Hacking Flashcard Update Project 3DS

[StunterMan]

Hi all, i am new in the community, and i am a developer. I know C++, F#, Java and HTML languages.
I am a project in my mind, but i don't know how to do this real.
I know that with the devkit we can do homebrews for the nintendo DS. Than, i also know that "updates" for flashcards like R4i-Ultra, are only "spoofers" of other games, all is to spoof the flashcard as a game. If we edit the .nds file of the flashcard, we'll be able, with the properly utilities, to make our custom updates! If we can do this, I'll do a C++ tool to auto-generate an update for our flashcards, able to do for newbies!
Who and what i need to continue this project:
1) A developer/programmer that knows the devkit DS language/an utility to edit directly .nds files
2) A tool to edit .NDS files and if possible the source code
3) A person or a team who can find the game to spoof with for the last 3DS firmware, and his gameID.
4) A lot, and a lot of testers, i don't have all flashcards XD
With those things, we'll make customs updates, and we'll be able to update our flashcards without the official release, which comes after the releasing of new firmware...
PS: If the section is wrong, send me a pm which notifies me where is moved the topic
Thanks,
StunterMan

 

[Terminator02]

A flashcart doesn't just hold a .nds file in the microSD card that is directly loaded up, the spoofing information is stored in the firmware of the flashcart itself. It's not as easily accessible as I'm imaging you imagine.

 

[The Catboy]

As interesting an idea that maybe, I doubt it would be that easy. Otherwise I am pretty sure someone in the Acekard community would have done it along time ago.

 

[StunterMan]

@Terminator02, yeah, i know, but you may have forgotten that this .nds file "writes" this "spoof" on the flash of flashcard And i don't want to re-write all the code of the .NDS file, i only want to change the "spoof" informations, such as name, image and gameID
The thing is possible, if we want. As the Catboy wrote, if Acekard community did it, we can do it.

 

[The Catboy]

As the Catboy wrote, if Acekard community did it, we can do it.

I think you might have misunderstood me.
Right now the Acekard 2i has pretty much run out of firmware updates and now it appears to no longer be able to update for the 3DS updates.
What I was saying was pretty much if this were possible, the most likely someone in the Acekard community would have done it first, but sadly it appears not to be possible and no one in the community has done it.

 

[Rydian]

An incorrectly-written update means a non-bootable cart, which is probably why nobody's messed with it much.

In addition the updates are per-cart, as the various carts use various control chips and such... so you'd need to figure out the firmware layout individually for each cart, and even for the different hardware revisions (as they need different update files).

NDS files are binary copies of the same filesystem used for the game ROMs, this also means that the executable code is compiled too (ARM9.bin and ARM7.bin). As far as I know, source is not available for ANY Cart's firmware.

Also a lot of the time carts stop updating because the 3DS is looking for more info to confirm, and the cart's simply can't store that much. This was the case with the AK2i HW44 (confirmed by AKAIO team), and is likely the case for all the other flash carts who have older DSi models that can't handle the latest updates... so even if you could modify the data, you can't fit everything that the recent 3DS updates are requesting.

 

[Terminator02]

@Terminator02, yeah, i know, but you may have forgotten that this .nds file "writes" this "spoof" on the flash of flashcard And i don't want to re-write all the code of the .NDS file, i only want to change the "spoof" informations, such as name, image and gameID
The thing is possible, if we want. As the Catboy wrote, if Acekard community did it, we can do it.

This master .nds file that writes to the flash on the flashcart doesn't exist (at least not publicly), the necessary information for spoofing is already on the flashcart. The only way I see this being possible is if you can find a way to read and edit that information already on the flashcart, figure out Nintendo's anti-piracy methodology, and then find a way around it.

Catboy was saying that it's most likely not possible because the Acekard community has not done it yet.

 

[StunterMan]

Sorry, i didn't understand The Catboy's post >.< I am italian aahahha Sorry for my bad english.. than, can we contact the teams of cards and ask for the source? I know that they won't send we the code... but in other words if they can update to the last version, they can sell more cards, because people find flashcards compatible.. I don't know, but we can try.
I know that the update files uses an other file on the flash, but they only contain a little program wich sends commands to the program written on the flash and images/other files contained on a normal .NDS file..
If an update is only 300-700kb it can't contain big files.. but if it contain only executable code, it'll be only 16-20kb... Than if it contains the base-operations to do, icon and gameID, we can only edit those files, this is my objective. I don't need to change the executable code.. i knew that there was a program which makes you explore the .nds file. It is used to do Pokemon hack roms, and other games hack roms, i don't renember the name. We can try with this program.

