TWLbf - a tool to brute force DSi Console ID or EMMC CID

I just temporary give up for brute forcing the Console ID / EMMC CID.
Last night, check the emmc_cid brute-force, but I can not found correct value within 'Known range'.

Code:

Checked Console ID range

08A00-08A59
08200-08249
08000-08009
08100-08109
08300-08309
08B00-08B19
08C00-08C19
08D00-08D19
08E00-08E19
08F00-08F19

Code:

twlbf_mbedtls console_id_bcd [Console ID range that I posted] 1D00000000034D303046504100001500 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
twlbf_mbedtls emmc_cid [Console ID range that I posted] 1D00000000034D303046504100001500 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
twlbf_mbedtls emmc_cid [Console ID range that I posted] 1D00000000034D303046504100001500 0000 30012DE8B6C8085D5A294EE0B3456210 00000000000000000000000000000000

7 days effort: NO RESULT

I think this region has quite different security layer or somewhat.
(in the Wii hacking-era, korean wii has a different common-key, unlike the J/U/E region. it was discovered later, Maybe Korean DSi is same.)

So I just give up. If anyone interested in, I'll upload some sample here:

eMMC NAND raw dump: *snip*
(1.4.1K korean dsi launch model.)

NAND print: SAMSUNG 001 KMAPF0000M-S998 N258GA34
(so emmc cid should be 1D xx xx xx xx + manufacture code, but somewhat strangly it didn't match)



And note that, there is no way to get CID/Console ID from end-user level without brute-force.
(No pre-installed or exportable Dsiware / No compatible dsi-enhanced/exploitable cartridge like the The Biggest Loser)

 

Looks like the reason why you couldn't get anything, @marine5422, is because you've been using incorrect command (or rather incorrect tool) for bruteforcing Console ID.
Here's what it should've looked like (twlbf doesn't support bruteforcing two unknown ID's, so bfcl is required):

Code:

bfcl console_id_bcd [Console ID] [offset0] [src0] [verify0] [offset1] [src1] [verify1]

So, in case of your dump it was:

Code:

bfcl console_id_bcd 0820100000000100 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa 0000 30012DE8B6C8085D5A294EE0B3456210 00000000000000000000000000000000

Then you could've used regular command for bruteforcing eMMC CID (twlbf also should be enough here):

Code:

bfcl emmc_cid <full known Console ID here> 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa

Yes, I've grabbed your dump before mods removed it, so I've actually managed to brurteforce your Console ID and CID.
Should I just post full ID's here for you, or would you still like to try to get them yourself?
I was going to PM you about it, but ,apparently, you've restricted PM's from users.

 

Okay, I guess nothing bad should happen if I post those Console ID and eMMC CID…
Please, @marine5422, let me know if you don't want me to post them publicly, and I'll edit them.

Console ID: 08201xxxxxxxx1xx

eMMC CID: 1Dxxxxxxxx034D303046504100001500

I've already tried decrypting that NAND dump with them, they're indeed valid.

Edit: I'm paranoid, so I edited them for now, I'll send you the full ones via PM, I'm really sorry for the inconvenience.

 

Uh.... ... Wow... I didn't know that...

Only the bfcl support brute-force them both...?

I feel as a jerk.

Anyway, Thank for share info. (And I didn't know that restricted the PM function. Thanks for notify. )
And I think that it just okay to share some of info that already posted (of course not all of them).

 

Can any one help me with brute forcing my eMMC ID. I think I'm in over my head

I have my nand dumped via Hardmod and managed to get my Console ID by extracting it from dsiware.

However this command line stuff is beyond me . I have tried to work out how to do it myself and have got nowhere.

I've been using the following command

twlbf emmc_cid [Console ID] [EMMC CID] [offset] [src] [verify]

But nothing happens when I attempted to fill it in with what I assume are the correct values from my nand dumped etc and press enter.

When I click the .exe itself it says I'm missing a .DLL file. After googling I found it was an OpenSSL file. I've checked my OpenSSL directory and the file is there so where do I need to put this file for it to work?

If/when IIget past that obstacle can someone confirm for me what is offset? Src? Verify? And where I should be getting these values from.

Also should I put anything in the [eMMC ID] section.

Apologies if this makes no sense I am trying.
Thanks in advance .

 

DSi XL, E, Dark Brown
Console ID: 08201....1XX

NAND chip is
SAMSUNG 946 KMAPF0000M-S998
bc00000000034d303046504100001500

PM me if you want the nand dump

 

DSi EU white
ConsoleID: 08A21...1XX
CID: 1C3C061860034D303046504100001500
NAND chip: Samsung KMAPF0000M-S998

 

IS-TWL-DEBUGGER (dev dsi, any region)
ConsoleID: 08A21...1XX
CID: 2c35911670034d303046504100001500

DSI XL JPN green
ConsoleID: 08201...1XX
CID: 4D400715D0034D303046504100001500

 

Ok so I got a public NAND dump in MMC format and I don't know the Console ID nor CID or anything, can this help me to decrypt it?

 

bfCL is able to brute force both ConsoleID and CID even if you do not have one of them. It is pretty fast but requires an opencl compatible gpu.
https://github.com/Jimmy-Z/bfCL/releases

 

And how to do please ?

 

For the console id, here is the command I used for a dsi XL :
bfcl.exe console_id_bcd 0820100000000100 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa 0000 6E1CF232319C287CD4D7BBC45BDF9166 00000000000000000000000000000000

0820100000000100 worked for a dsi xl but you may have to modify the 5 first digit (see first post)
076F005F6FEF14234015FBB77BA43AC8 are the hexadecimal bytes between 1F0 and 200 of my nand dump, replace with yours
6E1CF232319C287CD4D7BBC45BDF9166 are the hexadecimal bytes between 000 and 010 of my nand dump, replace with yours

For the CID I used this command :
bfcl.exe emmc_cid [console id you just got] 2c00000000034d303046504100001500 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa
2c00000000034d303046504100001500 worked for a dsi xl but you may have to modify the first 2 digits (see first post)

 

For the CID I used this command :
bfcl.exe emmc_cid [console id you just got] 2c00000000034d303046504100001500 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa
2c00000000034d303046504100001500 worked for a dsi xl but you may have to modify the first 2 digits (see first post)

 

How to get these hexa number ?

 

You need any HEX editor like HxD.

 

Ok great, thanks !

 

Is it normal ?

 

You need to tune the console ID mask, In your case I got a match with 08204. Here is your console ID : 0820467219089125
The command I used : bfcl.exe console_id_bcd 0820400000000100 001f 3F7EF9F4866458C4A9786FDD6E440DF9 000000000000000000000000000055aa 0000 51F5D50B04B4F103CDB12F4EF64007E5 00000000000000000000000000000000

 

I make the same command but it stuck a the same screen... And yes, it's the console ID "0820467219089125"

The nand must be named how ?

 

It does not read from NAND. It's based on the offsets