Bootleg overwrite potential

[LunarPurin]

So, I've been curious about this for a little bit, but it's never been done to the same extent as the GBA community. I'm not sure if that's simply because it's impossible or because of a lack of necessity, with R4 cards being abundant and rom hacks being few and far between.

Basically, the GBA has a piece of hardware called a Joey Joebags, or a GBA:RW which functions mostly the same. These exploit the bootleg cartridge's cheaper chips and force an overwrite of the data on them. Basically, these allow you to take a bootleg copy of Emerald and bruteforce an overwrite of... Let's say, Radical Red Edition.

As far as I can tell, the chips used for the Nintendo DS cartridges are identical to these ones used to store the ROM on the GBA, and SHOULD be bruteforceable. I could be entirely wrong about this, but surely you could take a bootleg copy of Diamond and bruteforce Moon Black 2 or something onto the cartridge.

Am I asking if this is practical? No, R4 cards exist which can get romhacks on official hardware easily.
Am I asking if this is a good idea? No, there are plenty of better ways to go about this.

I'm simply asking if this is possible, since it's been something I've thought about for some time now. If I had to guess though, there might be issues with save data on the DS since GBA overwritten carts lose their ability to save without a battery.

Post automatically merged: Dec 9, 2023

If anyone is curious, the reason I want to take on this AT ALL, despite the immense impracticalities is because I love the idea of designing a label, case cover and having an individual cartridge for some of my favorite romhacks.

Kind of emulating that feeling of a new pokemon game for the Nintendo DS with all the bells and whistles.

 

[anotherthing]

Basically, the GBA has a piece of hardware called a Joey Joebags, or a GBA:RW which functions mostly the same. These exploit the bootleg cartridge's cheaper chips and force an overwrite of the data on them.

You can do this with a DS or DS lite.

https://github.com/nflsilva/nds-gbabf

 

[LunarPurin]

I wasn't actually aware you can do this without external hardware.
It's however not the answer to my question and although extremely interesting to me, the question is still whether bootleg DS carts can be overwritten similarly if there was a piece of hardware to do it.

You can do this with a DS or DS lite.

 

[Apache Thunder]

Unless it's one of those "multigame" carts that are some form of R4 clone, bootleg DS games can be overwritten! As far as I can tell most of them are in fact N-Card clones! N-Card aka Nand Card is an ancient flashcart that existed before the R4. They came onto the scene after the passkey type cards that allowed NDS games from slot2 and were some of the first slot 1 based flashcarts. The interesting thing about them is they pretty much still allow booting modern games. Even SDK5 games like Pokemon Black/White. (just have ot manually tell it what save type they use annd prepatch the AP checks as the flashcart's old loader doesn't do AP patching). All this despite losing update support after 2008! A pretty solid hardware design even if the coding behind it was a bit jank as I've found while doing RE work on them.

The only games I've found to be totally unsupported are 512megabyte size roms like Pokemon Black 2/White 2. Fortunately though there's not many of those size games and only the pokemon games using that rom size were released outside of Japan. So if you see any bootlegs of those games they are likely modified R4 clones with the MicroSD card slot removed/covered up by the cart shell.

Anyways on bootleg game carts even the smallest games come in a 1gigabit n-card cart which has a 128MB nand chip inside. You can convert them to standard N-Cards if you install uDisk onto them using a modified udisk updator (as most bootlegs tend to store their games in a location used differently in properly setup N-Card flashcarts.

I haven't really released anything for flashing bootleg game carts yet though. But maybe there will be something soon for that.

In the mean time you can do some things with them with this tool I wrote:

https://github.com/ApacheThunder/nrioTool

If you don't get a "This doesn't appear to be an n-card" message on boot then that means your bootleg is a n-card under hood.

