The Home Menu will probably have to be taken to IDA and HexRays and see what's going on. That and perhaps the bootloader.
Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool
- Thread starter WulfyStylez
- Start date
- Views 188,023
- Replies 728
- Likes 51
I was mostly just interested in if the stage2 bootloader did basic tmd checking on titles before launching them. Not doing that could potentially let you run your own code with menu-level privileges (by booting through a dsiwarehax game and launching stuff from there.) Evidently, it does.
To be fair, even if it did allow that high-level of code exec, I doubt anyone would end up coding a menu replacement/patched menu. There's a lot of prerequisites to it, including restoring a bunch of bootloader-set data before launching the menu.
- Joined
- Jan 7, 2014
- Messages
- 14,600
- Trophies
- 4
- Location
- Another World
- Website
- www.gbatemp.net
- XP
- 25,207
- Country
The entire header of any title is RSA signed, and that header includes hashes for sections including the icon and banner. So, nope.
- Joined
- Jan 7, 2014
- Messages
- 14,600
- Trophies
- 4
- Location
- Another World
- Website
- www.gbatemp.net
- XP
- 25,207
- Country
@hundshamer you find a DSi/XL yet? You've got interested customers man, ha ha
It's just as easy as the 3DS, or maybe even easier, just saying.
I had an offer if I could cover shipping, but I don't really have it. I will offer service, but it's hard to put a price on labor if I don't know what's involved as far as time is concerned. At this point I'm considering a $30-$50 range, but cannot narrow it down further until I have the experience. I'm sure it cant be much harder than doing the clk on an o3DS.
There's only one harder point, and you just have to scratch off the solder mask, or use the resistor array, though I don't recommend it. I have diagrams for both in my guide, and there's room under the battery door for the micro-JST port on the XL. The regular DSi can have it placed in the strap-slot, or a case cut made, both work. Use a bit of extra grounding for the DSi's internal points, the DSiXL doesn't need it though.
I personally went with a $35.00 CAD price-point so far, considering work. Just installing the mod takes up to an hour, but if you're doing the title downgrading too, it takes around two hours, at most. I'd charge extra to do the title downgrading, but recovering the CID is a joke, and you should just throw that in with the main service.
Anyway, hope to see you offering the service soon. There's plenty of interest from what I've seen.
EDIT: Oh, yeah, and you don't even need to take the screws out of the mainboard, just the back screws. All the points are easily accessible on the open side.
Last edited by Gadorach,
I'm not sure if anyone's looked into it as of yet, but if it hasn't yet, I'll look into region-changing the system once I get my system back from @Gadorach. It'd be nice to remove this region lock just like the DSi had, or at least allow for multiple region NANDs so that you can play out-of-market games that have been imported by flashing different-region NAND images.
- Joined
- Jan 7, 2014
- Messages
- 14,600
- Trophies
- 4
- Location
- Another World
- Website
- www.gbatemp.net
- XP
- 25,207
- Country
In my end, I think I will have fun with hex editors xD
Sending my dsi to Gadorach later today for hard mod too.
Whew, what's happening now... more than two people interested in DSi hacking? Well, great. Very nice that there are utilities & tutorials for nand dumping now. And very good to know that title downgrading is actually working without issues (I've never tried it myself, and desoldered my nand-to-card-reader wires ages ago, but knowing that it's possible is motivating for re-attaching that wires). Also interesting that one can combine new (working) DSi Shop version with old System Menu/Settings!
Btw. you are all using 1-bit data mode (only 3 signals, plus GND)? I was afraid that some/many card readers might insist on 4-bit data mode (with 6 signals, plus GND). Or is it safe to assume that most or all readers work in 1-bit mode? (just in case somebody has tried different readers, and can give some stats on the results).
Btw. you are all using 1-bit data mode (only 3 signals, plus GND)? I was afraid that some/many card readers might insist on 4-bit data mode (with 6 signals, plus GND). Or is it safe to assume that most or all readers work in 1-bit mode? (just in case somebody has tried different readers, and can give some stats on the results).
Can you try to replace Flipnote by Sudoku? If it should be working... then it might be also possible from SD card, without needing soldering (on older firmwares, at least).
Is that are general issue, wifi disabled in sudoku? Or could it be related to DSi's with newer/older wifi daughterboards? Older daughterboards have separate Mitsumi+Atheros chips, and one could use either one. Newer boards have only one chip, and - I suspect - one may need to switch into Mitsumi mode somehow in order to get DS wifi working (or figure out how to use DSi wifi, which would be better, but quite difficult).
I had success in 1-bit mode. You don't have to hook up CD/DAT3 for 1-bit mode, either. Hooking it up actually made it not work. This was on a second-revision DSi (TWL-CPU-10) motherboard with an undocumented, different eMMC chip. Should apply to the other one too, though.
I've tried swapping out SRLs without any luck. The launcher will actually detect and show the icon/banner for the game, but it'll fail to load. swapping out both the SRL and tmd will cause it to not show up at all.
The purpose of the CD/DAT3 pin isn't too clear, theoretically it could have triple purpose,
1) detecting SPI mode (by the memory card)
2) detecting card presence (by the card reader) (but the signal would be quite weak, I doubt many readers rely on it)
3) data3 in 4-bit mode
maybe the third one caused the problem: the card reader tried to use 4bit mode when seeing more than one data line connected, or whatever.
