13 years.

The original DS was released in 2004, and to this day, no hax for Download Play had been made.

Until now.

Gericom found an exploit in DS Download Station, allowing us to run any homebrew we'd like over DS download play.

Source code for dspatch: https://github.com/Gericom/dspatch

Enjoy!

Credits:
Exploit: shutterbug2000, Gericom, and Apache Thunder
Graphics: Jaames, Robz8

And if you want to load unsupported flashcarts on a DSi:

Yes.
Here's Apache Thunder's flashcard launchers edited for HaxxStation. @shutterbug2000 should put this in the first post.
https://www.odrive.com/s/23b9f39c-ae15-4c1b-8ff7-64344fa6f2d2-5939fc7f

 

[tozevleal]

Can I launch the final nds with Twloader? If yes, how? I can't see it in Twloader. Installed the Twloader cia and the twlnand cia and copied the nds to the path in the settings

Well i test it on TWLoader and it doesn't work unfortunaly

 

[DinohScene]

I'd love to see a write up.

 

[PrincessLillie]

Does this work with TWLoader or is a flashcard REQUIRED?

 

[tozevleal]

Does this work with TWLoader or is a flashcard REQUIRED?

For now its flashcard required

 

[PrincessLillie]

For now its flashcard required

Shit. Let me know when TWLoader is possible.

 

[Oleboy555]

YESSS Now I can run my M3DS Real!!!

 

[APartOfMe]

this is awesome!

 

[megahunter]

So judging from the video this seems to be something in the style of how you could use the wifi usb connector and linux to send game demos to the ds back in the day or am i way off?

 

[Oleboy555]

Spoiler: Image

Its stuck at 0%

does it not support full game roms?

 

[Van28]

Are you planning on making it twloader compatible?

 

[THYPLEX]

That exploit is useful with my old DS lite ?
And how ?

 

[tozevleal]

Spoiler: Image

View attachment 89480

Its stuck at 0%

does it not support full game roms?

Only works with small NDS files (like homebrew games like textris, or this grand dad remake )

 

[Oleboy555]

Only works with small NDS files (like homebrew games like textris, or this grand dad remake )

thats a shame

 

[tozevleal]

thats a shame

Its because of the NDS ram ... its only 8mb of ram!

 

[Gericom]

Nice.
I shall await a writeup on how this works for a thought things were RSA signed and only flashme would bypass it.

Other than chain loading I am not sure what use this will be for most, at least pending some means of launching from a PC, but still very cool to see.

Well, tbh, there is not very much to say about it.

I first researched the firmware and dsi downloader and I found a semi-exploit there regarding the arm9 size. It checks the start and start + size, so you can overflow the second one with a very big value. I first thought we could overwrite memory that way, but that turned out not to be the case because each chunk of data is checked individually too. It however caused a crash during the sha1 calculation which for unknown reasons lead to code execution on dsi and 3ds (in ntr mode of course), but not on dslite. So that was not a good way to do it.

I then checked out the download station. By disassembling I found out barely any checks are done on load addresses and stuff, allowing to overwrite arbitrary memory. The best thing was that it loaded the arm9 to the right place before doing the rsa stuff, so by changing the arm9 load address to the rsa check function, I could overwrite it with my code that did the actual arm9 loading and jumped over the rsa checks. This yielded a very small payload that could be patched into every rom I'd like to run it though that download station client.

Spoiler: Image

View attachment 89480

Its stuck at 0%

does it not support full game roms?

No, it does not work. Those games use NitroFS; files on the ds cartridge. This is not possible by simply sending over the rom (would need patches and a special parent on the other ds to send over the data when needed). Besides the ds only has 4 MB of ram, which it uses to execute code too.

Its because of the NDS ram ... its only 8mb of ram!

*4 MB

 

[SoslanVanWieren]

Could you send over a GBA ROM dumper that dumps over wifi is there one?

--------------------- MERGED ---------------------------

Well i test it on TWLoader and it doesn't work unfortunaly

Did you try the bootstrap 0.2.0

 

[tozevleal]

Could you send over a GBA ROM dumper that dumps over wifi is there one?

--------------------- MERGED ---------------------------


Did you try the bootstrap 0.2.0

Thanks for the protip!
I selected the unoficial bootstrap and now it works! (with the bonus Rainbow notification LED )

 

[PrincessLillie]

Only works with small NDS files (like homebrew games like textris, or this grand dad remake )

So if I get a legit demo or game ROM under 8 MB, I can use it with HaxxStation? Cool!

--------------------- MERGED ---------------------------

Thanks for the protip!
I selected the unoficial bootstrap and now it works! (with the bonus Rainbow notification LED )

So does it work with TWLoader or not? I'm confused now.

 

[tozevleal]

So if I get a legit demo or game ROM under 8 MB, I can use it with HaxxStation? Cool!

Its 4Mb (my mistake)
But yeah... probably you can boot any NDS rom with 4mb or less (most of them is homebrew and demos)

Edit: YES IT WORKS! But remember go to the settings menu (on twloader) and set the bootstrap has unofficial

 

[migles]

So if I get a legit demo or game ROM under 8 MB, I can use it with HaxxStation? Cool!

*4 MB