diff --git a/README.md b/README.md
index f4ac743..afa2a5c 100644
--- a/README.md
+++ b/README.md
@@ -45,5 +45,6 @@ Once everything is downloaded and installed, `git clone` this repository, naviga
 * [zacchi4k](https://github.com/zacchi4k): Creator of the GodMode9i logo used in v1.3.1 and onwards.
 * [Edo9300](https://github.com/edo9300): Save reading code from his save manager tool.
 * [JimmyZ](https://github.com/JimmyZ): NAND code from twlnf (with writing code stripped for safety reasons).
+* [zoogie](https://github.com/zoogie): Code from dumpTool to get ConsoleID.
 * [devkitPro](https://github.com/devkitPro): devkitARM, libnds, original nds-hb-menu code, and screenshot code.
 * [d0k3](https://github.com/d0k3): Original GM9 app and name for the Nintendo 3DS, which this is inspired by.
diff --git a/arm7/source/main.c b/arm7/source/main.c
index 65f8c58..af815be 100644
--- a/arm7/source/main.c
+++ b/arm7/source/main.c
@@ -28,8 +28,7 @@
 
 ---------------------------------------------------------------------------------*/
 #include <nds.h>
-
-//static u8 aesIvValues[0x10] = {0x80,0x6B,0xCF,0x4F,0x93,0xEE,0x6F,0x21,0xF9,0x86,0xDF,0x98,0x7D,0xE7,0xFD,0x07};
+#include <string.h>
 
 unsigned int * SCFG_EXT=(unsigned int*)0x4004008;
 
@@ -62,6 +61,32 @@ void powerButtonCB() {
 	exitflag = true;
 }
 
+void set_ctr(u32* ctr){
+	for (int i = 0; i < 4; i++) REG_AES_IV[i] = ctr[3-i];
+}
+
+// 10 11  22 23 24 25
+void aes(void* in, void* out, void* iv, u32 method){ //this is sort of a bodged together dsi aes function adapted from this 3ds function
+	REG_AES_CNT = ( AES_CNT_MODE(method) |           //https://github.com/TiniVi/AHPCFW/blob/master/source/aes.c#L42
+					AES_WRFIFO_FLUSH |				 //as long as the output changes when keyslot values change, it's good enough.
+					AES_RDFIFO_FLUSH | 
+					AES_CNT_KEY_APPLY | 
+					AES_CNT_KEYSLOT(3) |
+					AES_CNT_DMA_WRITE_SIZE(2) |
+					AES_CNT_DMA_READ_SIZE(1)
+					);
+					
+    if (iv != NULL) set_ctr((u32*)iv);
+	REG_AES_BLKCNT = (1 << 16);
+	REG_AES_CNT |= 0x80000000;
+	
+	for (int j = 0; j < 0x10; j+=4) REG_AES_WRFIFO = *((u32*)(in+j));
+	while(((REG_AES_CNT >> 0x5) & 0x1F) < 0x4); //wait for every word to get processed
+	for (int j = 0; j < 0x10; j+=4) *((u32*)(out+j)) = REG_AES_RDFIFO;
+	//REG_AES_CNT &= ~0x80000000;
+	//if (method & (AES_CTR_DECRYPT | AES_CTR_ENCRYPT)) add_ctr((u8*)iv);
+}
+
 //---------------------------------------------------------------------------------
 int main() {
 //---------------------------------------------------------------------------------
@@ -96,37 +121,36 @@ int main() {
 
 	setPowerButtonCB(powerButtonCB);
 
-	for (int i = 0; i < 8; i++) {
-		*(u8*)(0x2FFFD00+i) = *(u8*)(0x4004D07-i);	// Get ConsoleID
-	}
-	// Get ConsoleID
-	/*for (int i = 0; i < 0x10; i++) {
-		REG_AES_IV[i] = aesIvValues[i];
-	}
-	*(vu16*)0x4004406 = 1;*/
+	if (isDSiMode()) {
+		/*for (int i = 0; i < 8; i++) {
+			*(u8*)(0x2FFFD00+i) = *(u8*)(0x4004D07-i);	// Get ConsoleID
+		}*/
 
-	/* *(u32*)(0x4004104+(0*0x1C)) = REG_AES_RDFIFO;
-	*(u32*)(0x4004108+(0*0x1C)) = 0x2FFFD00;
-	
-	*(u32*)(0x4004110+(0*0x1C)) = 2;	
-	
-    *(u32*)(0x4004114+(0*0x1C)) = 0x1;
-	
-	*(u32*)(0x400411C+(0*0x1C)) = (1<<19 | 11<<28); */
+		// For getting ConsoleID without reading from 0x4004D00...
 
