My SD adapter arrived and I was able to install Fieldrunners and the exploit save to the DSi without bricking it. A couple things I did differently than "I pwned u!":
Instead of hex editing off the certs at the end of the tmd file, I used NUS downloader to get it
Instead of adding 13/37 as the ID in the ticket, I just changed the title ID and re-encrypted
My copy of Fieldrunners was purchased from the eShop, not downloaded off Freeshop (IDK if there's a difference, but I figured I'd mention it)
Whatever the case, I'm glad I can join the lucky 100 or so people with DSiwarehax installed.
EDIT: It seems nocash123 was correct in his guess. When you download a DSi game legitimately or not, it creates a blank public.sav file. Here's my process for injecting stuff:
1. Copy the "4xxxxxx" folder from the 3DS TWL nand to the DSi nand (in the 300004 folder, i could be off a couple zeroes), delete the 0000000.tmd file and cmd folder. Make sure you copy over both the "content" and "data" folders
2. Look up the title ID in that giant TMD archive, cut off the end so HxD says the length is 208, save and rename to title.tmd
3. Look at offset 1E7 on the tmd, rename the .app's last digit to the last digit listed.
4. Decrypt any ticket in the ticket/300004 folder, change title ID to your injected app's title id, encrypt ticket and save. Note that I was able to install a few games that were never preloaded on a DSi by modifying the DSi Browser ticket, so it doesn't seem that there's a lot of verification going on there.
Somewhat humorously, this fools the DSi shop into thinking that you have the title installed, so it may be possible to just make the ticket change and download your game from there rather than going through all the effort.
Edit 2: I tried deleting Cave Story and redownloading it from the shop, but got a 201022 error. It doesn't seem like it revoked my ticket or anything, as I was able to copy the game back onto the console afterwards.