release (both US and EU regions.) More savegames might be available too (Cooking Coach), we'll see. The Biggest Loser is ideal since it works up to 1.4.5, though. ConsoleID can come from any exported DSiWare title, including the free ones.

The release thread will have some brief guides on stuff including title downgrading and save injection.

wow, good to knows my exploits was useful at least : ), I bought two copies of game(well one is not much useful now, I was trying EEPROM hardware haxx ), anyway good work !.

 

[WulfyStylez]

Well, at least it's not centuries. And what doesn't have hardware AES these days?
What's CID? Chip ID? As long as you have a "real" card reader you should be able to get it.

Oh and what's TAD?

CID is only referenced on a veeery low level, so the only USB card readers which will be able to read it are expensive purpose-made ones. A raspi would be cheaper, and The Biggest Loser would be even cheaper than that.

BTW, starting a bit of work on 3DS CID bruteforcing for twlnand injection. It takes about 30 seconds for me to successfully get a lock on my CID, which is pretty rad.

 

[Gadorach]

I pulled that resistor array, it's 271ohm all the way across. I'll have to replace it, though. The bootloader sits at a black screen with it gone, no errors or anything, just blue light and nothing. On the upside, NAND is still accessible in this state.

As for CID cracking, @WulfyStylez you should PM me a program to do it for my DSi XL, and I'll set my server to crack mine and test it. Not the fasted little server, but I won't have to worry about not being able to use my main while it's cracking the CID. Not like I can use the DSi XL until a new array comes in anyway, ha ha

Edit: Though, I do have a rPi, so if that'll do the trick, I can go that path too.

 

[Plstic]

Sweet. Now I can have sudohax on my DSi XL. I only have it on my regular DSi and I can't believe I just bought the biggest loser hahaha