1. WulfyStylez

    OP WulfyStylez SALT/Bemani Princess
    TWLTOOL: DSi Research and Hacking Multitool
    Hey all! Here's the newest thing I've been working on. TWLTool is the culmination of a ton of research into the DSi (TWL) platform, initially started on the 3DS (TWL_FIRM) and eventually moved over to real hardware.

    TWLTool has a good handful of features, most of which are brand new for public tools:

    NAND decryption/re-encryption
    Given only a consoleID (obtainable from any DSi export) and NAND CID (available from certain SD readers or included savegame hax)
    you can now completely decrypt and modify your DSi's NAND contents! This is useful for a ton of things, see below.

    SRL de/encryption
    Allows decrypting of the DSi-specific regions of DSi-exclusive and enhanced games/titles.

    boot2 decryption
    Decrypts the second-stage bootloader directly from a DSi NAND image, or from a TWL_FIRM boot2 image. This will output an arm7.bin and arm9.bin, ready for whatever analysis you want.

    More!
    eventually.

    Guides and such
    Basic NAND decryption
    DSi NAND images can be dumped with the following hardware pinouts (also available in the release zips):
    DSi: (eMMC pinout image)
    DSi XL: (eMMC pinout image)
    Tools such as Win32DiskImager (http://sourceforge.net/projects/win32diskimager/) can be used to read out your image once your setup works. Be sure to make more than one dump and verify!

    Once you've got that, you should grab your ConsoleID from a DSiWare export. Simply copy any game to your SD card and use dsi_srl_extractor with the option --basename=[name].
    Open [name].footer in a hex editor and search for 'Root-CA00000001-MS00000008-TW[somenumber]-[anothernumber]'.
    The number after the dash is your ConsoleID. It'll start with 08201 on DSi, 08202 on rev2 DSi, and 08A20 on DSi XL.

    Finally, you'll need to dump your CID from your NAND.
    This cannot be done with USB readers, but can be done with low-level SD readers like the Raspberry Pi (If someone can find an easy guide for this I'll link it here) or through a hacked save for the game The Biggest Loser.
    To run the hacked save, you'll need some way to restore a savegame onto a cart. This can be done through the Gateway 3DS menu, or SavSender for the original DS. You'll know the save worked if the game boots to a black screen with awful MIDI menu music.
    After running the hacked save, dump the savegame off your cart. Your CID will be at 0x800, ready to copy-paste into TWLTool.

    Once you've got all of this (and reliable backups!!) usage is simple:
    TWLTool nandcrypt --cid [16-byte-long hex cid] --consoleid [8-byte-long consoleID] --in [filename] (--out [filename])
    The exact same process is repeated to re-encrypt. Just run your decrypted NAND through the file again.

    From this point, you can actually mount your NAND and explore the files on it, as well as pull off a ton of useful hacks. For NAND mounting on Windows, I recommend OSFMount.

    Title downgrading
    It's possible to downgrade bits and pieces - or your entire system - once you've managed to decrypt your NAND. The basic process is as follows:
    -Grab title and TMD from NUSDownloader (or elsewhere). Update your database too.
    Be sure to decrypt the title! NUSDownloader needs the DSi common key in a file named 'dsikey.bin' to do so.
    -Delete the existing title and TMD from the /title folder on your NAND. Replace them with your downloaded ones, being sure to rename the tmd to 'title.tmd'. (do NOT rename the .app!)
    -Re-encrypt NAND and flash it to your system. Done!

    Re-enable classic DSiWarehax installation by downgrading System Settings
    By downgrading System Settings to v512 (I think!! If I'm wrong, tell me which it actually is and I'll update this), your system will be able to import DSiWare exploits signed by any system.
    This will let you run all the old DSiWarehax on any system, even on 1.4.5.

    Direct DSiWarehax injection (without settings downgrade)
    Arguably the better, and more future-proof, option: By injecting one of the included DSiWarehax saves to your NAND, you'll instantly have hax without any dependence on Team Twiizers servers or settings downgrades.
    To do so, rename a save to public.sav and move it to the appropriate /title/00030004/xxxxxxxx/data/ folder. Done.

    Flashcart re-enabling
    Downgrading the flashcart whitelist and/or menu will re-enable previously-blocked DSi-compatible flashcarts.

    More!
    The sheer shittiness of my eMMC reading/writing setup means I haven't fully explored all the possibilities of my own tool. There's certainly a ton more possible, if you're willing to dig a bit.


    SPECIAL THANKS
    Martin Korth, for the invaluable documentation on his resource GBATEK (http://problemkaputt.de/gbatek.htm). I wouldn't have been inspired to make this tool without having seen all his documentation on the system.

    CaitSith2, for the source to his tool dsi_srl_extractor. The DSi-oriented crypto libs from that program drive this one, and this program wouldn't have been possible without such a robust backend.

    Team Twiizers, for the actual savegame hax which drove me to build nand crypto tools.

    Yellows8, for occasionally dropping hints in random corners of the internet over the last 6 years, as well as (vaguely related) all his 3DS documentation. "Hey ninty/someone with sd_key."

    Neimod and 3DSGuy, for making CTRTOOL. I borrow some utils and such from there.

    Dazzozo and Shiny Quagsire; for moral support, tons of help with documentation, and salt.

    Changelog:
    v1.6 - 5/25/2016
    -CID and consoleID can now be loaded from files (just pass a filename instead of a hex ID)
    -TWL decryption now decrypts MBR and partitions (copying the rest) instead of annihilating unencrypted parts
    -3DS consoleID bruteforce is slightly faster and supports exporting ID to file on completion
    -System file crypto should support 3DS now

    v1.5 - 5/23/2016
    -Add support for dev.kp, ticket, etc decryption (ES block crypto with system (not TAD) key)

    v1.1 - 7/24/2015
    -Initial(ish) release

    DOWNLOADS - v1.6, 5/25/2016
    For the sake of making sure this tool stays available, I've both attached it to this post and made it available on Mega and Mediafire.
    MEGA
    MEDIAFIRE
     


    Last edited by WulfyStylez, May 26, 2016 - Reason: changelog
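    The ConsoleID and CID gathering steps from the post above, as an added example written for this page (it is not TWLTool's or dsi_srl_extractor's own code). It assumes the .footer stores the certificate name as ASCII text of the form 'Root-CA00000001-MS00000008-TW<hex>-<consoleID>' with the consoleID being the 16 hex digits after the final dash, takes the CID from offset 0x800 of the dumped save as the post says, and checks the consoleID prefix against the model prefixes the post lists before building the nandcrypt command line. The sample footer and save image are constructed inline, not real console data.

```python
"""Pull the two secrets TWLTool's nandcrypt needs out of the artifacts the
post describes: the ConsoleID from a DSiWare export footer and the NAND CID
from the hacked-save dump.  Added example, not TWLTool's own code."""
import re

# Assumption: the footer carries the certificate name as ASCII text in the
# form 'Root-CA00000001-MS00000008-TW<hex>-<consoleID>' and the consoleID is
# the 16 hex digits (8 bytes) after the final dash.
CONSOLEID_RE = re.compile(
    rb"Root-CA00000001-MS00000008-TW([0-9A-Fa-f]+)-([0-9A-Fa-f]{16})")

# Prefixes quoted in the post: which model a consoleID belongs to.
MODEL_PREFIXES = {"08201": "DSi", "08202": "DSi (rev2)", "08A20": "DSi XL"}

CID_OFFSET = 0x800   # where the hacked save leaves the CID, per the post
CID_LEN = 16         # bytes; TWLTool wants it as 32 hex characters
CONSOLEID_LEN = 8    # bytes; TWLTool wants it as 16 hex characters


def find_console_id(footer: bytes) -> str:
    """Return the consoleID (16 uppercase hex chars) found in a .footer file."""
    m = CONSOLEID_RE.search(footer)
    if m is None:
        raise ValueError("no Root-CA00000001-MS00000008-TW... name in footer; "
                         "is this really a DSiWare export footer?")
    return m.group(2).decode("ascii").upper()


def model_from_console_id(console_id: str) -> str:
    """Sanity-check the consoleID prefix against the models the post lists."""
    prefix = console_id.upper()[:5]
    if prefix not in MODEL_PREFIXES:
        raise ValueError(f"consoleID {console_id} starts with {prefix}, "
                         f"expected one of {sorted(MODEL_PREFIXES)}")
    return MODEL_PREFIXES[prefix]


def extract_nand_cid(save: bytes, offset: int = CID_OFFSET) -> str:
    """Return the 16-byte NAND CID stored at `offset` in the dumped save as hex."""
    if len(save) < offset + CID_LEN:
        raise ValueError(f"save dump is {len(save)} bytes, shorter than "
                         f"{offset + CID_LEN:#x}; not a full cart save")
    cid = save[offset:offset + CID_LEN]
    # An all-zero or all-0xFF field means the hacked save never wrote it.
    if cid in (b"\x00" * CID_LEN, b"\xff" * CID_LEN):
        raise ValueError("CID field is blank; did the hacked save actually run?")
    return cid.hex()


def nandcrypt_command(cid_hex: str, console_id: str, infile: str,
                      outfile: str = "") -> list:
    """Build the TWLTool nandcrypt argv shown in the post, validating lengths."""
    if len(bytes.fromhex(cid_hex)) != CID_LEN:
        raise ValueError("CID must be 16 bytes (32 hex characters)")
    if len(bytes.fromhex(console_id)) != CONSOLEID_LEN:
        raise ValueError("consoleID must be 8 bytes (16 hex characters)")
    argv = ["TWLTool", "nandcrypt", "--cid", cid_hex,
            "--consoleid", console_id, "--in", infile]
    if outfile:
        argv += ["--out", outfile]
    return argv


# Constructed sample inputs, not real console data.
SAMPLE_FOOTER = (b"\x00" * 64
                 + b"Root-CA00000001-MS00000008-TW0000000000000000-0820100000ABCDEF"
                 + b"\x00" * 64)
SAMPLE_SAVE = b"\x00" * CID_OFFSET + bytes(range(CID_LEN)) + b"\xff" * 0x100

if __name__ == "__main__":
    cid = find_console_id(SAMPLE_FOOTER)
    print(cid, model_from_console_id(cid))
    print(" ".join(nandcrypt_command(extract_nand_cid(SAMPLE_SAVE), cid,
                                     "nand.bin", "nand_dec.bin")))
```

    Run it against your real [name].footer and save dump by reading them with open(..., "rb"); the blank-CID check catches the common case where the hacked save booted but never got to write the CID, which otherwise surfaces only as a NAND that decrypts to garbage.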
  2. Mazamin

    Mazamin GBAtemp Advanced Maniac
    So now we can extract Pictochat to use it on 3DS?
     
    kprovost7314, T3GZdev and Margen67 like this.
  3. einstein95

    einstein95 GBAtemp Regular
    If you build nusdownloader from source, it comes with the keys built-in so you don't need them (just a heads up).

    @Dr.Crygor 07: Yes.
     
    Last edited by einstein95, Jul 24, 2015
    Margen67 likes this.
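    The title-downgrade and direct DSiWarehax-injection steps from the first post, applied to a mounted decrypted NAND tree, as an added example written for this page (not TWLTool's code). The /title/00030004/<tidlow>/data/public.sav path and the "rename the TMD to title.tmd, do not rename the .app" rule are from the post; the content subfolder holding the .app and title.tmd, and the demo title ID, are assumptions about the NAND layout. Everything replaced is backed up first, and a title directory that does not exist is refused, since you want to catch mistakes before re-encrypting and flashing.

```python
"""Stage a title downgrade and a DSiWarehax save injection into a mounted,
decrypted DSi NAND tree, keeping backups of everything replaced.
Added example, not TWLTool's own code."""
import re
import shutil
import tempfile
from pathlib import Path

DSIWARE_TID_HIGH = "00030004"                       # from the post's /title/00030004/... path
APP_NAME_RE = re.compile(r"^[0-9a-fA-F]{8}\.app$")  # the downloaded .app keeps its content-ID name


def _backup(nand_root: Path, path: Path, backup_root: Path) -> Path:
    """Copy `path` under backup_root, preserving its position inside the NAND tree."""
    dest = backup_root / path.relative_to(nand_root)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, dest)
    return dest


def downgrade_title(nand_root, tid_high, tid_low, new_app, new_tmd, backup_root):
    """Replace a title's .app and TMD with the downloaded (decrypted) ones.

    Assumption: the files live in /title/<tidhigh>/<tidlow>/content/.
    Returns the names left in that folder."""
    nand_root, backup_root = Path(nand_root), Path(backup_root)
    new_app, new_tmd = Path(new_app), Path(new_tmd)
    content_dir = nand_root / "title" / tid_high / tid_low / "content"
    if not content_dir.is_dir():
        raise FileNotFoundError(f"title {tid_high}/{tid_low} not installed: {content_dir}")
    if not APP_NAME_RE.match(new_app.name):
        raise ValueError(f"{new_app.name!r} does not look like a NUS .app; do not rename it")
    # Back up, then delete, the existing title and TMD (the post's second step).
    for old in sorted(content_dir.glob("*.app")) + sorted(content_dir.glob("*.tmd")):
        _backup(nand_root, old, backup_root)
        old.unlink()
    shutil.copyfile(new_app, content_dir / new_app.name)
    shutil.copyfile(new_tmd, content_dir / "title.tmd")  # the TMD must be named title.tmd
    return sorted(p.name for p in content_dir.iterdir())


def inject_dsiware_save(nand_root, tid_low, hax_save, backup_root) -> Path:
    """Drop a DSiWarehax save in as public.sav for an installed DSiWare title."""
    nand_root, backup_root, hax_save = Path(nand_root), Path(backup_root), Path(hax_save)
    data_dir = nand_root / "title" / DSIWARE_TID_HIGH / tid_low / "data"
    if not data_dir.is_dir():
        raise FileNotFoundError(f"DSiWare title {tid_low} has no data folder: {data_dir}")
    target = data_dir / "public.sav"
    if target.exists():
        _backup(nand_root, target, backup_root)
    shutil.copyfile(hax_save, target)
    return target


def run_demo() -> dict:
    """Exercise both helpers on a constructed NAND tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        nand, backup, dl = tmp / "nand", tmp / "backup", tmp / "downloads"
        title = nand / "title" / DSIWARE_TID_HIGH / "4b464445"  # constructed title ID
        (title / "content").mkdir(parents=True)
        (title / "data").mkdir()
        (title / "content" / "00000002.app").write_bytes(b"installed app")
        (title / "content" / "title.tmd").write_bytes(b"installed tmd")
        (title / "data" / "public.sav").write_bytes(b"original save")
        dl.mkdir()
        (dl / "00000001.app").write_bytes(b"older app")
        (dl / "tmd.1").write_bytes(b"older tmd")
        (dl / "hax.sav").write_bytes(b"hax save")
        names = downgrade_title(nand, DSIWARE_TID_HIGH, "4b464445",
                                dl / "00000001.app", dl / "tmd.1", backup)
        saved = inject_dsiware_save(nand, "4b464445", dl / "hax.sav", backup)
        backups = sorted(p.relative_to(backup).as_posix()
                         for p in backup.rglob("*") if p.is_file())
        return {"content": names, "save": saved.read_bytes(), "backups": backups}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

    Point nand_root at the OSFMount (or loop-mounted) decrypted image and keep backup_root outside it; the backup tree mirrors the NAND layout, so restoring a botched downgrade is a straight copy back before you re-encrypt.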
  4. Gadorach

    Gadorach Electronics Engineering Technologist
    I'll go hunt down The Biggest Loser from my local shops, and see about making a video. Else, I'll look into getting the key read with my rPi.
    The DSiBrew Page has updated diagrams by the way, so it's easy to just read them there too.
     
    Margen67 likes this.
  5. Duo8

    Duo8 GBAtemp Psycho!
    I'll go look for my DSi now.
     
  6. Mazamin

    Mazamin GBAtemp Advanced Maniac
    Is it possible to share Pictochat on this site, or is it against the rules?
     
  7. Gadorach

    Gadorach Electronics Engineering Technologist
    @WulfyStylez Just a heads up, but you put the eMMC diagrams for the DSi up twice, and used my first diagram, instead of the updated one for the DSi XL. You should grab them from DSiBrew instead, it's more reliable than the puu.sh links I uploaded to originally.


    Probably the nicest part about the XL is that you don't have to take the motherboard out of the case at all to access any pins, or unplug anything at all. There's also more room for the micro-JST port to be installed, without any external indication of it being installed.

    And to top it all off, you should be able to read the CID with the current build of RPU, just use the "(S)afe Run (Query Only)" option in the menu, and it will print your CID along with all the other eMMC data. I'll test it myself later today when I get the chance.

    Also, the Arduino-based unbricker found here has all the required code, but no useful way to execute it in the order we want. I'll modify it in a bit for our purposes. I have both an UNO with a SD shield, and a Teensy++ 2.0 with 3.3v enabled, so I'll test on both.

    For the record, it should work if you run it under the "v - VERNAM CYPHER UNLOCK" option, as the CID-read code happens before the unlock attempts, and therefore will display regardless of whether the unlock code fails, which it will, of course. I take no responsibility if this bricks your NAND though, not that there's any code in that function that would anyway.
     
    Last edited by Gadorach, Jul 24, 2015
    Margen67 and ariankordi like this.
  8. WhoAmI?

    WhoAmI? PASTA's dirty animal
    Jeez this girl is amazing. Thank you!
     
    Margen67, ShonenJump and zoogie like this.
  9. einstein95

    einstein95 GBAtemp Regular
    Against the rules I'd say, but not in other places with ISO of 3DS in the name.
     
    Margen67, ariankordi, Mazamin and 2 others like this.
  10. ShonenJump

    ShonenJump Creator of "Color Fever" Comic
    Wow, with this tool we can dig deeper and maybe later make an easier version for the people who find this hard to do.
     
  11. Gadorach

    Gadorach Electronics Engineering Technologist
    Step one is to make a comprehensive, "beginner-friendly" guide to get this stuff done, including downgrading SUDOKU. Wulfy's great at programming, but not so great at write-ups, ha ha
     
    Margen67, Wolfgange and ShonenJump like this.
  12. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08
    Wow, impressive. I honestly didn't think there was enough interest left in the DSi for anything new to happen in regards to hacking it.
    It will be interesting to see what more features you can add. Got any specific plans?
     
  13. nastys

    nastys ナースティス
    There are some errors in the source code that prevent the program from being compiled on *NIX systems.
    In dsi.h, it should be:
    Code:
    #include "polarssl/aes.h"
    not
    Code:
    #include "polarssl\aes.h"
    and in main.c:
    Code:
    #include <sys/timeb.h>
    not
    Code:
    #include <sys\timeb.h>
    Then run:
    Code:
    make clean
    make
    and it will build just fine.

    I attached the fixed source code, the Linux (32-bit and 64-bit) binaries and the other things :)
     


  14. Gadorach

    Gadorach Electronics Engineering Technologist
    So, I'm a bit confused. I grabbed dsi_srl_extract from the provided link, opened CMD, typed "dsi_srl_extract.exe 4B464445.bin --basename=FIELDRUNNERS" and all it did was extract the .nds file, nothing else. I made sure "no_mod_crypt = 0" was set in the ini too, just to be sure, but nothing changes between 1 and 0. Any heads up guys, or is it just working for all of you?

    EDIT: Read through the source code, and it's backwards and shit. Proper way is this:

    dsi_srl_extract.exe --basename=FIELDRUNNERS 4B464445.bin
     
    Last edited by Gadorach, Jul 24, 2015
    WhoAmI? likes this.
  15. WhoAmI?

    WhoAmI? PASTA's dirty animal
    Has anyone managed to dump Pictochat, yet?
     
    Margen67 likes this.
  16. Gadorach

    Gadorach Electronics Engineering Technologist
    These things... They take time...

    But seriously, I'm still working on getting this stuff working. I'll PM you when it's done.
     
    Margen67 and WhoAmI? like this.
  17. WhoAmI?

    WhoAmI? PASTA's dirty animal
    Okey doke :)
     
    emuashui and Margen67 like this.
  18. Coto

    Coto -
    this is definitely interesting.. very impressive- The NDS has lots of unused potential, so SD access, proper NAND fs + 802.11 wpa2 + more RAM will be handy.
     
    Margen67 and ariankordi like this.
  19. Feroz El Mejor

    Feroz El Mejor GBAtemp Fan
    Is it possible to do this without a mod some day? I have Guitar Hero Tour, but IDK how to do that...
     
  20. loco365

    loco365 GBAtemp Guru
    You need the nand mod so you can decrypt everything, inject the haxx, then reflash. I'm waiting on someone to offer such services before I do this because I cannot solder for my life, having only had about a month's worth of experience almost three years ago.
     
    Margen67 likes this.