Notes from inside your Wii

HackMii header image 2

Final DSiWareHax

August 25th, 2011 by yellows8 · 87 Comments

The final DSiWareHax is now available, goto the exploitslist for the list of exploited DSiWare and the usage instructions for the exploits. The updated Sudokuhax is now available as well, the main change is faster boot.nds loading. You can only copy the new DSiWareHax to your DSi if you’re on 1.4.1 or below, and already have one of the exploited games, since 1.4.2+ blocks copying DSiWare exploits to your DSi “internal memory”. Likewise for obtaining the updated Sudokuhax, you must be on 1.4.1 and have the original Sudoku version.

The procedure for obtaining the new DSiWareHax and the updated Sudokuhax is identical to the original Sudokuhax, as described in the Sudokuhax post and the client software README. The client software was updated as well, updating to this version is required since the server doesn’t support client sw v1.0 anymore.

Hence the title and the 1.4.2 post, this is the last new DSiWareHax that will ever be released, since there’s no way to copy DSiWare exploits to DSi “internal memory” on 1.4.2+ without your system certs.

Tags: dsi

87 responses so far ↓

  • 1 jrk190 // Oct 11, 2011 at 8:13 am

    In according to an earlier post I read about a DS Download exploit, couldn’t an exploit be made on the 3DS so we could get a 3DS hbc?

  • 2 yellows8 // Oct 11, 2011 at 8:22 am

    @jrk190: (3)DS-mode dlplay is RSA-signed, *all* 3DS titles are RSA-signed as well…

  • 3 jrk190 // Oct 11, 2011 at 10:26 am

    Well, if a flashcard (such as Crown 3DS) is developed, could a homebrew application be run in 3DS Mode and allow us to inject a code or something into the RAM? Would good way to find out would to use the method of disassembling the 3DS and hooking it up to a board? I am sorry if I sound like I know nothing at all. I have though, been a member of GBAtemp and this blog for a while. I love reading it 🙂

  • 4 yellows8 // Oct 11, 2011 at 10:57 am

    That 3ds flashcard if it’s real at all would *only* run warez, do *not* mention it here. Ramhax is needed in order to really get anywhere with 3DS.

  • 5 dman2073 // Nov 23, 2011 at 10:42 am

    Any News?

  • 6 yellows8 // Nov 23, 2011 at 10:58 am

    I recently throughly reverse engineered the DSi sound title’s MPEG-4 code,(used for all the audio file formats it supports) and found nothing that could be controlled from the file and be exploited.
    Since Flipnote PPMs and those .lst files aren’t exploitable, that likely only leaves the photo/camera title now.(I haven’t found anything in that either)

  • 7 dman2073 // Nov 23, 2011 at 11:21 am

    thanks for the update; the anticipation is killing me

  • 8 dogger2001 // Nov 30, 2011 at 6:55 pm

    there should be a dsiware hack for asphalt 4 because everyone has it

  • 9 yellows8 // Nov 30, 2011 at 7:15 pm

    @dogger2001: DSiWareHax is *dead*…(prior to 1.4.2 when I was checking that save: it doesn’t have any strings, and I never bothered to try crashing it by overwriting the whole save)

    The only titles that can be targeted now is titles that directly access SD card.
    I gave up on opera since *every* public opera exploit/PoC which I tried either didn’t crash DSi opera, or the crash wasn’t exploitable.

  • 10 247a // Dec 23, 2011 at 5:48 am

    i have 3 theorys on how maybe you could put in your code once more:
    1)download free app from dsi-store (okay not the best but stay with me) save to sd (after you have you have your ds certs) decript then do some check to an other dsi’s to find differnce to find that dsi’s cert after a whil you may be able to build an auto cracker (okay lot of hard work there)
    2)use opra (okay you said your giving up on it but what i was thining was you trying to crack the software it’s self or use website code) make a page with javascript / php which can dump the memory to get the certs (but with it i have one question and that is dose nintendo ever updae the apps as i have never seen an update for them like it is on the wii as if not then have a look at the proper opera (pc) of the same version for vulms as it’s the same firm so then there may be something similer for the dsi)
    3)the final one would be sort of like a trogen for the camra/ recorder as you would put in the dsi loader in the picture/mp3 trogen so it insalls when jpg/mp3 loaded
    p.s. sorry for bad spelling

  • 11 yellows8 // Dec 23, 2011 at 9:25 am

    1) The ECDSA pubk/privk are completely random. When we tested deleting dev.kp from NAND so the shop generates a new dev.kp, the only things that changed besides the dev.kp signature is the random pubk/privk and the random ticket consoleID.

