How were the DS exploits found?

Discussion in 'NDS - ROM Hacking and Translations' started by imgod22222, Jun 10, 2011.

  1. imgod22222
    OP

    Member imgod22222 GBAtemp's Original No-faced Member

    Joined:
    Jul 5, 2006
    Messages:
    1,555
    Country:
    United States
    So I remember joining the DS scene back in the days when we would flash our fat DS's with firmware, using a PassMe card and a slot-2 device. Nowadays, people just plug'n'play their flashcarts.
    My question is: How did they figure this stuff out? If anyone has any links/stories about back in the day when hackers on the scene were figuring out "oh shit, if I short this connection, then I can write freely to the firmware!" or "If I make a DS cart... and put this info on it... then obviously, the DS will begin reading from slot-2!" or "Here's the default firmware DS's ship with. Now what would I go about editing to get rid of this heinous check?" or any of the newer methods being used now which allow people to just pop it in their factory DS and have it work fine?
    What are the methods, how are they being used, how do they work, and what understanding is necessary about the DS to get it to do what you want it to?
    [I'm interested in (soft/hard)ware hacking, pretty adept at reading/writing x86-64 asm, and wanted to learn what "hackers" are doing so I can feel less of a bystander, and more as a person who can make a difference]
     
  2. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    You're pretty much asking for a tutorial on hacking in general.

    Seriously.
     
  3. Poryhack

    Member Poryhack GBAtemp Fan

    Joined:
    Oct 18, 2009
    Messages:
    330
    Country:
    United States
    I might be wrong about this but it seems like a lot of the answers you're looking for are "trade secrets" for flashcard developers and not likely to be publicized. I know there was a lot more of an open nature to DS hacking in its early days but that phase didn't seem to amount to much (especially not hardware-wise); there was homebrew here and there but compared to what you can do with a flashcard now it was pretty limited.

    Anyway I think you might have more luck with your question if you asked in the hackmii/twiizers circles, they seem to be where it's at for low-level hacking now.
     
  4. imgod22222
    OP

    Member imgod22222 GBAtemp's Original No-faced Member

    Joined:
    Jul 5, 2006
    Messages:
    1,555
    Country:
    United States
    So I may be. However, I was being slightly specific in asking to use DS examples when making the tut/explaining.
    EDIT: Poryhack, that sounds like a good idea, I may go about "asking the hackmii/twiizers circles" also, didn't think I would be asking about flashcart trade circles. If it really were, all flashcarts nowadays have built-in passme functionality and explaining it would in no way change anything. I guess the more up-to-date stuff that goes beyond using just the DS' hardware (like using onboard coprocessors) would be infringing on that territory. But after all, the method in which flashcarts do that same thing of passing the firmware is the same for all cards once the hack is announced (and subsequently published).
     
  5. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,747
    Country:
    United Kingdom
    I could probably cover why some of the methods work (many flash chips have a write enable pin and for testing purposes pads will usually be there) but as Rydian says you are asking for a hacking tutorial in general and even if I did cover the examples you mentioned it would be more or less just trivia. The proper DS slot stuff (that is to say the encryption method that kicked it all off) though came from Martin Korth aka the author of no$gba and the rather nice hardware docs to match it.
    On top of this you run the risk of overloading yourself; not to slight the skills of anyone but people do not just wake up in the morning and cook up a device that loads games and has a spinning boxart complete with shiny table effect to launch it, it takes quite a bit of effort on the part of many and although it has been said for many years now I do pity those just coming into this game as it does not get easier.

    The way I see it you start with a goal (say running my own code on what amounts to full hardware access rather than say some little piece of scripting language in there somewhere). Consider all the methods you have to get something on there
    Can I use a disc?
    Can I use an SD card?
    Can I use a USB port in some manner?
    Can I use wireless?
    Can I use some proprietary method it has (code or save memory)?
    Can I use some internal memory?
    Can I use some debug method to inject code directly into the memory?
    and so forth

    You then pull something apart (or if somebody else has done it for you read up on that although always remember they might be wrong*) and/or probe each of those avenues to figure out any roadblocks there might be in them.

    If there is encryption/protection can I crack it (higher powered machines and continued research mean methods get weaker all the time although relying on this is not wise), was it implemented properly (history says certainly give it a look), can I bypass it in some way (does it only check at install time/once and then allow you to swap it out?, can you trigger a debug mode that lacks support for it?, were they foolish enough to implement the checks in something you easily control? or can I glitch the hardware at the right time to allow me to bypass it (side channel attacks are extremely powerful) among many other questions).

    *one of the big things here is backwards compatibility- the DS with the passme worked because it had access to the GBA memory which it could be redirected to, the wii tweezers attack used gamecube mode to gain access to things, the wii drive mods descended directly from gamecube mods and so forth.

    Why one avenue and not the other usually exists because it is easier. Occasionally someone might come along and refine it but at first it is almost always about making it easier.

    What I have just written though is almost philosophical in that it contains nothing of great use. Still I blathered on in the 3ds hacking section if you fancy http://gbatemp.net/t287721-some-hacking-concepts-and-links
     
  6. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    That doesn't matter that much, actually. That only changes a few specifics, and giving away those specifics might as well be giving away some exploits. What will be more helpful to you right now is understanding some of the basic first approaches, like FAST gave.

    Here's some info on PSP hacking that will also help.
    http://wololo.net/wagic/hacking-portal/
     
  7. relminator

    Member relminator GBAtemp Fan

    Joined:
    May 28, 2010
    Messages:
    333
    Country:
    Philippines
    IRC
    server: Blitzed.org
    Channel: #dsdev

    I believe current DS/3DS hackers frequent there.

    You need to have patience with this stuff though. It's time consuming and needs a lot of luck.
     
  8. mrgone

    Member mrgone GBAtemp Advanced Fan

    Joined:
    Nov 6, 2002
    Messages:
    728
    Country:
    Germany
    Isn't it always like this:
    find some input, supply an input string which hopefully crashes/exploits something,
    repeat for strings and inputs.
     
  9. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    No, there are often tricks you can do to get the machine to spit out some info at you that you can look through to try to find something exploitable (or at least find a way to cause a crash) without having to "guess around" various inputs.
     
  10. Valiarchon

    Member Valiarchon trentacles

    Joined:
    Mar 11, 2010
    Messages:
    182
    Location:
    melbourne
    Country:
    Australia
    I'd like to point out something everyone seems to be ignoring: A very, very large proportion of the console hacking originates in one of three communities: Chinese, French and Spanish/Brazilian. If you can understand one of the required languages (although even a google translation would usually suffice for something like this to provide a basic idea of what's going on), I suggest you check them out.
     
  11. gshock

    Member gshock Advanced Member

    Joined:
    Mar 8, 2008
    Messages:
    63
    Country:
    Canada