Homebrew [RELEASE] TWLTool - DSi downgrading, save injection, etc multitool

[TDotFlame]

You can only use flashcards that are compatible with the 3DS. I don't think the TTDS is even compatible with the DSi.

oh ok thank you

 

[WulfyStylez]

Updated to 1.5! TWLTool now supports de/encrypting system files using ES file encryption, including tickets and dev.kp. Thanks to nocash for documenting how that's done!

Theoretically, having your decrypted dev.kp should allow you to reinstall DSiWarehax forever, since you can sign tad files. This gets around the check added in 1.4.something where you can't install TADs signed by another system. I don't know if the actual tools are quite there yet, I may look into it soon.

 

[Apache Thunder]

Oh nice. I could have used this a few months ago when I was installing DSi system apps to my n3DS TWL nand. I had DSi System Settings do a system update. Which I eventually succeeded in doing so. I just had to manually swap out pending files to their correct locations so it can move on to the next one. I almost got system menu to boot, but it appears I'd have to get retail launcher to load from twlBg, but haven't found away of doing that since i don't know how to change where it's loaded in the .code since retail launcher is larger then dev launcher. (it would either have to be moved to the end or redirected to NAND/SD somehow)

I wonder if a dev.kp could be created for a 3DS...I always have to use one from a DSi which may still prove to be a road block to system menu booting in the end...

 

[WulfyStylez]

Oh nice. I could have used this a few months ago when I was installing DSi system apps to my n3DS TWL nand. I had DSi System Settings do a system update. Which I eventually succeeded in doing so. I just had to manually swap out pending files to their correct locations so it can move on to the next one. I almost got system menu to boot, but it appears I'd have to get retail launcher to load from twlBg, but haven't found away of doing that since i don't know how to change where it's loaded in the .code since retail launcher is larger then dev launcher. (it would either have to be moved to the end or redirected to NAND/SD somehow)

I wonder if a dev.kp could be created for a 3DS...I always have to use one from a DSi which may still prove to be a road block to system menu booting in the end...

You'd need to assert TWL_FIRM's setup is sufficient for retail bootchain (TWL_FIRM uses a boot2 rigged to load an SRL, signed + encrypted with dev rsakey), then you may have some luck with retail boot2 + retail launcher. I believe TWL launch copies out keys where they're expected though, for either launcher.

What I'd do is modify a TWL image to have retail boot2 and mess with that until it boots under no$gba. You should be able to add all titles and tickets by hand with TWLtool at this point. I feel like you're going to run into a ton of issues due to lacking /sys files (HWINFO_S.bin, HWINFO_N.bin, HWID.sgn) though?

dev.kp can't be created for 3DS since that's dependent on not only consoleID but HWID.sgn, which I believe is system-unique and isn't present on 3DS.

 

[Apache Thunder]

It may be easier to patch out checks in retail launcher and create a custom HWID.sgn I suppose. I thought launcher was boot2. I wasn't aware there was one for 3DS. How would I go about obtaining DSi boot2 and putting it in twlBg?

Thing is, I don't think Arm11 has TWLN/NAND access (which is where twlBg is loaded I think), so I'm not sure how a DSi Boot2 will help since I think it would attempt to access Launcher from TWLN and fail to do so.

 

[WulfyStylez]

It may be easier to patch out checks in retail launcher and create a custom HWID.sgn I suppose. I thought launcher was boot2. I wasn't aware there was one for 3DS. How would I go about obtaining DSi boot2 and putting it in twlBg?

Thing is, I don't think Arm11 has TWLN/NAND access (which is where twlBg is loaded I think), so I'm not sure how a DSi Boot2 will help since I think it would attempt to access Launcher from TWLN and fail to do so.

I just checked and it seems HWID.sgn isn't used by the launcher - it's probably just for online features to varying degrees.
DSi boot2 is at the beginning of eMMC, see here.
ARM11 doesn't do anything relevant to this besides just copying out boot2 and the loader SRL for process9. TwlBg is effectively a completely separate system running at the same time as ARM9/ARM7 are in legacy mode in order to talk to the GPU and handle home button events, etc. All of its code (kernel loader, kernel, process) comes from the FIRM binary.
TWL_FIRM acts as the ARM7+ARM9 bootrom from TWL. To that end it properly initializes keyslots, copies blocks of keys into memory, and decrypts+verifies+loads boot2. Once all this is done, the system is switched into legacy mode and boot2 is executed on ARM7 and ARM9, loads the launcher SRL from memory, and that boots whatever title has been requested.

 

[Apache Thunder]

Interesting. I suppose boot2 is also in .code of twlBg? That makes sense. Arm11 loads it to a specific location (in FCRAM I guess?) before the mode switch. That makes sense. Does that mean twlBg can be modified to redirect where it loads boot2/dev launcher from? that would make modifying them a lot easier. I would think trying to modify the twlBg CXI is more trouble then it's worth.