You can run the xulumenu bootstrap in nrioTool to install a udisk 1.45 compatible filesystem onto the n-card bootleg. Then use this modified version of GodMode9i to copy files onto the card: (which may or may not break the bootlegged game. it depends on the size of the bootleg game they put on it. If it's a 16MB or smaller game rom then teh filesystem might not break it. But it will be pretty hit or miss. So expect the game the cart was bootlegging to die once you put a filesystem on it.

https://github.com/ApacheThunder/GodMode9Nrio

You can go onto linfox to download n-card's 2.55 xmenu menu files. Those work on all the n-card clones including the ones disguised as bootleg games.

 

[SylverReZ]

So, I've been curious about this for a little bit, but it's never been done to the same extent as the GBA community. I'm not sure if that's simply because it's impossible or because of a lack of necessity, with R4 cards being abundant and rom hacks being few and far between.

Basically, the GBA has a piece of hardware called a Joey Joebags, or a GBA:RW which functions mostly the same. These exploit the bootleg cartridge's cheaper chips and force an overwrite of the data on them. Basically, these allow you to take a bootleg copy of Emerald and bruteforce an overwrite of... Let's say, Radical Red Edition.

As far as I can tell, the chips used for the Nintendo DS cartridges are identical to these ones used to store the ROM on the GBA, and SHOULD be bruteforceable. I could be entirely wrong about this, but surely you could take a bootleg copy of Diamond and bruteforce Moon Black 2 or something onto the cartridge.

Am I asking if this is practical? No, R4 cards exist which can get romhacks on official hardware easily.
Am I asking if this is a good idea? No, there are plenty of better ways to go about this.

I'm simply asking if this is possible, since it's been something I've thought about for some time now. If I had to guess though, there might be issues with save data on the DS since GBA overwritten carts lose their ability to save without a battery.

Post automatically merged: Dec 9, 2023

If anyone is curious, the reason I want to take on this AT ALL, despite the immense impracticalities is because I love the idea of designing a label, case cover and having an individual cartridge for some of my favorite romhacks.

Kind of emulating that feeling of a new pokemon game for the Nintendo DS with all the bells and whistles.

Bootleg DS games exist (including older multicards) that contain hardware of a reprogrammable flashcard known as N-Cards. It is possible to replace the ROM data from that with another game, as this has been confirmed by me and @Apache Thunder. However, we have yet to overwrite the ROM data completely, as there are a few hoops we have to go through, such as understanding how the write process works. More information can be found on my thread about the N-Card: https://gbatemp.net/threads/anybody-ever-heard-of-n-cards.642562/

 

[Apache Thunder]

Yeah at this point in time you can put a file system on them and use xmenu to boot other games. But flashing any game larger then 16MB onto them directly via the USB writer slot2 device (which you'd have to obtain separately from another N-Card as bootlegs obviously wouldn't include this extra bit of hardware) isn't possible. I think when these cards first game out they used a USB dongle device and older PC side software for that which was likely what they used to flash the bootlegged games onto the cards in the first place. Aside from the novelty of it you'd want to use xmenu on these things anyways. The pre slot2 era usb dongles are pure unobtainium these days.

 

[SylverReZ]

Yeah at this point in time you can put a file system on them and use xmenu to boot other games. But flashing any game larger then 16MB onto them directly via the USB writer slot2 device (which you'd have to obtain seperately from another N-Card as bootlegs obviously wouldn't include this extra bit of hardware) isn't possible. I think when these cards first game out they used a USB dongle device and older PC side software for that which was likely what they used to flash the bootlegged games onto the cards in the first place.

I suspected before that the PC-side software was an earlier version of the interface before they went with the console tool. There is a setting to turn off the menu and overwrite the existing location at 0x40000 with the retail ROM, I imagine. Such examples of cards that have this are the DSFlash2 and the NinjaPass Junior carts.

 

[Apache Thunder]

Yep and their newer usbdll library used by the usbnds console app has code for updating the banner region too though the usbnds program never used that code in the DLL for anything (and the older DSFlash2 app didn't use that DLL). Likely was used by software the devs never made public.

 

[SylverReZ]

Yep and their newer usbdll library used by the usbnds console app has code for updating the banner region too though the older DSFlash2 program never used that code in the DLL for anything. Likely was used by software the devs never made public.

