DSi bootrom dumped andnew exploit disclosed @37th CCC

CMDreamer · Jan 1, 2024

PoroCYon said:
Apparently the conference where it was accepted is being really slow with their proceedings, sigh...

Anyway, I've attached a PDF of the proceedings version, enjoy.

Thank you! Downloading it rn.

I'm sure I'll learn a lot from this!

Edit:
You used LaTeX to create/edit it?

PoroCYon · Jan 1, 2024

CMDreamer said:
You used LaTeX to create/edit it?

Yes.

FyrruPuff · Jan 3, 2024

Thank you more convenience this way

HK$ · Jan 6, 2024

What does Gericom's new project GCDTool (https://github.com/Gericom/GCDTool) used for?
Can we flash the GCD rom to a flashcard, and use a magnet to trigger ntrboot and load a firm on sdcard, like we do for 3DS?

RocketRobz · Jan 6, 2024

HK$ said:
What does Gericom's new project GCDTool (https://github.com/Gericom/GCDTool) used for?
Can we flash the GCD rom to a flashcard, and use a magnet to trigger ntrboot and load a firm on sdcard, like we do for 3DS?

Yes, you can!
This fork of ntrboot_flasher_nds does just that, and should work on Ace3DS+, Acekard2i, and DSTT.
https://github.com/Epicpkmn11/ntrboot_flasher_nds/tree/twl

Next step would be to find a GCD ROM to use.

Apache Thunder · Jan 6, 2024

RocketRobz said:
Yes, you can!
This fork of ntrboot_flasher_nds does just that, and should work on Ace3DS+, Acekard2i, and DSTT.
https://github.com/Epicpkmn11/ntrboot_flasher_nds/tree/twl

Next step would be to find a GCD ROM to use.

Could try and use the bootloader SRL used with HiyaCFW as a source for building the GCD rom as a way to test things? (as they are basically patched arm binaries from stage2 section of nand) I imagine the arm binaries are similar to the ones on stage2 section of nand and I think the entry addresses used check out for this.

SylverReZ · Jan 6, 2024

Apache Thunder said:
Could try and use the bootloader SRL used with HiyaCFW as a source for building the GCD rom as a way to test things? (as they are basically patched arm binaries from stage2 section of nand) I imagine the arm binaries are similar to the ones on stage2 section of nand and I think the entry addresses used check out for this.

Next future step: Get the N-Cards/DS Linker running ntrboot.

Apache Thunder · Jan 6, 2024

SylverReZ said:
Next future step: Get the N-Cards/DS Linker running ntrboot.

That would be cool but I'm about 80% sure the blowfish key is hardcoded in the blob chip. It's not on nand last I checked....Unless the blob chip dynamically generates the blowfish key depending on the game code the main rom uses ...but I doubt that.

JORGETECH · Jan 12, 2024

RocketRobz said:
Yes, you can!
This fork of ntrboot_flasher_nds does just that, and should work on Ace3DS+, Acekard2i, and DSTT.
https://github.com/Epicpkmn11/ntrboot_flasher_nds/tree/twl

Next step would be to find a GCD ROM to use.

Is the GCD ROM something that was used in the factory to flash the console or something like that? I guess this is what @PoroCYon meant with the new exploits that were being discovered.

I also wanted to know if the ntrboot flasher for TWL works in "www.r4isdhc.com" carts, I did use those kind of flashcarts for 3DS ntrboot and they work just fine.

RocketRobz · Jan 12, 2024

JORGETECH said:
Is the GCD ROM something that was used in the factory to flash the console or something like that? I guess this is what @PoroCYon meant with the new exploits that were being discovered.

No idea.

JORGETECH said:
I also wanted to know if the ntrboot flasher for TWL works in "www.r4isdhc.com" carts, I did use those kind of flashcarts for 3DS ntrboot and they work just fine.

It does not work for those carts, or any other Demon/timebomb flashcard, due to issues related to the blowfish.

JORGETECH · Jan 12, 2024

RocketRobz said:
It does not work for those carts, or any other Demon/timebomb flashcard, due to issues related to the blowfish.

Oh well, I wonder if the Ace3DS X is compatible, it seems like it's the card that is being offered right now by most sellers on sites like Aliexpress.

EDIT: It could be my fault for not finding the Ace3DS+, Aliexpress search sucks.

Apache Thunder · Jan 12, 2024

RocketRobz said:
No idea.

It does not work for those carts, or any other Demon/timebomb flashcard, due to issues related to the blowfish.

On the subject of the demon timebomb carts. I found out how the blowfish is setup on mine. The 48 byte chunk starts at 0x1000 in the dump with the rest the exact spacing it would normally be if the entire rom was at 0x1000. (so the main blowfish is at 0x2000.

But there's another copy of the blowfish at 0x1F1000 where the header for the game is placed. (that one I'm unsure if it uses...probably does).

Not sure why it has two copies but you could try updating them both. I may attempt this myself. The test GCD should fit in the 0x1F1000 region without me having to worry about the arm7 binary since that is stored right next to the arm9 binary. I'd have to edit the header otherwise and that would be tricky to do since I'd have to resign it and I'm not setup for that currently. But you could give this ago on your end too and see if that works.

By the way the second copy of the blowfish looks like the setup the GCD uses. But the first copy at 0x1000 has some unrelated data in between the first 48 byte chunk and the rest instead of zero data...not sure what that other data is used for...

EDIT: Yep it worked. I have already let Robz know about this.

DSi bootrom dumped andnew exploit disclosed @37th CCC

Well-Known Member

Member

Member

Well-Known Member

Stylish TWiLight Hero

I have cameras in your head!

The planet is fine. The people are crazy.

I have cameras in your head!

Active Member

Stylish TWiLight Hero

Active Member

I have cameras in your head!

Similar threads

Popular threads in this forum