Hacking Bringing back the ability to boot flash carts on 3DS and DSi

[McHaggis]

Although I never jumped on the 3DS flash card bandwagon (I only have a black Cyclo DS Evo), I've been thinking about this for a while, and have even started looking into it. I would have liked to be advanced enough to do this all on my own, but it looks like I'm disappointingly not smart enough. Anyway, onto the main point. As we all know, Nintendo recently nuked the compatibility of a large number of flash cards on 3DS consoles in a supposedly permanent fashion. When they did this, a thought occurred to me: they probably only blocked these cards from being booted by the home menu. If that's the case then, in theory, a flash card may be bootable by another method.

Cyclo DS iEvolution used WinterMute's CookHack exploit to pretty much do this thing here that what I'm talking about. The card appears as the Cooking Coach game with a hacked save, it even boots into the game before the exploit works its magic and boots up the iEvo menu. Unfortunately, the exploit was fixed in newer system updates on the DSi, and never worked on the 3DS. Even though the CookHack exploit has been fixed, we don't need to be able to boot our cards in DSi mode. We actually only need a DS mode exploit. There's an untapped potential for those on the DS, because we've never really needed to look for them, and most saves are too small to really do anything worthwhile.

Blasty released a video of an exploit for FIFA 08 (found by Warmup) that demonstrates running custom code when the player views their profile. This is, potentially, a great game to start with since the save size is 64kB (as opposed to Cooking Coach's 8kB) and it can be found very cheaply on sites like eBay. Blasty hasn't released the source for the exploit, which is where I'm hitting a brick wall. The exploit most likely lies in the profile name, but I'm too inexperienced to work out the checksum locations and how to fix them. Aside from that, I've compiled small homebrew apps for the DS before, but I'm not really sure how I would write a loader, let alone one that will compile to a small enough size to be stuffed into a 64kB save file. I fear this is beyond my technical abilities, and learning looks like it would take too long.

The theory of the loader is this:

1. Exploit runs the loader code.
2. The loader checks the card header, then waits/loops.
3. When it detects a different header (ie, card swap like savsender), it boots the card.

Here's why I'm fairly confident that it would work:

• The 3DS and DSi allow you to eject a DS game without exiting DS mode (unlike with 3DS games)
• Nintendo have had no reason to patch DS mode exploits, and have been too busy patching cards

Potential drawbacks and limitations:

• Not a permanent solution, once the 3DS/DSi powers down or DS mode is exited, the method would need to be repeated. This means roaming around with your 3DS/DSi in sleep mode all the time. Kind of makes me think of how annoying tethered jailbreaks are.
• Requires an exploitable game, so people would have to be actively looking for more exploits in case the original exploit is patched. The good news here is that there's a vast library of DS games to search through. The bad news is that a lot of them will have very small save sizes, barely any room for executable code, so knowledge of assembly language may be required.
• Requires a method to overwrite saves on an original game card. There are lots of different methods, though, like savsender, eepinator, R4i Save Dongle, NDS Adapter Plus, etc. For people with no access to any of these, it's probably easier just to get a DSTwo.

Despite these limitations, there are added bonuses. For instance, original flash cards could be booted, like my Cyclo DS Evolution or my DSTT clone with an R4 label, cards that have never worked with the 3DS or DSi.


So, what do you guys think?

---

 

[DeShelly]

just a idea... i'm thinking about it...

 

[The Catboy]

That's actually seems a really interesting idea you got going there.

 

[Coto]

This would be a nice idea if you were running code on a real DS Lite. But 3DS's DS mode seems to be "virtualized" and "emulated" at the same time. (ie:something running code natively, while other catching hardcoded values and adapting them into specific hardware values), how'd reach DS mode or boot it? If I get the idea right you'd need the desired game. While this may work with DS/(i?) I doubt it'd work on 3DS mode. Besides someone mentioned once DS mode is loaded, there's no way to boot into DSi mode without doing a system reboot.

I still need to read better HEX lol..

 

[BORTZ]

Very very interesting. I read all of that. So do you have any plans or the knowledge to set this in motion?

