Is a "cloned gamecard" exploit-less Gateway possible?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Aurora Wright, Oct 24, 2014.

  1. Aurora Wright
    OP

    Aurora Wright GBAtemp Advanced Maniac

    Something that has been buzzing in my head for a while now. What exactly is preventing Gateway right now from releasing a "warez only" card that fully clones an original cart? I knew that the game card protocol and communication are encrypted, but where exactly are keys and algorithms located? If they are in the bootrom, Gateway has decapped the CPU by now (they got the 7.x keys), so what's preventing them? Difficulties in managing save methods and/or card2 gamecard games?
     
  2. Jayro

    Jayro MediCat USB and Mini Windows 10 Developer

    I have wondered this too: why has nobody made a flash cart that mimics a 1:1 retail cart for the 3DS, without having to use an exploit? Is it because they can't sign their launcher?
     
  3. WiiU

    WiiU Lurking in the Shadows

    That would be so annoying if they did that. It's like looking for GBA games on eBay, .... so ... many .... fakes ..... :hateit:
     
  4. Pedeadstrian

    Pedeadstrian GBAtemp's Official frill-necked lizard.

    I'd comment but then Normmatt would come and say something smart, refuting my answer, and then I'd feel sad.
     
    Dartz150, cearp, Joe88 and 6 others like this.
  5. gamesquest1

    gamesquest1 Nabnut

    The launcher is part of the exploit. Making a 1:1 clone of a card means it would act exactly like a retail cart, no launcher files or anything, but I assume if anyone did make anything like that it would just be used in bootleg carts and not as the basis for a flashcard-style setup, i.e. fake games like GBA/DS bootlegs, 1 cart = 1 game.
     
  6. Aurora Wright
    OP

    Aurora Wright GBAtemp Advanced Maniac

    I might be wrong, but the card's FPGA should be able to spoof the ROM chip with a ROM on SD. Neimod once said that 3DS ROM chips are way slower than microSDs, while it was the opposite with DS cards.
     
  7. gamesquest1

    gamesquest1 Nabnut

    Yeah, but there is more money in actual bootleg carts, so if they could make a 1:1 clone it would make more sense to sell them as legit games and rake in the money, i.e. 5x $25 (or whatever the cost of each game is) would be better than a one-off $50-60 for a single reusable flashcard.
     
  8. alexenochs

    alexenochs GBAtemp Fan

    Yeah, but if Gateway did do this we would eventually see someone either modify the cart they made to flash a new ROM to it, OR see a clone cart with an SD slot come out of these "legit-fake" carts.
     
  9. Foxi4

    Foxi4 On the hunt...

    I assume it's difficult exactly because of what you're suggesting - the cartridge would have to be a 1:1 replica (which is difficult since the hardware is, to an extent, proprietary) and the launcher would have to be signed exactly like an original game. Since we don't know how to sign the binary properly and replicating the proprietary chips would be expensive, we're not seeing those carts popping up.
     
  10. Duo8

    Duo8 I don't like video games

    IIRC someone tried.
    It didn't work (well enough due to differences between each individual cards or something).
     
  11. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    I can't see any technical reason why it wouldn't be possible. The hardware in the carts is the same between games, except for differences in save chip size and card1/card2 differences. Card2 cartridges already have a writable chip (although only part of it is writable, but I assume that's a switch in the cart's chip), so using the same chip or a similar one (or an FPGA to emulate the chip, but that might be tough) for a 1:1 clone should be possible. The difference in save sizes might be an issue though.
    There are several things that make it difficult, but if Gateway really has decapped the CPU they should be able to do nearly anything. I guess they haven't tried to do that yet, their focus seems to be on the Gateway and they are still trying to find a new exploit for the latest firmware. Making a new 1:1 flashcart that works on the latest firmware would pretty much mean abandoning all hope of getting the Gateway to work on the newest firmware, so they probably won't do that until they know for certain that they aren't able to find a new exploit.

    Well, SD cards have gotten faster. Back when DS flashcarts came out, class 10 cards didn't even exist.
     
