DSi unlaunch (bootcode exploit)

Discussion of development of software for any "obsolete" computer or video game system. See the WSdev wiki and ObscureDev wiki for more information on certain platforms.
Post Reply
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

DSi unlaunch (bootcode exploit)

Post by nocash »

Just released unlaunch.dsi v1.0. The unlaunch exploit bypasses the DSi's official launcher (boot menu & healthsafety screen), and does instead allow to boot your own software from SD card slot, almost instantly after power up. That, with full access rights to all hardware registers.
http://problemkaputt.de/unlaunch.htm
Alongsides, I've also uploaded two more updates: no$gba v2.9a (gba/nds/dsi emulator/debugger) and wifiboot v2.2 (for wifi uploading software from pc to dsi). Links are found on the above webpage - using that three projects together is giving a nice development environment (eg. use unlaunch to boot wifiboot, and then wifi upload your homebrew dsi software from no$gba to dsi).

Code: Select all

unlaunch.dsi v1.0 - 24 Jul 2018
 - co-releases: no$gba v2.9a and wifiboot v2.2
 - webpage: new unlaunch.htm page, with more installation info, new forum, etc.
 - speedup: uses DMA for SD/MMC-read, SDIO-write, and AES-read/write, ROM read
 - rearranged EXMEMCNT init, ensures ARM9 IPC IRQ enabled before waiting for it
 - installer: uses fill_copy_list (instead of relying on carthdr copy in ram)
 - installer: stores no$gba footer at eMMC offset FF800h (if it's zerofilled)
 - installer: omits FAT writing if FAT unchanged (as so on unlaunch updating)
 - installer: disables BPTWL powerbutton auto-reset during install_now
 - sdmmc/sdio: removed pre-wait and soft-timeouts, instead checks hw error bits
 - initializes SOUNDBIAS (maybe better in case games don't do that themselves)
 - moved GIFs to separate non-lz77 memory block (avoid double compression)
 - verifies camera chip id and emmc cid/csd with warning if unknown hardware
 - added Y button hotkey: load NDS/DSi title from ROM-cartridge slot
 - rom loader: cartpower, romctrl, 4004012h/14h, load chip id and secure areas
 - rom speedup: uses 1000h-byte blocksize for faster 1t-rom loading
 - rom speedup: forces fast mrom timings for mrom carts with wrong cart header
 - rom speedup: forces less slow 1t-rom timings for actual 1t-rom carts
 - rom speedup: forces reduced secure area delay of 8ms for 1t-rom carts
 - rom speedup: uses slot-swap-reset-trick (instead slow power-off/on)
 - rom speedup: crops hardcoded cart power-on delays to 1ms/1ms/0ms/1ms
 - more accurate modcrypt (old was overcomplicated, and bugged on size=0)
 - supports place_aes_keys (maybe needed for jpg/camera or verdata stuff)
 - sets POSTFLG register (needed for NDS titles like EragonDemo, DownloadPlay)
 - moved twlcfg/wlfirm/hwinfo elsewhere (reloc to 2000400h only for DSi titles)
 - resumes default BPTWL powerbutton mode (unless when booting nds-titles)
 - enter_nds_mode: reloc 2FFFxxxh to 23FFxxxh, set 4MB-RAM, NDS-ROM, ARM9 67MHz
 - enter_nds_mode: set NDS-TSC-touchscr mode, init NDS-Wifi, NDS-SNDEXCNT

Code: Select all

wifiboot v2.2 - 24 Jul 2018
 - renamed asm source/binaries from dslink+dswifi to wifiboot+wificore
 - rearranged EXMEMCNT init, ensures ARM9 IPC IRQ enabled before waiting for it
 - adjusts BPTWL powerbutton mode for wifiboot itself and booted nds/dsi titles
 - enter_nds_mode: reloc 2FFFxxxh to 23FFxxxh, set 4MB-RAM, NDS-ROM, ARM9 67MHz
 - enter_nds_mode: set NDS-TSC-touchscr mode, NDS-SNDEXCNT

