DSi bootrom dumped andnew exploit disclosed @37th CCC
- Thread starter syrusch
- Start date
- Views 5,293
- Replies 31
- Likes 7
What does Gericom's new project GCDTool (https://github.com/Gericom/GCDTool) used for?
Can we flash the GCD rom to a flashcard, and use a magnet to trigger ntrboot and load a firm on sdcard, like we do for 3DS?
Can we flash the GCD rom to a flashcard, and use a magnet to trigger ntrboot and load a firm on sdcard, like we do for 3DS?
Yes, you can!What does Gericom's new project GCDTool (https://github.com/Gericom/GCDTool) used for?
Can we flash the GCD rom to a flashcard, and use a magnet to trigger ntrboot and load a firm on sdcard, like we do for 3DS?
This fork of ntrboot_flasher_nds does just that, and should work on Ace3DS+, Acekard2i, and DSTT.
https://github.com/Epicpkmn11/ntrboot_flasher_nds/tree/twl
Next step would be to find a GCD ROM to use.
- Joined
- Oct 7, 2007
- Messages
- 4,426
- Trophies
- 3
- Age
- 36
- Location
- Levelland, Texas
- Website
- www.mariopc.co.nr
- XP
- 6,794
- Country
Could try and use the bootloader SRL used with HiyaCFW as a source for building the GCD rom as a way to test things? (as they are basically patched arm binaries from stage2 section of nand) I imagine the arm binaries are similar to the ones on stage2 section of nand and I think the entry addresses used check out for this.
- Joined
- Sep 13, 2022
- Messages
- 7,178
- Trophies
- 3
- Location
- The Wired
- Website
- m4x1mumrez87.neocities.org
- XP
- 22,026
- Country
- Joined
- Oct 7, 2007
- Messages
- 4,426
- Trophies
- 3
- Age
- 36
- Location
- Levelland, Texas
- Website
- www.mariopc.co.nr
- XP
- 6,794
- Country
That would be cool but I'm about 80% sure the blowfish key is hardcoded in the blob chip. It's not on nand last I checked....Unless the blob chip dynamically generates the blowfish key depending on the game code the main rom uses ...but I doubt that.Next future step: Get the N-Cards/DS Linker running ntrboot.
Is the GCD ROM something that was used in the factory to flash the console or something like that? I guess this is what @PoroCYon meant with the new exploits that were being discovered.
I also wanted to know if the ntrboot flasher for TWL works in "www.r4isdhc.com" carts, I did use those kind of flashcarts for 3DS ntrboot and they work just fine.
No idea.
It does not work for those carts, or any other Demon/timebomb flashcard, due to issues related to the blowfish.
Oh well, I wonder if the Ace3DS X is compatible, it seems like it's the card that is being offered right now by most sellers on sites like Aliexpress.
EDIT: It could be my fault for not finding the Ace3DS+, Aliexpress search sucks.
- Joined
- Oct 7, 2007
- Messages
- 4,426
- Trophies
- 3
- Age
- 36
- Location
- Levelland, Texas
- Website
- www.mariopc.co.nr
- XP
- 6,794
- Country
On the subject of the demon timebomb carts. I found out how the blowfish is setup on mine. The 48 byte chunk starts at 0x1000 in the dump with the rest the exact spacing it would normally be if the entire rom was at 0x1000. (so the main blowfish is at 0x2000.
But there's another copy of the blowfish at 0x1F1000 where the header for the game is placed. (that one I'm unsure if it uses...probably does).
Not sure why it has two copies but you could try updating them both. I may attempt this myself. The test GCD should fit in the 0x1F1000 region without me having to worry about the arm7 binary since that is stored right next to the arm9 binary. I'd have to edit the header otherwise and that would be tricky to do since I'd have to resign it and I'm not setup for that currently. But you could give this ago on your end too and see if that works.
By the way the second copy of the blowfish looks like the setup the GCD uses. But the first copy at 0x1000 has some unrelated data in between the first 48 byte chunk and the rest instead of zero data...not sure what that other data is used for...
EDIT: Yep it worked. I have already let Robz know about this.
Last edited by Apache Thunder,
-
K3Nv2
-
Sonic Angel Knight
-
BakerMan
The snack that smiles back, Ballsack!
