DSiBrew - User contributions [en]

DSi exploits

2024-12-02T15:12:35Z

ChampionLeake: /* NTR/NDS-Mode Exploits */

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

== Type of exploits ==
Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.
== NTR/NDS-Mode Exploits ==
These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as ''NTR''. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[FIFA NDS]]
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| [[Bangai-O-Sploit]]
| A ''primary'' entrypoint for the game, ''Bangai-O Spirit'', on the Nintendo DS. This game was successfully exploit through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| [[NDS-ILH-Save-Exploit]]
| "I Love Horses" Nintendo DS save exploit
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| [[ABR-NDS-SaveExploit]]
| A stack smash savegame exploit for the game "Asterix Brain Trainer"
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| [[HaxxStation]]
| DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://github.com/Gericom/dspatch See Here]
|-
| [[BreakingNews]]
| A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|-
| [[NDS-FC2008-Save-Exploit]]
| A savegame exploit for the game "Führerschein Coach 2008".
| [https://github.com/toombaumarkt/ toombaumarkt]
| [https://github.com/toombaumarkt/NDS-FC2008-Save-Exploit Install]
|-
| [[WordJong-Overflow]]
| A buffer overflow exploit for the game WordJong DS (U).
| [https://github.com/Borgars/ Borgars]
| [https://github.com/Borgars/WordJong-Overflow Install]
|-
| [[CorruptedClues]]
| A stack smash savegame exploit for the game "Cate West: The Vanishing Files", resulted by unchecked string sizes from the highscore data.
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/CorruptedClues Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==
These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as ''TWL''. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[The Biggest Losers]]
| Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| [[Cookhack]]
| DSi Cooking Coach exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[Classichack]]
| DSi Classic Word Games exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[SystemFlaaw]]
| The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare (True DSi-Mode) Exploits ==
These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions, or install a persistent exploit such as Unlaunch. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Sudokuhax]]
| One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched.
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| [[grtpwn]]
| A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| [[exidiahax]]
| A Gameloft DSiWare savegame exploit for the game, Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| [[fieldrunhax]]
| A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| [[4swordhax]]
| A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| [[Flipnote ( ͡° ͜ʖ ͡°)]] and [[ugopwn]]
| A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| [[UNO*pwn]]
| A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| [[Memory Pit]]
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit.
| shutterbug2000
| [https://gbatemp.net/threads/memory-pit-a-new-dsi-exploit-for-dsi-camera.539432 Install], [https://github.com/ChampionLeake/BrokenPit Open-source]
|-
| [[petit-compwner]]
| The last string argument of interpreter command "COLSET" is not bounds checked, thus a trivial stack smash can occur if the string is overly long.
| zoogie
| [https://github.com/zoogie/petit-compwner/releases Release]
|-
| [[stylehax]]
| A primary entrypoint, using a use-after-free in Opera 9.50 (which uses WebKit under the hood).
| @0x1337cafe
| [https://github.com/nathanfarlow/stylehax Release], [https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser Writeup]
|}

== ARM7 Exploits ==
These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[RocketLauncher]]
| One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://github.com/ApacheThunder/RocketLauncher source]
|}

== Bootcode Exploits ==

These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's ''title.tmd''. At the moment, nocash's exploit, ''Unlaunch'' is the only known usable exploit.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Unlaunch]]
| Possibly one of the first bootcode exploit for the Nintendo DSi! This exploit deals with taking advantage of the launcher's "title.tmd" size as it's not checked, allowing esculated permissions!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|-
| Unnamed modchip
| A modchip that exlploits the bootROMs of the Nintendo DSi. It enables code execution on both cores before boot ROM lockout.
| PoroCYon
| [https://media.ccc.de/v/37c3-11736-nintendo_hacking_2023_2008 37c3 talk], [https://icosahedron.website/@pcy/111676158956228552 video], [https://github.com/dsi-modchip/guide DIY guide]
|}

DSi exploits

2024-12-02T10:54:50Z

ChampionLeake: /* DSiWare (True DSi-Mode) Exploits */

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

== Type of exploits ==
Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.
== NTR/NDS-Mode Exploits ==
These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as ''NTR''. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[FIFA NDS]]
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| [[Bangai-O-Sploit]]
| A ''primary'' entrypoint for the game, ''Bangai-O Spirit'', on the Nintendo DS. This game was successfully exploit through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| [[NDS-ILH-Save-Exploit]]
| "I Love Horses" Nintendo DS save exploit
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| [[ABR-NDS-SaveExploit]]
| A stack smash savegame exploit for the game "Asterix Brain Trainer"
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| [[HaxxStation]]
| DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://github.com/Gericom/dspatch See Here]
|-
| [[BreakingNews]]
| A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|-
| [[NDS-FC2008-Save-Exploit]]
| A savegame exploit for the game "Führerschein Coach 2008".
| [https://github.com/toombaumarkt/ toombaumarkt]
| [https://github.com/toombaumarkt/NDS-FC2008-Save-Exploit Install]
|-
| [[WordJong-Overflow]]
| A buffer overflow exploit for the game WordJong DS (U).
| [https://github.com/Borgars/ Borgars]
| [https://github.com/Borgars/WordJong-Overflow Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==
These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as ''TWL''. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[The Biggest Losers]]
| Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| [[Cookhack]]
| DSi Cooking Coach exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[Classichack]]
| DSi Classic Word Games exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[SystemFlaaw]]
| The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare (True DSi-Mode) Exploits ==
These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions, or install a persistent exploit such as Unlaunch. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Sudokuhax]]
| One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched.
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| [[grtpwn]]
| A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| [[exidiahax]]
| A Gameloft DSiWare savegame exploit for the game, Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| [[fieldrunhax]]
| A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| [[4swordhax]]
| A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| [[Flipnote ( ͡° ͜ʖ ͡°)]] and [[ugopwn]]
| A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| [[UNO*pwn]]
| A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| [[Memory Pit]]
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit.
| shutterbug2000
| [https://gbatemp.net/threads/memory-pit-a-new-dsi-exploit-for-dsi-camera.539432 Install], [https://github.com/ChampionLeake/BrokenPit Open-source]
|-
| [[petit-compwner]]
| The last string argument of interpreter command "COLSET" is not bounds checked, thus a trivial stack smash can occur if the string is overly long.
| zoogie
| [https://github.com/zoogie/petit-compwner/releases Release]
|-
| [[stylehax]]
| A primary entrypoint, using a use-after-free in Opera 9.50 (which uses WebKit under the hood).
| @0x1337cafe
| [https://github.com/nathanfarlow/stylehax Release], [https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser Writeup]
|}

== ARM7 Exploits ==
These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[RocketLauncher]]
| One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://github.com/ApacheThunder/RocketLauncher source]
|}

== Bootcode Exploits ==

These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's ''title.tmd''. At the moment, nocash's exploit, ''Unlaunch'' is the only known usable exploit.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Unlaunch]]
| Possibly one of the first bootcode exploit for the Nintendo DSi! This exploit deals with taking advantage of the launcher's "title.tmd" size as it's not checked, allowing esculated permissions!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|-
| Unnamed modchip
| A modchip that exlploits the bootROMs of the Nintendo DSi. It enables code execution on both cores before boot ROM lockout.
| PoroCYon
| [https://media.ccc.de/v/37c3-11736-nintendo_hacking_2023_2008 37c3 talk], [https://icosahedron.website/@pcy/111676158956228552 video], [https://github.com/dsi-modchip/guide DIY guide]
|}

DSi exploits

2024-12-02T10:50:22Z

ChampionLeake: /* DSiWare (True DSi-Mode) Exploits */

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

== Type of exploits ==
Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.
== NTR/NDS-Mode Exploits ==
These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as ''NTR''. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[FIFA NDS]]
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| [[Bangai-O-Sploit]]
| A ''primary'' entrypoint for the game, ''Bangai-O Spirit'', on the Nintendo DS. This game was successfully exploit through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| [[NDS-ILH-Save-Exploit]]
| "I Love Horses" Nintendo DS save exploit
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| [[ABR-NDS-SaveExploit]]
| A stack smash savegame exploit for the game "Asterix Brain Trainer"
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| [[HaxxStation]]
| DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://github.com/Gericom/dspatch See Here]
|-
| [[BreakingNews]]
| A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|-
| [[NDS-FC2008-Save-Exploit]]
| A savegame exploit for the game "Führerschein Coach 2008".
| [https://github.com/toombaumarkt/ toombaumarkt]
| [https://github.com/toombaumarkt/NDS-FC2008-Save-Exploit Install]
|-
| [[WordJong-Overflow]]
| A buffer overflow exploit for the game WordJong DS (U).
| [https://github.com/Borgars/ Borgars]
| [https://github.com/Borgars/WordJong-Overflow Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==
These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as ''TWL''. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[The Biggest Losers]]
| Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| [[Cookhack]]
| DSi Cooking Coach exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[Classichack]]
| DSi Classic Word Games exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[SystemFlaaw]]
| The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare (True DSi-Mode) Exploits ==
These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions, or install a persistent exploit such as Unlaunch. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Sudokuhax]]
| One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched.
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| [[grtpwn]]
| A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| [[exidiahax]]
| A Gameloft DSiWare savegame exploit for the game, Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| [[fieldrunhax]]
| A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| [[4swordhax]]
| A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| [[Flipnote ( ͡° ͜ʖ ͡°)]] and [[ugopwn]]
| A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| [[UNO*pwn]]
| A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| [[Memory Pit]]
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit.
| shutterbug2000
| [https://github.com/ChampionLeake/BrokenPit Open-source Here]
|-
| [[petit-compwner]]
| The last string argument of interpreter command "COLSET" is not bounds checked, thus a trivial stack smash can occur if the string is overly long.
| zoogie
| [https://github.com/zoogie/petit-compwner/releases Release]
|-
| [[stylehax]]
| A primary entrypoint, using a use-after-free in Opera 9.50 (which uses WebKit under the hood).
| @0x1337cafe
| [https://github.com/nathanfarlow/stylehax Release], [https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser Writeup]
|}