-	/*REG_AES_WRFIFO = 0xFFFFFFFF;
-	REG_AES_WRFIFO = 0xEEEEEEEE;
-	REG_AES_WRFIFO = 0xDDDDDDDD;
-	REG_AES_WRFIFO = 0xCCCCCCCC;
-	REG_AES_CNT = (AES_RDFIFO_FLUSH | AES_CNT_DMA_READ_SIZE(1) | AES_CNT_KEY_APPLY | AES_CNT_KEYSLOT(3) | AES_CNT_MODE(0) | AES_CNT_IRQ | AES_CNT_ENABLE);
-	*/
-	/* *(u32*)(0x2FFFD00) = REG_AES_RDFIFO;
-	for (int i = 0; i < 3; i++) {
-		*(u32*)(0x2FFFD04) = REG_AES_RDFIFO;
-	}*/
-	/*for (int i = 0; i < 4; i++) {
-		*(u8*)(0x2FFFD04+i) = *(u8*)(0x40044EC+i);
-	}*/
+		u8 base[16]={0};
+		u8 in[16]={0};
+		u8 iv[16]={0};
+		u8 *scratch=(u8*)0x02300200; 
+		u8 *out=(u8*)0x02300000;
+		u8 *key3=(u8*)0x40044D0;
+		
+		aes(in, base, iv, 2);
+
+		//write consecutive 0-255 values to any byte in key3 until we get the same aes output as "base" above - this reveals the hidden byte. this way we can uncover all 16 bytes of the key3 normalkey pretty easily.
+		//greets to Martin Korth for this trick https://problemkaputt.de/gbatek.htm#dsiaesioports (Reading Write-Only Values)
+		for(int i=0;i<16;i++){  
+			for(int j=0;j<256;j++){
+				*(key3+i)=j & 0xFF;
+				aes(in, scratch, iv, 2);
+				if(!memcmp(scratch, base, 16)){
+					out[i]=j;
+					//hit++;
+					break;
+				}
+			}
+		}
+	}
 
 	fifoSendValue32(FIFO_USER_03, *SCFG_EXT);
 	fifoSendValue32(FIFO_USER_07, *(u16*)(0x4004700));
diff --git a/arm9/source/f_xy.c b/arm9/source/f_xy.c
new file mode 100644
index 0000000..d6cddd3
--- /dev/null
+++ b/arm9/source/f_xy.c
@@ -0,0 +1,92 @@
+#include <stdio.h>
+#include <string.h>
+#include <malloc.h>
+#include <stdint.h>
+#include "tonccpy.h"
+
+//#define DEBUG
+
+
+void n128_lrot(uint64_t *num, uint32_t shift)
+{
+	uint64_t tmp[2];
+
+	tmp[0] = num[0]<<shift;
+	tmp[1] = num[1]<<shift;
+	tmp[0] |= (num[1]>>(64-shift));
+	tmp[1] |= (num[0]>>(64-shift));
+
+	num[0] = tmp[0];
+	num[1] = tmp[1];
+}
+void n128_rrot(uint64_t *num, uint32_t shift)
+{
+	uint64_t tmp[2];
+
+	tmp[0] = num[0]>>shift;
+	tmp[1] = num[1]>>shift;
+	tmp[0] |= (num[1]<<(64-shift));
+	tmp[1] |= (num[0]<<(64-shift));
+
+	num[0] = tmp[0];
+	num[1] = tmp[1];
+}
+
+void n128_add(uint64_t *a, uint64_t *b)
+{
+	uint64_t *a64 = a;
+	uint64_t *b64 = b;
+	uint64_t tmp = (a64[0]>>1)+(b64[0]>>1) + (a64[0] & b64[0] & 1);
+	 
+	tmp = tmp >> 63;
+        a64[0] = a64[0] + b64[0];
+        a64[1] = a64[1] + b64[1] + tmp;
+}
+
+void n128_sub(uint64_t *a, uint64_t *b)
+{
+	uint64_t *a64 = a;
+	uint64_t *b64 = b;
+	uint64_t tmp = (a64[0]>>1)-(b64[0]>>1) - ((a64[0]>>63) & (b64[0]>>63) & 1);
+        
+	tmp = tmp >> 63;
+        a64[0] = a64[0] - b64[0];
+        a64[1] = a64[1] - b64[1] - tmp;
+}
+
+void F_XY(uint32_t *key, uint32_t *key_x, uint32_t *key_y)
+{
+	int i;
+	unsigned char key_xy[16];
+
+	toncset(key_xy, 0, 16);
+	toncset(key, 0, 16);
+	for(i=0; i<16; i++)key_xy[i] = ((unsigned char*)key_x)[i] ^ ((unsigned char*)key_y)[i];
+
+	key[0] = 0x1a4f3e79;
+	key[1] = 0x2a680f5f;
+	key[2] = 0x29590258;
+	key[3] = 0xfffefb4e;
+
+	n128_add((uint64_t*)key, (uint64_t*)key_xy);
+	n128_lrot((uint64_t*)key, 42);
+}
+
+//F_XY_reverse does the reverse of F(X^Y): takes (normal)key, and does F in reverse to generate the original X^Y key_xy.
+void F_XY_reverse(uint32_t *key, uint32_t *key_xy)
+{
+	uint32_t tmpkey[4];
+	toncset(key_xy, 0, 16);
+	toncset(tmpkey, 0, 16);
+	tonccpy(tmpkey, key, 16);
+
+	key_xy[0] = 0x1a4f3e79;
+	key_xy[1] = 0x2a680f5f;
+	key_xy[2] = 0x29590258;
+	key_xy[3] = 0xfffefb4e;
+
+	n128_rrot((uint64_t*)tmpkey, 42);
+	n128_sub((uint64_t*)tmpkey, (uint64_t*)key_xy);
+	tonccpy(key_xy, tmpkey, 16);
+}
+
diff --git a/arm9/source/f_xy.h b/arm9/source/f_xy.h
new file mode 100644
index 0000000..c5485a9
--- /dev/null
+++ b/arm9/source/f_xy.h
@@ -0,0 +1,16 @@
+#ifndef _H_F_XY
+#define _H_F_XY
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void F_XY(uint32_t *key, uint32_t *key_x, uint32_t *key_y);
+void F_XY_reverse(uint32_t *key, uint32_t *key_xy);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/arm9/source/nandio.c b/arm9/source/nandio.c
index 6bc750a..6f0d6bf 100644
--- a/arm9/source/nandio.c
+++ b/arm9/source/nandio.c
@@ -5,6 +5,8 @@
 #include <stdio.h>
 #include "crypto.h"
 #include "sector0.h"
+#include "tonccpy.h"
+#include "f_xy.h"
 