 

[McHaggis]

Very very interesting. I read all of that. So do you have any plans or the knowledge to set this in motion?

I've never done anything like this before, but given enough time and the right assistance I could probably do it. I have limited experience in hacking save games; I've never had to mess around with checksums before. I also have no experience in programming hardware at the level this would require. I posted the idea here because there's smarter people than me with more experience in this kind of thing, that could probably do it much faster.

This would be a nice idea if you were running code on a real DS Lite. But 3DS's DS mode seems to be "virtualized" and "emulated" at the same time. (ie:something running code natively, while other catching hardcoded values and adapting them into specific hardware values), how'd reach DS mode or boot it? If I get the idea right you'd need the desired game. While this may work with DS/(i?) I doubt it'd work on 3DS mode. Besides someone mentioned once DS mode is loaded, there's no way to boot into DSi mode without doing a system reboot.

I still need to read better HEX lol..

The idea is to use a DS game exploit to boot a DS mode flash card that is no longer bootable through the home menu, this isn't intended to be a DSi or 3DS mode hack.

 

[The Milkman]

I dont know much about this at all, other then running flashcart menus and CFW, so I wouldnt be any help. But this idea sounds good, however. If this is done, essentially it would kill the convinence of using DS flashcarts on the 3DS in the first place. In fact, since you would have to keep the console in DS mode all the time, it would make having a 3DS pointless in the first place. Still, harnessing DS mode and figuring out how to force switches like that could be really helpful in the long run.

 

[McHaggis]

I agree, it would lessen the convenience, but there's always the option of exiting and repeating the process after spending some time in 3DS mode ― it just means you're carrying two cards instead of one.

 

[Rydian]

Er, the problem is that the DSi and 3DS won't initialize a second cart put into them. This is why you can't use anything that needs cart swapping, like save backup/restore homebrews, NitroHax, multi-cart-flashing, etc.

The DS/Lite do, which is why those homebrews work on them.

 

[osm70]

Er, the problem is that the DSi and 3DS won't initialize a second cart put into them. This is why you can't use anything that needs cart swapping, like save backup/restore homebrews, NitroHax, multi-cart-flashing, etc.

The DS/Lite do, which is why those homebrews work on them.

But you can swap cards without shutdown.

 

[Rydian]

Er, the problem is that the DSi and 3DS won't initialize a second cart put into them. This is why you can't use anything that needs cart swapping, like save backup/restore homebrews, NitroHax, multi-cart-flashing, etc.

The DS/Lite do, which is why those homebrews work on them.

But you can swap cards without shutdown.

What's the point of swapping carts if the new cart is never initialized? You may as well never put the second cart in because it'll never run or activate.

It's like swapping actors in the middle of a show, but the second actor is a corpse. It's not going to do anything useful.

 

[McHaggis]

Er, the problem is that the DSi and 3DS won't initialize a second cart put into them. This is why you can't use anything that needs cart swapping, like save backup/restore homebrews, NitroHax, multi-cart-flashing, etc.

The DS/Lite do, which is why those homebrews work on them.

I did not know that. I guess only 3DS/DSi mode can re-initialize the card device. Well, I'm glad you pointed that out before I wasted too much time on it.

It's like swapping actors in the middle of a show, but the second actor is a corpse. It's not going to do anything useful.

Nice analogy

 

[Rydian]

It would be a cool concept, though. I can imagine "loader carts" coming out that could enable specific homebrew development tools or carts to run after them.

Complete with a spinning reindeer?

 

[elisherer]

I don't see anything wrong with your idea. It should work just fine.. (might need a big saveflash as you said)

But, Nintendo could always find the bug in the DS sandbox and patch it (like seeing if fifa 08 is loaded and patch it while loading - like game genie)...
not all flashcart fighting ends in the flashcart black list..

 

[evandixon]

That could theoretically work, as long as the supported cartridge swapping is a 3DS feature, as opposed to only a 3DS home menu feature.

