Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

  • Thread starter: WulfyStylez
  • Views: 211,424
  • Replies: 729
  • Likes: 51
Can someone maybe briefly explain this thread?
With a hardmod (or a DSiware exploit plus the "fwtool" DSi homebrew), you can obviously backup and restore your nand.

With at least one DSiware installed that you can copy to SD,
PLUS at least one device capable of reading the CID (most internal laptop SD drives that appear in Linux as /dev/mmcblk*, appropriate software for Arduino/Raspberry, or a secondary exploit for the DSi enhanced game "Biggest Loser"),
you can decrypt the backup and edit the contents.

With the ability to edit the contents of the nand, considering also a large number of shortcuts taken in the DSi's system software, you can:
- Downgrade any installed title (especially the launcher and the whitelist to unlock flashcards blocked after launch)
- Inject .app files (better known as .srl or .nds) into any executable title, where they will run with the permissions of the original software
- Install """backups""" of most DSiware, thanks to the TMDs dumped in the last days by a kind gbatemp member
- Backup, restore, and trade DSiware saves (including installing exploits even if you have the system settings app that came with 1.4.2+)
- If you're using 1.4.0 system apps, actually edit the whitelist to unlock some non-DSi flashcards!
 
Thanks!
 
So hang on, I have SudokuHax installed on my system from when it first launched. How do I dump my firmware without a hardmod? It's also on 1.4.5, however I can still boot into the Homebrew Channel
 
Last edited by 8BitWalugi,
"fwtool" is the homebrew you're looking for; but according to Apache Thunder it may be incompatible with the original sudokuhax due to artificial restrictions in that exploit

I guess creating a backup and trying to decrypt it is safe and (almost) free...

https://gbatemp.net/threads/how-wou...c-and-wifi-flash-with-sudokuhax.390019/page-2
 
Hm I see... was there an exploit that was compatible? Just wondering. When I boot SudokuHax it says 1.0, so I doubt there'd be much hope on that front.

Edit: running it now, it's dumping block ~900/3840. Is... Is it working?
 
Last edited by 8BitWalugi,
I'm not very familiar with DSiware exploits themselves; given that at least the 4 Swords one is open source I would bet more on that, but I haven't actually checked the code (mostly assembly)
 
Even then, I don't know if it'd work on 1.4.5
The DSi doesn't have a background operating system actively blocking exploits; rather, the version of system settings that came with 1.4.2+ blocks the installation of any DSiware save not signed by your own console (therefore including exploits you didn't install in another way - older settings version or nand editing)!
 
Alright alright... I dumped my NAND.bin, what can I do with this? I can see something about a CID, how do I get this with my setup?

If I need to buy The Biggest Loser, I can

Edit: Even if I was to decrypt and modify my NAND, how would I reinject it into my system? I see nothing of the sort in the tool
 
Last edited by 8BitWalugi,
The problem is the DSi Shop is now dead and only offers the 3DS Transfer Tool, so even once you have access to Data Management there is no DSiWare you can transfer to the SD card to get the ConsoleID :(

Is there still absolutely no other way to obtain the ConsoleID? Is it impossible for cartridge save exploits to access the ConsoleID as well as the CID? What ever happened to DSi Soundhax?
@nocash123 I was reading some of your threads and it seems you were looking into alternative ways to get the ConsoleID before discovering the 'DSiWare transferred to SD card' method. Might you have any idea how else we can acquire the ConsoleID now that the DSi Shop is closed?

Also, it doesn't seem like anyone has been archiving DSiWare as TAD files (The DSi equivalent of WAD or CIA) and I just wondered why? NUSdownloader has the option to "Pack WAD" but no option to "Pack TAD". Shouldn't we be archiving DSiWare in its proper format whilst we still have the ability to download it from the servers?

Also, has TwlNmenu (The DSi equivalent of 3DS DevMenu) been converted to use the retail DSi common key? If so is there any way we can install it on a retail DSi? I believe @Apache Thunder managed to get NandFiler working on a retail DSi, although i'm not sure how?
 
Last edited by Razor83,
Fwtool has a "dump CID" option, as well as a "restore nand_dsi.bin" option.
 
Whatever I used had neither of those

Edit: Does fwtool have a .nds version I can use with the Homebrew Channel?
Edit2: My fwtool (1.4.1) doesn't have either of those options
 
Last edited by 8BitWalugi,
ConsoleIDs are in this form:
08A20nnnnnnnn1nnh for DSi
08A19???????????h for some other DSi
08201nnnnnnnn1nnh for DSi XL
????????????????h for 3DS
with the "n" digits being in range 0..9 (no A..F digits). As far as I remember it took around 30 hours to brute-force the correct digits (that was doing the brute-forcing on a DSi console; it may be faster on other hardware). A tool for brute-forcing the CID would probably be more interesting (since most people already have the ConsoleID and only need the CID). As long as you know one of the two values it shouldn't be too difficult to brute-force the other value within reasonable time.

TAD is slang for BIN files on SD card, which isn't what you are downloading from the dsi shop. The BIN files are nice because they do also include a copy of the TMD, plus some personal data like game positions, and the ConsoleID.
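The template-constrained search described in the post above, as an added example that is not part of the original post and is not twltool or fwtool code. The genuine DSi NAND key is derived from the ConsoleID and the eMMC CID through the console's key scrambler and the image is AES-CTR encrypted (see gbatek / twltool); here `derive_key` and `keystream` are hashlib stand-ins so the search runs offline, and they must be swapped for the real derivation before pointing this at a real nand.bin. The CID, ConsoleID and boot-sector bytes are constructed test data. What the example does show faithfully is the search structure: a 16-hex-digit ConsoleID whose "n" positions are decimal digits only, tested against a known-plaintext block, with the search space shrinking by a factor of ten for every digit you already know.

```python
"""
Template-constrained brute force of a DSi ConsoleID (added illustration).

Not twltool/fwtool code. derive_key and keystream are STAND-INS for the real
DSi key scrambler and AES-CTR; replace them before use on a real image.
"""
import hashlib
import hmac
import itertools

# ConsoleID templates as posted: fixed hex digits, 'n' = one decimal digit.
TEMPLATES = {
    "DSi": "08A20nnnnnnnn1nn",
    "DSi XL": "08201nnnnnnnn1nn",
}


def candidate_count(template):
    """Size of the search space: 10 choices per 'n' (not 16, A..F never occur)."""
    return 10 ** template.count("n")


def candidates(template):
    """Yield every 64-bit ConsoleID matching the template, in increasing order."""
    slots = [i for i, c in enumerate(template) if c == "n"]
    chars = list(template)
    for digits in itertools.product("0123456789", repeat=len(slots)):
        for i, d in zip(slots, digits):
            chars[i] = d
        yield int("".join(chars), 16)


def derive_key(console_id, cid):
    """STAND-IN (assumption): the real key is scrambler(KeyX(ConsoleID), KeyY).

    Both secrets feed the key, which is why knowing one lets you search the other.
    """
    return hmac.new(cid, console_id.to_bytes(8, "little"), hashlib.sha256).digest()[:16]


def keystream(key, cid, length):
    """STAND-IN for the AES-CTR keystream. The real counter is seeded from the
    CID (the reason the CID is needed at all); here the seed is SHA-256(CID)."""
    seed = int.from_bytes(hashlib.sha256(cid).digest()[:16], "big")
    out = bytearray()
    for block in range(-(-length // 16)):
        ctr = ((seed + block) & ((1 << 128) - 1)).to_bytes(16, "big")
        out += hashlib.sha256(key + ctr).digest()[:16]
    return bytes(out[:length])


def crypt(console_id, cid, data):
    """XOR data with the keystream; in CTR mode the same call encrypts and decrypts."""
    ks = keystream(derive_key(console_id, cid), cid, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def search_console_id(template, cid, encrypted_block, known_plaintext, limit=None):
    """Return the first ConsoleID in the template whose key turns encrypted_block
    into known_plaintext, or None. `limit` caps the number of candidates tried."""
    for tried, cand in enumerate(candidates(template)):
        if limit is not None and tried >= limit:
            return None
        if crypt(cand, cid, encrypted_block) == known_plaintext:
            return cand
    return None


# Constructed test data (not from any real console).
CID = bytes.fromhex("ab3b5af7a5c2d1ab2fe3ee1ae42e0e4a")            # pretend eMMC CID
TRUE_ID = 0x08A2012345678112                                         # fits the DSi template
KNOWN_BLOCK = bytes.fromhex("fa33c08ed0bc007c8bf45007501ffbfc")    # first 16 bytes of a boot sector
ENCRYPTED_BLOCK = crypt(TRUE_ID, CID, KNOWN_BLOCK)                  # what the image would start with


def demo():
    """With all but three digits already known, only 1000 candidates remain."""
    return search_console_id("08A201234567n1nn", CID, ENCRYPTED_BLOCK, KNOWN_BLOCK)


if __name__ == "__main__":
    print(f"full DSi search space: {candidate_count(TEMPLATES['DSi']):,} candidates")
    found = demo()
    print(f"recovered ConsoleID: {found:016X}h" if found else "not found")
```

The full DSi template has ten unknown decimal digits, so 10^10 candidates; that is the figure the posted 30-hour run had to cover, and each digit recovered elsewhere (a partial label, a sibling console's ID, a previous dump) divides it by ten. The known-plaintext check compares a full 16-byte block rather than a 2-byte signature, so a wrong key cannot pass by chance.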
 
Speaking of ConsoleID. I think I verified that the 4004D00h exists on 3DS in TWL mode. I checked the tickets that DSi System Settings generated after I managed to get it to finish a system update a while back. I got my ConsoleID by pulling it out of itcm memory with GodMode9. Then tried decrypting the tickets with it....The result was valid tickets! So yeah, DSi System Settings is getting the correct ConsoleID which means 4004D00h operates the same way on 3DS.

I tried reading the port with some homebrew. Wasn't getting valid results though since I didn't have the right code for it. Was using an old test app Ahezard made. So I could only retrieve half the string from arm7 with the fifo code he had set up, and it was probably also incorrect because of that. But I noticed that this register would be zero unless I booted from a homebrew app started as a system app. (I have a version of hbmenu installed with file category set to 15 in the TID). So looks like only system apps have access to that port. As gbatek documents, it's write-only for normal apps. :(

By the way the console ID DSi System Settings used for my tickets was "6B27D20002XXXXXX". (X used to censor out final digits) So a little different compared to the ones DSi uses.
 
Last edited by Apache Thunder,