Photo guide to installing DSiWare backups on real hardware and emulator

Discussion in 'NDS - Tutorials' started by Ryccardo, Jul 8, 2017.

  1. Ryccardo
    OP

    Steal Acquire some decrypted DSiware apps. A not terribly efficient (but pretty simple to do and understand) way is getting them from FreeShop on a modded 3DS, then copying twln:/title/00030004/* to the SD.

    Back up your console's NAND, CID, and ConsoleID using well documented methods.
    If you're using NO$GBA with a nand you didn't dump yourself, you can find the CID and the byteswapped ConsoleID by looking at the end of the dump with a hex editor.
    1 NOCASHNAND.PNG
    (Adding this block is also how you convert a raw backup for use with NO$GBA, just in case you didn't read the manual)

    Use TwlTool to decrypt the nand.
    2 nand decrypt.PNG

    Mount the 1st partition of the decrypted image with OSFMount (Linux equivalent: losetup + mount; Mac equivalent, hdiutil + mount I guess?).
    3 osfmount.PNG 4 osfmount.PNG

    Pick (any?) ticket from the NAND, preferably from the regular DSiware category = 00030004, and decrypt it with TwlTool. This will be a base for the edited tickets we will make.
    5 ticket crypto.PNG

    Open the folder with our dumped title. You will find a "content" folder, possibly a "data" folder, and a .ctx file if it came from a 3DS.
    Delete it, then go to the content folder.
    Remove the "cmd" folder, and the 3DS-format TMD.
    6 source.PNG 7 source content.PNG

    Search the TMD pack for the full TitleID of the DSiware; copy the TMD to the content folder, renaming it to "title.tmd".
    Open title.tmd in a hex editor.
    8 tmd.PNG

    Find offset 1E7; rename the .app file (better known as .srl or .nds) so that the last 2 digits are the ones written at 1E7.
    Find offset 208; delete everything from there to the end of the file. (A small number of tmds are already trimmed).
    Save the file.
    9 tmd edit.PNG

    Open the ticket we decrypted earlier in a hex editor.
    Find offset 1DC and replace the next 8 bytes with the TitleID of the app we're installing;
    Save the file with a name equal to the TitleID-low of the app.
    10 ticket edit.PNG 11 ticket save.PNG

    Use TwlTool to encrypt the ticket, and put it into the NAND.
    12 ticket crypto.PNG

    Copy the title's (content & data) folder to the NAND.
    13 app copy.PNG

    Unmount the NAND and re-encrypt it.
    14 unmount.PNG 15 nand crypt.PNG

    If you're using NO$GBA, you will have to re-add the footer since it will have been removed by TwlTool's NAND features.
    16 nand footer.PNG

    Enjoy your DSiWarez, and if you liked it, BUY THE ORIGINAL... oh wait, they closed the DSi shop
    17.PNG 18.PNG
     
    Last edited by Ryccardo, Jul 8, 2017


  2. slaphappygamer

    Nice guide! I would totally do this, but I don't have a dsiware exploitable title. :(

    Also, are all the games from the dsishop in the eshop?
     
  3. Robz8

    You're in luck, if you have Flipnote or DSi Browser.
    Most of them are in the eShop.
     
  4. Diego788

    I have a friend's DSi with Flipnote, can I extract the NAND or something right now? Or is it an incoming exploit? XD
     
  5. Robz8

    Incoming.
     
  6. Diego788

    COOL :0 I'll wait for it
     
  7. slaphappygamer

    I have both! I can't wait.
     
    Last edited by slaphappygamer, Jul 9, 2017
  8. Diego788

    Same here, both, can't wait to try this :D
     
  9. Valery0p

    Thanks for the guide, we may also need a guide on how to downgrade very soon...
     
  10. Flashed

    Good tutorial. I didn't know that a DSi NAND could be emulated using NO$GBA. The question is... how? The only thing I have is a NAND.bin I got. I can't find the CID/ConsoleID in my dump since I can't find any 'DSi eMMC' as the image says.
     
    Last edited by Flashed, Jul 9, 2017
  11. Ryccardo
    OP

    Of course, you have to add them yourself to tell the emulator :)
     
  12. Flashed

    Oh... I don't have them :P
     
  13. TheLegendofMario

    Theoretically, couldn't we use this method to install an exploitable DSiWare, and then transfer from the DSi to a 3DS and use the DSiWare exploit to install b9s on another 3DS?
     
  14. BlastedGuy9905

    OH MY GOD! I have both! How can I use them to exploit my system? (1.4.5E, I have a flashcart)
     
  15. Robz8

    Details won't be said 'til its actual reveal.
     
  16. BlastedGuy9905

    >"it"
    >reveal
    E X C I T E
     
  17. iAqua

    these work with systransfer > 3ds?
     
  18. Diego788

    probably yes :0
     
  19. Jay1Gamer

    DSi to 3DS deletes the save data and will only transfer if the app is also on the eshop, and it also updates the app.
     
  20. Diego788

    3DS to 3DS transfer doesn't delete DSi save data? lol I didn't remember xd