Hacking Analysis on the Gateway 3DS blue cart (updateable??)

[FR0ZN]

WARNING: This thread got pretty long while I was writing it. There was so much I wanted to say that I completely lost track and messed up the structure pretty good.
My goal might not be clear at first, but the text is about getting to know what the blue cart bundled with the Gateway 3DS actually is and if there might be way to update it, to support later 3DS firmwares, since I read that the bootstap can't be updated, yet I found "proof" that it might work ... at least I hope so.


Hi,

I'm pretty new to this whole DS flashcart thing. I knew such things existed because a lot of my buddies got Nintendo DS' with flashcarts, but I never realy bothered about the Nintendo world that much, since I'm more into the PlayStation scene.
But every now and then I buy a new console just for fun and so I got myself a 3DS XL together with the Gateway 3DS flashcart.
Now the thing is, everytime I buy a new console which has a huge community behind it and an ongoing hacking scene which I never cared about, I find myself lost in all of the information which is available for the specific device, I'm pretty sure we've all been there once.
For the 3DS part of the Gateway 3DS it's a piece of cake, since this thing is "brand new" and the news and information about it can be overwatched.
But a few days ago the DS part of the Gateway 3DS (the blue cart) got some of my attention, so I set out to check whats the deal with DS flashcarts and found myself in a chaos of information.
From Wood Firmware, to 2000 R4 clones, over words like DLDI, Bootstrap, Kernel and whatnot my brain began to crack my skull in order to break out because it didn't fit anymore.

I'm that kind of person who wants to know everything about each of my devices, to see whats possible and what is not.
But I also know that there are peeps out there who just want to play their games and don't give a damn about how the stuff works, as long as it works, tell them what to do and of they go.
Which is fine actually, but also wrong, in case you ever decide to check whats going on and find yourself in the same situation as me and realise pretty quick that there is way to much information to keep track of everything.

But lets get to the goal of this thread, I just wanted to share my point on things first and show that it isn't easy for someone whos is completly new to the whole thing, but I think I got my around all that stuff pretty well.

So, back to the blue cart...

On my journey to figure out the whole NDS scene, I first tried to understand what I actually got with my Gateway 3DS.
I looked around several sites and reviews of the GW3DS and saw pics of the PCB from the blue cart.
After reading through the review and inspecting the GW3DS firmware folder I understood that the cart is a R4i clone, so I got my first clue to look for further information about the cart, since I knew that the GW3DS Team wasn't building those carts themselfs.

The PCB from the blue cart had this "X-B" marking close to its pins, which I tried to use as a reference on my search and found out that the Ace3DS+ has to be the manufacturer for these carts.

X-B marking on GW3DS review samples:


X-B marking on Ace3DS+:


Now that I knew what cart it is, I tried to compare the files that the GW3DS and Ace3DS+ Teams are offering to see if there is anything suspecious in there.
One thing that caught my attention was the menu file. The GW3DS Team uses the name "_DSMENU.DAT", while the Ace3DS+ Team uses "_DS_MENU.DAT".
My understanding about this .dat file is, that its the first file the bootloader/bootstrap is looking for, if it can't be found you get an error during startup.
I don't know if both names are accepted or not, but to me it was a clue that the GW3DS Team is buying the DS cart hardware from different teams and installing their custom bootstrap onto them to somehow make it unique / not of the shelf.

I think at a certain point they began to identify those carts by altering the markings on them, as you can see on the following pictures, where the "X" in the "X-B" marking is blacked out:



It looks like the GW3DS Team buys the PCBs. programs them and sent them out to the retailers where they get labled with "Gateway" stickers etc.

Without labels:


Stickers:


Noticed the yellow PCB on the DS cart ? ... I'll get to that at the end

Now that I knew there was more than just one cart (with the X-B marking), I checked my blue cart and was surprised to find a 003 marking on it.
During my research I found out that the Ace3DS+ Team was building carts with 001-002a markings on them, so I was still on the Ace3DS+ track which is good, since I couldn't find anything useful on the cart with the yellow PCB other than a name of a possible manufacturer (but again, more at the end).

On the Ace3DS+ page I found out that at one point they offered firmware updates for their carts, which confirms that those carts can be written to. They also tried to offer updates for the very first Ace3DS+ ("ACE" marking). Even today they are offering a fix to patch some kind of savegame bug.