 

[Terminator02]

Good luck.

 

[Rydian]

It's not just the icon and game ID anymore. Multiple carts have been blocked and then updated while keeping the same icon and ID, while other carts like the DSTwo can update without editing their internal flash at all (they're reading data off the MicroSD on boot).

 

[Terminator02]

It's not just the icon and game ID anymore. Multiple carts have been blocked and then updated while keeping the same icon and ID, while other carts like the DSTwo can update without editing their internal flash at all (they're reading data off the MicroSD on boot).

That's only true for the DSi, it requires an update to the flash for 3DS compatibility updates.

 

[StunterMan]

Okay, i didn't found anything with Nitro Explorer v2... I searched with HEX and i found a lot of parts of the update, a binary part and a part which i suppose is the icon of the game

 

[Rydian]

The DS uses two processors, the ARM7 (generally used for sound, wifi, and saving), and the ARM9, which runs the main program. The binaries for these are ARM7.bin and ARM9.bin, and when you extract a ROM you should be able to get at those binaries and all the other included resources. Like I said, DS ROMs use a filesystem (unlike earlier systems that used raw data and just tried to make sure they were referencing the right areas).

Tinke is a recent tool, I just checked and it was able to open a few homebrew projects of mine and extract the binaries and resources, so hopefully it's updated enough to grab the stuff out of the firmware update files.
http://filetrip.net/nds-downloads/utilities/download-tinke-082-f26643.html

Also, I just remembered that a few ROM release groups have dumped some flash carts, I know they dumped the AK2i firmware, but don't remember which other carts... it was only a few so I don't know if it'd be useful.
EDIT: As in, they dumped the data that's stored on a cart itself.

 

[StunterMan]

Thanks Guys! I'm studying the composition of an update. I found the files, they are: rom.nds, fat.bin, fnt.bin, arm7.bin and arm9.bin. Now i'm trying to extract rom.nds and analyze it. Probably i found the real "update" which is written by the flashcard

 

[Pong20302000]

The DS uses two processors, the ARM7 (generally used for sound, wifi, and saving), and the ARM9, which runs the main program. The binaries for these are ARM7.bin and ARM9.bin, and when you extract a ROM you should be able to get at those binaries and all the other included resources. Like I said, DS ROMs use a filesystem (unlike earlier systems that used raw data and just tried to make sure they were referencing the right areas).

Tinke is a recent tool, I just checked and it was able to open a few homebrew projects of mine and extract the binaries and resources, so hopefully it's updated enough to grab the stuff out of the firmware update files.
http://filetrip.net/nds-downloads/utilities/download-tinke-082-f26643.html

Also, I just remembered that a few ROM release groups have dumped some flash carts, I know they dumped the AK2i firmware, but don't remember which other carts... it was only a few so I don't know if it'd be useful.
EDIT: As in, they dumped the data that's stored on a cart itself.

the DSTwo early on had its internal data dumped also

heres the list of dumped internals from cards that can be used for bad things

x027 Max Media Launcher (World) (Unl)
x028 Passcard 3 (World) (Unl)
x034 Ninjapass Media Launcher (World) (Unl)
x035 Ninjapass Junior 512M (World) (Unl)
x036 Action Replay DS (World) (v1.00) (Unl)
x037 Action Replay DS (World) (v1.02) (Unl)
x041 Dog Trainer 2 (Europe) (Cheat Cartridge) (Unl)
x042 Pro Action Replay DS (Japan) (v1.21) (Unl)
x047 Passcard 3 (World) (v3.0,v4.0) (Unl)
x048 Passcard 3 (World) (v5.0) (Unl)
x049 Super Key (World) (v4.0) (Unl)
x050 Super Key (World) (v5.0) (Unl)
x051 Super Key (World) (v6.0) (Unl)
x052 Passcard 3 (World) (v6.0) (Unl)
x053 Ninjapass Evolution X9 TransFlash (World) (v1.1) (Unl)
x054 EZ-Flash V (World) (Unl)
x055 Super Card DS (World) (Unl)
x056 M3DS Simply & R4DS (World) (Unl)
x061 Pro Action Replay DS (Japan) (v1.50) (Unl)
x070 CycloDS Evolution (World) (Unl)
x072 G6DS Real (World) (Unl)
x073 Super Card DS One (World) (v2) (Unl)
x074 DS-Xtreme 4Gb (World) (v1.1.0) (Unl)
x079 M3DS Real (World) (Unl)
x082 Acekard R.P.G. (World) (Unl)
x083 MK6-Motion (World) (Unl)
x084 DSTT (World) (Unl)
x090 EDGE (World) (Unl)
x094 Acekard 2 (World) (Unl)
x099 Action Replay DS (World) (v1.54) (Unl)
x119 Acekard 2i (World) (Unl)
x120 DSTTi (World) (Unl)
x121 EZ-Flash Vi (World) (Unl)
x132 R4i (World) (Unl)
x133 CycloDS Evolution (World) (v1.1) (Unl)
x134 Acekard 2 (World) (v2.1) (Unl)
x156 Super Card DS One SDHC (World) (Unl)
x163 Super Card DS Two (World) (Unl)
x178 Max Media Player (World) (v1.22) (Unl)

