https://dsibrew.org/w/api.php?action=feedcontributions&user=Yellows8&feedformat=atomDSiBrew - User contributions [en]2024-03-29T13:05:15ZUser contributionsMediaWiki 1.35.8https://dsibrew.org/w/index.php?title=DSiBrew:News&diff=2099893DSiBrew:News2023-08-27T19:29:46Z<p>Yellows8: /* News */</p>
<hr />
<div><noinclude><br />
==Adding an item==<br />
* Log in to the wiki. Editing is disabled if you don't have an account.<br />
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.<br />
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''<br />
<br />
==Archives==<br />
For older news, see the [[DSiBrew:News/Archive|news archive]].<br />
<br />
=== News ===<br />
<!-- Add news below --></noinclude><br />
*'''18 Apr 23''' [https://devkitpro.org/ devkitPro] has announced [https://devkitpro.org/viewtopic.php?f=13&t=9450#p17439 devkitARM release 60]<br />
*'''10 Jan 23''' Nathan Farlow has released [https://github.com/nathanfarlow/stylehax stylehax], a new browserexploit<br />
*'''2 Feb 22''' [https://devkitpro.org devkitPro] have announced [https://devkitpro.org/viewtopic.php?f=13&t=9308#p17221 devkitARM release 57]<br />
*'''11 Mar 21''' The full [https://gbatemp.net/threads/dsi-the-full-arm7-bootrom-has-been-dumped.584700/ DSi ARM7 BootROM] has been dumped</div>Yellows8https://dsibrew.org/w/index.php?title=Main_Page/Navigation&diff=2099688Main Page/Navigation2022-12-19T20:06:54Z<p>Yellows8: </p>
<hr />
<div>{{Main page box|Navigation|Main Page/Navigation}}<br />
<div style="margin: -.3em -1em -1em -1em;"><br />
{| width="100%" bgcolor="#fff" border="0" cellpadding="2px" cellspacing="2px" style="margin:auto;"<br />
|- align="center" bgcolor="#e7eef6"<br />
! width="33%" | '''General'''<br />
! width="34%" | '''DSi hardware'''<br />
! width="33%" | '''DSi software'''<br />
|- valign="top" style="background: #F5FAFF;"<br />
| <br />
*[[DSiBrew:Contests|Contests]]<br />
*[[DSi exploits]]<br />
*[[DSi system flaws]]<br />
*[[Glossary]]<br />
*[[FAQ]]<br />
|<br />
*[[Hardware|DSi Hardware]]<br />
*[[Card hardware]]<br />
*[[Cameras]]<br />
| <br />
*[[Nintendo Software]]<br />
*[[NDS Format]]<br />
*[[Title list]]<br />
*[[Title metadata]]<br />
*[[SD Filesystem]]<br />
*[[Flash Filesystem]]<br />
*[[Bootloader]]<br />
*[[Exporting Apps]]<br />
*[[ES block encryption]]<br />
*[[PXI]]<br />
|}<br />
</div><br />
{{box-footer-empty}}</div>Yellows8https://dsibrew.org/w/index.php?title=Homebrew_Menu&diff=2099687Homebrew Menu2022-12-19T19:49:33Z<p>Yellows8: </p>
<hr />
<div>{{Infobox homebrew<br />
| author = devkitPro team<br />
| type = loader<br />
| source = https://github.com/devkitPro/nds-hb-menu<br />
| download = https://github.com/devkitPro/nds-hb-menu/releases/tag/v0.7.1<br />
}}<br />
The '''Homebrew Menu''' ('''hbmenu''') is a text-based user interface that can be used to load homebrew. See [[DSi_exploits]] for methods of launching this.<br />
<br />
NDS homebrew apps should be placed in <code>SD:/nds</code>.</div>Yellows8https://dsibrew.org/w/index.php?title=List_of_DSi_Exploits&diff=2099686List of DSi Exploits2022-12-19T19:46:04Z<p>Yellows8: redirect</p>
<hr />
<div>#REDIRECT [[DSi_exploits]]</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_system_flaws&diff=2099682DSi system flaws2022-12-19T19:05:53Z<p>Yellows8: /* Hardware */</p>
<hr />
<div>= Hardware =<br />
Flaws in this category pertain to the underlying hardware that powers the DSi. This includes [[Stage1]], [[AES_Engine]], etc.<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| [[AES_Engine]] allows partial key overwrite<br />
| After using the key generator to generate the normal-key, you could overwrite parts of the normal-key with your own data and then recover the key-generator output by comparing the new crypto output with the original crypto output. From the normal-key outputs, you could deduce the key-generator function.<br />
This applies to the keyX/keyY too.<br />
<br />
The 3DS TWL AES engine is also [https://www.3dbrew.org/wiki/3DS_System_Flaws affected].<br />
| <br />
| <br />
| 2011<br />
| <br />
| {{User|Yellows8}}<br />
|-<br />
| Undefined instruction/abort exception handler backed by RAM not cleared on reset<br />
| Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by [[stage2]].<br />
| <br />
| <br />
| June 2016<br />
| <br />
| {{User|Nocash}}, Normmatt, dark_samus, ApacheThunder (first successful exploit: {{User|PoroCYon}}, March 2021)<br />
|-<br />
| ARM7 ROM controls lockout of both boot ROMs<br />
| After the execution of both boot ROMs, and right before jumping to stage2, the ARM7 locks out both boot ROMs using the SCFG registers, while the ARM9 waits for this lockout (as a synchronization mechanism). By using the above exploit to take control of the ARM7, it is possible to, in the exploit payload, mimic the ARM7 ROM execution such that it performs all the loading steps, but "forgets" to lock out the ROMs. By then injecting <i>another</i> glitch, it is possible to break the ARM9 out of the waiting loop, booting the system into the System Menu (or Unlaunch) with both boot ROMs still enabled, allowing one to dump the ARM9 boot ROM.<br />
| <br />
| <br />
| 2021-2022<br />
| <br />
| Theorized to be possible by {{User|PoroCYon}} in 2021, first successful exploit by stuckpixel and Normmatt early November 2022, then exploited successfully two weeks later again by {{User|PoroCYon}}.<br />
|-<br />
| [[Stage2]] binary load region not validated<br />
| [[Stage1]] doesn't validate the the load address/size for [[Stage2]] binaries. If all RSA / hash checks pass and the binary were located in memory used by [[Stage1]], this would allow running code under the context of [[Stage1]]. This is currently useless due to RSA however.<br />
This is somewhat similar to [https://www.3dbrew.org/wiki/3DS_System_Flaws 3DS] bootROM issues, however 3DS does attempt validation at least.<br />
| <br />
| <br />
| 2022<br />
| December 19, 2022<br />
| {{User|Yellows8}}<br />
|}<br />
<br />
= Software =<br />
== Stage2 ==<br />
Flaws in this category pertain to [[Stage2]]. There is no known updated version of Stage2 post-launch.<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with system version<br />
! Newest system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Poor [[System Menu]] [[TMD]] size check<br />
| [[Stage2]] loads the System Menu's TMD for verification and loading, and it attempts to check the size. However, instead of checking if <code>size > capacity</code>, it checks if <code>size > size</code>, which is always false, resulting in a buffer overflow.<br />
| None<br />
| <br />
| August 2017<br />
| <br />
| {{User|Nocash}}<br />
|}<br />
<br />
== System Menu ==<br />
Flaws in this category pertain to [[System Menu]].<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with system version<br />
! Newest system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| DS games are not patched to verify overlays<br />
| While the System Menu checks all cartridge overlays to prevent unauthorized software, no such check exists when the overlays are actually loaded, despite an [https://wiibrew.org/wiki/MIOS MIOS]-like patcher being possible to implement. By changing the overlay after it is checked, it is possible to run arbitrary code.<br />
| <br />
| <br />
| January 2010<br />
| <br />
| Datel, and {{User|blasty}} by reverse engineering Datel's [[Action Replay]]<br />
|}<br />
<br />
== Applications ==<br />
Flaws in this category pertain to applications launched by [[System Menu]]. See also [[DSi_exploits]].</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_system_flaws&diff=2099681DSi system flaws2022-12-19T18:44:24Z<p>Yellows8: Import an issue from 3dbrew.</p>
<hr />
<div>= Hardware =<br />
Flaws in this category pertain to the underlying hardware that powers the DSi. This includes [[Stage1]], [[AES_Engine]], etc.<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| [[AES_Engine]] allows partial key overwrite<br />
| After using the key generator to generate the normal-key, you could overwrite parts of the normal-key with your own data and then recover the key-generator output by comparing the new crypto output with the original crypto output. From the normal-key outputs, you could deduce the key-generator function.<br />
This applies to the keyX/keyY too.<br />
<br />
The 3DS TWL AES engine is also [https://www.3dbrew.org/wiki/3DS_System_Flaws affected].<br />
| <br />
| <br />
| 2011<br />
| <br />
| {{User|Yellows8}}<br />
|-<br />
| Undefined instruction/abort exception handler backed by RAM not cleared on reset<br />
| Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by [[stage2]].<br />
| <br />
| <br />
| June 2016<br />
| <br />
| {{User|Nocash}}, Normmatt, dark_samus, ApacheThunder (first successful exploit: {{User|PoroCYon}}, March 2021)<br />
|-<br />
| ARM7 ROM controls lockout of both boot ROMs<br />
| After the execution of both boot ROMs, and right before jumping to stage2, the ARM7 locks out both boot ROMs using the SCFG registers, while the ARM9 waits for this lockout (as a synchronization mechanism). By using the above exploit to take control of the ARM7, it is possible to, in the exploit payload, mimic the ARM7 ROM execution such that it performs all the loading steps, but "forgets" to lock out the ROMs. By then injecting <i>another</i> glitch, it is possible to break the ARM9 out of the waiting loop, booting the system into the System Menu (or Unlaunch) with both boot ROMs still enabled, allowing one to dump the ARM9 boot ROM.<br />
| <br />
| <br />
| 2021-2022<br />
| <br />
| Theorized to be possible by {{User|PoroCYon}} in 2021, first successful exploit by stuckpixel and Normmatt early November 2022, then exploited successfully two weeks later again by {{User|PoroCYon}}.<br />
|}<br />
<br />
= Software =<br />
== Stage2 ==<br />
Flaws in this category pertain to [[Stage2]]. There is no known updated version of Stage2 post-launch.<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with system version<br />
! Newest system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Poor [[System Menu]] [[TMD]] size check<br />
| [[Stage2]] loads the System Menu's TMD for verification and loading, and it attempts to check the size. However, instead of checking if <code>size > capacity</code>, it checks if <code>size > size</code>, which is always false, resulting in a buffer overflow.<br />
| None<br />
| <br />
| August 2017<br />
| <br />
| {{User|Nocash}}<br />
|}<br />
<br />
== System Menu ==<br />
Flaws in this category pertain to [[System Menu]].<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with system version<br />
! Newest system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| DS games are not patched to verify overlays<br />
| While the System Menu checks all cartridge overlays to prevent unauthorized software, no such check exists when the overlays are actually loaded, despite an [https://wiibrew.org/wiki/MIOS MIOS]-like patcher being possible to implement. By changing the overlay after it is checked, it is possible to run arbitrary code.<br />
| <br />
| <br />
| January 2010<br />
| <br />
| Datel, and {{User|blasty}} by reverse engineering Datel's [[Action Replay]]<br />
|}<br />
<br />
== Applications ==<br />
Flaws in this category pertain to applications launched by [[System Menu]]. See also [[DSi_exploits]].</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_system_flaws&diff=2099680DSi system flaws2022-12-19T18:34:08Z<p>Yellows8: Use wiki tables.</p>
<hr />
<div>= Hardware =<br />
Flaws in this category pertain to the underlying hardware that powers the DSi. This includes [[Stage1]], [[AES_Engine]], etc.<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Undefined instruction/abort exception handler backed by RAM not cleared on reset<br />
| Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by [[stage2]].<br />
| <br />
| <br />
| June 2016<br />
| <br />
| {{User|Nocash}}, Normmatt, dark_samus, ApacheThunder (first successful exploit: {{User|PoroCYon}}, March 2021)<br />
|-<br />
| ARM7 ROM controls lockout of both boot ROMs<br />
| After the execution of both boot ROMs, and right before jumping to stage2, the ARM7 locks out both boot ROMs using the SCFG registers, while the ARM9 waits for this lockout (as a synchronization mechanism). By using the above exploit to take control of the ARM7, it is possible to, in the exploit payload, mimic the ARM7 ROM execution such that it performs all the loading steps, but "forgets" to lock out the ROMs. By then injecting <i>another</i> glitch, it is possible to break the ARM9 out of the waiting loop, booting the system into the System Menu (or Unlaunch) with both boot ROMs still enabled, allowing one to dump the ARM9 boot ROM.<br />
| <br />
| <br />
| 2021-2022<br />
| <br />
| Theorized to be possible by {{User|PoroCYon}} in 2021, first successful exploit by stuckpixel and Normmatt early November 2022, then exploited successfully two weeks later again by {{User|PoroCYon}}.<br />
|}<br />
<br />
= Software =<br />
== Stage2 ==<br />
Flaws in this category pertain to [[Stage2]]. There is no known updated version of Stage2 post-launch.<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with system version<br />
! Newest system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Poor [[System Menu]] [[TMD]] size check<br />
| [[Stage2]] loads the System Menu's TMD for verification and loading, and it attempts to check the size. However, instead of checking if <code>size > capacity</code>, it checks if <code>size > size</code>, which is always false, resulting in a buffer overflow.<br />
| None<br />
| <br />
| August 2017<br />
| <br />
| {{User|Nocash}}<br />
|}<br />
<br />
== System Menu ==<br />
Flaws in this category pertain to [[System Menu]].<br />
<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with system version<br />
! Newest system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| DS games are not patched to verify overlays<br />
| While the System Menu checks all cartridge overlays to prevent unauthorized software, no such check exists when the overlays are actually loaded, despite an [https://wiibrew.org/wiki/MIOS MIOS]-like patcher being possible to implement. By changing the overlay after it is checked, it is possible to run arbitrary code.<br />
| <br />
| <br />
| January 2010<br />
| <br />
| Datel, and {{User|blasty}} by reverse engineering Datel's [[Action Replay]]<br />
|}<br />
<br />
== Applications ==<br />
Flaws in this category pertain to applications launched by [[System Menu]]. See also [[DSi_exploits]].</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2099679Stage22022-12-19T17:40:31Z<p>Yellows8: </p>
<hr />
<div>[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (32 kilobytes per core), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning (that warning is displayed by the sysmenu).<br />
<br />
The [[stage1|first stage bootloader]] reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
There's two header sectors [[NAND|following]] this, however stage1 ignores these.<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved (zerofilled)<br />
|-<br />
| 0x20<br />
| 0x4<br />
| ARM9 Bootcode, eMMC Source Offset<br />
|-<br />
| 0x24<br />
| 0x4<br />
| ARM9 Bootcode, Size "Actual decompressed binary size"<br />
|-<br />
| 0x28<br />
| 0x4<br />
| ARM9 Bootcode, RAM Destination Address and Entrypoint<br />
|-<br />
| 0x2C<br />
| 0x4<br />
| ARM9 Bootcode, Size (compressed, if compression is used) rounded up to multiple of 0x200<br />
|-<br />
| 0x30<br />
| 0x4<br />
| ARM7 Bootcode, eMMC Source Offset<br />
|-<br />
| 0x34<br />
| 0x4<br />
| ARM7 Bootcode, Size "Actual decompressed binary size"<br />
|-<br />
| 0x38<br />
| 0x4<br />
| ARM7 Bootcode, RAM Destination Address and Entrypoint<br />
|-<br />
| 0x3C<br />
| 0x4<br />
| ARM7 Bootcode, Size (compressed, if compression is used) rounded up to multiple of 0x200<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved (zerofilled)<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Option flags (see below). Mostly used for NAND and NVRAM boots, only a single bit is checked for game cartridge boots! Typically 0x0C for NAND boots. NVRAM sets this to 0x80 to signal a NAND boot.<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 Data Block<br />
|-<br />
| 0x180<br />
| 0x14<br />
| Global MBK1..MBK5 Slot Settings<br />
|-<br />
| 0x194<br />
| 0xC<br />
| Local MBK6..MBK8 Settings for ARM9 Side<br />
|-<br />
| 0x1A0<br />
| 0xC<br />
| Local MBK6..MBK8 Settings for ARM7 Side<br />
|-<br />
| 0x1AC<br />
| 0x4<br />
| Global MBK9 Slot Master Setting<br />
|-<br />
| 0x1B0<br />
| 0x50<br />
| Reserved (zerofilled)<br />
|}<br />
<br />
Note that the above format roughly resembles the [[DSi Cartridge Header]] (entries 0x20-0x3F are roughly similar, and entries 0x180-0x1AF appear to be same as in cart header).<br />
<br />
The option byte at +0xff has the following flags:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Bit<br />
! Mask<br />
! Description<br />
|-<br />
| 0<br />
| 0x01<br />
| Use LZ77 decompression for the ARM9 binary (game cartridge boots ignore this flag and always treat binaries as uncompressed)<br />
|-<br />
| 1<br />
| 0x02<br />
| Use LZ77 decompression for the ARM7 binary (game cartridge boots ignore this flag and always treat binaries as uncompressed)<br />
|-<br />
| 2<br />
| 0x04<br />
| Run the ARM9 at 133 MHz when performing RSA verification and SHA1 hash calculation (it starts out at 66 MHz). This is the only flag checked during a game cartridge boot.<br />
|-<br />
| 3<br />
| 0x08<br />
| Use the IPC FIFO to send compressed payloads to the ARM9, and have the ARM9 decompress them. If not selected, the ARM7 will decompress the payload, then map it to the ARM9 using the MBK registers. Has no effect for uncompressed payloads (and thus game cartridge boots).<br />
|-<br />
| 4<br />
| 0x10<br />
| Unknown, doesn't seem to be used. Always 0.<br />
|-<br />
| 5<br />
| 0x20<br />
| Unknown, doesn't seem to be used. Always 0.<br />
|-<br />
| 6<br />
| 0x40<br />
| When booting from NVRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.<br />
|-<br />
| 7<br />
| 0x80<br />
| Boot medium selection flag: if 1, boot from NAND. If 0, boot from NVRAM. Not applicable for game cartridge boots (which use a magic key combination).<br />
|}<br />
<br />
