ROM Hack How were the DS exploits found?

imgod22222 (OP):
So I remember joining the DS scene back in the days when we would flash our fat DS's with firmware, using a PassMe card and a slot-2 device. Nowadays, people just plug'n'play their flashcarts.
My question is: How did they figure this stuff out? If anyone has any links/stories about back in the day when hackers on the scene were figuring out "oh shit, if I short this connection, then I can write freely to the firmware!" or "If I make a DS cart... and put this info on it... then obviously, the DS will begin reading from slot-2!" or "Here's the default firmware DS's ship with. Now what would I go about editing to get rid of this heinous check?" or any of the newer methods being used now which allow people to just pop it in their factory DS and it works fine?
What are the methods, how are they being used, how do they work, and what understanding is necessary about the DS to get it to do what you want it to?
[I'm interested in (soft/hard)ware hacking, pretty adept at reading/writing x86-64 asm, and wanted to learn what "hackers" are doing so I can feel less of a bystander, and more like a person who can make a difference]
 

Poryhack:
I might be wrong about this but it seems like a lot of the answers you're looking for are "trade secrets" for flashcard developers and not likely to be publicized. I know there was a lot more of an open nature to DS hacking in its early days but that phase didn't seem to amount to much (especially not hardware-wise); there was homebrew here and there but compared to what you can do with a flashcard now it was pretty limited.

Anyway I think you might have more luck with your question if you asked in the hackmii/twiizers circles, they seem to be where it's at for low-level hacking now.
 

imgod22222 (OP):
So I may be. However, I was being slightly specific in asking to use DS examples when making the tut/explaining.
EDIT: Poryhack, that sounds like a good idea, I may go about "asking the hackmii/twiizers circles" also, didn't think I would be asking about flashcart trade circles. If it really were, all flashcarts nowadays have built-in PassMe functionality and explaining it would in no way change anything. I guess the more up-to-date stuff that goes beyond using just the DS' hardware (like using onboard coprocessors) would be infringing on that territory. But after all, the method in which flashcarts do that same thing of passing the firmware is the same for all cards once the hack is announced (and subsequently published).
 

FAST6191:
I could probably cover why some of the methods work (many flash chips have a write enable pin and for testing purposes pads will usually be there) but as Rydian says you are asking for a hacking tutorial in general and even if I did cover the examples you mentioned it would be more or less just trivia. The proper DS slot stuff (that is to say the encryption method that kicked it all off) though came from Martin Korth aka the author of no$gba and the rather nice hardware docs to match it.
On top of this you run the risk of overloading yourself; not to slight the skills of anyone but people do not just wake up in the morning and cook up a device that loads games and has a spinning boxart complete with shiny table effect to launch it, it takes quite a bit of effort on the part of many and although it has been said for many years now I do pity those just coming into this game as it does not get easier.

The way I see it you start with a goal (say running my own code on what amounts to full hardware access rather than say some little piece of scripting language in there somewhere). Consider all the methods you have to get something on there
Can I use a disc?
Can I use an SD card?
Can I use a USB port in some manner?
Can I use wireless?
Can I use some proprietary method it has (code or save memory)?
Can I use some internal memory?
Can I use some debug method to inject code directly into the memory?
and so forth

You then pull something apart (or if somebody else has done it for you read up on that although always remember they might be wrong*) and/or probe each of those avenues to figure out any roadblocks there might be in them.

If there is encryption/protection can I crack it (higher powered machines and continued research mean methods get weaker all the time although relying on this is not wise), was it implemented properly (history says certainly give it a look), can I bypass it in some way (does it only check at install time/once and then allow you to swap it out?, can you trigger a debug mode that lacks support for it?, were they foolish enough to implement the checks in something you easily control? or can I glitch the hardware at the right time to allow me to bypass it (side channel attacks are extremely powerful) among many other questions).

*one of the big things here is backwards compatibility- the DS with the passme worked because it had access to the GBA memory which it could be redirected to, the wii tweezers attack used gamecube mode to gain access to things, the wii drive mods descended directly from gamecube mods and so forth.

Why one avenue and not the other usually exists because it is easier. Occasionally someone might come along and refine it but at first it is almost always about making it easier.

What I have just written though is almost philosophical in that it contains nothing of great use. Still I blathered on in the 3ds hacking section if you fancy http://gbatemp.net/t287721-some-hacking-concepts-and-links
 

Rydian:
imgod22222 said:
So I may be. However, being slightly specific to asking to using DS examples when making the tut/explaining.
That doesn't matter that much, actually. That only changes a few specifics, and giving away those specifics might as well be giving away some exploits. What will be more helpful to you right now is understanding some of the basic first approaches, like FAST gave.

Here's some info on PSP hacking that will also help.
http://wololo.net/wagic/hacking-portal/
 

relminator:
server: Blitzed.org
Channel: #dsdev

I believe current DS/3DS hackers frequent there.

You need to have patience with this stuff though. It's time consuming and needs a lot of luck.
 

Rydian:
mrgone said:
isn't it always like this:
find some input, supply an input string which hopefully crashes/exploits something
repeat for strings and inputs
No, there are often tricks you can do to get the machine to spit out some info at you that you can look through to try to find something exploitable (or at least find a way to cause a crash) without having to "guess around" various inputs.
 

Valiarchon:
I'd like to point out something everyone seems to be ignoring: A very, very large proportion of the console hacking originates in one of three communities: Chinese, French and Spanish/Brazilian. If you can understand one of the required languages (although even a google translation would usually suffice for something like this to provide a basic idea of what's going on), I suggest you check them out.
 