Believe you saw functions for that when you RE'd the code, right?

 

[Apache Thunder]

Yep when I was messing with the USB app in Ghidra I took a look at the dll and saw "logo" related functions and the sections they work on are the banner regions in the primary rom section of nand so am 100% sure that's what they were used for.

 

[SylverReZ]

Yep when I was messing with the USB app in Ghidra I took a look at the dll and saw "logo" related functions and the sections they work on are the banner regions in the primary rom section of nand so am 100% sure that's what they were used for.

Maybe one day, we could prob get it to work with Linux as either a GUI or console app.

 

[LunarPurin]

Unless it's one of those "multigame" carts that are some form of R4 clone, bootleg DS games can be overwritten! As far as I can tell most of them are in fact N-Card clones! N-Card aka Nand Card is an ancient flashcart that existed before the R4. They came onto the scene after the passkey type cards that allowed NDS games from slot2 and were some of the first slot 1 based flashcarts. The interesting thing about them is they pretty much still allow booting modern games. Even SDK5 games like Pokemon Black/White. (just have ot manually tell it what save type they use annd prepatch the AP checks as the flashcart's old loader doesn't do AP patching). All this despite losing update support after 2008! A pretty solid hardware design even if the coding behind it was a bit jank as I've found while doing RE work on them.

The only games I've found to be totally unsupported are 512megabyte size roms like Pokemon Black 2/White 2. Fortunately though there's not many of those size games and only the pokemon games using that rom size were released outside of Japan. So if you see any bootlegs of those games they are likely modified R4 clones with the MicroSD card slot removed/covered up by the cart shell.

Anyways on bootleg game carts even the smallest games come in a 1gigabit n-card cart which has a 128MB nand chip inside. You can convert them to standard N-Cards if you install uDisk onto them using a modified udisk updator (as most bootlegs tend to store their games in a location used differently in properly setup N-Card flashcarts.

I haven't really released anything for flashing bootleg game carts yet though. But maybe there will be something soon for that.

In the mean time you can do some things with them with this tool I wrote:


If you don't get a "This doesn't appear to be an n-card" message on boot then that means your bootleg is a n-card under hood.

You can run the xulumenu bootstrap in nrioTool to install a udisk 1.45 compatible filesystem onto the n-card bootleg. Then use this modified version of GodMode9i to copy files onto the card: (which may or may not break the bootlegged game. it depends on the size of the bootleg game they put on it. If it's a 16MB or smaller game rom then teh filesystem might not break it. But it will be pretty hit or miss. So expect the game the cart was bootlegging to die once you put a filesystem on it.

You can go onto linfox to download n-card's 2.55 xmenu menu files. Those work on all the n-card clones including the ones disguised as bootleg games.

This answers literally everything and more, thank you so much!
I had no idea N-Cards existed and I'm extremely intrigued by them.

It looks line N-Cards themselves are mostly extinct though. I think I'd prefer to go a more direct route with it if any external hardware comes out to do the job.

I'm now curious though, you mentioned some of them are bootleg R4 cards with the micro SD covered by the shell. I've heard that bootleg R4s tend to self-destruct. Is this something to worry about if I attempted to go this route instead of overwriting or is there a fix for the self-destructing boot carts?

 

[SylverReZ]

This answers literally everything and more, thank you so much!
I had no idea N-Cards existed and I'm extremely intrigued by them.

It looks line N-Cards themselves are mostly extinct though. I think I'd prefer to go a more direct route with it if any external hardware comes out to do the job.

You will find an N-Card if the markings on the contacts have either 'ASNAND' or 'ASIC01' on them. The bootleg carts, however, many of them that I have bought only hold around 125MB of storage or 1GBit as they advertise. They can be replaced with a larger NAND flash, however, if you know how to solder, keep in mind that these are TSOP components, and therefore a heat gun/hot air station is required to remove them with ease. You also need to backup the NAND too before flashing it onto the newer chip, as there are commands that the ASIC blob need to respond to, and if not, can render it unusable.