  12. Aurora Wright
    OP

    Aurora Wright GBAtemp Advanced Maniac

    I'm well aware of digital signatures, but it's the data in the ROM chip that is signed, so if the card's FPGA spoofed "a ROM chip (or flash memory for card2) containing data from a 1:1 dump on SD" a launcher wouldn't be needed at all. Actually, as far as I know Gateway does this already, but on top of that the launcher completely disables gamecard crypto (or it makes it use their own one). Normmatt's "infamous" mod removed this patch.
     
  13. Foxi4

    Foxi4 On the hunt...

    You're forgetting about so-called "hardware-based anti-piracy measures" which are implemented to prevent this from happening. As I've mentioned, the chips are proprietary, making it hard(er) to fool the system. I'm not entirely sure what's the difference between normal 3DS storage chips and off-the-shelf ones, probably some stuff in the memory controller low-level programming, but I can tell you how it worked on the Neo Geo Pocket.

    The reason why there's only one flashcart for it is that the system actually checked for the storage chip's manufacturer ID, which is hardcoded into the chip and cannot be altered. Since you couldn't get memory manufactured by SNK, there were no flashcarts for the system. A flashcart for the NGP popped up recently, once FPGAs/ASICs became more affordable and it became possible to fool the system into thinking that the attached modules were indeed SNK-made. I'm sure the 3DS also uses tricks akin to that, so "cloning" a cartridge would literally require you to know and understand the low-level workings of the cartridge and the system, down to the ALUs.
     
  14. Aurora Wright
    OP

    Aurora Wright GBAtemp Advanced Maniac

    I think we would need to hear from people who disassembled the Gateway launcher, then. As far as I knew (I was on 3dsdev the days the thing was released) the first version of it was said to just disable the crypto in the gamecard communication (Normmatt's launcher region-free mod was just a few bytes different, and he said he removed this patch). If that's the case, it would mean that the eventual hardware checks were/are already taken care of by the Gateway card FPGA.
     
  15. Foxi4

    Foxi4 On the hunt...

    If that's the case then your 1:1 clone would have to be able to correctly use the crypto mechanism of the 3DS. If Gateway disables it then it must be (and obviously is) easier to not use the crypto at all than to replicate it.
     
  16. Aurora Wright
    OP

    Aurora Wright GBAtemp Advanced Maniac

    Yeah, but since they decapped the CPU (they were kind of forced to, they had to get 7.x keyY) it's probable they also have the gamecard crypto keys now (I'm not entirely sure until I see it documented, but if I were Nintendo the gamecard crypto keys would be on the bootrom).
     
  17. Foxi4

    Foxi4 On the hunt...

    You still have to research the chain of trust and nail the protocol, just knowing the keys isn't enough. It's sort of like holding a key and standing in front of a door, but not knowing how to turn the key.
     
    loco365 likes this.
  18. gamesquest1

    gamesquest1 Nabnut

    Well, I'm assuming they have the protocol figured out to do stuff like cart dumping etc., but it's likely down to the "unique header" stuff that Gateway dumps, which would appear to be the last key sort of thing for chip identification, and seeing as that's unique per cart, a cloned game could essentially be blocked in an update based on what header ID it uses..... but I suppose the important part is indeed feeding that information to the 3DS in the correct manner, whereas Gateway does it the other way around and patches the system to accept it how they provide it.
     
  19. Aurora Wright
    OP

    Aurora Wright GBAtemp Advanced Maniac

    They have the protocol figured out, just because the card even exists; it's just that (if the launcher actually disables the crypto) the stream of data between Gateway and the 3DS is clear text and not encrypted.
     
  20. Foxi4

    Foxi4 On the hunt...

    If they had it all figured out, they wouldn't disable the crypto - they would use it. They merely found an exploit that disables a hurdle they didn't know how or didn't care how to cross.

    There's also another problem, that being that different carts have different kinds of storage built into them, and this goes beyond the CARD-1 and CARD-2 distinction. From what I remember, some games are sensitive to that - you can't put "any game" on "any cartridge". The PSVita is similar to that, some hackers managed to put game X on cartridge Y and it didn't work out or they've experienced some issues, so clearly there's an underlying low-level protection in play.