Homebrew TWLbf - a tool to brute force DSi Console ID or EMMC CID

[DubMonster]

This isn't too bad:
http://problemkaputt.de/twl-core.jpg
R94 is 56R.

Yeah, but still the only thing it's showing is 0000FE00, i tried bridging the R94 just for giggles and no luck. Bit offtopic now

 

[gorgyrip]

Yeah, but still the only thing it's showing is 0000FE00, i tried bridging the R94 just for giggles and no luck. Bit offtopic now

If you can't find a smd resistor, use a regular one with a simillar value and wires.

 

[DubMonster]

If you can't find a smd resistor, use a regular one with a simillar value and wires.

For sure i would, but i'm hunting for DSi XL now...

 

[Ocelot124286]

So confusing! Could somebody give me a guide? I have a white DSi from the UK and a rasberry pi. Sorry for being a noob. I've only done Wii and Android.

 

[DubMonster]

So confusing! Could somebody give me a guide? I have a white DSi from the UK and a rasberry pi. Sorry for being a noob. I've only done Wii and Android.

So you are doing the hardmod? Go to the thread for it or start new

 

[Ocelot124286]

So you are doing the hardmod? Go to the thread for it or start new

Yes I am. I need to Brute Force the cid and console Id to decrypt the nand. I don't have any DSi ware to get the console Id. And I don't know how to get the cid with my rasberry pi.

 

[Ocelot124286]

We use this string as a template:
MY ss ss ss ss 03 4D 30 30 46 50 41 00 00 15 00; DSi CID KMAPF0000M-S998
MY ss ss ss ss 32 57 37 31 36 35 4D 00 01 15 00; DSi CID KLM5617EFW-B301
MY ss ss ss ss 03 47 31 30 43 4D 4D 00 01 11 00; 3DS CID
In order to determine the eMMC CID, you must first open your DSi and read the 3 characters to Samsung for the "MY" byte on the NAND chip.
For me that was, for example: 943 and that means:
943 means 43rd week in 2009, ie 43 weeks in 2009 -> December -> month code B, 2009 -> year code C. For the month code you need 43/4 = 10.75 -> 11 (either on or round off if necessary)
Convert this value to hex, so "B"
For the years code we take this scheme:
B - 2008
C - 2009
D - 2010
E - 2011
F - 2012
So BC for the MY byte (at my NAND) The "s" is replaced by "0"
It follows from me (Since I have a KMAPF ...... NAND chip): "BC00000000034D303046504100001500"
Now we have to search for the [src] key by opening your NAND dump with HxD and searching for the line "000001F0".

You now use the 16 couples as [src] in the command. If you have the console ID now, then we can get started:
bfcL emmc_cid [Console ID] [EMMC CID] [offset] [src] [verify]
That's what it looks like for me:
bfcl emmc_cid 0820154919126126 BC00000000034D303046504100001500 001f DB2D16975DACA90176014EB4CCCE87FB 000000000000000000000000000055aa
If there is got hit then everything fits and you have your eMMC CID



You only need your NAND.img for the hex part to bruteforce the CID

Yeah, and give me your numbers on the NAND Chip.
Send me a PM

Just like how you did for DubMonster, could you get my cid & Console id for me. I don't understand it one bit. I still need to solder my DSi but that might be done tomorrow. I will give you the NAND dump and the numbers on the chip.

 

[Koksi__]

Just like how you did for DubMonster, could you get my cid & Console id for me. I don't understand it one bit. I still need to solder my DSi but that might be done tomorrow. I will give you the NAND dump and the numbers on the chip.

yeah, but i only need the numbers from the NAND Chip.

 

[Ocelot124286]

yeah, but i only need the numbers from the NAND Chip.

Ok, it says

Samsung 907
KMAPF0000M S998


N1KHCZJH

 

[Koksi__]

Ok, it says

Samsung 907
KMAPF0000M S998


N1KHCZJH

Sorry, i forgot, i need the NAND Dump for the CID

 

[Ocelot124286]

Sorry, i forgot, i need the NAND Dump for the CID

Ok I will try to do it soon

 

[Ocelot124286]

Sorry, i forgot, i need the NAND Dump for the CID

Oh yeah, I have a rasberry pi if you know how I can get the cid with the rasberry pi.

 

[Koksi__]

Oh yeah, I have a rasberry pi if you know how I can get the cid with the rasberry pi.