== ARM7 Exploits ==
These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[RocketLauncher]]
| One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://github.com/ApacheThunder/RocketLauncher source]
|}

== Bootcode Exploits ==

These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's ''title.tmd''. At the moment, nocash's exploit, ''Unlaunch'' is the only known usable exploit.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Unlaunch]]
| Possibly one of the first bootcode exploit for the Nintendo DSi! This exploit deals with taking advantage of the launcher's "title.tmd" size as it's not checked, allowing esculated permissions!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|-
| Unnamed modchip
| A modchip that exlploits the bootROMs of the Nintendo DSi. It enables code execution on both cores before boot ROM lockout.
| PoroCYon
| [https://media.ccc.de/v/37c3-11736-nintendo_hacking_2023_2008 37c3 talk], [https://icosahedron.website/@pcy/111676158956228552 video], [https://github.com/dsi-modchip/guide DIY guide]
|}

DSi exploits

2024-11-28T03:44:33Z

ChampionLeake: /* NTR/NDS-Mode Exploits */

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

== Type of exploits ==
Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.
== NTR/NDS-Mode Exploits ==
These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as ''NTR''. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[FIFA NDS]]
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| [[Bangai-O-Sploit]]
| A ''primary'' entrypoint for the game, ''Bangai-O Spirit'', on the Nintendo DS. This game was successfully exploit through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| [[NDS-ILH-Save-Exploit]]
| "I Love Horses" Nintendo DS save exploit
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| [[ABR-NDS-SaveExploit]]
| A stack smash savegame exploit for the game "Asterix Brain Trainer"
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| [[HaxxStation]]
| DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://github.com/Gericom/dspatch See Here]
|-
| [[BreakingNews]]
| A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|-
| [[NDS-FC2008-Save-Exploit]]
| A savegame exploit for the game "Führerschein Coach 2008".
| [https://github.com/toombaumarkt/ toombaumarkt]
| [https://github.com/toombaumarkt/NDS-FC2008-Save-Exploit Install]
|-
| [[WordJong-Overflow]]
| A buffer overflow exploit for the game WordJong DS (U).
| [https://github.com/Borgars/ Borgars]
| [https://github.com/Borgars/WordJong-Overflow Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==
These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as ''TWL''. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[The Biggest Losers]]
| Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| [[Cookhack]]
| DSi Cooking Coach exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[Classichack]]
| DSi Classic Word Games exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[SystemFlaaw]]
| The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare (True DSi-Mode) Exploits ==
These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions, or install a persistent exploit such as Unlaunch. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Sudokuhax]]
| One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched.
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| [[grtpwn]]
| A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| [[exidiahax]]
| A Gameloft DSiWare savegame exploit for the game, Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| [[fieldrunhax]]
| A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| [[4swordhax]]
| A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| [[Flipnote ( ͡° ͜ʖ ͡°)]] and [[ugopwn]]
| A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| [[UNO*pwn]]
| A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| [[Memory Pit]]
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit.
| shutterbug2000, [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BrokenPit See Here]
|-
| [[petit-compwner]]
| The last string argument of interpreter command "COLSET" is not bounds checked, thus a trivial stack smash can occur if the string is overly long.
| zoogie
| [https://github.com/zoogie/petit-compwner/releases Release]
|-
| [[stylehax]]
| A primary entrypoint, using a use-after-free in Opera 9.50 (which uses WebKit under the hood).
| @0x1337cafe
| [https://github.com/nathanfarlow/stylehax Release], [https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser Writeup]
|}

== ARM7 Exploits ==
These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[RocketLauncher]]
| One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://github.com/ApacheThunder/RocketLauncher source]
|}

== Bootcode Exploits ==

These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's ''title.tmd''. At the moment, nocash's exploit, ''Unlaunch'' is the only known usable exploit.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Unlaunch]]
| Possibly one of the first bootcode exploit for the Nintendo DSi! This exploit deals with taking advantage of the launcher's "title.tmd" size as it's not checked, allowing esculated permissions!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|-
| Unnamed modchip
| A modchip that exlploits the bootROMs of the Nintendo DSi. It enables code execution on both cores before boot ROM lockout.
| PoroCYon
| [https://media.ccc.de/v/37c3-11736-nintendo_hacking_2023_2008 37c3 talk], [https://icosahedron.website/@pcy/111676158956228552 video], [https://github.com/dsi-modchip/guide DIY guide]
|}

DSiBrew:News

2020-04-01T19:43:08Z

ChampionLeake: /* News */

<noinclude>
==Adding an item==
* Log in to the wiki. Editing is disabled if you don't have an account.
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''

==Archives==
For older news, see the [[DSiBrew:News/Archive|news archive]].

=== News ===
</noinclude>
*'''1 April 20''' zoogie has released [https://github.com/zoogie/petit-compwner/releases petit-compwner], a primary exploit for the DSiWare title, "Petit Computer".
*'''27 May 19''' Shutterbug2000 has released Memory Pit, a new DSi system applet exploit for the Nintendo DSi Camera.
*'''10 April 19''' zoogie has released [https://github.com/zoogie/SystemFlaaw SystemFlaaw], the (possibly) first public DSi-Exclusive Cart exploit for the game, [https://en.wikipedia.org/wiki/System_Flaw SystemFlaw].
*'''2 March 19''' ChampionLeake released [https://github.com/ChampionLeake/UNO-pwn UNO*pwn], a UNO DSiWare exploit to support USA, EUR, and JPN region consoles.

DSiBrew:News/Archive

2020-04-01T19:41:15Z

ChampionLeake:

*'''23 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9d], even more further improvements for DSi debugging and added 3DS register specs.
*'''12 February 19''' ChampionLeake announces/teases [https://www.youtube.com/watch?v=XN4YDSVuPwQ UNO*pwn], a UNO DSiWare exploit that's coming to all regions (US, EUR, & JPN).
*'''08 February 19''' shutterbug2000 announces/teases [https://www.youtube.com/watch?v=e4Tg7JN3U2M failZone], a upcoming DSiWare System Applet exploit for Nintendo Zone DSi
*'''08 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9c], even more further improvements for DSi support.
*'''06 June 18''' WinterMute released [https://davejmurphy.com/͡-͜ʖ-͡/ FlipNote ( ͡° ͜ʖ ͡°)], a re-engineering of ugopwn to support eur/jpn & usa consoles,
*'''23 April 18''' Nocash released [https://problemkaputt.de/unlaunch.htm Unlaunch], The first ever (released) bootcode exploit for the DSi, It gives full SCFG_EXT access rights on boot.
*'''08 November 17''' shutterbug2000 re-released [https://gbatemp.net/threads/release-ugopwn.488702/ Ugopwn], a DSi homebrew exploit with NAND access (and 1.4.5 support!!) first DSi homebrew exploit in AGES
*'''23 July 17''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], further improving DSi support.
*'''02 July 17''' Apache Thunder announced [https://gbatemp.net/threads/announcing-rocketlauncher-the-first-exploit-with-unlocked-arm7.476288/ RocketLauncher], the vapourware exploit with unlocked Arm7, and also the first DSi exploit in years!
*'''01 June 15''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], allowing to run the whole DSi boot process in the emulator/debugger.
*'''11 February 15''' WinterMute released updated [http://davejmurphy.com/dsi-homebrew-redux/ dslink]. Now working with [[System Menu 1.4.5]].
*'''11 December 12''' Nintendo released [[System Menu 1.4.5]].*'''25 August 11''' Team Twiizers released the final [http://hackmii.com/2011/08/final-dsiwarehax/ DSiWareHax].
*'''29 June 11''' Nintendo released [[System Menu 1.4.3]] in all regions, blocking flash-cards.
*'''10 May 11''' Nintendo released a new system update, [[System Menu 1.4.2#Global_Update|System Menu 1.4.2]], globally. This blocks flash cards, and [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ blocks] copying all current and future DSiWare exploits to "internal memory".(A final Sudokuhax update will be [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ released] at same time as the final DSiWareHax mentioned in that post)
*'''24 March 11''' An updated USA Sudoku was [http://hackmii.com/2011/01/sudokuhax-release/ released], which fixed all Sudoku string bugs. On roughly March 30 2011, EUR Sudoku was updated.
*'''28 January 11''' 19 and 24 hours after the Sudokuhax release Nintendo [http://hackmii.com/2011/01/sudokuhax-release/ removed] EA's Sudoku from the EUR/AU and USA DSi Shop.
*'''27 January 11''' Team Twiizers released DSiWare exploit [http://hackmii.com/2011/01/sudokuhax-release/ Sudokuhax], loads full DSi-mode homebrew from SD card.

