forked from RocketRobz/dsiguide.github.io
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit_installation.html
440 lines (269 loc) · 20.1 KB
/
exploit_installation.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
<!DOCTYPE html>
<!-- saved from url=(0031)https://dsiguide.me/downgrading -->
<html lang="en" class=" js "><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<!-- begin SEO -->
<title>Installing exploitable DSiWare - DSi Guide</title>
<meta name="description" content="DSi Homebrew Guide">
<meta property="og:locale" content="en_US">
<meta property="og:site_name" content="DSi Guide">
<meta property="og:title" content="Installing exploitable DSiWare">
<link rel="canonical" href="https://dsiguide.me/downgrading/">
<meta property="og:url" content="https://dsiguide.me/downgrading/">
<script type="application/ld+json">
{
"@context" : "http://schema.org",
"@type" : "Person",
"name" : "LukeHasAWii",
"url" : "https://dsiguide.me",
"sameAs" : null
}
</script>
<!-- end SEO -->
<!-- http://t.co/dKP3o1e -->
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script>
document.documentElement.className = document.documentElement.className.replace(/\bno-js\b/g, '') + ' js ';
</script>
<!-- For all browsers -->
<link rel="stylesheet" href="https://dsiguide.me/assets/css/main.css">
<meta http-equiv="cleartype" content="on">
<!-- start custom head snippets -->
<!-- insert favicons. use http://realfavicongenerator.net/ -->
<script type="text/javascript">
var host = "dsiguide.me";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<link rel="apple-touch-icon" sizes="180x180" href="https://dsiguide.me/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://dsiguide.me/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="https://dsiguide.me/favicon-16x16.png">
<link rel="manifest" href="https://dsiguide.me/manifest.json">
<link rel="mask-icon" href="https://dsiguide.me/safari-pinned-tab.svg" color="#5bbad5">
<meta name="theme-color" content="#ffffff">
<!-- end custom head snippets -->
<style id="fit-vids-style">.fluid-width-video-wrapper{width:100%;position:relative;padding:0;}.fluid-width-video-wrapper iframe,.fluid-width-video-wrapper object,.fluid-width-video-wrapper embed {position:absolute;top:0;left:0;width:100%;height:100%;}</style></head>
<body class="layout--single" style="margin-bottom: 178px;">
<!--[if lt IE 9]>
<div class="notice--danger align-center" style="margin: 0;">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your experience.</div>
<![endif]-->
<div class="masthead">
<div class="masthead__inner-wrap">
<div class="masthead__menu">
<nav id="site-nav" class="greedy-nav">
<ul class="visible-links">
<li class="masthead__menu-item masthead__menu-item--lg"><a href="https://dsiguide.me/">Guide</a></li>
<li class="masthead__menu-item"><a href="https://dsiguide.me/faq">FAQ</a></li>
<li class="masthead__menu-item"><a href="https://dsiguide.me/donations">Donations</a></li>
<li class="masthead__menu-item"><a href="https://dsiguide.me/homebrew-downloads">Homebrew Downloads</a></li>
<li class="masthead__menu-item"><a href="https://dsiguide.me/credits">Credits</a></li>
<li class="masthead__menu-item"><a href="https://dsiguide.me/troubleshooting">Troubleshooting</a></li>
<li class="masthead__menu-item"><a href="https://dsiguide.me/uninstall-cfw">Uninstall CFW</a></li>
</ul>
<ul class="hidden-links links-menu hidden"><li class="masthead__menu-item"><a href="https://dsiguide.me/site-navigation">Site Navigation</a></li></ul>
<button class="nav-selector" id="toggle-nav" count="1"><div class="navicon"></div></button>
</nav>
</div>
</div>
</div>
<!--script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script>
(adsbygoogle = window.adsbygoogle || []).push({