No, i don't know, but i can bruteforce the CID and Console ID with the dump.
But you can also get those keys with a "The Biggest Loser" cart, a flashcard and one dsi app on the NAND, but you also need a exploitable DSi game.

I think the best option is to do a hardmod.
It is not that hard, only 4 solder points.
Don't solder with too much heat and use flux, so it should no problem

 

[Ocelot124286]

So I need some thinner wire for the hardmod, but I don't understand the diagrams for the hardmod from https://gbatemp.net/threads/dsi-downgrading-the-complete-guide.393682/

No, i don't know, but i can bruteforce the CID and Console ID with the dump.
But you can also get those keys with a "The Biggest Loser" cart, a flashcard and one dsi app on the NAND, but you also need a exploitable DSi game.

I think the best option is to do a hardmod.
It is not that hard, only 4 solder points.
Don't solder with too much heat and use flux, so it should no problem

Ok thanks. On the diagram for the soldering. It's a bit confusing. Do you know which exact points I should do?

 

[Koksi__]

Ok thanks. On the diagram for the soldering. It's a bit confusing. Do you know which exact points I should do?

https://puu.sh/jePkp/79bb5b1008.png
This is for the normal DSi (not XL)
you only need DAT0 (you can use the alternative point if you want), CMD, CLK and GND from the cartridge slot.

Solder those points to a Micro SD Card Adapter and dump it with win32 disk imager (DONT KLICK AT THE FORMAT PROMPT FROM WINDOWS, BECAUSE YOU WILL BRICK)

 

[Ocelot124286]

https://puu.sh/jePkp/79bb5b1008.png
This is for the normal DSi (not XL)
you only need DAT0 (you can use the alternative point if you want), CMD, CLK and GND from the cartridge slot.

Solder those points to a Micro SD Card Adapter and dump it with win32 disk imager (DONT KLICK AT THE FORMAT PROMPT FROM WINDOWS, BECAUSE YOU WILL BRICK)

Where is GND? And also, does wires from old earbuds work? There seems two be a red and a blue copper wire in each silicone wrapped wire.

 

[Matrice666]

maaaan. im trying to get my CID a console id ... the command line i got should be

bfcl console_id_bcd 0820100000000100 001f B1F43D7963FC7B89A040E21A87085483 000000000000000000000000000055aa 0000 A10C0D2499F29404D28426A92005FE9F 00000000000000000000000000000000

but im getting an error i believe due to my gpu's old age. Could anyone help me with that?

 

[Koksi__]

maaaan. im trying to get my CID a console id ... the command line i got should be

bfcl console_id_bcd 0820100000000100 001f B1F43D7963FC7B89A040E21A87085483 000000000000000000000000000055aa 0000 A10C0D2499F29404D28426A92005FE9F 00000000000000000000000000000000

but im getting an error i believe due to my gpu's old age. Could anyone help me with that?

yeah, i will do that, but you have to wait 18 hours.

 

[Matrice666]

yeah, i will do that, but you have to wait 18 hours.

thanks man. let me know if you're missing anything.



...man you know what .. im pretty sure i messed that up.
i have the chip info and the NAND though

samsung 846 so: BB
kmapf000m which I believe would make it: 03 4D 30 30 46 50 41 00 00 15 00
S998

0000001f0: B1F43D7963FC7B89A040E21A87085483
00000000: A10C0D2499F29404D28426A92005FE9F

so if my calculations are correct i should runthis in CMD: bfcl console_id_bcd 08A1900000000000 001f B1F43D7963FC7B89A040E21A87085483 000000000000000000000000000055aa 0000 A10C0D2499F29404D28426A92005FE9F 00000000000000000000000000000000

but yeah... still not working for me.

 

[mightywii]

Oh yeah, I have a rasberry pi if you know how I can get the cid with the rasberry pi.

You boot a copy of Linux that boots from a ramdisk like TinyCore so the boot SD card can be removed and replaced with the DSi. You can then use a command like this to get the CID:
sudo cat /sys/block/mmcblk0/device/cid
You can use the dd command to image the card, both to get your dump and flash your modified nand.

 

[mightywii]

Oh yeah, I have a rasberry pi if you know how I can get the cid with the rasberry pi.

You boot a copy of Linux that boots from a ramdisk like TinyCore so the boot SD card can be removed and replaced with the DSi. You can then use a command like this to get the CID:
sudo cat /sys/block/mmcblk0/device/cid
You can use the dd command to image the card, both to get your dump and flash your modified nand.