Nintendo DSi: Unblocking unofficial NTR carts!

Channel:
United States Apache Thunder
Subscribers:
1,640
Published on ● Video Link: https://www.youtube.com/watch?v=bjh_Dk1Y8jI


Duration: 3:58
1,979 views
28

It has been documented by gbetek that v1.4E on DSi did not do RSA checking of any of the sections of the DS Cart Whitelist used for verifying NTR mode carts in slot-1.

Because of this it is possible to extract the SHA1-HMAC keys from Launcher (that's real easy, gbatek pretty much tells you where to find them in the SRL) and hash the header/arm9/arm7 and icon for addition to the cart white list.

The DS cart white list is separated into 3 sections. The third section operates mostly as a blacklist for flashcarts that pretend to be other games. (this section is the part that is frequently updated in fw updates). Simply removing all title listings from that section and setting "Number of titles" in the header of that section to 0 effectively removes that functionality from the white list so blocked flashcarts that pretended to be other games will work again.

But the real magic shown here is ADDING new game codes to the white list and hashing them using the SHA-1 HMAC keys. Assuming your flashcart does not use overlays/NitroFS this is pretty easy.

Section 1 has the Phase 1 and 2 hashes. The second hash for your title can be all zero if your flashcart does not use NitroFS/Overlays.

The first hash is over the header (first 0x160h bytes of the header) + arm9 + arm7 binaries (load them into a file in that order and hash it).

Arm9 binary must be hashed while the secure area is encrypted FYI.

The section section only hashes the icon/banner of the cart. That one is easy. Note that this section uses a seperate hmac key then the first section. Simply hash the 0x840h size NTR icon/banner data the cart uses.

That pretty much explains the jist of adding new carts to the white list. Scripts for genning the hashes and such may be released at a later date.

A nand mod is NOT required though recommended to do this. All you need is a standard entry point like sudokuhax and fwtool to allow dumping NAND and importing a modified one. I will not go into detail for that here. Google/gbatemp forums is your friend here.



Other Videos By Apache Thunder


2017-09-23Battlefield Heroes: Riverside Rush Night (version 2.0!)
2017-09-22Battlefield Heroes: Victory Village Night
2017-08-01Legend of Zelda: Breath of the Rock
2017-07-24Nintendo DSi: First CFW with RSA patched Launcher!
2017-07-22RocketLauncher: Custom Launcher now working!
2017-07-15RocketLauncher: Retail Cart Support Finished!
2017-07-14RocketLauncher: Will support using Retail Carts!
2017-07-02Nintendo DSi: Announcing a new exploit!
2017-06-25Nintendo DSi: Coming soon™
2017-06-22Nintendo DSi: Autoboot is still a thing. ( ͡° ͜ʖ ͡°)
2017-05-08Nintendo DSi: Unblocking unofficial NTR carts!
2017-01-17Smeargle: The cancer of Pokémon FFAs
2017-01-14Bootstrap: Save support for compatible DS games!
2017-01-11My new old laptop. :P
2016-12-21nds-bootstrap initial support for retail games off SD!
2016-11-30Battle Egg and Mega Mimikyu...
2016-11-22Wondertrade shenanigans...Gen 7 edition
2016-11-15Status of "Egg" in Gen 7...
2016-10-03Custap Gluttony Snorlax is a force to be reckoned with...
2016-09-20Just a normal Wondertrade...I swear!
2016-09-05NTR Launcher - TWL Clocks speeds for NTR mode!


Tags:
Nintendo DSi
Sudokuhax
DS Cart White List
Exploit
Hack
Hax
NAND
Firmware