Notes from inside your Wii

Final DSiWareHax

August 25th, 2011 by yellows8 · 87 Comments

The final DSiWareHax is now available; go to the exploits list for the list of exploited DSiWare and the usage instructions for the exploits. The updated Sudokuhax is now available as well; the main change is faster boot.nds loading. You can only copy the new DSiWareHax to your DSi if you’re on 1.4.1 or below and already have one of the exploited games, since 1.4.2+ blocks copying DSiWare exploits to your DSi “internal memory”. Likewise, to obtain the updated Sudokuhax you must be on 1.4.1 and have the original Sudoku version.

The procedure for obtaining the new DSiWareHax and the updated Sudokuhax is identical to the original Sudokuhax, as described in the Sudokuhax post and the client software README. The client software was updated as well; updating to this version is required since the server no longer supports client sw v1.0.

As the title and the 1.4.2 post indicate, this is the last new DSiWareHax that will ever be released, since there’s no way to copy DSiWare exploits to DSi “internal memory” on 1.4.2+ without your system certs.

Tags: dsi

87 responses so far ↓

  • 1 gothicpinku // Aug 25, 2011 at 12:43 pm

    Just saying DSi shop is in maintenance right now. I guess they watch this blog closely lol.

  • 2 yellows8 // Aug 25, 2011 at 12:58 pm

    Yeah, apparently planned maintenance on the shop was announced in UK a few days ago.

  • 3 yellows8 // Aug 25, 2011 at 2:50 pm

    “This old protocol version is not supported, aborting.” This error has been fixed. EDIT: (This was a server-side bug, the client sw archive wasn’t updated for this)

  • 4 winmaster // Aug 25, 2011 at 6:31 pm

    Wow, two HackMii posts in the same month.

    @yellows8: Will you be working on other DSi exploits, or will you be moving on to the 3DS?

  • 5 yellows8 // Aug 25, 2011 at 7:31 pm

    Can’t really do much with 3DS myself atm, since all code is encrypted.(Which is why I still work on DSi stuff)

  • 6 ron975 // Aug 25, 2011 at 8:20 pm

    So this spells the end of any more DSi exploits of any kind?

  • 7 yellows8 // Aug 25, 2011 at 9:25 pm

    DSiWareHax means DSiWare savegame exploits, those exploits are finished. No idea if other exploitable vulns will ever be found.

  • 8 davr // Aug 25, 2011 at 10:45 pm

    wait so even if i have 1.4.1, but i never bought those particular games, there’s no hope?

    The dsi shop wants me to update to 1.4.2 before it’ll let me buy anything :'( :'( :'(

  • 9 yellows8 // Aug 25, 2011 at 11:29 pm

    @davr: Yeah, you can’t use these exploits when you don’t have any of these games and are on 1.4.1 or below.

  • 10 davr // Aug 26, 2011 at 10:30 am

    My dsi isn’t compatible with the cooking/word coach exploits either (wifi chip is write protected). I guess my only hope is soldering to the DSi, or soldering to the eeprom on the cooking coach game. But that sounds like a hassle.

  • 11 magu // Aug 27, 2011 at 4:00 am

    I have the original sudokuhax still working on my DSi updated to 1.4.2. Is it possible via a DSi-mode homebrew app to extract the TWCert from NAND for future use?

  • 12 Muzer // Aug 27, 2011 at 5:08 am

    That’s a point – would this be feasible, or is it not possible?

    A save game exploit that contains a bit of code to extract the TWCert from NAND, then you put that TWCert into some web interface along with DSiWare and it gives you a nicely-packaged bit of DSiWare?

  • 13 magu // Aug 27, 2011 at 5:23 am

    @Muzer: My thought exactly. Modify the client binary to take the TWCert as an additional argument. Then you could always upgrade any hack or install new ones on a particular device, despite having upgraded it, as long as you have extracted the cert earlier.

  • 14 Muzer // Aug 27, 2011 at 9:14 am

    @magu: Not only that, but I wonder if you could use a savegame exploit for an actual DSi game (cookhack or whatever it’s called), to extract the TWCert… or would that be impossible due to lack of permissions or something?

  • 15 mattXPO // Aug 27, 2011 at 11:09 am

    I don’t think it’s possible with a cartridge exploit since if I recall correctly, Slot-1 cards cannot access the NAND where the certs are stored. Of course I could be wrong but I recall someone saying that at least soldering is necessary to dump the required certs from the NAND.

    Then again, how many people are able to do this?

  • 16 yellows8 // Aug 27, 2011 at 9:49 pm

    Yeah, only DSiWareHax not gamecard hybrid exploits could access NAND. My dev.kp/syscerts dumper app is rather unreliable on Sudokuhax v1.0 for whatever reason,(works fine on v1.1) loaded fine when I tested it with v1.0 but v1.0 randomly fails to load it for other people somehow.(which is why I didn’t bother working on releasing that, can’t release an app which randomly fails to load.)

  • 17 sciencematthew // Aug 28, 2011 at 8:06 am

    THANK YOU SO MUCH!!!! I still have guitar rock tour!

  • 18 sciencematthew // Aug 28, 2011 at 9:17 am

    My favorite part of the guitar rock tour has is that you can still play the game!

  • 19 sciencematthew // Aug 28, 2011 at 10:34 am

    In some home-brews the power button won’t work, I have to take out the battery to fix, I am thinking of wiring a hard reset into the PCB.

  • 20 yellows8 // Aug 28, 2011 at 11:59 am

    You do _not_ ever need to take the battery out, just hold the power button down longer…..

    As for still playing GRT, don’t play anything which would overwrite the records for Guitar->Easy scores or Drums->Easy – be careful with still playing that, I’m not really sure if you can break the hax if you avoid the above or not.(Likewise with fieldrunners iirc, don’t play the first level since that’s where the hax string record is.)

    Once you have dsiwarehax, you can copy it from DSi to SD card if needed. Since that would be signed by your DSi you could re-import it whenever without 1.4.2+ stopping you.

  • 21 Downloaded to Log Book. // Aug 29, 2011 at 1:39 pm

    Nice one…

    Anyways, couldn’t we use a “Homebrewed” Wii to send exploits to the DS, the same way the Ninty channel can send demos to the DS…

    Just sayin’…

  • 22 yellows8 // Aug 29, 2011 at 8:18 pm

    DS-mode exploits are rather boring imo – to send an exploitable WMB bin from Wii you’d have to patch NinCh’s URLs in the dol to broadcast “demos” from another server.(And I’m not aware of any WMB second-stage loader binary exploits other than my own, which I’m not interested in releasing due to copyright issues.)

  • 23 Tux // Aug 30, 2011 at 4:36 am

    Very good work ! 😉

    Unfortunately for me, I don’t have any of these DSiWare :(

    Could you find another way to exploit, please ?

    Btw, I found a file called pit.bin (in /private/ds/app/somehexnumber/). It is created and checked when going to the “SD card” tab in the DSi camera app. It contains IMO the photos attributes, the calendar data, and some code (?) ( i think there is a checksum at word located at offset 0x14). Is it exploitable ?

    And why Nintendo hasn’t implemented a “Mailbox” feature in DSi ? :(

  • 24 yellows8 // Aug 30, 2011 at 10:00 am

    @Tux: http://dsibrew.org/wiki/Private/ds/app/484E94*/pit.bin

    Pit.bin isn’t exploitable afaik – haven’t found any exploitable crashes in any titles(including free ones) so far.(crashes in free titles were found but none of those are exploitable afaict)

  • 25 Tux // Aug 30, 2011 at 11:19 am

    @yellows8 : ah … Btw, it seems that the related “checksum fixer” produces invalid checksums :(

    Anyways, I suppose that the Data Management isn’t exploitable (like Bannerbomb for the Wii) either …

  • 26 yellows8 // Aug 30, 2011 at 11:26 am

    CRC != checksum. Never looked at that CRC calc code for the photo/camera title, so I’m not exactly sure what’s wrong with that.

    “Data Management isn’t exploitable ” Yeah, that’s not exploitable.

  • 27 Tux // Aug 30, 2011 at 11:46 am

    Something exploitable that has access to the NAND (especially certs), and that isn’t a DSiWare which requires to use DSi Shop : it seems that it doesn’t exist …

    @yellows8 : so, what are you going to do after DSiWare exploits ?

  • 28 yellows8 // Aug 30, 2011 at 12:05 pm

    “so, what are you going to do after DSiWare exploits ?” Same DSi stuff(since not much can be done with 3DS atm) that I’m already working on: Reverse engineering system software stuff, RE for supporting hw stuff, RE/working on stuff related to looking for free-title vulns sometimes, etc.

  • 29 Tux // Aug 30, 2011 at 12:17 pm

    Good luck :)

    Even if I can understand some (ARM/Thumb) assembler, I don’t know which register corresponds to each “variable” …

  • 30 mattXPO // Aug 30, 2011 at 3:22 pm

    Sorry for the off-topic question, but regarding the 3DS, is anyone from team twiizers currently working on getting an encryption key – perhaps via RAM sniffing?

  • 31 NotAWiiHacker // Aug 31, 2011 at 4:45 pm

    This is probably a bad idea, as it will most likely require a round trip ticket through hell to accomplish, but..
    What if you create a “DSi Shop Server” on your home network, download a DSiWare app that Dumps Certs or whatever and go from there?

    (Similar to the GameCube hack with the broadband adapter)

  • 32 yellows8 // Aug 31, 2011 at 5:34 pm

    @NotAWiiHacker: …No, google SSL.(And if by “DSiWare app” you mean a homebrew app installed to NAND, DSi .nds are RSA-signed…)

    @mattXPO: 3DS ramhax is *a lot* _harder_ than DSi ramhax, it will likely be a long while before anyone manages to do it.

  • 33 Tux // Sep 1, 2011 at 5:40 am

    @yellows8 : SSL security leaks exist, AFAIK … (perhaps they are fixed ?)

    If a fake Nintendo DSi server was available, I’ll make exploitable DSiWare available for 0 point, and prevent System Update

  • 34 yellows8 // Sep 1, 2011 at 7:58 am

    @Tux: Yeah I know, but the only SSL flaw that Nintendo servers/software had which I managed to find, is that EUR NZone SSL Auth Gap flaw.(which was fixed in only a few hours after the HTTP TRACE) http://dsibrew.org/wiki/Nintendo_Zone#Server_exploits (and that only happened because that server wasn’t updated to fix that at the time – all their other servers don’t have this flaw.)

    Also, many of those SSL attacks require you to get a server-cert signed by a root CA that the target SSL client trusts, which is impossible with Nintendo stuff since they have their own root CA.

  • 35 Tux // Sep 1, 2011 at 9:46 am

    So, that’s dead :(

    The only thing left is the System Menu and the base “channels” (Sound, Camera, launcher (?) )

    Can the username of the DSi be used to exploit ?

  • 36 yellows8 // Sep 1, 2011 at 11:23 am

    “Can the username of the DSi be used to exploit ?” Uh, that’s stored in NAND @ /shared1/TWLCFG0.dat, which you can’t write to without some prior exploit with nand-access or hw nand mmc-breakout. Doubt that data can be exploited.

  • 37 yellows8 // Sep 1, 2011 at 11:26 am

    “The only thing left is the System Menu and…” “launcher (?)” Launcher is sysmenu, “LAUNCHER” is the gametitle field in that title’s header @ offset 0x0.

  • 38 NotAWiiHacker // Sep 1, 2011 at 7:34 pm

    I’m also guessing that Browser Based attacks are dead?
    What all types of things have NAND Access? (Access which would have the Certs in a readable region)

    Do (Slot-1) Games ever get NAND access?

  • 39 yellows8 // Sep 1, 2011 at 8:09 pm

    “I’m also guessing that Browser Based attacks are dead?” Find a public opera exploit/PoC which crashes DSi then come back.
    All DSi-mode titles installed on NAND have sdmmc bus(nand/sdcard) access. Retail hybrid slot-1 games with sdmmc access don’t exist afaik.

  • 40 Tux // Sep 5, 2011 at 11:10 am

    In DSi Browser, when using Google directly (resarch tab), and staying some time at the results page, my DSi freezes. Is it normal ?

  • 41 yellows8 // Sep 5, 2011 at 11:18 am

    @Tux: Yeah I heard of DSi opera freezing/crashing while using Google, not exploitable of-course.

  • 42 CT_Bolt // Sep 12, 2011 at 12:31 am

    So I missed it again? Ahh, that sucks… anyone help me out here:
    My DSI XL is on 1.4U but… I didn’t get the game in time it would appear, when I go to the shop channel it wants me to update my system. Is there any way at all around this?

    Also I own an EZFlash Vi. (if that would help)

  • 43 pocket fish // Sep 14, 2011 at 1:16 pm

    A friendly request: could somebody post a y-tube video of the final Sudokuhax in action so other users can decide if it’s worth upgrading to? Thx!

  • 44 jsa005 // Sep 17, 2011 at 12:55 pm

    Would it be possible to modify (or extract -> inject) the TWCert (fool the DSi that your homebrew title is a genuine title like Flashlight (It’s useless anyway) by replacing the genuine code with homebrew code, leaving the TWCert, title, and icon intact? (For this I’d use a PC program and ONLY have the title to hack on the SD card!)
    Would that be possible?
    You could just insert the homebrew’s title, icon, and a dummy TWCert for the program to replace with the genuine app’s.
    1) Backup your SD card (on PC)
    2) Copy the title to hack to the SD card (on DSi)
    3) Launch the injector program (on PC)
    3a) Load genuine title
    3b) Load homebrew title
    3c) Extract title, icon, and TWCert from genuine title
    3d) Replace homebrew app’s title, icon, and dummy TWCert with genuine app’s
    3e) Replace genuine app file with homebrew
    4) Copy app from SD card (on DSi)
    5) Run app!

  • 45 yellows8 // Sep 18, 2011 at 1:28 pm

    @pocket fish: “other users” who can get the updated Sudokuhax since they’re on 1.4.1 should just update their Sudokuhax.(it’s significantly faster over the old version with loading the .nds)

  • 46 sciencematthew // Sep 28, 2011 at 6:33 pm


    A demo video of GRTPWN 1.1, and working Homebrew.

    @Yellow8 thanks for the hack works great, no problems with the hack!

  • 47 sciencematthew // Sep 28, 2011 at 6:49 pm

    Can you make a Homebrew app that enables you to download and back up the files needed to update the hack on 1.4.2+ for people who already have the hack, similar to SHSH blobs for iOS?

  • 48 yellows8 // Sep 28, 2011 at 7:25 pm

    @CT_Bolt: Nope.

    @jsa005: http://dsibrew.org/wiki/Tad The hashes signed by the APCert, which is signed by the NAND TWCert, are described there. The ECDSA signed hashes include the .srl/.nds game binary. Even if you had your dev.kp/TWCert you still can’t do that, the SRL/NDS is RSA-signed. http://dsibrew.org/wiki/NDS_Format

    @sciencematthew: I’m not really interested in improving my dev.kp/TWCert dumper for release currently, in the past *every* person that ever used it practically had trouble with it not working right. But it’s very rare when it fails for me, so it’s a pain to test for that.(IIRC several people had trouble with sdcard writing not working right but this was before that was implemented properly. There were a few other issues too.)
    I’m not really interested in releasing *only* a dev.kp dumper at this point.
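
The two independent signature checks described in comment 48, modelled as an added example that is not part of the original thread or of any HackMii code. The package layout, P-256, SHA-256, 2048-bit RSA and every name here are assumptions for illustration, not the real Tad or NDS formats; the point is that a container rebuilt with the device key still fails on the vendor RSA signature over the binary.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Package is a hypothetical, simplified exported title (not the real format).
type Package struct {
	Binary    []byte // game binary (.srl/.nds)
	VendorSig []byte // vendor RSA signature over Binary
	APPub     []byte // public key of the per-export AP key (DER)
	APCertSig []byte // device-key ECDSA signature over APPub
	HashSig   []byte // AP-key ECDSA signature over the hash of Binary
}

var (
	ErrChain  = errors.New("AP key is not signed by the device key")
	ErrHashes = errors.New("content hash is not signed by the AP key")
	ErrVendor = errors.New("binary is not signed by the vendor RSA key")
)

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func check(err error) {
	if err != nil {
		panic(err) // key generation or signing failed; nothing to demonstrate
	}
}

// Export wraps a binary as the console would: a fresh AP key signs the
// content hash, and the device key signs the AP key.
func Export(bin, vendorSig []byte, device *ecdsa.PrivateKey) *Package {
	ap, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	apPub, err := x509.MarshalPKIXPublicKey(&ap.PublicKey)
	check(err)
	certSig, err := ecdsa.SignASN1(rand.Reader, device, digest(apPub))
	check(err)
	hashSig, err := ecdsa.SignASN1(rand.Reader, ap, digest(bin))
	check(err)
	return &Package{bin, vendorSig, apPub, certSig, hashSig}
}

// Verify checks both trust anchors: the device chain and the vendor signature.
func Verify(p *Package, dev *ecdsa.PublicKey, vendor *rsa.PublicKey) error {
	if !ecdsa.VerifyASN1(dev, digest(p.APPub), p.APCertSig) {
		return ErrChain
	}
	k, _ := x509.ParsePKIXPublicKey(p.APPub)
	ap, ok := k.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(ap, digest(p.Binary), p.HashSig) {
		return ErrHashes
	}
	if rsa.VerifyPKCS1v15(vendor, crypto.SHA256, digest(p.Binary), p.VendorSig) != nil {
		return ErrVendor
	}
	return nil
}

// Demo verifies a genuine export, an in-place binary swap, and a swap that
// was re-exported with the device key (the case raised in the thread).
func Demo() [3]error {
	vendor, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	device, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	game, other := []byte("constructed genuine binary"), []byte("constructed other binary")
	sig, err := rsa.SignPKCS1v15(rand.Reader, vendor, crypto.SHA256, digest(game))
	check(err)
	dev, ven := &device.PublicKey, &vendor.PublicKey

	genuine := Export(game, sig, device)
	swapped := *genuine
	swapped.Binary = other // binary replaced, signatures left as they were
	resigned := Export(other, sig, device) // container rebuilt with the device key
	return [3]error{Verify(genuine, dev, ven), Verify(&swapped, dev, ven), Verify(resigned, dev, ven)}
}

func main() {
	fmt.Println(Demo())
}
```
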

  • 49 jsa005 // Oct 6, 2011 at 12:57 pm

    I don’t know that much about this stuff. Did you see what I was thinking though? – Rarely getting DSi Points and being worried about bricking my DSi are the 2 main factors stopping me. And I update my DSi when the shop tells me to. It’s a shame that we can’t get homebrew on 1.4.2+ DSi systems.
    If you could tell me if ANY apps on my DSi are hackable, here is the list:
    Note some are on my SD card, but I bought them all on the DSi Shop!
    MY DSi:
    TWL-001 (EUR)
    Asphalt 4: Elite Racing
    A Topsy Turvy Life: Turvy Drops
    A little bit of Dr. Mario
    A little bit of Magic Made Fun: Matchmaker
    Bejeweled Twist
    Dictionary 6 in 1
    Electroplankton: Nanocarp
    Flipnote Studio
    Mario Clock
    Mario Calculator
    Mario vs DK: Minis March Again
    MySims Camera
    Nintendo Countdown Calendar
    Nintendo 3DS Transfer Tool
    Nintendo DSi Browser
    Paper Plane
    Photo Dojo
    Photo Clock
    Sleep Clock
    Tetris Party Live
    Zelda: Four Swords Anniversary Edition

  • 50 yellows8 // Oct 6, 2011 at 1:21 pm

    jsa005: Sounds like you’re on 1.4.2+, so there’s no way for you to get DSiWareHax. “worried about bricking my DSi” DSiWareHax itself *can’t* brick your DSi, only apps writing to NAND or certain regions of NVRAM could.(and atm there’s *zero* homebrew apps that need to write to NAND)

  • 51 jrk190 // Oct 11, 2011 at 8:13 am

    According to an earlier post I read about a DS Download exploit, couldn’t an exploit be made on the 3DS so we could get a 3DS hbc?

  • 52 yellows8 // Oct 11, 2011 at 8:22 am

    @jrk190: (3)DS-mode dlplay is RSA-signed, *all* 3DS titles are RSA-signed as well…

  • 53 jrk190 // Oct 11, 2011 at 10:26 am

    Well, if a flashcard (such as Crown 3DS) is developed, could a homebrew application be run in 3DS Mode and allow us to inject a code or something into the RAM? Would a good way to find out be to use the method of disassembling the 3DS and hooking it up to a board? I am sorry if I sound like I know nothing at all. I have, though, been a member of GBAtemp and this blog for a while. I love reading it :)

  • 54 yellows8 // Oct 11, 2011 at 10:57 am

    That 3ds flashcard if it’s real at all would *only* run warez, do *not* mention it here. Ramhax is needed in order to really get anywhere with 3DS.

  • 55 dman2073 // Nov 23, 2011 at 10:42 am

    Any News?

  • 56 yellows8 // Nov 23, 2011 at 10:58 am

    I recently thoroughly reverse engineered the DSi sound title’s MPEG-4 code,(used for all the audio file formats it supports) and found nothing that could be controlled from the file and be exploited.
    Since Flipnote PPMs and those .lst files aren’t exploitable, that likely only leaves the photo/camera title now.(I haven’t found anything in that either)

  • 57 dman2073 // Nov 23, 2011 at 11:21 am

    thanks for the update; the anticipation is killing me

  • 58 dogger2001 // Nov 30, 2011 at 6:55 pm

    there should be a dsiware hack for asphalt 4 because everyone has it

  • 59 yellows8 // Nov 30, 2011 at 7:15 pm

    @dogger2001: DSiWareHax is *dead*…(prior to 1.4.2 when I was checking that save: it doesn’t have any strings, and I never bothered to try crashing it by overwriting the whole save)

    The only titles that can be targeted now are titles that directly access SD card.
    I gave up on opera since *every* public opera exploit/PoC which I tried either didn’t crash DSi opera, or the crash wasn’t exploitable.

  • 60 247a // Dec 23, 2011 at 5:48 am

    i have 3 theories on how maybe you could put in your code once more:
    1)download free app from dsi-store (okay not the best but stay with me) save to sd (after you have your ds certs) decrypt then do some check to an other dsi’s to find difference to find that dsi’s cert after a while you may be able to build an auto cracker (okay lot of hard work there)
    2)use opera (okay you said you’re giving up on it but what i was thinking was you trying to crack the software itself or use website code) make a page with javascript / php which can dump the memory to get the certs (but with it i have one question and that is does nintendo ever update the apps as i have never seen an update for them like it is on the wii as if not then have a look at the proper opera (pc) of the same version for vulns as it’s the same firm so then there may be something similar for the dsi)
    3)the final one would be sort of like a trojan for the camera/ recorder as you would put in the dsi loader in the picture/mp3 trojan so it installs when jpg/mp3 loaded
    p.s. sorry for bad spelling

  • 61 yellows8 // Dec 23, 2011 at 9:25 am

    1) The ECDSA pubk/privk are completely random. When we tested deleting dev.kp from NAND so the shop generates a new dev.kp, the only things that changed besides the dev.kp signature is the random pubk/privk and the random ticket consoleID.

    2) Dev.kp and any other keys are *never* left anywhere in memory when non-system titles are running.(system titles being launcher, settings, shop, 3ds systransfer)
    Can’t really dump memory at all without code exec in the first place… I already said this here somewhere before: *all* the public opera PoCs/exploits for the opera version DSi uses either did nothing, or weren’t exploitable. DSiWare does get updated, but it’s very rare.

    3) DSi doesn’t support MP3… Their MP4 code used for all the formats the sound title supports isn’t exploitable AFAICT. I haven’t managed to RE all their JPEG code but the code I already looked at is not exploitable.

  • 62 OpToCo // Dec 26, 2011 at 7:07 pm

    Nintendo Video normally receives video through Nintendo right? Well if you ever have jailbroken an iDevice you would have to save your SHSH blobs to Cydia by spoofing the DNS server. Now the 3DS has options to change DNS. You know what I am thinking. Possibly we spoof Nintendo Video’s downloads. To download a video/TIFF exploit. Now remember, Nintendo Video delivers 3D Video right? 3DS Mode, right there!

  • 63 yellows8 // Dec 27, 2011 at 11:19 pm

    @OpToCo: 3DS only supports JPG not TIFF… I doubt NVideo is exploitable, but you won’t know for sure without reverse engineering it.(which we can’t do yet) Also, if SpotPass content is RSA-signed, then you could only attack the extdata not the HTTP download.

  • 64 HurpDurp // Dec 28, 2011 at 9:47 pm

    So, I just updated my DSi that was on system menu 1.3u since the day I got it just a few minutes ago. I had an error occur during it and now I’m still on system menu 1.3 still… but I have access to the DSishop.

    Any idea what happened and/or has anyone else experienced this?

  • 65 yellows8 // Dec 28, 2011 at 9:57 pm

    @HurpDurp: Your DSi failed to download a title and aborted the update, already downloaded titles were installed already. If I remember right, the download+install order is: launcher/sysmenu, settings, shop, etc. Since the download failed before verdata was updated, you won’t see the updated version displayed in settings.
    Therefore, when you can access the shop,(regardless of what version is displayed in settings) you have the latest settings and launcher.

  • 66 Rodrigo Davy // Feb 5, 2012 at 2:40 pm

    I was just wondering… In the case of the 3ds, is it possible to make a hack using modified save file in a 3ds game cartridge? Some 3ds games use Streetpass/Spotpass content and I’m not sure but I think this content is stored in the sd card. In this case it would be possible to have 3ds mode with sd card access. There is a device called NDS adaptor plus that can extract/restore the save data inside the cartridge, so there is a way to do it and Nintendo wouldn’t make a firmware update to block a original game.

  • 67 yellows8 // Feb 5, 2012 at 3:44 pm

    Eventually modifying 3ds savegames stored on gamecard should be possible, but not atm. Yeah, SpotPass/StreetPass content is stored in extdata.
    “Nintendo wouldn’t make a firmware update to block a original game.” Erm, they could add code to check for savegame haxx and have that delete the save.(which wouldn’t block the “original game”)

  • 68 macweirdo // Feb 12, 2012 at 10:44 pm

    so is anything happening anymore in the wonderful world of hackmii?
    you’re probably still working on an exploit right?
    in any case, can you at least make a post about, say, wiring the RAM of the 3DS up to a debugger or something? the more people you can get working on something, the faster it’ll go, right?

    (also, I remember when this was the first blog I checked, ever, because of the cool technical stuff about the Wii; now there’s no new content :(

  • 69 MortalKombat // Apr 14, 2012 at 9:32 am

    hi someone from hackmii, well can a DSI crash from a game via flashcart to an exploit? well, i think i have found a crash in the 3ds on DSI mode in pokemon black, so when i get a cam or find my cellphone i will make a video, is there any contact to someone from here? (doesn’t matter, facebook, skype real/fake ones but i think i just crashed my 3ds on dsi mode

  • 70 MortalKombat // Apr 14, 2012 at 10:03 am

    sorry but when i saved the game the save corrected itself and the level 150 shiny snivy changed to level 6 shiny snivy and it won’t crash anymore :(

  • 71 MortalKombat // Apr 14, 2012 at 10:18 am

    oh dude! good news i made it crash again, sorry for keeping responding here…


  • 72 yellows8 // Apr 14, 2012 at 11:07 am

    MortalKombat: Gameplay crashes are not exploitable, only crashes caused by modified savegames etc. Hybrid DSi-mode games like that one don’t have access to the SD card bus either.

  • 73 jpedro9966 // May 29, 2012 at 6:31 am

    My DSi is a 1.4.3u version. But my brother has a 1.4.1u DSi, but it’s new, and the ‘Data Management’ menu is disabled. Is there a way to activate his ‘Data Management’? (And if possible, is there a way to create a program like WAD Manager for DSi, sounds cool if possible.)
    Hopes for all team.

  • 74 yellows8 // May 29, 2012 at 10:16 am

    Data management is only accessible when you accessed the DSi Shop at least once, which creates dev.kp. Since you can’t access the shop without updating, you can’t get DSiWareHax on that DSi.

  • 75 jpedro9966 // May 29, 2012 at 2:24 pm

    Before you stop making exploits forever for DSi, why don’t you do some reverse-engineering work on DSi? Like dumping the firmware, patching DSiWare, create a Homebrew Channel, NAND access, like has been made on Wii? Or maybe patch the Nintendo DSi Shop, to download new patches for the Sudokuhax, get everyone’s unique code to create new exploits. There are many things that could help users, not just running homebrew from SD, but hacking the DSi Menu completely.

  • 76 yellows8 // May 29, 2012 at 2:33 pm

    I already quit working on DSi entirely months ago.
    “dumping the firmware” …That was done ages ago. “patching DSiWare” Patch it for what? “create a Homebrew Channel” A DSi HBC is basically impossible, unless you somehow exploit bootloader. The bootloader/bootrom was never fully dumped in the first place. “patch the Nintendo DSi Shop…” Which is impossible without DSiWareHax on your system in the first place.

  • 77 jkammueller // May 31, 2012 at 12:06 pm

    Here’s an idea: How about a fake nintendo update server containing a back door to loading homebrew. The dsi could connect to the server and an updated firmware could be installed via nintendo updates. Would it work? Since the firmware has been dumped, you can figure out how it connects and do the process offline via wifi. What do you think?

  • 78 yellows8 // May 31, 2012 at 12:16 pm

    All titles are signed, that’s impossible. SSL is involved with system updates as well.

  • 79 jkammueller // May 31, 2012 at 10:08 pm

    could SSL be hosted on a local machine as well? This machine would be a system update host and contain a modified firmware.

  • 80 jkammueller // Jun 1, 2012 at 12:29 pm

    this modified firmware could then be sent via the system updates and we could then have any feature we want. we could even open some loopholes for homebrew code.

  • 81 yellows8 // Jun 1, 2012 at 12:37 pm

    jkammueller: Don’t you know what RSA-signed means? “All titles are signed, that’s impossible.”
    Also, DSi will only trust SSL server certs which were signed by Nintendo.

  • 82 KnightMario // Aug 15, 2012 at 7:54 am

    can you buy the app in latest version (dsiware app), copy to the sd card, take it out, format system memory, put sd in, run exploit?
    you would be on the first version of the dsi

  • 83 yellows8 // Aug 15, 2012 at 8:03 pm

    @KnightMario: The format system memory functionality in every Nintendo console only deletes all of your titles downloaded from the shop, and resets various user configuration. It does not touch system titles at all.

  • 84 KnightMario // Aug 16, 2012 at 7:11 am

    it says with no updates O.o
    have you tested it? (i bet you probably have and i sound like a [censored] right now, sorry if i do)

  • 85 yellows8 // Aug 16, 2012 at 8:10 am

    Other people tried doing a system format before, and as I said it doesn’t touch the system titles at all.

  • 86 anubis66679 // Aug 13, 2013 at 9:39 am

    Firmware dumping for 3ds/xl is relatively easy, but i was lucky and found a DSi XL that still has firmware Ver 1.4A. I was wondering if i could just as easily wire up a dsi xl in a similar way and Dump its firmware to my PC?

  • 87 anubis66679 // Aug 13, 2013 at 9:45 am

    (That’s the 1st part) If that’s possible can i inject one of the game exploits into that firmware with some special software and then flash it back to my DSi xl with the newly added exploit? I own a flash cart but a softmod sounds more interesting. I really want to try to find a way to transfer some exploit! Thanks in advance.