Dumping ROMs with NDS Adaptor Plus

Discussion in '3DS - Flashcards & Custom Firmwares' started by elisherer, Oct 8, 2011.

  1. elisherer
    OP

    elisherer I ♥ 3DS

    Member
    778
    153
    Dec 16, 2009
    Iceland
    3dbrew.org
    Hello everyone.

    I tinkered with the NDS Adaptor Plus exe file and managed to get some hidden stuff visible.

    With a hex editor, make the following changes in 'NDS_Adaptor_Plus_V3.02.exe':


    Code:
    0x0018C: 001C -> 5C1B
    0x00318: 001C -> 5C1B
    0x9B7ED: 08 -> 09
    0x9B849: 08 -> 09

    Tell me what you think...
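The four edits above are plain byte patches at fixed file offsets. The script below is an added example (not elisherer's tool and not the adapter's own software) that parses the post's `OFFSET: OLD -> NEW` notation and applies the patches to a copy of the exe, refusing to write if any offset does not already hold the bytes the post says are there, so a different build of the program is left untouched. It assumes the hex pairs are byte sequences in file order (`001C` means the bytes `00 1C`), which is an interpretation, not something the post states.

```python
"""
Apply the offset patches listed in the post to a copy of
NDS_Adaptor_Plus_V3.02.exe, checking the original bytes first.

Example code added to this thread; not elisherer's tool.
Assumption: each hex pair is a byte sequence in file order.
"""
import sys
from pathlib import Path

# The patch list exactly as written in the post.
PATCH_TEXT = """\
0x0018C: 001C -> 5C1B
0x00318: 001C -> 5C1B
0x9B7ED: 08 -> 09
0x9B849: 08 -> 09
"""


def parse_patch_line(line: str):
    """Parse one 'OFFSET: OLD -> NEW' line into (offset, old_bytes, new_bytes)."""
    off_text, rest = line.split(":", 1)
    old_text, new_text = rest.split("->")
    old = bytes.fromhex(old_text.strip())
    new = bytes.fromhex(new_text.strip())
    if len(old) != len(new):
        raise ValueError(f"old/new length mismatch in {line!r}")
    return int(off_text.strip(), 16), old, new


def parse_patch_text(text: str):
    """Parse every non-empty line of the post's patch block."""
    return [parse_patch_line(ln) for ln in text.splitlines() if ln.strip()]


PATCHES = parse_patch_text(PATCH_TEXT)


def apply_patches(data: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy of `data`.

    Every offset must hold the expected original bytes; otherwise the file
    is probably a different version and nothing is written.
    """
    buf = bytearray(data)
    for off, old, new in patches:
        have = bytes(buf[off:off + len(old)])
        if have != old:
            raise ValueError(
                f"offset {off:#07x}: expected {old.hex()} but found {have.hex()} "
                "(wrong exe version?)"
            )
        buf[off:off + len(new)] = new
    return bytes(buf)


def patch_file(src: Path, dst: Path, patches=PATCHES) -> Path:
    """Write the patched image to `dst`, leaving the original exe untouched."""
    dst.write_bytes(apply_patches(src.read_bytes(), patches))
    return dst


if __name__ == "__main__":
    # Usage: python patch_adaptor.py NDS_Adaptor_Plus_V3.02.exe patched.exe
    source, target = Path(sys.argv[1]), Path(sys.argv[2])
    print("wrote", patch_file(source, target))
```

Keeping the original file and writing a separate patched copy means a mismatch in any of the four offsets aborts before anything is changed, which is the check you want when a later version of the exe shifts these addresses.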
     


  2. SifJar

    SifJar Not a pirate

    Member
    6,022
    891
    Apr 4, 2009
    What does it do and how is it related to 3DS Hacking or Homebrew?
     
  3. elisherer
    OP

    elisherer I ♥ 3DS

    Member
    778
    153
    Dec 16, 2009
    Iceland
    3dbrew.org
    Possibly reading 3DS ROMs in the future can help understanding the 3DS native code, thus helping develop homebrew.
     
  4. evandixon

    evandixon PMD Researcher

    Member
    1,646
    773
    May 29, 2009
    United States
    Backs up the first 16 KB properly, then freezes. Upon removing the backup adapter, it somehow continues writing to the file that cannot be run in an emulator and isn't displayed correctly in DS Buff.

    Tested on Game and Watch collection.
     
  5. elisherer
    OP

    elisherer I ♥ 3DS

    Member
    778
    153
    Dec 16, 2009
    Iceland
    3dbrew.org
    Same here..
     
  6. Critica1

    Critica1 GBAtemp Regular

    Member
    185
    33
    Oct 4, 2011
    United States
    CA
    Good work here.

    Turns out the NDS Adapter Plus proves yet another hardware flaw. If LGC really did dump those roms it would certainly be by hardware.

    edit: This isn't used to dump roms? It's used dump game saves. I've clearly been misled.
     
  7. nano351

    nano351 GBAtemp Regular

    Member
    259
    2
    Jun 6, 2009
    United States
    If it is possible to dump an entire game ROM with this, someone should dump one of the games LGC dumped and compare to see if matches to see if we can get legit dumps.
     
  8. Critica1

    Critica1 GBAtemp Regular

    Member
    185
    33
    Oct 4, 2011
    United States
    CA
    It might be possible to dump a 3DS cartridge from this. First we would need to research:
    * The hardware flaw
    * What makes it possible to dump a NDS cartridge in the first place.

    Furthermore, we need to understand if there is any computer software for the NDS Advance Plus and what it does.
    Lastly, research if there is any changed hardware or added protection to the 3DS cartridge itself to prevent performing this task.

    Remember, we aren't 100% positive how LGC dumped those roms.
    They might have discovered another flaw.
    Rest assured, it was by hardware means.

    Edit: Here is an example that I recently came across. This concept is very interesting.
     
  9. TCJJ

    TCJJ GBAtemp Fan

    Member
    457
    87
    May 5, 2009
    New Zealand
    New Zealand
    Just a guess, but since the NDS Adaptor [Plus] is designed to handle saves, perhaps it only allows the transfer of a certain file size. Or perhaps any encryption (not sure if the DS ROMs have encryption, although I don't remember them having any) could cause a problem. Although, 16 KB is too small for the average DS save file. DS save files go up to 512 KB in size (I want to say there are some games that have 1 MB save files, but none come to mind, so probably not).
     
  10. Critica1

    Critica1 GBAtemp Regular

    Member
    185
    33
    Oct 4, 2011
    United States
    CA
    I think save dumping is only possible because save decryption was figured out. I've come up with some pretty good designs to dump a DS/3DS game via hardware debugging, but I'm very sure it's going to be more than just hardware to dump the NOR (NAND?) EEPROM.

    In the meantime, I am continuing documenting the differences between the 3DS and DS cartridges. Hopefully this will give us better insight on what's being emulated.

    Recent thoughts:
    Backwards compatibility for GBA/GB cartridges obviously removed as a potential hardware threat to the 3DS system.
    DS rom dumping is hard information to come across.
     
  11. Immortal_no1

    Immortal_no1 GBAtemp Regular

    Member
    266
    12
    Jul 17, 2003
    Looking into this now. Made the mod and had a look at the ASM; there are actually a few more things that aren't enabled, such as:
    Option to select "new game"
    Button for "Upgrade"
    Button called "BitBth4" - Seems to be some sort of refresh
    Button called "BitBth5" - Unsure of what this does, appears to do nothing

    BitBth 4 + 5 are placed in the middle of the screen, so it would appear as though they are remnants of previous builds.

    Haven't currently got my NDS Adapter Plus to hand; I'll try it out tonight and see what everything does. May be able to work around the issues reported in the above posts.

    I could post the differences to enable the options, but the differences are too numerous and would take a while to change everything.

    I'm still a little hazy on what we can and cannot post links to on the forum, so... I can provide a link to the modified executables with the options enabled in a PM until someone can confirm that the links can be displayed here.
     
  12. elisherer
    OP

    elisherer I ♥ 3DS

    Member
    778
    153
    Dec 16, 2009
    Iceland
    3dbrew.org
    Don't trouble yourself. Just find Resource Hacker and hack the exe... there's a form in the exe. Edit it (it's written in Delphi) and you could enable everything...
    I posted the changes for the exe because I know not to post an altered official exe file...
    And of course I enabled the mentioned buttons... one of them is like the download button, but I don't want to try them because of fearing it would damage my cart..
    I mentioned the ROM/EEPROM checkboxes because I tried them and they are harmless..

    Apparently they didn't insert code to dump 3DS ROMs, so we need to reverse engineer the NDS adapter driver and create our own program to talk with the cart.
     
  13. Immortal_no1

    Immortal_no1 GBAtemp Regular

    Member
    266
    12
    Jul 17, 2003
    To a point you can reverse engineer it. I would be inclined to have a look at the DLLs and make a new app which uses them to do what we want. It would be a long task unless we can get the input parameters, which isn't a hard thing, just a little time, a disassembler, and time off work would be nice too :)
     
  14. Dimensional

    Dimensional GBAtemp Advanced Fan

    Member
    579
    73
    Dec 7, 2008
    United States
    Texas
    I had sent a PM to someone about this idea, but never got a response. I hope this works out. Would be a new way for me to back up my games, since my DSlite is dead.
     
  15. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,918
    255
    May 16, 2008
    Antarctica
    You would have to rewire some of the circuits on the adaptor for it to dump all the ROM. The NDS Adaptor+ only uses the pins for reading the save and power.

    Making it read non-existent contacts will do what you made it do: sit and wait until it makes a connection, aka the "it just hangs" issue.
     
  16. Critica1

    Critica1 GBAtemp Regular

    Member
    185
    33
    Oct 4, 2011
    United States
    CA
    I knew it only looked like a good idea. Never was an actual good idea xD
     
  17. Immortal_no1

    Immortal_no1 GBAtemp Regular

    Member
    266
    12
    Jul 17, 2003
    Are you 100% positive about that?

    I played around with it last night and it's true it dumps the first 16k of the ROM; byte-compared it with a known ROM I dumped and it matches perfectly byte for byte. Everything after that point appears as garbage. I would imagine that after the 16k (header?) a key would need to be injected in order to dump the rest of the contents.
     
  18. lazymarek

    lazymarek Member

    Newcomer
    30
    0
    Dec 18, 2010
    Gambia, The
    After 16k into the ROM image (at offset 0x4000) the first NCCH block usually starts.
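The two posts above describe the check that tells a usable dump from a broken one: the first 16 KB (0x4000 bytes) match a known-good image byte for byte, and everything after that is unreadable. The script below is an added example, not a tool from this thread or from the adapter's vendor. It compares the header region against a reference image, reports the first differing offset, and computes Shannon entropy per 0x4000-byte chunk so the point where the data turns to garbage is visible as a jump to close to 8 bits per byte. The two images it works on are constructed in the script (a repetitive fake header followed by either zero padding or pseudo-random bytes), not real cartridge dumps.

```python
"""
Compare a cartridge dump against a reference image and profile its
entropy per 16 KB chunk.

Example code added to this thread; not from the thread's participants.
The sample images below are constructed, not real ROM data.
"""
import math
import random
from collections import Counter

HEADER_SIZE = 0x4000  # 16 KB; the region the adapter is reported to read correctly


def first_difference(a: bytes, b: bytes, limit: int = HEADER_SIZE):
    """Offset of the first mismatching byte within the first `limit` bytes.

    Returns None when the compared region is identical. If one image ends
    before `limit`, the shorter length is reported as the mismatch point.
    """
    n = min(len(a), len(b), limit)
    for i in range(n):
        if a[i] != b[i]:
            return i
    if len(a) != len(b) and n < limit:
        return n  # one image is truncated inside the compared region
    return None


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: near 0 for padding, near 8 for encrypted or random data."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())


def entropy_profile(image: bytes, chunk_size: int = HEADER_SIZE):
    """List of (offset, entropy) pairs, one per chunk of the image."""
    return [(off, shannon_entropy(image[off:off + chunk_size]))
            for off in range(0, len(image), chunk_size)]


def classify_dump(dump: bytes, reference: bytes) -> dict:
    """Summarise whether the header matches and how the entropy develops."""
    diff = first_difference(dump, reference)
    return {
        "header_ok": diff is None,
        "first_diff": diff,
        "profile": entropy_profile(dump),
    }


# --- constructed sample images (not real cartridge data) ---
_rng = random.Random(2011)
HEADER = (b"NDS ADAPTOR TEST HEADER\x00" * (HEADER_SIZE // 24)).ljust(HEADER_SIZE, b"\x00")
# Reference: fake header followed by zero padding.
REFERENCE = HEADER + bytes(HEADER_SIZE)
# "Dump": same header, then pseudo-random bytes standing in for the garbage
# region; the first garbage byte is forced non-zero so the mismatch offset is fixed.
GARBAGE = bytes([0x5A]) + bytes(_rng.getrandbits(8) for _ in range(HEADER_SIZE - 1))
DUMP = HEADER + GARBAGE


if __name__ == "__main__":
    result = classify_dump(DUMP, REFERENCE)
    print("header matches reference:", result["header_ok"])
    print("first difference over whole image:",
          hex(first_difference(DUMP, REFERENCE, limit=len(DUMP))))
    for off, ent in result["profile"]:
        print(f"chunk at {off:#07x}: {ent:.2f} bits/byte")
```

On a real pair of files the same functions would be called on `Path(...).read_bytes()` contents; a header that matches with a sharp entropy jump at 0x4000 is exactly the pattern the posts above describe, whereas a mismatch inside the first 16 KB points at a wiring or transfer problem rather than encryption.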
     
  19. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,918
    255
    May 16, 2008
    Antarctica
    Yeah, I am pretty certain that you would have to rewire or add parts to the PCB, since a lot of the contacts terminate at soldered dead-end points and are not traced on the other side.

    [IMG]
     
  20. Immortal_no1

    Immortal_no1 GBAtemp Regular

    Member
    266
    12
    Jul 17, 2003
    Nice one, I haven't taken mine apart yet. From what I can see in your pic none of the data lines are connected unless it's a multi-layered PCB and the contacts are made on one of the internal layers. I'll have a look when I get the time. It may be possible to wire up the extra pins. Oh, I can just use my Neo SMS4..... would be easier.. :)