Hacking: How does the original R4 DS auto-boot?

Sonic0509

Sometimes I'm Maryushi3
OP
Member
After hacking my 2DS and getting my beloved original R4DS to work again, I finally returned to the 2DS home menu, and to my surprise something appeared in the game card slot icon. Actually it appeared blank, but the console detected that something was inside (probably because, thanks to CFW, blocked flashcards are not blocked anymore). However, trying to run it just left me with an error forcing me to turn off the console. This made me think... how does the R4 make the original DS and DSL autoboot into it? Is it some kind of icon exploit (like bannerbomb for Wii), is the DS vulnerable to something like a game title exploit, or is it something else completely?

So there I am, asking what seems like a not-so-stupid question. How does the original R4DS achieve auto-booting (and why doesn't it work that way on a hacked 3DS)?
 

Alex658

Well-Known Member
Member
IIRC the original set of flashcarts for the DS phat/lite like R4, M3, N5, DSTT and other clones took advantage of a flaw in the original DS firmware (it acted as an improved PASSme) which led it to autoload.

This would no longer work on DSi and 3DS since the system now asks for a bootloader (a game's name and last name/developer info) before letting it be recognized or booted if this info is not valid or complete.

Feel free to correct me though
 

Sonic0509

Sometimes I'm Maryushi3
OP
Member
Thanks for replying! :)
It seems like you're right about it working like a passcard, since it fits quite well with this paragraph from an article I found thanks to you giving me a lead about PASSme :D
In case someone else wants to know but also wants the tl;dr version: it's possible to modify an NDS game's header (icon, title, publisher, year) so that it points to another location (outside the space intended for the header) containing some code to execute. As for the R4 (and probably most clones), it looks like the header contains just the bare minimum needed to make the DS run code stored on it.

Now, I assume that it doesn't work on the 3DS the normal way because the code the header points to is not executed from the same location as "normal" NDS code that would run after selecting an icon from the DS menu. But this is just one huge assumption.
 

Swiftloke

Hwaaaa!
Member
In case someone else wants to know but also wants the tl;dr version: it's possible to modify an NDS game's header (icon, title, publisher, year) so that it points to another location (outside the space intended for the header) containing some code to execute.
Really? That's very interesting! No wonder the original R4 has an invalid header! I'll go read the article, I was wondering this too. Thanks! :D
 

FAST6191

Techromancer
Editorial Team
It is simpler than that:
http://problemkaputt.de/gbatek.htm#dscartridgeheader
Header Overview (loaded from ROM Addr 0 to Main RAM 27FFE00h on Power-up)
Address Bytes Expl.
01Fh 1 Autostart (Bit2: Skip "Press Button" after Health and Safety)
(Also skips bootmenu, even in Manual mode & even Start pressed)

Basically it, and several other DS flash carts, used a sort of undocumented, or at least unused in commercial games, feature of the DS firmware (maybe it was a device check/repair cart thing).

If you want to read more on the overlay bait and switch used by DS flash carts with DSi and 3DS compatibility (at least until save checks came along):
https://hackmii.com/2010/02/lawsuit-coming-in-3-2-1/

Also of passing interest:
http://pineight.com/ds/pass/
I should note that smea did a little proof-of-concept DS exploit using a DS game that took in audio a while back.
 

Swiftloke

Hwaaaa!
Member
It is simpler than that:
http://problemkaputt.de/gbatek.htm#dscartridgeheader
Header Overview (loaded from ROM Addr 0 to Main RAM 27FFE00h on Power-up)
Address Bytes Expl.
01Fh 1 Autostart (Bit2: Skip "Press Button" after Health and Safety)
(Also skips bootmenu, even in Manual mode & even Start pressed)

Basically it, and several other DS flash carts, used a sort of undocumented, or at least unused in commercial games, feature of the DS firmware (maybe it was a device check/repair cart thing).

If you want to read more on the overlay bait and switch used by DS flash carts with DSi and 3DS compatibility (at least until save checks came along):
https://hackmii.com/2010/02/lawsuit-coming-in-3-2-1/

Also of passing interest:
http://pineight.com/ds/pass/
I should note that smea did a little proof-of-concept DS exploit using a DS game that took in audio a while back.

Hmmm. I'll be reading all those links. Thanks!
 

Sonic0509

Sometimes I'm Maryushi3
OP
Member
It is simpler than that:
http://problemkaputt.de/gbatek.htm#dscartridgeheader
Header Overview (loaded from ROM Addr 0 to Main RAM 27FFE00h on Power-up)
Address Bytes Expl.
01Fh 1 Autostart (Bit2: Skip "Press Button" after Health and Safety)
(Also skips bootmenu, even in Manual mode & even Start pressed)

Basically it, and several other DS flash carts, used a sort of undocumented, or at least unused in commercial games, feature of the DS firmware (maybe it was a device check/repair cart thing).

If you want to read more on the overlay bait and switch used by DS flash carts with DSi and 3DS compatibility (at least until save checks came along):
https://hackmii.com/2010/02/lawsuit-coming-in-3-2-1/

Also of passing interest:
http://pineight.com/ds/pass/
I should note that smea did a little proof-of-concept DS exploit using a DS game that took in audio a while back.


I can't believe it's literally just 2 bits (or even a single bit, if you look at it right) that make it all possible.

I've read all those links. It's a bit too late for me (1:20 am at the time of writing this post) to completely understand all the technical aspects, but I can't say it wasn't a fun read. Thanks so much :D

But still one question remains: why won't the 3DS boot an autobooting R4 cartridge normally even when it's whitelisted (or not blacklisted... I'm never sure how it works in the 3DS' case)? Could it be that (like @Alex658 said) the 3DS expects a fully correct/proper header (completely ignoring the autoboot flag), or just flips off every autobooting cartridge, or maybe the R4 autoboots different code than selecting it from the menu would?
Any idea if there is an autobooting flashcard that also has a proper header?

Also, that sound exploit... Smealum is just an insane guy :wtf:

Oh, and one more thing: thank you so much for replying to this thread. I expected to get "if it werks it werks" kind of answers ^_^

And another thing: it seems like the R4 is getting pretty "powerful" in the 3DS scene (insert :yayR4: here)
 

Technicmaster0

Well-Known Member
Member
It is simpler than that:
http://problemkaputt.de/gbatek.htm#dscartridgeheader
Header Overview (loaded from ROM Addr 0 to Main RAM 27FFE00h on Power-up)
Address Bytes Expl.
01Fh 1 Autostart (Bit2: Skip "Press Button" after Health and Safety)
(Also skips bootmenu, even in Manual mode & even Start pressed)

Basically it, and several other DS flash carts, used a sort of undocumented, or at least unused in commercial games, feature of the DS firmware (maybe it was a device check/repair cart thing).
I think I read somewhere that it was used for demo/debug cards.

I can't believe it's literally just 2 bits (or even a single bit, if you look at it right) that make it all possible.

I've read all those links. It's a bit too late for me (1:20 am at the time of writing this post) to completely understand all the technical aspects, but I can't say it wasn't a fun read. Thanks so much :D

But still one question remains: why won't the 3DS boot an autobooting R4 cartridge normally even when it's whitelisted (or not blacklisted... I'm never sure how it works in the 3DS' case)? Could it be that (like @Alex658 said) the 3DS expects a fully correct/proper header (completely ignoring the autoboot flag), or just flips off every autobooting cartridge, or maybe the R4 autoboots different code than selecting it from the menu would?
Any idea if there is an autobooting flashcard that also has a proper header?

Also, that sound exploit... Smealum is just an insane guy :wtf:

Oh, and one more thing: thank you so much for replying to this thread. I expected to get "if it werks it werks" kind of answers ^_^

And another thing: it seems like the R4 is getting pretty "powerful" in the 3DS scene (insert :yayR4: here)
It's really simple. Every DS ROM (and therefore every flashcard as well) has its own header (later, official headers got copied to become compatible with DSi/3DS). The console reads the header before it boots the game to get information like the icon, the text etc. There's one bit, one piece of information in the header that you can change so that the card autoboots. It was used by Nintendo itself and is no exploit/bug.
This feature doesn't work with DSi/3DS anymore because the flashcards have to copy the headers of official games, which don't have the feature enabled.
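FAST6191's GBATEK excerpt (byte 0x1F, bit 2) and Technicmaster0's point that a flashcart copying an official header inherits a cleared flag, as an added example that is not from this thread or from any flashcart's firmware: a Python inspector that reads the header fields the DS firmware loads at power-up, reports whether an image would autoboot, and checks the header CRC-16 at 0x15E, which covers 0x000 to 0x15D and therefore includes the autostart byte. The sample headers are constructed here, and the CRC variant (init 0xFFFF, reflected polynomial 0xA001) is assumed to be the one GBATEK specifies for DS header checksums.

```python
import struct

# Offsets from GBATEK's DS cartridge header table (relative to ROM address 0).
HEADER_SIZE = 0x200
AUTOSTART_OFFSET = 0x1F        # "01Fh 1 Autostart"
AUTOSTART_SKIP_MENU = 1 << 2   # bit 2: skip "Press Button" and the boot menu
HEADER_CRC_OFFSET = 0x15E      # CRC-16 of header bytes 0x000..0x15D

def crc16(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16 assumed for the header checksum: init 0xFFFF, reflected poly 0xA001."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_header(rom: bytes) -> dict:
    """Return the fields the firmware reads at power-up plus the autoboot decision."""
    if len(rom) < HEADER_SIZE:
        raise ValueError("image shorter than the 0x200-byte cartridge header")
    h = rom[:HEADER_SIZE]
    stored_crc = struct.unpack_from("<H", h, HEADER_CRC_OFFSET)[0]
    return {
        "title": h[0x00:0x0C].rstrip(b"\x00").decode("ascii", "replace"),
        "game_code": h[0x0C:0x10].decode("ascii", "replace"),
        "maker_code": h[0x10:0x12].decode("ascii", "replace"),
        "autostart_byte": h[AUTOSTART_OFFSET],
        "autoboots": bool(h[AUTOSTART_OFFSET] & AUTOSTART_SKIP_MENU),
        "arm9_rom_offset": struct.unpack_from("<I", h, 0x20)[0],
        "arm9_entry": struct.unpack_from("<I", h, 0x24)[0],
        # The CRC range covers byte 0x1F, so a flag flipped without a recomputed CRC shows up here.
        "header_crc_ok": stored_crc == crc16(h[:HEADER_CRC_OFFSET]),
    }

def build_sample_header(title: bytes, game_code: bytes, autostart: int) -> bytes:
    """Constructed sample header (not a real ROM) with a consistent checksum."""
    h = bytearray(HEADER_SIZE)
    h[0x00:0x0C] = title.ljust(12, b"\x00")
    h[0x0C:0x10] = game_code
    h[0x10:0x12] = b"01"                          # maker code "01" = Nintendo
    h[AUTOSTART_OFFSET] = autostart
    struct.pack_into("<I", h, 0x20, 0x4000)        # ARM9 binary offset in ROM (sample value)
    struct.pack_into("<I", h, 0x24, 0x02000000)    # ARM9 entry point in main RAM (sample value)
    struct.pack_into("<H", h, HEADER_CRC_OFFSET, crc16(h[:HEADER_CRC_OFFSET]))
    return bytes(h)

# Official-style header with the flag clear vs. an R4-style header with bit 2 set (both constructed).
OFFICIAL = build_sample_header(b"SAMPLEGAME", b"ASME", 0x00)
AUTOBOOT = build_sample_header(b"R4-STYLE", b"####", AUTOSTART_SKIP_MENU)
```

Running `parse_header` over a dumped image tells you in one look whether the 0x1F flag is set and whether the header checksum still matches, which is exactly what separates an official-style header from an autobooting one.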
 
