Hacking Dumping ROMs with NDS Adaptor Plus

[elisherer]

Hello everyone.

I tinkered with the NDS Adaptor Plus exe file and managed to get some hidden stuff visible..

With an HEX editor do the following changes in 'NDS_Adaptor_Plus_V3.02.exe':

0x0018C: 001C -> 5C1B
0x00318: 001C -> 5C1B
0x9B7ED: 08 -> 09
0x9B849: 08 -> 09

Tell me what you think...

 

[SifJar]

What does it do and how is it related to 3DS Hacking or Homebrew?

 

[elisherer]

possibly reading 3ds roms in the future can help undrstanding the 3ds native code thus helping develop homebrew.

 

[evandixon]

Backs up the first 16 KB properly, then freezes. Upon removing the backup adapter, it somehow continues writing to the file that cannot be run in an emulator and isn't displayed correctly in DS Buff.

Tested on Game and Watch collection.

 

[elisherer]

Same here..

 

[Critica1]

Good work here.

Turns out the NDS Adapter Plus proves yet another hardware flaw. If LGC really did dump those roms it would certainly be by hardware.

edit: This isn't used to dump roms? It's used dump game saves. I've clearly been misled.

 

[nano351]

If it is possible to dump an entire game ROM with this, someone should dump one of the games LGC dumped and compare to see if matches to see if we can get legit dumps.

 

[Critica1]

It might be possible to dump a 3DS cartridge from this. First we would need to research:
*The hardware flaw
*What makes it possible to dump a NDS cartridge in the first place.

Furthermore need to understand if their is any computer software for the NDS Advance Plus and what it does.
Lastly, research if there is any changed hardware or added protection to the 3DS cartridge itself to prevent from preforming this task.

Remember, we aren't 100% positive how LGC dumped those roms.
They might have discovered another flaw.
Rest assured, it was by hardware means.

Edit: Here is a example that I recently came across. This concept is very interesting.

 

[TankedThomas]

Just a guess, but since the NDS Adaptor [Plus] is designed to handle saves, perhaps it only allows the transfer of a certain file size. Or perhaps any encryption (not sure if the DS ROMs have encryption, although I don't remember them having any) could cause a problem. Although, 16kb is too small for the average DS save file. DS save files go up to 512kb in size (I want to say there are some games that have 1mb save files, but none come to mind, so probably not).

 

[Critica1]

I think save dumping is only possible because save decryption was figured out. I've come up with some pretty good designs to dump a DS/3DS game via hardware debugging, but I'm very sure it's going to be more than just hardware to dump the the Nor (Nand?) eeprom.

In the meantime, I am continuing documenting the differences between the 3DS and DS cartridges. Hopefully this will give us better insight on what's being emulated.

Recent thoughts:
Backwards compatibility for GBA/GB cartridges obviously removed as a potential hardware threat to the 3DS system.
DS rom dumping is hard information to come across.

 

[Immortal_no1]

Looking into this now, Made the mod and had a look at the ASM, there are actually a few more things that aren't enabled, such as:
Option to select "new game"
Button for "Upgrade"
Button called "BitBth4" - Seems to be some sort of refresh
Button called "BitBth5" - Unsure of what this does, appears to do nothing

BitBth 4 + 5 are placed in the middle of the screen so it would appear as though they are there for remnants of previous builds.

Not currently got my NDS Adapter Plus to hand, i'll try it out tonight and see what everything does, may be able to work around the issues reported in above posts.

I could post the differences to enable the options, but the differences are too numerous and would take a while to change everything.

I'm still a little hazy on what we can and cannot post link to on the forum, so............ i can provide a link to the modified executables with the options enabled in a PM until someone can confirm that the links can be displayed here.

 

[elisherer]

Don't trouble yourself. just find Resource Hacker and hack the exe... there's a form in the exe. Edit it (it's written in delphi) and you could enable everything...
I posted the changes for the exe becuase i know not to post an altered official exe file...
And ofcourse I enabled the mentioned buttons...one of them is like the download button but i don't want to try them because of fearing it would damage my cart..
I mentioned the rom/eeprom checkboxes becuase i tried them and they are harmless..

Apperantly they didn't insert code to dump 3ds roms so we need to reverse engineer the nds adapter driver and create our own program to talk with the cart.

 

[Immortal_no1]

To a point you can reverse engineer it. I would be inclined to have a look at the DLL's and make a new app which uses them to do what we want. It would be a long task unless we can get the input parameters -which isn't a hard thing, just a little time, a disassembler, and time off work would be nice too

 

[Dimensional]

I had sent a PM to someone about this idea, but never got a response. I hope this works out. Would be a new way for me to back up my games, since my DSlite is dead.

 

[how_do_i_do_that]

You would have to rewire some of the circuits on the adaptor for it to dump all the rom. The NDS adaptor+ only uses the pins for reading the save and power.

Making it read non-existant contacts will do what you made it do, sit and wait until it makes a connection, the aka "it just hangs" issue.

 

[Critica1]

I knew it only looked like a good idea. Never was a actual good idea xD

 

[Immortal_no1]

You would have to rewire some of the circuits on the adaptor for it to dump all the rom. The NDS adaptor+ only uses the pins for reading the save and power.

Making it read non-existant contacts will do what you made it do, sit and wait until it makes a connection, the aka "it just hangs" issue.

Are you 100% positive about that?

I played around with it last night and it's true it dumps the first 16k of the ROM, byte compared it with a known ROM i dumped and matches perfectly byte for byte. Everything after that point appears as garbage, i would imagine that after the 16k (Header?) a key would need to be injected in order to dump the rest of the contents.

 

[lazymarek]

You would have to rewire some of the circuits on the adaptor for it to dump all the rom. The NDS adaptor+ only uses the pins for reading the save and power.

Making it read non-existant contacts will do what you made it do, sit and wait until it makes a connection, the aka "it just hangs" issue.

Are you 100% positive about that?

I played around with it last night and it's true it dumps the first 16k of the ROM, byte compared it with a known ROM i dumped and matches perfectly byte for byte. Everything after that point appears as garbage, i would imagine that after the 16k (Header?) a key would need to be injected in order to dump the rest of the contents.

After 16k into the ROM image (at offset 0x4000) the first NCCH block usually starts.

 

[how_do_i_do_that]

Yeah I am pretty certain that you would have to rewire or add parts to the PCB since alot of the contacts terminate at soldered to dead end points and are not traced on the other side.

 

[Immortal_no1]

Nice one, i haven't taken mine apart yet. From what i can see in your pic none of the Data lines are connected unless it's a multi layered PCB and the contacts are made on one of the internal layers. I'll have a look when i get the time. It may be possible to wire up the extra pins. O i can just use my Neo SMS4..... would be easier..