The RSA public keys (the one for 3DS and the other one for DSi) for the below signature _for NAND boots_ can be obtained from 3DS TWL_FIRM Process9 (this is required for getting the binaries' keyY). It is also found in the DSi's ARM9 boot ROM, but this is never copied to some place outside the boot ROM. (The bootroms copy _some_ keys to WRAM/ITCM, but not this one.) Public keys for NVRAM and game cartridge boots are only available from the DSi ARM9 boot ROM, and all differ from the NAND RSA public key.<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash, calculated over the first 0x28-bytes of [[NVRAM]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). The bootloader contained in TWL_FIRM uses the first 0x28-bytes from NAND. For non-NAND boot mediums, this hash is calculated the same except there's no 0x28-byte block.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero. Copied to 0x01FFC880 by ARM9 [[Stage1]].<br />
|-<br />
| 0x60<br />
| 0x14<br />
| SHA1 of all previous fields in the RSA message, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).<br />
|}<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified (see [[stage1]]).<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] with mode AES-CTR to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the above binary size aligned to 0x200-bytes:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblk->binblocksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
ctr[3] = AES block offset (starts at 0)<br />
<br />
=== Stage2 operations ===<br />
<br />
After Stage 2 is loaded:<br />
# Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized.<br />
# The status registers of the BPTWL are read to check whether this is a warmboot. The powerbutton action of the BPTWL is reset as well.<br />
# The NAND flash is partially re-initialized<br />
# Various hardware components, such as the touchscreen/sound controller, Wifi chip, etc. are initialized. (Cameras aren't initialized, though.)<br />
# Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata is in FAT16 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 2-2435-8325" || Invalid Firmware<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Talk:System_Menu&diff=2099020Talk:System Menu2020-01-13T16:58:55Z<p>Yellows8: /* Possible mistake regarding lauch dates on SW 1.4.1 */</p>
<hr />
<div>Does it use anything similiar to IOS? (--ChuckBartowski)<br />
:No. It has some pieces of IOS (parts of ES) compiled into it, though. -- [[User:Bushing|Bushing]] 02:40, 12 September 2009 (UTC)<br />
<br />
== Technically accurate way of describing versions ==<br />
<br />
This page is not correctly describing the versions of the system software components. The user-visible version number (e.g. 1.4) is contained in one title -- HNL_ aka "verdata" -- which is just a bundle with some bits of random data (certs and such). When Nintendo announces that they have updated the "System Menu", they really mean that they have changed that version number as well as one or more other system components, which may not actually include the System Menu itself.<br />
<br />
For example, the only changes between "System Menu 1.3" and "System Menu 1.4" were new versions of HNDA (dlplay), HNHA (whitelist), HNKE (DS Sound), HNIE (photo channel). Neither HNAE (System Menu) nor HNFE (Settings menu) were updated. --[[User:Bushing|Bushing]] 02:53, 12 September 2009 (UTC)<br />
<br />
== Possible mistake regarding lauch dates on SW 1.4.1 ==<br />
<br />
Basically the system.log on my DSi states the following<br />
<br />
Days of board initialization/setup from 29 of july of 2010 to 30 of july of 2010, installed software version 1.4.1, according to this wiki that version was released on September of that year, i mean 2 months after these dates... did they had access to software versions before being publicly released? is there a way to see the build date/release date of different software versions?<br />
<br />
I don't want to change the wiki info before asking to see if there's a reason to this contradiction tbh<br />
<br />
Release-dates here are for the CDN release, nothing more (see [https://en-americas-support.nintendo.com/app/answers/detail/a_id/4514 here], or [https://yls8.mtheall.com/ninupdates/reports.php ninupdates] for newer sysupdates). "is there a way ..." [[Version_Data]] perhaps, would have to check that for 1.4.1 yourself though. [[User:Yellows8|Yellows8]] ([[User talk:Yellows8|talk]])</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2098795Stage22015-04-21T04:11:50Z<p>Yellows8: /* Stage 2 */</p>
<hr />
<div>== Stage 1 ==<br />
<br />
[[Image:boot-stage1-error.jpeg|frame|When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.]]<br />
<br />
The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted+signed stages from [[NAND]] flash, starting with a plaintext offset table in the sector at offset 0x200.<br />
<br />
Not much is known about this bootloader yet, but it presumably knows how to:<br />
# Initialize the encryption hardware<br />
# Read the contents of [[NVRAM]]<br />
# Initialize both LCDs<br />
# Read blocks (but not files) from the [[NAND]] flash<br />
# Perform some variety of integrity check on all data it reads (signature, CRC, ?)<br />
# Display basic hexadecimal error codes<br />
# Possibly factory-programming the [[NAND]] flash?<br />
# Might also do basic power-on self test of peripherals <br />
<br />
Known error codes:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Error Code !! Description<br />
|-<br />
| 0000FE00 || Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)<br />
|-<br />
| 0000FEFC || Integrity error in first block of Stage 2 (address at 0x220)<br />
|-<br />
| 0000FEFD || Integrity error in second block of Stage 2 (address at 0x230)<br />
|-<br />
| 0000FEFE || Boot sector integrity error (Sector 0x200 not valid), or error in [[NVRAM]] contents.<br />
|}<br />
<br />
== Stage 2 ==<br />
<br />
[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (probably several kilobytes), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning(that warning is displayed by the sysmenu).<br />
<br />
The first stage bootloader reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved (zerofilled)<br />
|-<br />
| 0x20<br />
| 0x4<br />
| ARM9 Bootcode, eMMC Source Offset<br />
|-<br />
| 0x24<br />
| 0x4<br />
| ARM9 Bootcode, Size "Actual binary size"<br />
|-<br />
| 0x28<br />
| 0x4<br />
| ARM9 Bootcode, RAM Destination Address and Entrypoint<br />
|-<br />
| 0x2C<br />
| 0x4<br />
| ARM9 Bootcode, Size rounded up to multiple of 0x200<br />
|-<br />
| 0x30<br />
| 0x4<br />
| ARM7 Bootcode, eMMC Source Offset<br />
|-<br />
| 0x34<br />
| 0x4<br />
| ARM7 Bootcode, Size "Actual binary size"<br />
|-<br />
| 0x38<br />
| 0x4<br />
| ARM7 Bootcode, RAM Destination Address and Entrypoint<br />
|-<br />
| 0x3C<br />
| 0x4<br />
| ARM7 Bootcode, Size rounded up to multiple of 0x200<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved (zerofilled)<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Unknown, value 0xFF? (actually, this is appears to be always 0Ch, not FFh?)<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 Data Block<br />
|-<br />
| 0x180<br />
| 0x14<br />
| Global MBK1..MBK5 Slot Settings<br />
|-<br />
| 0x194<br />
| 0xC<br />
| Local MBK6..MBK8 Settings for ARM9 Side<br />
|-<br />
| 0x1A0<br />
| 0xC<br />
| Local MBK6..MBK8 Settings for ARM7 Side<br />
|-<br />
| 0x1AC<br />
| 0x4<br />
| Global MBK9 Slot Master Setting<br />
|-<br />
| 0x1B0<br />
| 0x50<br />
| Reserved (zerofilled)<br />
|}<br />
<br />
Note that the above format resembles the [[DSi Cartridge Header]] (entries 0x20-0x3F are roughly similar, and entries 0x180-0x1AF appear to be same as in cart header).<br />
<br />
The RSA pubks(the one for 3DS and the other one for DSi) for the below signature can be obtained from 3DS TWL_FIRM Process9(this is required for getting the binaries' keyY). It's unknown(?) if the DSi bootrom(s) copy this modulo to anywhere outside of bootrom.<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash. Going by 3DS TWL_FIRM this seems to calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header(following the signature). This works with the bootloader contained in TWL_FIRM, however it's unknown how the first part is handled on DSi.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero.<br />
|-<br />
| 0x60<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|}<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified.<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] with mode AES-CTR to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the above binary size aligned to 0x200-bytes:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblk->binblocksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
<br />
=== Stage2 operations ===<br />
After Stage 2 is loaded:<br />
# The NAND flash is partially re-initialized<br />
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata is in FAT16 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Talk:Stage2&diff=2098792Talk:Stage22015-04-18T18:34:47Z<p>Yellows8: /* RSA and Bootsector decryption? */</p>
<hr />
<div>== RSA and Bootsector decryption? ==<br />
<br />
Where is that RSA info from? Is it possible to decrypt the RSA block on DSi, or on 3DS, or both?<br />
Any hints how to do that? Are DSi and 3DS using the same RSA key?<br />
<br />
The notice about keyX being same as for "Tad" sounds good... until one figures out that the "srl extract" utility contains only a normal "key" (not a keyX/Y pair), so decrypting isn't possible even when knowing keyY.<br />
Of course, whomever has found the normal key, should be also able to find the keyX/Y values, but I've no idea how that could be done (it will certainly not work with cooking coach which has all keyslots erased, so it might require main ram hacks in worst case).<br />
<br />
The part about ''"binblk->binblocksize" is the actual binary size'' is confusing. If '''binblk->binblocksize''' is known, then what is '''binblksize''' in the formula? Or is that a typo, and it means same as '''binblk->binblocksize'''?[[User:Nocash|Nocash]] 14:27, 27 March 2015 (CET)<br />
<br />
* 1/3) See last page edit.<br />
* 2) One can easily obtain the keyX^keyY key with F_XY_reverse(<any normalkey>) from that tool, but of course that's rather pointless without a keyX/keyY to XOR with that. Besides ramhaxx, the only other way to obtain the keyX/keyY for that yourself is to just get it from the 3DS [http://3dbrew.org/wiki/Memory_layout#ARM9_ITCM DSi-key-stash] @ 0x01FFD000(essentially *all* DSi keys are stored in there + TWL_FIRM Process9).<br />
--[[User:Yellows8|Yellows8]] 06:00, 7 April 2015 (CEST)<br />
<br />
:4.1) Okay, decrypting the RSA stuff is possible, and it's just me not knowing how to. Are you saying that the RSA key is contained in the TWL_FIRM executable? So one could simply "copy/paste" it from the TWL_FIRM files? Or is the key elsewhere, and TWL_FIRM is just using it during boot? So one would need some exploit to hack TWL_FIRM during boot-up? Sorry, but I don't have a 3DS, and know absolutely nothing about that console.<br />
<br />
:4.3) I've edited it myself (see last page edit). I hope that wasn't wrong.<br />
<br />
:5) Yeah, reversing KeyX without KeyY won't work (I can confirm that). If that Tad KeyX is one of the "known" DSi keys (those relocated from DSi BIOS ROM to TCM/WRAM during booting), then everything would be fine. And otherwise, one would need some 3DS exploit to get that DSi-key-stash... supposedly some special kernel exploit which isn't available to normal 3DS programmers?<br />
:PS. I've added some contact info on my wiki/user page (just in case) --[[User:Nocash|Nocash]] 22:56, 14 April 2015 (CEST)<br />
<br />
::Yes, those two RSA pubks are stored in the TWL_FIRM Process9 binary itself. When one has TWL_FIRM decrypted one can just extract those keys from there. There's public exploit(s)+tools for that, including arm9hax which is required for dumping the DSi keys from 3DS ARM9 ITCM. The common tad-keyX is written to the AES engine keyslot for it by bootrom, AFAIK it doesn't get copied elsewhere(the keyY for it is copied to the keystorage area near the end of ARM7 memory, but of course that area gets cleared when games are booted). --[[User:Yellows8|Yellows8]] 20:34, 18 April 2015 (CEST)<br />
<br />
== Bootloader Error Photos ==<br />
<br />
[[File:1124101052.jpg|200px|thumb|left]]<br />
[[File:1124101051.jpg|200px|thumb|left]]<br />
[[File:1124101051a.jpg|200px|thumb|left]]<br />
<br />
Here are some shots of my DSi with what I think is a bootloader error. --[[User:The2Banned2One|The2Banned2One]] 17:25, 24 November 2010 (CET)<br />
<br />
----<br />
<br />
'''Discuss here:'''</div>Yellows8https://dsibrew.org/w/index.php?title=Talk:Stage2&diff=2098786Talk:Stage22015-04-07T04:00:18Z<p>Yellows8: /* RSA and Bootsector decryption? */</p>
<hr />
<div>== RSA and Bootsector decryption? ==<br />
<br />
Where is that RSA info from? Is it possible to decrypt the RSA block on DSi, or on 3DS, or both?<br />
Any hints how to do that? Are DSi and 3DS using the same RSA key?<br />
<br />
The notice about keyX being same as for "Tad" sounds good... until one figures out that the "srl extract" utility contains only a normal "key" (not a keyX/Y pair), so decrypting isn't possible even when knowing keyY.<br />
Of course, whomever has found the normal key, should be also able to find the keyX/Y values, but I've no idea how that could be done (it will certainly not work with cooking coach which has all keyslots erased, so it might require main ram hacks in worst case).<br />
<br />
The part about ''"binblk->binblocksize" is the actual binary size'' is confusing. If '''binblk->binblocksize''' is known, then what is '''binblocksize''' in the formula? Or is that a typo, and it means same as '''binblk->binblocksize'''?[[User:Nocash|Nocash]] 14:27, 27 March 2015 (CET)<br />
<br />
* 1/3) See last page edit.<br />
* 2) One can easily obtain the keyX^keyY key with F_XY_reverse(<any normalkey>) from that tool, but of course that's rather pointless without a keyX/keyY to XOR with that. Besides ramhaxx, the only other way to obtain the keyX/keyY for that yourself is to just get it from the 3DS [http://3dbrew.org/wiki/Memory_layout#ARM9_ITCM DSi-key-stash] @ 0x01FFD000(essentially *all* DSi keys are stored in there + TWL_FIRM Process9).<br />
--[[User:Yellows8|Yellows8]] 06:00, 7 April 2015 (CEST)<br />
<br />
== Bootloader Error Photos ==<br />
<br />
[[File:1124101052.jpg|200px|thumb|left]]<br />
[[File:1124101051.jpg|200px|thumb|left]]<br />
[[File:1124101051a.jpg|200px|thumb|left]]<br />
<br />
Here are some shots of my DSi with what I think is a bootloader error. --[[User:The2Banned2One|The2Banned2One]] 17:25, 24 November 2010 (CET)<br />
<br />
----<br />
<br />
'''Discuss here:'''</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2098785Stage22015-04-07T03:34:45Z<p>Yellows8: </p>
<hr />
<div>== Stage 1 ==<br />
<br />
[[Image:boot-stage1-error.jpeg|frame|When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.]]<br />
<br />
The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted+signed stages from [[NAND]] flash, starting with a plaintext offset table in the sector at offset 0x200.<br />
<br />
Not much is known about this bootloader yet, but it presumably knows how to:<br />
# Initialize the encryption hardware<br />
# Read the contents of [[NVRAM]]<br />
# Initialize both LCDs<br />
# Read blocks (but not files) from the [[NAND]] flash<br />
# Perform some variety of integrity check on all data it reads (signature, CRC, ?)<br />
# Display basic hexadecimal error codes<br />
# Possibly factory-programming the [[NAND]] flash?<br />
# Might also do basic power-on self test of peripherals <br />
<br />
Known error codes:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Error Code !! Description<br />
|-<br />
| 0000FE00 || Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)<br />
|-<br />
| 0000FEFC || Integrity error in first block of Stage 2 (address at 0x220)<br />
|-<br />
| 0000FEFD || Integrity error in second block of Stage 2 (address at 0x230)<br />
|-<br />
| 0000FEFE || Boot sector integrity error (Sector 0x200 not valid), or error in [[NVRAM]] contents.<br />
|}<br />
<br />
== Stage 2 ==<br />
<br />
[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (probably several kilobytes), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning(that warning is displayed by the sysmenu).<br />
<br />
The first stage bootloader reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved (zerofilled)<br />
|-<br />
| 0x20<br />
| 0x4<br />
| ARM9 Bootcode, eMMC Source Offset<br />
|-<br />
| 0x24<br />
| 0x4<br />
| ARM9 Bootcode, Size "Actual binary size"<br />
|-<br />
| 0x28<br />
| 0x4<br />
| ARM9 Bootcode, RAM Destination Address and Entrypoint<br />
|-<br />
| 0x2C<br />
| 0x4<br />
| ARM9 Bootcode, Size rounded up to multiple of 0x200<br />
|-<br />
| 0x30<br />
| 0x4<br />
| ARM7 Bootcode, eMMC Source Offset<br />
|-<br />
| 0x34<br />
| 0x4<br />
| ARM7 Bootcode, Size "Actual binary size"<br />
|-<br />
| 0x38<br />
| 0x4<br />
| ARM7 Bootcode, RAM Destination Address and Entrypoint<br />
|-<br />
| 0x3C<br />
| 0x4<br />
| ARM7 Bootcode, Size rounded up to multiple of 0x200<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved (zerofilled)<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Unknown, value 0xFF? (actually, this is appears to be always 0Ch, not FFh?)<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 Data Block<br />
|-<br />
| 0x180<br />
| 0x14<br />
| Global MBK1..MBK5 Slot Settings<br />
|-<br />
| 0x194<br />
| 0xC<br />
| Local MBK6..MBK8 Settings for ARM9 Side<br />
|-<br />
| 0x1A0<br />
| 0xC<br />
| Local MBK6..MBK8 Settings for ARM7 Side<br />
|-<br />
| 0x1AC<br />
| 0x4<br />
| Global MBK9 Slot Master Setting<br />
|-<br />
| 0x1B0<br />
| 0x50<br />
| Reserved (zerofilled)<br />
|}<br />
<br />
Note that the above format resembles the [[DSi Cartridge Header]] (entries 0x20-0x3F are roughly similar, and entries 0x180-0x1AF appear to be same as in cart header).<br />
<br />
The RSA pubks(the one for 3DS and the other one for DSi) for the below signature can be obtained from 3DS TWL_FIRM Process9(this is required for getting the binaries' keyY). It's unknown(?) if the DSi bootrom(s) copy this modulo to anywhere outside of bootrom.<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash. Going by 3DS TWL_FIRM this seems to calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header(following the signature). This works with the bootloader contained in TWL_FIRM, however it's unknown how the first part is handled on DSi.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero.<br />
|-<br />
