Untitled

There are 2 installation methods

AUTOMATIC via DSIware exploits
simply start unlaunch.dsi and
select Install now in the menu.

MANUAL INSTALL via hardmods
locate 520-byte title.tmd file
in the following folder:
title\00030017\484E41xx\content
(the xx varies per region)
append 81400-byte unlaunch.dsi
at the end of the tmd file (tmd
filesize is then 81920 bytes)

Both methods are working on all
retail DSi models, regardless
of region or firmware version.
For uninstallation truncate the
tmd file back to 520-byte size.
When installed, unlaunch takes
control almost immediately afterpower-up, before even executing
the boot menu (aka launcher).

If SD:\BOOTCODE.DSI exists,
then it will immediately
execute that file with all
access rights, for example,
rename DSLINK.NDS accordingly,
so you can wifi-upload your
game from PC to DSi.

Otherwise, if the file doesn't
exist, it will resume normal
booting, with some improvements
-Without Healthsafety+bootmusic
-No Region+RSA+Whitelist checks
-ARM7+9 SCFG_EXT.BIT31 kept set
Even old NDS flash carts will
maintain SCFG_EXT access rights
(but are probably unable to
re-enter DSi touchscreen mode).


Bootstage 2 is loading the
launcher's TITLE.TMD file to
memory, that's done without any
FILESIZE>LIMIT check (it's only
checking FILESIZE>FILESIZE).

That is allowing to load about
80Kbytes of useful code, and to
overwrite a task switching
structure, causing ARM9 to
execute the loaded code, which
can then tweak ARM7 to execute
custom code by remapping some
portions of shared WRAM.

Yup, it's actually that simple.
The bigger problem has been to
find this exploit within the
400,000 lines of code that
bootstages 2 and 3 consist of.