DSiBrew - User contributions [en]

DSiWare VulnList

2011-02-03T23:45:32Z

Oldtopman: Undo revision 3451 by Oldtopman (talk)

This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.

It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched less than a week) if exploits for those were released.

DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi

For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 6
|-
| Done
| 10
|-
| DSiWare which probably aren't exploitable
| 26
|-
| Already have
| 2
|-
| All total
| 42
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name.
|-
| Frogger Returns
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Guitar Rock Hero
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata.
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| ?
| Has UCS-2 strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| My Notebook: Blue
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|}

DSiWare VulnList

2011-02-03T23:22:45Z

Oldtopman:

This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.

It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched less than a week) if exploits for those were released.

DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi

For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 6
|-
| Done
| 10
|-
| DSiWare which probably aren't exploitable
| 26
|-
| Already have
| 2
|-
| All total
| 42
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name.
|-
| Frogger Returns
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Guitar Rock Hero
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata.
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| My Notebook: Blue
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|}

User:Oldtopman

2011-02-02T00:20:25Z

Oldtopman:

{{userboxtop}}
{{Userbox DSi|1}}
{{Userbox system menu|1.4.1}}
{{userboxbottom}}

I am not very good at editing wikis, but I am here too keep the wiki up-to-date and someone may have to (sorry) come behind me and format things correctly.

DSi exploits

2011-01-28T13:22:55Z

Oldtopman: Whoops.

This page is dedicated to the listing of exploits used used to run homebrew on the Nintendo DSi. Anyone may contribute to this list, as long as any exploits added are explained and verifiable.

== DSi-mode exploits ==
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].

Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.

Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]

If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].

== DS-mode exploits ==

This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.

Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].

DSi exploits

2011-01-28T13:22:21Z

Oldtopman:

This page is dedicated to the listing of exploits used used to run homebrew on the Nintendo DSi. Anyone may contribute to this list, as long as any exploits added are explained and verifiable.

== DSi-mode exploits ==
Team Twiizers had relased a DSi-Mode Exploit called [[Sudokuhax]] that loads a homebrew from the SD card in DSi Mode. The exploit requires that you have purchased the Sudoku by EA game. More details and download at: [http://hackmii.com/2011/01/sudokuhax-release/].

Team Twiizers also have found a DSi-Mode Exploit and have managed to use it to run DSi Mode homebrew. However it has not yet been released. More details at : [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.

Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://drunkencoders.com/2009/08/dsi-hack-update/]

If you know of DSiWare that has English-only string input,(high-scores, player name, high-scores that use username from system settings, etc) go [[DSiWare_VulnList|here]].

== DSi-mode exploits ==

=Sudokuhax=
Sudokuhax decrypts the Sudoku game by Electronic Arts, patches it, then re-encrypts it. This is a confirmed DSi mode exploit [http://hackmii.com/2011/01/sudokuhax-release/ here].

== DS-mode exploits ==

This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.

Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].

User:Oldtopman

2011-01-28T13:09:14Z

Oldtopman: Created page with "I am not very good at editing wikis, but I am here too keep the wiki up-to-date and someone may have to (sorry) come behind me and format things correctly."

I am not very good at editing wikis, but I am here too keep the wiki up-to-date and someone may have to (sorry) come behind me and format things correctly.

List of DSi Homebrew

2011-01-28T13:08:12Z

Oldtopman: Added sudokuhax

This '''list''' is designed to be a updated collection of current DSi mode homebrew.

==Regarding the current state of DSi mode homebrew in general==
There is currently no practical way to run homebrew in DSi-mode. Save game hacks exist, but these have severe limitations:
* The SD slot and NAND flash are inaccessible.
* The amount of code space is limited to the available space in the game's save file. (A few kilobytes)
** This restriction can be lifted with external hardware like [[EEPUART]] or [[spime]]. This is how [http://svn.navi.cx/misc/trunk/nds/dsi/cookinject/ larger chunks of code] or [http://www.flickr.com/photos/micahdowty/3794878172/in/set-72157621023570420/ image files] have been loaded by developers so far.

==Exploits==
===The Drunken Coder's savegame exploit===
This exploit allows DSi homebrew coders to run unsigned ARM asm code in DSi-mode utilizing a buffer overflow in Cooking Coach. The hack can be found [http://drunkencoders.com/2009/08/dsi-hack-update/ here].

==Sudokuhax==
This exploit allows homebrew labeled boot.nds in the root of the SD card to be launched upon startup of the Sudoku game. This hack can be found [http://hackmii.com/2011/01/sudokuhax-release/ here]

===CookInject===
This is [[User:Scanlime]]'s exploit for Cooking Coach. It works with external hardware to bootstrap larger amounts of C code into system memory. Its primary feature is that it's possible to modify code from the game's ARM9 or ARM7 binaries, then return from the exploit back to the game. This allows insertion of hooks that modify or trace the game's normal behaviour. The code can be found [http://svn.navi.cx/misc/trunk/nds/dsi/cookinject/ here].

==Homebrew==

==Computer applications==