Code: Select all

no$gba v2.9a - 24 Jul 2018
 - emu/dsi/clk: supports ARM9 134MHz mode (but waitstates are too fast for now)
 - bios/help: swi waitbyloop timings for arm7/arm9 rom/cache nds/dsi 67mhz/134mhz
 - cart/emu: supports ds cart reset tricks (via toggling scfg_mc_msb or exmemcnt)
 - dsi/emu/help: scfg_clk.bit7 is read-only on arm9 (value mirrored from arm7)
 - dsi/help: added notes on 'flipnote lenny (or whatever it is called)' exploit
 - dsi/help: solved unknown last bytes in boot info block (SHA1 on 60h-byte area)
 - dsi/mmc-image: alternately accepts no$gba-footer at emmc offset FF800h
 - nds/dsi/cart/help: romctrl notes on (in-)official ways to reset cartridges
 - nds/dsi/cart/help: romctrl notes on wrong and slow 1t-rom timings cart header
 - dsi/debug: reformatted scfg7/scfg9 iomap windows, with new scfg details
 - dsi/teak/help: added offical names for bits in ar/arp/stt/mod (from .dll)
 - dsi/teak/help: many new stt/mod/ar/arp/cfgi/a0e/vtr details (thanks wwylele)
PS. I've originally released earlier unlaunch versions in this forum, http://4dsdev.kuribo64.net/thread.php?id=171 then switched to this forum, http://forum.gbadev.org/viewtopic.php?t=18147 (and then switched back). Well, and after unexpected troubles in both forums, the project finally ended up in nesdev other retro dev section : )
User avatar
Apache Thunder
Posts: 24
Joined: Tue Jul 24, 2018 6:28 pm

Re: DSi unlaunch (bootcode exploit)

Post by Apache Thunder »

I attempted to install Unlaunch via bootcode.dsi (haven't tried if it works via hbmenu/other exploits yet. I do recall 0.9 installer would black screen if booted with anything other then Unlaunch bootcode.dsi) and I get this screen. Photo attached as attachment. Using a DSi XL (USA region) so nothing special.

Does this screen only occur on the installer phase? Safe to install manually?

EDIT: Booting unlaunch.dsi via hbmenu with exploit games like Sudoku works again on 1.0. But still get the unknown EMMC message.
Attachments
snapshot20180724202621.jpg
SLKun
Posts: 1
Joined: Wed Jul 25, 2018 2:25 am

Re: DSi unlaunch (bootcode exploit)

Post by SLKun »

Wonderful work.
It works on a Japan NDSi Console with 1.4.5J.
Boot speed observably speed up to about 3s.
In constract, it will spend about 10s at v0.9.

edited: Test DSi browser works well.
Of course, you have to configure link info at dsi system settings and turn on wifi because of settings check.

What's more, flashcard like supercard dstwo cannot be booted by pressing button B.
Attachments
IMG_20180725_171227.jpg
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

Released unlaunch v1.1 at http://problemkaputt.de/unlaunch.htm (only difference is removing the warning for unknown CSD in KLM5617EFW type eMMC chips).
Apache Thunder wrote:I attempted to install Unlaunch via bootcode.dsi (haven't tried if it works via hbmenu/other exploits yet. I do recall 0.9 installer would black screen if booted with anything other then Unlaunch bootcode.dsi) and I get this screen. Photo attached as attachment.
EDIT: Booting unlaunch.dsi via hbmenu with exploit games like Sudoku works again on 1.0. But still get the unknown EMMC message.
Thanks, looks like a KLM5617EFW chip, the CID for that chip was already known, but the CSD is a good bit different compared to older KMAPF0000M chips:

Code: Select all

Known CSD's for DSi eMMC chips (excluding CRC in LSB, padded 00 in MSB)
  8  16 24 32 40 48 56 64 72 80 88 96 104112120pad ;<--bit numbers
  40 40 96 E9 7F DB F6 DF 01 59 0F 2A 01 26 90 00  ;DSi CSD KMAPF0000M-S998
  40 40 8E FF 03 DB F6 DF 01 59 0F 32 01 27 90 00  ;DSi CSD KLM5617EFW-B301
  ?                                            00  ;DSi CSD blurb?
  ?                                            00  ;3DS CSD
And the differences are...
  bit     name           KMAPF0000M  KLM5617EFW
  112-119 TAAC           26h=1.5ms   27h=15ms
  96-103  TRAN_SPEED     2Ah=20MHz   32h=25MHz
  42-46   ERASE_GRP_SIZE 1Fh=32x32   00h=1x32
  32-36   WP_GRP_SIZE    09h=10      1Fh=32
  26-28   R2W_FACTOR     05h=32x     03h=8x
Not sure if that values are really correct, or if the manufacturer has screwed up some bits. TAAC being 10x slower in newer chips looks weird, 20MHz would be for 1bit MCC (whilst 4bit MMCplus/MMCmobile should support 26MHz), erase group 32x32x512 bytes would somewhat require 512Kbyte clusters, write protect group size 10 decimal looks a bit odd (though it could be true), and well, faster writing in newer chips looks plausible.