"ACE" marking:


001-002a markings:


Their official news log has some nice information about previous releases:

On the 27th of April 2012 they released an update for the Ace3DS (NOT Ace3DS+ !!!), which enabled it to work on 3DS' with FW 4.0.0-7 and introduced the Deep Labyrinth bootstrap, which is also present on my Ace3DS+ rev 003 which came with the Gateway 3DS:



On the 3rd of October 2012 they released another update, this time around for the Ace3DS+ which actually confirms that they can be updated via software.
Here is page archived by the wayback machine:

http://web.archive.org/web/20130115201154/http://ace3ds.com/ace-3ds-download.html

The download link back then was: ftp://ace3dssoft:[email protected]/ace3ds plus/Ace3dsplus_4.40_update.zip which doesn't work anymore.
They changed their download server overtime and moved all the files with it, so here is the new working link if you want to check it out (I'll also attach it, just in case):

ftp://files.ace3ds.com/ace3ds plus/Ace3dsplus_4.40_update.zip


On the 3rd of January 2013 they said the following:

Our newest Ace3DS Plus (with "001 / 001A / 002 /002A" on PCB) can support 3DS V4.5.0-10 and DSi V1.45 directly.
We are still working on a patch for those old revision 3DS cards, will keep it updated on our site soon,
please don't upgrade your 3DS system version now.. -2013-01-04

Which is another indication that their hardware is indeed writeable.


On the 19th of January 2013 they released their modified Wood FW v1.56. The changelog looks similiar to the one in the GW3DS FW package, yet a lot of checksums differ.

Ace3DS+ Changelog:

1.56
core:
- fatfs updated to 0.09a.
compatibility:
- 'apprends avec pokemon a la conquete du clavier (france)' fixed.

Gateway 3DS Changelog:

1.56
Support 3DS V4.5.0-10 and DSi V1.45.
Compatibility:
'apprends avec pokemon a la conquete du clavier (france)' fixed.

Does anybody recognize the changelog from Team GW3DS? I don't think they would modify it themselfs and write anything FW related in there.
Maybe again another Team ? Another indication that R4i cloned hardware can be updated ?


On the 22nd of January 2013 they released a fix for all their carts which patches a savegame bug, which is another indication that their hardware is indeed writeable.

Extremely Strenghen the stability of the flashcard (All Ace3DS plus versions)! -2013-1-22

The executable looks exactly like their firmware update for 4.4.0 (I'll also attach it): ftp://ace3dssoft:[email protected]/ace3ds plus/ace3ds_fix_all.zip


Since my rev 003 cart came pre-installed with the Deep Labyrinth bootstrap, I wondered which 3DS firmware is still going to support it.
Another user here in the forums has a rev 002 cart which still works perfectly fine on 5.1.0-11.
http://gbatemp.net/threads/ace3ds-plus-on-3ds-version-5-1-0-11e.347875/#post-4669738

Now I wonder the difference might be between his rev 002 and my rev 003 cart, since the Ace3DS+ Team said the following:

On the 23rd of March 2013:

Ace3ds plus, which work well on 3DS V4.5.0-10, can perfectly support the latest V5.0.0-11.!

and on the 5th of April 2013:

Ace3ds plus can perfectly support the latest V5.1.0-11! -2013-4-05

which can be confirmed by the other user here on the forums.

What confuses me tho is the fact that a lot of people on youtube are running the Ace3DS+ with the Alex Rider bootstrap even on 6.1.0-11U and none of them has the Deep Labyrinth bootstrap:

3DS 4.3.0-10J (Alex Rider bootstrap - works):


3DS 4.4.0-10 (Alex Rider bootstrap - works - updates it to Metroid Prime bootstrap - writing confirmed !!):


3DS 4.4.0-10J (Alex Rider bootstrap doesn't work ?? - but again, another udpate proof !!!):
http://www.ndshop.jp/blog/?p=2382

3DS 5.0.0-11U (Alex Rider bootstrap working again ??):


3DS 6.1.0-11U (Alex Rider bootstrap still working fine):


3DS 6.3.0-12 (Spongebob bootstrap, seems to be the newest revision, dunno which tho ):



The Ace3DS+ seems to be a clone of the R4i Gold and the R4i DSN clones, which actually can be udpated. They don't look that much different actually:



Update procedure (PCB at 10:10):



Oh boy what a f***** up thread :/
This is all the information I could get about the GW3DS blue cart and its Ace3DS+ counterpart.
I hope someone can make some sense out of it, so that we might be able to update this cart with a firmware from another manufacturer or something like that, since they are similiar to each other hardware wise.
Even tho those carts are cheap, I don't see why we should buy new ones everytime Nintendo pushes another FW Update for the 3DS.