google_ad_client: "ca-pub-6670011780914577",
enable_page_level_ads: true
});
</script-->
<div id="main" role="main">
<article class="page" itemscope="" itemtype="http://schema.org/CreativeWork">
<meta itemprop="headline" content="Downgrading (Sudokuhax)">
<div class="page__inner-wrap">
<header>
<h1 class="page__title" itemprop="headline">Installing exploitable DSiWare
</h1>
</header>
<section class="page__content" itemprop="text">
<hr>
<div class="notice"><b>If you need help, ask the <a href="https://discord.gg/MWxPgEp">Nintendo Homebrew Discord!</a>.</b></div>
<div class="notice"><b>I worked hard on this guide! If you want, you can <a href="https://dsiguide.me/donations">donate</a> through <a href="https://www.paypal.me/lukehasawii/10">PayPal</a> or <a href="bitcoin:126mXsRyQ8qmuqYQ86X3fhTvXL5B3SH877">Bitcoin</a>!</b></div>
<!--hr>
<!--center>
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- Guide -->
<!--ins class="adsbygoogle"
style="display:block"
data-ad-client="ca-pub-6670011780914577"
data-ad-slot="2889110246"
data-ad-format="auto"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
</center-->
<hr>
<!-- So this is where the good stuff goes-->
</p><div class="notice--danger">
JUST LIKE THE DOWNGRADE PROCEDURE, THIS PROCESS MAY RESULT IN A BRICK. MAKE SURE TO KEEP A NAND BACKUP HANDY AND FOLLOW ALL INSTRUCTIONS CAREFULLY. MOST IMPORTANTLY, DO NOT SKIP THE SECTION THAT DEALS WITH TESTING YOUR BACKUP, BECAUSE TESTING THE BACKUP IS THE EASIEST WAY TO PREVENT BRICKS.
</div>
<p class="notice--info">We will now install an exploitable DSiWare on your DSi. Before starting, look at the table below and choose one of the DSiWares for your region. If you have already gotten one of these on your DSi or on a 3DS, choose that one. If not, choose Sudoku, which is the only one still purchaseable on the 3DS eshop. After choosing a DSiWare, write down its short and long IDs.
<table>
<!colgroup>
<col span="1" style="width: 20%;" />
<col span="1" style="width: 20%;" />
<col span="1" style="width: 20%;" />
</colgroup>
<thead>
<tr>
<th style="text-align: center">DSiWare/Application</th>
<th style="text-align: center">Short ID</th>
<th style="text-align: center">Long ID</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center; font-weight: bold;">Sudoku</td>
<td style="text-align: center; font-weight: bold;">USA: 4b344445<br />EUR: 4b344456</td>
<td style="text-align: center; font-weight: bold;" colspan="2">USA: 000300044b344445<br />EUR: 000300044b344456</td>
</tr><tr>
<td style="text-align: center; font-weight: bold;">Fieldrunners</td>
<td style="text-align: center; font-weight: bold;">USA: 4b464445<br />EUR: 4b464456</td>
<td style="text-align: center; font-weight: bold;" colspan="2">USA: 000300044b464445<br />EUR: 000300044b464456</td>
</tr>
<td style="text-align: center; font-weight: bold;">Legends of Exidia</td>
<td style="text-align: center; font-weight: bold;">USA: 4b4c4545<br />EUR: 4b4c4556<br />JAP: 4b4c454a</td>
<td style="text-align: center; font-weight: bold;" colspan="2">USA: 000300044b4c4545<br />EUR: 000300044b4c4556<br />JAP: 000300044b4c454a</a></td>
</tr><tr>
<td style="text-align: center; font-weight: bold;">The Legend of Zelda: Four Swords Anniversary Edition</td>
<td style="text-align: center; font-weight: bold;">USA: 4b513945<br />EUR: 4b513956</td>
<td style="text-align: center; font-weight: bold;" colspan="2">USA: 000300044b513945<br />EUR: 000300044b513956</td>
</tr><tr>
</tbody>
</table>
<p class="notice--warning"> We do not condone the use of piracy to obtain a copy of one of these DSiWare applications, and strongly encourage you to buy Sudoku on the 3DS eshop instead of resorting to piracy (seriously, it's only $2).
