Toggle sidebar

Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

  • Thread starter Thread starter WulfyStylez
  • Start date Start date
  • Views Views 211,475
  • Replies Replies 729
  • Likes Likes 51
Can someone please explain to me how I can extract a save from a DSiWare game and how to inject one too?
I can't seem to find any info related to that.
 
@WulfyStylez I have a DSi XL which has the boot code error 0000FEFE. From reading these pages:-

http://dsibrew.org/wiki/Bootloader
dsibrew said:
0000FEFE - Boot sector integrity error (Sector 0x200 not valid), or error in NVRAM contents.
Click to expand...
http://dsibrew.org/wiki/WiFi_Module
dsibrew said:
If this module is disconnected the DSi turns on to a black screen, because it can't read the NVRAM. If the DSi doesn't like the data contained on the module it will give either error 0000FEFE or 0000FE00 at poweron.
Click to expand...
http://dsibrew.org/wiki/NVRAM
dsibrew said:
any changes between 0x00 and 0x27, yields bootloader error 0000FEFE

NVRAM u8 0x1FD is used by launcher to determine which binary to load from the wififw title content, that id *must* match one of the entries in that title content otherwise launcher will display a black error screen while booting. Apparently there are two options for DSi 1.4.4: 01 and 02. Perhaps this is used to identify DWM-W015 vs DWM-W024.
Click to expand...

I'm unsure if this error code means there is a problem with the bootloader, or if the NVRAM on the WiFi module is corrupt - so I just had a couple of quesions if you dont mind;

-Is it possible to dump the NAND from this DSi and use TWLTool to repair the bootloader, even if the system doesnt boot?
-Is there any homebrew which can reflash the NVRAM on the DWM-015 and DWM-024 WiFi modules?

I have read you can use hardware to reflash a DWM-015 module through SPI, but it would be much easier if it were possible to reflash the NVRAM in system (Maybe by hot swapping the defective modules to a working system after its booted?) Also, there doesnt appear to be any documentation about the "5A32" NVRAM chip used on the DWM-024 module?
 
Last edited by Razor83,
Alright, I'm about to try this on my 1.4 U DSi that has been collecting dust for awhile, I have my laptop which has a built in reader that exposes the device (under Linux) as an mmcblk device... I'm wondering if it is possible to use that to get the NAND CID, and if so, how?
 
  • Like
Reactions: Deleted member 356526
dark_samus3 said:
Alright, I'm about to try this on my 1.4 U DSi that has been collecting dust for awhile, I have my laptop which has a built in reader that exposes the device (under Linux) as an mmcblk device... I'm wondering if it is possible to use that to get the NAND CID, and if so, how?
Click to expand...
Thing is, you must update so you can install an updated entrypoint application, so you'll probably be better off updating to the latest DSi firmware, getting the needed application(s) from the DSi Shop, then performing your NAND dump, decrypt it (After getting needed keys, although there's a couple of ways if memory serves), then inject the older versions of the entrypoint applications.
 
Team Fail said:
Thing is, you must update so you can install an updated entrypoint application, so you'll probably be better off updating to the latest DSi firmware, getting the needed application(s) from the DSi Shop, then performing your NAND dump, decrypt it (After getting needed keys, although there's a couple of ways if memory serves), then inject the older versions of the entrypoint applications.
Click to expand...

Can you point me to a list of entrypoint apps? I may have one already... Also I'm mostly concerned with getting my NAND CID atm, after I have a NAND dump and CID I'll be happy to do whatever I need
 
dark_samus3 said:
Can you point me to a list of entrypoint apps? I may have one already... Also I'm mostly concerned with getting my NAND CID atm, after I have a NAND dump and CID I'll be happy to do whatever I need
Click to expand...
SUDOKU by EA and Fieldrunners are both exploitable titles. I had both of them installed when I sent my DSi to @Gadorach before Canada Post lost it. Both should be good to work with.
 
Team Fail said:
SUDOKU by EA and Fieldrunners are both exploitable titles. I had both of them installed when I sent my DSi to @Gadorach before Canada Post lost it. Both should be good to work with.
Click to expand...

Didn't Sudoku get patched?

Let's say I have none of the applications needed, is there any way I can install them? Sorry I'm usually a bit more well read on subjects like this haha, thanks for the help
 
dark_samus3 said:
Didn't Sudoku get patched?

Let's say I have none of the applications needed, is there any way I can install them? Sorry I'm usually a bit more well read on subjects like this haha, thanks for the help
Click to expand...
They are patched, but you can un-patch them so to speak, hence the need to update. What you do is after you've dumped your NAND and decrypted it, you replace the newer versions of those games with older ones so that you can run them (They must be the right ones, because the tickets for the applications are needed or else you can't run them period), then re-encrypt the NAND image and flash it back to your system.

This means that yes, you do need to purchase them, but 1000 points should be more than enough for the two titles.
 
Team Fail said:
They are patched, but you can un-patch them so to speak, hence the need to update. What you do is after you've dumped your NAND and decrypted it, you replace the newer versions of those games with older ones so that you can run them (They must be the right ones, because the tickets for the applications are needed or else you can't run them period), then re-encrypt the NAND image and flash it back to your system.

This means that yes, you do need to purchase them, but 1000 points should be more than enough for the two titles.
Click to expand...

Awesome, thanks I think I have some left over points, hopefully that will be enough, can't wait to try this out.

