Hacking [Release] NTRBoot for R4igoldcc,ARDS(EZ),ARDSI

  • Thread starter: al3x_10m
So, I got to thinking. Let's say that the ARDSi black and ARDSi yellow are essentially equivalent, because they hypothetically should be.

Is it possible that the code manager simply isn't resetting the ARDSi yellow? If it is being flashed, the cart simply shouldn't function, correct? My cart DOES function. Maybe this exploit does work as-is on an ARDSi yellow, but the method we're using to apply it doesn't.

If that's the case, is there anything that can be done to solve the problem?
 
So, I got to thinking. Let's say that the ARDSi black and ARDSi yellow are essentially equivalent, because they hypothetically should be.

Is it possible that the code manager simply isn't resetting the ARDSi yellow? If it is being flashed, the cart simply shouldn't function, correct? My cart DOES function. Maybe this exploit does work as-is on an ARDSi yellow, but the method we're using to apply it doesn't.

If that's the case, is there anything that can be done to solve the problem?
Do they use the same hardware? Most probably, yes.
Will flashing the firmware to them make NTRBoot work with no other modifications done to it? Probably not.

The reason is pretty simple: in order for NTRBoot to work correctly, one needs to write the blowfish key and firm to one (or more) cart-specific offsets, which can vary depending on the NAND chip's maker, model and size. There's currently no way to know at which offsets those files need to be written without first making a NAND dump of the cart, and making a ROM dump won't work as some stuff is moved at different offsets in a ROM in order for it to be valid.

We already know that ARDSi black & yellow use different hardware than the other ARDS(i) out there, but there's currently no chance of making NTRBoot work on them unless somebody figures out how to dump the NAND flash inside them first.
 
So, I just bricked my ARDSi trying to update it so I could use it for its intended purpose. I accidentally knocked the cable out. The updater still sees it, but says "Attached device is NOT a 3DS compatible ActionReplay DSi cartridge." I checked out the cartridge in GodMode9 and the files that used to be there are gone. Is there any way to salvage this if I can obtain the missing files?
 
So, I just bricked my ARDSi trying to update it so I could use it for its intended purpose. I accidentally knocked the cable out. The updater still sees it, but says "Attached device is NOT a 3DS compatible ActionReplay DSi cartridge." I checked out the cartridge in GodMode9 and the files that used to be there are gone. Is there any way to salvage this if I can obtain the missing files?

What files are supposed to be there? I didn't think of using GM9, I only see the GAME_WATCH_C nds file and trimmed version.
 
What files are supposed to be there? I didn't think of using GM9, I only see the GAME_WATCH_C nds file and trimmed version.
GM9 isn't useful here. I just used it to confirm that my ARDSi is bricked. Those are the correct files, but they're missing on mine now. Always make sure your USB cable is connected well.
 
Please help, when I enter the flash card menu and select the file, should it show me an option to inject? Because nothing happens.
 
So, I just bricked my ARDSi trying to update it so I could use it for its intended purpose. I accidentally knocked the cable out. The updater still sees it, but says "Attached device is NOT a 3DS compatible ActionReplay DSi cartridge." I checked out the cartridge in GodMode9 and the files that used to be there are gone. Is there any way to salvage this if I can obtain the missing files?
My ARDSi is no longer bricked. I was able to modify the firmware updater to ignore the fact that my ARDSi was corrupt using x64dbg.
 
@DrCrygor07
The same happens to me. When I tried to launch the updater without ntrboot, the updater tells me that my flashcard is on a newer version, 5.23 I think. That's probably the problem.
Is there some way to force a downgrade to the 5.06?
 
Instead of using the ROM file posted in the MEGA link, take the ARDS 1.71 firmware file, remove the first 8 bytes (41 52 32 4D CC CD 00 00) and rename it to .nds, then run it on your flashcart. This way you'll basically get something more similar to a NAND image than a ROM (some stuff isn't where it should normally be, such as the Secure Value) but most flashcarts don't care and it'll boot anyways - plus, as it contains only what's needed for an ARDS to function properly and nothing else (no cheat codes, extra ROM/NAND pages or anything else really) so it should be compatible with more flashcarts.

I've got a R4DS (non SDHC, original) with WoodR4 as a kernel and it boots just fine. If you're having trouble, try to see if there's a wood kernel available for your card.

That is, in a word, utterly fascinating. Now, where did I put my hex editor? :p
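
The header-stripping step quoted above, as an added Python example that is not part of the original posts: it confirms the file really starts with the 8 bytes given for the ARDS 1.71 firmware before removing them, and writes the result to a new .nds file instead of editing the original. The function names and the script name are assumptions made for illustration.

```python
"""Strip the 8-byte header from an ARDS 1.71 firmware file (added example)."""
import sys
from pathlib import Path

# Header bytes quoted in the post for the ARDS 1.71 firmware file.
ARDS_171_HEADER = bytes.fromhex("41 52 32 4D CC CD 00 00")


def strip_header(data: bytes, header: bytes = ARDS_171_HEADER) -> bytes:
    """Return data without its leading header; refuse input that lacks it."""
    if len(data) <= len(header):
        raise ValueError("file is too short to hold the header and a payload")
    if not data.startswith(header):
        found = data[:len(header)].hex(" ").upper()
        raise ValueError(f"unexpected header {found}; nothing was stripped")
    return data[len(header):]


def convert(src: Path) -> Path:
    """Write the stripped image beside src with an .nds suffix; src is untouched."""
    dst = src.with_suffix(".nds")
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; refusing to overwrite")
    dst.write_bytes(strip_header(src.read_bytes()))
    return dst


if __name__ == "__main__":
    # Usage (hypothetical script name): python strip_ards_header.py <firmware file>
    print(convert(Path(sys.argv[1])))
```

A file that does not begin with the quoted bytes is rejected rather than truncated, which catches a wrong firmware version or a file that was already stripped.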
 
Hi there.

I just want to know. I followed the steps for installing NTRBoot on Action Replay DSi. I followed the steps completely without any problem. However, it won't boot anything when making the combo. Also, the game is recognized as GAME & WATCH COLLECTION (as before) and I can boot it as the Action Replay, is it normal for it to still boot normally from home menu? How do I know NTRBoot flashed correctly?
 
Hi there.

I just want to know. I followed the steps for installing NTRBoot on Action Replay DSi. I followed the steps completely without any problem. However, it won't boot anything when making the combo. Also, the game is recognized as GAME & WATCH COLLECTION (as before) and I can boot it as the Action Replay, is it normal for it to still boot normally from home menu? How do I know NTRBoot flashed correctly?
Does your AR have an SD card slot?
 

Soldered my ARDS and got a Datel USB id

- WARNING - the colorcoding on the picture is correct on the testpads, but I measured with a multimeter and found that the data lines were swapped as indicated on the connector.
My typical luck to pick the connectors indications first and then having to redo it to what was shown on the pad.

Now I just need to find a computer with an old Windows version that reads miniature CDs - I guess I just have to download the drivers somewhere...
 
Hi. Just asking.

So, the only way to really fix this working for non-micro SD port DSi cards is to donate one of these?

Or, is there any other way we could help fix it?
 
Hi. Just asking.

So, the only way to really fix this working for non-micro SD port DSi cards is to donate one of these?

Or, is there any other way we could help fix it?
You could try to reverse engineer how the updater writes the firmware to the ARDSi via a debugger. If you figure that out it's pretty much guaranteed that you'll also be able to obtain the firmware binaries themselves, or at the very least see where the updater writes its data on the device. If someone figures that out, then porting NTRBoot to it shouldn't be too hard.

Still, I'm going to make it clear that I'm not too sure I could do something like that, so please don't send me one of those. The ARDSes using Code Manager pretty much have no security at all (aside from a simple CRC-16 check) and I still wasn't even able to correctly find the addresses where to write the blowfish key & firm on my own, so I'm pretty sure that trying to port NTRBoot to these ARDSi models would be a bit too much for someone like me.
 
You could try to reverse engineer how the updater writes the firmware to the ARDSi via a debugger. If you figure that out it's pretty much guaranteed that you'll also be able to obtain the firmware binaries themselves, or at the very least see where the updater writes its data on the device. If someone figures that out, then porting NTRBoot to it shouldn't be too hard.

Still, I'm going to make it clear that I'm not too sure I could do something like that, so please don't send me one of those. The ARDSes using Code Manager pretty much have no security at all (aside from a simple CRC-16 check) and I still wasn't even able to correctly find the addresses where to write the blowfish key & firm on my own, so I'm pretty sure that trying to port NTRBoot to these ARDSi models would be a bit too much for someone like me.
Alright.

While I'm a complete noob, I know a bit of programming, at least.

Do you know any good way to debug an EXE file without its source code?
 