Installing exploitable DSiWare


If you need help, ask the Nintendo DSiBrew Discord!
I worked hard on this guide! If you want, you can donate through PayPal or Bitcoin!

This page still works fine, however, it is quite outdated and complicated. Follow here for an updated Sudoku+sudokuhax guide. Sudokuhax is really the only exploit you need.


JUST LIKE THE DOWNGRADE PROCEDURE, THIS PROCESS MAY RESULT IN A BRICK. MAKE SURE TO KEEP A NAND BACKUP HANDY AND FOLLOW ALL INSTRUCTIONS CAREFULLY. MOST IMPORTANTLY, DO NOT SKIP THE SECTION THAT DEALS WITH TESTING YOUR BACKUP, BECAUSE TESTING THE BACKUP IS THE EASIEST WAY TO PREVENT BRICKS.

We will now install an exploitable DSiWare on your DSi. Before starting, look at the table below and choose one of the DSiWares for your region. If you have already gotten one of these on your DSi or on a 3DS, choose that one. If not, choose Sudoku, which is the only one still purchaseable on the 3DS eshop. After choosing a DSiWare, write down its short and long IDs.

DSiWare/Application Short ID Long ID
Sudoku USA: 4b344445
EUR: 4b344456
USA: 000300044b344445
EUR: 000300044b344456
Fieldrunners USA: 4b464445
EUR: 4b464456
USA: 000300044b464445
EUR: 000300044b464456
Legends of Exidia USA: 4b4c4545
EUR: 4b4c4556
JAP: 4b4c454a
USA: 000300044b4c4545
EUR: 000300044b4c4556
JAP: 000300044b4c454a
The Legend of Zelda: Four Swords Anniversary Edition USA: 4b513945
EUR: 4b513956
USA: 000300044b513945
EUR: 000300044b513956

We do not condone the use of piracy to obtain a copy of one of these DSiWare applications, and strongly encourage you to buy Sudoku on the 3DS eshop instead of resorting to piracy (seriously, it's only $2).

What you need

Instructions

    Section I - Converting your .cia to a .app

  1. You don't need to follow this section if you already have your DSiWare installed, or if you already have a .app version of your DSiWare.
  2. If you don't have a .cia version of the DSiWare you want to install, use FunkeyCIA or Villain3DS to get one using the eshop data of a 3DS console that has bought one of these apps (if you haven't bought one yet, Sudoku is the only one still on the eShop).
  3. Download and extract the contents of the crtool release to a new folder
  4. Place your .cia file in the crtool folder and rename it to dsiware.cia
  5. Run extract.bat. You should get a file called 00000000.app, which is the .app version of your DSiWare.

  6. Section II - Patching Sudoku

  7. You do not need to follow this section if the DSiWare app you are exploiting is not Sudoku. If you have Sudoku on your DSi already but bought after 2011, you should still follow this section and the next one, because you probably have the version that cannot execute the exploit.
  8. Download the sudoku patch pack and extract it to a new folder.
  9. Place your .app version of sudoku in that folder. (If you have sudoku on your DSi already, you can find it in the title/00030004/XXXXXXXX/content folder of your decrypted nand backup, with XXXXXXXX being the short ID of your version of Sudoku.
  10. Open Lunar IPS. Select "Apply IPS patch".
  11. Select the .ips file corresponding to your DSi's region.
  12. Switch the file view from "Most Common ROM Files" to "All files (*.*)".
  13. Select your .app file. It will then be turned into the original Sudoku.