Thanks @WulfyStylez for all the hard work
 
ok, so I've used the srl extractor... but the number doesn't match what Wulfy said... 08a19 is what I have.... it's a non XL model, so unless something didn't decrypt properly I'm not sure what's going on here :huh:
 
when building the sd -> nand adapter, as the pinout shows 0-3 DAT and clk + cmd points. but in the pictures of peoples mod, they only use DAT0 CLK CMD and GND. are all the dat lines required here? because i attempted this with just dat 0 and with all the DAT lines, both on two diff card readers and i get stuck b4 win32diskimager because when i plugin the reader to the pc it shows a drive but "insert drive.... blah" pops up like it doesnt have a media (nand) available.
0000FE00 error as well. any suggestions?
 
CyrusMainTea said:
when building the sd -> nand adapter, as the pinout shows 0-3 DAT and clk + cmd points. but in the pictures of peoples mod, they only use DAT0 CLK CMD and GND. are all the dat lines required here? because i attempted this with just dat 0 and with all the DAT lines, both on two diff card readers and i get stuck b4 win32diskimager because when i plugin the reader to the pc it shows a drive but "insert drive.... blah" pops up like it doesnt have a media (nand) available.
0000FE00 error as well. any suggestions?
Click to expand...

Speaking from my experience from NAND modding my 3DS you only need DAT0 CMD CLK and GND... Put the SD card into the reader but don't plug the reader in and power the DS on, then plug the reader into the PC and you should be able to dump with Win32Diskimager
 
dark_samus3 said:
Speaking from my experience from NAND modding my 3DS you only need DAT0 CMD CLK and GND... Put the SD card into the reader but don't plug the reader in and power the DS on, then plug the reader into the PC and you should be able to dump with Win32Diskimager
Click to expand...
and nothing changed. its mounting it as a MTP drive? media not inserted... its not my soldering, tried 4 times 2 were on alt points
NVM GOT IT ^^
 
Last edited by CyrusMainTea,
I've dumped my eMMC with an old DELL laptop with internal SD card reader, and, on the same laptop, with an even older external SD card reader. With all four data lines, both worked. With only one data line, only the internal reader worked. I've used a normal ribbon cable (30 cm length, without shielding or other specials), plus short (3 cm) very thin wires between the ribbon cable and mainboard. When connecting to resistors on the mainboard, I would recommend using the resistor pin closest to the eMMC chip, so you get full signal strength. Good solder points are shown in gbatek sd card pinouts chapter.
For dumping, best power up the dsi without wifi daughterboard, then connect it to your PC. Due to the encrypted MBR, the PC should see it as an unformatted drive, though, I think, it shouldn't prompt you to "insert drive". For testing the connection, I've used the "hxd" hex editor (see extras, open disk, open physical disk). The first 200h bytes on the drive are encrypted, but, if your connection is working, then the following 600h bytes should show up with some visible header data.
 
@nocash123 I'n not sure if this was asked before but is it possible to add a DSi header to an ordinary DS rom (and maybe patch something else) so it can be installed?
I just have no idea if DSi code is significantly different from regular DS code.
 
Do you mean retail ROMs or homebrew ROMs, and do you mean real ROM cartridges, or SD/MMC files?

About DSi headers: They contain RSA signatures, making it impossible to create or patch DSi executables. The existing exploits allow to boot homebrew executables, but I think they are merely supporting DS headers, and all the extra entries in DSi headers are still ignored.

DS code and DSi code is 99% identical. Most DS homebrew code will probably work in DSi mode, too. There is a bit more RAM at 2000000h and 3000000h, which might be a problem if you try to happen to access the same memory cell via different/mirrored addresses. Touchscreen/microphone access works different in DSi mode. The NDS ROM cartridge slot is powered off when booting via DSiware exploits.

DS Wifi works on old DSi (with AR6002G chips on wifi board), I am still trying to find out if it works on newer DSi's (with AR6013G chips) and on 3DS (in DSi mode, with AR6014G chips). It might work (or maybe one would first need to somehow switch the AR6013G/AR6014G chips into DS wifi mode). If it would work, then you could boot "dslink" via your exploit, and then use dslink to boot your actual homebrew code via wifi. Did anybody test that yet?
 
  • Like
Reactions: k66 and I pwned U!
nocash123 said:
Do you mean retail ROMs or homebrew ROMs, and do you mean real ROM cartridges, or SD/MMC files?

About DSi headers: They contain RSA signatures, making it impossible to create or patch DSi executables. The existing exploits allow to boot homebrew executables, but I think they are merely supporting DS headers, and all the extra entries in DSi headers are still ignored.

DS code and DSi code is 99% identical. Most DS homebrew code will probably work in DSi mode, too. There is a bit more RAM at 2000000h and 3000000h, which might be a problem if you try to happen to access the same memory cell via different/mirrored addresses. Touchscreen/microphone access works different in DSi mode. The NDS ROM cartridge slot is powered off when booting via DSiware exploits.

DS Wifi works on old DSi (with AR6002G chips on wifi board), I am still trying to find out if it works on newer DSi's (with AR6013G chips) and on 3DS (in DSi mode, with AR6014G chips). It might work (or maybe one would first need to somehow switch the AR6013G/AR6014G chips into DS wifi mode). If it would work, then you could boot "dslink" via your exploit, and then use dslink to boot your actual homebrew code via wifi. Did anybody test that yet?
Click to expand...
Yeah, homebrew would be cool but I meant especially NDS retail roms. I wondered it it was possible to add headers and convert them into an "eshop-compatible" format (even if an unlikely or challenging process) so we could pack them into CIA and install into exploited 3DS consoles like the legitimate dumped DSi titles.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Tutorial  Build DSi NAND from scratch

Homebrew app  A-Pix DS 0.4 – Pixel art editor for Nintendo DS/DSi!

Hardware Misc  JIS or Phillips: What to use on a DSi?

If someone is interested in something, let me know :)

Hardware  After teardown nintendo dsi doesn't fit in its housing

Pokemon White

Hacking  Save File corruptes:(

using the ds's mic as a practical one?