When RocketLauncher, the DSi Exploit by ApacheThunder, NoCash, Gericom, Normmatt and StuckPixel, got announced we were told that it would only support to be run from Flashcards where the Bootrom could be changed. This is the case for the Acekard2i and a few other flashcards, which is good for people who already own a compatible one, but the rest would either have to buy one of these compatible flashcards or they won’t be able to use the exploit. Thanks to a finding by ApacheThunder you won’t have to buy a DS flashcard to use this though. He mentions that using a flashcard is the superior method but RocketLauncher will also support to be run from Retail NDS Cards.
Of course for this to work you will need a few things. First of all your DSi needs to be on Firmware 1.4 and you will need an exploitable DSiWare Game. You may think now: What will this help me then? I don’t have that Firmware or an exploitable DSiWare Game.
That’s the part that will soon change. A new DSiWare exploit is currently being created which will allow you to use DSi Homebrew and also downgrade your DSi to Firmware 1.4. It will be either for the DSi Web browser or Flipnote Studio so create lot’s of backups of those titles and never delete them if you want easy homebrew access.
Now on how this new exploit works. I watched the Video by ApacheThunder several times and tried piecing together the things the exploit does and needs but it is always possible that I got something wrong. If you should find anything that I got wrong please tell me in the comments or on Twitter so that I can change this post accordingly :).
He mentions that the trick behind this is that he finds a random address in a game which contains the jump address of the payload in the DS Whitelist. Since it isn’t really possible to land on the exact spot that it needs to jump to he stores a minimum of 2 offcodes to a safe spot to make the ARM7 Processor jump a second time to the then correct offset.
This currently makes it jump into a Dummy Game entry in the DS Whitelist Section 2 which then makes ARM7 jump into the unused RSA Sections in Section 3. Since the RSA Checks in 1.4 are broken we can change these however we like. This RSA section contains the “Buzz” payload that RocketLauncher was teased with for testing purposes.
Now the last step to start the exploit is to use a homebrew app to autostart the Retail Card. Since Retail cards aren’t autoboot cards which get run at boot this is needed. This is possible thanks to a certain feature of the DSi which gets used by the TWLNMenu Devapp available on Devunits. This app is pretty much the equivalent to DevMenu on the 3DS and can install apps and also launch them. The difference here is that it can’t directly launch them but rather puts special code into the shared ARM9 and ARM7 RAM which makes the DSi autoboot the selected title. Of course, only the method is used and you won’t need TWLNMenu for this.
And then that’s it. The homebrew app will then autoboot into the game and start the payload. This can then allow you to use SRLoader without Audio Issues or maybe for even more things as more will hopefully be found out about the DSi.
ApacheThunder only tested this with Super Mario 64 for now but as he mentions in the Video it should also work on Mario Kart and I hope he gets it to work with it since I believe that even more people will Mario Kart which will then broaden the range of people who can use this.
I really hope that now, after the 3DS, the DSi will finally get the love it never really got and will maybe someday end up hacked like the 3DS and getting many new things and hacks to improve it.