they implemented a brick code, for whatever reason. they are then trying to confirm that its not happening to many people, they are trying to save themselves and have lost many customers, they done screwed up
they implemented a brick code, for whatever reason. they are then trying to confirm that its not happening to many people, they are trying to save themselves and have lost many customers, they done screwed up
- Joined
- Apr 29, 2011
- Messages
- 31,284
- Trophies
- 2
- Age
- 38
- Location
- Dr. Wahwee's castle
- XP
- 18,969
- Country
Normatt was not aware that brick code existed when he released his region-free exploit, he had no idea, then Gateway decides to use the code (again, which Normatt didn't know about) and now they are pointing fingers at him, as well as accusing users of buying clones or some crap like that. GW can piss up a rope for all I care.
So basically he used someone else's code, distributed it after he modified it and didn't double check that anything bad happens when he removed an obvious integrity check?
Sounds like HE is the one that screwed up in multiple ways, at least for those that got bricked because they used his region free firmware.
Those using the clones, well thank the R4/3DSLink team for that, if they wouldn't have just copied a program from someone else those bricks would have never happened.
The only real victims are the ones using gateway cards, the gateway team should have never implemented such a "feature" without makeing sure it doesn't go wrong.
No, it was a patch that had to be applied by the end-user.
He didn't know it contained the brick code, because people weren't being bricked until the timer went off in the Gateway firmware. It was too late by then...
- Joined
- Apr 29, 2011
- Messages
- 31,284
- Trophies
- 2
- Age
- 38
- Location
- Dr. Wahwee's castle
- XP
- 18,969
- Country
It was NOT his fault. He didn't know it contained the brick code, so don't blame him for the shitstorm.
I'm not quite sure I agree, here. When you are releasing software without reference to someone else's work, you're releasing it as your own. You're therefore responsible, at least in part.
Now, if he had made his own work and someone hacked in and put exploit code in, that's a different story. But nobody is claiming anything of the kind took place.
Gateway is certainly responsible for the core issue as they put the code in there in the first place, but Normatt/R4i/Orange/whatever can't be absolved of all responsibility. The software people were using was the "blessed" software released by that/those entities, and those people had no other option.
Gateway did something bad, in my opinion. They could certainly have told everyone there was code in there for this sort of thing, but they didn't. They fully intended - through their own actions - to damage people who bought a competing product. Doesn't absolve R4i (etc) of blame, but GW could have bought themselves weeks of lead time on feature releases if they had just been up front. Then, when this all happened, they could have at least said "We told you, guys.". Still shitty of them, but slightly less shitty.
Much respect for Normatt, but just because the GW team is spiteful and underhanded, doesn't absolve him of blame.
Edit: For clarity, I'm referring to the "Normatt is behind the software for R4i" discussion earlier. I'm not referring to his region-free patch, for which he should not take any blame.
Actually, as far as I have read here, he was aware of the bricking code and has patched it so that it would be safe. But according to some further claims of hackers GW has put more bricking code in the launcher firmware that was discovered only after Normmatt released his region-free patch.
- Joined
- Apr 29, 2011
- Messages
- 31,284
- Trophies
- 2
- Age
- 38
- Location
- Dr. Wahwee's castle
- XP
- 18,969
- Country
They actually put more bricking code in there? Wow, just wow. I think we should change the name of "Team Gateway" to "Team Gatewanker". I'm not at Normatt, because his intent for doing so was good, he wanted to make a region-free patch.
I've been trying but I need a SPI programmer. most sd readers do not enter SPI mode, but SD mode straight!
a nice source (check the concept parts):
http://www.seanet.com/~karllunt/sdlocker2.htm
first:
SPI commands are issued on bytes, directly splitted into 8 bits , YET based on eight bits (8/20000000) based off PWM: which leaves us 0,0000004 bits per second.
while line bus held down. being :
CLK line for syncing both microcontrollers:
this means we can take directly SCLK from eMMC and sync it with our SPI programmer
(MISO/DI) line for us the SPI controller connected to emmc spi (DO/MOSI).
(MOSI/DO) from the SPI controller goes to (DI/MISO) on emmc spi.
card init:
(from unaware to sd connect state)
1. emmc(3ds) sends on (DO/MOSI->DI/MISO)(spi prog) the 8th bit a short rising clock that begins and end on the 8bit,
while spi prog sends on (DO/MOSI->DI/MISO) 2 short rising clocks right after the 8th bit, to show emmc is connected to spi programmer.
(init sd to accept commands)
2. spi prog(DO/MOSI->DI/MISO) emmc requires 11 x 8 bits (FF) on the SSEL high.
after that, emmc card is ready to receive commands.
*: please denote that most CMDs, including CMD42 responses on R1 (from emmc DO/MOSI)
*: modern cards have different "sd controllers" we will focus on the SD I/F which takes SPI commands.
Data is sent as 2^48-1 patterns (48 bits) so a command can be read properly. (while DO/MOSI line is high)
bootup(SD mode, we are not interested in this):
1.8V
bootup (SPI mode, yay):
3.3V
and here is the interesting part:
accepted commands on a locked card: CMD0,CMD7,CMD16,ACMD41,ACMD42
*dat bit 3 looks interesting
a nice source (check the concept parts):
http://www.seanet.com/~karllunt/sdlocker2.htm
first:
SPI commands are issued on bytes, directly splitted into 8 bits , YET based on eight bits (8/20000000) based off PWM: which leaves us 0,0000004 bits per second.
while line bus held down. being :
CLK line for syncing both microcontrollers:
Code:
The cards are initialized with a default relative card address (RCA=0x0000) and with a default
driver strength with 400KHz clock frequency(MISO/DI) line for us the SPI controller connected to emmc spi (DO/MOSI).
