Source code and (a little) documentation on GitHub:
https://github.com/Jimmy-Z/TWLbf/
Windows binary download:
https://github.com/Jimmy-Z/TWLbf/releases
https://github.com/Jimmy-Z/bfCL/releases OpenCL rewrite
You'll need a NAND dump and one of the IDs to be able to brute out the other one.
Update: with the brilliant idea from @dark_samus3, we are now able to brute with only the NAND dump, and the EMMC CID brute can be dramatically faster (this is only implemented in bfCL).
Previous discussions and how this tool started:
https://gbatemp.net/threads/any-hope-for-dsis-with-no-dsiware.481338/
Performance notes about different versions:
Some (old) test numbers:
TWLbf OpenSSL on i5-3450, single thread:
- 1924 seconds for Console ID 10 BCD digits, 5.2 M/s
- 914 seconds for Console ID 32 bits, 4.7 M/s
- 578 seconds for EMMC CID 32 bits, 7.4 M/s
- If you don't have a discrete GPU, you should use this for EMMC CID.
TWLbf mbed TLS on i5-3450, single thread:
- 745 seconds for Console ID 10 BCD digits, 13.4 M/s
- 323 seconds for Console ID 32 bits, 13.3 M/s
- 612 seconds for EMMC CID 32 bits, 7.0 M/s
- If you don't have a discrete GPU, you should use this for Console ID.
bfCL on AMD HD7950, all around 350 M/s:
- 29 seconds for Console ID 10 BCD digits
- 12 seconds for Console ID 32 bits
- 12 seconds for EMMC CID 32 bits
- If you have a good discrete GPU, you should use this one.
I also tested on an entry level card R7-250, around 90 M/s.
If you don't know whether your GPU is good enough to be useful, run bfCL without parameters (double-click it):
Code:
selected device Capeverde on platform AMD Accelerated Parallel Processing
AES Key: 0d0b8bd02564dd0351d7e415e6f23f36
randomize source buffer using RDRAND
0.616 seconds for preparing test data, 217.88 MB/s
0.593 seconds for OpenCL compiling
0.046 seconds for data upload, 2917.27 MB/s
# sha1_16_test on 128 MB
local work size: 256
0.036 seconds for OpenCL, 3770.37 MB/s
0.029 seconds for data download, 4551.45 MB/s
1.046 seconds for reference C(single thread), 128.31 MB/s
sha1_16_test: succeed
# aes_128_ecb_test on 128 MB
local work size: 256
0.097 seconds for OpenCL, 1385.86 MB/s
0.015 seconds for data download, 9205.61 MB/s
0.867 seconds for reference C(single thread), 154.87 MB/s
aes_128_ecb_test: succeed
Press any key to continue . . .
Look at the sha1_16/aes_128_ecb test numbers: basically, if OpenCL speed > C speed * (your CPU's thread capability), it outperforms your CPU.
TWLbf runs a single thread, so you should run multiple instances according to your CPU's thread capability and how many templates you want to try. For example, if you want to brute the Console ID for a DSi XL on a Core i3 or higher, you should run 4 instances of TWLbf mbed TLS, each targeting one of 08201, 08202, 08203 and 08204. That should be done in about 15 minutes.
bfCL, on the other hand, always saturates the best GPU in your system, so you shouldn't run multiple instances, and if your GPU is weak, the system becomes unresponsive while bfCL is running. Worst case, if your GPU fan can't handle the heat, your system may hang. That's especially true for entry-level GPUs like the R7-250 I tested: if the work is done in about ten seconds, it works; longer than that, the system hangs.
Call for share/document:
This tool can't brute force blindly. After all, the Console ID is 64 bits and the EMMC CID is 120 bits, so we need some pre-knowledge about them to make the brute forcing viable. If more people could collaborate on this, we could make this tool more useful.
However, sharing those IDs directly might be risky, so specifically, I (we) want to know:
- for Console ID:
  - the first 5 digits
    - if you're not comfortable sharing, at least tell us if it's on the list already
  - is the 14th (3rd from the right) digit "1"?
  - are all the other digits in the 0~9 range (no a~f hex digits)?
- for EMMC CID:
  - the 1st byte (2 digits)
    - this is supposedly a Month/Year date code of the EMMC chip
  - 10 bytes skipping the first 5 bytes (or 20 digits skipping the first 10 digits)
    - this is supposedly a Manufacturer/Product code
    - again, if you're not comfortable sharing, tell us if it's on the list
  - photo or transcript of the EMMC chip label if possible.
- model of the corresponding unit: DSi or DSi XL/LL, E or U or J
- if you have strange cases (ones that violate the rules above), and if you don't mind, PM me the entire Console ID + EMMC ID + first 512 bytes of the NAND/EMMC dump for me to test this tool.
Current list:
Console ID first 5 digits. So far the rest are always in BCD range, and the 14th digit is always "1".
Code:
08A15
DSi, from GBATEK
unknown
08A16
DSi, J, report from windwakr
08A18
DSi, U, Black, report from leratrad
DSi, U, Black, report from hutiu
08A19
DSi, U, Black, report dark_samus3(also noted in GBATEK)
DSi, U, Black, report from Abequinn
08A20
DSi, from GBATEK
08A21
DSi, U, Cyan, report from wsquan171
DSi, U, Light Blue, report from FFT.
08201
DSi XL, from GBATEK
DSi, U, Metallic Blue, report from friendsxix
DSi, U, White, report from friendsxix
DSi XL, U, Burgundy, report from friendsxix
DSi XL, U, Burgundy, report from kittensauce
DSi, E, Metallic Blue, report from Oleboy555
DSi XL, E, Dark Brown, report from FFT
DSi XL, U, Burgundy, report from Abequinn
08202
DSi XL, E, Blue and Black?, mine
DSi XL, U, Red, report from enderghast13
DSi XL, U, Burgundy, report from hutiu
08203
DSi XL, U, report from Apache Thunder
08204
DSi, U, Pink, report from Apache Thunder
DSi XL, U, Blue, report from enderghast13
DSi, U, Light Blue, report from MassExplosion213
EMMC CID: 1 byte month/year date code + 10 bytes manufacturer/product code; the last byte is always 00 according to GBATEK.
Open your DSi (XL/LL) and read the EMMC label:
- MY code can be translated from the 3 digits after "SAMSUNG", for example:
  - CC, DSi XL, U, Burgundy, report from kittensauce, SAMSUNG 949 KMAPF0000M-S998 N24N5GJB, I guess 949 means 2009 49th week, so 49th week -> December -> Month code C, 2009 -> Year code C.
- chip model to manufacturer/product code:
  - KMAPF0000M -> 03 4D 30 30 46 50 41 00 00 15 00
  - KLM5617EFW -> 32 57 37 31 36 35 4D 00 01 15 00
Code:
MY ss ss ss ss 03 4D 30 30 46 50 41 00 00 15 00
unknown, DSi, from GBATEK, KMAPF0000M-S998
AB, DSi, U, Black, report from dark_samus3(also noted in GBATEK)
BB, DSi, U, Black, report from leratrad
2C, DSi, U, Cyan, MY: 2C, report from wsquan171
3C, DSi, U, Black, report from kittensauce
9C, DSi, E, Metallic Blue, report from Oleboy555
CC, DSi XL, U, Burgundy, report from kittensauce, SAMSUNG 949 KMAPF0000M-S998 N24N5GJB
5d, DSi XL, E, Dark Brown, report from FFT
5c, DSi, U, Light Blue, report from FFT
BB, DSi, U, Black, report from hutiu, SAMSUNG 846 KMAPF0000M-S998 N1GUTMC3
bc, DSi XL, U, Burgundy, report from Abequinn, SAMSUNG 946 KMAPF0000M-S998 N23A3MF6
bb, DSi, U, Black, report from Abequinn, SAMSUNG 846 KMAPF0000M-S998 N1HW8MC2
MY ss ss ss ss 32 57 37 31 36 35 4D 00 01 15 00
unknown, DSi, from GBATEK, KLM5617EFW-B301
3E, DSi XL, U, Blue, report from enderghast13
6E, DSi, U, Light Blue, report from MassExplosion213
9D, DSi XL, U, Burgundy, report from hutiu
Thanks:
- Martin Korth(@nocash123) for GBATEK
- @WulfyStylez/WinterMute for TWLTool
- mbed TLS and OpenSSL
- everyone who shared their Console IDs and EMMC CIDs with us!
- and special thanks to @kittensauce and @WiiHomebrew+Snes
Last edited by JimmyZ,
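An added example, not part of the original post or of TWLbf/bfCL: it turns an EMMC label into CID templates using the post's label-to-MY guess and product-code list, and estimates worst-case run time from the quoted rates. It assumes the three-digit label code is a year digit plus an ISO week number; the function names are hypothetical.

```python
import datetime
import re

# Chip model -> the 11 CID bytes after the unknown "ss" bytes, copied from the post.
PRODUCT_CODES = {
    "KMAPF0000M": "03 4D 30 30 46 50 41 00 00 15 00",
    "KLM5617EFW": "32 57 37 31 36 35 4D 00 01 15 00",
}

def my_candidates(date_code):
    """Label date code 'YWW' -> candidate MY bytes (month nibble, year nibble)."""
    digit, week = int(date_code[0]), int(date_code[1:])
    # Assumption: digits 8-9 mean 2008-2009, digits 0-2 mean 2010-2012.
    if 3 <= digit <= 7:
        raise ValueError("year digit outside the assumed 2008-2012 range")
    year = 2000 + digit if digit >= 8 else 2010 + digit
    # Assumption: WW is an ISO week, which can straddle two months (or years).
    days = (datetime.date.fromisocalendar(year, week, d) for d in range(1, 8))
    pairs = sorted({(d.year, d.month) for d in days})
    # Year nibble is the offset from 1997; this matches BB=2008 and CC=2009 above.
    return ["%X%X" % (m, y - 1997) for y, m in pairs]

def cid_templates(label):
    """'SAMSUNG 949 KMAPF0000M-S998 ...' -> one CID template per MY candidate."""
    found = re.match(r"SAMSUNG (\d{3}) ([A-Z0-9]+)-", label)
    if not found or found.group(2) not in PRODUCT_CODES:
        raise ValueError("label not covered by the post's list: %r" % label)
    tail = PRODUCT_CODES[found.group(2)]
    return ["%s ss ss ss ss %s" % (my, tail) for my in my_candidates(found.group(1))]

def worst_case_seconds(search_space, rate_mps):
    """Time to exhaust a search space at a rate given in M/s."""
    return search_space / (rate_mps * 1e6)

if __name__ == "__main__":
    # Label taken from the post's list.
    label = "SAMSUNG 949 KMAPF0000M-S998 N24N5GJB"
    templates = cid_templates(label)
    for t in templates:
        print(t)
    space = len(templates) * 2 ** 32       # 4 unknown bytes per template
    for name, rate in (("TWLbf OpenSSL", 7.4), ("bfCL HD7950", 350)):
        print("%-14s %6.0f s" % (name, worst_case_seconds(space, rate)))
```

Week 49 of 2009 runs from 30 November to 6 December, so the label yields two MY candidates (BC and CC), and the reported value CC is one of them.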