    2) Dev.kp and any other keys are *never* left anywhere in memory when non-system titles are running.(system titles being launcher, settings, shop, 3ds systransfer)
    Can’t really dump memory at all without code exec in the first place… I already said this here somewhere before: *all* the public opera PoCs/exploits for the opera version DSi uses either did nothing, or weren’t exploitable. DSiWare does get updated, but it’s very rare.

    3) DSi doesn’t support MP3… Their MP4 code used for all the formats the sound title supports isn’t exploitable AFAICT. I haven’t managed to RE all their JPEG code but the code I already looked at is not exploitable.

  • 12 OpToCo // Dec 26, 2011 at 7:07 pm

    Nintendo Video normally receives video through Nintendo right? Well if you ever have jailbroken an iDevice you would have to save your SHSH blobs to Cydia by spoofing the DNS server. Now the 3DS has options to change DNS. You know what I am thinking. Possibly we spoof Nintendo Video’s downloads. To download a video/TIFF exploit. Now remember, Nintendo Video delivers 3D Video right? 3DS Mode, right there!

  • 13 yellows8 // Dec 27, 2011 at 11:19 pm

    @OpToCo: 3DS only supports JPG not TIFF… I doubt NVideo is exploitable, but you won’t know for sure without reverse engineering it.(which we can’t do yet) Also, if SpotPass content is RSA-signed, then you could only attack the extdata not the HTTP download.

  • 14 HurpDurp // Dec 28, 2011 at 9:47 pm

    So, I just updated my DSi that was on system menu 1.3u since the day I got it just a few minutes ago. I had an error occur during it and now I’m still on system menu 1.3 still… but I have access to the DSishop.

    Any idea what happened and/or has anyone else experienced this?

  • 15 yellows8 // Dec 28, 2011 at 9:57 pm

    @HurpDurp: Your DSi failed to download a title and aborted the update, already downloaded titles were installed already. If I remember right, the download+install order is: launcher/sysmenu, settings, shop, etc. Since the download failed before verdata was updated, you won’t see the updated version displayed in settings.
    Therefore, when you can access the shop,(regardless of what version is displayed in settings) you have the latest settings and launcher.

  • 16 Rodrigo Davy // Feb 5, 2012 at 2:40 pm

    I was just wandering… In the case of the 3ds, is it possible to make a hack using modified save file in a 3ds game cartridge? Some 3ds games uses Streetpass/Spotpass content and I’m not sure but I think this content is stored in the sd card. In this case it would be possible to have 3ds mode with sd card access. There is a device called NDS adaptor plus that can extract/restore the save data inside the cartridge, so there is a way to do it and Nintendo wouldn’t make a firmware update to block a original game.

  • 17 yellows8 // Feb 5, 2012 at 3:44 pm

    Eventually modifying 3ds savegames stored on gamecard should be possible, but not atm. Yeah, SpotPass/StreetPass content is stored in extdata.
    “Nintendo wouldn’t make a firmware update to block a original game.” Erm, they could add code to check for savegame haxx and have that delete the save.(which wouldn’t block the “original game”)

  • 18 macweirdo // Feb 12, 2012 at 10:44 pm

    so is anything happening anymore in the wonderful world of hackmii?
    you’re probably still working on an exploit right?
    in any case, can you at least make a post about, say, wiring the RAM of the 3DS up to a debugger or something? the more people you can get working on something, the faster it’ll go, right?

    (also, I remember when this was the first blog I checked, ever, because of the cool technical stuff about the Wii; now there’s no new content 🙁

  • 19 MortalKombat // Apr 14, 2012 at 9:32 am

    hi someone from hackmii, well can a DSI crash from a game via flashcart to an exploit? well, i think i have found a crash in the 3ds on DSI mode in pokemon black, so when i get a cam or find my cellphone i will make a video, is there any contact to someone from here? (doesn’t matter, facebook, skype real/fake ones but i think i just crashed my 3ds on dsi mode

  • 20 MortalKombat // Apr 14, 2012 at 10:03 am

    sorry but when i saved the game the save corrected itself and the level 150 shiny snivy changed to level 6 shiny snivy and it won’t crash anymore 🙁

  • 21 MortalKombat // Apr 14, 2012 at 10:18 am

    oh dude! good news i made it crash again, sorry for keeping responding here…


  • 22 yellows8 // Apr 14, 2012 at 11:07 am

    MortalKombat: Gameplay crashes are not exploitable, only crashes caused by modified savegames etc. Hybrid DSi-mode games like that one don’t have access to the SD card bus either.

