It looks like the guys at Hackmii have released an update on their progress on hacking the DSi.


DSi: ram hax
September 6th, 2009 by bushing

Some time has gone by, and we’ve made a little progress on the DSi — at least, enough for some people to notice — so maybe I should write a little bit about it.

I personally haven’t had much luck with my DSi. I tried to dump the flash on it, and managed to blow a fuse in the process (it’s hard to keep that battery aligned with the case removed…). I can’t run any of the savegame hacks, because there are no DSi-mode cartridge-based games for the Japanese DSi yet. I decided to get a bit more aggressive and see if we could sniff the RAM.


We have no grand master exploit, but have learned the following things:

* There is a considerable amount of ROM (128K+?) and RAM (1MB+?) inside the CPU

* The internal ROM is quite sophisticated, compared to that of the Starlet (boot0) — it is able to initialize both LCD panels, read from the SPI flash and the MMC NAND flash, and decrypt the contents of the 2nd-stage bootloader from NAND into internal RAM. If there is an error, it can display an error code on the top LCD.

* The second stage bootloader is analogous to boot2 on the Wii — it can read the TMD for the System Menu from the NAND filesystem and load the contents into memory. Like the Wii, the code seems to be stored in NAND unencrypted (inside an encrypted filesystem). Unlike the Wii, it seems to actually verify the contents and signature of the TMD before executing it.

* Most of the interesting keys seem to be stored inside internal RAM, safely out of reach from us. They are cleared when a cartridge is loaded, and probably even when a DSiWare app is loaded.


Read the entire post HERE.