HackMii

Notes from inside your Wii


DSi System Update 1.4.2

May 19th, 2011 by yellows8 · 65 Comments

Update (25/05/11): An updated Sudokuhax (the final update) will be released at the same time as the final DSiWareHax, but if you already have Sudokuhax and want to copy this updated Sudokuhax to “internal memory”, you must still be on 1.4.1 (or below). This updated Sudokuhax and the final DSiWareHax use an updated SD card loader; changes include faster boot.nds loading, among other things.

DSi system update 1.4.2 blocks copying all current and future DSiWare exploits to “internal memory”. Most of you won’t have the final DSiWareHax target, but don’t update for now anyway. Only people who already have the target game, and who stay on system version 1.4.1 (or below) until the exploit is released, will be able to copy the exploit to “internal memory”. DSiWare savedata exploits are dead with system update 1.4.2; after the release of this exploit later, there will be no more DSiWare savedata exploits.

The EC certificate APCert in the DSiWare export on the SD card signs the hashes stored in that export; these include the hashes of the savedata, among other things. The APCert is signed by the console-unique TWCert, which in turn is signed by Nintendo. The TWCert is stored in NAND.

The original system settings title verified the APCert against the TWCert contained in the DSiWare export on the SD card. That allowed us to modify DSiWare savedata, since we could re-sign the APCert with any TWCert taken from another system. The new 1.4.2 system settings title verifies the APCert against the TWCert stored in NAND instead. This stops us from modifying DSiWare savedata for arbitrary systems, because the only way to get a given system’s certs is from its NAND. If you don’t already have DSiWareHax, it’s impossible to obtain your system certs without soldering to the NAND. The new system settings will not allow any DSiWare on SD card that was signed by another system to be copied to “internal memory”.
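The defect described above is a trust-anchor mistake: the verifier accepted the intermediate certificate that arrived inside the very artifact it was checking. The following Go program is an added illustration, not code from the post or from any Nintendo or DSi software. It models the chain (Nintendo root → console TWCert → APCert → savedata hash) with Ed25519 from the Go standard library in place of the real RSA/EC signatures, uses constructed keys and sample savedata, and compares the pre-1.4.2 rule (anchor taken from the export) with the 1.4.2 rule (anchor taken from the console's own NAND copy). Certificate layout, names and the `Export` structure are simplifications assumed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert is a minimal certificate: a subject's public key bound to the subject
// name by the issuer's signature. It stands in for the DSi's TWCert/APCert.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte // issuer's signature over tbs()
}

// tbs returns the to-be-signed bytes of the certificate.
func (c Cert) tbs() []byte { return append([]byte(c.Subject+"\x00"), c.PubKey...) }

func issue(issuerPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	c := Cert{Subject: subject, PubKey: pub}
	c.Sig = ed25519.Sign(issuerPriv, c.tbs())
	return c
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Export models a DSiWare SD-card export (simplified, assumed layout): the
// savedata, the AP key's signature over its hash, the APCert, and a copy of
// the TWCert written by whoever produced the SD card contents.
type Export struct {
	Savedata []byte
	HashSig  []byte
	APCert   Cert
	TWCert   Cert // attacker-controlled when the export comes from elsewhere
}

func makeExport(twPriv ed25519.PrivateKey, twCert Cert, save []byte) Export {
	apPub, apPriv := newKey()
	h := sha256.Sum256(save)
	return Export{
		Savedata: save,
		HashSig:  ed25519.Sign(apPriv, h[:]),
		APCert:   issue(twPriv, "AP", apPub),
		TWCert:   twCert,
	}
}

// verifyChain checks root -> anchor (TWCert) -> APCert -> savedata hash.
// The caller decides where the anchor comes from; that choice is the bug.
func verifyChain(e Export, root ed25519.PublicKey, anchor Cert) bool {
	if !ed25519.Verify(root, anchor.tbs(), anchor.Sig) {
		return false
	}
	if !ed25519.Verify(anchor.PubKey, e.APCert.tbs(), e.APCert.Sig) {
		return false
	}
	h := sha256.Sum256(e.Savedata)
	return ed25519.Verify(e.APCert.PubKey, h[:], e.HashSig)
}

// Pre-1.4.2 rule: the anchor is the TWCert carried in the export itself.
func verifyPre142(e Export, root ed25519.PublicKey) bool {
	return verifyChain(e, root, e.TWCert)
}

// 1.4.2 rule: the anchor is this console's TWCert from NAND; the copy in the
// export is ignored entirely.
func verify142(e Export, root ed25519.PublicKey, nandTWCert Cert) bool {
	return verifyChain(e, root, nandTWCert)
}

type Outcome struct{ LegitOld, LegitNew, ForeignOld, ForeignNew, TamperedOld, TamperedNew bool }

// RunScenario builds constructed keys for a root, console A and console B,
// then checks three exports on console A under both verification rules.
func RunScenario() Outcome {
	rootPub, rootPriv := newKey() // stands in for Nintendo's root key
	aPub, aPriv := newKey()       // console A's TW key; aCert lives in A's NAND
	aCert := issue(rootPriv, "TW-console-A", aPub)
	bPub, bPriv := newKey()       // console B: any other system's TWCert
	bCert := issue(rootPriv, "TW-console-B", bPub)

	legit := makeExport(aPriv, aCert, []byte("savedata written by console A"))
	foreign := makeExport(bPriv, bCert, []byte("savedata re-signed with another system's certs"))
	tampered := legit
	tampered.Savedata = []byte("savedata edited without a matching signature")

	return Outcome{
		LegitOld: verifyPre142(legit, rootPub), LegitNew: verify142(legit, rootPub, aCert),
		ForeignOld: verifyPre142(foreign, rootPub), ForeignNew: verify142(foreign, rootPub, aCert),
		TamperedOld: verifyPre142(tampered, rootPub), TamperedNew: verify142(tampered, rootPub, aCert),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Both rules reject savedata whose hash signature does not match, so hash signing was never the weak point. The difference is the foreign export: a chain that is internally valid but rooted in another console's TWCert passes the old rule and fails the new one, which is exactly what confines 1.4.2 verification to certs that exist only in this console's NAND.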

Tags: dsi

65 responses so far

  • 1 DacoTaco // May 19, 2011 at 11:39 pm

    that sucks ass.
    nintendo sure is paying more attention to their security these days o.o;

  • 2 rokujou // May 20, 2011 at 2:48 am

    What a shame… so unlike the Wii updates that took them 3 or 4 attempts to fix the security issues.

    Did you guys check to see if a similar exploit existed in the 3Ds firmware?

  • 3 NotAWiiHacker // May 20, 2011 at 3:07 pm

    What if…They Used the DS download play to exploit the system?

  • 4 pocket fish // May 21, 2011 at 2:16 pm

    I’m getting the impression from this post that a future DSiwarehax is planned (for those on 1.4.1), is that indeed the case?

  • 5 yellows8 // May 21, 2011 at 3:10 pm

    pocket fish: The post specifically says that. You must already have the target game and stay on 1.4.1 to get the dsiwarehax.

  • 6 j.zonneveld // May 21, 2011 at 3:18 pm

    @Yellows8
    Why don’t you say which game it is? Nintendo can only update that game with DSi on fw 1.4.2, because you can’t access the DSi Shop with fw 1.4.1.

    By the way, great work!

  • 7 yellows8 // May 21, 2011 at 3:28 pm

    j.zonneveld: I don’t want the dsiwarehax to be specifically blocked on 3DS.(like only blocking that specific haxx)

  • 8 kmeisthax // May 21, 2011 at 11:24 pm

    So, in short, you can’t copy savegames between systems? That’s really, really, REALLY harsh. Not as bad as removing major system features for security reasons, but still really harsh.

  • 9 gnugeek // May 22, 2011 at 7:04 am

    Could be possible to get TWCert in NAND with a dsi support flashcart like cyclods?

  • 10 yellows8 // May 22, 2011 at 10:04 am

    kmeisthax: You couldn’t copy savegames/dsiware between systems at all in the first place before 1.4.2, that’s why they could change that APCert verification without affecting non-homebrewers at all.

    gnugeek: iEvo can’t access the SD Card/NAND sdmmc bus.

  • 11 oldtopman // May 22, 2011 at 2:46 pm

    @NotAWiiHacker

    DS download play is DS mode, not DSi mode.

  • 12 kmeisthax // May 22, 2011 at 3:17 pm

    yellows8: Really? I assumed that because we had savegame exploits, that savegames were transferable. I actually don’t own a DSi and don’t plan on buying one for the time being.

  • 13 yellows8 // May 22, 2011 at 3:23 pm

    kmeisthax: Yeah, if you could copy dsiware .bin exports to any other DSi, we wouldn’t have to bother with injection software which you run on linux/mac/win32.(And if those .bins didn’t include copyrighted software)

  • 14 wiisixtyfour // May 24, 2011 at 3:46 pm

    So are there any plans for future DSi exploits?

  • 15 Hypershell // May 24, 2011 at 5:01 pm

    Ugh, I was hoping some vulnerability would remain until the 3DS e-Shop was out. Then I could transfer it all and use my DSi specifically for ‘brew.

    Then again, what I’m reading now is, “If you haven’t already downloaded a hackable game, you’re screwed.”, due to the inability to connect to the DSi’s shop without the latest firmware. And I don’t have much of a DSi library (a half dozen games), so the odds aren’t with me.

  • 16 yellows8 // May 24, 2011 at 5:45 pm

    wiisixtyfour: If you mean besides the currently unreleased DSiWareHax, I wouldn’t count on it.

    Hypershell: “Then again, what I’m reading now is, “If you haven’t already downloaded a hackable game, you’re screwed.” ” Exactly, no hax if you didn’t have the game before 1.4.2 was released. If you don’t already have the game on your DSi, I doubt you could get DSiWareHax on 3DS.

  • 17 Hypershell // May 25, 2011 at 5:45 pm

    yellows8:
    I have no intention at current to hack my 3DS, what I meant was to transfer my official content to 3DS before hacking my DSi.

    Either way, it seems to be a no-go. I sincerely doubt a system transfer will be possible without updating anyway. It seems DSiWare hacking is just too inaccessible; Nintendo fixed it surprisingly quickly. I missed out on Sudoku the first time around and was HOPING to catch another shot.

    Also, I just checked here:
    http://dsibrew.org/wiki/DSiWare_VulnList
    Of my 6 DSi games, 5 are invulnerable and 1 is unlisted. Looks like I’m SOL.

  • 18 yellows8 // May 25, 2011 at 6:20 pm

    Hypershell: “I sincerely doubt a system transfer will be possible without updating anyway.” Correct, a paper included with 3DS states that to transfer DSiWare to 3DS from DSi, you must download the “DSiWare transfer tool” from the DSi Shop.(which you can only dl /w 1.4.2 obviously)

    And yeah, DSiWare VulnList is over, there’s no point trying to analyze additional games due to 1.4.2.(as stated on that page)

  • 19 Rodrigo Davy // May 25, 2011 at 9:19 pm

    I have the Sudokuhax, but I lost there original Sudoku game. Is it possible for me to get the updated Sudokuhax? Is the original game necessary?

  • 20 yellows8 // May 25, 2011 at 11:00 pm

    If you’re still on 1.4.1 and don’t have the original Sudoku SD card export, running the dsiwarehaxinj client software with the Sudokuhax .bin to inject the new Sudokuhax(once released) should work fine.

  • 21 Rodrigo Davy // May 26, 2011 at 9:07 am

    That’s good, I hope you release it soon! By the way, will it be possible to get write access on the SD card with this hax? It would be amazing if that happened.

  • 22 yellows8 // May 26, 2011 at 9:15 am

    “By the way, will it be possible to get write access on the SD card with this hax?”
    That would eventually be done with a libnds update, if anyone ever manages to figure out how to properly delay for poking the clk register.

  • 23 yellows8 // Jun 2, 2011 at 8:43 am

    http://www.nintendo.co.jp/3ds/support/transfer/index.html From a translation of some text on that page:

    “You cannot move the saving data or the [nintendo] DSi point.In addition when you move, with [nintendo] DSi LL/DSi itself, also the saving data is eliminated in the software and simultaneous.”

    DSi->3DS DSiWare transfer was the only likely means of getting dsiwarehax on 3DS. :(

  • 24 rokujou // Jun 7, 2011 at 2:59 am

    Has anyone looked into how the CycloDS iEvolution achieves DSi Mode homebrew? Perhaps we could start with that and either use it to try and find another exploit or at least work out how they did it and open it up for all cart developers?

    Personally, I’d prefer “native” homebrew, but at least then we’d be making DSi homebrew more accessible.

  • 25 jackwho8 // Jun 7, 2011 at 4:46 am

    Speaking of carts, I recently noticed some kiosk in stores, showing a Demo Version of “Mario VS Donkey Kong: MiniLand Mayhem”: this particular demo version was running on a DSi XL and there was no obvious way to return to system menu: I tried soft-resetting the system and turning it off, waiting, then turning it on, but every single time the system would not display the “Health and Safety” screen, nor the System Menu screen, booting directly the game instead.

    Is this peculiar behavior already known and understood? In my experience as a gamer (and not, sadly, a homebrewer), I never found it possible to bypass the System Menu screen. Although I can not tell with 100% confidence whether the system was booting from a cart or an app stored in NAND, I guess it was a cart.

    Could there possibly be a way to bypass the System Menu? More interestingly, would it be possible to boot a cart with System Menu-like privileges (that is, unrestricted access to both Slot1 and NAND/SD bus)?

    Thanks in advance to anyone who is willing to enlighten me on the matter.

  • 26 yellows8 // Jun 7, 2011 at 8:20 am

    rokujou: AFAIK no-one managed to dump/sniff the ievo EEPROM, but it would be just a clone of the cooking coach ROM with CookHack(EEPROM savedata exploit) modified to load a payload from ROM somewhere.

    jackwho8: AFAIK NAND titles can’t be auto-booted, but gamecards can be auto-booted.(This uses bit flags separate from DS)
    “would it be possible to boot a cart with System Menu-like privileges (that is, unrestricted access to both Slot1 and NAND/SD bus)?” Access to the former seems to be always enabled for gamecards, and also always disabled for all NAND titles. While NAND/SD card bus access is determined by bits in the header, which you can’t modify since it’s RSA-signed.

  • 27 Memedan // Jun 7, 2011 at 8:42 am

    Can someone confirm that the DSiWare-Transfer-Tool won’t block my Sudokuhax or brick my DSi when I have the Hax? I don’t want to brick it, I only want to transfer some other titles, not the Sudokuhax. But maybe it will find the Hax and block it?

  • 28 yellows8 // Jun 7, 2011 at 7:18 pm

    Memedan:
    The transfer tool doesn’t specifically check for any hax, nor will it specially remove hax.(Savegames are deleted from the DSi after transfer though) Just don’t turn power-off during downloading the transfer tool from DSi Shop even when it hangs.

    As I said before, DSiWareHax can’t be transferred to 3DS with that tool. And also, they changed the keys/format of DSiWare exported to SD card from 3DS.(doubt we could resign that dsiware with other systems’ certs even if we would have the key(s), due to DSi sysupdate 1.4.2.)

  • 29 Sektor // Jun 10, 2011 at 7:41 am

    Did Nintendo add the 1.4.2 security to the DSi mode on 3DS? They’d be stupid not to but has it been tested.

  • 30 yellows8 // Jun 10, 2011 at 9:00 am

    Sektor: No idea but I’d assume so, I mentioned above your comment that they changed keys for DSiWare exported to SD card.

  • 31 sciencematthew // Jun 15, 2011 at 8:37 am

    I am on 1.4.1 and have 9 Pages of DSi Ware on My SD card I hope I have the target one, Faceez or Guitar Rock Tour

    Could you hack My Sims Camera (stupid app)? I got it because I thought you could load a corrupted JPG onto it, it has SD Access. [Mod: merged comments]
    There is a slot machine game, it has usernames with a character limit in the USA shop.
    I wonder what the target game is.

  • 32 yellows8 // Jun 16, 2011 at 6:13 pm

    sciencematthew: “My Sims Camera” The savefile for that is only 12 bytes, no way to exploit that. Never was aware of any DSiWare that used SD card besides flipnote. All DSi software using jpeg seems to use the same libjpeg, no-one bothered with that very much.

    “There is a slot machine game” http://dsibrew.org/wiki/DSiWare_VulnList “Since system update 1.4.2 blocks copying *all* dsiwarehax, do not contact us about your dsiware anymore at all. “

  • 33 ron975 // Jun 18, 2011 at 7:15 pm

    If the target game is not in your system, then will there be another dsi hack that doesn’t exploit another aspect of the software?

  • 34 yellows8 // Jun 18, 2011 at 7:41 pm

    ron975: I assume you mean haxx for software other than DSiWare. Dunno, no-one ever managed to get anywhere with system sw.

  • 35 ron975 // Jun 19, 2011 at 6:48 am

    I’m just grasping at straws here, but would it be possible to use sudokuhaxx or another DSiWare Haxx to sniff out and map the DSi’s certs and keys?

  • 36 yellows8 // Jun 19, 2011 at 10:13 am

    “DSiWare Haxx to sniff out and map the DSi’s certs and keys?” Hm? That was done with ramhax. If you mean for dumping system certs for resigning DSiWareHax, software run from DSiWareHax can dump that from NAND.(But of course you need dsiwarehax in the first place)

  • 37 winmaster // Jun 19, 2011 at 9:22 pm

    @yellows8

    In the past, I have asked if DS Download Play (the non 3DS one) was going to be exploited. You said that you developed something along those lines, but it would not be released because of the complexities of configuring one’s router to work with it. I have a few more questions regarding this topic.

    1. Could the Wii be used to distribute DS Download exploits in a similar manner to how the Nintendo Channel distributes demos?

    2. Could a homebrew .nds be paired with the necessary data from an official DS Download application by an program run by the end user (to eliminate distribution of copyrighted Nintendo code?)

    2b. Could official DS Download applications be saved with homebrew. For instance, could a homebrew Wii application connect to a DSi distributing the settings transfer app and save said app to SD card for future use?

    2c. Could the demos available on the Nintendo Channel be downloaded with homebrew?

    3. Could this be used to dump NAND files over Wi-Fi?

    4. If anybody did release a DS Download Play exploit, could Nintendo patch it on the DSi and 3DS without breaking compatibility with DS games that use single cartridge multiplayer?

    It seems like DS Download exploits could be useful because it would open up all DS, DSi, and 3DS consoles to homebrew (albeit in DS mode). I also would think that this should be especially beneficial to 3DS hackers who want to explore its filesystem.

  • 38 yellows8 // Jun 19, 2011 at 9:56 pm

    winmaster: The main problem is that I can’t really release copyrighted Nintendo software.(it’s free but w/e) And it’s only DS-mode so not much use there. “also would think that this should be especially beneficial to 3DS hackers who want to explore its filesystem.” Erm, DS-mode = zero access to DSi/3DS hw including NAND.

    1: Sure for hosting official signed WMB binaries, that’s how I use my ds-station hax.(Just patch the https urls in the NinCh dol to use http /w a clone server, with alternate .bin files for demos etc)

    2: Sounds like you want to modify signed WMB bins, that won’t work unless the client is a DS /w FlashMe.

    2b: No-one ever managed to figure out how to use WD for WMB hosting.(And IIRC WD only does hosting not DS wlan client.) “connect to a DSi distributing the settings transfer app” You mean the DS-mode WFC config transfer from system settings? You could grab that from system settings NTR FS from NUS.

    2c: http://wiibrew.org/wiki/Ninchdl-listext (I really need to release another version supporting newest NinCh version, committed support for it long while ago but just never bothered.)

    3: See above.

    4: I guess so but I doubt they’d bother.(They’d add code to the download play client title(s)) FWIW my haxx is _very_ easy to fix server-side.

    [EDIT:] If you haven’t already found it, there’s info+src link for my hax on the DSiBrew Nintendo_Zone page.(can’t be used with Nintendo Zone though)

  • 39 winmaster // Jun 20, 2011 at 7:27 am

    @yellows8

    Thank you for responding to my questions.

    So in DS mode, NAND is inaccessible then? How do DS games access Wi-Fi settings and Nintendo WFC data, is this stored somewhere else?

  • 40 yellows8 // Jun 20, 2011 at 7:51 am

    winmaster: All WFC config stuff including 802.11g/”Advanced settings” are stored in NVRAM, same SPI device as DS.

  • 41 winmaster // Jun 20, 2011 at 9:23 pm

    @yellows8

    Thanks for answering yet another n00b question. Wikipedia said the original DS had a 256 kB NAND, so I assumed that’s where Wi-Fi data was stored.

  • 42 ron975 // Jun 22, 2011 at 7:02 pm

    Would it be possible to hack/modify the sysmenu?

  • 43 yellows8 // Jun 23, 2011 at 10:00 am

    No. http://dsibrew.org/wiki/NDS_Format “The first 0xE00 bytes of the NDS header is signed with an 1024-bit RSA signature.” (header includes hashes of binaries and ntr fs hash-table info/master hash)

  • 44 pocket fish // Jun 25, 2011 at 4:16 pm

    Any update on the final Sudokuhax’s release?

    Sorry to bother. : )

  • 45 yellows8 // Jun 28, 2011 at 6:58 pm

    pocket fish: There’s some delays, but new dsiwarehax will be released eventually when it’s done.

  • 46 theyodj445 // Jun 29, 2011 at 4:29 am

    one question… HOW DO YOU DOWNLOAD THE NEW VERSION IF YOU JUST KNEW ABOUT IT?

  • 47 theyodj445 // Jun 29, 2011 at 4:32 am

    and do you get arrested for using this? like after you get on the internet?

  • 48 yellows8 // Jun 29, 2011 at 7:53 am

    theyodj445: If you mean the new Sudokuhax version, you’d just run the client software same way as before to get latest Sudokuhax once released. Arrested for using this? Certainly not, homebrew is not illegal.

  • 49 Clookster // Jul 10, 2011 at 6:50 pm

    So, this project is dead now or what?

    I don’t know if you noticed, but we’re on DSi 1.43 already.

    It would be really kind if you’d tell people what’s happening next. If nothing is going to happen that’s OK. But we really need some information about that now.

  • 50 yellows8 // Jul 10, 2011 at 7:08 pm

    It’s not “dead” yet, final dsiwarehax wasn’t released yet. I knew about 1.4.3 (only blocks flashcards, no dsiwarehax affected of course) the instant it was available, since my SOAP scripts are running very frequently.

    If by “what’s happening next” you mean whether final dsiwarehax will be released, of course it will be eventually, it’s just that supporting JP region for dsiwarehax is difficult due to 1.4.2+.(main delay atm) :(

  • 51 sciencematthew // Jul 25, 2011 at 6:46 pm

    any ETAs or % of completion??? can’t wait for the final release, and if I do have the Hax on my system can you make a filebrowser to look at the native OS and maybe even theme it.

    thank you for your great work!!!

  • 52 sciencematthew // Jul 25, 2011 at 6:49 pm

    another random but dumb question, is it possible to change the URL or source of the DSi Ware Shop to somewhere where you can download Homebrew for the DSi, mainly for the people on 1.4.1 or the people too scared to update?

  • 53 yellows8 // Jul 25, 2011 at 8:07 pm

    I’d like to have dsiwarehax support JP, that’s the main thing delaying release. One game exploited for USA/EUR has the bug fixed for JP. For supporting JP another exploitable bug in the JP region of that game would need to be found, or exploit another JP game.(both are really difficult)

    “and if I do have the Hax on my system can you make a filebrowser to look at the native OS and maybe even theme it.” a) Use hbmenu. b) Use someone else’s loader or write your own.

    “is it possible to change the URL or source of the DSi Ware Shop to somewhere where you can download Homebrew for the DSi” …It uses HTTPS, and all titles are RSA-signed of-course.

  • 54 Coto // Jul 26, 2011 at 8:47 am

    Hi guys thanks for your awesome job all these years!

    You see, I’ve been wondering this since some time but here’s anyway, I do have a 1.41 DSi, but I don’t have any of the target games (sudoku..) but rather the default ones (Opera web br, flipnote studio, camera..).

    So my question is:

    Would DSiWare hax still work on my DSi even if it doesn’t have the required target game?

  • 55 yellows8 // Jul 26, 2011 at 8:54 am

    Coto: No.

  • 56 2600 // Aug 15, 2011 at 7:33 am

    I am unable to download the code. I put in MAC address and captcha code and then choose red or blue wire. A second later all details I filled in are wiped out and “The exploit will only work if you enter your Wii’s MAC address.”
    TIA

  • 57 yellows8 // Aug 15, 2011 at 8:17 am

    2600: Wrong post.

  • 58 Rodrigo Davy // Aug 16, 2011 at 10:43 am

    When you release the new DSihack, are you gonna make a brand new post on the site, or you’re just gonna update this one? Are you having any progress with the JP regions problem? Also, are there any plans to, who knows, a 3ds hack?

  • 59 yellows8 // Aug 16, 2011 at 11:47 am

    @Rodrigo Davy:
    Of course, it would be announced via another post.

    And with that one game, I found several more bugs which are also present in the JP version, which includes string buffer overflows. But those buffer overflows are rather difficult to exploit, so far it has only crashed on stuff which isn’t exploitable.

  • 60 Memedan // Aug 19, 2011 at 11:53 am

    Will the new sudokuhax have write-access to SD-card if it comes? The new libNDS 1.5.3 will allow this and also allow you to use SDhc-cards. :) So will the new sudokuhax and dsiware-hax base on libNDS 1.5.3???

  • 61 yellows8 // Aug 19, 2011 at 12:01 pm

    @Memedan: The apps loaded from DSiWareHax already can write to SD card, the exploit itself doesn’t need to write to SD card. DSiWareHax already had the new sdmmc IRQs code before my libnds patch was submitted.(which made loading boot.nds somewhat faster)

  • 62 jpedro9966 // May 28, 2012 at 6:39 am

    Why don’t you use SLOT-1 to create an exploit, too? Maybe this will work. Do it like the Wii: make an exploit, then get the CERT, and create a new exploit for other updated consoles.

  • 63 yellows8 // May 28, 2012 at 6:43 am

    This is not Wii. You can’t access the SD/NAND bus from gamecard titles. Basically only titles which use NAND can access it.

  • 64 jpedro9966 // May 28, 2012 at 6:43 am

    Yeah, and maybe you can shorten the exploit’s commands, to fit on other games.

  • 65 yellows8 // May 28, 2012 at 6:46 am

    The size of the exploit doesn’t matter when it couldn’t access the SD bus from gamecard titles in the first place…