 //#define SECTOR_SIZE 512
 #define CRYPT_BUF_LEN 64
@@ -24,6 +26,25 @@ void nandio_set_fat_sig_fix(u32 offset) {
 	fat_sig_fix_offset = offset;
 }
 
+void getConsoleID(u8 *consoleID){
+	u8 *fifo=(u8*)0x02300000; //shared mem address that has our computed key3 stuff
+	u8 key[16]; //key3 normalkey - keyslot 3 is used for DSi/twln NAND crypto
+	u8 key_xy[16]; //key3_y ^ key3_x
+	u8 key_x[16];////key3_x - contains a DSi console id (which just happens to be the LFCS on 3ds)
+	u8 key_y[16] = {0x76, 0xDC, 0xB9, 0x0A, 0xD3, 0xC4, 0x4D, 0xBD, 0x1D, 0xDD, 0x2D, 0x20, 0x05, 0x00, 0xA0, 0xE1}; //key3_y NAND constant
+	
+	tonccpy(key, fifo, 16);  //receive the goods from arm7
+
+	F_XY_reverse((uint32_t*)key, (uint32_t*)key_xy); //work backwards from the normalkey to get key_x that has the consoleID
+
+	for(int i=0;i<16;i++){
+		key_x[i] = key_xy[i] ^ key_y[i];             //''
+	}
+
+	tonccpy(&consoleID[0], &key_x[0], 4);             
+	tonccpy(&consoleID[4], &key_x[0xC], 4);
+}
+
 bool nandio_startup() {
 	if (!nand_Startup()) return false;
 
@@ -44,8 +65,17 @@ bool nandio_startup() {
 		}
 	}
 
+	u8 consoleID[8];
+	u8 consoleIDfixed[8];
+
+	// Get ConsoleID
+	getConsoleID(consoleID);
+	for (int i = 0; i < 8; i++) {
+		consoleIDfixed[i] = consoleID[7-i];
+	}
+
 	// iprintf("sector 0 is %s\n", is3DS ? "3DS" : "DSi");
-	dsi_crypt_init((const u8*)0x2FFFD00, (const u8*)0x2FFD7BC, is3DS);
+	dsi_crypt_init((const u8*)consoleIDfixed, (const u8*)0x2FFD7BC, is3DS);
 	dsi_nand_crypt(sector_buf, sector_buf, 0, SECTOR_SIZE / AES_BLOCK_SIZE);
 	parse_mbr(sector_buf, is3DS, 0);