[RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

Discussion in 'NDS - Emulation and Homebrew' started by WulfyStylez, Jul 24, 2015.

  1. WulfyStylez
    OP

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    TWLTOOL: DSi Research and Hacking Multitool
    Hey all! Here's the newest thing I've been working on. TWLTool is the culmination of a ton of research into the DSi (TWL) platform,
    initially started on the 3DS (TWL_FIRM) and eventually moved over to real hardware.

    TWLTool has a good handful of features, most of which are brand new for public tools:

    NAND decryption/re-encryption
    Given only a consoleID (obtainable from any DSi export) and NAND CID (available from certain SD readers or included savegame hax)
    you can now completely decrypt and modify your DSi's NAND contents! This is useful for a ton of things, see below.

    SRL de/encryption
    Allows decrypting of the DSi-specific regions of DSi-exclusive and enhanced games/titles.

    boot2 decryption
    Decrypts the second-stage bootloader directly from a DSi NAND image, or from a TWL_FIRM boot2 image. This will output an arm7.bin
    and arm9.bin, ready for whatever analysis you want.

    More!
    eventually.

    Guides and such
    Basic NAND decryption

    Title downgrading

    Re-enable classic DSiWarehax installation by downgrading System Settings

    Direct DSiWarehax injection (without settings downgrade)

    Flashcart re-enabling
    Downgrading the flashcart whitelist and/or menu will re-enable previously-blocked DSi-compatible flashcarts.

    More!
    The sheer shittiness of my eMMC reading/writing setup means I haven't fully explored all the possibilities of my own tool. There's
    certainly a ton more possible, if you're willing to dig a bit.


    SPECIAL THANKS
    Martin Korth, for the invaluable documentation on his resource GBATEK (http://problemkaputt.de/gbatek.htm). I wouldn't have been inspired to make this tool without having seen all his documentation on the system.

    CaitSith2, for the source to his tool dsi_srl_extractor. The DSi-oriented crypto libs from that program drive this one, and this program wouldn't have been possible without such a robust backend.

    Team Twiizers, for the actual savegame hax which drove me to build nand crypto tools.

    Yellows8, for occasionally dropping hints in random corners of the internet over the last 6 years, as well as (vaguely related) all his 3DS documentation. "Hey ninty/someone with sd_key."

    Neimod and 3DSGuy, for making CTRTOOL. I borrow some utils and such from there.

    Dazzozo and Shiny Quagsire, for moral support, tons of help with documentation, and salt.

    Changelog:

    DOWNLOADS - v1.6, 5/25/2016
    For the sake of making sure this tool stays available, I've both attached it to this post and made it available on Mega and Mediafire.
    MEGA
    MEDIAFIRE
     

    Last edited by WulfyStylez, May 26, 2016 - Reason: changelog
  2. DrCrygor07

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,711
    634
    Sep 4, 2014
    Italy
    So now we can extract Pictochat to use it on 3DS?
     
    kprovost7314, T3GZdev and Margen67 like this.
  3. einstein95

    einstein95 GBAtemp Regular

    Member
    228
    138
    Aug 31, 2013
    New Zealand
    If you build nusdownloader from source, it comes with the keys built-in so you don't need them (just a heads up).

    @Dr.Crygor 07: Yes.
     
    Last edited by einstein95, Jul 24, 2015
    Margen67 likes this.
  4. Gadorach

    Gadorach Electronics Engineering Technologist

    Member
    961
    697
    Jan 22, 2014
    Canada
    Canada
    I'll go hunt down The Biggest Loser from my local shops, and see about making a video. Else, I'll look into getting the key read with my rPi.
    The DSiBrew Page has updated diagrams by the way, so it's easy to just read them there too.
     
    Margen67 likes this.
  5. Duo8

    Duo8 I don't like video games

    Member
    3,444
    1,144
    Jul 16, 2013
    I'll go look for my DSi now.
     
  6. DrCrygor07

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,711
    634
    Sep 4, 2014
    Italy
    Is it possible to share Pictochat on this site, or is it against the rules?
     
  7. Gadorach

    Gadorach Electronics Engineering Technologist

    Member
    961
    697
    Jan 22, 2014
    Canada
    Canada
    @WulfyStylez Just a heads up, but you put the eMMC diagrams for the DSi up twice, and used my first diagram, instead of the updated one for the DSi XL. You should grab them from DSiBrew instead, it's more reliable than the puu.sh links I uploaded to originally.


    Probably the nicest part about the XL is that you don't have to take the motherboard out of the case at all to access any pins, or unplug anything at all. There's also more room for the micro-JST port to be installed, without any external indication of it being installed.

    And to top it all off, you should be able to read the CID with the current build of RPU, just use the "(S)afe Run (Query Only)" option in the menu, and it will print your CID along with all the other eMMC data. I'll test it myself later today when I get the chance.