(MOSI/DO) from the SPI controller goes to (DI/MISO) on emmc spi.
Code:
After poweron or CMD0, all cards CMD lines are in input mode, waiting for start bit of the next commandcard init:
(from unaware to sd connect state)
1. emmc(3ds) sends on (DO/MOSI->DI/MISO)(spi prog) the 8th bit a short rising clock that begins and end on the 8bit,
while spi prog sends on (DO/MOSI->DI/MISO) 2 short rising clocks right after the 8th bit, to show emmc is connected to spi programmer.
(init sd to accept commands)
2. spi prog(DO/MOSI->DI/MISO) emmc requires 11 x 8 bits (FF) on the SSEL high.
after that, emmc card is ready to receive commands.
*: please denote that most CMDs, including CMD42 responses on R1 (from emmc DO/MOSI)
*: modern cards have different "sd controllers" we will focus on the SD I/F which takes SPI commands.
Data is sent as 2^48-1 patterns (48 bits) so a command can be read properly. (while DO/MOSI line is high)
bootup(SD mode, we are not interested in this):
1.8V
:CMD8 //allows booting up SDXX mode
: CMD41(HCS->OCR) //on 1 indicates if SDHC or SDXC
: SR18A & SR18? //both 1
:CMD11
:CMD2
:CMD3
: CMD41(HCS->OCR) //on 1 indicates if SDHC or SDXC
: SR18A & SR18? //both 1
:CMD11
:CMD2
:CMD3
bootup (SPI mode, yay):
3.3V
(now issuing from (DO/MOSI(spi prog) to DI/MISO(emmc) )
:CMD0 0x0 // 0x400000000001 //fake crc, must be valid
:R1 (response command) (DI/MISO spi prog line must be high, so it will listen from DI/MISO emmc, responses will repeat in 0xFF until a proper response appears)
:CMD8 and or CMD7
R1 (response command)
:CMD41
R1 (response command)
:CMD16 0x00000200 //0x500000000281 //force block length to 0x200 fatfs // fake crc
:CMD0 0x0 // 0x400000000001 //fake crc, must be valid
:R1 (response command) (DI/MISO spi prog line must be high, so it will listen from DI/MISO emmc, responses will repeat in 0xFF until a proper response appears)
:CMD8 and or CMD7
R1 (response command)
:CMD41
R1 (response command)
:CMD16 0x00000200 //0x500000000281 //force block length to 0x200 fatfs // fake crc
and here is the interesting part:
accepted commands on a locked card: CMD0,CMD7,CMD16,ACMD41,ACMD42
*dat bit 3 looks interesting
I don't really have time to read through all the drama, but as I understand it Gateway included some temporary bricking code in their latest firmware that is ran when used on clones, Normatt worked with clone manufacturers and found the issue whilst working on clones? If so, I don't see why you're all getting angry over this. There have been worse methods of protecting IP. The only downside is that if it bricks whilst on a legitimate cart, and they seem happy enough to repair/replace if that is the case. It was also a beta release, so they're not even inclined to go that far.
- Joined
- Apr 29, 2011
- Messages
- 31,284
- Trophies
- 2
- Age
- 38
- Location
- Dr. Wahwee's castle
- XP
- 18,969
- Country
They're not even inclined to take care of the issue at hand, read the 3DS section on the Max Console forum, it's full of lulz
Just out of curiosity and may have been discussed somewhere but here it goes: Could a person with an external programmer and with an FBGA adapter zero out the NAND and re-flash a backed up nand file back to the chip thus bypassing the eMMC controller? Or is the controller coded into the NAND itself? I think the controller is on a separate chip but I could be wrong here, so please correct me if I am wrong. One would have to completely remove the chip from the board to accomplish this and attempting to do this may be counter productive.
the SD I/F handles all SPI & SD, this is the main chip the eMMC has, even if separate exists. Another user posted a script zeroing and removing the pass from it, but you need a resource to reach your eMMC (this is the spi controller that can be accesed directly from the OS), and the application sending/receiving commands into a terminal (or memory heap)
Well, they could have made the batteries explode. Certain countries seem to have many reported cases of such things.
EVIL CLONE ENGINEER... You CANNOT be serious
! If anything I bet he didn't even know the code was there until stuff started going down. Typical, someone tries to take something good out of piracy (using flashcart files so people can use actual games region-free) and people go after them~Anyway, let's just hope things get better instead of getting worse (because they can be a lot worse)
I'd be more willing to read the main post if it used actual readable sentences.
Have people given a crap about what garyopa says... ever?
This isn't an official statement or anything, he didn't do anything more than kiss some ass to be called the "official support forum" just to make advertising revenue.
This isn't an official statement or anything, he didn't do anything more than kiss some ass to be called the "official support forum" just to make advertising revenue.
- Joined
- Apr 29, 2011
- Messages
- 31,284
- Trophies
- 2
- Age
- 38
- Location
- Dr. Wahwee's castle
- XP
- 18,969
- Country
Similar threads
-
BakerMan
I rather enjoy a life of taking it easy. I haven't reached that life yet though.