| 0x60<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|}<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified.<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the above binary size aligned to 0x200-bytes:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
<br />
=== Stage2 operations ===<br />
After Stage 2 is loaded:<br />
# The NAND flash is partially re-initialized<br />
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata is in FAT16 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2098776Stage22015-03-09T18:19:24Z<p>Yellows8: </p>
<hr />
<div>== Stage 1 ==<br />
<br />
[[Image:boot-stage1-error.jpeg|frame|When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.]]<br />
<br />
The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted+signed stages from [[NAND]] flash, starting with a plaintext offset table in the sector at offset 0x200.<br />
<br />
Not much is known about this bootloader yet, but it presumably knows how to:<br />
# Initialize the encryption hardware<br />
# Read the contents of [[NVRAM]]<br />
# Initialize both LCDs<br />
# Read blocks (but not files) from the [[NAND]] flash<br />
# Perform some variety of integrity check on all data it reads (signature, CRC, ?)<br />
# Display basic hexadecimal error codes<br />
# Possibly factory-programming the [[NAND]] flash?<br />
# Might also do basic power-on self test of peripherals <br />
<br />
Known error codes:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Error Code !! Description<br />
|-<br />
| 0000FE00 || Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)<br />
|-<br />
| 0000FEFC || Integrity error in first block of Stage 2 (address at 0x220)<br />
|-<br />
| 0000FEFD || Integrity error in second block of Stage 2 (address at 0x230)<br />
|-<br />
| 0000FEFE || Boot sector integrity error (Sector 0x200 not valid), or error in [[NVRAM]] contents.<br />
|}<br />
<br />
== Stage 2 ==<br />
<br />
[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (probably several kilobytes), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning(that warning is displayed by the sysmenu).<br />
<br />
The first stage bootloader reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved<br />
|-<br />
| 0x20<br />
| 0x10*2<br />
| Two binary-block headers: first one is for the ARM9 binary, second one for the ARM7 binary.<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Unknown, value 0xFF.<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 signature<br />
|-<br />
| 0x180<br />
| 0x80<br />
| Unknown<br />
|}<br />
<br />
Structure of the binary-block headers:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| Offset for this binary in NAND.<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Actual binary size.<br />
|-<br />
| 0x8<br />
| 0x4<br />
| Binary load address in memory. This is also the binary entrypoint.<br />
|-<br />
| 0xC<br />
| 0x4<br />
| Binary size aligned to 0x200-bytes.<br />
|}<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash. Going by 3DS TWL_FIRM this seems to calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header(following the signature). This works with the bootloader contained in TWL_FIRM, however it's unknown how the first part is handled on DSi.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero.<br />
|-<br />
| 0x60<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|}<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified.<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the actual binary size:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
<br />
=== Stage2 operations ===<br />
After Stage 2 is loaded:<br />
# The NAND flash is partially re-initialized<br />
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2098775Stage22015-03-09T06:04:20Z<p>Yellows8: /* Stage 2 */</p>
<hr />
<div>== Stage 1 ==<br />
<br />
[[Image:boot-stage1-error.jpeg|frame|When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.]]<br />
<br />
The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted+signed stages from [[NAND]] flash, starting with a plaintext offset table in the sector at offset 0x200.<br />
<br />
Not much is known about this bootloader yet, but it presumably knows how to:<br />
# Initialize the encryption hardware<br />
# Read the contents of [[NVRAM]]<br />
# Initialize both LCDs<br />
# Read blocks (but not files) from the [[NAND]] flash<br />
# Perform some variety of integrity check on all data it reads (signature, CRC, ?)<br />
# Display basic hexadecimal error codes<br />
# Possibly factory-programming the [[NAND]] flash?<br />
# Might also do basic power-on self test of peripherals <br />
<br />
Known error codes:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Error Code !! Description<br />
|-<br />
| 0000FE00 || Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)<br />
|-<br />
| 0000FEFC || Integrity error in first block of Stage 2 (address at 0x220)<br />
|-<br />
| 0000FEFD || Integrity error in second block of Stage 2 (address at 0x230)<br />
|-<br />
| 0000FEFE || Boot sector integrity error (Sector 0x200 not valid), or error in [[NVRAM]] contents.<br />
|}<br />
<br />
== Stage 2 ==<br />
<br />
[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (probably several kilobytes), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning(that warning is displayed by the sysmenu).<br />
<br />
The first stage bootloader reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved<br />
|-<br />
| 0x20<br />
| 0x10*2<br />
| Two binary-block headers: first one is for the ARM9 binary, second one for the ARM7 binary.<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Unknown, value 0xFF.<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 signature<br />
|-<br />
| 0x180<br />
| 0x80<br />
| Unknown<br />
|}<br />
<br />
Structure of the binary-block headers:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| Offset for this binary in NAND.<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Actual binary size.<br />
|-<br />
| 0x8<br />
| 0x4<br />
| Binary load address in memory. This is also the binary entrypoint.<br />
|-<br />
| 0xC<br />
| 0x4<br />
| Binary size aligned to 0x200-bytes.<br />
|}<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash. Going by 3DS TWL_FIRM this seems to calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header(following the signature). This works with the bootloader contained in TWL_FIRM, however it's unknown how the first part is handled on DSi.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero.<br />
|-<br />
| 0x60<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|}<br />
<br />
The 3DS TWL_FIRM verifies all TWL RSA padding with the following. It's unknown whether the DSi Stage1 has the same code as TWL_FIRM for this, the RSA padding data(not the actual hashdata) contained in the DSi bootloader signature and TWL_FIRM bootloader are the same at least. This is different from how the main DSi "BIOS" RSA padding check code does it as well.<br />
* The first byte must be 0x0.<br />
* The second byte must be 0x1 or 0x2.<br />
* Executes a while(<value of byte at current pos in RSA message>). When the second_byte in the message is 0x1, the byte at curpos must be 0xFF(otherwise the non-zero value of the byte at curpos doesn't matter). This loop must find a zero byte before offset 0x7F in the message otherwise an error is returned.<br />
* Returns an address for msg_curpos+1.<br />
With the code in 3DS TWL_FIRM, the actual "totalhashdatasize" in the RSA message must be <= <expected hashdata_size>(0x74 for bootloader). The 3DS TWL_FIRM code copies the RSA "hashdata" to the output buffer, using the actual size of the RSA "hashdata".<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified.<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the actual binary size:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
<br />
=== Stage2 operations ===<br />
After Stage 2 is loaded:<br />
# The NAND flash is partially re-initialized<br />
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2098773Stage22015-03-09T02:30:27Z<p>Yellows8: /* Stage 2 */</p>
<hr />
<div>== Stage 1 ==<br />
<br />
[[Image:boot-stage1-error.jpeg|frame|When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.]]<br />
<br />
The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted+signed stages from [[NAND]] flash, starting with a plaintext offset table in the sector at offset 0x200.<br />
<br />
Not much is known about this bootloader yet, but it presumably knows how to:<br />
# Initialize the encryption hardware<br />
# Read the contents of [[NVRAM]]<br />
# Initialize both LCDs<br />
# Read blocks (but not files) from the [[NAND]] flash<br />
# Perform some variety of integrity check on all data it reads (signature, CRC, ?)<br />
# Display basic hexadecimal error codes<br />
# Possibly factory-programming the [[NAND]] flash?<br />
# Might also do basic power-on self test of peripherals <br />
<br />
Known error codes:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Error Code !! Description<br />
|-<br />
| 0000FE00 || Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)<br />
|-<br />
| 0000FEFC || Integrity error in first block of Stage 2 (address at 0x220)<br />
|-<br />
| 0000FEFD || Integrity error in second block of Stage 2 (address at 0x230)<br />
|-<br />
| 0000FEFE || Boot sector integrity error (Sector 0x200 not valid), or error in [[NVRAM]] contents.<br />
|}<br />
<br />
== Stage 2 ==<br />
<br />
[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (probably several kilobytes), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning(that warning is displayed by the sysmenu).<br />
<br />
The first stage bootloader reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved<br />
|-<br />
| 0x20<br />
| 0x10*2<br />
| Two binary-block headers: first one is for the ARM9 binary, second one for the ARM7 binary.<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Unknown, value 0xFF.<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 signature<br />
|-<br />
| 0x180<br />
| 0x80<br />
| Unknown<br />
|}<br />
<br />
Structure of the binary-block headers:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| Offset for this binary in NAND.<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Actual binary size.<br />
|-<br />
| 0x8<br />
| 0x4<br />
| Binary load address in memory. This is also the binary entrypoint.<br />
|-<br />
| 0xC<br />
| 0x4<br />
| Binary size aligned to 0x200-bytes.<br />
|}<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash. Going by 3DS TWL_FIRM this seems to calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header(following the signature). This works with the bootloader contained in TWL_FIRM, however it's unknown how the first part is handled on DSi.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero.<br />
|-<br />
| 0x60<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|}<br />
<br />
The 3DS TWL_FIRM verifies TWL RSA padding with the following, which is also valid for this DSi bootloader padding:<br />
* The first byte must be 0x0.<br />
* The second byte must be 0x1 or 0x2.<br />
* Executes a while(<value of byte at current pos in RSA message>). When the second_byte in the message is 0x1, the byte at curpos must be 0xFF(otherwise the non-zero value of the byte at curpos doesn't matter). This loop must find a zero byte before offset 0x7F in the message otherwise an error is returned.<br />
* Returns an address for msg_curpos+1.<br />
With the code in 3DS TWL_FIRM, the actual "totalhashdatasize" in the RSA message must be <=0x74. The 3DS TWL_FIRM code copies the RSA "hashdata" to the output buffer, using the actual size of the RSA "hashdata".<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified.<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the actual binary size:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
<br />
=== Stage2 operations ===<br />
After Stage 2 is loaded:<br />
# The NAND flash is partially re-initialized<br />
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2098772Stage22015-03-09T02:06:19Z<p>Yellows8: /* Stage 2 */</p>
<hr />
<div>== Stage 1 ==<br />
<br />
[[Image:boot-stage1-error.jpeg|frame|When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.]]<br />
<br />
The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted+signed stages from [[NAND]] flash, starting with a plaintext offset table in the sector at offset 0x200.<br />
<br />
Not much is known about this bootloader yet, but it presumably knows how to:<br />
# Initialize the encryption hardware<br />
# Read the contents of [[NVRAM]]<br />
# Initialize both LCDs<br />
# Read blocks (but not files) from the [[NAND]] flash<br />
# Perform some variety of integrity check on all data it reads (signature, CRC, ?)<br />
# Display basic hexadecimal error codes<br />
# Possibly factory-programming the [[NAND]] flash?<br />
# Might also do basic power-on self test of peripherals <br />
<br />
Known error codes:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Error Code !! Description<br />
|-<br />
| 0000FE00 || Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)<br />
|-<br />
| 0000FEFC || Integrity error in first block of Stage 2 (address at 0x220)<br />
|-<br />
| 0000FEFD || Integrity error in second block of Stage 2 (address at 0x230)<br />
|-<br />
| 0000FEFE || Boot sector integrity error (Sector 0x200 not valid), or error in [[NVRAM]] contents.<br />
|}<br />
<br />
== Stage 2 ==<br />
<br />
[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (probably several kilobytes), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning(that warning is displayed by the sysmenu).<br />
<br />
The first stage bootloader reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved<br />
|-<br />
| 0x20<br />
| 0x10*2<br />
| Two binary-block headers: first one is for the ARM9 binary, second one for the ARM7 binary.<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Unknown, value 0xFF.<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 signature<br />
|-<br />
| 0x180<br />
| 0x80<br />
| Unknown<br />
|}<br />
<br />
Structure of the binary-block headers:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| Offset for this binary in NAND.<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Actual binary size.<br />
|-<br />
| 0x8<br />
| 0x4<br />
| Binary load address in memory. This is also the binary entrypoint.<br />
|-<br />
| 0xC<br />
| 0x4<br />
| Binary size aligned to 0x200-bytes.<br />
|}<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash. Going by 3DS TWL_FIRM this seems to calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header(following the signature). However, attempting to calculate the hash this way doesn't result in the right hash(even with the bootloader image contained in 3DS TWL_FIRM). It's unknown how the first part is handled on DSi.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero.<br />
|-<br />
| 0x60<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|}<br />
<br />
The 3DS TWL_FIRM verifies TWL RSA padding with the following, which is also valid for this DSi bootloader padding:<br />
* The first byte must be 0x0.<br />
* The second byte must be 0x1 or 0x2.<br />
* Executes a while(<value of byte at current pos in RSA message>). When the second_byte in the message is 0x1, the byte at curpos must be 0xFF(otherwise the non-zero value of the byte at curpos doesn't matter). This loop must find a zero byte before offset 0x7F in the message otherwise an error is returned.<br />
* Returns an address for msg_curpos+1.<br />
With the code in 3DS TWL_FIRM, the actual "totalhashdatasize" in the RSA message must be <=0x74. The 3DS TWL_FIRM code copies the RSA "hashdata" to the output buffer, using the actual size of the RSA "hashdata".<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified.<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the actual binary size:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
<br />
=== Stage2 operations ===<br />
After Stage 2 is loaded:<br />
# The NAND flash is partially re-initialized<br />
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Stage2&diff=2098771Stage22015-03-09T01:18:55Z<p>Yellows8: Added info from REing 3DS TWL_FIRM a long while ago.</p>
<hr />
<div>== Stage 1 ==<br />
<br />
[[Image:boot-stage1-error.jpeg|frame|When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.]]<br />
<br />
The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted+signed stages from [[NAND]] flash, starting with a plaintext offset table in the sector at offset 0x200.<br />
<br />
Not much is known about this bootloader yet, but it presumably knows how to:<br />
# Initialize the encryption hardware<br />
# Read the contents of [[NVRAM]]<br />
# Initialize both LCDs<br />
# Read blocks (but not files) from the [[NAND]] flash<br />
# Perform some variety of integrity check on all data it reads (signature, CRC, ?)<br />
# Display basic hexadecimal error codes<br />
# Possibly factory-programming the [[NAND]] flash?<br />
# Might also do basic power-on self test of peripherals <br />
<br />
Known error codes:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Error Code !! Description<br />
|-<br />
| 0000FE00 || Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)<br />
|-<br />
| 0000FEFC || Integrity error in first block of Stage 2 (address at 0x220)<br />
|-<br />
| 0000FEFD || Integrity error in second block of Stage 2 (address at 0x230)<br />
|-<br />
| 0000FEFE || Boot sector integrity error (Sector 0x200 not valid), or error in [[NVRAM]] contents.<br />
|}<br />
<br />
== Stage 2 ==<br />
<br />
[[Image:boot-stage2-error.jpeg|frame|This may have been a Stage 2 bootloader error.]]<br />
<br />
Unlike the stage1 bootloader, which must be small enough to fit in ROM (probably several kilobytes), the stage2 bootloader has about a megabyte of NAND flash reserved for it. The stage2 bootloader understands partitions and filesystems, and it is capable of loading the DSi menu. It also must understand the encryption used on filesystem blocks in the NAND, and it must understand how to load and validate title metadata.<br />
<br />
The Stage 2 loader was not modified by the [[System Menu 1.4]] update. This is still earlier in the boot process than the "Health and Safety" warning(that warning is displayed by the sysmenu).<br />
<br />
The first stage bootloader reads the sector at offset 0x200 in order to find a table of offsets to the Stage 2 bootloader:<br />
<br />
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|<br />
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|<br />
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