<h4 id="what-you-need">What you need</h4>
<ul>
<li>A way to boot into FWTool, such as ugopwn (incompatible with non-USA consoles) </li>
<li>A decrypted Nand backup of the DSi you are installing an exploit to</li>
<li>A .app or .cia version of the DSiWare you want to install</li>
<li>The latest release of <a href="https://github.com/dsiguide/dsiguide.github.io/raw/master/files/ctrtool.zip">ctrtool</a></li>
<li>The <a href="https://github.com/dsiguide/dsiguide.github.io/raw/master/files/sudoku%20patch%20pack.zip">sudoku patch pack</a></li>
<li>The <a href="https://github.com/dsiguide/dsiguide.github.io/raw/master/files/tmds_for_DSihax.zip">tmds for exploitable DSiWares</a></li>
<li>The latest release of <a href="https://mh-nexus.de/en/downloads.php?product=HxD">HxD</a>, or some other hex editor </li>
<li>The latest release of <a href="https://www.osforensics.com/tools/mount-disk-images.html">OSFMount</a> </li>
<li>The latest release of <a href="https://mega.nz/#!sm4BWKoQ!KgHd58CzKknqmGQO2nicnn-JYcYixB9YZdqQz4Lm-Z8">TWLTool</a> </li>
<li><a href="https://github.com/dsiguide/dsiguide.github.io/raw/master/files/ticket_handling.zip">ticket-handling.zip</a></li>
<li>The <a href="https://github.com/dsiguide/dsiguide.github.io/raw/master/files/DSiWareHax%20saves%20pack.zip">DSiWareHax Saves pack</a></li>
<li>The latest release of <a href="http://problemkaputt.de/gba.htm">No$GBA</a> </li>
<li>The <a href="http://emulation.gametechwiki.com/index.php/Emulator_Files#Nintendo_DS">Nintendo DSi BIOS</a></li>
<li>The <a href="https://github.com/dsiguide/dsiguide.github.io/raw/master/files/dsi%20footer%20template.bin">DSi footer template</a></li>
<li>The latest release of <a href="https://mega.nz/#!AzYlHQ4Q!Ok4krwUPXcvPC2f0tgC4W1PA_0SPnTMAVXUFP3GfM3c">fwTool</a></li>
</ul>
<h4 id="instructions">Instructions</h4><ol>
<h5 id="section-i---.cia conversion">Section I - Converting your .cia to a .app</h5>
<hr>
<li>You don't need to follow this section if you already have your DSiWare installed, or if you already have a .app version of your DSiWare.</li>
<li>If you don't have a .cia version of the DSiWare you want to install, use <a href="https://gbatemp.net/threads/release-funkeycia-make-good-cias-from-eshop-content-no-tickets-needed.423025/">FunkeyCIA</a> or <a href="https://gbatemp.net/threads/release-villain3ds-basically-freeshop-but-runs-on-your-pc.488127/">Villain3DS</a> to get one using the eshop data of a 3DS console that has bought one of these apps (if you haven't bought one yet, Sudoku is the only one still on the eShop).</li>
<li>Download and extract the contents of the </em> <code class="highlighter-rouge">crtool release</code> to a new folder</li>
<li>Place your .cia file in the crtool folder and rename it to </em> <code class="highlighter-rouge">dsiware.cia</code></li>
<li>Run </em> <code class="highlighter-rouge">extract.bat</code>. You should get a file called </em> <code class="highlighter-rouge">00000000.app</code>, which is the .app version of your DSiWare.</li>
<hr>
<h5 id="section-ii---Patching Sudoku">Section II - Patching Sudoku</h5>
<hr>
<li>You do not need to follow this section if the DSiWare app you are exploiting is not Sudoku. If you have Sudoku on your DSi already but bought after 2011, you should still follow this section and the next one, because you probably have the version that cannot execute the exploit.</li>
<li>Download the <code class="highlighter-rouge">sudoku patch pack</code> and extract it to a new folder.</li>
<li>Place your .app version of sudoku in that folder. (If you have sudoku on your DSi already, you can find it in the <code class="highlighter-rouge">title/00030004/XXXXXXXX/content folder</code> of your decrypted nand backup, with XXXXXXXX being the short ID of your version of Sudoku.</li>
<li>Open Lunar IPS. Select "Apply IPS patch".</li>
<li>Select the .ips file corresponding to your DSi's region.</li>
