Toggle sidebar

It might be possible to add DSONE to ntrboot_flasher.

  • Thread starter Thread starter moon_rabbit
  • Start date Start date
  • Views Views 7,836
  • Replies Replies 51
  • Likes Likes 6
moon_rabbit

moon_rabbit

Well-Known Member
Member
Level 5
Joined
May 6, 2022
Messages
239
Reaction score
134
Trophies
0
Age
36
Location
kor
XP
670
Country
Korea, South
https://github.com/ntrteam/flashcart_core/issues/13
There seem to be many variations.

it appears to be compatible with dstt in ntrboot_flasher.
One of the DSONE update programs was not encrypted and checking this with ghidra made it clear.

After modifying ntrboot_flasher.
I got 2 backups and both were exactly the same.
It is strange that there is so much empty space though.

I will check if the firmware restore is successful and post additional information soon.

-------

https://github.com/multi-vitamin/flashcart_core/releases
↑ This is ntrboot_flasher(.firm) file

The attached file is a backup of the DSONE SDHC firmware.


-------

If anyone needs this feature, feel free to use it!

I’ve added a new feature that automatically focuses on the last executed ROM after booting up.
https://github.com/multi-vitamin/DSONE-SDHC-KOREAN/releases/tag/release3

How to use:Just download the zip file and overwrite your existing files.

This was implemented using Codex GPT 5.5. If you run into any issues, please let me know!
 

Attachments

Last edited by moon_rabbit,
  • Like
Reactions: k66, orangy57, SylverReZ and 3 others
moon_rabbit said:
https://github.com/ntrteam/flashcart_core/issues/13
There seem to be many variations.

it appears to be compatible with dstt in ntrboot_flasher.
One of the DSONE update programs was not encrypted and checking this with ghidra made it clear.

After modifying ntrboot_flasher.
I got 2 backups and both were exactly the same.
It is strange that there is so much empty space though.

I will check if the firmware restore is successful and post additional information soon.

The attached file is a backup of the DSONE SDHC firmware.
Click to expand...
Good stuff!
Did you dare to restore the FW?
 
That's a standard rom container but with secure area encrypted and blow fish data at 0x1000 and 0x2000 so it's stored in a manner similar to other flashcarts.

Assuming the write commands work that should be ntrboot capable.

But I bet the write commands don't end up doing anything as DSOne might be rolling their own card commands for that. I have a couple Max Media Launcher slot-1 cards and they both use that same flash chip. They respond to the DSTT dump commands too and provide a similar dump with blowfish data and encrypted secure area. But nothing happens when I try to write. (in fact ntrboot just hangs)

It's a shame I couldn't overwrite the rom. Wanted to disable the autoboot flag on the rom for the carts. I dislike autoboot carts. :P
 
  • Like
Reactions: orangy57 and moon_rabbit
This is the modified rom I created for Max Media Dock. At some point they started compressing their arm9 binary so couldn't easily look at it in Ghidra. I ran the rom in No$GBA and ram dump it just as it boots far enough to decompress and got a working result. Maybe you can find out if there was any slot-1 update code in this? Their website for this card (which is still up by the way. :P ) had a manual that claimed it had a upgrade feature but I have a 1.0 cart and used a 1.22 bootme.nds and it never asked to update. Maybe they implemented it but never enabled it for some reason. It's using same flash chip as your DSOne and is 512KB too. :P

One notable difference is Datel stores their blowfish data at 0x2000 and 0x3000 instead of 0x1000/0x2000 like DSTT/DSOne SDHC.

I've tried looking at this in Ghidra but this stuff is hard to make out what it's doing as I'm still new to Ghidra really. :P

Maybe you can give this a look after you finish with that DSOne though I suspect you'd have to go find a Max Media Dock to actually test anything I suppose. I doubt you own one of these. :P

They aren't too hard to come by on eBay and even found some listings that sell just the slot-1 card. The slot-1 card is labeled as "Max Media Player" FYI.

For now I don't use the original cart to boot my Max Media Dock. Instead I reflashed my R4 SDHC Gold Pro with a custom hbmenu bootstrap that uses the Max Media Player's icon and boots MMD.nds off the flashcart's MicroSD if it detects that it booted from a DS/DS Lite. If on DSi/3DS it boots boot.nds instead which is the bootloader NDS file I pulled out of the exploited game they had used so my cart is fully customized and will only run on soft modded consoles or original DS's. :P

I can boot while holding X if I want to override that behavior and boot into YSMenu or something if I want. B button forces a hbmenu filebrowser to come up like my other custom bootstraps. :D
 

Attachments

Last edited by Apache Thunder,
  • Like
Reactions: FR0ZN
Apache Thunder said:
That's a standard rom container but with secure area encrypted and blow fish data at 0x1000 and 0x2000 so it's stored in a manner similar to other flashcarts.

Assuming the write commands work that should be ntrboot capable.

But I bet the write commands don't end up doing anything as DSOne might be rolling their own card commands for that. I have a couple Max Media Launcher slot-1 cards and they both use that same flash chip. They respond to the DSTT dump commands too and provide a similar dump with blowfish data and encrypted secure area. But nothing happens when I try to write. (in fact ntrboot just hangs)

It's a shame I couldn't overwrite the rom. Wanted to disable the autoboot flag on the rom for the carts. I dislike autoboot carts. :P
Click to expand...

Because the code in ntrboot_flasher's DSTT is compatible with the commands in sst39vf040, writing and erasing occurs up to the first 4K sector, 0x1000.

However, I'm still looking for a way to adjust the offset.

It seems to help that DSTT is probably a close clone of DSONE.
 
  • Like
Reactions: Apache Thunder
I see. As for my Max Media Player cart this is what the PCB looks like:

1717823788302.png


Possible Datel is doing something special with this one but interesting that it does respond to the dump commands correctly though...

