Hacking Would it be possible to exploit DS Download Play as an entrypoint for wireless homebrew?


Well-Known Member
Oct 9, 2019
United Kingdom
Is it possible to use the DS Download Play feature on the DS(lite) as an entrypoint to loading homebrew on the system without the use of R4 cards?
I've had this idea for a long time, and it seems very plausible to me.
I was thinking that I could spoof an exploit as a legitimate program, allowing it to run wirelessly. I've seen similar exploits with the 3ds, so I believe something identical could be done on the DS(lite).
The exploited DS Download software could be hosted from a computer (or even a phone!) and spoof the device as a beacon for the DS to connect to.
Maybe we could modify those DS Download Stations they used back in the day?


aka Ricochet Otter
Jun 2, 2007
United States
Before I say anything, note I have not at all looked into the Haxxstation. Just wanted to comment on the OP's question.

What's funny, Kordru, is that you're not at all far off from what actually happened in the very first days of DS Homebrew. It's gonna be hard to explain concisely since most of the online resources I'd normally link to are now gone, so I'll try to keep this brief.

Originally there were no slot-1 flash carts like the R4. Early DS homebrew was done by flashing a traditional slot-2 GBA flash cart with a DS binary file, then tricking the DS into booting from slot-2 somehow. There were two major ways this trickery was done.

The first was a hardware solution called PassMe where you'd plug the PassMe into slot-1, an official DS game cartridge into the PassMe, and it would use the official cart's authentication to boot the system and then hijack code execution to slot-2 instead.

The other way was called WifiMe. This used a very specific model Ralink wifi adapter popular at the time, specifically because it had the ability to broadcast unmodified raw wifi packets. You'd run the server program and it would start acting like a Download Play station running on your computer. This program used a hacked version of the official Super Mario 64 DS "download play" rom that somehow passed the DS's security check (never did learn how they managed that). You'd load up the Download Play section on the DS, start downloading from your computer, and then the hacked SM64DS rom redirected code execution to slot-2, essentially acting as a wireless version of the PassMe.

However, note that both of these methods still require a slot-2 GBA flash cart with the DS file of your choice flashed to it. This would soon change however:

Once you got either of those methods working at least once, you could have the DS run flashme.nds to install FlashMe, the replacement firmware for the DS. This required you to use an insulated metal tool to short the metal contacts of a specific part underneath the battery cover. Once done, FlashMe acted identical to the regular DS firmware except that it removed the security check for Download Play files. This meant you could now send over ANY file less than 4MB in size, not just the officially-signed Nintendo demo images. Great for quickly testing and debugging your homebrew programs. This right here is what I imagine you're thinking of.

The ability to do this became less and less useful over time, as DS homebrew moved in a direction where devices suddenly started having SD cards and filesystems and overcoming the 4MB filesize limit. This method won't work for most current DS homebrew programs for that reason, as they're expecting a filesystem that doesn't exist when it's just a standalone *.nds file loaded into RAM. Maybe with the "fcsr" fake filesystem builder thing it might be possible but this post is already long enough without speculating.
  • Like
Reactions: Kordru

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    Xdqwerty @ Xdqwerty: @SylverReZ, @Psionic Roshambo https://youtu.be/A5mRx3wcouw