  • 23 jpedro9966 // May 29, 2012 at 6:31 am

    My DSi is a 1.4.3u version. But my brother has a 1.4.1u DSi, but it’s new, and the ‘Data Management’ menu is disabled. There is a way to activate his ‘Data Management’? (And if possible, there is a way to create a program like WAD Manager for DSi, sounds cool if possible.)
    Hopes for all team.

  • 24 yellows8 // May 29, 2012 at 10:16 am

    Data management is only accessible when you accessed the DSi Shop at least once, which creates dev.kp. Since you can’t access the shop without updating, you can’t get DSiWareHax on that DSi.

  • 25 jpedro9966 // May 29, 2012 at 2:24 pm

    Before you stop making exploits forever for DSi, why you don’t make some reverse-engineering work on DSi? Like dumping the firmware, patching DSiWare, create a Homebrew Channel, NAND access, like has been made on Wii? Or maybe patch the Nintendo DSi Shop, to download new patches for the Sudokuhax, get everyone’s unique code to create new exploits. There’s much things that could help users, not just running homebrew from SD, but hacking the DSi Menu completely.

  • 26 yellows8 // May 29, 2012 at 2:33 pm

    I already quit working on DSi entirely months ago.
    “dumping the firmware” …That was done ages ago. “patching DSiWare” Patch it for what? “create a Homebrew Channel” A DSi HBC is basically impossible, unless you somehow exploit bootloader. The bootloader/bootrom was never fully dumped in the first place. “patch the Nintendo DSi Shop…” Which is impossible without DSiWareHax on your system in the first place.

  • 27 jkammueller // May 31, 2012 at 12:06 pm

    Here’s an idea: How about a fake nintendo update server containing a back door to loading homebrew. The dsi could connect to the server and an updated firmware could be installed via nintendo updates. Would it work? Since the firmware has been dumped, you can figure out how it connects and do the process offline wia wifi. What do you think?

  • 28 yellows8 // May 31, 2012 at 12:16 pm

    All titles are signed, that’s impossible. SSL is involved with system updates as well.

  • 29 jkammueller // May 31, 2012 at 10:08 pm

    could SSL be hosted on a local machine as well? This machine would be a system update host and contain a modified firmware.

  • 30 jkammueller // Jun 1, 2012 at 12:29 pm

    this modified firmware could then be sent via the system updates and we could then have any feature we want. we could even open some loopholes for homebrew code.

  • 31 yellows8 // Jun 1, 2012 at 12:37 pm

    jkammueller: Don’t you know what RSA-signed means? “All titles are signed, that’s impossible.”
    Also, DSi will only trust SSL server certs which were signed by Nintendo.

  • 32 KnightMario // Aug 15, 2012 at 7:54 am

    can you buy the app in latest version (dsiware app), copy to the sd card, take it out, format system memory, put sd in, run exploit?
    you would be on the first version of the dsi

  • 33 yellows8 // Aug 15, 2012 at 8:03 pm

    @KnightMario: The format system memory functionality in every Nintendo console only deletes all of your titles downloaded from the shop, and resets various user configuration. It does not touch system titles at all.

  • 34 KnightMario // Aug 16, 2012 at 7:11 am

    it says with no updates O.o
    have you tested it? (i bet you probably have and i sound like a [censored] right now, sorry if i do)

  • 35 yellows8 // Aug 16, 2012 at 8:10 am

    Other people tried doing a system format before, and as I said it doesn’t touch the system titles at all.

  • 36 anubis66679 // Aug 13, 2013 at 9:39 am

    Firmware dumping for 3ds/xl is relatively easy, but i was lucky and found a DSi XL that still has firmware Ver 1.4A. I was wondering if i could just as easily wire up up a dsi xl in a similar way and Dump it’s firmware to my PC?

  • 37 anubis66679 // Aug 13, 2013 at 9:45 am

    (That’s the 1st part) If that’s possible can i inject one of the game exploits into that firmware with some special software and then flash it back to my DSi xl with the newly added exploit? I own a flash cart but a softmod sounds more interesting. I really want to try find a way to transfer some exploit! Thanks in advance.

You must log in to post a comment.