<li>Switch the file view from "Most Common ROM Files" to "All files (*.*)".</li>
<li>Select your .app file. It will then be turned into the original Sudoku.</li>
<hr>
<h5 id="section-ii---downgrading">Section III - Installing the DSiWare app to a nand backup</h5>
<hr>
<li>If your DSi already has the app you're trying to install an exploit to, you can skip this section (this only applies if that app is not Sudoku, refer to Section II for why that is).</li>
<li>Create a new folder with a name that matches the short ID of the game you are trying to install. From now on, this guide will refer to that folder as the "short ID folder".</li>
<li>Inside the short ID folder, create two new folders, called "content" and "data".</code></li>
<li>Put the .app version of your DSiWare in the "content folder".</li>
<li>Download the <code class="highlighter-rouge">tmd pack</code> and drag the .tmd file corresponding to your DSiWare into the content folder. </li>
<li>Rename it to <code class="highlighter-rouge">title.tmd</code>.</li>
<li>Open title.tmd in a hex editor. Go to offset 208 (Row 20, column 08). Delete it and everything after it, shortening the file. </li>
<li>Go to offset 1E7. Write down the two numbers you see there.</li>
<li>Rename your .app file to <code class="highlighter-rouge">000000XX.app</code>, with XX being the two numbers you got in the previous step.</li>
<li>Make a copy of your decrypted nand backup, and use OSFMount to mount it.</li>
<li>Open the <code class="highlighter-rouge">title</code> folder, and then open the <code class="highlighter-rouge">00030004</code> folder inside it. </li>
<li>Move the short ID folder into the <code class="highlighter-rouge">00030004</code> folder.</li>
<li>Go back to the root of the mounted nand backup, then open the <code class="highlighter-rouge">ticket</code> folder. </li>
<li>Open the <code class="highlighter-rouge">00030004</code> folder inside the <code class="highlighter-rouge">ticket</code> folder. </li>
<li>Copy any of the .tik files you see there to another folder on your computer.</li>
<li>Download <code class="highlighter-rouge">TWLTool.zip</code> and extract it into a new folder.</li>
<li>Move the .tik file you got in the previous steps to the TWLTool folder. </li>
<li>Download the <code class="highlighter-rouge">ticket-handling.zip</code> and extract the two .bat files into the TWLTool folder.</li>
<li>Open <code class="highlighter-rouge">decrypt ticket.bat</code> in a text editor and replace "ConsoleID_BLANK" with your DSi's Console ID.</li>
<li>Save and run <code class="highlighter-rouge">decrypt ticket.bat</code>. You should get a file called <code class="highlighter-rouge">dec_ticket.tik</code>.</li>
<li>Open <code class="highlighter-rouge">dec_ticket.tik</code> in a hex editor.</li>
<li>Go to offset 1DC and replace it (and the next 8 offsets) with the long ID of your DSiWare, then save the file.</li>
<li>Open the other .bat file, <code class="highlighter-rouge">encrypt ticket.bat</code>, in a text editor and replace "ConsoleID_BLANK" with your DSi's Console ID.</li>
<li>Save and run <code class="highlighter-rouge">encrypt ticket.bat</code>. You should get a file called <code class="highlighter-rouge">enc_ticket.tik</code>.</li>
<li>Rename it to <code class="highlighter-rouge">XXXXXXXX.tik</code>, with XXXXXXXX being your DSiWare's short ID. </li>
<li>Move that .tik file to the <code class="highlighter-rouge">ticket/00030004 folder</code> of your Nand backup. </li>
<hr>
<h5 id="section-4---exploiting">Section IV - Installing the exploited save</h5>
<hr>
<li>If you haven't already done so, mount your decrypted Nand backup</li>
<li>Download and open the <code class="highlighter-rouge">DSiWareHax saves pack</code>.</li>
<li>Choose the folder for your DSiWare and region and open it. You should see a “title” folder inside it.</li>