    Also, the Arduino-based unbricker found here has all the required code, but no useful way to execute it in the order we want. I'll modify it in a bit for our purposes. I have both an UNO with an SD shield, and a Teensy++ 2.0 with 3.3v enabled, so I'll test on both.

    For the record, it should work if you run it under the "v - VERNAM CYPHER UNLOCK" option, as the CID-read code happens before the unlock attempts, and therefore will display regardless of whether the unlock code fails, which it will, of course. I take no responsibility if this bricks your NAND though, not that there's any code in that function that would anyway.
     
    Last edited by Gadorach, Jul 24, 2015
    Margen67 and ariankordi like this.
  8. WhoAmI?

    WhoAmI? PASTA's dirty animal

    Member
    1,273
    1,009
    Mar 15, 2015
    Poké Ball
    Jeez this girl is amazing. Thank you!
     
    Margen67, dsionr4 and zoogie like this.
  9. einstein95

    einstein95 GBAtemp Regular

    Member
    228
    138
    Aug 31, 2013
    New Zealand
    Against the rules I'd say, but not in other places with ISO of 3DS in the name.
     
  10. dsionr4

    dsionr4 Gbatemp's Shonen Character

    Member
    374
    263
    Mar 14, 2009
    Netherlands
    Space
    Wow, with this tool we can dig deeper and maybe later make an easier version for the people who find this hard to do.
     
  11. Gadorach

    Gadorach Electronics Engineering Technologist

    Member
    961
    697
    Jan 22, 2014
    Canada
    Canada
    Step one is to make a comprehensive, "beginner-friendly" guide to get this stuff done, including downgrading SUDOKU. Wulfy's great at programming, but not so great at write-ups, ha ha
     
    Margen67, Wolfgange and dsionr4 like this.
  12. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    12,531
    5,475
    Mar 17, 2010
    Norway
    Alola
    Wow, impressive. I honestly didn't think there was enough interest left in the DSi for anything new to happen in regards to hacking it.
    It will be interesting to see what more features you can add. Got any specific plans?
     
  13. nastys

    nastys ナースティス

    Member
    1,487
    864
    Aug 5, 2014
    Italy
    Earth
    There are some errors in the source code that prevent the program from being compiled on *NIX systems.
    How to fix the errors...

    I attached the fixed source code, the Linux (32 bit and 64 bit) binaries and the other things :)
     

  14. Gadorach

    Gadorach Electronics Engineering Technologist

    Member
    961
    697
    Jan 22, 2014
    Canada
    Canada
    So, I'm a bit confused. I grabbed dsi_srl_extract from the provided link, opened CMD, typed "dsi_srl_extract.exe 4B464445.bin --basename=FIELDRUNNERS" and all it did was extract the .nds file, nothing else. I made sure "no_mod_crypt = 0" was set in the ini too, just to be sure, but nothing changes between 1 and 0. Any heads up guys, or is it just working for all of you?

    EDIT: Read through the source code, and it's backwards and shit. Proper way is this:

    dsi_srl_extract.exe --basename=FIELDRUNNERS 4B464445.bin
     
    Last edited by Gadorach, Jul 24, 2015
    WhoAmI? likes this.
  15. WhoAmI?

    WhoAmI? PASTA's dirty animal

    Member
    1,273
    1,009
    Mar 15, 2015
    Poké Ball
    Has anyone managed to dump Pictochat, yet?
     
    Margen67 likes this.
  16. Gadorach

    Gadorach Electronics Engineering Technologist

    Member
    961
    697
    Jan 22, 2014
    Canada
    Canada
    These things... They take time...

    But seriously, I'm still working on getting this stuff working. I'll PM you when it's done.
     
    Margen67 and WhoAmI? like this.
  17. WhoAmI?

    WhoAmI? PASTA's dirty animal

    Member
    1,273
    1,009
    Mar 15, 2015
    Poké Ball
    Okey doke :)
     
    emuashui and Margen67 like this.
  18. Coto

    Coto GBAtemp Addict

    Member
    2,385
    426
    Jun 4, 2010
    Chile
    This is definitely interesting... very impressive. The NDS has lots of unused potential, so SD access, proper NAND fs + 802.11 WPA2 + more RAM will be handy.
     
    Margen67 and ariankordi like this.
  19. Feroz El Mejor

    Feroz El Mejor GBAtemp Fan

    Member
    326
    68
    Jan 26, 2014
    Spain
    Villa Raíz (Hoenn)
    Is it possible to do this without a mod some day? I have Guitar Hero Tour, but IDK how to do that...
     
  20. loco365

    loco365 GBAtemp Guru

    Member
    5,458
    2,675
    Sep 1, 2010
    You need the nand mod so you can decrypt everything, inject the haxx, then reflash. I'm waiting on someone to offer such services before I do this because I cannot solder for my life, having only had about a month's worth of experience almost three years ago.
     
    Margen67 likes this.