 

[StunterMan]

I don't need Values like those.. i need only to know how to find the values for image, text and gameID. Than, we can do the procedure for making an hack rom and change image and gameID with a game already existing.. it should work.. i don't know if the update writes also a firmware, but it seems to write only image and text. The updating process is of about 30-50sec. and if it had to flash also the firmware it had to do the process into 1-2 minutes and the file of 3-4MB..
Even, i need a little group of people.. we'll have to make a "list" of hex values to "where is the image" or the text, and we'll make a list. With this list we'll try the hard part.. to change values (icon and text)..after tihs is done, we need a tester... but i know that anyone wants to do this job. Than, i wanted to test updates directly on an emulator.. is it possible to emulate an r4-ak2 just with the flashcard dump?

 

[Rydian]

Dude, he was giving you info about the dumps of the data on the carts. If you look at that data, you can try to determine what is written and where it's written...

Also, what's your reason for doing this? If it's just to get a custom icon for use on the DS/Lite (and older DSi/3DS updates)... uh, have fun? It's been considered and requested (before people at large were aware of how the DSi/3DS protection works), but nobody's willing to put forth all the effort.

However if you're trying to update older carts for the 3DS, you're not going to have much luck. The problem is often the lack of storage space. The AK2i HW44 didn't have enough space to update past an earlier update, and the HW88 ran out of space eventually too, as the 3DS wanted more and more data. If the 3DS wants more data than the cart can actually store, the cart's fucked. This is why other carts (such as the DSTwo) are more complex and can pull the non-header data from the MicroSD, but earlier carts only needed to fake a smaller bit of data, and so didn't include much storage space.

And it's not just the AK2i. The R4i Gold, for example, has multiple hardware revisions too, and only the newer ones work for newer updates. The same can be seen for lots of other carts.

And this is all assuming the carts don't encrypt anything, which they do. We're not sure exactly what's encrypted and what's not (it varies by carts), but the update launcher and firmware updates (and even game launching softwares for carts) are often encrypted to prevent clones from just copying the updates (as happens often anyways, look at the Ace3DS cart using an older hacked Wood)... some carts even put out new hardware revisions to stop other companies from copying stuff (M3i-Zero model GMP-003 as an example).



The amount of time you spend on this could instead be spend at work, and you'd be able to buy a new cart, and that would actually be successful.

 

[Rydian]

Normmatt, who was a main developer for AKAIO (the Acekard's main software) and also worked on Desmume, confirmed here that the data written for the AK2i is encrypted and hasn't been broken. Given that the method the Ak2i uses (which was one of the first DSi-bootable carts) is the same method almost every other flash cart uses (and they implement the same sort of securities), I'll stress again that this is going to be a huge amount of effort for relatively little gain.

 

[Frankdux]

This may or may not be useful info. Has anyone tried to use Tinke to extra the rom.nds from R41Gold 4.5.0-10 update and inject / replace it into an other update like the Ace3DS update and then run it and see what happens.

Also an easy way to find the new update data in the .bin and rom.nds files contained in these updates, MIGHT be (don't quote me on this), is to run a comparison... example. take the R4iGold 4.4.0 update extract the files rom.nds, arm7.bin and arm9.bin and compare it to a 4.3.0 update and record the data and locations of the changes between the 2 sets. these would then be the new update data.


Just food for thought.

 

[ichichfly]

You can use this information about the ievo http://gbatemp.net/threads/can-someone-please-test-this.335054/ (last post)

add: A way to sniff the update process is to add an card interface to an DS emulator. But it will need some time to find out how it works.