NDStool now can generate PassMe vhdl sourcecode and SRAM file from an nds rom file.
Here's the full Changelog.
Compiling the vhdl sourcecode requires Xilinx ISE, so I will look for a less tedious way to create a programming file since it's technically possible.
Xilinx project files and a readme can be found here.
I will soon update the nds rom database page with more info, functionality and download links for programming and SRAM files.
Wednesday, November 02, 2005
Tuesday, October 11, 2005
DSbrick trojan
I've added some information on the DSbrick trojan on my intro page.
Bad news I'm afraid. Perhaps more to come or nothing at all.
Bad news I'm afraid. Perhaps more to come or nothing at all.
Friday, June 17, 2005
NDStool, CompactFlash adapter
NDStool now includes a PassMe loader by default, so you don't need to add a special loader in front of it. Again not very useful, except when developing perhaps or when you don't want an extra cartridge offset. It uses the WMB logo data area, so that will look like garbage.
I've put up the schematic for the homebrew CompactFlash adapter and also Eagle files for it. I don't know where to buy small reversed CF sockets. I'll leave that up to the person who is crazy enough to make PCB out of that design :) For single pieces, GBA Movie Player is cheaper. So someone could mass produce them. Perhaps it needs more functionality though.
Dang... I really want to get perpendicular and get a 10GB microdrive :P
Also finally uploaded that Lights Out Cube to my page.
I've put up the schematic for the homebrew CompactFlash adapter and also Eagle files for it. I don't know where to buy small reversed CF sockets. I'll leave that up to the person who is crazy enough to make PCB out of that design :) For single pieces, GBA Movie Player is cheaper. So someone could mass produce them. Perhaps it needs more functionality though.
Dang... I really want to get perpendicular and get a 10GB microdrive :P
Also finally uploaded that Lights Out Cube to my page.
Friday, May 13, 2005
Firmware recovery
I have successfully recovered the firmware of two DSes using the parallel port of my laptop. A bunch of wires, one cut trace on the PCB, external power supply and a piece of software did the trick. Source/executable available as "ppflash.zip".
Thursday, April 21, 2005
FlashMe
I made the FlashMe web page (PHP, registration stuff... yay) to download Loopy's firmware patch. Currently located at http://ds.gcdev.com/dsfirmware/. It's currently in betatesting phase and it seems like it works allright.
Friday, April 15, 2005
CompactFlash adapter
I've made my own CompactFlash adapter by reusing a GBA cartridge (F-ZERO) and a CF connector of an old mainboard. Cut down the connector pins, prepare one side with wires and solder all pins to be grounded together onto the GBA edge connector. Connectors glued into the cartridge case and then started wiring the rest. It's a bit crampy and the cartridge doesn't go in the GBA slot all the way but it's barely visisble. Then I took some old Flash Advance Linker sourcecode and modified it for testing some IDE commands. So far, I could read a sector with it.
Anyway, it looks nicer and cheaper than getting a movie player cartridge. I hope I can use it with new DS firmware/software.
Anyway, it looks nicer and cheaper than getting a movie player cartridge. I hope I can use it with new DS firmware/software.
Saturday, April 09, 2005
My PassMe's arrived
The PassMe Natrium42 sent, have arrived. Now I finally don't have to program my FPGA each time :) I soldered my own connector on it. Also made a picture to compare against another PassMe version which someone else made. This one fits in an original cartridge case. The makers of this one might mold some cases for it.
Friday, April 08, 2005
Opened my PSP
Today, I opened my PSP. Turned it on with just the battery and button PCB with the power button on it. Wrote down some partnumbers and found two I/O pins for configuring the clockchip. Perhaps I'm going to capture that and then slow down the PSP or whatever.
Wednesday, April 06, 2005
NDS tool v1.07
NDS tool allows you to unpack/pack both commercial and homebrew NDS files.
[edit]
Source: http://cvs.sourceforge.net/viewcvs.py/devkitpro/tools/nds/ndstool/
Binary: http://cvs.sourceforge.net/viewcvs.py/ndslib/ndslib/examples/tools/ndstool.exe (not the latest version!)
[/edit]
New features:
Planned for next version:
Costis is writing a NDS loader that allows you to put multiple games on one GBA cartridge!
[edit]
Source: http://cvs.sourceforge.net/viewcvs.py/devkitpro/tools/nds/ndstool/
Binary: http://cvs.sourceforge.net/viewcvs.py/ndslib/ndslib/examples/tools/ndstool.exe (not the latest version!)
[/edit]
New features:
- add/extract header
- create filesystem
Planned for next version:
- Build-in icon converter
Costis is writing a NDS loader that allows you to put multiple games on one GBA cartridge!
Welcome PSP dev!
Yay! I received my PSP!
