1. JimmyZ

    OP JimmyZ Sarcastic Troll
    Member

    Joined:
    Apr 2, 2009
    Messages:
    681
    Country:
    Zimbabwe
    Source code and (a little) documentation on GitHub:
    https://github.com/Jimmy-Z/TWLbf/
    Windows binary download:
    https://github.com/Jimmy-Z/TWLbf/releases
    https://github.com/Jimmy-Z/bfCL/releases (OpenCL rewrite)

    You'll need a NAND dump and one of the IDs to be able to brute out the other one.
    Update: with the brilliant idea from @dark_samus3, we are now able to brute with only the NAND dump, and the EMMC CID brute can be dramatically faster (this is only implemented in bfCL).

    Previous discussions and how this tool started:
    https://gbatemp.net/threads/any-hope-for-dsis-with-no-dsiware.481338/

    Performance notes about different versions:
    Some (old) test numbers:

    TWLbf OpenSSL on i5-3450, single thread:
    1924 seconds for Console ID 10 BCD digits, 5.2 M/s
    914 seconds for Console ID 32bits, 4.7 M/s
    578 seconds for EMMC CID 32bits, 7.4 M/s
    If you don't have a discrete GPU, you should use this for EMMC CID

    TWLbf mbed TLS on i5-3450, single thread
    745 seconds for Console ID 10 BCD digits, 13.4 M/s
    323 seconds for Console ID 32bits, 13.3 M/s
    612 seconds for EMMC CID 32bits, 7.0 M/s
    If you don't have a discrete GPU, you should use this for Console ID

    bfCL on AMD HD7950, all around 350 M/s:
    29 seconds for Console ID 10 BCD digits
    12 seconds for Console ID 32 bits
    12 seconds for EMMC CID 32 bits
    If you have a good discrete GPU, you should use this one.
    I also tested on an entry level card R7-250, around 90 M/s.

    If you don't know whether your GPU is enough to be useful, run bfCL without parameters (double-click it):
    Code:
    selected device Capeverde on platform AMD Accelerated Parallel Processing
    AES Key: 0d0b8bd02564dd0351d7e415e6f23f36
    randomize source buffer using RDRAND
    0.616 seconds for preparing test data, 217.88 MB/s
    0.593 seconds for OpenCL compiling
    0.046 seconds for data upload, 2917.27 MB/s
    # sha1_16_test on 128 MB
    local work size: 256
    0.036 seconds for OpenCL, 3770.37 MB/s
    0.029 seconds for data download, 4551.45 MB/s
    1.046 seconds for reference C(single thread), 128.31 MB/s
    sha1_16_test: succeed
    # aes_128_ecb_test on 128 MB
    local work size: 256
    0.097 seconds for OpenCL, 1385.86 MB/s
    0.015 seconds for data download, 9205.61 MB/s
    0.867 seconds for reference C(single thread), 154.87 MB/s
    aes_128_ecb_test: succeed
    Press any key to continue . . .
    
    Look at the sha1_16/aes_128_ecb test numbers: basically, if OpenCL speed > C speed * (your CPU's thread capability), it outperforms your CPU.

    TWLbf runs a single thread; you should run multiple instances according to your CPU's thread capability and how many templates you want to try. For example: if you want to brute the Console ID for a DSi XL on a Core i3 or higher, you should run 4 instances of TWLbf mbed TLS, each targeting one of 08201, 08202, 08203 and 08204. That should be done in about 15 minutes.

    bfCL, on the other hand, always saturates the best GPU in your system, so you shouldn't run multiple instances, and if your GPU is weak, the system becomes unresponsive while bfCL is running. Worst case, if your GPU fan can't handle the heat, your system may hang; that's especially true for entry-level GPUs like the R7-250 I tested: if the work is done in ten seconds or so, it works, but longer than that and the system hangs.


    Call for share/document:
    This tool can't brute force blindly; after all, the Console ID is 64 bits and the EMMC CID is 120 bits, so we need some pre-knowledge about them to make the brute forcing viable. If more people could collaborate on this, we could make this tool more useful.

    However, sharing those IDs directly might be risky, so specifically, I (we) want to know:
    • for Console ID:
      • the first 5 digits
        • if you're not comfortable sharing, at least tell us if it's on the list already
      • is the 14th (3rd from the right) digit "1"?
      • are all the other digits in the 0~9 range (no a~f hex digits)?
    • for EMMC CID:
      • the 1st byte (2 digits)
        • this is supposedly a Month/Year date code of the EMMC chip
      • 10 bytes skipping the first 5 bytes (or 20 digits skipping the first 10 digits)
        • this is supposedly a Manufacturer/Product code
        • again, if you're not comfortable sharing, tell us if it's on the list
      • a photo or transcript of the EMMC chip label if possible.
    • model of the corresponding unit: DSi or DSi XL/LL, E or U or J
    • if you have strange cases (violating the rules above), and if you don't mind, PM me the entire Console ID + EMMC CID + first 512 bytes of the NAND/EMMC dump for me to test this tool.

    Current list:

    Console ID first 5 digits; so far the rest are always in the BCD range, and the 14th digit is always "1".
    Code:
    08A15
        DSi, from GBATEK
        unknown
    08A16
        DSi, J, report from windwakr
    08A18
        DSi, U, Black, report from leratrad
        DSi, U, Black, report from hutiu
    08A19
        DSi, U, Black, report dark_samus3(also noted in GBATEK)
        DSi, U, Black, report from Abequinn
    08A20
        DSi, from GBATEK
    08A21
        DSi, U, Cyan, report from wsquan171
        DSi, U, Light Blue, report from FFT.
    08201
        DSi XL, from GBATEK
        DSi, U, Metallic Blue, report from friendsxix
        DSi, U, White, report from friendsxix
        DSi XL, U, Burgundy, report from friendsxix
        DSi XL, U, Burgundy, report from kittensauce
        DSi, E, Metallic Blue, report from Oleboy555
        DSi XL, E, Dark Brown, report from FFT
        DSi XL, U, Burgundy, report from Abequinn
    08202
        DSi XL, E, Blue and Black?, mine
        DSi XL, U, Red, report from enderghast13
        DSi XL, U, Burgundy, report from hutiu
    08203
        DSi XL, U, report from Apache Thunder
    08204
        DSi, U, Pink, report from Apache Thunder
        DSi XL, U, Blue, report from enderghast13
        DSi, U, Light Blue, report from MassExplosion213
    
    EMMC CID: 1 byte month/year date code + 10 bytes manufacturer/product code; the last byte is always 00 according to GBATEK.
    Open your DSi (XL/LL) and read the EMMC label:
    • the MY code can be translated from the 3 digits after "SAMSUNG", for example:
      • CC, DSi XL, U, Burgundy, report from kittensauce, SAMSUNG 949 KMAPF0000M-S998 N24N5GJB; I guess 949 means 2009, 49th week, so 49th week -> December -> Month code C, 2009 -> Year code C.
    • chip model to manufacturer/product code:
      • KMAPF0000M -> 03 4D 30 30 46 50 41 00 00 15 00
      • KLM5617EFW -> 32 57 37 31 36 35 4D 00 01 15 00
    If you can't read the label, then just try all of them; it's doable.
    Code:
    MY ss ss ss ss 03 4D 30 30 46 50 41 00 00 15 00
        unknown, DSi, from GBATEK, KMAPF0000M-S998
        AB, DSi, U, Black, report from dark_samus3(also noted in GBATEK)
        BB, DSi, U, Black, report from leratrad
        2C, DSi, U, Cyan, MY: 2C, report from wsquan171
        3C, DSi, U, Black, report from kittensauce
        9C, DSi, E, Metallic Blue, report from Oleboy555
        CC, DSi XL, U, Burgundy, report from kittensauce, SAMSUNG 949 KMAPF0000M-S998 N24N5GJB
        5d, DSi XL, E, Dark Brown, report from FFT
        5c, DSi, U, Light Blue, report from FFT
        BB, DSi, U, Black, report from hutiu, SAMSUNG 846 KMAPF0000M-S998 N1GUTMC3
        bc, DSi XL, U, Burgundy, report from Abequinn, SAMSUNG 946 KMAPF0000M-S998 N23A3MF6
        bb, DSi, U, Black, report from Abequinn, SAMSUNG 846 KMAPF0000M-S998 N1HW8MC2
    MY ss ss ss ss 32 57 37 31 36 35 4D 00 01 15 00
        unknown, DSi, from GBATEK, KLM5617EFW-B301
        3E, DSi XL, U, Blue, report from enderghast13
        6E, DSi, U, Light Blue, report from MassExplosion213
        9D, DSi XL, U, Burgundy, report from hutiu
    
    Thanks:
     
    Last edited by JimmyZ, Jan 26, 2018
    ry755, Sirius64, chronoss and 26 others like this.
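    As an added example (not code from TWLbf, bfCL or this thread), here is a consistency check that reproduces the post's reading of the CID's first byte as a month/year code (the "949 -> CC" example) and compares a dumped CID against what the chip label implies, so a mismatched dump or label transcription is caught before any brute forcing. It assumes the year nibble counts from 1997 as in the JEDEC eMMC MDT field, that the single label year digit means 200Y, and that the label week is an ISO week; the product-code bytes are the ones listed in the post, and the serial bytes in the sample CID are made up.

    ```python
    from datetime import date, timedelta

    # Manufacturer/product code bytes (CID bytes 5..15) as listed in the thread.
    PRODUCT_CODES = {
        "KMAPF0000M": bytes.fromhex("034D303046504100001500"),
        "KLM5617EFW": bytes.fromhex("3257373136354D00011500"),
    }
    MDT_YEAR_BASE = 1997  # assumption: JEDEC eMMC counts the year nibble from 1997


    def label_date_to_mdt_candidates(code, decade=2000):
        """Samsung label date code 'YWW' -> set of possible first CID bytes.

        The byte is month (high nibble, 1..12) and year - 1997 (low nibble), so
        '949' (2009, week 49) yields 0xCC as in the thread. A work week can
        straddle two months, so both months touched by the ISO week are returned.
        """
        if len(code) != 3 or not code.isdigit():
            raise ValueError("unexpected date code %r" % code)
        year = decade + int(code[0])  # assumption: the label year digit means 200Y
        week = int(code[1:])
        year_code = year - MDT_YEAR_BASE
        if not 0 <= year_code <= 15:
            raise ValueError("year %d does not fit the MDT year nibble" % year)
        monday = date.fromisocalendar(year, week, 1)
        sunday = monday + timedelta(days=6)
        return {(d.month << 4) | year_code for d in (monday, sunday)}


    def check_cid(cid_hex, label_date, chip_model):
        """Compare a dumped 16-byte CID (hex) with what the chip label implies."""
        cid = bytes.fromhex(cid_hex)
        if len(cid) != 16:
            raise ValueError("CID must be 16 bytes")
        candidates = label_date_to_mdt_candidates(label_date)
        return {
            "mdt_ok": cid[0] in candidates,
            "product_ok": cid[5:] == PRODUCT_CODES[chip_model],
            "last_byte_ok": cid[15] == 0,
            "mdt_candidates": sorted("%02X" % c for c in candidates),
        }


    if __name__ == "__main__":
        # Constructed CID: the 'CC' date byte from the thread plus a made-up serial.
        sample = "CC" + "01020304" + "034D303046504100001500"
        print(check_cid(sample, "949", "KMAPF0000M"))
    ```

    The week-49 label lands on a month boundary, so the check accepts both B (November) and C (December) as the month nibble for that case.
    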
  2. wicksand420

    wicksand420 GBAtemp Addict
    Member

    Joined:
    Nov 13, 2016
    Messages:
    2,726
    Country:
    United States
    Awesome, Thanks for this, this should help out the DSi scene.
     
    JimmyZ likes this.
  3. JellyPerson

    JellyPerson https://discord.gg/BMVma8j
    Banned

    Joined:
    Jul 26, 2017
    Messages:
    1,164
    Country:
    Korea, North
    this will help out a lot for the people without dsiware, many thanks to you.
     
    JimmyZ likes this.
  4. JimmyZ

    OP JimmyZ Sarcastic Troll
    Member

    Joined:
    Apr 2, 2009
    Messages:
    681
    Country:
    Zimbabwe
    Document updated extensively.


    Just realized I spelled the name wrong in the title and it seems I can't edit that :facepalm:
     
  5. GhostLatte

    GhostLatte GBAtemp's Official Van Master™
    Member

    Joined:
    Mar 26, 2015
    Messages:
    3,374
    Country:
    United States
    You can report the original post!
     
    JimmyZ likes this.
  6. Apache Thunder

    Apache Thunder I have cameras in your head!
    Member

    Joined:
    Oct 7, 2007
    Messages:
    4,272
    Country:
    United States
    Time to add a couple new constants to that list. My DSi XL USA console has this ConsoleID:

    0820310105092122

    Note the first 5 digits. My console ends in 3 not 1 or 2: 08203

    Also this is the first 5 digits of the USA region Pink non XL DSi I used to own:

    08204

    I won't reveal the full ID to that one as I have sold that to someone else now.
     
    Last edited by Apache Thunder, Aug 23, 2017
    Subtle Demise and JimmyZ like this.
  7. driverdis

    driverdis I am Justice
    Member

    Joined:
    Sep 21, 2011
    Messages:
    2,603
    Country:
    United States
    So, does this tool work for bruteforcing the ConsoleID while having the CID already dumped? I was lucky this time and was able to get Data Management to show up on my DSi XL since I never used it (the top screen is dark and inverted since the POT for it is broken) and was still able to get to the DSi Store for it to appear. I was able to get the ConsoleID afterward, but bruteforcing would be nice in case I run across any DSi's that are missing Data Management and have broken WiFi.
     
  8. JimmyZ

    OP JimmyZ Sarcastic Troll
    Member

    Joined:
    Apr 2, 2009
    Messages:
    681
    Country:
    Zimbabwe
    Thanks, I'll add this to the list; a non-XL with a leading 0820, that's new.
     
  9. Apache Thunder

    Apache Thunder I have cameras in your head!
    Member

    Joined:
    Oct 7, 2007
    Messages:
    4,272
    Country:
    United States
    It's probably a newer non XL. It did come with Flipnote Studio and I recall only some newer batches had it.
     
    JimmyZ likes this.
  10. JimmyZ

    OP JimmyZ Sarcastic Troll
    Member

    Joined:
    Apr 2, 2009
    Messages:
    681
    Country:
    Zimbabwe
    Yes.
     
  11. Apache Thunder

    Apache Thunder I have cameras in your head!
    Member

    Joined:
    Oct 7, 2007
    Messages:
    4,272
    Country:
    United States
    Then again I picked up that console from a pawn shop. BUT Flipnote wasn't available for redownload from DSi Shop the time I checked for downloadable software on it (before I downgraded it) so I think it came preinstalled? :P
     
    JimmyZ likes this.
  12. Friendsxix

    Friendsxix Introspective Potato
    Member

    Joined:
    May 6, 2008
    Messages:
    260
    Country:
    United States
    I have a Matte Blue DSi (non-XL) with the Console ID 0820105505XXXXXX.

    EDIT: Oops, the official name is apparently "Metallic Blue." "Matte Blue" is a slightly different shade.
     
    Last edited by Friendsxix, Aug 23, 2017
    JimmyZ likes this.
  13. JimmyZ

    OP JimmyZ Sarcastic Troll
    Member

    Joined:
    Apr 2, 2009
    Messages:
    681
    Country:
    Zimbabwe
    Thank you. And are all the XXXXXX in the 1~9 range? Is the 3rd from the right "1", and what region?
     
  14. CatmanFan

    CatmanFan Anxious and regretful
    Member

    Joined:
    Aug 14, 2016
    Messages:
    1,951
    Country:
    Morocco
    Is it possible to bruteforce the CID if you already have the Console ID?
     
  15. JimmyZ

    OP JimmyZ Sarcastic Troll
    Member

    Joined:
    Apr 2, 2009
    Messages:
    681
    Country:
    Zimbabwe
    "You'll need a NAND dump and one of the IDs to be able to brute out the other one."
     
    Billy Acuña likes this.
  16. windwakr

    windwakr GBAtemp Fan
    Member

    Joined:
    Sep 13, 2009
    Messages:
    494
    Country:
    United States
    08A16... console ID on a non-XL Japanese DSi
     
    JimmyZ likes this.
  17. Friendsxix

    Friendsxix Introspective Potato
    Member

    Joined:
    May 6, 2008
    Messages:
    260
    Country:
    United States
    They are in the 0~9 range, the third character from the right is a 1, and it is an American unit.
     
    JimmyZ likes this.
  18. enderghast13

    enderghast13 Newbie
    Newcomer

    Joined:
    Jun 8, 2017
    Messages:
    5
    Country:
    United States
    Blue DSi XL Console ID:
    First 5 digits are 08204.
    3rd digit from the right is a 1.
    Every digit is 0-9.

    Blue DSi XL CID:
    First 2 bytes are 3E.
    Last 22 digits are 3257373136354D00011500
    I can't get a photo of the EMMC chip label.

    Red DSi XL Console ID:
    First 5 digits are 08202.
    3rd digit from the right is 1.
    Every digit is 0-9.
    I don't have the CID for this one.


    Can we also post Console IDs from 3ds's?
     
    JimmyZ likes this.
  19. JimmyZ

    OP JimmyZ Sarcastic Troll
    Member

    Joined:
    Apr 2, 2009
    Messages:
    681
    Country:
    Zimbabwe
    Thanks to all of you for sharing!

    Thank you for the detailed report and our first EMMC CID report! I assume they're all US region based on your location?

    I don't know much about that, aren't 3DS like totally hacked already?
    And this tool actually doesn't support 3DS TWL FIRM, they're encrypted differently according to GBATEK and TWLTool.
    I could add support to this if such needs arise though.
     
    enderghast13 likes this.
  20. nocash123

    nocash123 GBAtemp Regular
    Member

    Joined:
    Aug 4, 2015
    Messages:
    133
    Country:
    Afghanistan
    I've had a look at polarssl and openssl some years ago when trying to "understand how AES works"... openssl looked very confusing, and polarssl looked a bit straighter (but still very confusing and overcomplicated)... anyways, as far as I remember polarssl did support AES hardware acceleration, too. So both might be the same as long as you have a PC with AES-NI support (which seems to have been invented in 2010). For multi-core CPUs, I wonder if each core is having its own AES hardware? If not, then multi-threading won't actually speed up the calculations.

    Is that using an "optimized" SHA1 function? One older optimization mentioned here https://software.intel.com/en-us/articles/improving-the-performance-of-the-secure-hash-algorithm-1 uses general-purpose SSSE3 instructions (this should be also implemented in openssl). And newer intel processors should have extra opcodes SHA1RNDS4, SHA1NEXTE, SHA1MSG1/2 (not sure if/when/where that's supported; intel announced that stuff in 2013, but some other webpage mentioned it not being implemented until 2016, or so).
    And another (small) optimization would be appending the sha1-end-byte and sha1-padding-bytes to the CID, and then passing that directly to the 64-byte-sha1-core function (ie. avoiding the same padding being repeated on each calculation).

    I thought the MBR and DSi partitions are using the same encryption on 3DS? That should be somewhat required to be so for DSi backwards compatibility. The MBR may contain different/extra data on 3DS (so brute forcing may fail when searching for certain "fixed" values in the MBR).
    For the ConsoleID, I think the 3DS does have its own "3DS ID" (for whatever 3DS things), and a separate/crippled "DSi ID" (for DSi-style eMMC encryption). The latter one being reported to be 6B27D20002000000h on one n3DS console.
     
    Last edited by nocash123, Aug 24, 2017
    dragon_from_iso, JimmyZ and Coto like this.