DSi exploits

From DSiBrew
Revision as of 21:26, 19 July 2020 by WinterMute (talk | contribs) (remove nonsense section)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

Type of exploits

Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.

NTR/NDS-Mode Exploits

These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as NTR. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

Name Description Author Source
FIFA NDS Every single FIFA game on the Nintendo DS has been exploited. Everyone CTurt's Source Code
Bangai-O-Sploit A primary entrypoint for the game, Bangai-O Spirit, on the Nintendo DS. This game was successfully exploit through sound. smealum Install
NDS-ILH-Save-Exploit "I Love Horses" Nintendo DS save exploit mojobojo Install
ABR-NDS-SaveExploit A stack smash savegame exploit for the game "Asterix Brain Trainer" Weml0 Install
HaxxStation DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application. shutterbug2000, Gericom, and Apache Thunder See Here
BreakingNews A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names). ChampionLeake Install


TWL/DSi-Enhanced Cart Exploits

These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as TWL. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

Name Description Author Source
The Biggest Losers Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode. st4rk Install

WinterMute's dslink

Cookhack DSi Cooking Coach exploit WinterMute PoC

dslink

Classichack DSi Classic Word Games exploit WinterMute PoC

dslink

SystemFlaaw The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw zoogie Install


DSiWare(True DSi-Mode) Exploits

These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

Name Description Author Source
Sudokuhax One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched. TeamTwiizer, yellows8 Install
grtpwn A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour! yellows8 Install
exidiahax A Gameloft DSiWare savegame exploit for the game, Legend of Exidia! yellows8 Install
fieldrunhax A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS! yellows8 Install
4swordhax A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition! yellows8 Install
Flipnote( ͡° ͜ʖ ͡°) or ugopwn A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit. shutterbug2000, WinterMute, fincs, zoogie Install
UNO*pwn A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game! ChampionLeake Install
MemoryPit A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit. shutterbug2000 See Here
petit-compwner The last string argument of interpreter command "COLSET" is not bounds checked, thus a trivial stack smash can occur if the string is overly long. zoogie Release

ARM7 Exploits

These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.

Name Description Author Source
RocketLauncher One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4! ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt Writeup


Bootcode Exploits:

These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's title.tmd. At the moment, nocash's exploit, Unlaunch is the only known exploit.

Name Description Author Source
Unlaunch Possibly one of the first bootcode exploit for the Nintendo DSi! This exploit deals with taking advantage of the launcher's "title.tmd" size as it's not checked, allowing esculated permissions! NoCash Install & Writeup

DSi-mode exploits

Team Twiizers released a DSi-mode exploit called Sudokuhax that loads homebrew from the SD card in DSi-mode. The exploit requires that you have purchased EA's Sudoku game. More details and download: [1]. Additionally more DSiWare savegame exploits were released for the last time: [2]. Copying these savegame exploits to NAND via system settings is blocked on the latest system version.

shutterbug2000 has created an exploit for Flipnote Studio, which uses a modified flipnote that you have to paste 122 times exactly. The exploit can be used with fwtool to downgrade the dsi to be able to use Sudokuhax or things like it. wintermute and fincs simple 1 paste exploit can be found here [3].

ChampionLeake has released an exploit for UNO, a regular DSiWare savegame exploit. Instructions to installing the exploit are here: [4]

The source of the majority of the old dsiware exploits can be found on yellows8's github page [5]

An incomplete list of all DSi exploits are here: List of DSi Exploits

DSi Enhanced exploits

Team Twiizers also have found a DSi-mode exploit in cooking coach and have managed to use it to run DSi-mode homebrew. However it has not yet been released. More details at: [6] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.

Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [7]

The cooking coach and classic word games savegame exploits are blocked on the latest system version. Therefore, the only way to get DSi-mode homebrew running with the latest system version, is with a hardware workaround for the blocked DSi-mode gamecard exploits. Additionally, one could solder the NAND pins to a MMC reader/writer, then extract dev.kp for DSiWareHax.

It is also possible for homebrew to be loaded through an Action Replay DSi flashcart. If an nds file is saved onto a micro SD card, and then that micro SD is inserted into the Action Replay, the file can be executed by going to the Files menu.

New flipnote studio lennyface exploit released allowing someone to run the new custom firmware Hiya CFW allowing people to run homeprew software from their SD card.

DS-mode exploits

This type of exploit is undesirable because all DSi functionality, such as usage of the cameras, is unavailable to homebrew.

Gericom has exploited the "DS Download Station" application which works on all DS family consoles. Runs commercial homebrew via download station. Here you can have the details about it.

Blasteh (Blasty) has posted a video on Youtube showing code being run in DS mode on the DSi using Fifa '08.