*'''14 January 11''' The DSi Common key has been disclosed to the public. Please do not post it here.

*'''07 September 10''' Nintendo released [[System Menu 1.4.1]] in all regions except China where [[System Menu 1.4.2]] was released instead. This update blocks some flashcards.
*'''25 August 10''' Dave J Murphy (WinterMute) released DSi Link, allowing running larger DSi mode homebrew binaries [http://davejmurphy.com/dsi-mode-homebrew-anyone/]
*'''9 February 10''' Nintendo has released an update for the DSi System. The DSi [[Nintendo Zone]] client was updated to version 3.0, but the system still runs on [[System Menu 1.4]]. No other changes have been identified.
*'''3 August 09''' Nintendo has released [[System Menu 1.4]] in every supported country.
*'''2 August 09''' The Drunken Coders [http://drunkencoders.com/2009/08/dsi-hack-update/ have released] the exploit they are using to run unsigned code in DSi mode.
*'''9 July 09:''' Team Twiizers successfully ran DSi-Mode Homebrew. More details can be found over at [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/ HackMii]
*'''25 June 09:''' Voting has begun for the [[DSiBrew:Contests|DSiBrew logo]] contest! Please cast your vote '''[[DSiBrew talk:Contests#Voting time!|here]]'''.
*'''8 June 09:''' The [[DSiBrew:Contests|DSiBrew logo]] contest is now closed to submissions.
*'''12 April 09:''' A [[DSiBrew:Contests|DSiBrew logo]] contest has started.
*'''5 April 09:''' The Nintendo DSi has been released in North America.
*'''3 April 09:''' Nintendo has released [[System Update 1.3]]. DSi Shop is accessible. All DSi flashcarts still work. Added a button to start DSi Camera application when pressing L or R.
*'''3 April 09:''' The Nintendo DSi has been released in Europe.
*'''2 April 09:''' The Nintendo DSi has been released in Australia.
*'''19 February 09:''' [http://nintendo.co.uk/NOE/en_GB/news/2008/nintendo_dsi_arrives_in_europe_on_3_april_2009_11627.html Nintendo of Europe] and [http://www.nintendo.com/whatsnew/detail/Q5D4ti_bPqJO_I0Oup0AMFudaUOLz6C7 Nintendo of America] have announced that the DSi will be released on April 3 in Europe and April 5 in North America.
* '''25 January 09 ''': [[User:Bushing|Bushing]] from [http://www.hackmii.com Hackmii] created this wiki as a spinoff of the [http://wiibrew.org/wiki/Main_Page WiiBrew wiki].

DSi exploits

2020-04-01T17:48:00Z

ChampionLeake: /* DSiWare(True DSi-Mode) Exploits */

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

== Type of exploits ==
Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.
== NTR/NDS-Mode Exploits ==
These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as ''NTR''. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| FIFA NDS
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| Bangai-O-Sploit
| A ''primary'' entrypoint for the game, ''Bangai-O Spirit'', on the Nintendo DS. This game was successfully exploit through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| NDS-ILH-Save-Exploit
| "I Love Horses" Nintendo DS save exploit
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| ABR-NDS-SaveExploit
| A stack smash savegame exploit for the game "Asterix Brain Trainer"
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| HaxxStation
| DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://gbatemp.net/threads/haxxstation-ds-download-station-exploit.473648/ See Here]
|-
| BreakingNews
| A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==
These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as ''TWL''. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| The Biggest Losers
| Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| Cookhack
| DSi Cooking Coach exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| Classichack
| DSi Classic Word Games exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| SystemFlaaw
| The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare(True DSi-Mode) Exploits ==
These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| Sudokuhax
| One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched.
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| grtpwn
| A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| exidiahax
| A Gameloft DSiWare savegame exploit for the game, Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| fieldrunhax
| A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| 4swordhax
| A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| Flipnote( ͡° ͜ʖ ͡°) or ugopwn
| A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| UNO*pwn
| A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| MemoryPit
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit.
| shutterbug2000
| [https://gbatemp.net/threads/memory-pit-a-new-dsi-exploit-for-dsi-camera.539432/ See Here]
|-
| petit-compwner
| The last string argument of interpreter command "COLSET" is not bounds checked, thus a trivial stack smash can occur if the string is overly long.
| zoogie
| [https://github.com/zoogie/petit-compwner/releases Release]
|}

== ARM7 Exploits ==
These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| RocketLauncher
| One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://gbatemp.net/threads/announcing-rocketlauncher-the-first-exploit-with-unlocked-arm7.476288/ Writeup]
|}

== Bootcode Exploits: ==
These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's ''title.tmd''. At the moment, nocash's exploit, ''Unlaunch'' is the only known exploit.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| Unlaunch
| Possibly one of the first bootcode exploit for the Nintendo DSi! This exploit deals with taking advantage of the launcher's "title.tmd" size as it's not checked, allowing esculated permissions!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|}

== DSi-mode exploits ==
Team Twiizers released a DSi-mode exploit called [[Sudokuhax]] that loads homebrew from the SD card in DSi-mode. The exploit requires that you have purchased EA's Sudoku game. More details and download: [http://hackmii.com/2011/01/sudokuhax-release/]. Additionally more DSiWare savegame exploits were released for the last time: [http://hackmii.com/2011/08/final-dsiwarehax/]. Copying these savegame exploits to NAND via system settings is [[System_Menu_1.4.2#Global_Update|blocked]] on the latest system version.

shutterbug2000 has created an exploit for Flipnote Studio, which uses a modified flipnote that you have to paste 122 times exactly. The exploit can be used with fwtool to downgrade the dsi to be able to use [[Sudokuhax]] or things like it. wintermute and fincs simple 1 paste exploit can be found here [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/].

ChampionLeake has released an exploit for UNO, a regular DSiWare savegame exploit. Instructions to installing the exploit are here: [https://github.com/ChampionLeake/UNO-pwn#installing-unopwn]

The source of the majority of the old dsiware exploits can be found on yellows8's github page [https://github.com/yellows8/dsi]

An incomplete list of all DSi exploits are here: [[List of DSi Exploits]]

== DSi Enhanced exploits ==
Team Twiizers also have found a DSi-mode exploit in cooking coach and have managed to use it to run DSi-mode homebrew. However it has not yet been released. More details at: [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.

Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://davejmurphy.com/dslink/]

The cooking coach and classic word games savegame exploits are [[System_Menu_1.4.4|blocked]] on the latest system version. Therefore, the only way to get DSi-mode homebrew running with the latest system version, is with a hardware workaround for the blocked DSi-mode gamecard exploits. Additionally, one could solder the NAND [[Hardware#NAND_pinout|pins]] to a MMC reader/writer, then extract dev.kp for DSiWareHax.

It is also possible for homebrew to be loaded through an Action Replay DSi flashcart. If an nds file is saved onto a micro SD card, and then that micro SD is inserted into the Action Replay, the file can be executed by going to the Files menu.

New flipnote studio lennyface exploit released allowing someone to run the new custom firmware Hiya CFW allowing people to run homeprew software from their SD card.

== DS-mode exploits ==

This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.

Gericom has exploited the "DS Download Station" application which works on all DS family consoles. Runs commercial homebrew via download station. [https://gbatemp.net/threads/haxxstation-ds-download-station-exploit.473648/ Here] you can have the details about it.

Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].

== List of ideas for exploitation/hacking of the latest DSi system version ==
Rules

→Do not remove ideas, only add

→Do not delete this section

→If your idea is 'Epic' mark it with * [only do this if it will certainly work]

→You must research whether your idea will work or not

Just an idea, but couldn't we make a .gif file that Flipnote could read, then the GIF could crash Flipnote and somehow load up the DSi homebrew?