<br />
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.<br />
<br />
Structure of this header:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20<br />
| Reserved<br />
|-<br />
| 0x20<br />
| 0x10*2<br />
| Two binary-block headers: first one is for the ARM9 binary, second one for the ARM7 binary.<br />
|-<br />
| 0x40<br />
| 0xBF<br />
| Reserved<br />
|-<br />
| 0xFF<br />
| 0x1<br />
| Unknown, value 0xFF.<br />
|-<br />
| 0x100<br />
| 0x80<br />
| RSA-1024 signature<br />
|-<br />
| 0x180<br />
| 0x80<br />
| Unknown<br />
|}<br />
<br />
Structure of the binary-block headers:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| Offset for this binary in NAND.<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Actual binary size.<br />
|-<br />
| 0x8<br />
| 0x4<br />
| Binary load address in memory. This is also the binary entrypoint.<br />
|-<br />
| 0xC<br />
| 0x4<br />
| Binary size aligned to 0x200-bytes.<br />
|}<br />
<br />
Structure of the 0x74-byte "hash-data" stored in the RSA message:<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| [[AES_Engine]] keyY used for the ARM9/ARM7 binaries crypto.<br />
|-<br />
| 0x10<br />
| 0x14<br />
| SHA1 hash. Going by 3DS TWL_FIRM this seems to calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header(following the signature). However, attempting to calculate the hash this way doesn't result in the right hash(even with the bootloader image contained in 3DS TWL_FIRM). It's unknown how the first part is handled on DSi.<br />
|-<br />
| 0x24<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM9 binary, with the actual binary size.<br />
|-<br />
| 0x38<br />
| 0x14<br />
| SHA1 hash over the plaintext ARM7 binary, with the actual binary size.<br />
|-<br />
| 0x4C<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|-<br />
| 0x60<br />
| 0x14<br />
| Unknown, not used by 3DS TWL_FIRM.<br />
|}<br />
<br />
The 3DS TWL_FIRM verifies TWL RSA padding with the following, which is also valid for this DSi bootloader padding:<br />
* The first byte must be 0x0.<br />
* The second byte must be 0x1 or 0x2.<br />
* Executes a while(<value of byte at current pos in RSA message>). When the second_byte in the message is 0x1, the byte at curpos must be 0xFF(otherwise the non-zero value of the byte at curpos doesn't matter). This loop must find a zero byte before offset 0x7F in the message otherwise an error is returned.<br />
* Returns an address for msg_curpos+1.<br />
With the code in 3DS TWL_FIRM, the actual "totalhashdatasize" in the RSA message must be <=0x74. The 3DS TWL_FIRM code copies the RSA "hashdata" to the output buffer, using the actual size of the RSA "hashdata".<br />
<br />
Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.<br />
<br />
After loading+verifying the the above header, the ARM7 binary is loaded+verified, then the ARM9 binary is loaded+verified.<br />
<br />
Whereas the filesystem data in NAND is encrypted using a unique key for every DSi, the stage2 bootloader is identical on every DSi tested so far. The stage2 bootloader binaries are not encrypted with any console-unique keys.<br />
<br />
Stage1 uses the [[AES_Engine]] to decrypt each ARM9/ARM7 binary, where keyY is from the above signature. The [[AES_Engine]] keyslot used here is the same one used for the shared areas for [[Tad]], therefore the keyX is the same as the one used for that. The following is used for the CTR, where "binblk->binblocksize" is the actual binary size:<br />
<br />
unsigned int ctr[4];<br />
memset(ctr, 0, 16);<br />
<br />
ctr[0] = binblk->binblocksize;<br />
ctr[1] = (unsigned int)(-binblksize);<br />
ctr[2] = ~binblk->binblocksize;<br />
<br />
=== Stage2 operations ===<br />
After Stage 2 is loaded:<br />
# The NAND flash is partially re-initialized<br />
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.<br />
# The MBR signature and the type of the first partition are verified.<br />
# Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.<br />
# Multiple files are loaded from the filesystem. The exact read addresses will vary depending on your DSi's firmware version and the state of its filesystem when you performed the last firmware update. On a brand new DSi, it appears that the DSi Menu itself is loaded from 0xb20000 after two small metadata files are read from 0xb1c000 and 0x7a0000.<br />
<br />
All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
! Text !! Description<br />
|-<br />
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.<br />
|-<br />
| "Error: 3-2435-8325" || DSi Menu integrity checks failed<br />
|-<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=DSiWare_VulnList&diff=1905718DSiWare VulnList2014-05-12T07:19:40Z<p>Yellows8: </p>
<hr />
<div>== Total listed DSiWare ==<br />
<br />
Total DSiWare in below lists.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! List<br />
! Total<br />
|-<br />
| Incomplete<br />
| 20<br />
|-<br />
| Done<br />
| 18<br />
|-<br />
| DSiWare which probably aren't exploitable<br />
| 59<br />
|-<br />
| Already have<br />
| 3<br />
|-<br />
| All total<br />
| 100<br />
|}<br />
<br />
== DSiWare with incomplete analysis ==<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Name<br />
! Input type(s)<br />
! Status<br />
! Description<br />
|-<br />
| Academy: Tic-Tac-Toe<br />
| Player name<br />
| None<br />
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.<br />
|-<br />
| Advanced Circuits<br />
| Profile names<br />
| Started<br />
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.<br />
|-<br />
| Arcade Bowling<br />
| High-Scores<br />
| None<br />
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?<br />
|-<br />
| Art Academy: First Semester<br />
| None?<br />
| None<br />
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?<br />
|-<br />
| Bejeweled Twist<br />
| High-scores<br />
| None<br />
| Checksum is unknown, save has ASCII strings.<br />
|-<br />
| Bounce & Break<br />
| High-scores<br />
| Started<br />
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.<br />
|-<br />
| Card games<br />
| Player name<br />
| None<br />
| Has ASCII player names, checksum is unknown.<br />
|-<br />
| Chess Challenge<br />
| Profile names<br />
| None<br />
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.<br />
|-<br />
| Crazy Sudoku<br />
| Player name<br />
| None<br />
| Has ASCII strings for player name.<br />
|-<br />
| Crystal Monsters<br />
| Player name<br />
| Started<br />
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.<br />
|-<br />
| Elemental Masters<br />
| Player name?<br />
| None<br />
| Has ASCII strings but the checksum is unknown.<br />
|-<br />
| Faceez<br />
| Player name?<br />
| None<br />
| Has ASCII string but the checksum is unknown.<br />
|-<br />
| Field Runners<br />
| High-Scores<br />
| Started<br />
| The xml .plist the game uses for storing savedata contains high-scores strings.<br />
|-<br />
| Guitar Rock Tour<br />
| High-Scores<br />
| Started<br />
| Has ASCII high-scores.<br />
|-<br />
| Legends of Exidia<br />
| Player name<br />
| Started<br />
| Has ASCII player name.<br />
|-<br />
| Lets golf<br />
| Player name<br />
| None<br />
| Has ASCII player name checksum is unknown.<br />
|-<br />
| Mixed Messages<br />
| Player name and other text<br />
| None<br />
| Uses ASCII for player name and other text input, but the checksum is unknown.<br />
|-<br />
| Number Battle<br />
| Player name<br />
| None<br />
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.<br />
|-<br />
| Pop Superstar: Road to celebrity<br />
| Player name<br />
| None<br />
| Has ASCII strings.<br />
|-<br />
| UNO<br />
| Player name and high-scores<br />
| Started<br />
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.<br />
|}<br />
<br />
== DSiWare with finished analysis ==<br />
<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Name<br />
! Input type(s)<br />
! Description<br />
|-<br />
| 5 in 1 Solitaire<br />
| Profile names<br />
| Game didn't crash with a long profile string.<br />
|-<br />
| Airport Mania: Non Stop Flights<br />
| High-Scores<br />
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.<br />
|-<br />
| Arcade Hoops Basketball<br />
| High-Scores, names via settings<br />
| Has ASCII high-scores with null terminated strings, no string bugs.<br />
|-<br />
| Army Defender<br />
| High-scores<br />
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.<br />
|-<br />
| Bloons<br />
| Profile names<br />
| Has some profile names but they're all in one tiny savfile.<br />
|-<br />
| Bookworm<br />
| High-scores and word list<br />
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )<br />
|-<br />
| Dark Void Zero<br />
| High-Scores<br />
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.<br />
|-<br />
| Digger Dan & Kaboom<br />
| Player name<br />
| The ASCII player names aren't exploitable, but the save is <10KB anyway.<br />
|-<br />
| Dracula<br />
| No manual input<br />
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.<br />
|-<br />
| Escapee Go<br />
| None<br />
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.<br />
|-<br />
| Frogger Returns<br />
| High-Scores<br />
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.<br />
|-<br />
| Mario Calculator<br />
| None<br />
| No savedata at all in the tad.<br />
|-<br />
| Paul's Shooting Adventure<br />
| High-Scores<br />
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.<br />
|-<br />
| Prehistorik Man<br />
| Password text<br />
| Has some ASCII password text for continuing, but there's less than 10KB free.<br />
|-<br />
| Primrose<br />
| High-scores<br />
| Has English-only high-scores and a trivial checksum, not exploitable.<br />
|-<br />
| Soul of Darkness<br />
| Player name<br />
| Has ASCII player name with 3 profiles.<br />
|-<br />
| Sudoku<br />
| Player name<br />
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].<br />
|-<br />
| Rayman<br />
| Player name<br />
| No overflow, with a long string the game only displays one extra character.<br />
|}<br />
<br />
== DSiWare that probably don't have vulnerabilities ==<br />
<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Name<br />
! Input type(s)<br />
! Description<br />
|-<br />
| 24/7 Solitaire<br />
| None<br />
| No high-scores or string input.<br />
|-<br />
| Absolute Reversi<br />
| None<br />
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)<br />
|-<br />
| A Little Bit of... All-Time Classics: Card Classics<br />
| None<br />
| No strings<br />
|-<br />
| A Little Bit of... All-Time Classics: Family Games<br />
| None<br />
| No strings<br />
|-<br />
| A Little Bit of... All-Time Classics: Strategy Games<br />
| None<br />
| No strings<br />
|-<br />
| Alpha Bounce<br />
| None<br />
| No strings<br />
|-<br />
| Asphalt 4<br />
| None<br />
| No strings<br />
|-<br />
| Aquia: Art Style Series<br />
| None<br />
| No strings<br />
|-<br />
| Aura Aura Climber<br />
| None<br />
| No strings<br />
|-<br />
| Birds & Beans<br />
| No strings<br />
| No strings in savedata.<br />
|-<br />
| Boom Boom Squaries<br />
| No strings<br />
| No strings in savedata.<br />
|-<br />
| Bomberman Blitz<br />
| Name<br />
| Has UCS-2 strings.<br />
|-<br />
| Boxlife<br />
| None<br />
| No strings.<br />
|-<br />
| Blackjack<br />
| None<br />
| No strings.<br />
|-<br />
| Brain Age Express: Arts & Letters<br />
| None<br />
| No strings in savedata.<br />
|-<br />
| Brain Age Express: Math<br />
| None<br />
| No strings in savedata.<br />
|-<br />
| Brain Drain<br />
| None<br />
| No strings in save.<br />
|-<br />
| Castle of Magic<br />
| None<br />
| No strings<br />
|-<br />
| Cave Story<br />
| None<br />
| No strings<br />
|-<br />
| Countdown Calender<br />
| None<br />
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.<br />
|-<br />
| Crash Course Domo<br />
| None<br />
| No strings.<br />
|-<br />
| Chronos Twins<br />
| None<br />
| No strings.<br />
|-<br />
| Dictionary 6 in 1<br />
| None<br />
| No strings in savedata.<br />
|-<br />
| DIGIDRIVE: Art Style Series<br />
| None<br />
| No strings.<br />
|-<br />
| DodoGo! Robo<br />
| None<br />
| No strings<br />
|-<br />
| Dr. Mario Express<br />
| None<br />
| No strings.<br />
|-<br />
| Earthworm Jim<br />
| None<br />
| No strings.<br />
|-<br />
| Extreme Hangman<br />
| None<br />
| No strings in savedata.<br />
|-<br />
| Little Red Riding Hood's Zombie BBQ<br />
| None<br />
| No strings<br />
|-<br />
| FIZZ<br />
| High-scores<br />
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.<br />
|-<br />
| Flipper<br />
| None<br />
| No strings.<br />
|-<br />
| Frenzic<br />
| High-scores<br />
| Has UCS-2 high-scores.<br />
|-<br />
| Gene Labs<br />
| None<br />
| Small savedata with no strings.<br />
|-<br />
| Glory Days - Tactical Defense<br />
| No strings<br />
| Saves only scores not strings.<br />
|-<br />
| GO Series: 10 Second Run<br />
| None<br />
| No strings.<br />
|-<br />
| Metal Torrent<br />
| Player name<br />
| Uses a UCS-2 string.<br />
|-<br />
| Master of Illusion Express: Psychic Camera<br />
| None<br />
| Tiny savfile no strings.<br />
|-<br />
| My Notebook: Blue<br />
| None<br />
| No strings.<br />
|-<br />
| My Notebook: Pearl<br />
| None<br />
| No strings.<br />
|-<br />
| My Sims: Camera<br />
| None<br />
| No strings.<br />
|-<br />
| Mighty Flip Champs<br />
| None<br />
| No strings.<br />
|-<br />
| My Exotic Farm<br />
| Player name<br />
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.<br />
|-<br />
| Paper Airplane Chase<br />
| None<br />
| The size of both files in the savedata are only 8 bytes, no strings.<br />
|-<br />
| PiCOPiCT: Art Style series<br />
| None<br />
| No strings.<br />
|-<br />
| PiCTOBiTS: Art Style series<br />
| None<br />
| No strings.<br />
|-<br />
| Plants Vs. Zombies<br />
| None<br />
| No strings, uses system user name for player name.<br />
|-<br />
| Pop Island<br />
| None<br />
| No strings.<br />
|-<br />
| Pyoro<br />
| None<br />
| 16-byte savedata no strings.<br />
|-<br />
| Photo Clock<br />
| None<br />
| Small savedata, no strings at all.<br />
|-<br />
| Photo Dojo<br />
| Handwritten character name via stylus<br />
| Savedata only contains .jpg files and some tiny "save"/"info" files.<br />
|-<br />
| Shantae: Risky's Revenge<br />
| None<br />
| Has 3 save slots but no string input.<br />
|-<br />
| Simply Minesweeper<br />
| None<br />
| No strings.<br />
|-<br />
| Sokomania<br />
| None<br />
| No strings.<br />
|-<br />
| Sparkle Snapshots<br />
| None<br />
| No strings.<br />
|-<br />
| Starship Defense<br />
| None<br />
| No strings.<br />
|-<br />
| Tetris Party Live<br />
| None<br />
| Zero text input, not enough payload space anyway.<br />
|-<br />
| WarioWare: Snapped<br />
| None<br />
| No high-scores or string input.<br />
|-<br />
| ZENGAGE: Art Style Series<br />
| None<br />
| No strings.<br />
|-<br />
| Zenonia<br />
| None<br />
| No strings.<br />
|}<br />
<br />
== DSiWare that were already obtained for analysis ==<br />
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Name<br />
! Text format<br />
|-<br />
| Flipnote Studio<br />
| UCS-2<br />
|-<br />
| Mario Vs. Donkey Kong: Minis March Again<br />
| UCS-2<br />
|-<br />
| Opera<br />
| The savedata is private NAND-only, no savedata is copied to SD card.<br />
|}</div>Yellows8https://dsibrew.org/w/index.php?title=Title_database&diff=4311Title database2012-12-12T03:11:46Z<p>Yellows8: Added 1.4.5 updated titles.</p>
<hr />
<div>The Nintendo DSi uses the same title scheme and introduces separate DSi update servers; Also introduced was a new common-key for DSi title decryption. <br />
<br />
As with the Wii, the [[title metadata]] aka "TMD" for these titles can be found on the Nintendo Update Servers.<br />
<br />
Each title specific url uses a 4 ASCII character code denoting what type of title it is and what region it comes from.<br />
<br />
Titles can be downloaded and decrypted with [http://wiibrew.org/wiki/NUS_Downloader NUS Downloader], a program that allows titles to be fetched from the Nintendo Update Servers.<br />
<br />
== Title codes ==<br />
<br />
=== Region Codes ===<br />
<br />
Region codes are used to determine what region a title belongs to. They are at the end of a Title ID. Eg. XXXA, XXXJ<br />
<br />
{| class="wikitable sortable" width="55%"<br />
|-<br />
! ASCII<br />
! HEX<br />
! Region<br />
|-<br />
| A<br />
| 41<br />
| Region Independent<br />
|-<br />
| C<br />
| 43<br />
| China<br />
|-<br />
| E<br />
| 45<br />
| North America<br />
|-<br />
| H<br />
| 48<br />
| Belgium / Netherlands (DSiWare Only)<br />
|-<br />
| J<br />
| 4A<br />
| Japan<br />
|-<br />
| K<br />
| 4B<br />
| Korea<br />
|-<br />
| O<br />
| 4F<br />
| Unknown<br />
|-<br />
| P<br />
| 50<br />
| Australia and other PAL regions (System and DSiWare)<br />
|-<br />
| T<br />
| 54<br />
| Unknown<br />
|-<br />
| U<br />
| 55<br />
| Australia and New Zealand<br />
|-<br />
| V<br />
| 56<br />
| Europe (DSiWare Only)<br />
|-<br />
| X<br />
| 58<br />
| Unknown<br />
|}<br />
<br />
=== System Codes ===<br />
<br />
System codes are used to determine what type of title it is. They are at the beginning of a Title ID. Eg. KXXX. HXXX<br />
<br />
{| class="wikitable sortable" width="50%"<br />
|-<br />
! ASCII<br />
! HEX<br />
! Type<br />
|-<br />
| K<br />
| 4B<br />
| DSiWare Title<br />
|-<br />
| H<br />
| 48<br />
| System \ Channel<br />
|}<br />
<br />
== Title Database ==<br />
<br />
=== DSiWare (00030004) ===<br />
<br />
DSiWare is an online service available on the [[Nintendo DSi Shop]] to download DSi applications.<br />
<br />
==== Europe ====<br />
<br />
The official list of DSi Ware Europe titles is located on [http://www.nintendo.co.uk/NOE/en_GB/games/nintendo_dsiware_11805.html the Nintendo Europe website]<br />
<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Price<br />
|-<br />
| Game<br />
| KNRV (4B4E5256)<br />
| A Little Bit of... Brain Training™: Maths Edition<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KD9V (4B443956)<br />
| A Little Bit of... Dr. Mario™<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KM9P (4B4D3950)<br />
| A Little Bit of... Magic Made Fun™: Deep Psyche<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMFP (4B4D4650)<br />
| A Little Bit of... Magic Made Fun™: Funny Face<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMSP (4B4D5350)<br />
| A Little Bit of... Magic Made Fun™: Shuffle Games<br />
| 200 Nintendo Points<br />
|-<br />
| Application<br />
| KWGV (4B574756)<br />
