1. marine5422

    marine5422 Advanced Member
    Newcomer

    Joined:
    Feb 8, 2007
    Messages:
    93
    Country:
    United States
    I have temporarily given up on brute-forcing the Console ID / eMMC CID.
    Last night I checked the emmc_cid brute-force, but I could not find the correct value within the 'known range'.

    Code:
    Checked Console ID range
    
    08A00-08A59
    08200-08249
    08000-08009
    08100-08109
    08300-08309
    08B00-08B19
    08C00-08C19
    08D00-08D19
    08E00-08E19
    08F00-08F19
    

    Code:
    twlbf_mbedtls console_id_bcd [Console ID range that I posted] 1D00000000034D303046504100001500 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
    twlbf_mbedtls emmc_cid [Console ID range that I posted] 1D00000000034D303046504100001500 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
    twlbf_mbedtls emmc_cid [Console ID range that I posted] 1D00000000034D303046504100001500 0000 30012DE8B6C8085D5A294EE0B3456210 00000000000000000000000000000000
    
    7 days' effort: NO RESULT

    I think this region has a quite different security layer or something.
    (In the Wii hacking era, the Korean Wii had a different common key, unlike the J/U/E regions; it was discovered later. Maybe the Korean DSi is the same.)

    So I just give up. If anyone is interested, I'll upload some samples here:

    eMMC NAND raw dump: *snip*
    (1.4.1K Korean DSi launch model.)

    NAND print: SAMSUNG 001 KMAPF0000M-S998 N258GA34
    (so the eMMC CID should be 1D xx xx xx xx + manufacturer code, but strangely it didn't match)



    And note that there is no way to get the CID/Console ID at end-user level without brute force.
    (No pre-installed or exportable DSiWare / no compatible DSi-enhanced/exploitable cartridge like The Biggest Loser)
     
    Last edited by porkiewpyne, May 9, 2018
  2. redunka

    redunka GBAtemp Fan
    Member

    Joined:
    Nov 26, 2014
    Messages:
    392
    Country:
    Russia
    Looks like the reason why you couldn't get anything, @marine5422, is because you've been using an incorrect command (or rather an incorrect tool) for brute-forcing the Console ID. :)
    Here's what it should've looked like (twlbf doesn't support brute-forcing two unknown IDs, so bfcl is required):
    Code:
    bfcl console_id_bcd [Console ID] [offset0] [src0] [verify0] [offset1] [src1] [verify1]
    So, in case of your dump it was:
    Code:
    bfcl console_id_bcd 0820100000000100 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa 0000 30012DE8B6C8085D5A294EE0B3456210 00000000000000000000000000000000
    Then you could've used the regular command for brute-forcing the eMMC CID (twlbf should also be enough here):
    Code:
    bfcl emmc_cid <full known Console ID here> 001f BED729A4F229B7BD16DD354A90FBC68C 000000000000000000000000000055aa
    Yes, I've grabbed your dump before the mods removed it, so I've actually managed to brute-force your Console ID and CID. :ph34r:
    Should I just post the full IDs here for you, or would you still like to try to get them yourself?
    I was going to PM you about it, but, apparently, you've restricted PMs from users. :blush:
     
    Last edited by redunka, May 9, 2018
    marine5422 likes this.
  3. redunka

    redunka GBAtemp Fan
    Member

    Joined:
    Nov 26, 2014
    Messages:
    392
    Country:
    Russia
    Okay, I guess nothing bad should happen if I post that Console ID and eMMC CID…
    Please, @marine5422, let me know if you don't want me to post them publicly, and I'll edit them. :blush:

    Console ID: 08201xxxxxxxx1xx

    eMMC CID:
    1Dxxxxxxxx034D303046504100001500

    I've already tried decrypting that NAND dump with them, they're indeed valid.

    Edit: I'm paranoid, so I edited them for now, I'll send you the full ones via PM, I'm really sorry for the inconvenience.
     
    Last edited by redunka, May 9, 2018
    marine5422 likes this.
  4. marine5422

    marine5422 Advanced Member
    Newcomer

    Joined:
    Feb 8, 2007
    Messages:
    93
    Country:
    United States


    Uh... Wow... I didn't know that...

    Only bfcl supports brute-forcing them both...?

    I feel like a jerk. :P

    Anyway, thanks for sharing the info. (And I didn't know I had restricted the PM function. Thanks for notifying me. :) )
    And I think it's just okay to share some of the info that's already posted (of course not all of it).
     
    redunka likes this.
  5. Cmdutka86

    Cmdutka86 Member
    Newcomer

    Joined:
    Jul 12, 2015
    Messages:
    14
    Country:
    Can anyone help me with brute-forcing my eMMC ID? I think I'm in over my head.

    I have my NAND dumped via hardmod and managed to get my Console ID by extracting it from DSiWare.

    However, this command line stuff is beyond me. I have tried to work out how to do it myself and have got nowhere.

    I've been using the following command

    twlbf emmc_cid [Console ID] [EMMC CID] [offset] [src] [verify]

    But nothing happens when I attempt to fill it in with what I assume are the correct values from my NAND dump etc. and press enter.

    When I click the .exe itself it says I'm missing a .DLL file. After googling I found it was an OpenSSL file. I've checked my OpenSSL directory and the file is there, so where do I need to put this file for it to work?

    If/when I get past that obstacle, can someone confirm for me what offset, src and verify are, and where I should be getting these values from?

    Also, should I put anything in the [eMMC ID] section?

    Apologies if this makes no sense, I am trying.
    Thanks in advance.
     
    chronoss likes this.
  6. manu_jedi

    manu_jedi Newbie
    Newcomer

    Joined:
    May 19, 2018
    Messages:
    5
    Country:
    Austria
    DSi XL, E, Dark Brown
    Console ID: 08201....1XX

    NAND chip is
    SAMSUNG 946 KMAPF0000M-S998
    bc00000000034d303046504100001500

    PM me if you want the nand dump
     

    Antonio2311 likes this.
  7. MrPresident

    MrPresident Newbie
    Newcomer

    Joined:
    Apr 11, 2018
    Messages:
    6
    Country:
    Italy
    DSi EU white
    ConsoleID: 08A21...1XX
    CID: 1C3C061860034D303046504100001500
    NAND chip: Samsung KMAPF0000M-S998
     
  8. ahezard

    ahezard GBAtemp Regular
    Member

    Joined:
    Feb 17, 2016
    Messages:
    115
    Country:
    France
    IS-TWL-DEBUGGER (dev dsi, any region)
    ConsoleID: 08A21...1XX
    CID: 2c35911670034d303046504100001500

    DSI XL JPN green
    ConsoleID: 08201...1XX
    CID: 4D400715D0034D303046504100001500
     
    Last edited by ahezard, May 23, 2018
  9. Antonio2311

    Antonio2311 Member
    Newcomer

    Joined:
    Feb 16, 2017
    Messages:
    38
    Country:
    Mexico
    Ok, so I got a public NAND dump in MMC format and I don't know the Console ID or CID or anything; can this help me decrypt it?
     
    Last edited by Antonio2311, May 28, 2018
  10. ahezard

    ahezard GBAtemp Regular
    Member

    Joined:
    Feb 17, 2016
    Messages:
    115
    Country:
    France
    bfCL is able to brute-force both the Console ID and CID even if you do not have either of them. It is pretty fast but requires an OpenCL-compatible GPU.
    https://github.com/Jimmy-Z/bfCL/releases
     
    Antonio2311 and chronoss like this.
  11. chronoss

    chronoss GBAtemp Addict
    Member

    Joined:
    May 26, 2015
    Messages:
    2,469
    Country:
    Congo, Republic of the
    And how do you do it, please?
     
  12. ahezard

    ahezard GBAtemp Regular
    Member

    Joined:
    Feb 17, 2016
    Messages:
    115
    Country:
    France
    For the console ID, here is the command I used for a DSi XL:
    bfcl.exe console_id_bcd 0820100000000100 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa 0000 6E1CF232319C287CD4D7BBC45BDF9166 00000000000000000000000000000000

    0820100000000100 worked for a DSi XL, but you may have to modify the first 5 digits (see first post).
    076F005F6FEF14234015FBB77BA43AC8 are the hexadecimal bytes between 1F0 and 200 of my NAND dump; replace with yours.
    6E1CF232319C287CD4D7BBC45BDF9166 are the hexadecimal bytes between 000 and 010 of my NAND dump; replace with yours.

    For the CID I used this command:
    bfcl.exe emmc_cid [console id you just got] 2c00000000034d303046504100001500 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa
    2c00000000034d303046504100001500 worked for a DSi XL, but you may have to modify the first 2 digits (see first post).
     
    Last edited by ahezard, May 28, 2018
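    The step chronoss asks about a few posts further on (where the hex numbers come from) is a manual hex-editor job in the thread. As an added example, here is a small Python helper of my own (not part of bfCL or twlbf) that reads sector 0 of a raw NAND dump, pulls out the 16-byte blocks at 1F0-200 and 000-010, and assembles the bfcl lines in the argument order posted above. The rule that the offset argument is the byte offset divided by 16 written as four hex digits (so 1F0 becomes 001f), and the check that a sector already ending in 55 AA is probably not encrypted, are both inferred from the posted commands rather than from tool documentation; the sample sector is constructed, not a real dump.

```python
"""Added helper (not bfCL/twlbf code): extract src0/src1 from a raw DSi eMMC
NAND dump and build the bfcl command lines used in this thread.

Assumptions, inferred from the posted commands:
  - src0 = 16 bytes at 0x1F0-0x200, passed with offset "001f";
    src1 = 16 bytes at 0x000-0x010, passed with offset "0000";
    i.e. the offset argument is byte_offset / 16 as four hex digits.
  - verify0/verify1 are the expected plaintext blocks exactly as posted
    (00..00 55 AA at the end of sector 0, all zeros at its start).
"""
import re

SECTOR_SIZE = 512
BLOCK = 16
SRC0_BYTE_OFFSET = 0x1F0
SRC1_BYTE_OFFSET = 0x000
VERIFY0 = "000000000000000000000000000055aa"
VERIFY1 = "00000000000000000000000000000000"
HEX16 = re.compile(r"^[0-9A-Fa-f]{16}$")   # Console ID or its mask
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")   # eMMC CID or its mask


def sample_sector0() -> bytes:
    """Constructed stand-in for the first 512 bytes of a dump (not real data)."""
    return bytes(range(256)) * 2


def read_sector0(path: str) -> bytes:
    """Read sector 0 of a real dump file; nothing beyond it is needed here."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def block_offset_arg(byte_offset: int) -> str:
    """Byte offset -> 4-hex-digit block offset the tools take (0x1F0 -> '001f')."""
    if byte_offset % BLOCK:
        raise ValueError("offset must be 16-byte aligned")
    return f"{byte_offset // BLOCK:04x}"


def extract_sources(sector0: bytes) -> dict:
    """Return src0/src1 as upper-case hex with their offset and verify arguments."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least the first 512 bytes of the dump")
    src0 = sector0[SRC0_BYTE_OFFSET:SRC0_BYTE_OFFSET + BLOCK].hex().upper()
    src1 = sector0[SRC1_BYTE_OFFSET:SRC1_BYTE_OFFSET + BLOCK].hex().upper()
    return {
        "offset0": block_offset_arg(SRC0_BYTE_OFFSET), "src0": src0, "verify0": VERIFY0,
        "offset1": block_offset_arg(SRC1_BYTE_OFFSET), "src1": src1, "verify1": VERIFY1,
    }


def looks_already_decrypted(sector0: bytes) -> bool:
    """Assumption: the tools verify against 55 AA at the end of sector 0, so if
    the raw dump already ends that way it is plaintext and needs no brute force."""
    return sector0[0x1FE:0x200] == b"\x55\xAA"


def console_id_command(mask: str, sector0: bytes) -> str:
    """bfcl console_id_bcd line in the argument order posted by redunka/ahezard."""
    if not HEX16.match(mask):
        raise ValueError("Console ID mask must be 16 hex digits")
    p = extract_sources(sector0)
    return " ".join(["bfcl", "console_id_bcd", mask,
                     p["offset0"], p["src0"], p["verify0"],
                     p["offset1"], p["src1"], p["verify1"]])


def emmc_cid_command(console_id: str, cid_mask: str, sector0: bytes) -> str:
    """bfcl emmc_cid line in the argument order posted by ahezard."""
    if not HEX16.match(console_id):
        raise ValueError("Console ID must be 16 hex digits")
    if not HEX32.match(cid_mask):
        raise ValueError("eMMC CID mask must be 32 hex digits")
    p = extract_sources(sector0)
    return " ".join(["bfcl", "emmc_cid", console_id, cid_mask,
                     p["offset0"], p["src0"], p["verify0"]])


if __name__ == "__main__":
    s0 = sample_sector0()   # for a real dump: s0 = read_sector0("nand.bin")
    if looks_already_decrypted(s0):
        print("sector 0 already ends in 55 AA; this dump looks decrypted")
    print(console_id_command("0820100000000100", s0))
    print(emmc_cid_command("0820100000000100", "2c00000000034d303046504100001500", s0))
```

    Swap `sample_sector0()` for `read_sector0("your_dump.bin")` and the two printed lines are the commands to paste, with the mask digits adjusted per the first post. The masks are validated for length and hex characters only; the tools themselves decide whether a mask is in the right range.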
  13. ahezard

    ahezard GBAtemp Regular
    Member

    Joined:
    Feb 17, 2016
    Messages:
    115
    Country:
    France
    For the CID I used this command:
    bfcl.exe emmc_cid [console id you just got] 2c00000000034d303046504100001500 001f 076F005F6FEF14234015FBB77BA43AC8 000000000000000000000000000055aa
    2c00000000034d303046504100001500 worked for a DSi XL, but you may have to modify the first 2 digits (see first post).
     
    chronoss likes this.
  14. chronoss

    chronoss GBAtemp Addict
    Member

    Joined:
    May 26, 2015
    Messages:
    2,469
    Country:
    Congo, Republic of the
    How do I get these hex numbers?
     
  15. MrPresident

    MrPresident Newbie
    Newcomer

    Joined:
    Apr 11, 2018
    Messages:
    6
    Country:
    Italy
    You need any HEX editor like HxD.
     
    chronoss likes this.
  16. chronoss

    chronoss GBAtemp Addict
    Member

    Joined:
    May 26, 2015
    Messages:
    2,469
    Country:
    Congo, Republic of the
    Ok, great, thanks!
     
  17. chronoss

    chronoss GBAtemp Addict
    Member

    Joined:
    May 26, 2015
    Messages:
    2,469
    Country:
    Congo, Republic of the
    Is it normal?
     
  18. ahezard

    ahezard GBAtemp Regular
    Member

    Joined:
    Feb 17, 2016
    Messages:
    115
    Country:
    France
    You need to tune the console ID mask. In your case I got a match with 08204. Here is your console ID: 0820467219089125
    The command I used : bfcl.exe console_id_bcd 0820400000000100 001f 3F7EF9F4866458C4A9786FDD6E440DF9 000000000000000000000000000055aa 0000 51F5D50B04B4F103CDB12F4EF64007E5 00000000000000000000000000000000
     
    chronoss likes this.
  19. chronoss

    chronoss GBAtemp Addict
    Member

    Joined:
    May 26, 2015
    Messages:
    2,469
    Country:
    Congo, Republic of the
    I ran the same command but it's stuck at the same screen... And yes, the console ID is "0820467219089125".

    What must the NAND be named?
     
  20. MrPresident

    MrPresident Newbie
    Newcomer

    Joined:
    Apr 11, 2018
    Messages:
    6
    Country:
    Italy
    It does not read from the NAND. It's based on the offsets.
     
    chronoss likes this.