Unlaunch.dsi bootcode exploit

Downloads

CAUTION: Backup your eMMC before installation. Pick a tested/stable unlaunch version (unless you have a hardmod for easy unbricking). Unlaunch modifies bootfiles: if installation goes wrong and you can neither boot the original firmware nor bootcode.dsi from the SD card, then you'll need a hardmod to re-install your eMMC backup copy.

Related Stuff



wifiboot - a dslink/dswifi clone in ASM for wifi-uploading code from PC to NDS/DSi (for the PC side use no$gba utility/upload, or the .EXE from original dslink)
magic floor - a search game with source code for GBA/NDS/DSi/eReader
no$gba - GBA/NDS/DSi debugger/emulator
gbatek.htm - GBA/NDS/DSi specifications (html version)

Donations

Donations would be very welcome. Unlaunch started as a quick 3-week hack, barely allowing it to 'boot something'. Those 3 weeks quickly turned into 3 months, and unlaunch has now evolved into a complete firmware replacement, fully supporting all those complicated hardware initializations needed to access things like wifi, sound, RAM, and touchscreen hardware.

Concerning donations, I've got a little money that might pay off for the first 1-2 weeks, but it doesn't remotely cover the 3 months (and certainly not the preceding 4-5 years that I had spent on DSi reverse-engineering), and even without special expenses, paying for food & rent can often be troublesome.

So, if you can share a few dollars - you would be welcome to share whatever you have!



Before Installation - make a backup

Make a backup of your eMMC chip. If you have a DSiware exploit, use the "Backup DSi NAND" function in fwtool.nds, for example. With a hardmod, just dump the eMMC chip. Either way, keep the unmodified backup in a safe place: you can use it to restore the console to a working state if something goes wrong (if the console gets totally bricked then you'll need a hardmod to do this).

The eMMC contains some console-specific files with RSA signatures. If those files get lost then you have a problem: there is no way to replace them with equivalent files from another console.

Automatic Installation (requires a working DSiware exploit)

Installation is easy if you have a console with Flipnote installed (it came pre-installed on many consoles, and was also available as a free download while the DSi shop was still online). However, some people may have deleted it or missed downloading it, and it wasn't released in the CHN/KOR regions. Anyway, if you have Flipnote, use this exploit:

Flipnote Lenny (or whatever it is called) - flipnote exploit for USA/EUR/AUS/JAP regions (requires https and youtube)

Manual Installation (via hardmod)

This requires soldering four wires to the DSi mainboard (eMMC signals CLK, CMD, DATA0, GND), attaching the wires to an SD/MMC card reader, and using a tool like HxD or Win32diskimager to dump the eMMC content to a 240Mbyte file.

Next, you will need the CID and Console ID for decrypting the eMMC image. There are several ways to obtain those values, and it's also possible to brute-force one (or both) of them.

Decrypt the eMMC image using a tool like TWLtool (requires 64bit windows; there's also an unofficial 32bit build).
Mount it in your OS using OSFMount or the like.
Locate the 520-byte 'title.tmd' file in the folder 'title\00030017\484E41xx\content' (the 'xx' varies per region), and append the 81400-byte 'unlaunch.dsi' to the end of the tmd file (the tmd filesize is then 81920 bytes).
Set the Read-only attribute for all files in the above folder (otherwise some DSi system tools may automatically brick your console by deleting all files in the modified folder).
Re-encrypt the eMMC image.

Add a no$gba footer with CID and Console ID to the eMMC image, and run unlaunch.dsi in no$gba (with the eMMC image named dsi-1.mmc). Note: Don't forget to enable DSi emulation; you may also need some further files like DSi BIOS rom images.
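The file-level part of the manual installation (append unlaunch.dsi to title.tmd, then mark the folder read-only) is easy to get wrong by hand, and a wrong folder or a wrong size is exactly what the backup warning above is about. The following is an added example, not code from the unlaunch distribution: it only does the append step on an already decrypted and mounted image (decrypting, mounting and re-encrypting remain the job of TWLtool/OSFMount as described). The sizes are the ones given above (520 + 81400 = 81920 bytes); the function names, the refuse-if-already-patched check and the post-patch check are this example's own assumptions.

```python
"""Append unlaunch.dsi to the launcher's title.tmd, with size checks.

Added example, not part of unlaunch. It works on the mounted, decrypted
eMMC image: pass the 'title\\00030017\\484E41xx\\content' folder ('xx' is
region-specific) and the unlaunch.dsi file.
"""
import stat
import sys
from pathlib import Path

TMD_SIZE = 520                            # launcher's original title.tmd (from the page)
UNLAUNCH_SIZE = 81400                     # unlaunch.dsi (from the page)
PATCHED_SIZE = TMD_SIZE + UNLAUNCH_SIZE   # 81920 bytes after appending (from the page)
NO_WRITE = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def is_patched(tmd: bytes, unlaunch: bytes) -> bool:
    """True if `tmd` already ends with this exact unlaunch payload."""
    return len(tmd) == PATCHED_SIZE and tmd[TMD_SIZE:] == unlaunch


def build_patched_tmd(tmd: bytes, unlaunch: bytes) -> bytes:
    """Return tmd || unlaunch.dsi, refusing inputs of unexpected size.

    Refusing rather than guessing matters: a title.tmd that is not 520 bytes
    is either already modified or not the launcher's tmd at all, and the
    console-specific RSA-signed files in this image cannot be replaced.
    """
    if is_patched(tmd, unlaunch):
        raise ValueError("title.tmd already carries this unlaunch.dsi; nothing to do")
    if len(tmd) != TMD_SIZE:
        raise ValueError(f"title.tmd is {len(tmd)} bytes, expected {TMD_SIZE}")
    if len(unlaunch) != UNLAUNCH_SIZE:
        raise ValueError(f"unlaunch.dsi is {len(unlaunch)} bytes, expected {UNLAUNCH_SIZE}")
    patched = tmd + unlaunch
    assert len(patched) == PATCHED_SIZE
    return patched


def set_read_only(path: Path) -> None:
    """Clear every write bit; on Windows this sets the FAT Read-only attribute."""
    path.chmod(path.stat().st_mode & ~NO_WRITE)


def patch_content_dir(content_dir: Path, unlaunch_path: Path) -> Path:
    """Patch <content_dir>/title.tmd in place, then mark every file in the folder read-only."""
    tmd_path = content_dir / "title.tmd"
    patched = build_patched_tmd(tmd_path.read_bytes(), unlaunch_path.read_bytes())
    tmd_path.chmod(tmd_path.stat().st_mode | stat.S_IWUSR)   # in case it was read-only already
    tmd_path.write_bytes(patched)
    for entry in content_dir.iterdir():
        if entry.is_file():
            set_read_only(entry)
    return tmd_path


def check_content_dir(content_dir: Path, unlaunch_path: Path) -> bool:
    """Check to run before re-encrypting: tmd is 81920 bytes ending in unlaunch.dsi,
    and no file in the folder is writable."""
    tmd = (content_dir / "title.tmd").read_bytes()
    if not is_patched(tmd, unlaunch_path.read_bytes()):
        return False
    return all(not (p.stat().st_mode & NO_WRITE)
               for p in content_dir.iterdir() if p.is_file())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: patch_tmd.py <mounted content folder> <unlaunch.dsi>")
    content, dsi = Path(sys.argv[1]), Path(sys.argv[2])
    print("patched", patch_content_dir(content, dsi))
    print("check ok" if check_content_dir(content, dsi) else "CHECK FAILED")
```

The script deliberately refuses to run twice on the same image (appending the payload a second time would give a 163320-byte tmd, not the 81920 bytes the exploit was built for) and refuses a tmd that is not exactly 520 bytes, since that is the clearest sign the wrong folder was mounted.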

Hotkeys



Boot hotkeys can be changed by clicking OPTIONS in the unlaunch filemenu. Buttons A+B are fixed, and will bring up the Unlaunch filemenu. Buttons None, A, B, X, Y can be assigned to anything you want, for example:
Wifiboot (useful for developers)
Unlaunch filemenu, or other homebrew filemenus, or official launcher
DS Cartridge slot, or your favorite DSiware title(s)

Older unlaunch versions had fixed hotkeys:

None: Start sd:\bootcode.dsi (if present)
Button A: Start original launcher and show unlaunch version number (default when bootcode.dsi not present)
Button B: Start ROM cartridge
Button X: Start sd:\bootthis.dsi (instead of bootcode.dsi)
Button Y: Skip Wifi init
Dpad Up: Show red/blue/green to indicate relauncher bootstages
Dpad Down: Do NOT invalidate cache on startup of installer

Bootable Files

The bootcode.dsi (and bootthis.dsi) can be general nds/dsi files of the following types:

Relatively small self-contained titles (that rely solely on the bootcode areas defined in their cart headers, without trying to load extra data)
Homebrew NDS/DSi titles that are designed to load extra data from the DSi SD/MMC slot (in many cases this may require something called "dldi" or so) (if it's a homebrew DSiware title then it should preferably use the Device List)
Homebrew DSiware titles that access extra data by using the filenames from the incoming Device List
Not legit: Commercial DSiware titles (unless you have purchased them from the DSi Shop when the shop was still online; but I think you didn't miss anything important if you didn't buy them)
Not working: Games that load extra data from the ROM cartridge slot instead of from the SD/MMC slot (eg. ROM-images from commercial games)

SD Cards

Unlaunch supports SD/SDHC cards (max 32GB, preformatted as FAT16/FAT32). SDXC cards (above 32GB, preformatted as ExFAT) are not supported, neither by Unlaunch, nor by DSiware in general.

Reformatting SD/SDHC cards isn't recommended; if you must, do it only with dedicated SD card formatting tools (that keep the cluster size matched to the physical sector size). However, reformatting SDXC cards may help to get rid of the weird ExFAT format.

I would be glad to receive any non-working SD/MMC cards, so I could either support them or at least add a meaningful error message for such cards.

Feedback / Contact

I haven't received much feedback from many people. I assume that a bunch of people are discussing unlaunch in chatrooms without telling anybody else about their findings (although Apache Thunder seems to have forwarded some of that info to me, thanks for that). Some people have also published info about suspected unlaunch bugs on random webpages, but without giving any details on how to reproduce those bugs. Apart from bug reports, testing would also be interesting, like knowing if the DSi browser can already be booted as bootcode.dsi and bootcode.prv (if somebody can spare 5 minutes on that so I won't need to test it myself).

The official forum thread is in the nesdev / other retro dev forum. You can also reach me by email.



How it works

Bootstage 2 loads the launcher's "title.tmd" file into memory, and it does so without any "filesize>limit" error check (instead, it only performs a rather surreal "filesize>filesize" check, which can never fail). The defunct check allows about 80Kbytes of useful code to be loaded into Main RAM, overwriting a task-switching structure; that causes the ARM9 to execute the loaded code, which can then make the ARM7 execute custom code by remapping some portions of shared WRAM.
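The bug class is easier to see in a few lines than in 400,000. What follows is an added toy model, not code from unlaunch or from the DSi firmware: only the shape of the defunct check comes from the paragraph above (the loader compares the file size against itself, so nothing is ever rejected). The memory layout in the model, a 520-byte tmd buffer followed directly by a 16-byte "task-switch record", is made up for the demonstration and is not the real Main RAM layout; the same goes for every name in it.

```python
"""Toy model of the bootstage-2 length check: defunct version beside a fixed one.

Added illustration, not unlaunch or firmware code. Layout and names are
hypothetical; only the 'filesize > filesize' comparison is from the page.
"""
TMD_BUFFER_LIMIT = 520    # hypothetical: room reserved for a normal 520-byte title.tmd
TASK_RECORD_SIZE = 16     # hypothetical: structure that follows the buffer in Main RAM
RAM_SIZE = 0x20000        # toy Main RAM, large enough to receive an 81920-byte file


def new_ram() -> bytearray:
    """Fresh, zeroed toy Main RAM; the tmd buffer starts at offset 0."""
    return bytearray(RAM_SIZE)


def load_tmd_original(ram: bytearray, file_data: bytes) -> bool:
    """The defunct check: 'filesize > filesize' is always False, so every file passes."""
    filesize = len(file_data)
    if filesize > filesize:
        return False                   # unreachable: a value is never greater than itself
    ram[0:filesize] = file_data        # copies past the buffer whenever filesize > limit
    return True


def load_tmd_fixed(ram: bytearray, file_data: bytes, limit: int = TMD_BUFFER_LIMIT) -> bool:
    """The check the loader should have had: compare the file size with the buffer limit."""
    if len(file_data) > limit:
        return False
    ram[0:len(file_data)] = file_data
    return True


def task_record_clobbered(ram: bytearray) -> bool:
    """True if anything was written into the record that follows the tmd buffer."""
    start = TMD_BUFFER_LIMIT
    return any(ram[start:start + TASK_RECORD_SIZE])


# Constructed inputs: a legitimate 520-byte tmd, and the same tmd with an
# 81400-byte payload appended (81920 bytes, the size the installation step produces).
GOOD_TMD = bytes(range(256)) * 2 + bytes(8)
PATCHED_TMD = GOOD_TMD + b"\xAA" * 81400


def demo() -> dict:
    """Run both loaders on both inputs: (accepted?, task record overwritten?) per case."""
    results = {}
    for name, loader in (("original", load_tmd_original), ("fixed", load_tmd_fixed)):
        for label, data in (("good", GOOD_TMD), ("patched", PATCHED_TMD)):
            ram = new_ram()
            accepted = loader(ram, data)
            results[(name, label)] = (accepted, task_record_clobbered(ram))
    return results


if __name__ == "__main__":
    for case, (accepted, clobbered) in demo().items():
        print(f"{case[0]:8} loader, {case[1]:7} tmd: accepted={accepted}, record clobbered={clobbered}")
```

The fixed loader rejects the oversized file and leaves the record untouched; the original accepts it and the payload bytes land on whatever follows the buffer, which is the whole exploit in miniature.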

Yup, it's actually that simple. The bigger problem was finding this bug within the roughly 400,000 lines of code that bootstages 2 and 3 consist of (hence it took almost 10 years until somebody found a bootcode exploit).

The other issue is that bypassing the original firmware leaves most of the hardware uninitialized. The DSi is often said not to have an operating system (which is true), but people tend to forget that things like wifi, WRAM, sound, touchscreen, and system variables won't work without extensive firmware initialization (not to mention that booting nds/dsi titles from the sd/mmc or cartridge slot also needs extensive loading and decryption functions).

That initialization stuff isn't exactly easy. It did help that I had already reproduced most of it when working on no$gba over the past years. As of unlaunch v1.0, I am quite confident that I got the firmware replacement working quite well, and that DSi consoles now boot up much faster than with the original firmware.

The thing still missing would be a bootmenu for selecting titles from sd/mmc, though developers will more likely stick with loading wifiboot/dslink directly from the sdcard, so a bootmenu won't be of too much use (except maybe for gamers).

Artwork/Photos

Normally, I avoid making bloated software. In this case, triggering the exploit required the file to be padded to a hefty size of 80 kbytes, so I have filled parts of that space with some background gifs, roughly themed around crashes or launch failures...

Unlaunch v1.5 through v1.7 are themed on the Past Greatness of the 1950's and 1960's, when the USA lost at least one or two nuclear-bomb-carrying airplanes per year (or dropped the bombs as a safety measure before emergency landings). The upper image shows some older Boeing B-50 Superfortress bombers, capable of carrying a single nuclear bomb. Later Boeing B-52 Stratofortress bombers had the capacity to lose 2-4 bombs per accident. The lower image shows attempts to disarm and recover parts of a nuclear bomb from muddy ground near Goldsboro, USA. However, accidents occurred all over the northern hemisphere, covering Europe, North America, Japan, the Mediterranean Sea, and the Atlantic and Pacific oceans. Some bombs remain lost at unknown and/or inaccessible locations; other bombs have been recovered in whole or in part, with ongoing plans for future decontamination of areas where the bombs scattered into pieces.

Images in other unlaunch versions show the Herzogin Cecilie. I've also considered the Principessa Jolanda for actual launch failures, and the Skyluck for intentionally grounded vessels. But then, the photo with the half-sunken ship's figurehead nearly kissing the waves is so strong that I've chosen that one (not to mention that I like the way the lower image mirrors the lines of the upper image).

Caution: Some people appear to be scared by the images of the sunken sailing ship (though maybe some of them will be more pleased with bombers). Be aware that the images will be displayed as the boot message in place of the health & safety screen (unless you know how to store a working bootcode.dsi file on the SD card).

Release Notes