| [[Nintendo DSi Calculator|Animal Crossing Calculator]]<br />
| 200 Nintendo Points<br />
|-<br />
| Application<br />
| KWCV (4B574356)<br />
| [[Nintendo DSi Clock|Animal Crossing Clock]]<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAAV (4B414156)<br />
| Art Style: AQUITE<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KADV (4B414456)<br />
| Art Style: CODE<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAKV (4B414B56)<br />
| Art Style: KuBos<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KASV (4B415356)<br />
| Art Style: NEMREM<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAPV (4B415056)<br />
| Art Style: PiCOPiCT<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KA4V (4B413456)<br />
| Asphalt 4: Elite Racing<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KGRV (4B475256)<br />
| Guitar Rock Tour<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KLEV (4B4C4556)<br />
| Legends of Exidia<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KMMV (4B4D4D56)<br />
| Mixed Message<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAMV (4B414D56)<br />
| Paper Plane<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KPOV (4B504F56)<br />
| Pop Superstar!: Road to Celebrity<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KP6V (4B503656)<br />
| Pyoro<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KS9V (4B533956)<br />
| Real Football 2009<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| K4DE (4B344445)<br />
| Sudoku<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KSMV (4B534D56)<br />
| SUDOKU 150! For Challengers<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KUWV (4B555756)<br />
| WarioWare: Snapped!<br />
| 500 Nintendo Points<br />
|}<br />
<br />
==== Japan ====<br />
<br />
The official list of DSi Ware Japan titles is located on [http://www.nintendo.co.jp/ds/dsiware/titlelist.html the Nintendo japanese website]<br />
<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Price<br />
|-<br />
| Game<br />
| KMSJ (4B4D534A)<br />
| 3-tsu no Shuffle Game<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAAJ (4B41414A)<br />
| Art Style: AQUARIO<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KADJ (4B41444A)<br />
| Art Style: DECODE<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAPJ (4B41504A)<br />
| Art Style: PICOPICT<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KASJ (4B41534A)<br />
| Art Style: SOMNIUM<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KTPJ (4B54504A)<br />
| Asobi Taizen<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KNRJ (4B4E524A)<br />
| Brain Training - Science version<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KD9J (4B44394A)<br />
| A Little Bit of... Dr. Mario™<br />
| 500 Nintendo Points<br />
|-<br />
| Application<br />
| KDGJ (4B44474A)<br />
| Dokodemo [http://en.wikipedia.org/wiki/Wii_no_Ma Wiinoma]<br />
| 0 Nintendo Points<br />
|-<br />
| Game<br />
| KMFJ (4B4D464A)<br />
| A Little Bit of... Magic Made Fun™: Funny Face<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAMJ (4B414D4A)<br />
| Kami Hikouki<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KLEJ (4B4C454A)<br />
| Legends of Exidia<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KMMJ (4B4D4D4A)<br />
| Mixed Message<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KM9J (4B4D394A)<br />
| Osoroshii Suuji<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KP6J (4B50364A)<br />
| Tori to Mame<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KGUJ (4B47554A)<br />
| Ugoku Memo Chou<br />
| 0 Nintendo Points<br />
|-<br />
| Game<br />
| KUWJ (4B55574A)<br />
| Utsutsu! Made in Wario<br />
| 500 Nintendo Points<br />
|-<br />
|}<br />
<br />
==== United States ====<br />
<br />
The official list of DSi Ware US titles is located on [http://www.nintendo.com/games/guide#qhardware=DS&qesrbRating=&qplay=dsiware&qgenre=&qrelease=&panel=qplay the Nintendo US website]<br />
<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Price<br />
|-<br />
| Game<br />
| KM9E (4B4D3945)<br />
| A Little Bit of... Magic Made Fun™: Deep Psyche<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMFE (4B4D4645)<br />
| A Little Bit of... Magic Made Fun™: Funny Face<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMSE (4B4D5345)<br />
| A Little Bit of... Magic Made Fun™: Shuffle Games<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAAE (4B414145)<br />
| Art Style: AQUIA<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KP6E (4B503645)<br />
| Bird & Beans<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KD9E (4B443945)<br />
| Dr. Mario Express<br />
| 500 Nintendo Points<br />
|-<br />
| Application<br />
| KGUE (4B475545)<br />
| Flipnote Studio<br />
| 0 Nintendo Points<br />
|-<br />
| Game<br />
| KGRE (4B475245)<br />
| Guitar Rock Tour<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KLEE (4B4C4545)<br />
| Legends of Exidia<br />
| 800 Nintendo Points<br />
|-<br />
| Application<br />
| KWBE (4B574245)<br />
| Mario Calculator<br />
| 200 Nintendo Points<br />
|-<br />
| Application<br />
| KWFE (4B574645)<br />
| Mario Clock<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KDME (4B444D45)<br />
| Mario vs. Donkey Kong: Minis March Again!<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KMME (4B4D4D45)<br />
| Mixed Message<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAME (4B414D45)<br />
| Paper Airplane Chase<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KPBE (4B504245)<br />
| Photo Dojo<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KS9E (4B533945)<br />
| Real Football 2009<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| K4DE (4B344445)<br />
| Sudoku<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KUWE (4B555745)<br />
| WarioWare: Snapped!<br />
| 500 Nintendo Points<br />
|}<br />
<br />
=== System ===<br />
<br />
System Titles are all system applications or files used by the Nintendo DSi.<br />
<br />
====All Regions====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030005<br />
| HNDA (484e4441)<br />
| DS Download Play<br />
| 256<br />
| 256<br />
|-<br />
| 00030005<br />
| HNEA (484e4541)<br />
| Pictochat<br />
| 0<br />
| Not Available<br />
|-<br />
| 0003000f<br />
| HNCA (484e4341)<br />
| WiFi Firmware<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNHA (484e4841)<br />
| [[Nintendo DS Cart Whitelist]]<br />
| 256, 512, 768, 1024, 1280, 1536<br />
| 256, 512, 768, 1024, 1280, 1536<br />
|}<br />
<br />
====Japan====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGJ (484e474a)<br />
| [[Nintendo DSi Browser]]<br />
| 0, 512, 768<br />
| 0, 512, 768<br />
|-<br />
| 00030005<br />
| HNIJ (484e494a)<br />
| [[Nintendo DSi Camera]]<br />
| 256, 768, 1024<br />
| 256, 768, 1024<br />
|-<br />
| 00030005<br />
| HNJJ (484e4a4a)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKJ (484e4b4a)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLJ (484e4c4a)<br />
| [[Version Data]]<br />
| 1, 2, 3, 4, 5, 6, 7, 8, 9<br />
| 1, 2, 3, 4, 5, 6, 7, 8, 9<br />
|-<br />
| 00030015<br />
| HNOJ (484e4f4a)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBJ (484e424a)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFJ (484e464a)<br />
| [[Nintendo DSi Shop]]<br />
| 1024, 1280, 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
| 1024, 1280, 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
|-<br />
| 00030017<br />
| HNAJ (484e414a)<br />
| [[System Menu]] (Launcher)<br />
| 256, 512, 768, 1024, 1280, 1536, 1792<br />
| 256, 512, 768, 1024, 1280, 1536, 1792<br />
|}<br />
<br />
====United States====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGE (484e4745)<br />
| [[Nintendo DSi Browser]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNIE (484e4945)<br />
| [[Nintendo DSi Camera]]<br />
| 768, 1024<br />
| 768, 1024<br />
|-<br />
| 00030005<br />
| HNJE (484e4a45)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKE (484e4b45)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLE (484e4c45)<br />
| [[Version Data]]<br />
| 3, 4, 5, 6, 7, 8, 9<br />
| 3, 4, 5, 6, 7, 8, 9<br />
|-<br />
| 00030015<br />
| HNOE (484e4f45)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBE (484e4245)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFE (484e4645)<br />
| [[Nintendo DSi Shop]]<br />
| 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
| 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
|-<br />
| 00030017<br />
| HNAE (484e4145)<br />
| [[System Menu]] (Launcher)<br />
| 512, 768, 1024, 1280, 1536, 1792<br />
| 512, 768, 1024, 1280, 1536, 1792<br />
|}<br />
<br />
====Europe====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGP (484e4750)<br />
| [[Nintendo DSi Browser]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNIP (484e4950)<br />
| [[Nintendo DSi Camera]]<br />
| 768, 1024<br />
| 768, 1024<br />
|-<br />
| 00030005<br />
| HNJP (484e4a50)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKP (484e4b50)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLP (484e4c50)<br />
| [[Version Data]]<br />
| 3, 4, 5, 6, 7, 8, 9<br />
| 3, 4, 5, 6, 7, 8, 9<br />
|-<br />
| 00030015<br />
| HNOP (484e4f50)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBP (484e4250)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFP (484e4650)<br />
| [[Nintendo DSi Shop]]<br />
| 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
| 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
|-<br />
| 00030017<br />
| HNAP (484e4150)<br />
| [[System Menu]] (Launcher)<br />
| 512, 768, 1024, 1280, 1536, 1792<br />
| 512, 768, 1024, 1280, 1536, 1792<br />
|}<br />
<br />
====Australia and New Zealand====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGU (484e4755)<br />
| [[Nintendo DSi Browser]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNIU (484e4955)<br />
| [[Nintendo DSi Camera]]<br />
| 768, 1024<br />
| 768, 1024<br />
|-<br />
| 00030005<br />
| HNJU (484e4a55)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKU (484e4b55)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLU (484e4c55)<br />
| [[Version Data]]<br />
| 3, 4, 5, 6, 7, 8, 9<br />
| 3, 4, 5, 6, 7, 8, 9<br />
|-<br />
| 00030015<br />
| HNOU (484e4f55)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBU (484e4255)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFU (484e4655)<br />
| [[Nintendo DSi Shop]]<br />
| 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
| 1536, 1792, 2048, 2304, 2560, 2816, 3072<br />
|-<br />
| 00030017<br />
| HNAU (484e4155)<br />
| [[System Menu]] (Launcher)<br />
| 512, 768, 1024, 1280, 1536, 1792<br />
| 512, 768, 1024, 1280, 1536, 1792<br />
|}<br />
<br />
====China====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 0003000f<br />
| HNLC (484e4c43)<br />
| [[Version Data]]<br />
| 4, 5, 6, 7, 8, 9<br />
| 4, 5, 6, 7, 8, 9<br />
|-<br />
| 00030015<br />
| HNFC (484e4643)<br />
| [[Nintendo DSi Shop]]<br />
| 1792, 2048, 2304, 2560, 2816, 3072<br />
| 1792, 2048, 2304, 2560, 2816, 3072<br />
|-<br />
| 00030017<br />
| HNAC (484e4143)<br />
| [[System Menu]] (Launcher)<br />
| 768, 1024, 1280, 1536, 1792<br />
| 768, 1024, 1280, 1536, 1792<br />
|-<br />
| 00030015<br />
| HNBC (484e4243)<br />
| [[System Settings]]<br />
| 768<br />
| 768<br />
|}<br />
<br />
====Korea====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 0003000f<br />
| HNLK (484e4c4b)<br />
| [[Version Data]]<br />
| 5, 6, 7, 8, 9<br />
| 5, 6, 7, 8, 9<br />
|-<br />
| 00030015<br />
| HNFK (484e464b)<br />
| [[Nintendo DSi Shop]]<br />
| 1792, 2048, 2304, 2560, 2816, 3072<br />
| 1792, 2048, 2304, 2560, 2816, 3072<br />
|-<br />
| 00030017<br />
| HNAK (484e414b)<br />
| [[System Menu]] (Launcher)<br />
| 768, 1024, 1280, 1536, 1792<br />
| 768, 1024, 1280, 1536, 1792<br />
|-<br />
| 00030015<br />
| HNBK (484e424b)<br />
| [[System Settings]]<br />
| 768<br />
| 768<br />
|}<br />
<br />
== See also ==<br />
<br />
* [[Title metadata|Title metadata (TMD)]]<br />
* [http://wiibrew.org/wiki/NUS_Downloader NUS Downloader]<br />
* [[Nintendo DSi Shop]]<br />
* [[Nintendo Software]]<br />
* [[System Menu]]</div>Yellows8https://dsibrew.org/w/index.php?title=DSiBrew:News&diff=4310DSiBrew:News2012-12-12T00:44:31Z<p>Yellows8: /* News */</p>
<hr />
<div><noinclude><br />
==Adding an item==<br />
* Log in to the wiki. Editing is disabled if you don't have an account.<br />
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.<br />
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''<br />
<br />
==Archives==<br />
For older news, see the [[DSiBrew:News/Archive|news archive]].<br />
<br />
=== News ===<br />
<!-- Add news below --></noinclude><br />
*'''11 December 12''' Nintendo released [[System Menu 1.4.5]].<br />
*'''21 March 12''' Nintendo released [[System Menu 1.4.4]], updating [[Nintendo_DSi_Camera|Nintendo DSi Camera]], blocking Cooking Coach/Classic Word Games savedata exploits, and blocking flashcards.<br />
*'''25 August 11''' Team Twiizers released the final [http://hackmii.com/2011/08/final-dsiwarehax/ DSiWareHax].<br />
*'''29 June 11''' Nintendo released [[System Menu 1.4.3]] in all regions, blocking flash-cards.</div>Yellows8https://dsibrew.org/w/index.php?title=DSiBrew:News/Archive&diff=4309DSiBrew:News/Archive2012-12-12T00:44:07Z<p>Yellows8: </p>
<hr />
<div>*'''10 May 11''' Nintendo released a new system update, [[System Menu 1.4.2#Global_Update|System Menu 1.4.2]], globally. This blocks flash cards, and [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ blocks] copying all current and future DSiWare exploits to "internal memory".(A final Sudokuhax update will be [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ released] at same time as the final DSiWareHax mentioned in that post)<br />
*'''24 March 11''' An updated USA Sudoku was [http://hackmii.com/2011/01/sudokuhax-release/ released], which fixed all Sudoku string bugs. On roughly March 30 2011, EUR Sudoku was updated.<br />
*'''28 January 11''' 19 and 24 hours after the Sudokuhax release Nintendo [http://hackmii.com/2011/01/sudokuhax-release/ removed] EA's Sudoku from the EUR/AU and USA DSi Shop.<br />
*'''27 January 11''' Team Twiizers released DSiWare exploit [http://hackmii.com/2011/01/sudokuhax-release/ Sudokuhax], loads full DSi-mode homebrew from SD card.<br />
<br />
*'''14 January 11''' The DSi Common key has been disclosed to the public. Please do not post it here.<br />
<br />
*'''07 September 10''' Nintendo released [[System Menu 1.4.1]] in all regions except China where [[System Menu 1.4.2]] was released instead. This update blocks some flashcards.<br />
*'''25 August 10''' Dave J Murphy (WinterMute) released DSi Link, allowing running larger DSi mode homebrew binaries [http://davejmurphy.com/dsi-mode-homebrew-anyone/]<br />
*'''9 February 10''' Nintendo has released an update for the DSi System. The DSi [[Nintendo Zone]] client was updated to version 3.0, but the system still runs on [[System Menu 1.4]]. No other changes have been identified.<br />
*'''3 August 09''' Nintendo has released [[System Menu 1.4]] in every supported country.<br />
*'''2 August 09''' The Drunken Coders [http://drunkencoders.com/2009/08/dsi-hack-update/ have released] the exploit they are using to run unsigned code in DSi mode.<br />
*'''9 July 09:''' Team Twiizers successfully ran DSi-Mode Homebrew. More details can be found over at [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/ HackMii]<br />
*'''25 June 09:''' Voting has begun for the [[DSiBrew:Contests|DSiBrew logo]] contest! Please cast your vote '''[[DSiBrew talk:Contests#Voting time!|here]]'''.<br />
*'''8 June 09:''' The [[DSiBrew:Contests|DSiBrew logo]] contest is now closed to submissions.<br />
*'''12 April 09:''' A [[DSiBrew:Contests|DSiBrew logo]] contest has started.<br />
*'''5 April 09:''' The Nintendo DSi has been released in North America.<br />
*'''3 April 09:''' Nintendo has released [[System Update 1.3]]. DSi Shop is accessible. All DSi flashcarts still work. Added a button to start DSi Camera application when pressing L or R.<br />
*'''3 April 09:''' The Nintendo DSi has been released in Europe.<br />
*'''2 April 09:''' The Nintendo DSi has been released in Australia.<br />
*'''19 February 09:''' [http://nintendo.co.uk/NOE/en_GB/news/2008/nintendo_dsi_arrives_in_europe_on_3_april_2009_11627.html Nintendo of Europe] and [http://www.nintendo.com/whatsnew/detail/Q5D4ti_bPqJO_I0Oup0AMFudaUOLz6C7 Nintendo of America] have announced that the DSi will be released on April 3 in Europe and April 5 in North America.<br />
* '''25 January 09 ''': [[User:Bushing|Bushing]] from [http://www.hackmii.com Hackmii] created this wiki as a spinoff of the [http://wiibrew.org/wiki/Main_Page WiiBrew wiki].</div>Yellows8https://dsibrew.org/w/index.php?title=1.4.5&diff=43081.4.52012-12-12T00:43:22Z<p>Yellows8: Created page with "System Menu 1.4.5 was released on 11 December 2012 for all regions. == Changelog == * Blocks flash cards == See also == * System Menu * Nintendo Software {{System Me..."</p>
<hr />
<div>System Menu 1.4.5 was released on 11 December 2012 for all regions.<br />
<br />
== Changelog ==<br />
<br />
* Blocks flash cards<br />
<br />
== See also ==<br />
<br />
* [[System Menu]]<br />
* [[Nintendo Software]]<br />
<br />
{{System Menu Navigation}}</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4302DSi exploits2012-09-29T04:18:05Z<p>Yellows8: Emulation doesn't help at all with exploits when one has zero vulns in the first place.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers released a DSi-mode exploit called [[Sudokuhax]] that loads homebrew from the SD card in DSi-mode. The exploit requires that you have purchased EA's Sudoku game. More details and download: [http://hackmii.com/2011/01/sudokuhax-release/]. Additionally more DSiWare savegame exploits were released for the last time: [http://hackmii.com/2011/08/final-dsiwarehax/]. Copying these savegame exploits to NAND via system settings is [[System_Menu_1.4.2#Global_Update|blocked]] on the latest system version.<br />
<br />
Team Twiizers also have found a DSi-mode exploit in cooking coach and have managed to use it to run DSi-mode homebrew. However it has not yet been released. More details at: [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
The cooking coach and classic word games savegame exploits are [[System_Menu_1.4.4|blocked]] on the latest system version. Therefore, the only way to get DSi-mode homebrew running with the latest system version, is with a hardware workaround for the blocked DSi-mode gamecard exploits. Additionally, one could solder the NAND [[Hardware#NAND_pinout|pins]] to a MMC reader/writer, then extract dev.kp for DSiWareHax.<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of the latest DSi system version ==<br />