Didn't knew that v0.9 didn't boot up from within hbmenu, but if it's working with v1.0 up then it's all fine.
Btw. when booting unlaunch.dsi directly (renamed as boot.nds) from within 4swordhax... does that still have problems?
SLKun wrote:Boot speed observably speed up to about 3s.
In constract, it will spend about 10s at v0.9.

edited: Test DSi browser works well.
Of course, you have to configure link info at dsi system settings and turn on wifi because of settings check.
What's more, flashcard like supercard dstwo cannot be booted by pressing button B.
Oops, 10 seconds boot time shouldn't have happened. And 3 seconds shouldn't happen either (normally it should be around 0.5s).
The 10 seconds might have been because the old version didn't use DMA and such stuff (so loading a very large bootcode.dsi file from SD card may have been pretty slow).
And the remaining 3 seconds, that might include extra overload that occurs after loading+starting your bootcode.dsi file (ie. if it's loading further data after it got started).
I am normally using wifiboot.nds renamed to bootcode.dsi, and the "WIFIBOOT" message pops up "almost instantly". The biggest bottleneck is uploading the wifi firmware (done upon coldboot by unlaunch, not by wifiboot), that takes around 400ms on older W015 wifi boards (with W024 boards it's much faster, and upon warmboot it takes only around 50ms to init the wifi hardware on either W015 and W024). The other bottleneck might be large files (bootcode could be up to 6.25MByte for DSi titles, and hardware transfer speed is about 8Mbyte/s for SD/MMC, so that could eat up almost one second... or longer if I've still screwed up something). And well, the final slowdown is that, I think, most people are currently using unlaunch to reload the patched/original firmware so loading speed would be about as slow as without unlaunch.

DSi browser is working when booting it directly (eg. when loading it as bootcode.dsi and bootcode.prv files)? Then my code for wifi firmware uploading seems to be actually working (for initializing the new atheros hardware for commercial DSi titles).

I haven't tested with flashcarts yet. I have a "acekard2i" somewhere. And I could test other flashcarts (of somebody donates one for testing). At the moment I could only guess that the problem might be related to uncommon chip id, or romctrl values, or missing support for 1000h-byte blocks, or requirements for additional delays.

Speaking of ROM cartridges, the NDS-era carts are booting quite fast (less than 1s, about 0.3s or so), but I've been pretty shocked and scared when trying to boot DSi-era carts (using the official loading procedure it took up to 4s for cooking coach). Reasons are that newer carts are using cheaper/slower 1T-ROM chips (instead older/faster MROM), with unneccessary slow timings/delays declared in cart header (even for some MROM carts, that are accidently assigned to use slow 1T-ROM timings), lack of support for 1000h-byte block loading in firmware, doing switching cart-power off/on between loading nds and dsi areas, and simply more bloated code in newer cartridges.

I've tweaked a bunch of things to get that newer carts booted at reasonable speed, it should be at least twice as fast as with original firmware. But maybe one of that tweaks is causing issues with flashcarts (though most of the tweaks should be probably working there, too, so I wouldn't want to remove all tweaks just for the reason that some of them might cause issues).

Oh, and there are also some ROM carts that I don't know if they are working. Especially those with "NAND" memory, or with "IR" ports.
Last edited by nocash on Wed Jul 25, 2018 10:31 am, edited 1 time in total.
edo9300
Posts: 33
Joined: Wed Jul 25, 2018 6:34 am

Re: DSi unlaunch (bootcode exploit)

Post by edo9300 »

I tried to update from unlaunch 0.8 to the latest release and even if it installs fine, when i boot the console it just freezes on the unlaunch logo if booted with no bootcode/by pressing a, while if i try to run hiya via bootcode it freezes on a black screen, i tried the version between the 0.8 nd the 1.1 and those too have the same freeze issue. The only things i can run are the homebrew that doesn't access the system menu, like hb browser. I'm on a dsi xl with firmware 1.4.5 e
User avatar
Apache Thunder
Posts: 24
Joined: Tue Jul 24, 2018 6:28 pm

Re: DSi unlaunch (bootcode exploit)

Post by Apache Thunder »

Yeah booting directly as boot.nds from 4swordhax still doesn't work. I believe I tried that when trying to get around the unknown emmc error.

Also 1.1 works now for my DSI XL. Tested the new cart loader. Blackscreens when trying to boot my Cyclo iEvolution flashcart if the cart is in TWL mode. Is able to boot my R4 but not my DS-Xtreme. (same issue, blackscreens).

I tested Mario Kart DS booted from R4 from your new cart loader. Game hangs the moment I go the multiplayer menu. Seems like Wifi is incorrect state?

It also fails the same way from my Acekard 2i so likely not an issue with the cart I used. Booted Mario 64 DS directly as well. It also hangs when trying to use the multiplayer menu.