<li>Drag that “title” folder onto the root of your decypted Nand backup. Accept if it asks if you want to merge folders and overwrite the public.sav file already there. </li>
<li>Unmount your decrypted nand backup, then re-encrypt it with TWLTool.</li>
<hr>
<h5 id="section-v---testing">Section V - Testing Your NAND with NO$GBA</h5>
<hr>
<li>Download and extract NO$GBA to a directory.</li>
<li>Make a copy of the re-encrypted nand backup in your NO$GBA directory (make sure you have extracted the NO$GBA archive) and rename it to DSI-1.mmc</li>
<li>Extract the DSi BIOS files from the "DSi firmware files.zip" archive into the NO$GBA directory</li>
<li>Download the DSi footer template file and extract it to the NO$GBA directory. </li>
<li>Open it in HxD. </li>
<li>Replace the 16 bytes filed with AAs with your CID </li>
<li>Replace the 8 bytes filed with BBs with your Console ID, but reversed. This means that if your Console ID starts with the byte 26 and ends with 08, for example, it should now end with 26 and start with 08. </li>
<li>After you have inserted your CID and Console ID, highlight and copy the entire footer file. </li>
<li>Open DSi-1.mmc and scroll to the end of the file. At the end of the file, paste in the footer. </li>
<li>Save and close DSi-1.mmc and open No$GBA.</li>
<li>Go to options and then Emulation setup.</li>
<li>In the Emulation tab, set “Reset/Startup Entrypoint” to “GBA/NDS BIOS (Nintendo logo)” and NDS Mode Colors to “DSi (retail/16MB)”. Then click Save Now and then OK.</li>
<li>Go to File, Cartridge Menu (FileName), and then open any .nds file (such as FWTool).</li>
<li>Your NAND will now be emulated by NO$GBA. Go to the DSi main menu.</li>
<li>You should see a gift-wrapped icon. Tap it to reveal your newly-installed DSiWare. </li>
<li>Open the DSiWare you installed and trigger the exploit. You should see an error occur in NO$GBA.</li>
<li>If anything that was described above does not match what you saw, you made a mistake. Either try to find what it is or try this procedure again from the beginning.</li>
<li>If your encrypted NAND and exploit worl on NO$GBA, then rename the original re-encrypted nand backup to nand_dsi.bin (if it asks you to overwrite, you may want to move the other nand_dsi.bin somewhere else and try renaming it again)</li>
<li>Move the new nand_dsi.bin to the folder in your SD card with random letters (if it asks to overwrite, simply accept)</li>
<hr>
<h5 id="section-vi---installing">Section VI - Flashing your NAND</h5>
<hr>
<li>Open fwtool using any exploit you have on your DSi (if you only have ugopwn, follow steps 8-22 of the Downgrading page to open fwtool).</li>
<li>Once in FWTool again, select <code class="highlighter-rouge">Restore nand_dsi.bin</code> <em>(This may take a while. DO NOT EXIT FWTool until the restoration is complete.)</em></li>
<li>Exit FWTool. You should now have an exploited DSiWare installed!</li>
</li></ol>
<p class="notice--primary">If you would like to check out what DSi Homebrew you can now use, check out <a href="https://dsiguide.me/homebrew-downloads">the Homebrew Downloads page.</a>
<!--center>
<ins class="adsbygoogle"
style="display:block"
data-ad-client="ca-pub-6670011780914577"
data-ad-slot="7670623049"
data-ad-format="horizontal"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
</center-->
</p></section>
<footer class="page__meta">
</footer>
</div>
</article>
</div>
<div class="page__footer">
<footer>
<!-- start custom footer snippets -->
<!-- end custom footer snippets -->
<div class="page__footer-copyright">© 2017 LukeHasAWii, <a href="https://www.dsiguide.me/credits#Developers">Developers</a>, Site Design Plailect - <a href="https://github.com/dsiguide/dsiguide.github.io">Source</a> - <a href="https://dsiguide.me/site-navigation">Site Navigation</a>
</div></footer>
</div>
<script src="./downgrading_files/main.min.js.download"></script>
</body></html>