Rules<br />
<br />
1.→Do not remove ideas, only add<br />
<br />
2.→Do not delete this section<br />
<br />
3.→If your idea is 'Epic' mark it with * [only do this if it will certainly work]<br />
<br />
4.→Here is a list of users that can modify this page [delete ideas] cause they know whats possible and not possible:yellows8.<br />
<br />
5.→You must research whether your idea will work or not<br />
<br />
6.→nobody, not even the users on the rule 4. list can shorten a detailed idea.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4301DSi exploits2012-09-29T04:13:50Z<p>Yellows8: </p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers released a DSi-mode exploit called [[Sudokuhax]] that loads homebrew from the SD card in DSi-mode. The exploit requires that you have purchased EA's Sudoku game. More details and download: [http://hackmii.com/2011/01/sudokuhax-release/]. Additionally more DSiWare savegame exploits were released for the last time: [http://hackmii.com/2011/08/final-dsiwarehax/]. Copying these savegame exploits to NAND via system settings is [[System_Menu_1.4.2#Global_Update|blocked]] on the latest system version.<br />
<br />
Team Twiizers also have found a DSi-mode exploit in cooking coach and have managed to use it to run DSi-mode homebrew. However it has not yet been released. More details at: [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
The cooking coach and classic word games savegame exploits are [[System_Menu_1.4.4|blocked]] on the latest system version. Therefore, the only way to get DSi-mode homebrew running with the latest system version, is with a hardware workaround for the blocked DSi-mode gamecard exploits. Additionally, one could solder the NAND [[Hardware#NAND_pinout|pins]] to a MMC reader/writer, then extract dev.kp for DSiWareHax.<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest DSi version ==<br />
Rules<br />
<br />
1.→Do not Remove ideas, only add<br />
<br />
2.→Do not Delete this section<br />
<br />
3.→If your idea is 'Epic' mark it with * [only do this if it will certainly work]<br />
<br />
4.→Here is a list of users that can modify this page [delete ideas] cause they know whats possible and not possible:yellows8.<br />
<br />
5.→You must research whether your idea will work or not<br />
<br />
6.→nobody, not even the users on the rule 4. list can shorten a detailed idea.<br />
<br />
-An emulator/simulator,like the one for ipods. <br />
<br />
-This will help speed development of a hack. A full decryption of the entire dsi system[this is for hardcore devs].</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4300DSi exploits2012-09-26T05:12:10Z<p>Yellows8: /* DSi-mode exploits */</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers released a DSi-mode exploit called [[Sudokuhax]] that loads homebrew from the SD card in DSi-mode. The exploit requires that you have purchased EA's Sudoku game. More details and download: [http://hackmii.com/2011/01/sudokuhax-release/]. Additionally more DSiWare savegame exploits were released for the last time: [http://hackmii.com/2011/08/final-dsiwarehax/]. Copying these savegame exploits to NAND via system settings is [[System_Menu_1.4.2#Global_Update|blocked]] on the latest system version.<br />
<br />
Team Twiizers also have found a DSi-mode exploit in cooking coach and have managed to use it to run DSi-mode homebrew. However it has not yet been released. More details at: [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
The cooking coach and classic word games savegame exploits are [[System_Menu_1.4.4|blocked]] on the latest system version.<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
1.→Do not Remove ideas, only add<br />
<br />
2.→Do not Delete this section<br />
<br />
3.→If your idea is 'Epic' mark it with * [only do this if it will certainly work]<br />
<br />
4.→Here is a list of users that can modify this page [delete ideas] cause they know whats possible and not possible:yellows8.<br />
<br />
5.→You must research whether your idea will work or not<br />
<br />
6.→nobody, not even the users on the rule 4. list can shorten a detailed idea.<br />
<br />
-An emulator/simulator,like the one for ipods. <br />
<br />
-This will help speed development of a hack. A full decryption of the entire dsi system[this is for hardcore devs].<br />
<br />
-If a dsi even has ports [the stuff firewalls protect] a port scan.<br />
<br />
-*{warning...hardware mod} replace the dsi's main processer with the one from an ipod.<br />
<br />
-*{warning...hardware mod}replace the wifi chip/module, with one thats the same size, but better. Preferably one that requires less power or same amount of power. It certainly must perform better though [range,speed, etc.].<br />
<br />
-{warning...hardware hack}solder a conection from all: processor's, wifi-cards, memory-chips, and the flash card slot, too the sd card slot.<br />
<br />
-{warning...crazy mod}take the strongest magnet you have and wipe the dsi's memory clean with it[or just selected parts of dsi]. then reprogram it somehow without any homebrew security.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4297DSi exploits2012-09-26T04:36:47Z<p>Yellows8: "user is online" Text like this is not appropriate on a main wiki page.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
1.→Do not Remove ideas, only add<br />
<br />
2.→Do not Delete this section<br />
<br />
3.→If your idea is 'Epic' mark it with * [only do this if it will certainly work]<br />
<br />
4.→Here is a list of users that can modify this page [delete ideas] cause they know whats possible and not possible:yellows8.<br />
<br />
5.→You must research whether your idea will work or not<br />
<br />
6.→nobody, not even the users on the rule 4. list can shorten a detailed idea.<br />
<br />
-An emulator/simulator,like the one for ipods. <br />
<br />
-This will help speed development of a hack. A full decryption of the entire dsi system[this is for hardcore devs].<br />
<br />
-If a dsi even has ports [the stuff firewalls protect] a port scan.<br />
<br />
-{warning...hardware mod} replace the dsi's main processer with the one from an ipod.<br />
<br />
-{warning...hardware mod}replace the wifi chip/module, with one thats the same size, but better. Preferably one that requires less power or same amount of power. It certainly must perform better though [range,speed, etc.].</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4291DSi exploits2012-09-26T03:56:16Z<p>Yellows8: That requires RSA private keys as well.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
→Do not Remove ideas, only add<br />
<br />
→Do not Delete this section<br />
<br />
→If your idea is 'Epic' mark it with * [only do this if it will certainly work]<br />
<br />
→Here is a list of users that can modify this page [delete ideas] cause they know whats possible and not possible:yellows8.<br />
<br />
→You must research whether your idea will work or not<br />
<br />
-An emulator.<br />
<br />
-This will help speed development of a hack. A full decryption of the entire dsi system[this is for hardcore devs].</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4289DSi exploits2012-09-26T03:48:43Z<p>Yellows8: That was done a long while ago, minus the NAND bootloader.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
→Do not Remove ideas, only add<br />
<br />
→Do not Delete this section<br />
<br />
→If your idea is 'Epic' mark it with * [only do this if it will certainly work]<br />
<br />
→Here is a list of users that can modify this page [delete ideas] cause they know whats possible and not possible:yellows8.<br />
<br />
-A simulator/emulator, like the one for ipod [speeds-up exploition development].<br />
<br />
-Hack a game download from the dsi store . Replace the file thats downloaded from the dsi store, with a dsi exploiting file, plus the game.<br />
<br />
-A DSi download-play hack.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4287DSi exploits2012-09-26T03:45:42Z<p>Yellows8: You need code running on the system in the first place for accessing NAND via PC<>DSi comms.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
→Do not Remove ideas, only add<br />
<br />
→Do not Delete this section<br />
<br />
→If your idea is 'Epic' mark it with * [only do this if it will certainly work]<br />
<br />
→Here is a list of users that can modify this page [delete ideas] cause they know whats possible and not possible:yellows8.<br />
<br />
-A simulator/emulator, like the one for ipod [speeds-up exploition development].<br />
<br />
-Hack a game download from the dsi store . Replace the file thats downloaded from the dsi store, with a dsi exploiting file, plus the game.<br />
<br />
-A DSi download-play hack.</div>Yellows8https://dsibrew.org/w/index.php?title=User_talk:Yellows8&diff=4284User talk:Yellows82012-09-26T03:35:26Z<p>Yellows8: </p>
<hr />
<div>== stop doing that ==<br />
<br />
ur not understanding what i am thinking, for example when i said delete all i meant to surge the device with as much power as possible and wipe all files<br />
:Which will not work, which is why those sections were deleted.(And then you'd have a brick) --[[User:Yellows8|Yellows8]] 05:35, 26 September 2012 (CEST)</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4282DSi exploits2012-09-26T03:24:09Z<p>Yellows8: DSiWareHax is impossible to copy to the NAND with system settings on the latest system version.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
→Do not remove ideas, only add<br />
<br />
→Do not delete this section<br />
<br />
→If your idea is 'epic' mark it with * [only do this if it will certainly work]<br />
<br />
-A simulator/emulator, like the one for ipod [speeds-up exploition development].<br />
<br />
-A costom headphone jack that plugs into computer [usb] and can access dsi files or softmod it using a computer program.<br />
<br />
-Hack a game download from the dsi store . Replace the file thats downloaded from the dsi store, with a dsi exploiting file, plus the game.<br />
<br />
-A DSi download-play hack.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4281DSi exploits2012-09-26T03:22:00Z<p>Yellows8: That requires private keys too. RSA public keys for the TWL header are embedded in the bootrom.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
→Do not remove ideas, only add<br />
<br />
→Do not delete this section<br />
<br />
→If your idea is 'epic' mark it with * [only do this if it will certainly work]<br />
<br />
-A simulator/emulator, like the one for ipod [speeds-up exploition development].<br />
<br />
-A costom headphone jack that plugs into computer [usb] and can access dsi files or softmod it using a computer program.<br />
<br />
-There is 4 game [dsi shop] exploits that work on all system versions, exept the latest update. Make many more of them[about 10-15].<br />
<br />
-A costom charger cord with usb that plugs into computer, and a program described below.<br />
<br />
-Hack a game download from the dsi store . Replace the file thats downloaded from the dsi store, with a dsi exploiting file, plus the game.<br />
<br />
-A DSi download-play hack.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4280DSi exploits2012-09-26T03:19:23Z<p>Yellows8: That requires Nintendo's RSA private keys.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
Rules<br />
<br />
→Do not remove ideas, only add<br />
<br />
→Do not delete this section<br />
<br />
→If your idea is 'epic' mark it with * [only do this if it will certainly work]<br />
<br />
-A simulator/emulator, like the one for ipod [speeds-up exploition development].<br />
<br />
-A costom headphone jack that plugs into computer [usb] and can access dsi files or softmod it using a computer program.<br />
<br />
-There is 4 game [dsi shop] exploits that work on all system versions, exept the latest update. Make many more of them[about 10-15].<br />
<br />
-A costom charger cord with usb that plugs into computer, and a program described below.<br />
<br />
-A program that detects if usb cord is attached or has a manual ability called 'select a usb port'. Then it sends a virus that enter's the dsi and deletes by force all security patches and replaces them with fakes/replacements. All security certificate's however, are left untouched.<br />
<br />
-Hack a game download from the dsi store . Replace the file thats downloaded from the dsi store, with a dsi exploiting file, plus the game.<br />
<br />
-A DSi download-play hack.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4273DSi exploits2012-09-26T02:46:52Z<p>Yellows8: All software is RSA-signed. And download-play is boring since that's DS-mode only.</p>
<hr />
<div>This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
rules<br />
→do not remove ideas, only add<br />
<br />
→do not delete this section<br />
<br />
-a simulator/emulator like the one for ipod [to help hacking development]<br />
<br />
-a costom headphone jack that plugs into computer [usb] and can access dsi files or softmod using a computer program<br />
<br />
-there is 4 game [dsi shop] exploits that work on all system versions exept the latest.make more of them.<br />
<br />
-a costom charger cord with usb that plugs into computer and a program described below<br />
<br />
-a program that detects if usb cord is attached or has a manual ability called 'select a usb port'. it then sends a virus that enter's the dsi and deletes by force all security patches and replaces them with fakes/replacements.all security certificate's however are left untouched.<br />
<br />
-Hack a game download from the dsi store . Replace the file thats downloaded from the dsi store with a dsi exploiting file, plus the game.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4269DSi exploits2012-09-26T02:14:45Z<p>Yellows8: </p>
<hr />
<div>This page is dedicated to the listing of exploits which already exist used to run homebrew on the Nintendo DSi. Anyone may contribute to this list.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].</div>Yellows8https://dsibrew.org/w/index.php?title=Talk:DSi_exploits&diff=4268Talk:DSi exploits2012-09-26T02:13:28Z<p>Yellows8: </p>
<hr />
<div>== Dub-T's Nintendo DSi Shop Hack ==<br />
<br />
Erm, doesn't this just follow from what I wrote on Hackmii? http://hackmii.com/2009/01/dsibrew/ --[[User:Bushing|Bushing]] 11:41, 20 April 2009 (UTC)<br />
<br />
== Kasu's Hack ==<br />
<br />
Fake ? Everyone can do that using a DSi flashcard and remove it after ! <br/><br />
If it isn't a fake show us how you load the code ! --[[User:Ludo6431|Ludo6431]] 16:39, 20 April 2009 (UTC)<br />
<br />
== DSi-only Game Exploit ==<br />
<br />
Well, there's the first DSi-only game out there ([http://www.amazon.fr/Mon-coach-personnel-recettes-plaisir/dp/B001VOV7XI french cooking crap]). Is that of any use? [[User:BlackNeedle|BlackNeedle]] 00:20, 12 July 2009 (UTC)<br/><br />
Mh, actually it's a hybrid game with extra functionality (camera) on DSi. [[User:BlackNeedle|BlackNeedle]] 00:22, 12 July 2009 (UTC)<br />
There is 2 others game like this :<br />
- My Cooking Coach : Prepare Healthy Recipes [EUR]<br />
- Classic Word Games [EUR]<br />
<br />
But I don't know if DSiDev Team (include loopy, darkfader and the others on IRC) are working on it ! <small>—Preceding unsigned comment added by [[User:Geniusdj|Geniusdj]] ([[User talk:Geniusdj|talk]] • [[Special:Contributions/Geniusdj|contribs]]) 10:29, 9 July 2009 (UTC)</small><br />
Oh ! Team Twiizers have find an exploit (semi hardware and software, I guess) !<br />
But you're right that was one of those game who served for the exploit (Classic Word Game). <small>—Preceding unsigned comment added by [[User:Geniusdj|Geniusdj]] ([[User talk:Geniusdj|talk]] • [[Special:Contributions/Geniusdj|contribs]]) 15:08, 9 July 2009 (UTC)</small><br />
<br />
:ahhh, happy day. I'll be watching this closely.--[[User:Funkamatic|<font face="Copperplate Gothic Light"><font color="red">FUNK<font color="black">A</font>MATIC</font></font>]][[User talk:Funkamatic|<font face="Impact"><font color="black"> ~talk</font></font>]] 17:28, 9 July 2009 (UTC)<br />
<br />
We could try modifying the files it copies onto the SD card from the DSi Applications. I've been trying to do this but with no success. If anyone wants to help me out email me at: the2banned2one@gmail.com . Any help would be much appreciated. If I can get anything from this I will post it and the files here. --[[User:The2Banned2One|<font color="red">The2Banned2One</font>]][[User talk:The2Banned2One| ~talk]] <s>17:21, 5 August 2009 (EST)</s> <span style="font-size: smaller;" class="autosigned">—Preceding undated comment added 21:24, 5 August 2009 (UTC).</span><!--Template:Undated--><br />
<br />
== BannerBomb Like Exploit ==<br />
<br />
Could we program something that can make the DSi Crash and load homebrew like the Wii's Bannerbomb?<br />
--[[User:TWLREECE|TWLREECE]] 18:35, 17 August 2009 (UTC)<br />
<br />
== Action Replay DSi ==<br />
<br />
The Action Replay DSi runs in DSi Mode, has a Micro SD Card slot, and can run homebrew applications in a .nds format, could an installer program be written to install a homebrew channel on the DSi?--DSiDude<br />
:I'd like to know this also, but how do you know it runs in DSi mode?--[[User:Funkamatic|<font face="Copperplate Gothic Light"><font color="red">FUNK<font color="black">A</font>MATIC</font></font>]][[User talk:Funkamatic|<font face="Impact"><font color="black"> ~talk</font></font>]] 22:38, 21 January 2010 (UTC)<br />
<br />
According to [[http://www.youtube.com/watch?v=y4etylDSHrw this video]] the Action Replay DSi shows up as a Game and Watch collection NDS game. <br />
This automatically means it cannot support DSi mode, and is running in normal DS mode. -- neimod<br />
<br />
That IS the DSi Mode, because if you use it on a DS, it just automatically boots up the Action Replay, without going to the DS menu. I have tried this. I don't know much about the DSi's workings but I'm pretty sure of this. --DSiDude<br />
<br />
:No, it means the DSi System Menu will see it as a NDS game, not as a DSi game. As such it will disable all DSi features and revert to DS compatibility mode. Just try to load a DSi game, and it should fail to load (DSi only), or have all DSi features disabled (DSi enhanced). -- neimod<br />
<br />
::Action Replay on a DS always just boots up, that doesn't have anything to do with DSi mode --[[User:Bg4545|bg4545]] 03:19, 24 January 2010 (UTC)<br />
<br />
