DSi unlaunch (bootcode exploit)

Robz8
Posts: 13
Joined: Sun Aug 05, 2018 12:52 pm

Re: DSi unlaunch (bootcode exploit)

Post by Robz8 »

nocash wrote:Hmmm, that seem to be all available only from those open source sites that are available only via https. I could try downloading them on another PC and then transfer them to my own computer... or is the power-button problem already fixed in v1.3?
Nope, the problem is not fixed.

btw, I uploaded DSiMenu++, since you are unable to access the site for it.
Attachments
DSiMenuPP.7z
DSiMenu++ v5.4.0 (Rev 01)
(3.28 MiB) Downloaded 521 times
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

XAYAH wrote:I've got an issue where the installer always says I've "discovered unknown camera chip IDs" when I go to install unlaunch. It says to check for a newer version, but I am already using 1.3. Does anyone know what is going on?
When saying "using 1.3" do you mean that you already installed 1.3 successfully, or that you are trying to install 1.3?
In latter case, see here: viewtopic.php?f=23&t=17581&start=30#p223062
XAYAH
Posts: 4
Joined: Thu Aug 09, 2018 12:57 pm

Re: DSi unlaunch (bootcode exploit)

Post by XAYAH »

I am trying to install 1.3 yes, however I'm not sure what is relevant to me in the post that you linked.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

XAYAH wrote:I am trying to install 1.3 yes, however I'm not sure what is relevant to me in the post that you linked.
Oh, sorry, asking if you were "trying to install" was misleading.

I meant this: If you are "trying to upgrade from an older unlaunch version" then the problem might be caused by a glitch in the older unlaunch version (and the linked post shows some workarounds). The problem there is that old unlaunch didn't empty the cache when loading bootcode.dsi (if your bootcode.dsi file contains the new unlaunch version, then the new version may fail to detect the cameras or run into other weird effects).

What are you using for installing unlaunch? Some exploit like Flipnote or Sudokuhax?

With some exploits it may be also helpful to insert hbmenu or wifiboot into the bootchain (ie. load one of that tools as boot.nds, and then use that tool to load the unlaunch installer).

All of the above is assuming that the unknown camera warning is shown only accidentally. The other possibility would be that you do have uncommon camera hardware. All known consoles have two Aptina cameras (with ID=2280). The four values in the screenshot have this meaning:

Code:

  FFFF   1st Aptina camera (usually 2280=the usual camera ID found in all known DSi's) (but your screenshot says FFFF=none)
  2280   2nd Aptina camera (usually 2280=the usual camera ID found in all known DSi's)
  FF     1st alternate camera from some other manufacturer (usually FF=none)
  FF     2nd alternate camera from some other manufacturer (usually FF=none)
Going by those values your console would contain only one working camera instead of two. But I doubt that that's true (unless you say that your hinge is broken and there are some broken cables dangling out of the console).

I think it's more likely that the detection went wrong; as happening when trying to upgrade from 1.2 to 1.3, which sometimes causes camera values FFFF,FFFF,FF,FF to be displayed. Your values are a bit different, but my first guess was that it's nevertheless related to the same issue.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

Robz8 wrote:
nocash wrote:Hmmm, that seem to be all available only from those open source sites that are available only via https. I could try downloading them on another PC and then transfer them to my own computer... or is the power-button problem already fixed in v1.3?
Nope, the problem is not fixed.
btw, I uploaded DSiMenu++, since you are unable to access the site for it.
Got it downloaded, thanks!

Power button doesn't work because the IRQ isn't enabled in GPIO registers. From what I can see, the Launcher seems to enable that for you (and I'll do so in next unlaunch version, too). Additionally, commercial games seem to also enable the IRQ themselves (and it should be perfectly legit to do that in homebrew titles too, ie. write [4004C02h]=4000h, so you won't need to wait for next update and/or want to have your program working like official games).
The exact official code in firmware v1.4E looks as so:

Code:

037B0F30 E1A04000 mov     r4,r0
037B0F34 EBFEAD1E bl      375C3B4h ;lau7_cpsr_disable_irq
037B0F38 E1A05000 mov     r5,r0
037B0F3C EBFEB43D bl      375E038h ;lau7_get_gpio_irq_config    ;\
037B0F40 E3C00040 bic     r0,r0,40h                             ;
037B0F44 E1A00800 mov     r0,r0,lsl 10h                         ; enable
037B0F48 E1A00820 mov     r0,r0,lsr 10h                         ; powerbutton
037B0F4C E3800901 orr     r0,r0,4000h    ;power.butt.irq        ; irq
037B0F50 E1A00800 mov     r0,r0,lsl 10h                         ;
037B0F54 E1A00820 mov     r0,r0,lsr 10h                         ;
037B0F58 EBFEB432 bl      375E028h ;lau7_set_gpio_irq_config    ;/
037B0F5C E3A00901 mov     r0,4000h  ;mask                         ;\set powerbutton
037B0F60 E3A01000 mov     r1,0h     ;set (none, aka clear)        ; direction
037B0F64 EBFEB419 bl      375DFD0h ;lau7_read_modify_gpio_data_io ;/to 0=input
037B0F68 E1A00005 mov     r0,r5
037B0F6C EBFEAD15 bl      375C3C8h ;lau7_cpsr_restore_irq
Touchscreen doesn't work, too (as far as I remember you mentioned that somewhere, too). One thing that looks wrong is your cartheader entry [1BFh], that's setting the touchscreen to NDS mode, or is that intended as so? Once when it's in NDS mode, I don't know of a way to switch touchscreen back to DSi mode (except by issuing a Reset with complete reboot).
Apache Thunder
Posts: 24
Joined: Tue Jul 24, 2018 6:28 pm

Re: DSi unlaunch (bootcode exploit)

Post by Apache Thunder »

nocash wrote:Touchscreen doesn't work, too (as far as I remember you mentioned that somewhere, too). One thing that looks wrong is your cartheader entry [1BFh], that's setting the touchscreen to NDS mode, or is that intended as so? Once when it's in NDS mode, I don't know of a way to switch touchscreen back to DSi mode (except by issuing a Reset with complete reboot).

Yeah I believe they intentionally do that to ensure touch screen works once NTR mode games are running. They tried to mode switch the touchscreen some time back. I recall there were issues so right now they don't do that anymore. Right now the only downside is lack of touch control in the menu. If only libnds allowed forcing ntr mode touchscreen code in TWL mode.... :P
XAYAH
Posts: 4
Joined: Thu Aug 09, 2018 12:57 pm

Re: DSi unlaunch (bootcode exploit)

Post by XAYAH »

It's not an upgrade at all, I'm trying to install unlaunch for the first time on this console. I guess it's possible that one of the cameras has been disconnected, I have had to take it apart once or twice due to some screen issues. The camera app does crash when I try to open the camera so that would make sense. I am trying to install using flipnote, which is already booting hbmenu which I am using to open the unlaunch installer.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

XAYAH wrote:It's not an upgrade at all, I'm trying to install unlaunch for the first time on this console. I guess it's possible that one of the cameras has been disconnected, I have had to take it apart once or twice due to some screen issues. The camera app does crash when I try to open the camera so that would make sense. I am trying to install using flipnote, which is already booting hbmenu which I am using to open the unlaunch installer.
Ah, okay, if the official DSi camera tool doesn't work either then it's apparently really a hardware issue, not a bug in unlaunch.

You could install unlaunch v0.8 (which didn't have the camera check), I think/hope that v1.3 is a bit more stable than v0.8, but v0.8 seems to have worked okay for most or all people, so it should be quite safe, too. Or you could install v1.3 manually (eg. via hardmod). Or I could maybe add something for detecting your broken hardware, and let it pass to the installer for that specific situation.

Might be worth opening the console and check what's wrong with it. But the ribbon cables for the two cameras are both connected to the same connector (P9), and (apart from the camera LED) both cameras are sharing the exact same signals, so the issue is probably not caused by a loose connector (as that would affect both cameras). I would be afraid that it's a broken ribbon cable, or some damage to the actual camera, ie. things that are quite impossible to repair (unless it's something simple like some metal junk touching the camera contacts & producing a shortcut; or maybe a blown fuse, if there are any fuses in there). Quite possible that you would need to replace the whole ribbon cables with attached cameras and connector.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

Apache Thunder wrote:Yeah I believe they intentionally do that to ensure touch screen works once NTR mode games are running. They tried to mode switch the touchscreen some time back. I recall there was issues so right now they don't do that anymore. Right now the only downside is lack of touch control in the menu. If only libnds allowed forcing ntr mode touchscreen code in TWL mode.... :P
Yeah, libnds should probably support that, at least Nintendo is apparently supporting DSi titles to use NDS-TSC mode (don't know if they've ever released any titles doing that though).
On the other hand, switching to NDS-TSC mode just requires the following code (which will also fix the power button issue) (the init list & send list functions are found in the dsloader.a22 source code file in wifiboot.zip available on the unlaunch webpage) (for NDS titles that do not have an actual DSi header, make sure that you set dsi header [1BCh] to 00000000h).

Code:

 ldr  r1,=__DSiHeader                   ;\
 ldr  r0,[r1,1bch] ;hdr[1BCh]           ; switch to NDS TSC mode
 tst  r0,1000000h ;bit24=tsc mode       ; (if requested in cart header)
 ldr  r1,=nds_mode_tsc_init_list        ;
 bleq send_tsc_list_r1                  ;/
 ldr  r1,=4004C00h   ;GPIO              ;\
 ldr  r0,=8080h   ;bit7 dta+dir         ; REQUIRED for flipnote SOUND output
 strh r0,[r1]     ;set new              ;/
 ldr  r1,=4004C02h   ;GPIO              ;\REQUIRED for homebrew titles
 ldr  r0,=4000h   ;powerbutt irq enable ; (commercial titles do that themselves,
 strh r0,[r1]     ;set new              ;/incoming value from launcher is 4000h)
Last edited by nocash on Sun Aug 12, 2018 10:31 am, edited 1 time in total.
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

edo9300 wrote:I first modded the dsi when the 0.9 version was out, even if i didn't install it because of the various issues and used the 0.8, later i tried installing the 0.9 and noticed it wasn't booting, after that i tried installing some older versions of unlaunch and i installed the 0.7 and the 0.6, and checked if they were working or not, the 0.6 did, but i then returned to the 0.8, i have 2 nand backups i'm testing with no$gba. The first from when i reported the issue in this forum and you told me to check (that backup had unlaunch 0.8 installed), the second when the 1.2 came out after it didn't boot (that had unlaunch 1.2 installed) on both the backups, both the 1.2 and 1.3 works. I installed the 1.3 on both the backups from no$gba. As for the files in the backup, they're there, both the app and title tmd, with the correct size.
Thanks for the screenshots. Yes, looks as if you really have no$gba configured as needed. I am running out of ideas why it isn't working the same way on real hardware. Except, you could try to dump CURRENT eMMC content (as far as I understand you've installed v1.3 independently on hardware and in no$gba, so the dump may be still slightly different than real hardware).

If you had v0.9 installed first, then the launcher files were already write-protected (so later use of v0.6 won't cause any harm).

Did you try to hold down button Y in v1.3 to skip wifi init (or both Y+A, if you have sd card inserted)? Maybe that helps, though I wouldn't know why, unless you have some different wifi hardware than most people. Maybe it's really time to look at the mainboard and chipset. Aside from different wifi boards, there seem to be different BPTWL chips, and different sound/touchscreen controllers.

Well, or I could make a version with additional boot status messages, or with blank red/green/blue screens during the patched-launcher boot stages. That'd help to find out where it's hanging exactly.

Ah, and did you try hiyacfw? As far as I know, that's also booting into the official launcher, with similar patches as in unlaunch. Does that hang, too?

PS. I do currently have firmware v1.4E on my console, and tested v1.4.5E only in no$gba, so I didn't check if v1.4.5E would hang on my console, too. But I guess a lot of other people have tested that and it's working without problems... If somebody has firmware v1.4.5E and unlaunch v1.3 installed: Could you test/confirm if it's working or hanging (when ejecting the SD card, or holding down button A during boot)?
edo9300
Posts: 33
Joined: Wed Jul 25, 2018 6:34 am

Re: DSi unlaunch (bootcode exploit)

Post by edo9300 »

nocash wrote:
edo9300 wrote:I first modded the dsi when the 0.9 version was out, even if i didn't install it because of the various issues and used the 0.8, later i tried installing the 0.9 and noticed it wasn't booting, after that i tried installing some older versions of unlaunch and i installed the 0.7 and the 0.6, and checked if they were working or not, the 0.6 did, but i then returned to the 0.8, i have 2 nand backups i'm testing with no$gba. The first from when i reported the issue in this forum and you told me to check (that backup had unlaunch 0.8 installed), the second when the 1.2 came out after it didn't boot (that had unlaunch 1.2 installed) on both the backups, both the 1.2 and 1.3 works. I installed the 1.3 on both the backups from no$gba. As for the files in the backup, they're there, both the app and title tmd, with the correct size.
Thanks for the screenshots. Yes, looks as if you really have no$gba configured as needed. I am running out of ideas why it isn't working the same way on real hardware. Except, you could try to dump CURRENT eMMC content (as far as I understand you've installed v1.3 independently on hardware and in no$gba, so the dump may be still slightly different than real hardware).

If you had v0.9 installed first, then the launcher files were already write-protected (so later use of v0.6 won't cause any harm).

Did you try to hold down button Y in v1.3 to skip wifi init (or both Y+A, if you have sd card inserted)? Maybe that helps, though I wouldn't know why, unless you have some different wifi hardware than most people. Maybe it's really time to look at the mainboard and chipset. Aside from different wifi boards, there seem to be different BPTWL chips, and different sound/touchscreen controllers.

Well, or I could make a version with additional boot status messages, or with blank red/green/blue screens during the patched-launcher boot stages. That'd help to find out where it's hanging exactly.

Ah, and did you try hiyacfw? As far as I know, that's also booting into the official launcher, with similar patches as in unlaunch. Does that hang, too?

PS. I do currently have firmware v1.4E on my console, and tested v1.4.5E only in no$gba, so I didn't check if v1.4.5E would hang on my console, too. But I guess a lot of other people have tested that and it's working without problems... If somebody has firmware v1.4.5E and unlaunch v1.3 installed: Could you test/confirm if it's working or hanging (when ejecting the SD card, or holding down button A during boot)?
Tested all those various things, but 1.3 is behaving the same way as 1.2, so cannot access the system nand, via unlaunch, or the sdnand via hiya cfw. There's still also the issue with games with wifi capabilities that are still not booting with b pressed, while the others are. Those games are pokemon platinum, pokemon white and yugioh gx spirit caller. The ones that boot instead are mario bros, lotr aragorn's quest and transformers the dark side of the moon autobots. Also i have a flashcard with wifi capabilities, with b pressed it boots, but as soon as i enter the wifi settings it freezes on a black screen.
edo9300
Posts: 33
Joined: Wed Jul 25, 2018 6:34 am

Re: DSi unlaunch (bootcode exploit)

Post by edo9300 »

Also in the dsi homebrew discord server, I noticed that I'm the only one with a dsi xl on 1.4.5 e that doesn't boot with unlaunch 1.3
Tradegirl2011
Posts: 1
Joined: Mon Aug 13, 2018 8:18 am

Re: DSi unlaunch (bootcode exploit)

Post by Tradegirl2011 »

After several emails with nocash about unknown emmc/cid errors with unlaunch, he asked me to upload a picture of my nand here.
Attachments
DSCN0194.JPG
nocash
Posts: 1405
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: DSi unlaunch (bootcode exploit)

Post by nocash »

Thank you! Good to see how that chip looks like for real! If somebody else is reading this: The CID/CSD values shown in unlaunch's unknown hardware warning, for this chip on the above photo are:

Code:

1D XX XX XX XX 31 36 35  ;\CID
32 43 4D 4D 4E 01 FE 00  ;/
00 40 8A E0 BF FF 7F F5  ;\CSD
80 59 0F 32 01 2F 90 00  ;/
80 80 FF 80 00 04 00 00
00 00 00 00 01 00 01 00
00 00 00 00 00 00 00 00
00 09 00 00 00 01 D0 40
00 00 01 00
And, about an hour later after receiving those values, I got a screenshot with similar values from somebody else: https://i.imgur.com/embuZyj.jpg (with same values as above, except with date code CC instead of 1D in first byte).

Those chips are almost the same as this one viewtopic.php?f=23&t=17581&start=15#p222497 discovered a few weeks ago. The difference (apart from date code) is the 6th byte of the CID being 31h instead of 30h. That byte is supposed to contain the chip revision number. The values are looking like ASCII for rev1 and rev0... although going by official MMC specs they are supposed to be BCD values, with 31h and 30h meaning rev3.1 and rev3.0.
Anyways, they are different revisions. Ah, and one reason for mentioning those difference here is that people without Flipnote will often need to brute-force their CID before installing code on the DSi console, so the above will help them to find out which values they are searching for.

Just looking at the chip photo, I can't see anything indicating the revision number on them. The first lines with "ST, NAND02G, AH0LZC5" are same, the next line contains some different letters/digits, and the last 3 digits in last line are also different (those might be a YWW date code with year/week values, but, if so, then the YWW value on the chip is several weeks older than the month/year value in the CID).
Last edited by nocash on Mon Aug 13, 2018 6:48 pm, edited 1 time in total.
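Added example (not part of the original thread and not nocash's code): a decoder for the CID bytes quoted in the post above, showing both readings of the revision byte and the date code. The date-code and revision offsets are from the post; the other field offsets, the reversed product name and the 1997 year base are assumptions taken from the standard MMC CID register layout.

```python
import string

# CID line pair copied from the post above; XX marks bytes withheld there.
CID_DUMP = "1D XX XX XX XX 31 36 35 32 43 4D 4D 4E 01 FE 00"


def parse_dump(text):
    """Turn 'hh hh XX ...' into 16 entries: int for a byte, None for XX."""
    tokens = text.split()
    if len(tokens) != 16:
        raise ValueError(f"a CID is 16 bytes, got {len(tokens)}")
    cid = []
    for tok in tokens:
        if tok.upper() == "XX":
            cid.append(None)
        elif len(tok) == 2 and all(c in string.hexdigits for c in tok):
            cid.append(int(tok, 16))
        else:
            raise ValueError(f"not a hex byte: {tok!r}")
    return cid


def decode_cid(cid):
    """Decode fields; a field that touches a withheld byte comes back None."""
    mdt, prv = cid[0], cid[5]          # offsets named in the post
    name = cid[11:5:-1]                # assumed: product name stored back to front
    date = None
    if mdt is not None:
        # Assumed MMC convention: high nibble = month, low nibble = years since 1997.
        month, year = mdt >> 4, 1997 + (mdt & 0x0F)
        date = (year, month) if 1 <= month <= 12 else None
    printable = prv is not None and 0x20 <= prv < 0x7F
    return {
        "manufacturer_id": cid[14],    # assumed offset
        "oem_id": cid[12],             # assumed offset
        "product_name": None if None in name
        else bytes(name).decode("ascii", "replace"),
        "serial_known": None not in cid[1:5],
        "revision_bcd": None if prv is None else f"{prv >> 4}.{prv & 0x0F}",
        "revision_ascii": chr(prv) if printable else None,
        "date": date,
    }


def differing_bytes(a, b):
    """Offsets where both dumps show a byte and the bytes differ."""
    return [i for i, (x, y) in enumerate(zip(a, b))
            if x is not None and y is not None and x != y]


if __name__ == "__main__":
    first = parse_dump(CID_DUMP)
    # Second screenshot in the post: same values, date code CC in the first byte.
    second = parse_dump("CC" + CID_DUMP[2:])
    for label, cid in (("photo", first), ("screenshot", second)):
        print(label, decode_cid(cid))
    print("differs at offsets", differing_bytes(first, second))
```
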
XAYAH
Posts: 4
Joined: Thu Aug 09, 2018 12:57 pm

Re: DSi unlaunch (bootcode exploit)

Post by XAYAH »

nocash wrote:
XAYAH wrote:It's not an upgrade at all, I'm trying to install unlaunch for the first time on this console. I guess it's possible that one of the cameras has been disconnected, I have had to take it apart once or twice due to some screen issues. The camera app does crash when I try to open the camera so that would make sense. I am trying to install using flipnote, which is already booting hbmenu which I am using to open the unlaunch installer.
Ah, okay, if the official DSi camera tool doesn't work either then it's apparently really a hardware issue, not a bug in unlaunch.

You could install unlaunch v0.8 (which didn't have the camera check), I think/hope that v1.3 is a bit more stable than v0.8, but v0.8 seems to have worked okay for most or all people, so it should be quite safe, too. Or you could install v1.3 manually (eg. via hardmod). Or I could maybe add something for detecting your broken hardware, and let it pass to the installer for that specific situation.

Might be worth opening the console and check what's wrong with it. But the ribbon cables for the two cameras are both connected to the same connector (P9), and (apart from the camera LED) both cameras are sharing the exact same signals, so the issue is probably not caused by a loose connector (as that would affect both cameras). I would be afraid that it's a broken ribbon cable, or some damage to the actual camera, ie. things that are quite impossible to repair (unless it's something simple like some metal junk touching the camera contacts & producing a shortcut; or maybe a blown fuse, if there are any fuses in there). Quite possible that you would need to replace the whole ribbon cables with attached cameras and connector.
I opened it and didn't see anything obviously wrong with the cameras or the ribbon cable so it is probably something wrong inside one of them or something. I just installed 0.8 and it is working! Thank you :)