Apparently that FPGA was used in some PS1 modchips (or PS2..forget which). :P
 
  • Love
Reactions: SylverReZ
Apache Thunder said:
I see. As for my Max Media Player cart this is what the PCB looks like:

View attachment 441222

Possible Datel is doing something special with this one but interesting that it does respond to the dump commands correctly though...

Apparently that FPGA was used in some PS1 modchips (or PS2..forget which). :P
Click to expand...
Correction: PS2 modchips, such as the Matrix Infinity.
 
Ahh thanks for clarifying that. I heard it was a Playstation modchip. I just forgot which one. :P

Maybe if I'm lucky Datal also cloned the DSOne and just stripped out the MicroSD slot (since it was expected to use the slot-2 device for storage)...But I don't know. Since this is using a rather unique FPGA it's probable they are rolling something fully custom here that isn't related to DSOne/DSTT's lineage.
 
  • Like
Reactions: SylverReZ
Apache Thunder said:
Ahh thanks for clarifying that. I heard it was a Playstation modchip. I just forgot which one. :P
Click to expand...
If it was a PS1 modchip, then most, if not all of the chips are PIC-based. One of the very early PS2 modchips that did use a PIC was the NEO 2, which relied on an Action Replay/GameShark disc to play backups.
 
FR0ZN said:
If you want anything risky tested let me know.
I have a DSOne that is stuck on error 0004 for which apperently no fix exists.
I would sacrifice that cart 😅
Click to expand...
Does it have the SST39VF040 chip?
Only the SST39VF040 chip is supported.
 
moon_rabbit said:
Does it have the SST39VF040 chip?
Only the SST39VF040 chip is supported.
Click to expand...
Looks right

PXL_20240608_114559165~2.jpg



EDIT: I just tried to see what NTRBoot Flasher does with this cart and it appears that the R4i SDHC option think it's a compatible cart.
It does dump a 2MB binary, but it's all 00 - so I didn't try to write it back :D
 
Last edited by FR0ZN,
I analyzed the updater file and realized it was a completely different older DSONE updater.
The included firmware is also different from the DSONE SDHC.
The older one probably has 1MB of eeprom.
It's probably more than 85% empty. lol

I got lost in the rabbit hole of the updater file and neglected to analyze the DSTT code.
Anyway, I was able to build it with simple changes.
It currently only supports the SST39VF040 chip.
I haven't tried ntrboot injection.

https://github.com/multi-vitamin/flashcart_core/releases
↑ This is ntrboot_flasher(.firm) file

caution
Always do a dump first, backup the firmware, and then try.

The attached file is a firmware that removed autoboot.
 

Attachments

Last edited by moon_rabbit,
  • Like
Reactions: Deleted member 702243 and FR0ZN
Apache Thunder said:
This is the modified rom I created for Max Media Dock. At some point they started compressing their arm9 binary so couldn't easily look at it in Ghidra. I ran the rom in No$GBA and ram dump it just as it boots far enough to decompress and got a working result. Maybe you can find out if there was any slot-1 update code in this? Their website for this card (which is still up by the way. :P ) had a manual that claimed it had a upgrade feature but I have a 1.0 cart and used a 1.22 bootme.nds and it never asked to update. Maybe they implemented it but never enabled it for some reason. It's using same flash chip as your DSOne and is 512KB too. :P

One notable difference is Datel stores their blowfish data at 0x2000 and 0x3000 instead of 0x1000/0x2000 like DSTT/DSOne SDHC.

I've tried looking at this in Ghidra but this stuff is hard to make out what it's doing as I'm still new to Ghidra really. :P

Maybe you can give this a look after you finish with that DSOne though I suspect you'd have to go find a Max Media Dock to actually test anything I suppose. I doubt you own one of these. :P

They aren't too hard to come by on eBay and even found some listings that sell just the slot-1 card. The slot-1 card is labeled as "Max Media Player" FYI.

For now I don't use the original cart to boot my Max Media Dock. Instead I reflashed my R4 SDHC Gold Pro with a custom hbmenu bootstrap that uses the Max Media Player's icon and boots MMD.nds off the flashcart's MicroSD if it detects that it booted from a DS/DS Lite. If on DSi/3DS it boots boot.nds instead which is the bootloader NDS file I pulled out of the exploited game they had used so my cart is fully customized and will only run on soft modded consoles or original DS's. :P

I can boot while holding X if I want to override that behavior and boot into YSMenu or something if I want. B button forces a hbmenu filebrowser to come up like my other custom bootstraps. :D
Click to expand...
After a quick look, I don't see any commands of any kind.
Or maybe it's encrypted.
Anyway, it's hard to tell because I don't have it.
 

Attachments

  • Like
Reactions: moon_rabbit
7766243 said:
I think the only difference is that it uses the DSONE SDHC Evolution V1.0 SP6_20121030 (chs) firmware.

I made a dump of it before changing, did not compare the dump between the english and chinese version
Click to expand...

I checked and found three different parts: 0x8860, 0x8874, 0x8888.
Also, from 0x7E5BC~, there is some extra 02.

The end part that extends to 0x1CA40 is also different.
Thanks for the upload.
 
  • Like
Reactions: soulpower11

Site & Scene News

Go to forum More news

Popular threads in this forum

ROM Hack Translation  Draglade 2 electric boogaloo a new translation.

Hacking  Video about the history of DS Hacking

[WIP/Release] ds_mangaman - Turning the Nintendo DS into the Ultimate Vertical Book-Style Manga Reader!

Help needed with installing Pokemon ROM hack for DSi

Pokemon White

Mini vMac DS(i)

Hacking  Save File corruptes:(

[HELP] I Lost my kid's PMD: Explorers of Sky Save