We could try to connect to the DSi using the DS Download Play software, like the Wii and other DS can? I suggest connecting a PC via Bluetooth, push over an exploit program and run it.--[[User:Bernd L|Bernd L]] 16:18, 21 February 2017 (CET)
: [[User:Bernd L|Bernd L]] Long time, no answer. "Don't worry, there will be an exploit coming soon for Flipnote Studio/DSi Browser that will allow you to downgrade to 1.4." [[User:Abequinn|Abequinn]] 23:46, 14 August 2017 (CEST)

DSi exploits

2020-03-23T01:44:07Z

ChampionLeake: /* Bootcode Exploits: */

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

== Type of exploits ==
Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.
== NTR/NDS-Mode Exploits ==
These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as ''NTR''. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| FIFA NDS
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| Bangai-O-Sploit
| A ''primary'' entrypoint for the game, ''Bangai-O Spirit'', on the Nintendo DS. This game was successfully exploit through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| NDS-ILH-Save-Exploit
| "I Love Horses" Nintendo DS save exploit
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| ABR-NDS-SaveExploit
| A stack smash savegame exploit for the game "Asterix Brain Trainer"
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| HaxxStation
| DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://gbatemp.net/threads/haxxstation-ds-download-station-exploit.473648/ See Here]
|-
| BreakingNews
| A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==
These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as ''TWL''. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| The Biggest Losers
| Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| Cookhack
| DSi Cooking Coach exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| Classichack
| DSi Classic Word Games exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| SystemFlaaw
| The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare(True DSi-Mode) Exploits ==
These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| Sudokuhax
| One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched.
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| grtpwn
| A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| exidiahax
| A Gameloft DSiWare savegame exploit for the game, Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| fieldrunhax
| A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| 4swordhax
| A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| Flipnote( ͡° ͜ʖ ͡°) or ugopwn
| A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| UNO*pwn
| A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| MemoryPit
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit.
| shutterbug2000
| [https://gbatemp.net/threads/memory-pit-a-new-dsi-exploit-for-dsi-camera.539432/ See Here]
|}

== ARM7 Exploits ==
These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| RocketLauncher
| One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://gbatemp.net/threads/announcing-rocketlauncher-the-first-exploit-with-unlocked-arm7.476288/ Writeup]
|}

== Bootcode Exploits: ==
These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's ''title.tmd''. At the moment, nocash's exploit, ''Unlaunch'' is the only known exploit.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| Unlaunch
| Possibly one of the first bootcode exploit for the Nintendo DSi! This exploit deals with taking advantage of the launcher's "title.tmd" size as it's not checked, allowing esculated permissions!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|}

== DSi-mode exploits ==
Team Twiizers released a DSi-mode exploit called [[Sudokuhax]] that loads homebrew from the SD card in DSi-mode. The exploit requires that you have purchased EA's Sudoku game. More details and download: [http://hackmii.com/2011/01/sudokuhax-release/]. Additionally more DSiWare savegame exploits were released for the last time: [http://hackmii.com/2011/08/final-dsiwarehax/]. Copying these savegame exploits to NAND via system settings is [[System_Menu_1.4.2#Global_Update|blocked]] on the latest system version.

shutterbug2000 has created an exploit for Flipnote Studio, which uses a modified flipnote that you have to paste 122 times exactly. The exploit can be used with fwtool to downgrade the dsi to be able to use [[Sudokuhax]] or things like it. wintermute and fincs simple 1 paste exploit can be found here [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/].

ChampionLeake has released an exploit for UNO, a regular DSiWare savegame exploit. Instructions to installing the exploit are here: [https://github.com/ChampionLeake/UNO-pwn#installing-unopwn]

The source of the majority of the old dsiware exploits can be found on yellows8's github page [https://github.com/yellows8/dsi]

An incomplete list of all DSi exploits are here: [[List of DSi Exploits]]

== DSi Enhanced exploits ==
Team Twiizers also have found a DSi-mode exploit in cooking coach and have managed to use it to run DSi-mode homebrew. However it has not yet been released. More details at: [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.

Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://davejmurphy.com/dslink/]

The cooking coach and classic word games savegame exploits are [[System_Menu_1.4.4|blocked]] on the latest system version. Therefore, the only way to get DSi-mode homebrew running with the latest system version, is with a hardware workaround for the blocked DSi-mode gamecard exploits. Additionally, one could solder the NAND [[Hardware#NAND_pinout|pins]] to a MMC reader/writer, then extract dev.kp for DSiWareHax.

It is also possible for homebrew to be loaded through an Action Replay DSi flashcart. If an nds file is saved onto a micro SD card, and then that micro SD is inserted into the Action Replay, the file can be executed by going to the Files menu.

New flipnote studio lennyface exploit released allowing someone to run the new custom firmware Hiya CFW allowing people to run homeprew software from their SD card.

== DS-mode exploits ==

This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.

Gericom has exploited the "DS Download Station" application which works on all DS family consoles. Runs commercial homebrew via download station. [https://gbatemp.net/threads/haxxstation-ds-download-station-exploit.473648/ Here] you can have the details about it.

Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].

== List of ideas for exploitation/hacking of the latest DSi system version ==
Rules

→Do not remove ideas, only add

→Do not delete this section

→If your idea is 'Epic' mark it with * [only do this if it will certainly work]

→You must research whether your idea will work or not

Just an idea, but couldn't we make a .gif file that Flipnote could read, then the GIF could crash Flipnote and somehow load up the DSi homebrew?

We could try to connect to the DSi using the DS Download Play software, like the Wii and other DS can? I suggest connecting a PC via Bluetooth, push over an exploit program and run it.--[[User:Bernd L|Bernd L]] 16:18, 21 February 2017 (CET)
: [[User:Bernd L|Bernd L]] Long time, no answer. "Don't worry, there will be an exploit coming soon for Flipnote Studio/DSi Browser that will allow you to downgrade to 1.4." [[User:Abequinn|Abequinn]] 23:46, 14 August 2017 (CEST)

DSi exploits

2020-03-23T01:41:40Z

ChampionLeake: /* Type of exploits */

This page is dedicated to the listing of exploits for the Nintendo DSi. Anyone may contribute to this list. This page my not, however be deleted in any way, this ensures that that development of this page is not slowed down. Due to the fact that this page has not changed for over a year due to resets, no more resets.

== Type of exploits ==
Here is a general list of all the different types/terms of exploits to know. This is to know the differences of each exploit.
== NTR/NDS-Mode Exploits ==
These are ARM9 exploits that takes over a NDS-mode cartridge. These cartridges (on the back) are labeled as ''NTR''. These type of exploits are very limited since there's no SD or NAND access. They can be used to run a small binary payload making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| FIFA NDS
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| Bangai-O-Sploit
| A ''primary'' entrypoint for the game, ''Bangai-O Spirit'', on the Nintendo DS. This game was successfully exploit through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| NDS-ILH-Save-Exploit
| "I Love Horses" Nintendo DS save exploit
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| ABR-NDS-SaveExploit
| A stack smash savegame exploit for the game "Asterix Brain Trainer"
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| HaxxStation
| DS Download Station exploit, allowing one to run any commercial homebrew over from the DS download play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://gbatemp.net/threads/haxxstation-ds-download-station-exploit.473648/ See Here]
|-
| BreakingNews
| A stack smash savegame exploit for the game "The New York Times: Crossword" resulting from stack buffer overflow (profile slot names).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==
These are ARM9 exploits that take over a enhanced DSi-mode cartridge. These cartridges (on the back) are labeled as ''TWL''. Unfortunately they don't have SD or NAND access but can be used to gather console information and maybe find other vulnerabilities. These exploits can also be used for dslink, which can load homebrew applications via internet connections.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| The Biggest Losers
| Exploit for The Biggest Loser which runs in DSi mode if you use a real cartridge on a DSi or 3DS system, otherwise, it runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| Cookhack
| DSi Cooking Coach exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| Classichack
| DSi Classic Word Games exploit
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| SystemFlaaw
| The first DSi exclusive cartridge title to be exploited for the game, SystemFlaw
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare(True DSi-Mode) Exploits ==
These are ARM9 exploits that take over a DSiWare title. They run in the same context that the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to older versions. You can also run commercial homebrew applications from the SD card. However this doesn't allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| Sudokuhax
| One of the first DSiWare exploits for the Nintendo DSi on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit as it was patched.
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| grtpwn
| A Gameloft DSiWare savegame exploit for the game, Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| exidiahax
| A Gameloft DSiWare savegame exploit for the game, Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| fieldrunhax
| A Subatomic Studios DSiWare savegame exploit for the game, FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| 4swordhax
| A DSiWare savegame exploit for the game, The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| Flipnote( ͡° ͜ʖ ͡°) or ugopwn
| A Primary entrypoint for the DSiWare Application, Flipnote Studio! This exploit was first exploit by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| UNO*pwn
| A DSiWare savegame exploit for the game, UNO, that involves a simple stack buffer overflow within the player's username with the settings functionality of the game!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| MemoryPit
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD Card to use this exploit.
| shutterbug2000
| [https://gbatemp.net/threads/memory-pit-a-new-dsi-exploit-for-dsi-camera.539432/ See Here]
|}

== ARM7 Exploits ==
These exploits take over the ARM7 processor. In the DSi, these processor handles critical operations and cryptography operations, among other things. These exploits are extremely rare and there's no concrete targets. The DSi menu (The Launcher) is known to run in the ARM7 context. At the moment there's only one exploit known as RocketLauncher. These exploits allow FULL ACCESS with the DSi launcher.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| RocketLauncher
| One of the first ever unlocked ARM7 DSi exploit involving the DS Cart White list in secton 3. This exploit only works on firmwares v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://gbatemp.net/threads/announcing-rocketlauncher-the-first-exploit-with-unlocked-arm7.476288/ Writeup]
|}

== Bootcode Exploits: ==
These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before starting the launcher). These exploits are significantly rare and concrete targets can be the launcher's ''title.tmd''. At the moment, nocash's exploit, ''Unlaunch'' is the only known exploit.
{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| Unlaunch
| Possibly one of the first bootcode exploit for the Nintendo DSi!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|}

== DSi-mode exploits ==
Team Twiizers released a DSi-mode exploit called [[Sudokuhax]] that loads homebrew from the SD card in DSi-mode. The exploit requires that you have purchased EA's Sudoku game. More details and download: [http://hackmii.com/2011/01/sudokuhax-release/]. Additionally more DSiWare savegame exploits were released for the last time: [http://hackmii.com/2011/08/final-dsiwarehax/]. Copying these savegame exploits to NAND via system settings is [[System_Menu_1.4.2#Global_Update|blocked]] on the latest system version.

shutterbug2000 has created an exploit for Flipnote Studio, which uses a modified flipnote that you have to paste 122 times exactly. The exploit can be used with fwtool to downgrade the dsi to be able to use [[Sudokuhax]] or things like it. wintermute and fincs simple 1 paste exploit can be found here [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/].