Although my main focus is the Nintendo DS, I might still give a small try... but I do not want to break it or anything. And PSP is so much more secure. (I think)
Although my main focus is the Nintendo DS, I might still give a small try... but I do not want to break it or anything. And PSP is so much more secure. (I think)
DS flash cartridge?
Will DS flash cartridges be a reality soon?
I think someone is making one. But how will it work? :)
Mysterious...
I think someone is making one. But how will it work? :)
Mysterious...
Tuesday, February 22, 2005
100% dump
I now dumped the secure area correctly of the Metroid demo. The CRC for that reports OK (0xC44D). I have put the tests on idle, since I don't know if they will be of any more use. Still need to figure out how the encryption on the first few commands work.
Friday, February 11, 2005
First test complete
At about 80% of the first test, the correct value was found. This proves my theories and allows me to take the next few steps :). Thank you all for participation.
Wednesday, February 09, 2005
Distributed cracking
I would like to conduct some test(s) on data that has been captured from a cartridge. Because I know how the PRNG works, I made a simple distributed cracking tool to find the correct values for a given set of null-data.
If you want to help out, check out http://darkfader.net/ds/stats.php
If you want to help out, check out http://darkfader.net/ds/stats.php
Tuesday, February 08, 2005
Encryption
I stopped the Real Time Clock in the DS and proved the encryption bases its random number generator on the time and the 4-character gamecode in the header. The game does not start when the gamecode is altered. Most of the bios code has been dumped and we found some others things on the encryption.
I've analyzed the random number generators and can reproduce the numbers, but unfortunately the initial numbers are in a locked part of the bios. The are ways to read it though :)
I'm currently making some program that calculates the LFSR values from the stream in reverse direction... challenging ;)
I've analyzed the random number generators and can reproduce the numbers, but unfortunately the initial numbers are in a locked part of the bios. The are ways to read it though :)
I'm currently making some program that calculates the LFSR values from the stream in reverse direction... challenging ;)
Romdumps
I've dumped the Metroid demo and Mario 64 DS.
This could be done by capturing commands to the cartridge and then play them back and alter the first byte to turn a normal read into an ID command. The difference in data resulted in the original data.
This gave me the idea of running two cartridges at the same time. One using normal commands and other ID commands. But since I didn't got a 2nd GBC connector and am too lazy to make one myself, I haven't tried this method yet. And it's not required anymore.
Unfortunately, the first part of the ARM9 executable uses some other encryption method. This part has been dumped from the RAM but is not the original data. The rest of the cartridge was dumped by issueing the ID command instead of the read command and save the data difference.
This could be done by capturing commands to the cartridge and then play them back and alter the first byte to turn a normal read into an ID command. The difference in data resulted in the original data.
This gave me the idea of running two cartridges at the same time. One using normal commands and other ID commands. But since I didn't got a 2nd GBC connector and am too lazy to make one myself, I haven't tried this method yet. And it's not required anymore.
Unfortunately, the first part of the ARM9 executable uses some other encryption method. This part has been dumped from the RAM but is not the original data. The rest of the cartridge was dumped by issueing the ID command instead of the read command and save the data difference.
My pass-through ran the first code!
So... when I got my DS and games, I started to make an FPGA (a programmable logic chip) -based pass-through that would let me capture and alter the cartridge traffic. An etched PCB goes into the DS and a cut GBC-connector holds a DS cartridge. Once this worked, I tried fiddling with the header and found out that it could run own code from the GBA slot. There is even a bit that automatically starts the program without user-interaction at the boot screen. For this, I made a utility called ndstool that fixes the CRC values in the header.
After I could run my own code, I made a small program that modified a text in memory of the Metroid demo and then continued executing.
Commercial games might be playable from GBA cartridge with some code patching, but it's also possible to attach a flashchip to the DS slot to put game files on. In fact, no GBA cartridge is even required for the pass-through trick. Just execute some small loader that is stored in the unencrypted header.
After I could run my own code, I made a small program that modified a text in memory of the Metroid demo and then continued executing.
Commercial games might be playable from GBA cartridge with some code patching, but it's also possible to attach a flashchip to the DS slot to put game files on. In fact, no GBA cartridge is even required for the pass-through trick. Just execute some small loader that is stored in the unencrypted header.
The begin of .hack//DS
After a few weeks the Nintendo DS was out, I found someone that was willing to ship me one at a nice price from USA to NL. One thing was on my mind... to hack it. I had looked at inside pictures of the cartridge and DS. I guessed the pinout rather nicely. Others started to capture the traffic of the cartridge. We then saw the header data and encrypted data. We somehow knew it was encrypted before we started looking, but the "RSA" on the back does not apply to the cartridge.
Subscribe to:
Posts (Atom)