My Sonic Classic Collection cart is also bootable. It's a TWL cart too but can't tell if it's in TWL mode or not. It's hard to tell with that cart though but I guess it is? I don't really have any other TWL carts so wouldn't know. I assume you do detect if it's a TWL cart and boot it in TWL mode with the extended binaries loaded and everything.

I think the DS-Xtreme might be failing to boot due to secure area check fail. I recall having to disable that check in NTR Launcher to get that cart to boot. But not sure if you're code is doing the same. There's no error handling with your cart handler. At least nothing it will display. Just blackscreens on the carts it failed to boot. DS-Xtreme is a bit wierd though. It's header loads arm9 binary from odd location in rom. At 0x100000 or so instead of the normal 0x4000. Even patched Launcher fails to boot it. :P

On that subject I hope you at least open source parts of your Unlaunch. Maybe the DSiWare and cart loading part can be open source? NTR Launcher I would love to add TWL cart support to. But the cart loading code it uses is ancient (uses same code from Nitrohax) and I don't understand the code well enough to fix it myself. :(

Oh one more thing. I noticed I was able to boot my Acekard 2i despite having ntrboothax installed to it. So it seems your card init code can trigger Acekard to use the first rom region instead of the retail rom region. So that's cool. ntrboothax users can still use Acekard 2i as a normal flashcart with Unlaunch if booted directly. NTR Launcher still causes it to try using retail rom region.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

edo9300 wrote:I tried to update from unlaunch 0.8 to the latest release and even if it installs fine, when i boot the console it just freezes on the unlaunch logo if booted with no bootcode/by pressing a, while if i try to run hiya via bootcode it freezes on a black screen, i tried the version between the 0.8 nd the 1.1 and those too have the same freeze issue. The only things i can run are the homebrew that doesn't access the system menu, like hb browser. I'm on a dsi xl with firmware 1.4.5 e
But it did work with unlaunch v0.8? And if you take a copy of eMMC, does the eMMC image work in no$gba, or does it freeze there, too?
If not: Are you sure that you have the launcher installed? You need both .tmd and .app files for launcher (just mentioning because unlaunch v0.6 didn't write-protect both files, so data managment may have deleted the .app file) (also .app and .tmd must be for the same firmware version, and matching your console region; just in case you tried to replace the file(s) by a different version?).
Rua
Posts: 1
Joined: Wed Jul 25, 2018 12:57 pm

Re: DSi unlaunch (bootcode exploit)

Post by Rua »

I can confirm that my device, which also failed to run Unlaunch0.9, has an issue 1.1. It is running 1.4.5A, which is a firmware on which many have had issues with 0.9. However, unlike with 0.9, I can boot into HiyaCFW. I just can't get to the regular DSi System Menu. On 0.9, neither was possible, though we could still run other bootcode.dsi files such as the installer for 0.8.
No such issue on my device running 1.4.2A, complete functionality as far as I can tell.
I'll be testing both of these eMMCs with no$gba soon and will report back.
edo9300
Posts: 33
Joined: Wed Jul 25, 2018 6:34 am

Re: DSi unlaunch (bootcode exploit)

Post by edo9300 »

nocash wrote:
edo9300 wrote:I tried to update from unlaunch 0.8 to the latest release and even if it installs fine, when i boot the console it just freezes on the unlaunch logo if booted with no bootcode/by pressing a, while if i try to run hiya via bootcode it freezes on a black screen, i tried the version between the 0.8 nd the 1.1 and those too have the same freeze issue. The only things i can run are the homebrew that doesn't access the system menu, like hb browser. I'm on a dsi xl with firmware 1.4.5 e
But it did work with unlaunch v0.8? And if you take a copy of eMMC, does the eMMC image work in no$gba, or does it freeze there, too?
If not: Are you sure that you have the launcher installed? You need both .tmd and .app files for launcher (just mentioning because unlaunch v0.6 didn't write-protect both files, so data managment may have deleted the .app file) (also .app and .tmd must be for the same firmware version, and matching your console region; just in case you tried to replace the file(s) by a different version?).
i tried running 2 backups, one with unlaunch 0.8 and the other with unlaunch 1.1, the result is the same as on the ds, the one with 0.8 boots fine, the one with 1.1 doesn't
robzombie91
Posts: 2
Joined: Wed Jul 25, 2018 8:00 pm

Re: DSi unlaunch (bootcode exploit)

Post by robzombie91 »

