DSi unlaunch (bootcode exploit)

Pk11
Posts: 4
Joined: Fri Jul 24, 2020 6:38 pm
Location: ^@ebh

Re: DSi unlaunch (bootcode exploit)

Post by Pk11 »

Hi!
Would you be able to add loading the background gifs from the SD card? On Discord some people realized you could replace the gif in the installer and then you could use a custom background, but it would be nice if you could add loading say "sd:/unlaunch/top.gif" and "sd:/unlaunch/bottom.gif" or something like that (or just one gif for both would be fine too). Or maybe add a file selector for custom gifs similar to the autoboot keys, I'm fine however you'd prefer to do it, just it would be a nice feature to have.

Also, while I'm asking about things, would you be able to add options for re-enabling sound and the boot animation in the options menu? Most people who uninstall do it to get those back so it would be nice if they didn't have to uninstall for that...
rob64bits
Posts: 1
Joined: Fri Aug 21, 2020 3:53 pm

Re: DSi unlaunch (bootcode exploit)

Post by rob64bits »

nocash wrote: Tue Jul 24, 2018 4:05 pm Just released unlaunch.dsi v1.0. The unlaunch exploit bypasses the DSi's official launcher (boot menu & healthsafety screen), and does instead allow to boot your own software from SD card slot, almost instantly after power up. That, with full access rights to all hardware registers.
http://problemkaputt.de/unlaunch.htm
Alongside, I've also uploaded two more updates: no$gba v2.9a (gba/nds/dsi emulator/debugger) and wifiboot v2.2 (for wifi uploading software from pc to dsi). Links are found on the above webpage - using those three projects together gives a nice development environment (eg. use unlaunch to boot wifiboot, and then wifi upload your homebrew dsi software from no$gba to dsi).

unlaunch.dsi v1.0 - 24 Jul 2018
 - co-releases: no$gba v2.9a and wifiboot v2.2
 - webpage: new unlaunch.htm page, with more installation info, new forum, etc.
 - speedup: uses DMA for SD/MMC-read, SDIO-write, and AES-read/write, ROM read
 - rearranged EXMEMCNT init, ensures ARM9 IPC IRQ enabled before waiting for it
 - installer: uses fill_copy_list (instead of relying on carthdr copy in ram)
 - installer: stores no$gba footer at eMMC offset FF800h (if it's zerofilled)
 - installer: omits FAT writing if FAT unchanged (as so on unlaunch updating)
 - installer: disables BPTWL powerbutton auto-reset during install_now
 - sdmmc/sdio: removed pre-wait and soft-timeouts, instead checks hw error bits
 - initializes SOUNDBIAS (maybe better in case games don't do that themselves)
 - moved GIFs to separate non-lz77 memory block (avoid double compression)
 - verifies camera chip id and emmc cid/csd with warning if unknown hardware
 - added Y button hotkey: load NDS/DSi title from ROM-cartridge slot
 - rom loader: cartpower, romctrl, 4004012h/14h, load chip id and secure areas
 - rom speedup: uses 1000h-byte blocksize for faster 1t-rom loading
 - rom speedup: forces fast mrom timings for mrom carts with wrong cart header
 - rom speedup: forces less slow 1t-rom timings for actual 1t-rom carts
 - rom speedup: forces reduced secure area delay of 8ms for 1t-rom carts
 - rom speedup: uses slot-swap-reset-trick (instead slow power-off/on)
 - rom speedup: crops hardcoded cart power-on delays to 1ms/1ms/0ms/1ms
 - more accurate modcrypt (old was overcomplicated, and bugged on size=0)
 - supports place_aes_keys (maybe needed for jpg/camera or verdata stuff)
 - sets POSTFLG register (needed for NDS titles like EragonDemo, DownloadPlay)
 - moved twlcfg/wlfirm/hwinfo elsewhere (reloc to 2000400h only for DSi titles)
 - resumes default BPTWL powerbutton mode (unless when booting nds-titles)
 - enter_nds_mode: reloc 2FFFxxxh to 23FFxxxh, set 4MB-RAM, NDS-ROM, ARM9 67MHz
 - enter_nds_mode: set NDS-TSC-touchscr mode, init NDS-Wifi, NDS-SNDEXCNT

wifiboot v2.2 - 24 Jul 2018
 - renamed asm source/binaries from dslink+dswifi to wifiboot+wificore
 - rearranged EXMEMCNT init, ensures ARM9 IPC IRQ enabled before waiting for it
 - adjusts BPTWL powerbutton mode for wifiboot itself and booted nds/dsi titles
 - enter_nds_mode: reloc 2FFFxxxh to 23FFxxxh, set 4MB-RAM, NDS-ROM, ARM9 67MHz
 - enter_nds_mode: set NDS-TSC-touchscr mode, NDS-SNDEXCNT

no$gba v2.9a - 24 Jul 2018
 - emu/dsi/clk: supports ARM9 134MHz mode (but waitstates are too fast for now)
 - bios/help: swi waitbyloop timings for arm7/arm9 rom/cache nds/dsi 67mhz/134mhz
 - cart/emu: supports ds cart reset tricks (via toggling scfg_mc_msb or exmemcnt)
 - dsi/emu/help: scfg_clk.bit7 is read-only on arm9 (value mirrored from arm7)
 - dsi/help: added notes on 'flipnote lenny (or whatever it is called)' exploit
 - dsi/help: solved unknown last bytes in boot info block (SHA1 on 60h-byte area)
 - dsi/mmc-image: alternately accepts no$gba-footer at emmc offset FF800h
 - nds/dsi/cart/help: romctrl notes on (in-)official ways to reset cartridges
 - nds/dsi/cart/help: romctrl notes on wrong and slow 1t-rom timings cart header
 - dsi/debug: reformatted scfg7/scfg9 iomap windows, with new scfg details
 - dsi/teak/help: added official names for bits in ar/arp/stt/mod (from .dll)
 - dsi/teak/help: many new stt/mod/ar/arp/cfgi/a0e/vtr details (thanks wwylele)
PS. I've originally released earlier unlaunch versions in this forum, http://4dsdev.kuribo64.net/thread.php?id=171 then switched to this forum, http://forum.gbadev.org/viewtopic.php?t=18147 (and then switched back). Well, and after unexpected troubles in both forums, the project finally ended up in nesdev other retro dev section : )
Hi, I'm asking if there is a way to show the DSi Health Warning screen and also activate the DSi Menu Music. I'm desperate, it's been 1 year since I tried to get this to work, please help me. Thanks
jorgetech
Posts: 1
Joined: Mon Dec 07, 2020 9:47 am

Re: DSi unlaunch (bootcode exploit)

Post by jorgetech »

cosarara wrote: Fri Oct 26, 2018 12:26 pm Hello there,
I installed unlaunch 1.7 using flipnote, following the guide on https://dsi.cfw.guide/installing-unlaunch and a 4GB SD card. This is a European DSi XL.
With unlaunch installed I can't get to the system menu ("an error has occurred" screen) - it doesn't matter if I hold A or not, or if the SD card is in the DSi or not.
I've tested in no$gba using my nand backup that the same thing happens - the nand backup works, and when I install unlaunch I stop being able to use the system menu. If I set up a bootcode.dsi with the unlaunch installer, I can uninstall it, and then it goes back to normal.
On no$gba I've also tried to use 0.8 and 1.4, with the same results.
The system is on version 1.4.2E.
Hi nocash, I think there is a regression in Unlaunch versions newer than 1.8 since I'm encountering the issue where I cannot boot the NAND system menu with Unlaunch installed (tested in 1.9 and 2.0), it shows the black warning screen, the only way I can fix it is by uninstalling Unlaunch and using 1.8. I'm also using a European DSi XL running firmware 1.4.2E, I still have to test if the same thing happens with no$gba.

By the way, I can confirm that on version 1.8 pressing the power button on the NAND system menu (and other apps like the settings) locks the system, this only happens when an SD card is inserted. Is this fixed in newer versions? I haven't been paying attention to the latest changelogs and I can't test that on newer Unlaunch versions since I'm having the already mentioned problem.
James Pond 008
Posts: 2
Joined: Sun Aug 16, 2020 7:38 pm

Re: DSi unlaunch (bootcode exploit)

Post by James Pond 008 »

An iQue ROM of Dr. Mario Express isn't loading for me. It just hangs on a white screen after the iQue screen.
heydootdoot
Posts: 1
Joined: Thu Feb 25, 2021 2:10 am

Re: DSi unlaunch (bootcode exploit)

Post by heydootdoot »

James Pond 008 wrote: Tue Feb 23, 2021 1:41 am An iQue ROM of Dr. Mario Express isn't loading for me. It just hangs on a white screen after the iQue screen
I also have the same problem, some DSiWare just doesn't work when played with Unlaunch. The case with the iQue version of Dr. Mario Express is that it hangs on a white screen after the iQue logo and information screen; another version of Dr. Mario Express that I tested works just fine.
Other DSiWare that also has the same problem booting is Photo Clock, which also gets stuck on a white screen, but when I tested it on No$GBA it works just fine. Also, this time I have to hold the power button to turn it off because pressing it doesn't do anything, so I think my DSi is still reading something but stuck.

My DSi is on firmware 1.4.5J btw with Unlaunch 2.0, HiyaCFW and TwilightMenu v18.5.0 installed, so I think my setup is all updated to the latest version and I don't know what else is causing some DSiWare to not boot properly.
Guest

Re: DSi unlaunch (bootcode exploit)

Post by Guest »

There's a reason why Dr. Mario Express (and certain other CHN/KOR games) won't boot on a system from another region, and this problem affects both DSi and 3DS.

Some games don't have their own internal fonts, they use shared system font file TWLFontTable.dat instead; and since Chinese and Korean consoles both have their own specific font files that are different from the one found in JPN/USA/EUR/AUS consoles, to play such games you would need to dump TWLFontTable.dat from either CHN or KOR console (depending on the game's original region) and replace the one in your system.

It is potentially possible to create a single universal font file that would work for all regions (I've successfully done that myself, actually), but it currently wouldn't be usable with real consoles due to the fact that none of the custom firmwares have a patch to disable signature check for TWLFontTable.dat, as far as I'm aware.
Pk11
Posts: 4
Joined: Fri Jul 24, 2020 6:38 pm
Location: ^@ebh

Re: DSi unlaunch (bootcode exploit)

Post by Pk11 »

Hi, I think I figured out at least one reason why uninstalling Unlaunch can brick the console. I have a NAND backup that bricks if I uninstall Unlaunch in no$gba and looking at its files I realized the launcher's title.tmd is all 00 before the Unlaunch part so when uninstalling it would notice that was wrong and brick.

I only have this one example so I'm not sure if this exact problem is the most common cause of bricking, but it might be good to make Unlaunch check for invalid launcher title.tmd files when uninstalling and either fix them or refuse to uninstall.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

Is that a real problem, with anybody actually having bricked a real console with that?

Where do those 00's come from? The unlaunch installer shouldn't overwrite the first bytes of the tmd file with 00's... unless I got something terribly wrong... or is there somebody else releasing homebrew software that destroys the tmd file?

Detecting if the tmd contains 00's, yeah, I could do that. But then somebody might decide to overwrite it with 22's instead of 00's, or delete some system files, or smash some RSA signatures, install EUR files on a CHN console, or whatever. Auto-detecting (or even repairing) such things wouldn't be easy.

PS. Even after uninstalling, all newer unlaunch versions should leave a copy of the CID and Console ID stored at eMMC offset 000FF800h..000FF83Fh, so one could use that info to decrypt & repair things via hardmod, there is also a tool for brute-forcing those values, and people should have made a backup anyways. With hardmod, one could unbrick almost anything.
homepage - patreon - you can think of a bit as a bottle that is either half full or half empty
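
Added example, not part of any post in this thread and not Unlaunch or no$gba code: a pre-uninstall check on a backup that flags a title.tmd whose leading region is one repeated byte (the 00 case reported above, generalized to any fill value such as 22) and checks that the CID/Console ID area at eMMC offset 000FF800h..000FF83Fh holds data. The 0x208-byte TMD length, the function names and the sample data are assumptions made for the example.

```python
import io

# Offsets quoted in the thread: CID and Console ID copy at eMMC 000FF800h..000FF83Fh.
FOOTER_OFFSET = 0x000FF800
FOOTER_LEN = 0x40
# Assumption: size of the original TMD data that precedes the Unlaunch part.
TMD_LEN = 0x208


def tmd_is_blanked(tmd: bytes, tmd_len: int = TMD_LEN) -> bool:
    """True if the region before the Unlaunch part is one repeated byte (00, 22, ...)."""
    head = tmd[:tmd_len]
    return len(head) > 0 and head == head[:1] * len(head)


def footer_is_stored(image, offset: int = FOOTER_OFFSET, length: int = FOOTER_LEN) -> bool:
    """True if the footer area of an eMMC image holds non-zero data."""
    image.seek(offset)
    data = image.read(length)
    return len(data) == length and any(data)


def pre_uninstall_warnings(tmd: bytes, image) -> list:
    """Collect reasons to stop and investigate before uninstalling."""
    warnings = []
    if len(tmd) < TMD_LEN:
        warnings.append("title.tmd is shorter than the expected TMD length")
    elif tmd_is_blanked(tmd):
        warnings.append("title.tmd is a single repeated byte before the Unlaunch part")
    if not footer_is_stored(image):
        warnings.append("no CID/Console ID copy found at eMMC offset FF800h")
    return warnings


# Constructed sample data (not taken from any real console).
def make_image(footer: bytes) -> io.BytesIO:
    return io.BytesIO(bytes(FOOTER_OFFSET) + footer)


BAD_TMD = bytes(TMD_LEN) + b"constructed-unlaunch-part"
GOOD_TMD = bytes(range(1, 256)) * 3 + b"constructed-unlaunch-part"
IMAGE_WITH_FOOTER = make_image(bytes(range(FOOTER_LEN)))
IMAGE_WITHOUT_FOOTER = make_image(bytes(FOOTER_LEN))

if __name__ == "__main__":
    print(pre_uninstall_warnings(BAD_TMD, IMAGE_WITHOUT_FOOTER))
    print(pre_uninstall_warnings(GOOD_TMD, IMAGE_WITH_FOOTER))
```

A repeated-byte check only catches this one kind of damage; missing system files, broken signatures or wrong-region files are outside what it looks at.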
Pk11
Posts: 4
Joined: Fri Jul 24, 2020 6:38 pm
Location: ^@ebh

Re: DSi unlaunch (bootcode exploit)

Post by Pk11 »

nocash wrote: Wed May 19, 2021 5:46 pm Is that a real problem, with anybody actually having bricked a real console with that?
Yeah, it's hard to know the exact details because people don't often report when uninstalling doesn't brick their console, but I've heard of at least a few other people bricking when using the Unlaunch installer to uninstall between Discord, GBAtemp, and Reddit. I don't know for sure what caused everyone else's bricks as no one else has had a backup to check as far as I know, but I do at least know that my DSi that this backup is from bricked when uninstalling and I have this backup from shortly before at least.
nocash wrote: Where do those 00's come from? The unlaunch installer shouldn't overwrite the first bytes of the tmd file with 00's... unless I got something terribly wrong... or is there somebody else releasing homebrew software that destroys the tmd file?
I'm not really sure, I never did anything particularly dangerous to that DSi's NAND. I did use most versions of Unlaunch from v0.8 to v1.8 (which was the latest at the time) so it's possible one of them caused it? Or maybe it could just be a bug with the official software somehow? Maybe even just the NAND chip going bad? I'm afraid I don't really know when or why it got overwritten just that it somehow did.
nocash wrote: Detecting if the tmd contains 00's, yeah, I could do that. But then somebody might decide to overwrite it with 22's instead of 00's, or delete some system files, or smash some RSA signatures, install EUR files on a CHN console, or whatever. Auto-detecting (or even repairing) such things wouldn't be easy.
Yeah, I wish I knew what caused other people to brick, but unfortunately this is the only example I have. Nothing intentionally malicious was done to this DSi so this problem seems to at least potentially be a common cause of bricking when uninstalling Unlaunch. The error it gives in no$gba with the bad tmd is "Error: 1-2435-8325", I'm not 100% sure what error it had on console as it only showed it once before just showing black screens and I didn't pay enough attention to which error, but I think it was the same one.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

Oh, so you have bricked a real console, not just the mmc image in no$gba. I hope you got it repaired!

For the source of the 00's... the unlaunch installer is writing to the tmd file, and the unlaunch options are also stored in the tmd file... and you mentioned something about patching the background gif, although that seems to be done by patching the installer (which is hopefully still working thereafter), rather than directly patching the tmd file.

Can you post a copy of the tmd file (before uninstall) as attachment? Eg. in no$gba: click Window --> Filesystem --> select the tmd file --> Save file.
Pk11
Posts: 4
Joined: Fri Jul 24, 2020 6:38 pm
Location: ^@ebh

Re: DSi unlaunch (bootcode exploit)

Post by Pk11 »

I've attached the pre-uninstall title.tmd to this post.

This was before we figured out you can patch the GIF so no weird patching was done to Unlaunch on this DSi as far as I can remember. My soldering skills aren't good enough to do a hardmod but I did have a full spare motherboard from another DSi that was otherwise dead so I was able to just swap those and get back to a working DSi at least.
Attachments
title.tmd.zip
(59.48 KiB) Downloaded 116 times
schm1dtxbox
Posts: 1
Joined: Mon Dec 20, 2021 3:55 pm

Re: DSi unlaunch (bootcode exploit)

Post by schm1dtxbox »

Hey there, I'm curious to know as to whether it'd be possible to forcibly change the backdrop colour that Unlaunch uses when it hasn't been autoloaded with a colour set at 2000800h, eg: via hex-patching the installer manually.
I'm mainly interested in this as I'd personally prefer to use a white backdrop colour for it instead, which'd make soft-reset transitions between an app and the DSi launcher look how it would on an unmodified DSi.