For reference regarding the NAND, the chip on one of my N-Card bootlegs use a Hynix HY27UF081G2M-TPC8 (datasheet found here: https://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html).

I'm now curious though, you mentioned some of them are bootleg R4 cards with the micro SD covered by the shell. I've heard that bootleg R4s tend to self-destruct. Is this something to worry about if I attempted to go this route instead of overwriting or is there a fix for the self-destructing boot carts?

Timebombs do not render the cart unusable physically, as in destroy the on-board flash. Everything is kernel based, meaning that after it has passed a certain date, then it forces you to buy another card. There are methods that can bypass this, such as using RetroGameFan's YSMenu kernel or by installing TWiLightMenu++. More information can be found here: https://flashcarts.net

 

[LunarPurin]

You will find an N-Card if the markings on the contacts have either 'ASNAND' or 'ASIC01' on them. The bootleg carts, however, many of them that I have bought only hold around 125MB of storage or 1GBit as they advertise. They can be replaced with a larger NAND flash, however, if you know how to solder, keep in mind that these are TSOP components, and therefore a heat gun/hot air station is required to remove them with ease. You also need to backup the NAND too before flashing it onto the newer chip, as there are commands that the ASIC blob need to respond to, and if not, can render it unusable.

For reference regarding the NAND, the chip on one of my N-Card bootlegs use a Hynix HY27UF081G2M-TPC8 (datasheet found here:


Timebombs do not render the cart unusable physically, as in destroy the on-board flash. Everything is kernel based, meaning that after it has passed a certain date, then it forces you to buy another card. There are methods that can bypass this, such as using RetroGameFan's YSMenu kernel or by installing TWiLightMenu++. More information can be found here:

Ah, that's actually extremely interesting!
Apparently the timebomb is also exclusive to the r4isdhc carts, and only those produced after 2014.

It's entirely possible the bootleg R4 cards both don't use that variation of the carts, and don't use that version of the software.
Either way, it seems very easy to bypass and I might look into that method of making a custom cart over an overwriting method unless it proves impractical.

While I'm at it, is it possible to force an R4 to boot directly into game instead of a menu?
(Also I keep removing links from the quotes since my account is too baby to post links)

 

[Apache Thunder]

This answers literally everything and more, thank you so much!
I had no idea N-Cards existed and I'm extremely intrigued by them.

It looks line N-Cards themselves are mostly extinct though. I think I'd prefer to go a more direct route with it if any external hardware comes out to do the job.

I'm now curious though, you mentioned some of them are bootleg R4 cards with the micro SD covered by the shell. I've heard that bootleg R4s tend to self-destruct. Is this something to worry about if I attempted to go this route instead of overwriting or is there a fix for the self-destructing boot carts?

You should also keep in mind that retail carts use ROM chips and can't be rewritten. Any bootlegs that exist are gonna be using flashcart type hardware like the N-Card clones disguised as games. N-cards are the closest equivalent right now to GBA bootleg carts. GBA carts though are much simpilar in design due to GBA not having all the extra security and such the DS had so GBA flashcarts haven't really changed a lot over the years. The same can't be said for DS carts so no suprise N-Cards have become rare these days as newer flashcarts with MicroSD slots quickly replaced them after the R4 came out.

There isn't really a open source hardware design for DS carts yet. There's a thread floating around where someone is working on that though....

You might want to keep an eye on this thread if N-Card stuff isn't the route you want to go:

https://gbatemp.net/threads/gathering-ds-flashcard-knowledge-diy-opencard-idea.624757/

 

[SylverReZ]

Ah, that's actually extremely interesting!
Apparently the timebomb is also exclusive to the r4isdhc carts, and only those produced after 2014.

r4isdhc.com carts as well as clones that use the same hardware. Most of the R4i-SDHC carts use DSTTi hardware.

Either way, it seems very easy to bypass and I might look into that method of making a custom cart over an overwriting method unless it proves impractical.