Oh yeah btw, the cart with the yellow PCB seems to be a R4infinity 2 (J-B marking), like with the blacked out X-B marking on the red PCB, they are doing the same here with the "J" in J-B:
To make it work on 6.1.0-12 you had to make a hardware mod and cut a trace as demonstrated in the picture:

Blacked out:

I just noticed that the PCB is 1:1 the same as the Ace3DS+ X-B rev., which is probably why the GW3DS Team chose these as an alternative. Now it makes me wonder what my rev 003 PCB lloks like.

Kindest regards,
iCEQB

 

[UltraMew]

Brain exploded.

 

[Another World]

that is an interesting bit of investigative work. you may want to contact gateway and ask if they are ready to let us know what clone they used.

i've been told in the past, from various trusted sources, just how small the ds flash kit scene actually is. some well known clones were developed by well known companies under different names. it could be possible that r4ids.cn are behind the ace3ds+, and that would be really interesting.

-another world

 

[Ryukouki]

Wow, that is actually really fascinating. I honestly thought it would be a fruitless investigation but I actually read the whole thing, and I have to say "not bad!"

 

[FR0ZN]

Wow guys, thanks for the good feedback so far !

I looked a bit further into the R4infinity 2 cart and got some nice surprises on their website -> http://r4infinity.com/down_2.asp

They actually released an update for 4.5.0 and their 1.56 cracked Wood FW actually matches in a lot of things that came with the Gateway 3DS FW package.
They both named their menu file "_DSMENU.dat", but the checksums differ. And you can find a "game.dldi" in both of them.
So this begins to shape up nicely ... and I'm pretty confident that this cart CAN be updated, the problem is to find a suitable update file.
On the other hand, the updates aren't that big, maybe we can reverse them ?
I'm pretty sure the installer doesn't differ over the released updates, only what actually gets written into the cart.

 

[FR0ZN]

Ok my microSD came in today so I got a better look at the whole thing now.

You all probably might know this, but I just want to write down my findings so that when maybe another guy tries to understand this whole mess, he/she can look it up pretty quick.

The Gateway 3DS blue cart looks up for a file called "_DSMENU.DAT" during startup. It has to be exactly THE .dat file, that came with the GW3DS firmware package, or else it won't run.
Renaming the file to the more common "_DS_MENU.DAT" or copying another "_DSMENU.DAT" from another clone will cause an error during startup ("Can't open _dsmenu.dat").

There are several clones which use the "_DSMENU.DAT" format. I dunno how many cracked Wood firmwares I downloaded over the last couple days, but here are the top 3 which looked similiar to the structure from the GW3DS release:

R4A+:          http://www.r4i.ndsi.in/R4iAdownloads.htm  (game.dldi present)
R4iDSN:        http://r4idsn.com/download.asp
R4infinity 2:  http://r4infinity.com/down_2.asp

All .dldi's match from each clone, so I don't know how important it is to have the exact name. I also don't know how Wood is looking for it. The GW3DS Wood FW doesn't care what it's named, it worked with the one from the Ace3DS+ FW, but I probably used it wrong, or not at all.

I also tested if the Ace3DS+ savegame fix worked on the blue cart, without success tho. It says "invalid cart", which leads me to believe that the Gateway 3DS Team is only buying the PCB from different manufacturers and install their own bootstrap, which also is probably the reason why no other cracked Wood FW runs on the blue cart, since every clone stores another decryption key in its bootstrap.

R4crypt sadly isn't capable to decrypt any of the cracked Wood firmwares. I wonder, how CK3 managed to get the decryption key from the original R4 ?
Is there some kind of homebrew application which is capable to extract it from the bootrom inside the flashcart?

I also couldn't check if the WAIO package that CK3 posted works properly on the blue cart. It comes with a ton of patched Wood firmwares for several clones, but everytime I run one of them it says "Loading" and returns to the exact same selection screen as before.
Launching another .NDS file (game or cracked/decrypted Wood FW), does nothing.

That's all for now ... for me these are the facts:

1) Gateway 3DS Team buys the PCB from different manufacturers.
2) They install their own bootstrap ("Deep Labyrinth" icon) with its own unique decryption key for "_DSMENU.DAT".
3) The blue cart doesn't accept any other "_DSMENU.DAT", which confirms point 2.

As for bootstrap updates I'm pretty sure the same facts apply, that only the Gateway 3DS Team can update it, unless we ge the de-/encryption keys for the blue cart.

BTW, I made some PCB pics from my rev 003 blue cart which is most likely another Ace3DS+ PCB revision:



I hope this helped in some way.

Kindest regards,
iCEQB

 

[BXZ_]

Good news everyone!

After I found this thread I decided to brute-force the encryption key.

