Hacking DS-Xtreme OpenSource Firmware Project

reveng

I thought a team dumped the firmware/launcher already for the DS-X like they did for the Cyclo?
Yeah, it even works for "temporary downgrading" (to play stuff that doesn't work in the 1.1.2s). But so what? The firmware binary is only a small part of this project.

EDIT: http://gbatemp.net/index.php?showtopic=583...21&#entry746321

Hey Guys,
From my understanding the file that was dumped using No$GB and the WiFi connector was only the NDS launcher. That's not quite the firmware, although it is contained in the firmware download.


Maybe this will clarify:

The PC Updater application you download from the DS-X site, when run, downloads update.txt and update.bin from the dsx servers. Update.bin contains firmware for the USB controller chip, configuration data for the FPGA chip and the NDS launcher.

The part you have is the launcher, which is stored internally inside the DSX cart in either the FPGA or on a private partition in the EEPROM.

My goal will be to extract a clean copy of this from the Update.bin file. I can use what was as a reference copy to see where it is in the update.bin file.

DSX Cart OpenSource Firmware Project
 

reveng

Keep up the hard work. I would love an open-source firmware. My DS-X currently works, but I would prefer open source to closed source with just about everything I own.

Hi throwingks,
Thanks for the encouragement, funny I was just laughing at your "is a fine card" message on the dsx forums, won't be there for long.
 

dib

If you would prefer an open client and firmware, then try doing something about it like pressuring them. If you think they're going to volunteer the information out of the kindness of their hearts, you're either really new or really hopeless. The only way it will happen is if you hold their feet to the fire.
 

throwingks

^ IMO, you are 100% exactly wrong.

They won't even release a firmware update, what makes you think they will divulge their secrets? The only way to do it, is to brute force it.
 

FAST6191

@dib before this round of DLDI and libraries even trying to prise read/write code from flash cart companies (something I dare say determined the success of the early SC and M3 line compared to a lot of the others) was like getting blood from a stone and most of the time had to be reverse engineered like this (although this looks to be about 50 times more involved).

@reveng I never got a DSX (LEDs and the "power of the FPGA" line screamed gimmick) but it looks to be a nice reverse engineering project you have going on here. Good luck learning the 10 different flavours of ASM this looks like it will need.
 

reveng

@Dib
@Throwingwinks

Hey Guys,
I did try asking them for the firmware before I started, in a few different guises and with a few different methods.

Now I assumed they would not be forthcoming, but that had to be done legally before embarking on a reverse engineering project.

To be fair try getting info on the R4DS, they are all alike, even the aceKard does not give the firmware, just the launcher.

All these flash cards shout of "HOMEBREW" friendly when they are not. HOMEBREW friendly would mean full specs on everything from the electrical schematics, to the firmware...

If you work commercially in the software engineering area, this sort of information is the norm. Look at the links I have provided on the project page, Cypress (usb) - full specs, Actel (fpga) full specs....

The Hackers, don't like being hacked
 

reveng

@reveng I never got a DSX (LEDs and the "power of the FPGA" line screamed gimmick) but it looks to be a nice reverse engineering project you have going on here. Good luck learning the 10 different flavours of ASM this looks like it will need.

Hey FAST6191,

Yeah, lots of different components, but all quite fascinating..
The only flavour of ASM that will be new to me is the FPGA, and that's not quite ASM, more like software wirewrapping if you know what I mean. That's the area I'm currently most fascinated with and partially the driving force behind the project....

The DSX firmware updater is actually the key to everything, once that's disassembled all else follows.

Thanks for the encouragement, always nice to hear it's interesting to others..
 

FAST6191

Re: FPGA "asm", yeah that probably was the wrong word. If you will permit the analogy for me ASM is learning a set of opcodes and their uses, FPGA coding (and to a lesser extent the other programmable chips) is making your own opcodes.
While I have not got much in the way of FPGA dev experience I find the best way (aside from a good bit of knowledge of low level electronics: http://ocw.mit.edu/OcwWeb/Electrical-Engin...ience/index.htm and http://webster.cs.ucr.edu/AsmTools/HLA/ I know it's "normal" ASM but it does have some stuff if you needed links) is somewhere between thought exercise (this is problem (which will probably become apparent from the "holes" in the disassembly you have) and how would I pull it off) and emulation of components (with a side of brute force).

If I had to guess they probably use it as a kind of hardware interface (USB port, LEDs etc: most other makers use something a bit more suitable like a CPLD) and had maybe intended it as a kind of co-processor (probably more graphics card than math coprocessor although they could have kicked MP3 support to it).
Actel if I recall correctly (it has been about a year and a half since I laid hands on it) also have a reasonable (as in fairly featured) dev kit/compiler if you can lay your hands on it, assuming they used it you can even go some way to decompiling the code straight up.

Also on the subject of DLDI did the DSX ever get a good one (unaligned read, write, good speed etc)? I remember reporting on one ages ago but never followed up.

As for the updater: emulation of the PC/windows is the key here for me (I did a few rudimentary handshake protocols a few months back) as that is probably the best way to get full dumps of the code. You may have to go a bit back into the past as a lot of things have full hardware access now or an interpreter that can feed stuff straight into it.
 

reveng

Thanks Fast6191,
Very good links for information....

No probs, the "ASM" model of describing the coding for the FPGA works.. Actually who knows they may have core emulations on the FPGA!

Already got dumps of all the firmware, if you haven't looked here's the links
DSX Files
DSX Project
DSX Hardware Info


Done some rudimentary disassembly on the updater, but still experimenting with the best decompiler.
Since I know most of the APIs included in the updater (see project), I'm after a decompiler that can use this info, to give me the most readable code, to start with.

Still early days with the project, but some good progress..

Best r.


 

dib

@dib before this round of DLDI and libraries even trying to prise read/write code from flash cart companies (something I dare say determined the success of the early SC and M3 line compared to a lot of the others) was like getting blood from a stone and most of the time had to be reverse engineered like this (although this looks to be about 50 times more involved).
Oh yeah I'm very aware of that fact, I own an EZFA cart for the GBA after all. Borden never released any libraries for it, so no homebrew could ever use features like the real time clock, nor even support things like soft reset on it. Lots of homebrew just plain didn't work/didn't save. Great compatibility with commercial products, however.

Do you have a 512 or a 2048 DS-X, reveng? Just curious because there are bound to be some differences between the two. When they said the two would be exactly the same, I'm not sure I believe that considering it required brand new firmware.

Nice updates on the wiki btw, it's becoming very informative.
 

throwingks

Does the PC Software need to be cracked at all? Couldn't we just intercept it, and have it redirect to a different server with the homebrew versions of update.txt and update.bin.
 

reveng

Does the PC Software need to be cracked at all? Couldn't we just intercept it, and have it redirect to a different server with the homebrew versions of update.txt and update.bin.

Hey Throwingwinks,
It's easy to have the updater redirected to another server, just compare Shuny's Updater to the DSX Updater and you will see how it's done (maybe I should put that info on the Wiki?). EDIT: added to the Wiki.


The problem with that is, what does it achieve? You still can't update the firmware with your own.

The firmware file Update.bin is either encrypted or ZLIB Compressed. I think the latter is probably the case, also what are all the values in Update.txt about?

My approach to find out what is going on with update.bin is decompiling the DSX updater, yes people could just work on cracking update.bin (feel free to hack at it, help is very welcome). Then you could just use the DSX updater as the firmware writer.

You could also step thru the DSX updater with an x86 debugger and see what it's doing to update.bin, again feel free to hack at it, all the help you can give is welcome.

To achieve the OpenSource goal though the updater will need decompiling as with the other components.

AN OBSERVATION ON THE UPDATER:
Since you have to download the updater from the dsx site, why on earth did they go thru all the trouble of coding with indy sockets to then download update.txt and update.bin. It would have been much simpler/reliable to just download update.bin and update.txt with the updater! or bury these files inside the updater or tell people to download them. If the R4DS approach of adding the launcher NDS with the skin files had been taken, it would've saved them so, so, so much work in making updates as only the launcher module would've been changed for many of the updates.

COMMENT DSX TEAM? Anyone there, hello..echo echo echo..hello......



Hope That makes sense?
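
An added example, not part of the original posts and not the project's code: one way to test the "encrypted or ZLIB compressed" question on a firmware blob and to locate a known reference dump (such as the launcher) inside it. High entropy alone cannot separate the two cases, so the check is whether any offset inflates cleanly. The function names are hypothetical and the sample blob is constructed, since the real layout of update.bin is not given in the thread.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 mean compressed or encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_zlib_streams(blob: bytes, min_out: int = 64):
    """Return (offset, compressed_len, inflated) for every stream that inflates cleanly."""
    hits, pos = [], 0
    while pos < len(blob) - 1:
        cmf, flg = blob[pos], blob[pos + 1]
        # RFC 1950 header: CM=8 (deflate), CINFO<=7, (CMF*256+FLG) divisible by 31
        if cmf & 0x0F == 8 and cmf >> 4 <= 7 and ((cmf << 8) | flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[pos:])
            except zlib.error:
                out = b""
            if d.eof and len(out) >= min_out:  # eof means the Adler-32 trailer matched
                used = len(blob) - pos - len(d.unused_data)
                hits.append((pos, used, out))
                pos += used
                continue
        pos += 1
    return hits

def locate_reference(blob: bytes, reference: bytes, probe: int = 32):
    """Locate a known dump: ('raw', offset, None) or ('zlib', stream_offset, inner_offset)."""
    needle = reference[:probe]
    raw = blob.find(needle)
    if raw != -1:
        return ("raw", raw, None)
    for off, _, out in find_zlib_streams(blob):
        inner = out.find(needle)
        if inner != -1:
            return ("zlib", off, inner)
    return None

# Constructed sample (NOT the real update.bin): header, zlib-packed "launcher", random tail.
rng = random.Random(1)
launcher = b"NDS-LAUNCHER" + bytes(i * 7 % 251 for i in range(4000))
tail = bytes(rng.getrandbits(8) for _ in range(2048))
sample = b"HDR\x00" * 4 + zlib.compress(launcher) + tail

if __name__ == "__main__":
    print("tail entropy:", round(shannon_entropy(tail), 2))
    print("launcher found:", locate_reference(sample, launcher))
```

If no offset inflates and the reference dump is not found raw either, the blob is more likely encrypted or packed with a different scheme, which is where stepping through the updater in a debugger comes in.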
 

reveng

Do you have a 512 or a 2048 DS-X, reveng?  Just curious because there are bound to be some differences between the two.  When they said the two would be exactly the same, I'm not sure I believe that considering it required brand new firmware.

Nice updates on the wiki btw, it's becoming very informative.

Hey Dib,
Thanks for the comments, glad you liked the WiKi updates. I've added info on how Shuny's downgrader works.

I have a 4gb (512MB) card, good point we need info on the other flavours of DSX Carts.

If anyone out there has a DSX cart that is not the 512gb model could they update the Wiki.

Obviously check its not already there before you update.

Your help is always greatly appreciated.
 

reveng

Sorry all,
I've just had to add a humongous warning to the project hardware page as I noticed someone had bricked their DSX and was posting for help on the DSX site.

The hardware page did already have the following:

!!!Please don't mess with the firmware if you are not a well seasoned programmer, as I guarantee you will BRICK IT!!!!

but to keep my conscience clear I've made it very much in your face. It's pretty ugly but it does get the point over.

I also edited the first post in this thread with a similar warning.

I guess it's one of the pitfalls for opening up information, on the brighter side Sir Frank Whittle nearly blew himself up whilst testing his new invention "The Jet Engine" (so the story goes).

If you don't experiment, you'll never know! (not that this is anywhere in Whittle's league)
 

pbolmstedt

Since you have to download the updater from the dsx site, why on earth did they go thru all the trouble of coding with indy sockets to then download update.txt and update.bin.

I can think of several reasons:

1. One updater should be usable for all updates; no need to re-download it every time
2. It lets the DS-X team control which update(s) people are able/allowed to install (if v1.1.0 was bundled with the updater, people wouldn't need Shuny for downgrading, right?)
3. It lets the DS-X team "silently" update the firmware (as was done with the second revision of 1.1.2) and just tell people to "run the updater again".

Nothing strange about this IMHO, I would have done it the same way.
reveng: what are all the values in Update.txt about?
Looks like hashes of the firmwares. Probably used for checking which firmware is currently installed?
 
