DS Downloading station hacked!

Discussion in 'NDS - ROM Hacking and Translations' started by Apache Thunder, Jul 1, 2008.

Jul 1, 2008
  1. Apache Thunder (OP)

    I figured out how to get a standard DS Download Station (the volume is irrelevant due to what I did to it, lol) to send any NDS rom to a client DS.

    I replaced a file in the data/mp folder of the DL station rom.

    The following file contains the client rom that normally loads the DL Station on a DS receiving the station rom:

    NDS_ROOT\data\mb\ds_demo_client.srl

    This has a "srl" extension, but is in fact an NDS file! I took a look at it with a hex editor, then noticed the first lines of code matched that of an NDS file, so I opened it with NDS header, and it shows a valid Security CRC, and the other CRCs turned out to be valid, so I went ahead and put a rom in place of the srl file. I tested the Max Media Dock rom, since it was one of the smallest roms I have currently. I renamed my Max Media Dock rom to ds_demo_client.srl and replaced it in the mb folder, repacked the NDS file, and ran it on my DS. I then used my sister's DS to connect to the station. It showed up in the DS Download Play menu as the DS Download Station Vol. 1 (since that's the one I modified), but after the DS loaded it, instead of getting the menu with the game demos, I got the Max Media Dock!

    I'm not sure how useful this could be, since I have only tested one rom as of yet. I will try putting others in and see what happens. I don't expect everything to work (especially if I tried a retail game lol), but this could work out great with homebrew.

    I will edit this thread with any further findings from this. This could be useful since you can send a homebrew rom to another DS and have that DS be able to use that homebrew WITHOUT any slot-1 or slot-2 device. Because both of the DS's have FlashMe installed, I cannot see what would happen with two unflashed DS's, so it's up to you guys to test it out.

    I am off to test some other roms and will keep you posted.

    Also, I'm not sure if anyone here has tried something like this, so be sure to mention that if anyone else has done this to the DL station roms.

    Update: I have tested a few more roms. One was Diner Dash. However, the server DS froze upon startup. This was probably because the rom was too big. Looks like roms will have to be less than 4mb in size, since it appears to be constrained to DS memory limits during an upload attempt. So I did more testing with homebrew, all of which worked 100% correctly when uploaded to the client DS. Here is what I tested:

    WinDS
    DsOS
    DS Rom Dumper (Slot 2 version) v0.31

    Homebrew seems to work perfectly with this. Retail games, however, will not. I didn't expect them to run anyway since the client DS would lack the Slot-1 hardware to allow a retail rom to work properly, but homebrew works just fine! And that's all that matters here. I can think of some useful stuff to do with this.

    Also I was able to edit the text and icon that appear when the client DS shows the DS Download Station in the DS Download Play menu. The icon format is foreign to me, but I edited it anyway and got an icon that I expected. (I hex edited in some numbers and letters, and the pattern of what I put in matches what I got as the icon.) I also edited the top screen description that appears when you select it (when you get the message asking you if you want to download it, you would then see the description on the top screen).

    Anyone got any decent ideas as to what this could be used for? I see a lot of potential in this if used correctly.

    If I am allowed to, I can post up the modified ROM, otherwise this will just become a guide on how to do it yourself. (not that hard really!)
     


  2. zidane_genome

    I would love a guide on this...

    If you could send me a text file of everything you need to hex edit, I'll try to make a GUI tool for you!
     
  3. Apache Thunder (OP)

    Roger that, I'm working on that now!
     
  4. Mooglepinoy22

    I think this would be an amazing step forward in the homebrew community. Not many homebrew games are exclusively multiplayer, and it would give us a chance to spread the homebrew love that many of our friends don't have the opportunity to experience. If anything, I'd think that could be the ideal use for this discovery of yours. My question is, would games that might require external files (lemmings ds for example) not work if sent as a download? Personally I would like to see if I could send the homebrew listed here:

    Pocket Physics
    Still Alive DS
    Colors
    Various Emulators (JenesisDS, etc.)
    Et Cetera...

    I'd sure like to see something done with this. This little project has my full support!
     
  5. 8BitWalugi

    Good job BTW!
     
  6. Spikey

    I've tested with Vol. 8 and Vol. 1. Didn't work with 8, but with 1 it works. Still Alive needs a file system so won't run anyways... but it boots. That's a start.

    Edit: Upon further testing, it only sends correctly to a flashed DS. Unflashed DSs will freeze after the Nintendo logo (assuming that's what shows).
     
  7. Apache Thunder (OP)

    Here's an idea, see if the flashme.nds roms will boot! This could make it so easy to flash DS's it would have to be a crime!

    I'm done with the guide. I am now finding an appropriate file host to host this.

    Oh and here's some photos I took of it:

    [image: view of the first screen before it's selected]
    [image: after it's selected and waiting for the user to press A to start]
    [image: both DS's side by side]


    As for making homebrew like Moonshell work, perhaps some tweaking of the DLDI drivers for that app so that it tries to access a slot-2/slot-1 device instead of looking on the same path that it's residing on. Source code changes will more than likely be needed to make this work out. But stuff like homebrew games or specialty apps that don't save files or access anything will work out of the box. Also GBAExploder and other slot booters should theoretically work, I haven't tried them yet though.

    I will post the guide once it is uploaded.
     
  8. Spikey

    As I said, this only works for sending to a flashed DS. An unflashed DS will freeze at the same point many will remember from the slot 2 days when sending to an unflashed DS. It's too bad...
     
  9. Narin

    It's due to the encryption the Nintendo DS uses when a game sends a demo or multi-play of a game to another DS. Flashing the Nintendo DS bypasses this, so it will only work on flashed Nintendo DS systems.
     
  10. caitsith2

    This is because official Nintendo demos are RSA signed. Since none of the homebrew has a valid RSA signature, it will not send to an unflashed DS. Nintendo took the extra measure to make absolutely certain that even the DS Download Station demo transfer program checks for a valid RSA signature. (Same public key as the DS itself, as part of a chain of trust.)

    Unfortunately, there is no trucha bug in the DS. (Was checked for, after the bug came to light on the Wii.)
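As an added example (not code from this thread), here is a small Python checker for the kind of header check the OP describes doing with NDS header, which also illustrates caitsith2's point: it recomputes the NDS header CRC-16 (stored at offset 0x15E, covering bytes 0x000-0x15D) on a constructed stand-in header, compares the reported ROM size against the roughly 4 MB limit mentioned later in the thread, and shows that a "valid CRC" only proves the file is intact, since after the payload is swapped the CRC can simply be recomputed, whereas the RSA signature the unflashed DS checks cannot. The 4 MB threshold, the constructed header fields and the `####` game code are assumptions for the demonstration.

```python
import struct

HEADER_SIZE = 0x200            # NDS cartridge header length
SIZE_LIMIT = 4 * 1024 * 1024   # ~4 MB ceiling reported in the thread (assumption)


def crc16(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16 used by the NDS header checksum: poly 0xA001 (reflected 0x8005), init 0xFFFF."""
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def restamp_crc(rom: bytes) -> bytes:
    """Recompute the header CRC at 0x15E over bytes 0x000-0x15D, as a repacker does."""
    h = bytearray(rom)
    struct.pack_into("<H", h, 0x15E, crc16(h[:0x15E]))
    return bytes(h)


def build_sample_header(title: bytes, rom_size: int) -> bytes:
    """Constructed stand-in for an .srl/.nds file: a bare header, no code, no real logo."""
    h = bytearray(HEADER_SIZE)
    h[0x00:0x0C] = title.ljust(12, b"\0")[:12]   # game title
    h[0x0C:0x10] = b"####"                        # constructed game code
    struct.pack_into("<I", h, 0x80, rom_size)     # total ROM size field
    struct.pack_into("<I", h, 0x84, HEADER_SIZE)  # header size field
    return restamp_crc(bytes(h))


def check_header(rom: bytes) -> dict:
    """Integrity checks only; a matching CRC says nothing about who produced the file."""
    if len(rom) < HEADER_SIZE:
        return {"title": "", "crc_ok": False, "fits_limit": False}
    stored = struct.unpack_from("<H", rom, 0x15E)[0]
    rom_size = struct.unpack_from("<I", rom, 0x80)[0]
    return {
        "title": rom[:12].rstrip(b"\0").decode("ascii", "replace"),
        "crc_ok": stored == crc16(rom[:0x15E]),
        "fits_limit": rom_size <= SIZE_LIMIT,
    }


if __name__ == "__main__":
    sample = build_sample_header(b"HOMEBREW", 600 * 1024)
    print(check_header(sample))
    swapped = bytearray(sample)
    swapped[0x00:0x0C] = b"OTHER".ljust(12, b"\0")   # stand-in for swapping the payload
    print(check_header(bytes(swapped)))               # CRC no longer matches ...
    print(check_header(restamp_crc(bytes(swapped))))  # ... until it is simply recomputed
```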
     
  11. Maikel Steneker

    It's a shame it won't work for unflashed DSses... Now it won't be of any use to me...
     
  12. Apache Thunder (OP)

    Ahh I had a feeling that SGN file that resides in the same folder might have something to do with it.

    Looks like whenever they made the SRL file (the rom for the client DS), they used a batch file to generate a SGN file for it.

    That's about the only hint to how the whole RSA signing process works. Unless you get your hands on the NitroSDK stuff that the batch file links to, then not much can be done about it.

    Ok here's the guide for the hex editing stuff and such. Also includes NitroExplorer2 for ease of use.

    http://rapidshare.com/files/126251521/Editing_Guide.rar.html

    This also includes the rom I edited. Since the DL station is just a bunch of free demos, it shouldn't hurt to post it. But it will be removed if a mod requests me to.
     
  13. strata8

    Wouldn't using an EFS work?
     
  14. Curley5959

    Might do.. depends.. I think it's more trouble than it's worth just for a few demos and trailers of games and such!!
     
  15. FAST6191

    Regarding file systems assuming you keep within limits then FCSR has a fair chance of working.
    It can get a bit complex but the tool DLDIRC/dldi right click is a good start if you do not want to play around with the command line (check around the DLDI guide here by Opium as I seem to recall adding some links to the more in depth stuff).

    As for what to post, a batch file would probably be a good idea.

    Regarding RSA, it seems Mr Korth did some work and I am seeing echoes of the Wii (trucha) stuff there as well (of course such things would have already appeared should it matter, so I doubt we are going to find anything new, and 1024 bits is a bit long for the brute force, and RSA was still secure last I checked (I assume the number is a decent one from a cryptographical standpoint, i.e. no 7 x very large number)).
    http://nocash.emubase.de/gbatek.htm#dswifimultiboot
     
  16. Doggy124

    I got an idea!
    This hack + DS2DS (file transfer homebrew):

    You and your friend (both have a flashcart and a flashed DS) want to share a small (i.e. save/txt) file.
    You have DS2DS on your DS but your friend doesn't have it.
    You use this hack, modified to send DS2DS, to send the program to your friend,
    then use DS2DS to transfer the file you want.

    I might try this If I have some time.
     
  17. Apache Thunder (OP)

    Someone needs to test the largest rom size they can send. The largest homebrew rom I tried was around 600kb. However, the large file tests I did were at least 6mb+ in size and those failed.

    I did say it's probably limited to 4mb, but chances are it could go a bit higher or is a bit more limited to less than exactly 4mb. Since I don't have a rom that pushes the 4mb limit, I have no way to test it.

    What I could do is put a dummy file into an NDS file prior to renaming it to the SRL file so that it's the file size I want; I could then test the file size limits.

    As for EFS and FCSR....I seem to be left out of the loop on those particular *cough* "abbreviations", so please fill me in as to what those two stand for.
     
  18. Treflex

    Nice job! I tried this once before, but instead of replacing the .srl file I was replacing the demos that get sent out for download. I guess I was doing it wrong =X
     
  19. zidane_genome

    Would anyone still like a program made for easy inserting of Homebrew? Since the flash needs to be done, not sure if anyone still wants this...
     
  20. Apache Thunder (OP)

    Yes, the demos seem to be compressed. Unless someone here has a tool that can decompress/compress them, those can't really be swapped out for anything else. Also, the demomenu (which is also compressed) specifies what demo games are available and what files they link to. It also contains help info and such for each one. It's sent to the client DS after the original SRL file boots up on the client side and starts communicating with the server again. The file is then sent and the SRL then displays the available games.


    This would have to be edited if you don't want to be stuck with the filenames used by the original demos. Editing this would also theoretically allow more than the original amount of games. Unless you decide to make a homebrew version of the original SRL file, then all this decompression work could be avoided. As with the SRL files, the demos seem to be limited to 4mb and less, since you can pop anything in their place (wouldn't matter if it's compressed or not) and the client DS will begin downloading it (but it won't boot, obviously). If the file is too large, the client DS freezes immediately when it tries to tell the server to send it. I think the server doesn't crash in this case.

    I'm not sure if only the SRL needs RSA. Perhaps the original SRL file, once loaded on the client DS (which has working RSA and works on all DS's), can be tricked into loading homebrew instead of the demos. But given the amount of time that has passed since the DS came out, I'm sure a workaround like this wouldn't work, since no one has tried it yet and said anything, so this all could just be a wild goose chase here.

    If the demos can be uncompressed, then rather large homebrew or retail games could be recompressed and could then be used. The compression is probably used to get around memory limits for upload and such. Also to cut down on upload/download time. In all likelihood, the demos aren't decompressed by the server DS during transfer. The client DS probably does the decompression work upon booting the game. It also by off chance could be an encryption format that doubles as compression, so then you're really screwed if the demos are encrypted. Then a homebrew SRL file would be required.


    EDIT: Go ahead and make the GUI tool if you feel the need. It's a real drag that it won't work on unflashed DS's, but this can still be used for those who have flashed DS's. In fact, I do believe the DS that is acting as the server can be unflashed or flashed, since only the receiving DS would have to be flashed. But I could be wrong on that.
     