== Flip Note studio bug ==<br />
<br />
i dunno if this is of ANY use to anyone, but i found a glitch in Flipnote studio. As you may know, it accesses the SD card to see if there are any animations. I noticed it also tries to access the SD card when youre in a flipnote. I was making an animation, and i go to the story board mode to delete some frames. It then gave me a pop-up saying The object in the SD card slot could not be read (or something like that). It gives me that particular message because i have an SD adapter thats supposed to hold a micro sd. Anyways, just trying to be helpful.<br />
<br />
That's only useless MMC hw fail. That isn't exploitable at all. --[[User:Yellows8|Yellows8]] 02:44, 26 November 2010 (CET)<br />
<br />
No, not that, just the odd timing of it trying to access the SD card was weird to me.<br />
<br />
== Team Cyclops flashcard ==<br />
<br />
It's called the CycloDsi, and i guess it can access DSi features. Should that go on this exploits page?<br />
[http://www.cyclopsds.com/cgi-bin/cyclods/engine.pl here's] their site.<br />
<br />
: The exploits page is only for homebrew exploits, _no_ flash cards. And if you look at recent changes a news entry for that flash card was removed. --[[User:Yellows8|Yellows8]] 00:00, 19 December 2010 (CET)<br />
<br />
: Only technical information regarding the internal workings of the card exploit is welcome. Just pointing to a site that claims to have built a flashcard that has access to DSi features is NOT useful. --[[User:Neimod|Neimod]] 04:48, 19 December 2010 (CET)<br />
<br />
== List of ideas for exploitation/hacking of latest dsi version ==<br />
<br />
iwantfun-a hack using download play<br />
<br />
iwantfun-an simulator/emulator like the one for ipod [this is to help hacking development]<br />
<br />
iwantfun-a costom headphone jack that plugs into computer [usb] and can access dsi files or softmod from a computer program<br />
<br />
iwantfun-there is 4 game [dsi shop] exploits that work on all system versions exept latest.make more of them.<br />
<br />
iwantfun-a costom charger cord with usb that plugs into computer and a program described below<br />
<br />
iwantfun-a program that detects if usb cord is attached or has a manual ability called 'select a usb port'. then it sends a virus that enter's the dsi [ or any unfortionate device u forgot to unplug] and deletes by force all security files and replaces them with fakes/replacements.all security certificate's however are left untouched.I am not liable for any damages caused by this on said 'unfortunate' devices.<br />
<br />
iwantfun-this is a likely to work method.using a different program then described above.this program deletes everything and replaces all of the files with any force neccesary.one way to ensure this is to make the program not interpret any of the data and give it all of the known unencryption keys, certificate's, and signature's in case it needs it. it would also have the administrative power [either though something fake,though hacking, or legit/real].it would replace the system with already hacked files, menu, etc.<br />
<br />
iwantfun-this will also likely work. hack a game download from the dsi store . replace the file thats downloaded from the dsi store with a dsi exploiting file, plus the game.</div>Yellows8https://dsibrew.org/w/index.php?title=DSi_exploits&diff=4267DSi exploits2012-09-26T02:13:23Z<p>Yellows8: </p>
<hr />
<div>This page is dedicated to the listing of exploits used to run homebrew on the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, including the removal of sub-sections.<br />
<br />
== DSi-mode exploits ==<br />
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].<br />
<br />
Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.<br />
<br />
<br />
Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]<br />
<br />
If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].<br />
<br />
== DS-mode exploits ==<br />
<br />
This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.<br />
<br />
Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].</div>Yellows8https://dsibrew.org/w/index.php?title=DSiBrew_talk:News&diff=4246DSiBrew talk:News2012-09-23T23:18:25Z<p>Yellows8: </p>
<hr />
<div>== Forbidden News / Material? ==<br />
<br />
I'm trying to be a general maintenance guy around here, editing links into things and organizing and whatnot, and I realized that some of the articles that are getting pulled from the front page didn't send up red flags to me. I mean, the DS download service one was pretty obviously against everything moral, but the carts didn't throw up a red flag because I personally *use* an R4 for homebrew, and the idea of using it for piracy doesn't immediately come to mind. (I don't, never have.)<br />
<br />
So what exactly do we not allow here? Clearly anything that's blatantly for piracy is out. Since the DSi is likely going to get some kind of SD card loader, do we want to avoid flash cart in general here? What should definitely not be here? --[[User:Thegamefreak0134|Thegamefreak0134]] 18:28, 22 August 2009 (UTC)<br />
<br />
I'm mulling over the update history, someone needs to ban that kid. ^_^ --[[User:Thegamefreak0134|Thegamefreak0134]] 12:47, 26 August 2009 (UTC)<br />
<br />
: Do not post claims or announcements about DSi exploits or homebrew flashcards that at the time cannot be verified.[[User:Neimod|Neimod]] 10:30, 27 December 2010 (CET)<br />
<br />
== Yellows8 ==<br />
.:SOLUTION?:.<br />
I think i know a solution for downloading Homebrew onto the NDS when it's made.<br />
I've noticed that a group called Pokemon Fan Centre has made an edit to a wi-fi place in the pokemon games.they did it by doing this:<br />
<br />
In your DS's wifi settings,<br />
http://gts.determinismsucks.net/gtsinstruct2.png<br />
assuming you've already got a connection to your local wireless network set up, click the settings for that connection.<br />
http://gts.determinismsucks.net/gtsinstruct3.png<br />
Scroll down a bit and, where it says something about the "DNS", change Autoconnect to "No",<br />
http://gts.determinismsucks.net/gtsinstruct4a.png<br />
and manually enter "X.X.X.X" as the primary DNS server.<br />
http://gts.determinismsucks.net/gtsinstruct5.png<br />
Save your settings.<br />
<br />
So i think it would be a good idea to set up a DNS server and using it on the DSi Shop to dowload DSiBrew. 9:08, 8 April 2010.<small>By FireGrey</small><br />
<br />
DNS redirection can't be used with the shop to install a homebrew title. The shop uses only https, we can't send anything with https, as DS will reject our certificates. --[[User:Yellows8|Yellows8]] 20:57, 8 April 2010 (UTC)<br />
<br />
Going along the idea of DNS redirection, could Wireshark be used to capture the SSL certificate? --[[User:Shawnbusker|Shawnbusker]] 03:49, 23 September 2012 (CEST)<br />
:You'd obtain exactly the same cert that your browser would receive that way. You can't obtain the server privk either. The cert is signed by Nintendo, the root CA cert is stored in [[Version Data]]. --[[User:Yellows8|Yellows8]] 01:18, 24 September 2012 (CEST)<br />
<br />
I'm so happy they find an exploit but does it coming to be realased ? <small>—Preceding unsigned comment added by [[User:Geniusdj|Geniusdj]] ([[User talk:Geniusdj|talk]] • [[Special:Contributions/Geniusdj|contribs]]) 15:07, 9 July 2009 (UTC)</small></div>Yellows8https://dsibrew.org/w/index.php?title=Talk:Nintendo_DSi_Shop&diff=4245Talk:Nintendo DSi Shop2012-09-23T23:11:30Z<p>Yellows8: </p>
<hr />
<div>should we link to a list of the current titles or should we keep our own?<br />
<br />
"it appears that the DSi may have SSL certificates required to do so, and that these may be present in the DSi Shop Channel contents when decrypted." - I have checked the contents of the Shop Channel through NUSDownloader and dsbuff and there were not any SSL certificates in the .app. Perhaps it's in the NAND? Also, I tried browsing https://tss.t.shop.nintendowifi.net/ through the opera browser and it didn't seem to have the certificate available to the application. --shawnbusker<br />
:The SSL client cert and client privk are stored encrypted in [[Version Data]]. --[[User:Yellows8|Yellows8]] 01:11, 24 September 2012 (CEST)</div>Yellows8https://dsibrew.org/w/index.php?title=System_update&diff=4193System update2012-05-24T00:07:42Z<p>Yellows8: added missing sysupdate, though the versions are on the title_list.</p>
<hr />
<div>[[Image:Dsisystemmenu.png|thumb|right|223px|The DSi System Menu with a title inserted.]]<br />
<br />
The System Menu (DSi Menu) is software shipped pre-installed on every DSi which allows the launching of games from official Nintendo certified game carts, "channels", or DSiWare titles. It runs a GUI similar to the Wii's "Wii Menu".<br />
The DSi runs in permission modes similar to the Wii, where running in backwards compatibility mode turns off extra hardware and down-clocks the CPU.<br />
Using the power button you can soft reset to return to the menu while in game (or in a DSi application), similar to the "Home Menu" on the Wii. <br />
Game carts can also be hot-swapped while in the menu. <br />
<br />
The Nintendo DSi "System Menu" updates are made up of newer components of one or more system titles, as well as a new version of the [[Version Data]] bundle (which contains the user-visible version number).<br />
== Versions ==<br />
<br />
{| class="wikitable" width="100%"<br />
|-<br />
! Version <br />
! Release date <br />
! Changelog<br />
|-<br />
| 1.0<br />
| October 22, 2008<br />
| First Update to Japanese Region DSi System Menu<br />
|-<br />
| [[System Menu 1.2|1.2]]<br />
| December 18, 2008<br />
| Second Update to Japanese Region DSi System Menu<br />
|-<br />
| [[System Menu 1.3|1.3]]<br />
| Launch Day (USA, EUR, AUS)<br />
| Added a "start DSi Camera" button [[System Menu 1.3#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4|1.4]]<br />
| July 29, 2009 (JAP); July 30, 2009 (EUR, AUS); August 3, 2009 (USA)<br />
| Facebook support to share photos [[System Menu 1.4#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.1|1.4.1]]<br />
| September 7, 2010 (All Regions)<br />
| Features Behind-the-Scenes improvements to system performance [[System Menu 1.4.1#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.2|1.4.2]]<br />
| September 11, 2010 (CHN)<br />
| Features Behind-the-Scenes improvements to system performance [[System Menu 1.4.2#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.2#Global_Update|1.4.2]]<br />
| May 10, 2011 (All Regions Except CHN)<br />
| Blocks copying all current and future DSiWare exploits to "internal memory" [[System Menu 1.4.2#Global_Update|[more here]]]<br />
|-<br />
| [[System Menu 1.4.2#Global_Update|1.4.3C]]<br />
| May 10, 2011 (CHN)<br />
| Blocks copying all current and future DSiWare exploits to "internal memory" [[System Menu 1.4.2#Global_Update|[more here]]]<br />
|-<br />
| 1.4.3<br />
| June 29, 2011 (All Regions Except CHN)<br />
| Blocks flashcards.(Only whitelist was updated)<br />
|-<br />
| 1.4.4C (CHN)<br />
| June 29, 2011<br />
| Blocks flashcards.(Only whitelist was updated)<br />
|-<br />
| [[System Menu 1.4.4|1.4.4]]<br />
| March 21, 2012 (All Regions Except CHN)<br />
| Updates the Nintendo DSi Camera to fix an issue when sending pictures to Facebook, Features Behind-the-Scenes improvements to system <br />
performance, blocks Flashcarts except the R4i Gold Pro, Blocks the Cooking Coach and Classic Word Games savedata exploits [[System_Menu_1.4.4#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.4|1.4.5C]]<br />
| March 21, 2012 (CHN)<br />
| Updates the Nintendo DSi Camera to fix an issue when sending pictures to Facebook, Features Behind-the-Scenes improvements to system <br />
performance, blocks Flashcarts except the R4i Gold Pro, Blocks the Cooking Coach and Classic Word Games savedata exploits [[System_Menu_1.4.4#Changelog|[more here]]]<br />
|}<br />
<br />
== See also ==<br />
<br />
* [[Nintendo Software]]</div>Yellows8https://dsibrew.org/w/index.php?title=System_update&diff=4190System update2012-03-23T17:41:04Z<p>Yellows8: fix copy-paste</p>
<hr />
<div>[[Image:Dsisystemmenu.png|thumb|right|223px|The DSi System Menu with a title inserted.]]<br />
<br />
The System Menu (DSi Menu) is software shipped pre-installed on every DSi which allows the launching of games from official Nintendo certified game carts, "channels", or DSiWare titles. It runs a GUI similar to the Wii's "Wii Menu".<br />
The DSi runs in permission modes similar to the Wii, where running in backwards compatibility mode turns off extra hardware and down-clocks the CPU.<br />
Using the power button you can soft reset to return to the menu while in game (or in a DSi application), similar to the "Home Menu" on the Wii. <br />
Game carts can also be hot-swapped while in the menu. <br />
<br />
The Nintendo DSi "System Menu" updates are made up of newer components of one or more system titles, as well as a new version of the [[Version Data]] bundle (which contains the user-visible version number).<br />
== Versions ==<br />
<br />
{| class="wikitable" width="100%"<br />
|-<br />
! Version <br />
! Release date <br />
! Changelog<br />
|-<br />
| 1.0<br />
| October 22, 2008<br />
| First Update to Japanese Region DSi System Menu<br />
|-<br />
| [[System Menu 1.2|1.2]]<br />
| December 18, 2008<br />
| Second Update to Japanese Region DSi System Menu<br />
|-<br />
| [[System Menu 1.3|1.3]]<br />
| Launch Day (USA, EUR, AUS)<br />
| Added a "start DSi Camera" button [[System Menu 1.3#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4|1.4]]<br />
| July 29, 2009 (JAP); July 30, 2009 (EUR, AUS); August 3, 2009 (USA)<br />
| Facebook support to share photos [[System Menu 1.4#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.1|1.4.1]]<br />
| September 7, 2010 (All Regions)<br />
| Features Behind-the-Scenes improvements to system performance [[System Menu 1.4.1#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.2|1.4.2]]<br />
| September 11, 2010 (CHN)<br />
| Features Behind-the-Scenes improvements to system performance [[System Menu 1.4.2#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.2#Global_Update|1.4.2]]<br />
| May 10, 2011 (All Regions Except CHN)<br />
| Blocks copying all current and future DSiWare exploits to "internal memory" [[System Menu 1.4.2#Global_Update|[more here]]]<br />
|-<br />
| [[System Menu 1.4.2#Global_Update|1.4.3C]]<br />
| May 10, 2011 (CHN)<br />
| Blocks copying all current and future DSiWare exploits to "internal memory" [[System Menu 1.4.2#Global_Update|[more here]]]<br />
|-<br />
| [[System Menu 1.4.4|1.4.4]]<br />
| March 21, 2012 (All Regions Except CHN)<br />
| Updates the Nintendo DSi Camera to fix an issue when sending pictures to Facebook, Features Behind-the-Scenes improvements to system <br />
performance, blocks Flashcarts except the R4i Gold Pro, Blocks the Cooking Coach and Classic Word Games savedata exploits [[System_Menu_1.4.4#Changelog|[more here]]]<br />
|-<br />
| [[System Menu 1.4.4|1.4.5C]]<br />
| March 21, 20121 (CHN)<br />
| Updates the Nintendo DSi Camera to fix an issue when sending pictures to Facebook, Features Behind-the-Scenes improvements to system <br />
performance, blocks Flashcarts except the R4i Gold Pro, Blocks the Cooking Coach and Classic Word Games savedata exploits [[System_Menu_1.4.4#Changelog|[more here]]]<br />
|}<br />
<br />
== See also ==<br />
<br />
* [[Nintendo Software]]</div>Yellows8https://dsibrew.org/w/index.php?title=1.4.4&diff=41871.4.42012-03-22T21:29:52Z<p>Yellows8: /* Changelog */</p>
<hr />
<div>System Menu 1.4.4 was released on 21 March 2012 for all regions.(Known as 1.4.5C for China)<br />
<br />
== Changelog ==<br />
<br />
* Updated [[Nintendo_DSi_Camera|Nintendo DSi Camera]], from Nintendo's update page: "This update resolves an issue that could have created connection problems when uploading photos to Facebook."<br />
* Blocks the Cooking Coach and Classic Word Games savedata exploits. These EEPROM exploits are dead, the only way around this is to return fake data to launcher when it reads EEPROM.<br />
* Blocks flashcards<br />
<br />
Launcher checks whether the byte in the saveslot name string where the null-terminator would be is non-zero, when non-zero it's regarded as "corrupted". The Cook-Coach code checks several other things in the first saveslot data,(the same saveslot where the only player name is stored) while the Classic Word Games code only checks the string in both saveslots. When launcher finds that the saveslot is "corrupted", it overwrites the saveslot with garbage.<br />
<br />
== See also ==<br />
<br />
* [[System Menu]]<br />
* [[Nintendo Software]]<br />
<br />
{{System Menu Navigation}}</div>Yellows8https://dsibrew.org/w/index.php?title=1.4.4&diff=41861.4.42012-03-22T21:07:16Z<p>Yellows8: /* Changelog */</p>
<hr />
<div>System Menu 1.4.4 was released on 21 March 2012 for all regions.(Known as 1.4.5C for China)<br />
<br />
== Changelog ==<br />
<br />
* Updated [[Nintendo_DSi_Camera|Nintendo DSi Camera]], from Nintendo's update page: "This update resolves an issue that could have created connection problems when uploading photos to Facebook."<br />
* Blocks the Cooking Coach and Classic Word Games savedata exploits. These EEPROM exploits are dead, the only way around this is to return fake data to launcher when it reads EEPROM.<br />
* Blocks flashcards<br />
<br />
== See also ==<br />
<br />
* [[System Menu]]<br />
* [[Nintendo Software]]<br />
<br />
{{System Menu Navigation}}</div>Yellows8https://dsibrew.org/w/index.php?title=1.4.4&diff=41851.4.42012-03-22T21:04:50Z<p>Yellows8: /* Changelog */</p>
<hr />
<div>System Menu 1.4.4 was released on 21 March 2012 for all regions.(Known as 1.4.5C for China)<br />
<br />
== Changelog ==<br />
<br />
* Updated [[Nintendo_DSi_Camera|Nintendo DSi Camera]], from Nintendo's update page: "This update resolves an issue that could have created connection problems when uploading photos to Facebook."<br />
* Blocks the Cooking Coach and Classic Word Games savedata exploits. These EEPROM exploits are dead, the only way around this is to return garbage to launcher when it reads EEPROM.<br />
* Blocks flashcards<br />
<br />
== See also ==<br />
<br />
* [[System Menu]]<br />
* [[Nintendo Software]]<br />
<br />
{{System Menu Navigation}}</div>Yellows8https://dsibrew.org/w/index.php?title=DSiBrew:News&diff=4184DSiBrew:News2012-03-22T16:40:14Z<p>Yellows8: /* News */</p>
<hr />
<div><noinclude><br />
==Adding an item==<br />
* Log in to the wiki. Editing is disabled if you don't have an account.<br />