What other eMMC does your DSi have? Different type/manufacturer... and different CID? At the moment, I know only two CID's:
dd ss ss ss ss 03 4D 30 30 46 50 41 00 00 15 00 ;CID for DSi and DSi XL
dd ss ss ss ss 03 47 31 30 43 4D 4D 00 01 11 00 ;CID for 3DS
Too bad. Looks as if it compares the titleid in the binary against the titleid of the folder, or against the lists of installed titleid's. Oddly, from what I've heard, the 3DS doesn't seem to do that. But good to know that it won't work on DSi, now I am convinced that I need to buy DSi points, upgrade the firmware, download sudoku, rewire the card reader, and then downgrade back to what I did had before upgrading - but, with additional/working SD/MMC access :- )
I'll try 1bit mode this time. That should be a lot more comfortable than wiring all four data lines (which has been the most complicated part - especially as the four tiny solder pads were located close together).
Last edited by nocash123,
Speaking of title downgrading, I'm awaiting my DSi from Gadorach so that I can test out region changing (And possibly region-free if the checksums can be corrected) so that the Japanese DSi Shop (And European one as well) can be accessed from any system. (That's actually the reason I'm wanting to get the DSi BIOS files for No$GBA is so I can tinker around with the NAND files and see if I can get anywhere quickly since at least the Main Menu can run, which means I don't have to constantly flash my NAND to test a change ehehehe...) Additionally No$GBA was really helpful in me writing my level viewer, I even credited you because it was so helpful!
I've got dd ss ss ss ss 32 57 37 31 36 35 4D 00 01 15 00, and this is with a Samsung KLM5617EFW-B301 eMMC chip on a TWL-CPU-10 board.
I thiiink the DSi pulls region info from something vaguely similar to SecureInfo, including RSA signing, for what it's worth.
I'll have to look into that then. The eMMC image I have is already decrypted, but I'm unsure if it's stored on the NAND or not, although it's quite likely. I'd look on DSiBrew, but most of the pages are stubs or spam, so finding anything on there is nigh impossible.
Edit: Additionally, if the region check can be patched in the HNA* launcher application (Assuming it does the checks, although I'm quite sure it would at least initiate it) and have its RSA signature corrected so that the modified launcher boots properly, at least the cartridge checks will no longer be an issue. Although figuring out how to access other region shops would be nice.
Last edited by loco365,
Good to know! Should be also interesting to anybody trying to brute-force CID's.
Don't want to spoil the fun, but I think the region is stored here (and cannot be changed):
Code:
FAT16:\sys\HWINFO_S.dat (aka Serial/Barcode) (16Kbytes)
0000h 80h RSA-SHA1-HMAC across entries [0088h..00A3h]
(with RSA key from Launcher)
(with SHA1-HMAC key = SHA1([4004D00h..4004D07h])
0080h 4 Header, Version or so (00000001h)
0084h 4 Header, Size of entries at [0088h..00A3h] (0000001Ch)
0088h 4 Bitmask for Supported Languages (3Eh for Europe) (as wifi_flash)
0088h 4 Unknown (00,00,00,00) (bit0=flag for 4004020h.bit0 ?)
0090h 1 Console Region (0=JPN, 1=USA, 2=EUR, 3=AUS, 4=CHN, 5=KOR)
0091h 12 Serial/Barcode (ASCII, 11-12 characters; see console sticker)
009Dh 3 Unknown (00,00,3C) ;"<"
00A0h 4 String "PANH" (aka HNAP=Launcher spelled backwards?)
00A4h 3F5Ch Unused (FFh-filled)
Entries [0088h..009Fh] are copied to [2FFFD68h..2FFFD7Fh].Patching the launcher or other executables won't work either (since they are RSA signed, too). Only chance would be finding an exploit in the launcher or other system utilities (eg. corruping a .sav or .jpg file, which could be done since that files aren't RSA signed). I am hoping that no$gba might get useful for that stuff.
Even two months after the last release, I am still totally unable to get no$gba launching executables selected in bootmenu :- / all I figured out is that the launcher is hitting three errors. The last (and probably most serious one) is FATAL_ERROR_CHECK_TITLE_LAUNCH_RIGHTS_FAILED which I am not sure what is causing that error (I've dumped my eMMC and console IDs right from real hardware, so I should have all rights needed to launch games). My only theory is that it's somehow caused by the other two errors, which are WLFIRM related (ie. related to uploading the wifi firmware to the wifi daughterboard, and emulating that part of hardware looks more and more difficult).
Nice to see you here nocash!, Just do you're best with what fixes that can be done 4 now 
You're next release all will be grateful! .
You're next release all will be grateful! .
That error sounds like a ticket check failing somewhere - be it verification or just not existing.
I personally can't get my eMMC image to boot. I get notyet32s on ConsoleID reading (which i assume is intended behavior since all the AES keys check out, including the ConsoleID-using ones) and then boot2 throws 'Error: 1-2345-8325'.
EDIT: nevermind! Got it to boot after nopping out the AES keysetting instructions in boot2 that were dependent on the consoleID registers. They were setting bad AES words (0 xor the two different values they xor the consoleID against).
Last edited by WulfyStylez,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@
K3Nv2:
Aw shit sonics got that orange cloud circle whatever the hell they call it out rip cholesterol -
@
Psionic Roshambo:
I think the Mister is cool and all, but honestly I have seen some video's exploring the difference between hardware and software emulation and the advantages of both.... I would pick software over FPGA, wouldn't mind some sort of hybrid approach but I can only imagine how complex that would be and how expensive. -
-
-
-
-
-
-
-