I modified r4denc's source code to loop through key 0x0 to 0xFFFF and 65536 files later
I made a script to take the first 16 bytes from each file and print the name of any with
gamecode "####".
Turns out the key is 0x4002 as opposed to 0x484a used by the original r4 wood.

So I decrypted the original r4 wood firmware and reencrypted it with the new key but it didn't load anyway.
I looked at both decrypted files and changed the header to have same gametitle and makercode, didn't work either.
(the header on GW's firmware have game title "R4IT", r4itt maybe?)
Then I realized I didn't update the header checksum,

now it loaded but it couldn't access the sd card.
I did the same with the ace3ds+ firmware to no avail. sigh. (btw ace3ds+ had the same key as the blue cart)
I read the whole thread properly and decided to test r4infinity's firmware... succuess!

It seems like the GW team use same hardware as r4infinity but with different bootstrap code.

I might try to dump the bootstrap from the spi flash chip, but I currently don't have a 3.3v µC.

Edit:
Seems like as long the game title is "R4IT" and header checksum is correct
it'll try to load any nds rom. I tried with a random homebrew game but it froze
trying to load

happy hacking
//BXZ_

 

[FR0ZN]

Very good progress mate !
As long as we can update the Wood firmware, we should still be good, since we bought the GW3DS for a 3DS which runs the FW 4.5.0, so updating the bootstrap itself might be our second priority here.
Check your PMs btw

Regards,
iCEQB

 

[octopus]

I have received a Blue card with green PCB. It’s marked L−C and seems to be the same as 003 revision.
Photo:

Spoiler

 

[eggsample]

I found that Blue Gateway 3DS has 3 different PCBs
full size
full size

 

[corvettesky]

Hi,

I'm not really device hacking involved but I tried this, I have a blue gateway with red 003 pcb, I tried to move my saved files from a R4infinity dual core, they didn't worked first time but then I realized that the name of the file was different ,on the blue gateway they have "name.nds.sav" on the r4infinity the name is "name.sav" so I rename the files to match with the names and it worked!!!

I hope this help you in someway.

Best regards

Update: I just tried to run the gateway installer using the r4infinity card instead of the blue gateway one and it worked without issues.

 

[Kever]

Hi,

Gateway arrived (china import), x-c marking

 

[kyogre123]

So, at the end none of the new firmwares from other carts are compatible with Gateway's?

 

[migles]

i just want to say, thank you for all the information and research, people like you make this world (the internet) a really better place

 

[FR0ZN]

Oh wow thank you !
This thread will get more active soon (at least I hope so).
I'll contact BXZ_ about the de-/encryption stuff ... or if you are reading this buddy, it would be great if you could get me a decrypted version of the GW DSMENU.

I'm pretty sure we can get newer Wood FWs running on the blue card, but I don't know about the bootstrap.
On the other hand, if you are buying a Gateway cart, you'll need a 3DS on 4.5 anyway, else you would buy different DS cart anyway, so there is currently no need to update the bootstrap in order to make it work on FWs >6.2.0.
Wood FW on the other hand gets us more game compatability, which is always good to have, a lot has happened since 1.56 so I'll try and focus to get this running first.

Maybe even the community can help on this, once we get the decrypted version, we'll have to look for differences which are neccessary for the blue cart to work.

Regards,
iCEQB

 

[Darkseeker109]

Its quite fascinating to go behind the scenes for all this flash card stuff. I gotta say Im one those guys that plays the games and doesn't care how it works but it was an interesting read none the less.

 

[FR0ZN]

Thanks to BXZ_ we now have a decryptor for the GW3DS _DSMENU.DAT, which I attached below.
He is currently working on some nice stuff and we gonna hear more from him soon.

I also attached both decrypted v1.56 Wood FWs (orig. and GW3DS) for you to experiment, I didn't had much time to look into it, but the different file sizes are worrying (to me).

My card reader is broken, so maybe someone sees something interesting in there or wants to experiment with us

Happy new year to all !!

Regards,
iCEQB

 

[eosia]

I've got a Blue Card too, and NDS where I can test, but I dont have any 3DS with FW lower than 4.5.

 

[FR0ZN]

You don't need a 3DS.
The current goal here is to correctly execute Wood FW 1.62 on the blue cart, so we get greater compatability.

 

[FR0ZN]

RELEASE: Wood FW v1.62 for Gateway 3DS Blue Cart​

​

​

BXZ_ did it, he managed to patch the Wood FW v1.62 so we can run it on our GW3DS blue carts!
Just replace the "_DSMENU.DAT" in the root of your microSD card and enjoy the greater compatability !!

Expect more news from him soon !


Regards,
iCEQB