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.<br />
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''<br />
<br />
==Archives==<br />
For older news, see the [[DSiBrew:News/Archive|news archive]].<br />
<br />
=== News ===<br />
<!-- Add news below --></noinclude><br />
*'''21 March 12''' Nintendo released [[System Menu 1.4.4]], updating [[Nintendo_DSi_Camera|Nintendo DSi Camera]], blocking Cooking Coach/Classic Word Games savedata exploits, and blocking flashcards.<br />
*'''25 August 11''' Team Twiizers released the final [http://hackmii.com/2011/08/final-dsiwarehax/ DSiWareHax].<br />
*'''29 June 11''' Nintendo released [[System Menu 1.4.3]] in all regions, blocking flash-cards.<br />
*'''10 May 11''' Nintendo released a new system update, [[System Menu 1.4.2#Global_Update|System Menu 1.4.2]], globally. This blocks flash cards, and [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ blocks] copying all current and future DSiWare exploits to "internal memory".(A final Sudokuhax update will be [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ released] at same time as the final DSiWareHax mentioned in that post)</div>Yellows8https://dsibrew.org/w/index.php?title=1.4.4&diff=41831.4.42012-03-22T16:36:53Z<p>Yellows8: /* Changelog */</p>
<hr />
<div>System Menu 1.4.4 was released on 21 March 2012 for all regions.(Known as 1.4.5C for China)<br />
<br />
== Changelog ==<br />
<br />
* Updated [[Nintendo_DSi_Camera|Nintendo DSi Camera]], from Nintendo's update page: "This update resolves an issue that could have created connection problems when uploading photos to Facebook."<br />
* Blocks the Cooking Coach and Classic Word Games savedata exploits<br />
* Blocks flashcards<br />
<br />
== See also ==<br />
<br />
* [[System Menu]]<br />
* [[Nintendo Software]]<br />
<br />
{{System Menu Navigation}}</div>Yellows8https://dsibrew.org/w/index.php?title=1.4.4&diff=41821.4.42012-03-22T15:42:27Z<p>Yellows8: /* Changelog */</p>
<hr />
<div>System Menu 1.4.4 was released on 21 March 2012 for all regions.(Known as 1.4.5C for China)<br />
<br />
== Changelog ==<br />
<br />
* Updated [[Nintendo_DSi_Camera|Nintendo DSi Camera]], from Nintendo's update page: "This update resolves an issue that could have created connection problems when uploading photos to Facebook."<br />
* Blocks flashcards<br />
<br />
== See also ==<br />
<br />
* [[System Menu]]<br />
* [[Nintendo Software]]<br />
<br />
{{System Menu Navigation}}</div>Yellows8https://dsibrew.org/w/index.php?title=Title_database&diff=4181Title database2012-03-22T01:40:16Z<p>Yellows8: 1.4.4 update</p>
<hr />
<div>The Nintendo DSi uses the same title scheme and introduces separate DSi update servers; Also introduced was a new common-key for DSi title decryption. <br />
<br />
As with the Wii, the [[title metadata]] aka "TMD" for these titles can be found on the Nintendo Update Servers.<br />
<br />
Each title specific url uses a 4 ASCII character code denoting what type of title it is and what region it comes from.<br />
<br />
Titles can be downloaded and decrypted with [http://wiibrew.org/wiki/NUS_Downloader NUS Downloader], a program that allows titles to be fetched from the Nintendo Update Servers.<br />
<br />
== Title codes ==<br />
<br />
=== Region Codes ===<br />
<br />
Region codes are used to determine what region a title belongs to. They are at the end of a Title ID. Eg. XXXA, XXXJ<br />
<br />
{| class="wikitable sortable" width="55%"<br />
|-<br />
! ASCII<br />
! HEX<br />
! Region<br />
|-<br />
| A<br />
| 41<br />
| Region Independent<br />
|-<br />
| C<br />
| 43<br />
| China<br />
|-<br />
| E<br />
| 45<br />
| North America<br />
|-<br />
| H<br />
| 48<br />
| Belgium / Netherlands (DSiWare Only)<br />
|-<br />
| J<br />
| 4A<br />
| Japan<br />
|-<br />
| K<br />
| 4B<br />
| Korea<br />
|-<br />
| O<br />
| 4F<br />
| Unknown<br />
|-<br />
| P<br />
| 50<br />
| Australia and other PAL regions (System and DSiWare)<br />
|-<br />
| T<br />
| 54<br />
| Unknown<br />
|-<br />
| U<br />
| 55<br />
| Australia and New Zealand<br />
|-<br />
| V<br />
| 56<br />
| Europe (DSiWare Only)<br />
|-<br />
| X<br />
| 58<br />
| Unknown<br />
|}<br />
<br />
=== System Codes ===<br />
<br />
System codes are used to determine what type of title it is. They are at the beginning of a Title ID. Eg. KXXX. HXXX<br />
<br />
{| class="wikitable sortable" width="50%"<br />
|-<br />
! ASCII<br />
! HEX<br />
! Type<br />
|-<br />
| K<br />
| 4B<br />
| DSiWare Title<br />
|-<br />
| H<br />
| 48<br />
| System \ Channel<br />
|}<br />
<br />
== Title Database ==<br />
<br />
=== DSiWare (00030004) ===<br />
<br />
DSiWare is an online service available on the [[Nintendo DSi Shop]] to download DSi applications.<br />
<br />
==== Europe ====<br />
<br />
The official list of DSi Ware Europe titles is located on [http://www.nintendo.co.uk/NOE/en_GB/games/nintendo_dsiware_11805.html the Nintendo Europe website]<br />
<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Price<br />
|-<br />
| Game<br />
| KNRV (4B4E5256)<br />
| A Little Bit of... Brain Training™: Maths Edition<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KD9V (4B443956)<br />
| A Little Bit of... Dr. Mario™<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KM9P (4B4D3950)<br />
| A Little Bit of... Magic Made Fun™: Deep Psyche<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMFP (4B4D4650)<br />
| A Little Bit of... Magic Made Fun™: Funny Face<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMSP (4B4D5350)<br />
| A Little Bit of... Magic Made Fun™: Shuffle Games<br />
| 200 Nintendo Points<br />
|-<br />
| Application<br />
| KWGV (4B574756)<br />
| [[Nintendo DSi Calculator|Animal Crossing Calculator]]<br />
| 200 Nintendo Points<br />
|-<br />
| Application<br />
| KWCV (4B574356)<br />
| [[Nintendo DSi Clock|Animal Crossing Clock]]<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAAV (4B414156)<br />
| Art Style: AQUITE<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KADV (4B414456)<br />
| Art Style: CODE<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAKV (4B414B56)<br />
| Art Style: KuBos<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KASV (4B415356)<br />
| Art Style: NEMREM<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAPV (4B415056)<br />
| Art Style: PiCOPiCT<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KA4V (4B413456)<br />
| Asphalt 4: Elite Racing<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KGRV (4B475256)<br />
| Guitar Rock Tour<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KLEV (4B4C4556)<br />
| Legends of Exidia<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KMMV (4B4D4D56)<br />
| Mixed Message<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAMV (4B414D56)<br />
| Paper Plane<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KPOV (4B504F56)<br />
| Pop Superstar!: Road to Celebrity<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KP6V (4B503656)<br />
| Pyoro<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KS9V (4B533956)<br />
| Real Football 2009<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| K4DE (4B344445)<br />
| Sudoku<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KSMV (4B534D56)<br />
| SUDOKU 150! For Challengers<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KUWV (4B555756)<br />
| WarioWare: Snapped!<br />
| 500 Nintendo Points<br />
|}<br />
<br />
==== Japan ====<br />
<br />
The official list of DSi Ware Japan titles is located on [http://www.nintendo.co.jp/ds/dsiware/titlelist.html the Nintendo japanese website]<br />
<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Price<br />
|-<br />
| Game<br />
| KMSJ (4B4D534A)<br />
| 3-tsu no Shuffle Game<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAAJ (4B41414A)<br />
| Art Style: AQUARIO<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KADJ (4B41444A)<br />
| Art Style: DECODE<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAPJ (4B41504A)<br />
| Art Style: PICOPICT<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KASJ (4B41534A)<br />
| Art Style: SOMNIUM<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KTPJ (4B54504A)<br />
| Asobi Taizen<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KNRJ (4B4E524A)<br />
| Brain Training - Science version<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KD9J (4B44394A)<br />
| A Little Bit of... Dr. Mario™<br />
| 500 Nintendo Points<br />
|-<br />
| Application<br />
| KDGJ (4B44474A)<br />
| Dokodemo [http://en.wikipedia.org/wiki/Wii_no_Ma Wiinoma]<br />
| 0 Nintendo Points<br />
|-<br />
| Game<br />
| KMFJ (4B4D464A)<br />
| A Little Bit of... Magic Made Fun™: Funny Face<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAMJ (4B414D4A)<br />
| Kami Hikouki<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KLEJ (4B4C454A)<br />
| Legends of Exidia<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KMMJ (4B4D4D4A)<br />
| Mixed Message<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KM9J (4B4D394A)<br />
| Osoroshii Suuji<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KP6J (4B50364A)<br />
| Tori to Mame<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KGUJ (4B47554A)<br />
| Ugoku Memo Chou<br />
| 0 Nintendo Points<br />
|-<br />
| Game<br />
| KUWJ (4B55574A)<br />
| Utsutsu! Made in Wario<br />
| 500 Nintendo Points<br />
|-<br />
|}<br />
<br />
==== United States ====<br />
<br />
The official list of DSi Ware US titles is located on [http://www.nintendo.com/games/guide#qhardware=DS&qesrbRating=&qplay=dsiware&qgenre=&qrelease=&panel=qplay the Nintendo US website]<br />
<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Price<br />
|-<br />
| Game<br />
| KM9E (4B4D3945)<br />
| A Little Bit of... Magic Made Fun™: Deep Psyche<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMFE (4B4D4645)<br />
| A Little Bit of... Magic Made Fun™: Funny Face<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KMSE (4B4D5345)<br />
| A Little Bit of... Magic Made Fun™: Shuffle Games<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KAAE (4B414145)<br />
| Art Style: AQUIA<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KP6E (4B503645)<br />
| Bird & Beans<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KD9E (4B443945)<br />
| Dr. Mario Express<br />
| 500 Nintendo Points<br />
|-<br />
| Application<br />
| KGUE (4B475545)<br />
| Flipnote Studio<br />
| 0 Nintendo Points<br />
|-<br />
| Game<br />
| KGRE (4B475245)<br />
| Guitar Rock Tour<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KLEE (4B4C4545)<br />
| Legends of Exidia<br />
| 800 Nintendo Points<br />
|-<br />
| Application<br />
| KWBE (4B574245)<br />
| Mario Calculator<br />
| 200 Nintendo Points<br />
|-<br />
| Application<br />
| KWFE (4B574645)<br />
| Mario Clock<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KDME (4B444D45)<br />
| Mario vs. Donkey Kong: Minis March Again!<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| KMME (4B4D4D45)<br />
| Mixed Message<br />
| 500 Nintendo Points<br />
|-<br />
| Game<br />
| KAME (4B414D45)<br />
| Paper Airplane Chase<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KPBE (4B504245)<br />
| Photo Dojo<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KS9E (4B533945)<br />
| Real Football 2009<br />
| 800 Nintendo Points<br />
|-<br />
| Game<br />
| K4DE (4B344445)<br />
| Sudoku<br />
| 200 Nintendo Points<br />
|-<br />
| Game<br />
| KUWE (4B555745)<br />
| WarioWare: Snapped!<br />
| 500 Nintendo Points<br />
|}<br />
<br />
=== System ===<br />
<br />
System Titles are all system applications or files used by the Nintendo DSi.<br />
<br />
====All Regions====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030005<br />
| HNDA (484e4441)<br />
| DS Download Play<br />
| 256<br />
| 256<br />
|-<br />
| 00030005<br />
| HNEA (484e4541)<br />
| Pictochat<br />
| 0<br />
| Not Available<br />
|-<br />
| 0003000f<br />
| HNCA (484e4341)<br />
| WiFi Firmware<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNHA (484e4841)<br />
| [[Nintendo DS Cart Whitelist]]<br />
| 256, 512, 768, 1024, 1280<br />
| 256, 512, 768, 1024, 1280<br />
|}<br />
<br />
====Japan====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGJ (484e474a)<br />
| [[Nintendo DSi Browser]]<br />
| 0, 512, 768<br />
| 0, 512, 768<br />
|-<br />
| 00030005<br />
| HNIJ (484e494a)<br />
| [[Nintendo DSi Camera]]<br />
| 256, 768, 1024<br />
| 256, 768, 1024<br />
|-<br />
| 00030005<br />
| HNJJ (484e4a4a)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKJ (484e4b4a)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLJ (484e4c4a)<br />
| [[Version Data]]<br />
| 1, 2, 3, 4, 5, 6, 7, 8<br />
| 1, 2, 3, 4, 5, 6, 7, 8<br />
|-<br />
| 00030015<br />
| HNOJ (484e4f4a)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBJ (484e424a)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFJ (484e464a)<br />
| [[Nintendo DSi Shop]]<br />
| 1024, 1280, 1536, 1792, 2048, 2304, 2560, 2816<br />
| 1024, 1280, 1536, 1792, 2048, 2304, 2560, 2816<br />
|-<br />
| 00030017<br />
| HNAJ (484e414a)<br />
| [[System Menu]] (Launcher)<br />
| 256, 512, 768, 1024, 1280, 1536<br />
| 256, 512, 768, 1024, 1280, 1536<br />
|}<br />
<br />
====United States====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGE (484e4745)<br />
| [[Nintendo DSi Browser]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNIE (484e4945)<br />
| [[Nintendo DSi Camera]]<br />
| 768, 1024<br />
| 768, 1024<br />
|-<br />
| 00030005<br />
| HNJE (484e4a45)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKE (484e4b45)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLE (484e4c45)<br />
| [[Version Data]]<br />
| 3, 4, 5, 6, 7, 8<br />
| 3, 4, 5, 6, 7, 8<br />
|-<br />
| 00030015<br />
| HNOE (484e4f45)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBE (484e4245)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFE (484e4645)<br />
| [[Nintendo DSi Shop]]<br />
| 1536, 1792, 2048, 2304, 2560, 2816<br />
| 1536, 1792, 2048, 2304, 2560, 2816<br />
|-<br />
| 00030017<br />
| HNAE (484e4145)<br />
| [[System Menu]] (Launcher)<br />
| 512, 768, 1024, 1280, 1536<br />
| 512, 768, 1024, 1280, 1536<br />
|}<br />
<br />
====Europe====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGP (484e4750)<br />
| [[Nintendo DSi Browser]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNIP (484e4950)<br />
| [[Nintendo DSi Camera]]<br />
| 768, 1024<br />
| 768, 1024<br />
|-<br />
| 00030005<br />
| HNJP (484e4a50)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKP (484e4b50)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLP (484e4c50)<br />
| [[Version Data]]<br />
| 3, 4, 5, 6, 7, 8<br />
| 3, 4, 5, 6, 7, 8<br />
|-<br />
| 00030015<br />
| HNOP (484e4f50)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBP (484e4250)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFP (484e4650)<br />
| [[Nintendo DSi Shop]]<br />
| 1536, 1792, 2048, 2304, 2560, 2816<br />
| 1536, 1792, 2048, 2304, 2560, 2816<br />
|-<br />
| 00030017<br />
| HNAP (484e4150)<br />
| [[System Menu]] (Launcher)<br />
| 512, 768, 1024, 1280, 1536<br />
| 512, 768, 1024, 1280, 1536<br />
|}<br />
<br />
====Australia and New Zealand====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 00030004<br />
| HNGU (484e4755)<br />
| [[Nintendo DSi Browser]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNIU (484e4955)<br />
| [[Nintendo DSi Camera]]<br />
| 768, 1024<br />
| 768, 1024<br />
|-<br />
| 00030005<br />
| HNJU (484e4a55)<br />
| [[Nintendo Zone]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030005<br />
| HNKU (484e4b55)<br />
| [[Nintendo DSi Sound]]<br />
| 256, 512<br />
| 256, 512<br />
|-<br />
| 0003000f<br />
| HNLU (484e4c55)<br />
| [[Version Data]]<br />
| 3, 4, 5, 6, 7, 8<br />
| 3, 4, 5, 6, 7, 8<br />
|-<br />
| 00030015<br />
| HNOU (484e4f55)<br />
| [http://www.nintendo.co.jp/ds/dsiware/hnoj/index.html Nintendo 3DS Transfer Tool]<br />
| 0<br />
| 0<br />
|-<br />
| 00030015<br />
| HNBU (484e4255)<br />
| [[System Settings]]<br />
| 512, 768<br />
| 512, 768<br />
|-<br />
| 00030015<br />
| HNFU (484e4655)<br />
| [[Nintendo DSi Shop]]<br />
| 1536, 1792, 2048, 2304, 2560, 2816<br />
| 1536, 1792, 2048, 2304, 2560, 2816<br />
|-<br />
| 00030017<br />
| HNAU (484e4155)<br />
| [[System Menu]] (Launcher)<br />
| 512, 768, 1024, 1280, 1536<br />
| 512, 768, 1024, 1280, 1536<br />
|}<br />
<br />
====China====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 0003000f<br />
| HNLC (484e4c43)<br />
| [[Version Data]]<br />
| 4, 5, 6, 7, 8<br />
| 4, 5, 6, 7, 8<br />
|-<br />
| 00030015<br />
| HNFC (484e4643)<br />
| [[Nintendo DSi Shop]]<br />
| 1792, 2048, 2304, 2560, 2816<br />
| 1792, 2048, 2304, 2560, 2816<br />
|-<br />
| 00030017<br />
| HNAC (484e4143)<br />
| [[System Menu]] (Launcher)<br />
| 768, 1024, 1280, 1536<br />
| 768, 1024, 1280, 1536<br />
|-<br />
| 00030015<br />
| HNBC (484e4243)<br />
| [[System Settings]]<br />
| 768<br />
| 768<br />
|}<br />
<br />
====Korea====<br />
{| class="wikitable sortable" width="100%"<br />
|-<br />
! Type<br />
! Title ID<br />
! Name<br />
! Versions<br />
! CDN Availability<br />
|-<br />
| 0003000f<br />
| HNLK (484e4c4b)<br />
| [[Version Data]]<br />
| 5, 6, 7, 8<br />
| 5, 6, 7, 8<br />
|-<br />
| 00030015<br />
| HNFK (484e464b)<br />
| [[Nintendo DSi Shop]]<br />
| 1792, 2048, 2304, 2560, 2816<br />
| 1792, 2048, 2304, 2560, 2816<br />
|-<br />
| 00030017<br />
| HNAK (484e414b)<br />
| [[System Menu]] (Launcher)<br />
| 768, 1024, 1280, 1536<br />
| 768, 1024, 1280, 1536<br />
|-<br />
| 00030015<br />
| HNBK (484e424b)<br />
| [[System Settings]]<br />
| 768<br />
| 768<br />
|}<br />
<br />
== See also ==<br />
<br />
* [[Title metadata|Title metadata (TMD)]]<br />
* [http://wiibrew.org/wiki/NUS_Downloader NUS Downloader]<br />
* [[Nintendo DSi Shop]]<br />
* [[Nintendo Software]]<br />
* [[System Menu]]</div>Yellows8https://dsibrew.org/w/index.php?title=1.4.4&diff=41801.4.42012-03-22T01:00:16Z<p>Yellows8: Created page with "System Menu 1.4.4 was released on 21 March 2012 for all regions.(Known as 1.4.5C for China) == Changelog == * Updated Nintendo DSi Camera * Blocks flash..."</p>
<hr />
<div>System Menu 1.4.4 was released on 21 March 2012 for all regions.(Known as 1.4.5C for China)<br />
<br />
== Changelog ==<br />
<br />
* Updated [[Nintendo_DSi_Camera|Nintendo DSi Camera]]<br />
* Blocks flashcards<br />
<br />
== See also ==<br />
<br />
* [[System Menu]]<br />
* [[Nintendo Software]]<br />
<br />
{{System Menu Navigation}}</div>Yellows8