Homebrew [RELEASE] fw2nds - build firmware.nds from firmware.bin

dr1ft (OP):
So over the past couple of days I've been working on reverse engineering firmware.nds to understand how it worked. I didn't expect to make any progress, but somehow I managed to figure out exactly how it works.

I've managed to develop a single tool that automatically converts a firmware.bin file into a firmware.nds with no user interaction other than dragging the bin file onto the exe.

Has been tested with 7 different English firmware revisions and all FlashMe v8 variations.

This is important because firmware.nds cannot be legally distributed due to containing substantial portions of the DS firmware, but now we can build our own using legal means :)

Have fun, and be sure to report any issues you have in this thread.

I'll be making a more in-depth writeup of how this all works in the near future, so stay tuned for that.
 

Attachments

  • fw2nds.zip (65.6 KB)

FAST6191:
Nice. We have had quite a few people over the years wanting shots, sound samples, video and more of the DS firmware/menu. Would be nice to have a simple point people at it type solution.

Will you include a PC editor so people can still change the colour, birthday, name... settings of these new .nds files? Or indeed might you be able to force it to use the same offsets somehow?
 

dr1ft (OP):
> Nice. We have had quite a few people over the years wanting shots, sound samples, video and more of the DS firmware/menu. Would be nice to have a simple point people at it type solution.
>
> Will you include a PC editor so people can still change the colour, birthday, name... settings of these new .nds files? Or indeed might you be able to force it to use the same offsets somehow?

Well, this doesn't let you do anything you couldn't already do with a competent emulator that supported firmware dumps. Also, the settings are contained in NVRAM and this makes no attempt to store them in the file. You *could* do that with additional patches, but I don't see *why* you would... This is mostly intended for helping with my personal obsession of running the original DS firmware on every iteration of the DS :P
 

dr1ft (OP):
> Is the firmware.nds the original DS's firmware? The DS Lite's firmware hadn't publicly been released. I have several flashcards and a DS Lite. If you need the firmware to it, I could provide it.

I have a ton of firmwares so I'm not too concerned with that.
Feel free to send it my way anyway though, the more the merrier.
 

FAST6191:
> Is the firmware.nds the original DS's firmware? The DS Lite's firmware hadn't publicly been released.

I vaguely recall a few years back, around the time the pictochat trick got released or rediscovered (well after the DS Lite was released as well), that everybody got all the versions going on put into a pack of all of them.

I don't know about the Korean ones and iQue models, as they might still have a version or two that did not get dumped (still got some examples though), but as far as mainstream DS models from the usual regions go, all firmwares and revisions should be out there, and likely have been for many years now.

Edit: Or if you prefer, there is a reason FlashMe was able to backport the DS Lite brightness adjustment for those later revisions of DS with the relevant chip.
 

dr1ft (OP):
> I vaguely recall a few years back around the time the pictochat trick got released or rediscovered (well after the DS lite was released as well) that everybody got all the versions going on put into a pack of all of them.
>
> I don't know about the Korean ones and ique models as they might still have a version or two that did not get dumped (still got some examples though) but as far as mainstream DS models from the usual regions then all firmwares and revisions should be out there, and likely have for many years now.

The set I have is mostly from noflashme.nds; they're not complete dumps, but enough to build a firmware.nds from.
 

dr1ft (OP):
Well, it took me long enough, but there's a zip file attached in the OP with source code in binaries now.

EDIT: Is there some way I can change the thread title to [RELEASE] instead of [Very WIP]?
 

RocketRobz:
> well, it took me long enough, but there's a zip file attached in OP with source code in binaries now
>
> EDIT: is there some way i can change the thread title to [RELEASE] instead of [Very WIP]?

Report the OP to request to change the title.
I've done this plenty of times. :P
 

Apache Thunder:
[image: snapshot20180629005325.jpg]

( ͡° ͜ʖ ͡°)


It doesn't actually boot the game yet though. Big thanks to dr1ft for helping me with this. I managed to get a bootstrap program that launches his firmware.nds SRL and got it to work on 3DS. :D

There are a few things that need to be in RAM before the firmware SRL boots, before it will show a game in Slot-1. After checking in No$GBA it seems the game's ARM binaries are already loaded into RAM by the time you reach that screen. I guess the NDS BIOS/bootrom loads those into RAM? Not sure when that is happening. The firmware SRL doesn't seem to be doing it on its own though. It is able to load the game's icon data. (It will hang too if I remove the cart before it boots or eject the cart while it's running, just like on real DS consoles.) My bootstrap only puts the cart's header and a few other tidbits in the needed parts of RAM (refer to this to see what I mean: https://problemkaputt.de/gbatek.htm#biosramusage ). But those are data I compiled directly into the source code and aren't pulled from the cart in Slot-1 yet, so my build was hard coded to only show Mario 64 (and will hang on boot if you attempt to use a different cart. :P )

Cart loading code is a bit beyond me, so someone else will have to pick up where I left off. dr1ft has the source to the bootstrap I used to boot this. Hopefully he can get something going with this. :D
 

DeadSkullzJr:
GBA games, flashcarts, and other various extensions work perfectly with these. Dumped quite a few firmwares; obviously the DSi firmware won't work, for obvious reasons. Creating a firmware.nds from the New Nintendo 3DS DS mode dump doesn't seem to work; it did work with the Old Nintendo 3DS DS mode dump though. Turns out my old 3DS uses a v4 Phat firmware in DS mode :P
 

tuxifan:
Code:
fw2nds
build firmware.nds
dr1ft 2018

unpacking with fwunpack
Nintendo DS Firmware Unpacker by Michael Chisholm (Chishm)
Firmware size 0x00040000
ARM9 Boot: From 0x00000180 to 0x021F0000
ARM7 Boot: From 0x000001A0 to 0x0380F800
GUI Data: From 0x000002C0
ARM9 GUI: From 0x000183B0
ARM7 GUI: From 0x0000F5B0
ARM7 GUI size: 0x0000D940
ARM9 GUI size: 0x0001AFA0
GUI Data size: 0x0003A7A0
Flashme firmware
ARM9 Boot2: From 0x01FFFE00 to 0x00800200
ARM7 Boot2: From 0x01FFFE00 to 0x00800200
wine: Unhandled page fault on read access to 02420FE8 at address 00401D76 (thread 0009), starting debugger...
0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
Unhandled exception: page fault on read access to 0x02420fe8 in 32-bit code (0x00401d76).
Backtrace:
=>0 0x00401d76 EntryPoint+0xffffffff() in fwunpack (0x00401e00)
  1 0x40641ca3 (0x0424448b)
0x00401d76 EntryPoint+0xffffffff in fwunpack: movb      0x0(%ecx),%al
System information:
    Wine build: wine-5.0.1
    Platform: i386 (WOW64)
    Version: Windows 10
    Host system: Linux
    Host version: 5.4.0-40-generic
reading images
boot7 critical region at FFFFFFFF
boot9 critical region at FFFFFFFF

Unhandled Exception:
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
  at System.BitConverter.ToInt32 (System.Byte[] value, System.Int32 startIndex) [0x00016] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
  at System.BitConverter.ToUInt32 (System.Byte[] value, System.Int32 startIndex) [0x00000] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
  at bluelib.Utils.ToUInt (System.Byte[] data, System.Int32 offset) [0x00000] in <e8ce40ccd31e49108c6a43227d843ea8>:0
  at fw2nds.Program.Main (System.String[] args) [0x00225] in <0ad843ee36bf46d796b49c32028d6cd1>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
  at System.BitConverter.ToInt32 (System.Byte[] value, System.Int32 startIndex) [0x00016] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
  at System.BitConverter.ToUInt32 (System.Byte[] value, System.Int32 startIndex) [0x00000] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
  at bluelib.Utils.ToUInt (System.Byte[] data, System.Int32 offset) [0x00000] in <e8ce40ccd31e49108c6a43227d843ea8>:0
  at fw2nds.Program.Main (System.String[] args) [0x00225] in <0ad843ee36bf46d796b49c32028d6cd1>:0
This is all I get when running that, any idea?

Edit: Compiled fwunpack.exe on my own and the first exception disappeared. The second one still persists…
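The log above shows a pattern worth recognising in any binary-format tool: "critical region at FFFFFFFF" is a not-found sentinel, and the very next fixed-width read uses it as an offset, so the real cause surfaces only as an index-out-of-range exception deep inside BitConverter.ToUInt32. The following is an added Python illustration (not fw2nds' code; the marker strings and sample image are constructed, and fw2nds' real search criteria are not known here) that reproduces the unchecked path beside a checked reader that names the missing region instead:

```python
import struct

NOT_FOUND = 0xFFFFFFFF  # sentinel that shows up as "FFFFFFFF" in the log above

# Constructed sample image and marker strings (hypothetical, not fw2nds' real
# search criteria): a boot9 marker followed by a u32 is present, boot7 is absent.
BOOT9_MARKER = b"<boot9>"
BOOT7_MARKER = b"<boot7>"
IMAGE = bytes(0x40) + BOOT9_MARKER + struct.pack("<I", 0x021F0000) + bytes(0x40)
MARKERS = {"boot7": BOOT7_MARKER, "boot9": BOOT9_MARKER}

def locate(image: bytes, marker: bytes) -> int:
    """Offset of the u32 that follows marker, or NOT_FOUND (the log's sentinel)."""
    pos = image.find(marker)
    return pos + len(marker) if pos >= 0 else NOT_FOUND

def read_u32_unchecked(image: bytes, offset: int) -> int:
    """The crash path: trusts the offset, so a sentinel becomes an opaque error."""
    return struct.unpack_from("<I", image, offset)[0]

def read_u32_checked(image: bytes, offset: int, what: str) -> int:
    """Reject the sentinel and out-of-bounds offsets, naming the field involved."""
    if offset == NOT_FOUND:
        raise ValueError(f"{what}: region not found in this image")
    if offset < 0 or offset + 4 > len(image):
        raise ValueError(f"{what}: offset {offset:#x} outside {len(image):#x}-byte image")
    return struct.unpack_from("<I", image, offset)[0]

def critical_regions(image: bytes, checked: bool = True) -> dict:
    """Locate every region first (printing the same lines as the log), then read."""
    offsets = {name: locate(image, marker) for name, marker in MARKERS.items()}
    for name, off in offsets.items():
        print(f"{name} critical region at {off:08X}")
    if checked:
        return {n: read_u32_checked(image, off, n) for n, off in offsets.items()}
    return {n: read_u32_unchecked(image, off) for n, off in offsets.items()}

def compare(image: bytes) -> tuple:
    """Run both paths on one image: (unchecked error class, checked error message)."""
    try:
        critical_regions(image, checked=False)
        unchecked = None
    except Exception as exc:          # struct.error here, the analogue of the .NET trace
        unchecked = type(exc).__name__
    try:
        critical_regions(image, checked=True)
        checked = None
    except ValueError as exc:
        checked = str(exc)
    return unchecked, checked

if __name__ == "__main__":
    print(compare(IMAGE))
```

Running it on the constructed image prints the two "critical region at" lines and then the pair of outcomes, which makes the difference between the two readers visible at once.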
