Homebrew TWLbf - a tool to brute force DSi Console ID or EMMC CID

nouvelle_adr

Nice to meet you, Koksi_90! :)

I tried what you gave me, and I have the same error :(

D:\04_DRIVERS\NDS\DSi\DSi Downgrade Package\Bruteforce>bfcl console_id_bcd 08A2000000000100 001f F1D626055FADB6D8DC3E7982D02F52F3 000000000000000000000000000055aa 0000 DBA820FD71C21F83F0C4E5E9C5BE7B66 00000000000000000000000000000000
ocl_assert: ocl_util.c, function ocl_get_device_info, line 78
clGetDeviceInfo(device_id, param_name, 0, NULL, &size)
error: invalid value
 

AnKi

Hi folks,

I want to collaborate (if still needed) with this awesome tool by giving the first numbers from my Console ID; it is a White Non-XL Japanese DSi
08A18

EDIT:
Well, after all I went through some trouble, but I successfully decrypted my Black DSi's dump thanks to this bruteforce tool (I was putting the CID where the ConsoleID should be when going to decrypt, and that's why it failed, dumb me)
I want to thank JimmyZ for this tool and everyone in the comments who helped
My black DSi's ConsoleID starts with
08A16

AnKi
 
Reactions: JimmyZ

Subnormalwater

European DSi Black

Code:
NAND 1f0-200
E94B49C4CC3D63ABB1707E42D99E82C4

NAND 000-010
632A82119A6C2B536A056AF1AF81F3D7

console ID
08a2012608105101

CID
4c38b5012a034d303046504100001500

Just a help for newbies like me - I literally lost 45m reading all the thread to get an example of code to use, please add this or a better example code on first page: (thanks a lot ahezard almost quoting you, page 9 #172)

Code:
bfcl.exe console_id_bcd [5_digits_from_1st_post(example:08A20)]00000000100 001f [NAND_hex_from_1F0_to_200] 000000000000000000000000000055aa 0000 [NAND_hex_from_000_to_010] 00000000000000000000000000000000

bfcl.exe emmc_cid [console_id_you_just_got] [2_digits_from_1st_post(example:4c)]00000000034d303046504100001500 001f [NAND_hex_from_1F0_to_200] 000000000000000000000000000055aa

in my case it was:

Code:
bfcl.exe console_id_bcd 08A2000000000100 001f E94B49C4CC3D63ABB1707E42D99E82C4 000000000000000000000000000055aa 0000 632A82119A6C2B536A056AF1AF81F3D7 00000000000000000000000000000000

bfcl.exe emmc_cid 08a2012608105101 4c00000000034d303046504100001500 001f E94B49C4CC3D63ABB1707E42D99E82C4 000000000000000000000000000055aa

I have to thank my R9 290X, it took less than 5m to bruteforce both :toot:
My GPU stats on bfcl:
Code:
selected device Hawaii on platform AMD Accelerated Parallel Processing
mbed TLS 2.6.0, AES-NI supported
AES Key: 0d0b8bd02564dd0351d7e415e6f23f36
randomize source buffer using RDRAND
1.468 seconds for preparing test data, 91.45 MB/s
0.848 seconds for OpenCL compiling
0.021 seconds for data upload, 6413.00 MB/s
# sha1_16_test on 128 MB
local work size: 256
0.010 seconds for OpenCL, 13075.28 MB/s
0.030 seconds for data download, 4432.85 MB/s
0.705 seconds for reference C(single thread), 190.30 MB/s
sha1_16_test: verification failed
# aes_enc_128_test on 128 MB
local work size: 256
0.013 seconds for OpenCL, 10281.73 MB/s
0.015 seconds for data download, 9227.76 MB/s
0.286 seconds for reference C(single thread), 468.95 MB/s
aes_enc_128_test: succeed
# aes_dec_128_test on 128 MB
local work size: 256
0.015 seconds for OpenCL, 9231.57 MB/s
0.015 seconds for data download, 8974.17 MB/s
aes_dec_128_test: succeed
 
Reactions: t3rminus and JimmyZ
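
Added example, not part of the original post and not code from the TWLbf project: a small Python helper that fills in the two command templates from the post above using the first 0x200 bytes of a NAND dump, and rejects a Console ID and CID passed in each other's place (the mix-up AnKi describes earlier in the thread). The function names and the constructed `SAMPLE` buffer are assumptions made for this example; the fixed fields are copied verbatim from the post's template.

```python
import re

# Fixed fields copied verbatim from the command template in the post above.
TAIL_1F0 = "000000000000000000000000000055aa"
TAIL_000 = "00000000000000000000000000000000"

def _hex(value, digits, name):
    """Return value if it is exactly `digits` hex characters, else raise."""
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % digits, value):
        raise ValueError(f"{name} must be {digits} hex digits, got {value!r}")
    return value

def nand_windows(dump):
    """Hex of NAND bytes 0x000-0x010 and 0x1F0-0x200, as the template expects."""
    if len(dump) < 0x200:
        raise ValueError("need at least the first 0x200 bytes of the NAND dump")
    return dump[0x000:0x010].hex().upper(), dump[0x1F0:0x200].hex().upper()

def console_id_cmd(prefix5, dump):
    """Build the console_id_bcd command from the 5-digit prefix and the dump."""
    w000, w1f0 = nand_windows(dump)
    start = _hex(prefix5, 5, "console ID prefix") + "00000000100"
    return (f"bfcl.exe console_id_bcd {start} 001f {w1f0} {TAIL_1F0} "
            f"0000 {w000} {TAIL_000}")

def emmc_cid_cmd(console_id, cid_template, dump):
    """Build the emmc_cid command; the CID template is chip-specific."""
    _, w1f0 = nand_windows(dump)
    # Console ID is 16 hex digits, CID is 32: swapping the two fails here.
    _hex(console_id, 16, "console ID")
    _hex(cid_template, 32, "CID template")
    return (f"bfcl.exe emmc_cid {console_id} {cid_template} "
            f"001f {w1f0} {TAIL_1F0}")

# Constructed 0x200-byte sample holding the two windows posted above;
# the bytes in between are zero filler, not real NAND content.
SAMPLE = (bytes.fromhex("632A82119A6C2B536A056AF1AF81F3D7") + bytes(0x1E0)
          + bytes.fromhex("E94B49C4CC3D63ABB1707E42D99E82C4"))

if __name__ == "__main__":
    print(console_id_cmd("08A20", SAMPLE))
    print(emmc_cid_cmd("08a2012608105101",
                       "4c00000000034d303046504100001500", SAMPLE))
```

With a real dump, pass the bytes read from the start of the NAND image file in place of `SAMPLE`.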

JimmyZ

OP
Good to hear it works for you.

If anyone would like to help with the documentation, feel free to send me a pull request on GitHub.

Reactions: Subnormalwater

Subnormalwater

Super duper important message here:

If you get Error 483 in Win32DiskImager while trying to write, don't be mad. I lost all last night figuring it out: you just have to set the little plastic tab on the SD to "unlock" it; if you removed it, put it back on

You can also check your NAND by using NO$GBA and some DSi BIOS files that you won't be able to find searching for DSi firmware files on Google - guide: threads/gbatemp-dsi-modding-help-thread-and-guide.481118/
 

nouvelle_adr

Hi, it's me again :)
I am at the step: NAND test by No$GBA
When I loaded my NAND the first time, I didn't see Sudoku installed; I only saw a few basic apps

==> but now solved thanks to Koksi_90 (just because of some files to update)
 

froggestspirit

I got a light blue DSi U that Ahezard cracked for me, the beginning bytes were 08A24 (Which I thought would be out of range)
Also just cracked my black DSi U, with 08A21.
 

nouvelle_adr

Hello,
The bfcl command gives me an error, so I used the twlbf_mbedtls command. Then I tried to bruteforce my DSi with the following command (with affinity 1, 2, 4 and 8), but at the end it doesn't give a CID! Is it written in a specific file? Or does it mean that this bruteforce doesn't find any result?

Here is my bruteforce command and its output:

D:\DSi\00_Bruteforce TWLbf>@echo off
start /b /belownormal /affinity 1 twlbf_mbedtls console_id_bcd 0820100000000000 6C6778e02d034d303046504100001500 001f CC95DCE8D1FA893F65D5125AE0F357B6 000000000000000000000000000055aa
start /b /belownormal /affinity 2 twlbf_mbedtls console_id_bcd 0820200000000000 6C6778e02d034d303046504100001500 001f CC95DCE8D1FA893F65D5125AE0F357B6 000000000000000000000000000055aa
start /b /belownormal /affinity 4 twlbf_mbedtls console_id_bcd 0820300000000000 6C6778e02d034d303046504100001500 001f CC95DCE8D1FA893F65D5125AE0F357B6 000000000000000000000000000055aa
start /b /belownormal /affinity 8 twlbf_mbedtls console_id_bcd 0820400000000000 6C6778e02d034d303046504100001500 001f CC95DCE8D1FA893F65D5125AE0F357B6 000000000000000000000000000055aa
mbed TLS 2.5.1, AES-NI supported
testing 082010???????1??
@Echo on

D:\DSi\00_Bruteforce TWLbf>
D:\DSi\00_Bruteforce TWLbf>mbed TLS 2.5.1, AES-NI supported
testing 082020???????1??
mbed TLS 2.5.1, AES-NI supported
testing 082030???????1??
mbed TLS 2.5.1, AES-NI supported
testing 082040???????1??
testing 082031???????1??
testing 082041???????1??
testing 082021???????1??
testing 082011???????1??
testing 082042???????1??
testing 082032???????1??
testing 082022???????1??
testing 082012???????1??
testing 082043???????1??
testing 082033???????1??
testing 082023???????1??
testing 082013???????1??
testing 082044???????1??
testing 082034???????1??
testing 082024???????1??
testing 082014???????1??
testing 082045???????1??
testing 082035???????1??
testing 082025???????1??
testing 082015???????1??
testing 082046???????1??
testing 082036???????1??
testing 082026???????1??
testing 082016???????1??
testing 082047???????1??
testing 082037???????1??
testing 082027???????1??
testing 082017???????1??
testing 082048???????1??
testing 082038???????1??
testing 082028???????1??
testing 082018???????1??
testing 082049???????1??
testing 082039???????1??
testing 082029???????1??
testing 082019???????1??
721.00 seconds, 13.87 M/s
Appuyez sur une touche pour continuer... 723.00 seconds, 13.83 M/s
Appuyez sur une touche pour continuer... 730.00 seconds, 13.70 M/s
Appuyez sur une touche pour continuer... 739.00 seconds, 13.53 M/s
Appuyez sur une touche pour continuer...
D:\DSi\00_Bruteforce TWLbf>
 

t3rminus

Well, that was fun. I got my Console ID bruteforced thanks to this guide, but I was utterly stuck at the EMMC CID because my NAND is not made by Samsung, but rather it's made by ST, and thus has a completely different set of digits. Ended up buying a copy of The Biggest Loser... so here we go!

Code:
Console ID: 08203********1**
EMMC CID: CC ** ** ** ** 30 36 35 32 43 4D 4D 4E 01 FE 00
 

gorgyrip

I can't get bfcl to work. I'm trying to find the console id.
Can someone please run bfcl for me?
bfcl console_id_bcd 08A2000000000100 001f A7EE8F9548FF6F270B8DDF1311935160 000000000000000000000000000055aa 0000 9BCE6F029370131A2A00DCE49F8F141E 00000000000000000000000000000000

I'm not really sure if 08A2000000000100 is correct. I have a regular DSi, actually only the motherboard; I think it came from a metallic blue console.
 

Koksi__

Got it.
Look at your Conversations :)
 

Barawer

When running bfcl I'm getting
ocl_assert: ocl_util.c, function ocl_get_platform_ids, line 52
clGetPlatformIDs(0, NULL, p_num_platforms)
error: platform not found
What am I missing?
 

DubMonster

Hey, just got my second DSi without Flipnote, so I have to do a hard mod to get HiyaCFW + TWiLight Menu++ onto it. I don't have any exploit games like The Biggest Loser. I'm going to use SudokuHAX, but the thing stops at decrypting my NAND image. I don't have the Console ID or CID, that's why I need to brute-force them with TWLbf. The next stumbling block is... Yeah, how do I use it? What commands do I need to type in? Can somebody help a total noob use this tool? I appreciate the help very much!
 
Reactions: chronoss

ShiftCode

000-010: E483E25338A71826E8EC0135CD4792C1
1F0-200: F3F46EA3C44481F1ADAA7C2323AE6DB6
Flash ID: KMAPF0000M
Flash MY: SAMSUNG 001
Got mine.

ConsoleID: 0820165524117123
CID: 1d776b0010034d303046504100001500

EUR DSi XL bordeaux red
 