It was already done: https://kynex.ovh/patching-the-timebomb-in-an-r4-flashcart.html

 

[LunarPurin]

You should also keep in mind that retail carts use ROM chips and can't be rewritten. Any bootlegs that exist are gonna be using flashcart type hardware like the N-Card clones disguised as games. N-cards are the closest equilivant right now to GBA bootleg carts. There isn't really a open source hardware design for DS carts yet. There's a thread floating around where someone is working on that though....

You might want to keep an eye on this thread if N-Card stuff isn't the route you want to go:

To be honest, my main thing is simply cost and having the best look.

From what I can tell the cost of a bootleg R4 and a bootleg DS game are roughly identical, and the price of the bootleg R4/multicarts actually seem to average cheaper, especially the ones marketed as 100 in 1 carts.

Though, N-Cards would be much more viable if I wanted to use a transparent custom DS cartridge shell since they don't have the micro SD being an eyesore.

Post automatically merged: Dec 10, 2023

r4isdhc.com carts as well as clones that use the same hardware. Most of the R4i-SDHC carts use DSTTi hardware.


It was already done: https://kynex.ovh/patching-the-timebomb-in-an-r4-flashcart.html

Oh! I might have to give this a shot then. Not sure what exactly I'd want to make an unofficial cartridge of but putting together fake box art and a sticker design should be fun

 

[Apache Thunder]

To be honest, my main thing is simply cost and having the best look.

From what I can tell the cost of a bootleg R4 and a bootleg DS game are roughly identical, and the price of the bootleg R4/multicarts actually seem to average cheaper, especially the ones marketed as 100 in 1 carts.

Though, N-Cards would be much more viable if I wanted to use a transparent custom DS cartridge shell since they don't have the micro SD being an eyesore.

Yeah most N-card PCBs from what I can tell are pretty close to the retail shell design. Though because of the nand chip being on the label side of the shell you still can't really just drop them into retail shells though. Not unless you get really fancy with a dremil tool or something.

N-Cards were more common for bootlegs because unlike other flashcarts, they are able to use the icon of the game they are disguised as when you load them up from DS menu. They even boot properly on DSi if you have CFW (though they won't pass DS Cart whitelist checks like newer flashcarts). Although this is only the case for bootlegged carts actually. Normal N-Cards with a stage2 rom section don't boot correctly direct from System Menu. But you can just use NTR Launcher or Twilight Menu's slot1 launcher for that.

Another reason was unlike other flash carts the very early N-Cards came with software for easily swapping out the icon/rom they boot up from so was easy for cloners to make clones and create bootlegs from them. Newer flashcarts are more locked down and tended not to allow rewriting their internal software as easily. Though as mentioned earlier the USB dongle required to use that ancient software for icon/rom replacement is pretty unoptanium these days.

One of the reasons flashcarts started using fixed unchangable icon/internal roms was due to the DSi's extra security so add that to the reason why the N-Card design wasn't reused in anything past that era. Flashcart makers no doubt tried to lock things down more to avoid getting cloned though the success that had is not great. Most major flashcarts still saw clones despite that.

 

[SylverReZ]

Yeah most N-card PCBs from what I can tell are pretty close to the retail shell design. Though because of the nand chip being on the label side of the shell you still can't really just drop them into retail shells though. Not unless you get really fancy with a dremil tool or something.

The NAND chip does bulge on-top of the label. Only way you can resolve this is by dremeling a small window on the front plastic shell to make room for the chip, similar to what the DSTT has.

Oh! I might have to give this a shot then. Not sure what exactly I'd want to make an unofficial cartridge of but putting together fake box art and a sticker design should be fun

I wish you the best on your project.

 

[LunarPurin]

The NAND chip does bulge on-top of the label. Only way you can resolve this is by dremeling a small window on the front plastic shell to make room for the chip, similar to what the DSTT has.


I wish you the best on your project.

I'm planning on using reproduction cartridge shells if I do go the N-Card route, so it might turn out completely fine in that regard but I guess it's a pretty easy fix that can be entirely covered by the label if that does turn out to be the case ^^;