How does anti-piracy on the DS work?

Discussion in 'NDS - Flashcarts and Accessories' started by wchill, Jan 30, 2012.

Jan 30, 2012
  1. wchill
    OP

    Member wchill Resident chillxpert

    Joined:
    Jun 12, 2008
    Messages:
    1,407
    Country:
    United States
    I ask this because it's relevant to running ROMs on the 3DS.
    How do games detect whether they're running on flashcards?
     
  2. Sora de Eclaune

    Member Sora de Eclaune Baby squirrel, you's a sexy motherfucker.

    Joined:
    Feb 15, 2011
    Messages:
    2,785
    Location:
    123 Fake Street
    Country:
    United States
    ...This isn't relevant to running ROMs on the 3DS. Not yet, anyway. You first have to hack the 3DS and figure out how to manipulate 3DS mode. But before that, we still need to hack the DSi!

    And so far, flash cards can only run in DS Mode, unless you're using some powerhouse card like the Supercard DSTwo.
     
  3. wchill
    OP

    Actually, I'm asking this because I am planning on doing my own experimentation with loading ROMs using hardware solutions. So it is relevant.

    And I'm asking about DS games specifically, as the same AP methods should carry over.
     
  4. Sora de Eclaune

    Oh. Interesting.

    Well, I've looked it up and I don't really understand it, but....

    Basically, anti-piracy is meant to block unauthorized reading of the ROM. This unauthorized reading is usually due to whatever you're using the ROM with (either a flash card, an emulator, or a bootlegged cartridge) not reading it exactly like the legitimate cartridge would. Anti-piracy detects this change and automatically enables a kill message (i.e. 'the save file cannot be read' error, 'game could not be initialized' error, etc.), stops the ROM entirely (i.e. black/white screens, freezing, etc.), or causes unwanted things to happen during gameplay (i.e. Earthbound's difficulty spike and file deletion near end-game, Michael Jackson: The Experience's vuvuzelas).

    TL;DR Reading a ROM differently than the legitimate cart would in any way

    ...that's about all I understand. Sorry if it doesn't help.
     
  5. wchill
    OP

    Can I see your sources? I haven't been able to find detailed info on this
     
  6. kevan

    Member kevan Imagination rules the world

    Joined:
    Dec 4, 2009
    Messages:
    1,378
    Location:
    Place
    Country:
    Australia
    Done. Although not very well done.
     
  7. Sora de Eclaune

    ....Ummm.....google, actually. I googled it. There wasn't a lot of info so I pieced together what I thought was relevant.


    I know, but I meant PROPERLY.
     
  8. wchill
    OP

    My Google searches are not turning up anything. Unusual...

    (btw I'm referring to the specific methods that DS games use to detect piracy)
     
  9. Sora de Eclaune

    I couldn't find anything about that.

    Just in general.

    And it had to be pieced together from multiple sites.
     
  10. Pong20302000

    Member Pong20302000 making notes on everything

    Joined:
    Sep 8, 2009
    Messages:
    8,076
    Location:
    One's inner self
    Country:
    Japan
    DS games' anti-piracy works on how the code moves around the data.
    It's all about the offset, because certain data cannot be moved to certain areas, so the anti-piracy checks in the games try to copy data to this area; if successful, it knows you're using a flashcard,
    whereas on a legitimate card the data cannot be copied and is moved to the correct area.

    When a DS ROM patch is made, all it is doing is sending the data to the correct place rather than moving it to the error area and causing the AP to kick in.
     
  11. wchill
    OP

    So if a copy succeeds to some ordinarily protected part of memory, then the check fails?
    But then what part of memory is protected?

    There's still a lot missing
     
  12. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,748
    Country:
    United Kingdom
    I blathered on about it in the past http://gbatemp.net/t...78#entry1799578

    Short version there are two questions you are asking
    1) How do DS carts on the dsi and 3ds (those are related)
    http://hackmii.com/2...oming-in-3-2-1/ takes it pretty well.
    2) How does game level AP work for which there are three methods at present but only two are really used. Sora de Eclaune already took the rough overview- if your cart does not behave exactly as an original then you can be pinged because of that.
    In practice this means
    i) Below 8000 reads- http://nocash.emubas...rtridgeprotocol (see B7aaaaaaaa000000h (200h) - Get Data)
    Older DS flash cards would quite happily return the actual data/not what is actually done.
    ii) Binary (or portion thereof) checksums/hashes. As you probably know, the binaries (ARM9, ARM9 overlays and ARM7; ARM7 overlays do not exist in commercial games) are loaded into RAM, and so as not to save to EEPROM (or whatever the game originally used), carts will patch them to save to whatever save type they are rocking. A handful of carts, like the original EZ5, had a savelist (it was not that bad to maintain, but the R4 was easier so most dropped such things) and actually emulated the memory type in hardware, meaning they were usually far more compatible (and maintained such abilities well into the AP era, where the thought of using a 2-year-out-of-date kernel on an R4-a-like would have got you laughed at). Clean mode, special mode, ghost mode or whatever your cart wants to call it aims to have an ultra-light touch on the ROM to avoid setting off these checks, at the cost of not having soft reset, cheats, in-game menus and such.

    Both these methods existed for a while, and at first they were simple enough that general fixes could happen, but later on it turned to hundreds of checks (and with it the end of "cheat" patches), even to the point where they slowed the game down (yep, even on the DS the maybe-not-so-legit way often ended up superior if you have a cart that patches these out properly*). Obfuscation also happened: where at first you could reasonably scan a ROM with an automated tool (there still exist ones for below-8000 checks) or quickly by eye and catch most of them, later there were games triggering them later in the game (was it C.O.P. - The Recruit that had some later-stage trouble with the initial patches?) and not having immediately obvious failure conditions (Phantasy Star changing drop rates, for instance), as a result of games hiding them in overlays not used until late in the game, hiding things in THUMB mode as opposed to ARM (the GBA and DS ARM processors have a 32-bit mode known as ARM and a 16-bit mode (kind of; see GBAtek/ARM docs) known as THUMB that you switch between), and I believe there were a couple that did not do the immediately obvious check-and-fail but sent flags and whatnot for later on.

    *Most carts owe more than a passing nod to the Wood/AKAIO teams, so they tend to be properly removed rather than changing the result of the if statement (the proper way to bypass is to prevent the check from happening, but the quick and easy way is to scan the ROM for the checks and change "if the result is good, carry on, but if not, trigger AP failure mode" to "if it is good then great, if it is bad then also great").

    The third, which has only been seen on a handful of ROMs (Houkago Shounen being the best example), was to time the save process and fail it for being too short (flash carts are nothing if not efficient here).
    I am not counting new save types and things like Pokémon utilising the "save" architecture to also do the IR port, and Castlevania POR being badly coded and crashing due to something resembling a race condition where flash carts had a bit less speed/more latency.
    There are probably a handful of other methods that could be (could have been?) tried based on the idea of a flash cart behaving differently in some small but predictable/detectable manner to original carts but I will leave it to you to cook up ideas here (have a read of GBAtek).
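Added example for the editor's benefit, not code from the thread or from any flash-cart team: a toy C model of the three detection methods FAST6191 lists (below-8000 Get Data reads, checksums over the ARM9 binary in RAM, and save timing), which is also the concrete form of what Pong20302000 describes in post 10 (the game probing whether the cart behaves like an original). Everything hardware-related is simulated: the cart and its bus are byte arrays, the clock is a counter, the original cart's answer to a below-0x8000 Get Data read (modelled as a mirror of 0x8000+), the FNV-1a checksum, the "save routine" offset and the timing threshold are all assumptions of the model, chosen only to make the three checks observable.

```c
/* Added example, not code from the thread: a toy model of the three flash-cart
 * detection methods FAST6191 describes. The cart, its bus and the clock are all
 * simulated; the "original cart mirrors 0x8000+ for below-0x8000 Get Data
 * reads" behaviour, the hash and every threshold are assumptions of the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ROM_SIZE   0x10000u   /* 64 KiB toy ROM */
#define SECURE_END 0x8000u    /* Get Data reads below this are special-cased */
#define ARM9_OFF   0x4000u    /* toy ARM9 binary lives here in the ROM */
#define ARM9_LEN   0x1000u
#define SAVE_PATCH 0x100u     /* assumed offset of the "save routine" inside the ARM9 binary */

typedef struct {
    uint8_t  rom[ROM_SIZE];
    bool     is_flashcart;    /* flash cart: answers every Get Data read literally */
    uint32_t save_ticks;      /* simulated duration of one save write */
} cart_t;

enum { AP_LOW_READ = 1, AP_CHECKSUM = 2, AP_SAVE_TIMING = 4 };

/* Deterministic constructed ROM contents: each byte is a function of its address */
static void cart_init(cart_t *c, bool flashcart, uint32_t save_ticks) {
    memset(c, 0, sizeof *c);
    for (uint32_t a = 0; a < ROM_SIZE; a++) c->rom[a] = (uint8_t)(a * 7u + (a >> 8));
    c->is_flashcart = flashcart;
    c->save_ticks = save_ticks;
}

/* Simulated "B7 Get Data" bus response for one byte. Assumption: the original
   cart does not hand back the real low bytes (modelled as a mirror of 0x8000+),
   while a naive flash cart returns them verbatim. */
static uint8_t cart_get_data(const cart_t *c, uint32_t addr) {
    addr %= ROM_SIZE;
    if (!c->is_flashcart && addr < SECURE_END) addr += SECURE_END;
    return c->rom[addr];
}

/* Check (i): re-read the header through the cart and compare with the copy the
   game already holds in RAM; only a cart that leaks the real low bytes matches */
static bool ap_low_read_detects(const cart_t *c, const uint8_t *header_in_ram, size_t n) {
    for (size_t a = 0; a < n; a++)
        if (cart_get_data(c, (uint32_t)a) != header_in_ram[a]) return false;
    return true;
}

/* FNV-1a, standing in for whatever checksum a real game would use over its binary */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Check (ii): the ARM9 binary in RAM must still hash to the value baked in at build time */
static bool ap_checksum_detects(const uint8_t *arm9_in_ram, size_t n, uint32_t expected) {
    return fnv1a(arm9_in_ram, n) != expected;
}

/* What a flash-cart kernel does to the loaded binary: redirect the save routine
   to its own storage (here just an assumed 4-byte overwrite) */
static void flashcart_patch_save_routine(uint8_t *arm9_in_ram) {
    static const uint8_t hook[4] = { 0xEA, 0x00, 0x00, 0x00 }; /* placeholder branch */
    memcpy(arm9_in_ram + SAVE_PATCH, hook, sizeof hook);
}

/* Check (iii): a save that finishes faster than real EEPROM/flash could is suspicious */
static bool ap_save_timing_detects(const cart_t *c, uint32_t min_ticks) {
    return c->save_ticks < min_ticks;
}

/* Boot the toy game on a cart and return the bitmask of checks that fired */
static int ap_run_all(const cart_t *c, bool kernel_patches_binary, uint32_t min_save_ticks) {
    uint8_t header[16], arm9[ARM9_LEN];
    memcpy(header, c->rom, sizeof header);                   /* header loaded at boot */
    memcpy(arm9, c->rom + ARM9_OFF, ARM9_LEN);              /* binary copied into main RAM */
    uint32_t expected = fnv1a(c->rom + ARM9_OFF, ARM9_LEN);  /* "baked in" at build time */
    if (kernel_patches_binary) flashcart_patch_save_routine(arm9);

    int fired = 0;
    if (ap_low_read_detects(c, header, sizeof header))   fired |= AP_LOW_READ;
    if (ap_checksum_detects(arm9, ARM9_LEN, expected))   fired |= AP_CHECKSUM;
    if (ap_save_timing_detects(c, min_save_ticks))       fired |= AP_SAVE_TIMING;
    return fired;
}

int main(void) {
    cart_t real, flash;
    cart_init(&real, false, 5000);   /* original cart: mirrored low reads, slow save */
    cart_init(&flash, true, 40);     /* flash cart: literal reads, patched binary, fast save */
    int r = ap_run_all(&real, false, 1000);   /* 0: nothing fires */
    int f = ap_run_all(&flash, true, 1000);   /* 7: all three fire */
    return (r == 0 && f == (AP_LOW_READ | AP_CHECKSUM | AP_SAVE_TIMING)) ? 0 : 1;
}
```

The model also shows why the footnote's "flip the if" shortcut stops scaling: a kernel that neutralises `ap_low_read_detects` by patching its branch has changed more bytes of the binary in RAM, so any second checksum covering that region fires instead, which is exactly the "hundreds of checks" escalation described above.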
     
  13. wchill
    OP

    Ahhhhh thanks that was what I was looking for. Perfect.
    So my initial guesses were correct in regards to the first two anti piracy checks, and the third can be worked around with a delay mechanism. Thank you very much.
     
  14. FAST6191

    I forgot to mention: I think it was Daigasso Band Brothers (certainly one of the Japanese music game sequels) that wrote a serial of sorts into the save memory to allow downloads based on a server-side check, but the BDX format ultimately got pulled apart, thoroughly documented and had tools made for it.
    http://dshack.wikia.com/wiki/Daigasso!_Band_Bros._series

    Strictly speaking I am not sure where it falls but it is a potential annoyance for flash cart owners so I figure I will mention it.
     
