Toggle sidebar

PassME/FlashME, How Do They Work?

  • Thread starter Thread starter gudenau
  • Start date Start date
  • Views Views 2,814
  • Replies Replies 13
gudenau

gudenau

Largely ignored
Member
Level 18
Joined
Jul 7, 2010
Messages
4,111
Reaction score
4,446
Trophies
2
Location
/dev/random
Website
www.gudenau.net
XP
7,750
Country
United States
How do PassMe and FlashME jump to the GBA flash cartridges? I have access to the memory on a DS and tried jumping to 0x08000000 but it didn't appear to do anything, what's the correct procedure?
 
These files might help you reverse engineer on how it all works. But, it probably works by bypassing Nintendo's security checks with the use of a real cart, similar to those Wisdom Tree NES/SNES pass thru carts.
 

Attachments

  • Like
Reactions: bilibili2011
gudenau said:
How do PassMe and FlashME jump to the GBA flash cartridges? I have access to the memory on a DS and tried jumping to 0x08000000 but it didn't appear to do anything, what's the correct procedure?
Click to expand...
ARM7 will jump to 0x080000C0.
ARM9 is held in an infinite loop - write the ARM9 entry address to 0x027FFE24 when ready and it will jump there.
These details were taken from GBATEK.
There is a file, ndsloader.bin. If you concatenate this with a .nds file, it will produce a ROM you can write to a GBA flashcart which bootstraps the ARM7 and ARM9 binaries.
 
  • Like
Reactions: SylverReZ
metroid maniac said:
ARM7 will jump to 0x080000C0.
ARM9 is held in an infinite loop - write the ARM9 entry address to 0x027FFE24 when ready and it will jump there.
These details were taken from GBATEK.
There is a file, ndsloader.bin. If you concatenate this with a .nds file, it will produce a ROM you can write to a GBA flashcart which bootstraps the ARM7 and ARM9 binaries.
Click to expand...
So I need to do something like `mov r15, #0x080000C0` on ARM7 and make sure there's a `mov r15, $` at 0x027FFE24 and make ARM9 jump there?

My flash cart should support DS mode, shocking how easy this sounds.
 
gudenau said:
So I need to do something like `mov r15, #0x080000C0` on ARM7 and make sure there's a `mov r15, $` at 0x027FFE24 and make ARM9 jump there?

My flash cart should support DS mode, shocking how easy this sounds.
Click to expand...
I don't understand, are you asking how to make a bootable slot-2 cartridge or are you asking how to boot a slot-2 cartridge in NDS mode?
 
Depending upon the firmware/hardware revision there was a reason for passme2 which instead used save memory I believe it was. Flashme can do what it likes (custom firmware after all).

That said if this is more about using a GBA flash cart as extra space (presumably for code in this instance, on the rare occasions I do anything here I tend to want bulk data or extra RAM for homebrew that I probably did not write) then yeah I don't think there are any particularly exotic incantations needed.
 
gudenau said:
I'm trying to get a SLOT-2 flash cart to run in a dev kit for dubious reasons.
Click to expand...
If you want to keep this simple, just concat ndsloader.bin to an .nds file, and write the resulting file to your flashcart.
Code: 
cat ndsloader.bin myfirmware.nds > myfirmware.ds.gba
I have attached ndsloader.bin as part of the dslazy tool.

If you wanna get a bit more complicated than that, take a look at the scfw.s file from this project I started a little while ago. You can discard the Supercard specific function, but this assembly program shows how you can make a slot-2 ROM which chainloads an embedded _mb.gba or .nds binary.
 

Attachments

  • Like
Reactions: SylverReZ
FAST6191 said:
Depending upon the firmware/hardware revision there was a reason for passme2 which instead used save memory I believe it was. Flashme can do what it likes (custom firmware after all).

That said if this is more about using a GBA flash cart as extra space (presumably for code in this instance, on the rare occasions I do anything here I tend to want bulk data or extra RAM for homebrew that I probably did not write) then yeah I don't think there are any particularly exotic incantations needed.
Click to expand...

It's to use it as a flash cart, I have dumped games that I want to use the devkit to stream without nuking/backing up save files. If I can use the slot-2 flash cart for that instead it would be super nice. Unless you know of a way for me to create my own backup carts for the dev unit, this might be the most viable path forward with this.

metroid maniac said:
If you want to keep this simple, just concat ndsloader.bin to an .nds file, and write the resulting file to your flashcart.
Code: 
cat ndsloader.bin myfirmware.nds > myfirmware.ds.gba
I have attached ndsloader.bin as part of the dslazy tool.

If you wanna get a bit more complicated than that, take a look at the scfw.s file from this project I started a little while ago. You can discard the Supercard specific function, but this assembly program shows how you can make a slot-2 ROM which chainloads an embedded _mb.gba or .nds binary.
Click to expand...

Would that let you boot into GBA mode and launch a NDS ROM? I thought the hardware used write-once registers that could only be cleared via a hardware reset.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Tutorial  Build DSi NAND from scratch

Homebrew app  A-Pix DS 0.4 – Pixel art editor for Nintendo DS/DSi!

Hardware Misc  JIS or Phillips: What to use on a DSi?

If someone is interested in something, let me know :)

Gaming Hardware ROM Hack  NDS mod players to understand

Hardware  After teardown nintendo dsi doesn't fit in its housing

Hacking  Save File corruptes:(

using the ds's mic as a practical one?