I don't know what 3DS's boot2 looks like. That and I assume boot2 of DSi is encrypted differently then the version for 3DS? (perhaps it's not encrypted at all)

 

[WulfyStylez]

Updated to 1.6!
-CID and consoleID can now be loaded from files (just pass a filename instead of a hex ID)
-TWL decryption now decrypts MBR and partitions (copying the rest) instead of annhilating unencrypted parts
-3DS consoleID bruteforce is slightly faster and supports exporing ID to file on completion
-system file crypto should support 3DS now

 

[Cornholio309]

A bit of a novice question, but I'm a bit confused:

A while ago, I splurged and bought a brand new Nintendo DSi Matte Blue I found at a GameStop for 60 dollars. I've used it every now and again, but haven't checked out the DSiWare shop or connected to the internet with it at all.

I recently checked and the system came with Version 1.4.4U. Can I use TWLTool with this?

From what I gather in the first post, I either have the option of hardmodding the DSi in order to get it's NAND and downgrade it, or I can just inject the DSiWare Hax save with this tool (which seems like the better option). Is this correct, or do I still have to downgrade? Would upgrading to 1.4.5U be worth it?

 

[loco365]

Nice to see this tool still getting updates. I got my DSi back from @Gadorach and I haven't had too much time to play with my DSi yet because of work, but I also need to find my USB SD reader - the one on my laptop doesn't seem to play nice.

 

[Xanthe]

Is it possible to inject GBA games with this?

 

[Ella879]

Is it possible to inject GBA games with this?

nope

 

[Xanthe]

nope

FUCK

 

[WulfyStylez]

The DSi hardware sits in a weird place with GBA support. The cart memory range and similar status registers and such basically act as if no cart is inserted, and it seems that there's not even hardware support for reintroducing the GBA slot.
This is sorta weird because DS obviously supports GBA, and 3DS also natively supports GBA by mapping memory in place of the cart slot (as well as doing hardware-based save memory emulation). DSi is the only post-GBA console to not support it in hardware.

 

[dark_samus3]

The DSi hardware sits in a weird place with GBA support. The cart memory range and similar status registers and such basically act as if no cart is inserted, and it seems that there's not even hardware support for reintroducing the GBA slot.
This is sorta weird because DS obviously supports GBA, and 3DS also natively supports GBA by mapping memory in place of the cart slot (as well as doing hardware-based save memory emulation). DSi is the only post-GBA console to not support it in hardware.

I take it we can't manipulate the memory range and status registers? (Or can we?) If we can, it might be possible, with some tricks, to get it working properly (ofc it's not easy)

 

[WulfyStylez]

I take it we can't manipulate the memory range and status registers? (Or can we?) If we can, it might be possible, with some tricks, to get it working properly (ofc it's not easy)

Well, memory accesses return 0xFF instead of open bus values. That implies they're probably pulled high inside the SoC and thus inoperable. It's actually more likely that you'd be able to get the second DS cart slot working than the GBA slot, as the pins for it seem to still exist on the retail SoC, albeit not connected and not utilized by existing software.

 

[dark_samus3]

Well, memory accesses return 0xFF instead of open bus values. That implies they're probably pulled high inside the SoC and thus inoperable. It's actually more likely that you'd be able to get the second DS cart slot working than the GBA slot, as the pins for it seem to still exist on the retail SoC, albeit not connected and not utilized by existing software.

AH, damn... thanks

 

[Cornholio309]

A bit of a novice question, but I'm a bit confused:

A while ago, I splurged and bought a brand new Nintendo DSi Matte Blue I found at a GameStop for 60 dollars. I've used it every now and again, but haven't checked out the DSiWare shop or connected to the internet with it at all.

I recently checked and the system came with Version 1.4.4U. Can I use TWLTool with this?

From what I gather in the first post, I either have the option of hardmodding the DSi in order to get it's NAND and downgrade it, or I can just inject the DSiWare Hax save with this tool (which seems like the better option). Is this correct, or do I still have to downgrade? Would upgrading to 1.4.5U be worth it?

Does anybody know anything about this?

 

[Gadorach]

Does anybody know anything about this?

You absolutely do have to have your console properly ticketed to inject hacked saves and downgraded apps. What that means is that you need to update the console to the latest firmware and buy the hackable game from the DSi Shop, while it's still available.

The Nintendo DSi Shop will no longer allow the buying of DSi Points after September 30th, 2016. You must buy the hackable game before then if you intend to use these exploits.

 

[Jeliwickle]

Hey, I know that probably no one will use this forum anymore but I need help, I don't actually know what to do or how to work this can someone please help u really need to downgrade my dsi because my iedge card won't work, I'm only 13 and don't understand what I'm supposed to do with this tool and I really want my iedge card to work again