ChampionLeake has released an exploit for UNO, a regular DSiWare savegame exploit. Instructions to installing the exploit are here: [https://github.com/ChampionLeake/UNO-pwn#installing-unopwn]

The source of the majority of the old dsiware exploits can be found on yellows8's github page [https://github.com/yellows8/dsi]

An incomplete list of all DSi exploits are here: [[List of DSi Exploits]]

== DSi Enhanced exploits ==
Team Twiizers also have found a DSi-mode exploit in cooking coach and have managed to use it to run DSi-mode homebrew. However it has not yet been released. More details at: [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/] The additional hardware is just required to get a connection to a computer so that things like ram dumps can be created.

Wintermute has made available an open source DSi hack. The exploit works on DSi enhanced games, allowing you to run custom code from a save file. Instructions for using the exploit can be found here: [http://davejmurphy.com/dslink/]

The cooking coach and classic word games savegame exploits are [[System_Menu_1.4.4|blocked]] on the latest system version. Therefore, the only way to get DSi-mode homebrew running with the latest system version, is with a hardware workaround for the blocked DSi-mode gamecard exploits. Additionally, one could solder the NAND [[Hardware#NAND_pinout|pins]] to a MMC reader/writer, then extract dev.kp for DSiWareHax.

It is also possible for homebrew to be loaded through an Action Replay DSi flashcart. If an nds file is saved onto a micro SD card, and then that micro SD is inserted into the Action Replay, the file can be executed by going to the Files menu.

New flipnote studio lennyface exploit released allowing someone to run the new custom firmware Hiya CFW allowing people to run homeprew software from their SD card.

== DS-mode exploits ==

This type of exploit is undesirable because all DSi functionality, such as usage of the [[cameras]], is unavailable to homebrew.

Gericom has exploited the "DS Download Station" application which works on all DS family consoles. Runs commercial homebrew via download station. [https://gbatemp.net/threads/haxxstation-ds-download-station-exploit.473648/ Here] you can have the details about it.

Blasteh (Blasty) has posted a [http://www.youtube.com/watch?v=7QHO7ctWuZ8 video on Youtube] showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 Fifa '08].

== List of ideas for exploitation/hacking of the latest DSi system version ==
Rules

→Do not remove ideas, only add

→Do not delete this section

→If your idea is 'Epic' mark it with * [only do this if it will certainly work]

→You must research whether your idea will work or not

Just an idea, but couldn't we make a .gif file that Flipnote could read, then the GIF could crash Flipnote and somehow load up the DSi homebrew?

We could try to connect to the DSi using the DS Download Play software, like the Wii and other DS can? I suggest connecting a PC via Bluetooth, push over an exploit program and run it.--[[User:Bernd L|Bernd L]] 16:18, 21 February 2017 (CET)
: [[User:Bernd L|Bernd L]] Long time, no answer. "Don't worry, there will be an exploit coming soon for Flipnote Studio/DSi Browser that will allow you to downgrade to 1.4." [[User:Abequinn|Abequinn]] 23:46, 14 August 2017 (CEST)

DSiBrew:News/Archive

2019-05-27T16:59:10Z

ChampionLeake:

*'''12 February 19''' ChampionLeake announces/teases [https://www.youtube.com/watch?v=XN4YDSVuPwQ UNO*pwn], a UNO DSiWare exploit that's coming to all regions (US, EUR, & JPN).
*'''08 February 19''' shutterbug2000 announces/teases [https://www.youtube.com/watch?v=e4Tg7JN3U2M failZone], a upcoming DSiWare System Applet exploit for Nintendo Zone DSi
*'''08 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9c], even more further improvements for DSi support.
*'''06 June 18''' WinterMute released [https://davejmurphy.com/͡-͜ʖ-͡/ FlipNote ( ͡° ͜ʖ ͡°)], a re-engineering of ugopwn to support eur/jpn & usa consoles,
*'''23 April 18''' Nocash released [https://problemkaputt.de/unlaunch.htm Unlaunch], The first ever (released) bootcode exploit for the DSi, It gives full SCFG_EXT access rights on boot.
*'''08 November 17''' shutterbug2000 re-released [https://gbatemp.net/threads/release-ugopwn.488702/ Ugopwn], a DSi homebrew exploit with NAND access (and 1.4.5 support!!) first DSi homebrew exploit in AGES
*'''23 July 17''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], further improving DSi support.
*'''02 July 17''' Apache Thunder announced [https://gbatemp.net/threads/announcing-rocketlauncher-the-first-exploit-with-unlocked-arm7.476288/ RocketLauncher], the vapourware exploit with unlocked Arm7, and also the first DSi exploit in years!
*'''01 June 15''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], allowing to run the whole DSi boot process in the emulator/debugger.
*'''11 February 15''' WinterMute released updated [http://davejmurphy.com/dsi-homebrew-redux/ dslink]. Now working with [[System Menu 1.4.5]].
*'''11 December 12''' Nintendo released [[System Menu 1.4.5]].*'''25 August 11''' Team Twiizers released the final [http://hackmii.com/2011/08/final-dsiwarehax/ DSiWareHax].
*'''29 June 11''' Nintendo released [[System Menu 1.4.3]] in all regions, blocking flash-cards.
*'''10 May 11''' Nintendo released a new system update, [[System Menu 1.4.2#Global_Update|System Menu 1.4.2]], globally. This blocks flash cards, and [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ blocks] copying all current and future DSiWare exploits to "internal memory".(A final Sudokuhax update will be [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ released] at same time as the final DSiWareHax mentioned in that post)
*'''24 March 11''' An updated USA Sudoku was [http://hackmii.com/2011/01/sudokuhax-release/ released], which fixed all Sudoku string bugs. On roughly March 30 2011, EUR Sudoku was updated.
*'''28 January 11''' 19 and 24 hours after the Sudokuhax release Nintendo [http://hackmii.com/2011/01/sudokuhax-release/ removed] EA's Sudoku from the EUR/AU and USA DSi Shop.
*'''27 January 11''' Team Twiizers released DSiWare exploit [http://hackmii.com/2011/01/sudokuhax-release/ Sudokuhax], loads full DSi-mode homebrew from SD card.

*'''14 January 11''' The DSi Common key has been disclosed to the public. Please do not post it here.

*'''07 September 10''' Nintendo released [[System Menu 1.4.1]] in all regions except China where [[System Menu 1.4.2]] was released instead. This update blocks some flashcards.
*'''25 August 10''' Dave J Murphy (WinterMute) released DSi Link, allowing running larger DSi mode homebrew binaries [http://davejmurphy.com/dsi-mode-homebrew-anyone/]
*'''9 February 10''' Nintendo has released an update for the DSi System. The DSi [[Nintendo Zone]] client was updated to version 3.0, but the system still runs on [[System Menu 1.4]]. No other changes have been identified.
*'''3 August 09''' Nintendo has released [[System Menu 1.4]] in every supported country.
*'''2 August 09''' The Drunken Coders [http://drunkencoders.com/2009/08/dsi-hack-update/ have released] the exploit they are using to run unsigned code in DSi mode.
*'''9 July 09:''' Team Twiizers successfully ran DSi-Mode Homebrew. More details can be found over at [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/ HackMii]
*'''25 June 09:''' Voting has begun for the [[DSiBrew:Contests|DSiBrew logo]] contest! Please cast your vote '''[[DSiBrew talk:Contests#Voting time!|here]]'''.
*'''8 June 09:''' The [[DSiBrew:Contests|DSiBrew logo]] contest is now closed to submissions.
*'''12 April 09:''' A [[DSiBrew:Contests|DSiBrew logo]] contest has started.
*'''5 April 09:''' The Nintendo DSi has been released in North America.
*'''3 April 09:''' Nintendo has released [[System Update 1.3]]. DSi Shop is accessible. All DSi flashcarts still work. Added a button to start DSi Camera application when pressing L or R.
*'''3 April 09:''' The Nintendo DSi has been released in Europe.
*'''2 April 09:''' The Nintendo DSi has been released in Australia.
*'''19 February 09:''' [http://nintendo.co.uk/NOE/en_GB/news/2008/nintendo_dsi_arrives_in_europe_on_3_april_2009_11627.html Nintendo of Europe] and [http://www.nintendo.com/whatsnew/detail/Q5D4ti_bPqJO_I0Oup0AMFudaUOLz6C7 Nintendo of America] have announced that the DSi will be released on April 3 in Europe and April 5 in North America.
* '''25 January 09 ''': [[User:Bushing|Bushing]] from [http://www.hackmii.com Hackmii] created this wiki as a spinoff of the [http://wiibrew.org/wiki/Main_Page WiiBrew wiki].