I'm getting a wierd bug installing the newer versions of unlaunch. I have unlauch 0.8 on my dsi. I tried to install 0.9 when it was compatible with ndsbootmenu and every time i tried it installed correctly but when i go to reboot my system it said it was using 0.8 not 0.9. I tried doing the install several times but it did not work, robz8 said it may be a "phantom install" but im not 100% sure. So now i have tried installing the newest version 1.1 and im still getting the "phantom install" issue, everything says it installed correctly but its still showing that im using 0.8.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

Hmmmm, okay, I see, the new patch added in v0.9 doesn't work for firmware v1.4.5. Added one more wildcard, so it'll find/patch the correct opcodes in next version. And I should be really more careful when adding new patches (but there are none planned at the moment anyways).
robzombie91 wrote:I'm getting a wierd bug installing the newer versions of unlaunch. I have unlauch 0.8 on my dsi. I tried to install 0.9 when it was compatible with ndsbootmenu and every time i tried it installed correctly but when i go to reboot my system it said it was using 0.8 not 0.9. I tried doing the install several times but it did not work, robz8 said it may be a "phantom install" but im not 100% sure. So now i have tried installing the newest version 1.1 and im still getting the "phantom install" issue, everything says it installed correctly but its still showing that im using 0.8.
The installer displays V1.1, but after installing & reboot, it's showing V0.8? Weird, sounds as if the eMMC writes are completely ignored, but I wouldn't know how/why that could happen. Or do you have the V0.8 installer on your SD card (renamed as bootcode.dsi)? Then it would reboot that file, asking you if you want to install V0.8.
Apache Thunder wrote:I tested Mario Kart DS booted from R4 from your new cart loader. Game hangs the moment I go the multiplayer menu. Seems like Wifi is incorrect state? ... Booted Mario 64 DS directly as well. It also hangs when trying to use the multiplayer menu.

I think the DS-Xtreme might be failing to boot due to secure area check fail. I recall having to disable that check in NTR Launcher to get that cart to boot. But not sure if you're code is doing the same. There's no error handling with your cart handler. At least nothing it will display. Just blackscreens on the carts it failed to boot. DS-Xtreme is a bit wierd though. It's header loads arm9 binary from odd location in rom. At 0x100000 or so instead of the normal 0x4000.
Don't know why the Mario games hang on multiplayer. I've tried Metroid demo cart multiplayer, that looks right (it doesn't hang, but I've no second cart for actually testing multiple players in there).
Didn't knew that there are carts with ARM9 code elsewhere than 4000h. If it's at 8000h or higher then the special 16Kbyte area is left unused, and the encryption for first 2Kbyte is also omitted (at least it's so on NDS, a DSi would probably refuse such carts completely).
I think that I've already implemented that case properly... except that I am still issuing dummy read commands for the special 16Kbyte area... maybe the flashcart doesn't support that commands at all and gets confused when receiving them - I can try to omit them on carts with ARM9 at 8000h or higher in next version.
robzombie91
Posts: 2
Joined: Wed Jul 25, 2018 8:00 pm

Re: DSi unlaunch (bootcode exploit)

Post by robzombie91 »

when i did the install i did it with the 1.1 unlaunch.dsi. i removed the 0.8 installer. But yeah it still displays 0.8 when booting
User avatar
Banshaku
Posts: 2417
Joined: Tue Jun 24, 2008 8:38 pm
Location: Japan
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by Banshaku »

@nocash

I will try to not derail this thread too much and ask a related question. What I would like to know if the wifiboot exist for something like the ds lite? I have a few of them amassing dust at home since the kids don't use them (and mostly destroyed them.. kids, you know :lol:) and the flash card I had mostly died in the first years I received it as a gift so I don't have much way to write anything for them anymore.

I didn't search on the subject yet since I'm not working on any related project but this thread got me interested to know more about it.
tepples
Posts: 22705
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by tepples »

There is WiFiMe, usable with a FlashMe'd DS (to skip DS Download Play's RSA check). But I think that requires a USB WLAN adapter with a certain Ralink chipset.
User avatar
Apache Thunder
Posts: 24
Joined: Tue Jul 24, 2018 6:28 pm

Re: DSi unlaunch (bootcode exploit)

Post by Apache Thunder »

Ok noticing a minor graphics issue when booting a cart via the cart loader. Best I just show it. I noticed this when my R4 boots up via the cart though that cart clears it out by the time WoodR4 is done booting. But this cart doesn't really recover. Yeah the Max Media Dock cart doesn't do much of anything on a DSI, but it was another cart I had so thought I'd test it with Unlaunch. :P

Don't think I've seen this occur with retail games, but it's abnormal since I don't see this when booting them normally so it might present unexpected issues with some carts perhaps?
Attachments
001.jpg
snapshot20180726181016.jpg
Post Reply