Dumping ROMs with NDS Adaptor Plus

Discussion in '3DS - Hacking & Homebrew' started by elisherer, Oct 8, 2011.

Oct 8, 2011
    • Member

    elisherer I ♥ 3DS

    Hello everyone.

    I tinkered with the NDS Adaptor Plus exe file and managed to get some hidden stuff visible..

    With a hex editor, make the following changes in 'NDS_Adaptor_Plus_V3.02.exe':


    Code:
    0x0018C: 001C -> 5C1B
    0x00318: 001C -> 5C1B
    0x9B7ED: 08 -> 09
    0x9B849: 08 -> 09
    Tell me what you think...


    • Member

    SifJar Not a pirate

    What does it do and how is it related to 3DS Hacking or Homebrew?
    • Member

    elisherer I ♥ 3DS

    Possibly reading 3DS ROMs in the future can help in understanding the 3DS native code, thus helping develop homebrew.
    • Member

    UniqueGeek Developer

    Backs up the first 16 KB properly, then freezes. Upon removing the backup adapter, it somehow continues writing to the file that cannot be run in an emulator and isn't displayed correctly in DS Buff.

    Tested on Game and Watch collection.
    • Member

    elisherer I ♥ 3DS

    Same here..
    • Member

    Critica1 New Member

    Good work here.

    Turns out the NDS Adapter Plus proves yet another hardware flaw. If LGC really did dump those roms it would certainly be by hardware.

    edit: This isn't used to dump roms? It's used to dump game saves. I've clearly been misled.
    • Member

    nano351 New Member

    If it is possible to dump an entire game ROM with this, someone should dump one of the games LGC dumped and compare to see if it matches, to see if we can get legit dumps.
    • Member

    Critica1 New Member

    It might be possible to dump a 3DS cartridge from this. First we would need to research:
    *The hardware flaw
    *What makes it possible to dump a NDS cartridge in the first place.

    Furthermore, we need to understand if there is any computer software for the NDS Advance Plus and what it does.
    Lastly, research if there is any changed hardware or added protection to the 3DS cartridge itself to prevent performing this task.

    Remember, we aren't 100% positive how LGC dumped those roms.
    They might have discovered another flaw.
    Rest assured, it was by hardware means.

    Edit: Here is an example that I recently came across. This concept is very interesting.
    • Member

    TCJJ New Member

    Just a guess, but since the NDS Adaptor [Plus] is designed to handle saves, perhaps it only allows the transfer of a certain file size. Or perhaps any encryption (not sure if the DS ROMs have encryption, although I don't remember them having any) could cause a problem. Although, 16kb is too small for the average DS save file. DS save files go up to 512kb in size (I want to say there are some games that have 1mb save files, but none come to mind, so probably not).
    • Member

    Critica1 New Member

    I think save dumping is only possible because save decryption was figured out. I've come up with some pretty good designs to dump a DS/3DS game via hardware debugging, but I'm very sure it's going to be more than just hardware to dump the Nor (Nand?) eeprom.

    In the meantime, I am continuing documenting the differences between the 3DS and DS cartridges. Hopefully this will give us better insight on what's being emulated.

    Recent thoughts:
    Backwards compatibility for GBA/GB cartridges obviously removed as a potential hardware threat to the 3DS system.
    DS rom dumping is hard information to come across.
    • Member

    Immortal_no1 New Member

    Looking into this now, Made the mod and had a look at the ASM, there are actually a few more things that aren't enabled, such as:
    Option to select "new game"
    Button for "Upgrade"
    Button called "BitBth4" - Seems to be some sort of refresh
    Button called "BitBth5" - Unsure of what this does, appears to do nothing

    BitBth 4 + 5 are placed in the middle of the screen so it would appear as though they are there for remnants of previous builds.

    Not currently got my NDS Adapter Plus to hand, I'll try it out tonight and see what everything does, may be able to work around the issues reported in above posts.

    I could post the differences to enable the options, but the differences are too numerous and would take a while to change everything.

    I'm still a little hazy on what we can and cannot post links to on the forum, so... I can provide a link to the modified executables with the options enabled in a PM until someone can confirm that the links can be displayed here.
    • Member

    elisherer I ♥ 3DS

    Don't trouble yourself. Just find Resource Hacker and hack the exe... there's a form in the exe. Edit it (it's written in Delphi) and you could enable everything...
    I posted the changes for the exe because I know not to post an altered official exe file...
    And of course I enabled the mentioned buttons... one of them is like the download button but I don't want to try them because of fearing it would damage my cart..
    I mentioned the rom/eeprom checkboxes because I tried them and they are harmless..

    Apparently they didn't insert code to dump 3DS ROMs so we need to reverse engineer the NDS adapter driver and create our own program to talk with the cart.
    • Member

    Immortal_no1 New Member

    To a point you can reverse engineer it. I would be inclined to have a look at the DLLs and make a new app which uses them to do what we want. It would be a long task unless we can get the input parameters - which isn't a hard thing, just a little time, a disassembler, and time off work would be nice too :)
    • Member

    Dimensional New Member

    I had sent a PM to someone about this idea, but never got a response. I hope this works out. Would be a new way for me to back up my games, since my DSlite is dead.
    • Member

    how_do_i_do_that Blue Wizard is about to die.

    You would have to rewire some of the circuits on the adaptor for it to dump all the rom. The NDS adaptor+ only uses the pins for reading the save and power.

    Making it read non-existent contacts will do what you made it do, sit and wait until it makes a connection, aka the "it just hangs" issue.
    • Member

    Critica1 New Member

    I knew it only looked like a good idea. Never was an actual good idea xD
    • Member

    Immortal_no1 New Member

    Are you 100% positive about that?

    I played around with it last night and it's true it dumps the first 16k of the ROM, byte compared it with a known ROM I dumped and it matches perfectly byte for byte. Everything after that point appears as garbage, I would imagine that after the 16k (Header?) a key would need to be injected in order to dump the rest of the contents.
    • Newcomer

    lazymarek New Member

    After 16k into the ROM image (at offset 0x4000) the first NCCH block usually starts.
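
Added example, not part of any post in this thread: a Python sketch of the byte comparison described above, reporting where a partial dump stops matching a reference dump and whether an NCCH magic is present past the 0x4000 boundary. The magic position (0x100 into the block), the function names and the sample bytes are assumptions constructed for illustration.

```python
NCCH_OFFSET = 0x4000   # from the thread: first NCCH block starts 16 KB in
MAGIC_OFFSET = 0x100   # assumption: 4-byte magic follows a 0x100-byte signature


def first_mismatch(dump, reference, chunk=0x200):
    """Offset of the first differing byte, or None when the files are identical."""
    limit = min(len(dump), len(reference))
    for base in range(0, limit, chunk):
        end = min(base + chunk, limit)
        a, b = dump[base:end], reference[base:end]
        if a != b:
            return base + next(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    # Common prefix is identical; a length difference counts as a mismatch.
    return limit if len(dump) != len(reference) else None


def classify_tail(dump, start, window=0x200):
    """Tell a constant fill apart from varied bytes after the good prefix."""
    tail = dump[start:start + window]
    if not tail:
        return "missing"
    if len(set(tail)) == 1:
        return "constant fill 0x%02X" % tail[0]
    return "varied data"


def report(dump, reference):
    off = first_mismatch(dump, reference)
    magic_at = NCCH_OFFSET + MAGIC_OFFSET
    return {
        "first_mismatch": off,
        "first_16k_intact": off is None or off >= NCCH_OFFSET,
        "ncch_magic_in_dump": dump[magic_at:magic_at + 4] == b"NCCH",
        "tail": "n/a" if off is None else classify_tail(dump, off),
    }


def constructed_sample():
    """Constructed test data, not a real cartridge image."""
    ref = bytearray((i * 7 + 3) & 0xFF for i in range(0x4400))
    ref[0x4100:0x4104] = b"NCCH"
    bad_tail = bytes((i * 13 + 1) & 0xFF for i in range(0x400))
    return bytes(ref[:NCCH_OFFSET]) + bad_tail, bytes(ref)


if __name__ == "__main__":
    print(report(*constructed_sample()))
```

A first mismatch exactly at 0x4000 with no magic at 0x4100 is the pattern the posts above describe: a clean 16 KB prefix followed by data that does not parse as an NCCH block.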
    • Member

    how_do_i_do_that Blue Wizard is about to die.

    Yeah I am pretty certain that you would have to rewire or add parts to the PCB since a lot of the contacts terminate at soldered to dead end points and are not traced on the other side.

    [IMG]
    • Member

    Immortal_no1 New Member

    Nice one, I haven't taken mine apart yet. From what I can see in your pic none of the Data lines are connected unless it's a multi layered PCB and the contacts are made on one of the internal layers. I'll have a look when I get the time. It may be possible to wire up the extra pins. Or I can just use my Neo SMS4..... would be easier.. :)
