DSBrick is safer than you think (and FlashMe is a lie)

IMG_4077.jpeg

Quick tl:dr on DSBrick
A long, long time ago in 2005, some homebrew developer produced two trojans. One, DSBrickA/r0mloader, pretended to be a tool to run games. The other, DSBrickB/taihen, was a hentai slideshow. Both of these would brick your DS when run by filling as much of the firmware as possible with FF bytes.

Obviously people were in a panic back then, being extra careful to make sure nobody slipped either trojan into some homebrew. Since it was such a serious risk, people started promoting a custom firmware called FlashMe because it had "brick protection." The trojans wouldn't be able to write to the first part of the firmware, so a recovery mode was put in to reflash/repair the firmware.

FlashMe brick protection is a hoax
Brick protection sounds nice, especially with how dangerous the Trojans seem, but let's take a closer look...

Each DS has something called SL1, two pins that determine whether or not the firmware is write protected (photo below). A brand new DS will have the SL1 pins disconnected, meaning that it is impossible to write to the firmware (excluding the settings at the end). This is why every CFW installing guide tells you to bridge (connect the pins of) SL1.
1714383756046.png


The chips normally used to store firmware are LE25FW203A, LE25FW203T, M45PE20, M35PE20. Looking at the manufacturer's data sheets (attached to this post), SL1's write protect works for the first 256 pages, with each page being 256 bytes. 256*256=65536 bytes. In hex, that's write protection until 0x10000. According to gbatek, the DS firmware data goes until 0x3F9FF.
1714376535227.png
1714377368178.png


Everything shows that the DS firmware should brick... but it doesn't... Despite what everything says, anecdotally no normal DS should be affected by the trojans (assuming write protection is on). I tested every chip and board type on my consoles. The only thing that happened was a settings reset. Here's your proof:


Interestingly, the firmware wasn't written to until 0x3F760. So as long as you haven't permanently bridged SL1 (e.g. by soldering), you'll be protected, both with original firmware and with CFW. But if SL1 is bridged, the trojan can write to every byte of the firmware without issue. Nothing can save you at that point.
1714384121817.jpeg
IMG_4073.jpeg


Back to FlashMe... did you know that FlashMe's brick "protection" actually puts users at risk? Remember that at the end of the day FlashMe is just data. DSBrick doesn't care that there is a "recovery mode". It will just delete it if it can and move on.

But users are going to be afraid of DSBrick and feel that they have to install FlashMe at all costs. Some might decide to solder SL1 to make flashing easier and expose themselves to the trojan. Others might accidentally short something/drop out the battery and stop flashing before 10% (guaranteed brick). Most users are going to be fine, but the fact that you're putting yourself in harm's way for nothing is just stupid!

I have to wonder how that rumor about FlashMe came to be. Even darkfader was wrong about their own software and recovery...
Erase DS firmware. Practically the first 64 KBytes are write-protected and thus is recoverable when the FlashMe firmware was installed. - darkfader.net, 2005

Anyways, the trojans really aren't that bad. You don't need extra firmwares or tools to detect DSBrick. All that you need to do is get into the habit of keeping SL1 disconnected! A good thing to do regardless of trojans.

An exception to this post
There are a couple of DS types that are affected out of the box: iQue and Korean units. These are so uncommon that they aren't too big of an issue, but still worth mentioning. iQue and Korean DSes have 512 KB chips (LE25FW403A and M45PE40) to store the larger character sets for the Chinese and Korean languages. These chips actually behave like the datasheets say, stopping write protect at 0x10000. This is the only case where FlashMe would do any good with SL1's write protect on. Though this is such a niche case that I doubt this was the reason for people to promote FlashMe.
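The write-protect arithmetic from the SL1 section (datasheet boundary at 0x10000 versus the observed first written byte at 0x3F760, and firmware data ending at 0x3F9FF per gbatek) and the 512 KB iQue/Korean case above can be put into a small model that shows which outcome each combination of chip, SL1 state and FlashMe leads to. This is an added example, not code from the post or from any DS project: it simulates only what the post describes (a trojan that fills every byte the chip accepts with 0xFF, and a chip that refuses writes below a boundary while SL1 is open). The chip scenarios, the sample image and the outcome labels are constructed assumptions for illustration, not measurements.

```python
"""Model of what a fill-with-0xFF write can reach under SL1 write protection.

Added example for this post, not code from the post or any DS project.
Addresses are the ones the post quotes (gbatek firmware data to 0x3F9FF,
datasheet protect boundary 0x10000, observed first written byte 0x3F760).
The chip scenarios are constructed from the post's descriptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

FIRMWARE_DATA_END = 0x3FA00      # gbatek: firmware data occupies 0x00000-0x3F9FF
RECOVERY_REGION_END = 0x10000    # first 64 KB, where FlashMe keeps its recovery mode
DATASHEET_PROTECT_END = 0x10000  # 256 pages x 256 bytes protected, per the datasheets
OBSERVED_WRITE_START = 0x3F760   # first offset the author saw change on 256 KB chips


@dataclass(frozen=True)
class FlashChip:
    name: str
    size: int         # 256 KB for LE25FW203A/M45PE20, 512 KB for LE25FW403A/M45PE40
    protect_end: int  # writes below this offset are refused while SL1 is open

    def writable_range(self, sl1_bridged: bool) -> Tuple[int, int]:
        """Bridging SL1 removes the protected window entirely."""
        return (0 if sl1_bridged else self.protect_end, self.size)


def fill_ff(image: bytes, chip: FlashChip, sl1_bridged: bool) -> bytes:
    """Apply the trojan's effect as the post describes it: every writable byte
    becomes 0xFF. Protected bytes are left untouched by the chip itself."""
    lo, hi = chip.writable_range(sl1_bridged)
    out = bytearray(image)
    out[lo:hi] = b"\xff" * (hi - lo)
    return bytes(out)


def first_changed_offset(before: bytes, after: bytes) -> Optional[int]:
    """Lowest offset at which the two images differ, or None if identical."""
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b:
            return i
    return None


def classify(before: bytes, after: bytes, flashme_installed: bool) -> str:
    """Map the damage onto the three outcomes the post distinguishes."""
    first = first_changed_offset(before, after)
    if first is None:
        return "untouched"
    if first >= OBSERVED_WRITE_START:
        return "settings reset"   # what the author observed on 256 KB chips
    if first >= RECOVERY_REGION_END and flashme_installed:
        return "recoverable"      # FlashMe recovery mode in the first 64 KB survives
    return "brick"                # code below the recoverable range is gone


def sample_image(size: int) -> bytes:
    """Constructed stand-in for a firmware dump: deterministic bytes that are
    never 0xFF, so every overwritten byte registers as a change."""
    return bytes((i * 7 + 3) % 255 for i in range(size))


# Scenarios constructed from the post: the datasheet model of a 256 KB chip,
# the behaviour the author actually observed on one, and the 512 KB iQue/Korean chip.
SCENARIOS = {
    "256KB datasheet model": FlashChip("LE25FW203A (datasheet)", 0x40000, DATASHEET_PROTECT_END),
    "256KB as observed":     FlashChip("LE25FW203A (observed)", 0x40000, OBSERVED_WRITE_START),
    "512KB iQue/Korea":      FlashChip("LE25FW403A", 0x80000, DATASHEET_PROTECT_END),
}


def run(scenario: str, sl1_bridged: bool, flashme_installed: bool) -> Tuple[Optional[int], str]:
    """Return (first damaged offset, outcome) for one scenario."""
    chip = SCENARIOS[scenario]
    before = sample_image(chip.size)
    after = fill_ff(before, chip, sl1_bridged)
    return first_changed_offset(before, after), classify(before, after, flashme_installed)


if __name__ == "__main__":
    for name in SCENARIOS:
        for bridged in (False, True):
            for flashme in (False, True):
                off, verdict = run(name, bridged, flashme)
                shown = "none" if off is None else hex(off)
                print(f"{name:22} SL1 {'bridged' if bridged else 'open':7} "
                      f"FlashMe={str(flashme):5} first change={shown} -> {verdict}")
```

Reading the table the script prints reproduces the post's argument: with SL1 open, the datasheet model gives "recoverable" only when FlashMe is present and "brick" otherwise, the observed 256 KB behaviour gives "settings reset" regardless of FlashMe, and the 512 KB chip is the one case where FlashMe changes the outcome; with SL1 bridged every row is "brick".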

Could I be wrong?
It's always possible I missed something. I've tested every board and chip type I can think of but I can't say for sure that I didn't miss another, or that my DSes might behave differently (I've put them through so much after all...). If you spot something I didn't, please let me know down below. Thanks!

Comments

Wasn't there something about the original DS "Phat", being more problematic (write protection not protecting everything). No source. Memory blurred. Might be wrong.

Since the main reason to have FlashMe is running unsigned Download Play ROMs, eliminating the need for PassMe stuff in the early days and – in my case getting rid of the &§%"!**§ piece of :shit: Health&Safety warning screen, there is simply no reason to not have it on any old DS system.

Bridging SL-1 with solder makes zero sense if you aren't a developer or tester and constantly flashing, so I don't see how installing FlashMe would make a device more vulnerable.
 
@KleinesSinchen write protection shouldn't differ between different DSes. It's a feature of the chip itself. The DS is just what holds the "switch".

And as for FlashMe safety, people will solder. To be fair those are typically the people with the knowledge to unbrick, but it's still an added risk. And as for your normal n00bs, it's easy to slip and short something. You've gotta be careful and most people aren't.

Staying on stock firmware will always be safer. No need to change for a wrong fear of bricking.
 
Did you test exclusively on the Lite or did you also test on a Phat model from when the bricker was released?

Also I have to agree that soldering SL1 is moronic unless you're a dev, the only practical risks I'm aware of is the flashing failing before it reached 10% (i.e. recovery mode has been written) or shorting something else.
 
Interesting, I shed some light on these trojans years ago and wrote an article about them, but I never figured it was harmless on DS Lites, at least on the one you tested. I do remember seeing a video showing that twlfirm can get bricked on a 3DS.
 
@tech3475 I've got DS phats... but only the motherboards. So no.

However, the write protect should be on the chips themselves. Unless the DS phat has poorly designed traces that bridge SL1, the chips will function the exact same as on a lite.
 
@tech3475 I've got DS phats... but only the motherboards. So no.

However, the write protect should be on the chips themselves. Unless the DS phat has poorly designed traces that bridge SL1, the chips will function the exact same as on a lite.

Looking around, I found these old posts by chance which suggest it may not be the case and this was known back in the day:
https://gbatemp.net/threads/guide-how-to-fix-a-bricked-ds-ds-lite.137612/

Of course these are unverified until tested otherwise.
 
Also for anyone saying only idiots bridge SL1, there are a lot of idiots. I find tons of SL1-bridged DS Lites. I've gotten a lot of DS Lite motherboards. Usually 1/10 have bridged SL1.

Whether it's smart or not to do, people will solder.
 
It's supposedly really easy to screw up when installing FlashMe on a DS Lite. When bridging SL1 you can accidentally bridge the wrong pin which would cause the console to turn off, which is a guaranteed brick if it happens at the wrong time. It could happen on a phat too but the pins are less close together.

I never really saw anyone recommending FlashMe to protect against brickers, that was more of a bonus than a selling point, but there was a "virus scanner" to detect both versions of DSBrick which I personally used on every recently released ROM. I wasn't taking any chances, especially with how common it was for trolls to make fake releases. IIRC even some common PC antivirus programs were able to detect them. But the need for FlashMe to protect against bricks wasn't really there when we had tools to detect said brickers.

I did install FlashMe on my DS Phat back in the day, but for unrelated reasons. Having a GBA flashcart and no PassMe it was pretty cool to be able to use a Nintendo WiFi USB Connector (which I already had) and WifiMe to unlock DS rom loading without spending a cent. Even if compatibility was limited.
Looking around, I found these old posts by chance which suggest it may not be the case and this was known back in the day:
https://gbatemp.net/threads/guide-how-to-fix-a-bricked-ds-ds-lite.137612/

Of course these are unverified until tested otherwise.
This would make sense. The write protection would have to be adjustable, since it's an off the shelf part and different devices would have different requirements for what regions need to be writable.
There were some unused regions of the flash that weren't utilized until later on (Nintendo WFC games weren't released until later and the wifi connections were stored in a previously unused part of the flash, possibly they left other unused areas for potential future use that were never actually used) so Nintendo may not have known early on exactly which parts of the firmware it would be safe to write protect and they wanted to leave their options open. Or it was just a mistake, which they later corrected. Either way, I'm sure DarkFader did test that his bricker worked before spreading it. So it stands to reason that there were at least some DS models it worked on.
 

Blog entry information

Author
rvtr

Downloads

  • LE25FW403A.PDF (160.9 KB)
  • M45PE20.PDF (437.8 KB)
  • LE25FW203A.PDF (133 KB)
  • M45PE40.PDF (546.5 KB)