DSiBrew:News

2019-05-27T16:59:01Z

ChampionLeake: /* News */

<noinclude>
==Adding an item==
* Log in to the wiki. Editing is disabled if you don't have an account.
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''

==Archives==
For older news, see the [[DSiBrew:News/Archive|news archive]].

=== News ===
</noinclude>
*'''27 May 19''' Shutterbug2000 has released [https://gbatemp.net/threads/memory-pit-a-new-dsi-exploit-for-dsi-camera.539432/ Memory Pit], a new DSi system applet exploit for the Nintendo DSi Camera.
*'''10 April 19''' zoogie has released [https://github.com/zoogie/SystemFlaaw SystemFlaaw], the (possibly) first public DSi-Exclusive Cart exploit for the game, [https://en.wikipedia.org/wiki/System_Flaw SystemFlaw].
*'''2 March 19''' ChampionLeake released [https://github.com/ChampionLeake/UNO-pwn UNO*pwn], a UNO DSiWare exploit to support USA, EUR, and JPN region consoles.
*'''23 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9d], even more further improvements for DSi debugging and added 3DS register specs.

DSi exploits

2019-05-16T16:10:30Z

ChampionLeake: /* DSi-mode exploits */

DSi exploits

2019-05-16T16:06:40Z

ChampionLeake: /* Type of exploits */

DSiBrew:News

2019-04-21T02:36:31Z

ChampionLeake: /* News */

<noinclude>
==Adding an item==
* Log in to the wiki. Editing is disabled if you don't have an account.
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''

==Archives==
For older news, see the [[DSiBrew:News/Archive|news archive]].

=== News ===
</noinclude>
*'''10 April 19''' zoogie has released [https://github.com/zoogie/SystemFlaaw SystemFlaaw], the (possibly) first public DSi-Exclusive Cart exploit for the game, [https://en.wikipedia.org/wiki/System_Flaw SystemFlaw].
*'''2 March 19''' ChampionLeake released [https://github.com/ChampionLeake/UNO-pwn UNO*pwn], a UNO DSiWare exploit to support USA, EUR, and JPN region consoles.
*'''23 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9d], even more further improvements for DSi debugging and added 3DS register specs.
*'''12 February 19''' ChampionLeake announces/teases [https://www.youtube.com/watch?v=XN4YDSVuPwQ UNO*pwn], a UNO DSiWare exploit that's coming to all regions (US, EUR, & JPN).

DSiBrew:News/Archive

2019-04-10T20:49:11Z

ChampionLeake:

*'''08 February 19''' shutterbug2000 announces/teases [https://www.youtube.com/watch?v=e4Tg7JN3U2M failZone], a upcoming DSiWare System Applet exploit for Nintendo Zone DSi
*'''08 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9c], even more further improvements for DSi support.
*'''06 June 18''' WinterMute released [https://davejmurphy.com/͡-͜ʖ-͡/ FlipNote ( ͡° ͜ʖ ͡°)], a re-engineering of ugopwn to support eur/jpn & usa consoles,
*'''23 April 18''' Nocash released [https://problemkaputt.de/unlaunch.htm Unlaunch], The first ever (released) bootcode exploit for the DSi, It gives full SCFG_EXT access rights on boot.
*'''08 November 17''' shutterbug2000 re-released [https://gbatemp.net/threads/release-ugopwn.488702/ Ugopwn], a DSi homebrew exploit with NAND access (and 1.4.5 support!!) first DSi homebrew exploit in AGES
*'''23 July 17''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], further improving DSi support.
*'''02 July 17''' Apache Thunder announced [https://gbatemp.net/threads/announcing-rocketlauncher-the-first-exploit-with-unlocked-arm7.476288/ RocketLauncher], the vapourware exploit with unlocked Arm7, and also the first DSi exploit in years!
*'''01 June 15''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], allowing to run the whole DSi boot process in the emulator/debugger.
*'''11 February 15''' WinterMute released updated [http://davejmurphy.com/dsi-homebrew-redux/ dslink]. Now working with [[System Menu 1.4.5]].
*'''11 December 12''' Nintendo released [[System Menu 1.4.5]].*'''25 August 11''' Team Twiizers released the final [http://hackmii.com/2011/08/final-dsiwarehax/ DSiWareHax].
*'''29 June 11''' Nintendo released [[System Menu 1.4.3]] in all regions, blocking flash-cards.
*'''10 May 11''' Nintendo released a new system update, [[System Menu 1.4.2#Global_Update|System Menu 1.4.2]], globally. This blocks flash cards, and [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ blocks] copying all current and future DSiWare exploits to "internal memory".(A final Sudokuhax update will be [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ released] at same time as the final DSiWareHax mentioned in that post)
*'''24 March 11''' An updated USA Sudoku was [http://hackmii.com/2011/01/sudokuhax-release/ released], which fixed all Sudoku string bugs. On roughly March 30 2011, EUR Sudoku was updated.
*'''28 January 11''' 19 and 24 hours after the Sudokuhax release Nintendo [http://hackmii.com/2011/01/sudokuhax-release/ removed] EA's Sudoku from the EUR/AU and USA DSi Shop.
*'''27 January 11''' Team Twiizers released DSiWare exploit [http://hackmii.com/2011/01/sudokuhax-release/ Sudokuhax], loads full DSi-mode homebrew from SD card.

*'''14 January 11''' The DSi Common key has been disclosed to the public. Please do not post it here.

*'''07 September 10''' Nintendo released [[System Menu 1.4.1]] in all regions except China where [[System Menu 1.4.2]] was released instead. This update blocks some flashcards.
*'''25 August 10''' Dave J Murphy (WinterMute) released DSi Link, allowing running larger DSi mode homebrew binaries [http://davejmurphy.com/dsi-mode-homebrew-anyone/]
*'''9 February 10''' Nintendo has released an update for the DSi System. The DSi [[Nintendo Zone]] client was updated to version 3.0, but the system still runs on [[System Menu 1.4]]. No other changes have been identified.
*'''3 August 09''' Nintendo has released [[System Menu 1.4]] in every supported country.
*'''2 August 09''' The Drunken Coders [http://drunkencoders.com/2009/08/dsi-hack-update/ have released] the exploit they are using to run unsigned code in DSi mode.
*'''9 July 09:''' Team Twiizers successfully ran DSi-Mode Homebrew. More details can be found over at [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/ HackMii]
*'''25 June 09:''' Voting has begun for the [[DSiBrew:Contests|DSiBrew logo]] contest! Please cast your vote '''[[DSiBrew talk:Contests#Voting time!|here]]'''.
*'''8 June 09:''' The [[DSiBrew:Contests|DSiBrew logo]] contest is now closed to submissions.
*'''12 April 09:''' A [[DSiBrew:Contests|DSiBrew logo]] contest has started.
*'''5 April 09:''' The Nintendo DSi has been released in North America.
*'''3 April 09:''' Nintendo has released [[System Update 1.3]]. DSi Shop is accessible. All DSi flashcarts still work. Added a button to start DSi Camera application when pressing L or R.
*'''3 April 09:''' The Nintendo DSi has been released in Europe.
*'''2 April 09:''' The Nintendo DSi has been released in Australia.
*'''19 February 09:''' [http://nintendo.co.uk/NOE/en_GB/news/2008/nintendo_dsi_arrives_in_europe_on_3_april_2009_11627.html Nintendo of Europe] and [http://www.nintendo.com/whatsnew/detail/Q5D4ti_bPqJO_I0Oup0AMFudaUOLz6C7 Nintendo of America] have announced that the DSi will be released on April 3 in Europe and April 5 in North America.
* '''25 January 09 ''': [[User:Bushing|Bushing]] from [http://www.hackmii.com Hackmii] created this wiki as a spinoff of the [http://wiibrew.org/wiki/Main_Page WiiBrew wiki].

DSiBrew:News

2019-04-10T20:46:42Z

ChampionLeake: /* News */

<noinclude>
==Adding an item==
* Log in to the wiki. Editing is disabled if you don't have an account.
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''

==Archives==
For older news, see the [[DSiBrew:News/Archive|news archive]].

=== News ===
</noinclude>
*'''10 April 19''' zoogie has released [https://https://github.com/zoogie/SystemFlaaw SystemFlaaw], the (possibly) first public DSi-Exclusive Cart exploit for the game, [https://en.wikipedia.org/wiki/System_Flaw SystemFlaw].
*'''2 March 19''' ChampionLeake released [https://github.com/ChampionLeake/UNO-pwn UNO*pwn], a UNO DSiWare exploit to support USA, EUR, and JPN region consoles.
*'''23 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9d], even more further improvements for DSi debugging and added 3DS register specs.
*'''12 February 19''' ChampionLeake announces/teases [https://www.youtube.com/watch?v=XN4YDSVuPwQ UNO*pwn], a UNO DSiWare exploit that's coming to all regions (US, EUR, & JPN).