  14. Section III - Installing the DSiWare app to a nand backup

  15. If your DSi already has the app you're trying to install an exploit to, you can skip this section (this only applies if that app is not Sudoku, refer to Section II for why that is).
  16. Create a new folder with a name that matches the short ID of the game you are trying to install. From now on, this guide will refer to that folder as the "short ID folder".
  17. Inside the short ID folder, create two new folders, called "content" and "data".
  18. Put the .app version of your DSiWare in the "content folder".
  19. Download the tmd pack and drag the .tmd file corresponding to your DSiWare into the content folder.
  20. Rename it to title.tmd.
  21. Open title.tmd in a hex editor. Go to offset 208 (Row 20, column 08). Delete it and everything after it, shortening the file.
  22. Go to offset 1E7. Write down the two numbers you see there.
  23. Rename your .app file to 000000XX.app, with XX being the two numbers you got in the previous step.
  24. Make a copy of your decrypted nand backup, and use OSFMount to mount it.
  25. Open the title folder, and then open the 00030004 folder inside it.
  26. Move the short ID folder into the 00030004 folder.
  27. Go back to the root of the mounted nand backup, then open the ticket folder.
  28. Open the 00030004 folder inside the ticket folder.
  29. Copy any of the .tik files you see there to another folder on your computer.
  30. Download TWLTool.zip and extract it into a new folder.
  31. Move the .tik file you got in the previous steps to the TWLTool folder.
  32. Download the ticket-handling.zip and extract the two .bat files into the TWLTool folder.
  33. Open decrypt ticket.bat in a text editor and replace "ConsoleID_BLANK" with your DSi's Console ID.
  34. Save and run decrypt ticket.bat. You should get a file called dec_ticket.tik.
  35. Open dec_ticket.tik in a hex editor.
  36. Go to offset 1DC and replace it (and the next 8 offsets) with the long ID of your DSiWare, then save the file.
  37. Open the other .bat file, encrypt ticket.bat, in a text editor and replace "ConsoleID_BLANK" with your DSi's Console ID.
  38. Save and run encrypt ticket.bat. You should get a file called enc_ticket.tik.
  39. Rename it to XXXXXXXX.tik, with XXXXXXXX being your DSiWare's short ID.
  40. Move that .tik file to the ticket/00030004 folder of your Nand backup.

  41. Section IV - Installing the exploited save

  42. If you haven't already done so, mount your decrypted Nand backup
  43. Download and open the DSiWareHax saves pack.
  44. Choose the folder for your DSiWare and region and open it. You should see a “title” folder inside it.
  45. Drag that “title” folder onto the root of your decypted Nand backup. Accept if it asks if you want to merge folders and overwrite the public.sav file already there.
  46. Unmount your decrypted nand backup, then re-encrypt it with TWLTool.

  47. Section V - Testing Your NAND with NO$GBA

  48. Download and extract NO$GBA to a directory.
  49. Make a copy of the re-encrypted nand backup in your NO$GBA directory (make sure you have extracted the NO$GBA archive) and rename it to DSI-1.mmc
  50. Extract the DSi BIOS files from the "DSi firmware files.zip" archive into the NO$GBA directory
  51. Download the DSi footer template file and extract it to the NO$GBA directory.
  52. Open it in HxD.
  53. Replace the 16 bytes filed with AAs with your CID
  54. Replace the 8 bytes filed with BBs with your Console ID, but reversed. This means that if your Console ID starts with the byte 26 and ends with 08, for example, it should now end with 26 and start with 08.
  55. After you have inserted your CID and Console ID, highlight and copy the entire footer file.
  56. Open DSi-1.mmc and scroll to the end of the file. At the end of the file, paste in the footer.
  57. Save and close DSi-1.mmc and open No$GBA.
  58. Go to options and then Emulation setup.
  59. In the Emulation tab, set “Reset/Startup Entrypoint” to “GBA/NDS BIOS (Nintendo logo)” and NDS Mode Colors to “DSi (retail/16MB)”. Then click Save Now and then OK.
  60. Go to File, Cartridge Menu (FileName), and then open any .nds file (such as FWTool).
  61. Your NAND will now be emulated by NO$GBA. Go to the DSi main menu.
  62. You should see a gift-wrapped icon. Tap it to reveal your newly-installed DSiWare.
  63. Open the DSiWare you installed and trigger the exploit. You should see an error occur in NO$GBA.
  64. If anything that was described above does not match what you saw, you made a mistake. Either try to find what it is or try this procedure again from the beginning.
  65. If your encrypted NAND and exploit works on NO$GBA, then rename the original re-encrypted nand backup to nand_dsi.bin (if it asks you to overwrite, you may want to move the other nand_dsi.bin somewhere else and try renaming it again)
  66. Move the new nand_dsi.bin to the folder in your SD card with random letters (if it asks to overwrite, simply accept)

  67. Section VI - Flashing your NAND

  68. Open fwtool using any exploit you have on your DSi (if you only have ugopwn, follow steps 8-22 of the Downgrading page to open fwtool).
  69. Once in FWTool again, select Restore nand_dsi.bin (This may take a while. DO NOT EXIT FWTool until the restoration is complete.)
  70. Exit FWTool. You should now have an exploited DSiWare installed!

If you would like to check out what DSi Homebrew you can now use, check out the Homebrew Downloads page.