How are slot 1 cards booted?

Discussion in 'NDS - Flashcarts and Accessories' started by YoshiInAVoid, Dec 12, 2013.

  1. YoshiInAVoid (OP), GBAtemp Advanced Fan
    If the firmware reads the cartridge and checks it has a valid RSA signature before it will boot it, how do slot 1 flashcards bypass this? Was the private key ever found? I seem to remember a DS Bricker which was disguised as Mario Party and had a valid signature.
     
  2. FAST6191, Techromancer
    I assume you mean on the DSi/3ds. On a normal DS or DS lite it is not so bad.

    http://hackmii.com/2010/02/lawsuit-coming-in-3-2-1/ pretty much covers it.

    The shorter version:

    All new DS games post around the DSi launch have a small extra piece of data onboard which is the RSA signature. This is as yet uncracked at any level. It is also why many games got redumped/"propered" and, as it is useless, why nobody really cares.

    Older DS games were gathered together in a group and each had hashes made by Nintendo. This then makes a whitelist (whitelist = only run if the file is on this list). If a game is on the whitelist it gets checked and booted, and if a game is of the RSA type then that signature gets checked. To make flash carts the makers took a game from this whitelist and used that.

    How did they get past it? DS code can come from 4 places, though 3 if you ignore wifi. Said 3 places are the ARM9, the ARM7 and overlays. Overlays are small code fragments loaded on command at some point during the game (typically something you do not do very often... like booting). Now the makers need to find a game on the whitelist that loads an overlay immediately or very soon after (it is why there was an update for some cards that had the optional DSi/3ds boot that took a few more seconds to load), and that can become their faked game. If you can load more than about 10 instructions and read from something (easily done) you own the DS mode. Nintendo went through various steps including checking more and more of the game, checking the save worked as it should and so on, which is why carts often changed the game they pretended to be.
     
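As an added illustration (not code from this thread or from Nintendo), a small Python model of the whitelist check FAST6191 describes: the cart layout, region names and hash scheme are constructed for the example, and it shows why a whitelist hash that covers only part of the image leaves later-loaded overlays unchecked, and how extending coverage to everything that gets executed closes that gap.

```python
import hashlib

# Constructed toy cart image: region name -> bytes. Not a real NDS ROM layout.
def make_cart(overlay: bytes) -> dict:
    return {
        "header": b"TOY-HEADER constructed for the example",
        "arm9": b"\x00\x01\x02\x03" * 16,
        "arm7": b"\x10\x11\x12\x13" * 16,
        "overlay0": overlay,   # code loaded on demand, e.g. right after boot
    }

# Hypothetical coverage sets: an early check that only hashes the main
# binaries, and a stricter one that hashes every region that can execute.
PARTIAL_COVERAGE = ("header", "arm9", "arm7")
FULL_COVERAGE = ("header", "arm9", "arm7", "overlay0")

def whitelist_digest(cart: dict, regions: tuple) -> str:
    """Hash the named regions in order, length-prefixed so regions can't blur."""
    h = hashlib.sha256()
    for name in regions:
        data = cart[name]
        h.update(name.encode())
        h.update(len(data).to_bytes(4, "little"))
        h.update(data)
    return h.hexdigest()

def boot_allowed(cart: dict, whitelist: set, regions: tuple) -> bool:
    """Model of the firmware decision: boot only if the digest is whitelisted."""
    return whitelist_digest(cart, regions) in whitelist

# Constructed "genuine" cart, and a cart identical except for its overlay.
GENUINE = make_cart(b"original overlay code")
MODIFIED = make_cart(b"different overlay code")

# Nintendo's whitelist would be built from the genuine carts only.
WHITELIST_PARTIAL = {whitelist_digest(GENUINE, PARTIAL_COVERAGE)}
WHITELIST_FULL = {whitelist_digest(GENUINE, FULL_COVERAGE)}

if __name__ == "__main__":
    print("partial check, genuine :", boot_allowed(GENUINE, WHITELIST_PARTIAL, PARTIAL_COVERAGE))
    print("partial check, modified:", boot_allowed(MODIFIED, WHITELIST_PARTIAL, PARTIAL_COVERAGE))
    print("full check, modified   :", boot_allowed(MODIFIED, WHITELIST_FULL, FULL_COVERAGE))
```

The middle line is the gap the post describes: a check that never looks at the overlay cannot tell the two carts apart, which is why checking more of the game was the fix.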
  3. YoshiInAVoid (OP), GBAtemp Advanced Fan
    Thanks. Now my next question: I know several cards can be reflashed, like R4i Advance, Ace 3DS, and Supercard DS TWO. Were any of these cards hacked to be able to have a custom ROM flashed to them? So I can put homebrew on a card?