 

[CollosalPokemon]

Cyclo DS iEvolution used WinterMute's CookHack exploit to pretty much do this thing here that what I'm talking about. The card appears as the Cooking Coach game with a hacked save, it even boots into the game before the exploit works its magic and boots up the iEvo menu. Unfortunately, the exploit was fixed in newer system updates on the DSi, and never worked on the 3DS. Even though the CookHack exploit has been fixed, we don't need to be able to boot our cards in DSi mode. We actually only need a DS mode exploit. There's an untapped potential for those on the DS, because we've never really needed to look for them, and most saves are too small to really do anything worthwhile.

100% BS. I did use my iEvolution in DSi mode on the 3DS on some older 3DS firmware. (and unfortunately I wish I didn't buy it knowing what the team did now)
It did work on the 3DS for a bit though. (I forgot the exact 3DS firmware DSi mode was blocked...I think it was somewhere above v3.0.0-0 it was blocked in v2.1.0-4, but it did work before that)

The 3DS and DSi allow you to eject a DS game without exiting DS mode (unlike with 3DS games)

I could've sworn Nintendo DOES check if the DS game was removed on a DSi/3DS and prevents further DS mode code activation after a DS card is removed (even though it doesn't go back to the menu), which is why DS mode dumpers don't work on a DSi/3DS.

 

[loco365]

I remember seeing a SNES card that did this, but you'd have your flashcard, and on the side of it, a retail card. It would use some of the features of the retail card to run the flashcard, perhaps the 3DS can be done in the same aspect?

 

[McHaggis]

Cyclo DS iEvolution used WinterMute's CookHack exploit to pretty much do this thing here that what I'm talking about. The card appears as the Cooking Coach game with a hacked save, it even boots into the game before the exploit works its magic and boots up the iEvo menu. Unfortunately, the exploit was fixed in newer system updates on the DSi, and never worked on the 3DS. Even though the CookHack exploit has been fixed, we don't need to be able to boot our cards in DSi mode. We actually only need a DS mode exploit. There's an untapped potential for those on the DS, because we've never really needed to look for them, and most saves are too small to really do anything worthwhile.

100% BS. I did use my iEvolution in DSi mode on the 3DS on some older 3DS firmware. (and unfortunately I wish I didn't buy it knowing what the team did now)
It did work on the 3DS for a bit though. (I forgot the exact 3DS firmware DSi mode was blocked...I think it was somewhere above v3.0.0-0 it was blocked in v2.1.0-4, but it did work before that)

Not BS, an honest mistake ― I thought I'd read it somewhere. Besides it being a bit of a silly thing to lie about, it's not like the whole concept revolved around that, there would be no need for me to lie. Just a mistake.

The 3DS and DSi allow you to eject a DS game without exiting DS mode (unlike with 3DS games)

I could've sworn Nintendo DOES check if the DS game was removed on a DSi/3DS and prevents further DS mode code activation after a DS card is removed (even though it doesn't go back to the menu), which is why DS mode dumpers don't work on a DSi/3DS.

Yeah, Rydian said something similar: that the card is never reinitialized after the first time. If that's really the case, then that's too bad. Unfortunately, I never had a 3DS enabled card, so I couldn't test it out.

 

[Foxi4]

I like where this is going - it makes perfect sense. DS mode is not exactly "desirable" seeing that it has no SD access, but for the purpose of running a flashcart it works out dandy. Even if they do end up unupdatable, if the laucher starts from an accepted cart of app, the flashcart won't be verified once more upon insertion as far as I know. Good thinking, I must say.

If removing and re-inserting the card will somehow become an issue, I'm reminding you of PASSME. Grandad's pipe mode activated!

Problem being that we don't exactly know how the exploit works. My "educated guess" is that he found a faulty pointer of sorts and re-directed it to an area in memory where his custom code was, but I'm fairly certain that Blasty would be reluctant to share his method.

 

[Rydian]

If removing and re-inserting the card will somehow become an issue, I'm reminding you of PASSME. Grandad's pipe mode activated!

And Passme is non-functional on the DSi and 3DS...