DSiWare VulnList

2019-03-31T01:09:03Z

ChampionLeake: /* Total listed DSiWare */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 16
|-
| Done
| 27
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Jelly Car 2
| High Score name
| None
| Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Fieldrunners
| High-Scores
| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Guitar Rock Tour
| High-Scores
| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
| Legends of Exidia
| Player name
| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| The Legend of Zelda: Four Swords Anniversary
| Savedata filesize
| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
| UNO
| Profile names
| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2019-03-31T01:08:30Z

ChampionLeake: /* DSiWare with incomplete analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 15
|-
| Done
| 27
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Jelly Car 2
| High Score name
| None
| Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Fieldrunners
| High-Scores
| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Guitar Rock Tour
| High-Scores
| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
| Legends of Exidia
| Player name
| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| The Legend of Zelda: Four Swords Anniversary
| Savedata filesize
| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
| UNO
| Profile names
| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiBrew:News

2019-03-03T17:14:54Z

ChampionLeake: /* News */

<noinclude>
==Adding an item==
* Log in to the wiki. Editing is disabled if you don't have an account.
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''

==Archives==
For older news, see the [[DSiBrew:News/Archive|news archive]].

=== News ===
</noinclude>
*'''2 March 19''' ChampionLeake released [https://github.com/ChampionLeake/UNO-pwn UNO*pwn], a UNO DSiWare exploit to support USA, EUR, and JPN region consoles.
*'''23 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9d], even more further improvements for DSi debugging and added 3DS register specs.
*'''12 February 19''' ChampionLeake announces/teases [https://www.youtube.com/watch?v=XN4YDSVuPwQ UNO*pwn], a UNO DSiWare exploit that's coming to all regions (US, EUR, & JPN).
*'''08 February 19''' shutterbug2000 announces/teases [https://www.youtube.com/watch?v=e4Tg7JN3U2M failZone], a upcoming DSiWare System Applet exploit for Nintendo Zone DSi.

DSiBrew:News/Archive

2019-03-03T17:14:32Z

ChampionLeake:

*'''08 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9c], even more further improvements for DSi support.
*'''06 June 18''' WinterMute released [https://davejmurphy.com/͡-͜ʖ-͡/ FlipNote ( ͡° ͜ʖ ͡°)], a re-engineering of ugopwn to support eur/jpn & usa consoles,
*'''23 April 18''' Nocash released [https://problemkaputt.de/unlaunch.htm Unlaunch], The first ever (released) bootcode exploit for the DSi, It gives full SCFG_EXT access rights on boot.
*'''08 November 17''' shutterbug2000 re-released [https://gbatemp.net/threads/release-ugopwn.488702/ Ugopwn], a DSi homebrew exploit with NAND access (and 1.4.5 support!!) first DSi homebrew exploit in AGES
*'''23 July 17''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], further improving DSi support.
*'''02 July 17''' Apache Thunder announced [https://gbatemp.net/threads/announcing-rocketlauncher-the-first-exploit-with-unlocked-arm7.476288/ RocketLauncher], the vapourware exploit with unlocked Arm7, and also the first DSi exploit in years!
*'''01 June 15''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], allowing to run the whole DSi boot process in the emulator/debugger.
*'''11 February 15''' WinterMute released updated [http://davejmurphy.com/dsi-homebrew-redux/ dslink]. Now working with [[System Menu 1.4.5]].
*'''11 December 12''' Nintendo released [[System Menu 1.4.5]].*'''25 August 11''' Team Twiizers released the final [http://hackmii.com/2011/08/final-dsiwarehax/ DSiWareHax].
*'''29 June 11''' Nintendo released [[System Menu 1.4.3]] in all regions, blocking flash-cards.
*'''10 May 11''' Nintendo released a new system update, [[System Menu 1.4.2#Global_Update|System Menu 1.4.2]], globally. This blocks flash cards, and [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ blocks] copying all current and future DSiWare exploits to "internal memory".(A final Sudokuhax update will be [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ released] at same time as the final DSiWareHax mentioned in that post)
*'''24 March 11''' An updated USA Sudoku was [http://hackmii.com/2011/01/sudokuhax-release/ released], which fixed all Sudoku string bugs. On roughly March 30 2011, EUR Sudoku was updated.
*'''28 January 11''' 19 and 24 hours after the Sudokuhax release Nintendo [http://hackmii.com/2011/01/sudokuhax-release/ removed] EA's Sudoku from the EUR/AU and USA DSi Shop.
*'''27 January 11''' Team Twiizers released DSiWare exploit [http://hackmii.com/2011/01/sudokuhax-release/ Sudokuhax], loads full DSi-mode homebrew from SD card.

*'''14 January 11''' The DSi Common key has been disclosed to the public. Please do not post it here.

*'''07 September 10''' Nintendo released [[System Menu 1.4.1]] in all regions except China where [[System Menu 1.4.2]] was released instead. This update blocks some flashcards.
*'''25 August 10''' Dave J Murphy (WinterMute) released DSi Link, allowing running larger DSi mode homebrew binaries [http://davejmurphy.com/dsi-mode-homebrew-anyone/]
*'''9 February 10''' Nintendo has released an update for the DSi System. The DSi [[Nintendo Zone]] client was updated to version 3.0, but the system still runs on [[System Menu 1.4]]. No other changes have been identified.
*'''3 August 09''' Nintendo has released [[System Menu 1.4]] in every supported country.
*'''2 August 09''' The Drunken Coders [http://drunkencoders.com/2009/08/dsi-hack-update/ have released] the exploit they are using to run unsigned code in DSi mode.
*'''9 July 09:''' Team Twiizers successfully ran DSi-Mode Homebrew. More details can be found over at [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/ HackMii]
*'''25 June 09:''' Voting has begun for the [[DSiBrew:Contests|DSiBrew logo]] contest! Please cast your vote '''[[DSiBrew talk:Contests#Voting time!|here]]'''.
*'''8 June 09:''' The [[DSiBrew:Contests|DSiBrew logo]] contest is now closed to submissions.
*'''12 April 09:''' A [[DSiBrew:Contests|DSiBrew logo]] contest has started.
*'''5 April 09:''' The Nintendo DSi has been released in North America.
*'''3 April 09:''' Nintendo has released [[System Update 1.3]]. DSi Shop is accessible. All DSi flashcarts still work. Added a button to start DSi Camera application when pressing L or R.
*'''3 April 09:''' The Nintendo DSi has been released in Europe.
*'''2 April 09:''' The Nintendo DSi has been released in Australia.
*'''19 February 09:''' [http://nintendo.co.uk/NOE/en_GB/news/2008/nintendo_dsi_arrives_in_europe_on_3_april_2009_11627.html Nintendo of Europe] and [http://www.nintendo.com/whatsnew/detail/Q5D4ti_bPqJO_I0Oup0AMFudaUOLz6C7 Nintendo of America] have announced that the DSi will be released on April 3 in Europe and April 5 in North America.
* '''25 January 09 ''': [[User:Bushing|Bushing]] from [http://www.hackmii.com Hackmii] created this wiki as a spinoff of the [http://wiibrew.org/wiki/Main_Page WiiBrew wiki].

DSiWare VulnList

2019-03-03T15:30:15Z

ChampionLeake: /* Total listed DSiWare */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 15
|-
| Done
| 27
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Fieldrunners
| High-Scores
| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Guitar Rock Tour
| High-Scores
| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
| Legends of Exidia
| Player name
| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| The Legend of Zelda: Four Swords Anniversary
| Savedata filesize
| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
| UNO
| Profile names
| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2019-03-03T15:25:20Z

ChampionLeake: /* DSiWare with incomplete analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 22
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Fieldrunners
| High-Scores
| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Guitar Rock Tour
| High-Scores
| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
| Legends of Exidia
| Player name
| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| The Legend of Zelda: Four Swords Anniversary
| Savedata filesize
| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
| UNO
| Profile names
| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2019-03-03T15:18:04Z

ChampionLeake: /* DSiWare with finished analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 22
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Fieldrunners
| High-Scores
| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Guitar Rock Tour
| High-Scores
| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
| Legends of Exidia
| Player name
| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| The Legend of Zelda: Four Swords Anniversary
| Savedata filesize
| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
| UNO
| Profile names
| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiBrew:News/Archive

2019-02-15T02:45:22Z

ChampionLeake:

*'''06 June 18''' WinterMute released FlipNote ( ͡° ͜ʖ ͡°), a re-engineering of ugopwn to support eur/jpn & usa consoles,
*'''23 April 18''' Nocash released Unlaunch, The first ever (released) bootcode exploit for the DSi, It gives full SCFG_EXT access rights on boot.
*'''08 November 17''' shutterbug2000 re-released Ugopwn, a DSi homebrew exploit with NAND access (and 1.4.5 support!!) first DSi homebrew exploit in AGES
*'''23 July 17''' Martin Korth released no$gba v2.8b, further improving DSi support.
*'''02 July 17''' Apache Thunder announced RocketLauncher, the vapourware exploit with unlocked Arm7, and also the first DSi exploit in years!
*'''01 June 15''' Martin Korth released [http://problemkaputt.de/gba.htm no$gba v2.8b], allowing to run the whole DSi boot process in the emulator/debugger.
*'''11 February 15''' WinterMute released updated [http://davejmurphy.com/dsi-homebrew-redux/ dslink]. Now working with [[System Menu 1.4.5]].
*'''11 December 12''' Nintendo released [[System Menu 1.4.5]].*'''25 August 11''' Team Twiizers released the final [http://hackmii.com/2011/08/final-dsiwarehax/ DSiWareHax].
*'''29 June 11''' Nintendo released [[System Menu 1.4.3]] in all regions, blocking flash-cards.
*'''10 May 11''' Nintendo released a new system update, [[System Menu 1.4.2#Global_Update|System Menu 1.4.2]], globally. This blocks flash cards, and [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ blocks] copying all current and future DSiWare exploits to "internal memory".(A final Sudokuhax update will be [http://hackmii.com/2011/05/dsi-system-update-1-4-2/ released] at same time as the final DSiWareHax mentioned in that post)
*'''24 March 11''' An updated USA Sudoku was [http://hackmii.com/2011/01/sudokuhax-release/ released], which fixed all Sudoku string bugs. On roughly March 30 2011, EUR Sudoku was updated.
*'''28 January 11''' 19 and 24 hours after the Sudokuhax release Nintendo [http://hackmii.com/2011/01/sudokuhax-release/ removed] EA's Sudoku from the EUR/AU and USA DSi Shop.
*'''27 January 11''' Team Twiizers released DSiWare exploit [http://hackmii.com/2011/01/sudokuhax-release/ Sudokuhax], loads full DSi-mode homebrew from SD card.

*'''14 January 11''' The DSi Common key has been disclosed to the public. Please do not post it here.

*'''07 September 10''' Nintendo released [[System Menu 1.4.1]] in all regions except China where [[System Menu 1.4.2]] was released instead. This update blocks some flashcards.
*'''25 August 10''' Dave J Murphy (WinterMute) released DSi Link, allowing running larger DSi mode homebrew binaries [http://davejmurphy.com/dsi-mode-homebrew-anyone/]
*'''9 February 10''' Nintendo has released an update for the DSi System. The DSi [[Nintendo Zone]] client was updated to version 3.0, but the system still runs on [[System Menu 1.4]]. No other changes have been identified.
*'''3 August 09''' Nintendo has released [[System Menu 1.4]] in every supported country.
*'''2 August 09''' The Drunken Coders [http://drunkencoders.com/2009/08/dsi-hack-update/ have released] the exploit they are using to run unsigned code in DSi mode.
*'''9 July 09:''' Team Twiizers successfully ran DSi-Mode Homebrew. More details can be found over at [http://hackmii.com/2009/07/dsi-mode-homebrew-anyone/ HackMii]
*'''25 June 09:''' Voting has begun for the [[DSiBrew:Contests|DSiBrew logo]] contest! Please cast your vote '''[[DSiBrew talk:Contests#Voting time!|here]]'''.
*'''8 June 09:''' The [[DSiBrew:Contests|DSiBrew logo]] contest is now closed to submissions.
*'''12 April 09:''' A [[DSiBrew:Contests|DSiBrew logo]] contest has started.
*'''5 April 09:''' The Nintendo DSi has been released in North America.
*'''3 April 09:''' Nintendo has released [[System Update 1.3]]. DSi Shop is accessible. All DSi flashcarts still work. Added a button to start DSi Camera application when pressing L or R.
*'''3 April 09:''' The Nintendo DSi has been released in Europe.
*'''2 April 09:''' The Nintendo DSi has been released in Australia.
*'''19 February 09:''' [http://nintendo.co.uk/NOE/en_GB/news/2008/nintendo_dsi_arrives_in_europe_on_3_april_2009_11627.html Nintendo of Europe] and [http://www.nintendo.com/whatsnew/detail/Q5D4ti_bPqJO_I0Oup0AMFudaUOLz6C7 Nintendo of America] have announced that the DSi will be released on April 3 in Europe and April 5 in North America.
* '''25 January 09 ''': [[User:Bushing|Bushing]] from [http://www.hackmii.com Hackmii] created this wiki as a spinoff of the [http://wiibrew.org/wiki/Main_Page WiiBrew wiki].

DSiBrew:News

2019-02-15T02:39:44Z

ChampionLeake: /* News */

<noinclude>
==Adding an item==
* Log in to the wiki. Editing is disabled if you don't have an account.
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''

==Archives==
For older news, see the [[DSiBrew:News/Archive|news archive]].

=== News ===
</noinclude>
*'''12 February 19''' ChampionLeake announces/teases [https://www.youtube.com/watch?v=XN4YDSVuPwQ UNO*pwn], a UNO DSiWare exploit that's coming to all regions (US, EUR, & JPN).
*'''08 February 19''' shutterbug2000 announces/teases [https://www.youtube.com/watch?v=e4Tg7JN3U2M failZone], a upcoming DSiWare System Applet exploit for Nintendo Zone DSi.
*'''08 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.9c], even more further improvements for DSi support.
*'''06 June 18''' WinterMute released [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ FlipNote ( ͡° ͜ʖ ͡°)], a re-engineering of ugopwn to support eur/jpn & usa consoles.

DSiBrew:News

2019-02-15T02:36:59Z

ChampionLeake: /* News */

<noinclude>
==Adding an item==
* Log in to the wiki. Editing is disabled if you don't have an account.
* Add the news event to the top of the list, using this format for the date: <tt><nowiki>'''</nowiki>{{#time: d F y}}<nowiki>''' </nowiki></tt>. Please include the application's creator, version number, and a link to a page on DSiBrew about the application. No external links please.
* '''Move the last entry to the [[DSiBrew:News/Archive|news archive]]. There should be no more than 4 entrees in the list.'''

==Archives==
For older news, see the [[DSiBrew:News/Archive|news archive]].

=== News ===
</noinclude>
*'''12 February 19''' ChampionLeake announces/teases [https://www.youtube.com/watch?v=XN4YDSVuPwQ UNO*pwn], a UNO DSiWare exploit that's coming to all regions (US, EUR, & JPN).
*'''08 February 19''' shutterbug2000 announces/teases [https://www.youtube.com/watch?v=e4Tg7JN3U2M failZone], a upcoming DSiWare System Applet exploit for Nintendo Zone DSi.
*'''08 February 19''' nocash released [http://problemkaputt.de/gba.htm no$gba v2.8b], further improving DSi support.
*'''06 June 18''' WinterMute released [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ FlipNote ( ͡° ͜ʖ ͡°)], a re-engineering of ugopwn to support eur/jpn & usa consoles.

DSiWare VulnList

2019-01-16T17:48:38Z

ChampionLeake: /* DSiWare with finished analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 22
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2019-01-16T17:47:36Z

ChampionLeake: /* Total listed DSiWare */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 22
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2019-01-16T17:46:33Z

ChampionLeake: /* DSiWare with finished analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 18
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2019-01-10T02:18:59Z

ChampionLeake: /* DSiWare with incomplete analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 18
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2019-01-10T02:18:23Z

ChampionLeake: /* DSiWare with finished analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 18
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crazy Sudoku
| Player name
| None
| Has ASCII strings for player name.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2018-06-19T23:14:07Z

ChampionLeake: /* DSiWare with finished analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 18
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crazy Sudoku
| Player name
| None
| Has ASCII strings for player name.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSiWare VulnList

2018-06-18T17:07:08Z

ChampionLeake: /* DSiWare with finished analysis */

== Total listed DSiWare ==

Total DSiWare in below lists.

{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 20
|-
| Done
| 18
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}

== DSiWare with incomplete analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Status
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crazy Sudoku
| Player name
| None
| Has ASCII strings for player name.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Field Runners
| High-Scores
| Started
| The xml .plist the game uses for storing savedata contains high-scores strings.
|-
| Guitar Rock Tour
| High-Scores
| Started
| Has ASCII high-scores.
|-
| Legends of Exidia
| Player name
| Started
| Has ASCII player name.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|-
| UNO
| Player name and high-scores
| Started
| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}

== DSiWare with finished analysis ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|}

== DSiWare that probably don't have vulnerabilities ==

{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}

== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}

DSi exploits

2018-06-10T19:54:29Z

ChampionLeake: /* DS-mode exploits */

DSi exploits

2018-06-10T18:53:14Z

ChampionLeake: /* DSi-mode exploits */

DSi exploits

2018-06-10T18:49:00Z

ChampionLeake: /* DSi-mode exploits */

DSi exploits

2018-01-19T23:38:46Z

ChampionLeake: /* Type of exploits */

DSi exploits

2018-01-19T23:34:44Z

ChampionLeake: Added a glossary for type of ds exploits.

DSi exploits

2018-01-19T23:19:18Z

ChampionLeake: /* DSi-mode exploits */

User:ChampionLeake

2018-01-19T23:08:14Z

ChampionLeake: Created page with "I'm just a guy who likes to exploit stuff on the DS/DSi x) Find my github page [https://github.com/ChampionLeake here]"

I'm just a guy who likes to exploit stuff on the DS/DSi x)

Find my github page [https://github.com/ChampionLeake here]