Hacking New DSi and current flashcarts

  • Thread starter: Ssseth
  • Views: 13,518
  • Replies: 83

Do you think current flashcarts will work on the new DSi?

  • Yes, with no updates needed

    Votes: 0 0.0%
  • Yes, with firmware/OS updates needed

    Votes: 0 0.0%
  • Only some flashcarts will work

    Votes: 0 0.0%
  • No, new flashcart hardware will need to be developed

    Votes: 0 0.0%
  • Other (explained in thread)

    Votes: 0 0.0%

  • Total voters
    0
@chuck : Do you know how the current flashcarts bypass the firmware? Is it some kind of buffer overflow trick?
 
Doomsday Forte said:
The DSi contains a new anti-piracy software in the camera that will fire a lethal beam of light through your brain if it even suspects that you are a pirate.

:3
Well that's me screwed then
 
chuckstudios said:
My theory as stated in IRC last night:
QUOTE said:
(chuckstudios) there will be a whitelist built into the flash memory for all existing games
(chuckstudios) something like MD5, which could hold about 3000 games in under 50KB
(chuckstudios) all games from now on will be digitally signed in such a way that the DSi recognizes but the old DS models ignore
(chuckstudios) effectively killing piracy and homebrew
In that case, can't flashcarts be made to fool the DSi into thinking it's one of the games in the whitelist?
 
Chrono_Tata said:
chuckstudios said:
My theory as stated in IRC last night:
QUOTE said:
(chuckstudios) there will be a whitelist built into the flash memory for all existing games
(chuckstudios) something like MD5, which could hold about 3000 games in under 50KB
(chuckstudios) all games from now on will be digitally signed in such a way that the DSi recognizes but the old DS models ignore
(chuckstudios) effectively killing piracy and homebrew
In that case, can't flashcarts be made to fool the DSi into thinking it's one of the games in the whitelist?

Hashing, unlike a checksum which is sometimes used for similar purposes, is very difficult to find a 'collision' for - data which is hashed to the same value as another known hash. A SHA-1 hash would be much stronger than MD5, though, and would require maybe 15KB more for a whitelist.
 
chuckstudios said:
TrolleyDave said:
@chuck : Do you know how the current flashcarts bypass the firmware? Is it some kind of buffer overflow trick?

It's actually a byte in the header of the cartridge, address 0x1F.

Edit: 777 posts! Woo!

You don't know any sites with info on how it works do you? I've found loads of info on how passthroughs work but not the slot-1's. Do the registers set it to some kind of "technician" mode that allows it to bypass the firmware? Sorry for the questions mate but I know very little about how the DS flashcarts work.
 
TrolleyDave said:
chuckstudios said:
TrolleyDave said:
@chuck : Do you know how the current flashcarts bypass the firmware? Is it some kind of buffer overflow trick?

It's actually a byte in the header of the cartridge, address 0x1F.

Edit: 777 posts! Woo!

You don't know any sites with info on how it works do you? I've found loads of info on how passthroughs work but not the slot-1's. Do the registers set it to some kind of "technician" mode that allows it to bypass the firmware? Sorry for the questions mate but I know very little about how the DS flashcarts work.

Everything you ever need to know about the DS hardware is here. Specifically, the section with the autostart byte mentioned is here.
 
AndreXL said:
Imagine Nintendo taking your snapshot and sending them thru the web...
You're BUSTED!



That would suck like hell



I've been reading some of the posts and I've been saying to myself, why would we want to get a DSi and flash it? I mean, think about it: first of all, a flashcard has some kind of multimedia function, i.e. Moonshell in some cases. So why would we want a DSi, which may not be compatible with flashcards? OK, a DSi now has an SD slot, but no GBA slot. It has better firmware but may not be compatible with flashcards. So I don't see what we will be getting. A VGA camera with 2 3.25 inch screens
 
chuckstudios said:
Everything you ever need to know about the DS hardware is here. Specifically, the section with the autostart byte mentioned is here.

Nice one, a lot of it went straight over my head but I think I got the basics. Am I right in thinking that this

"9000000000000000h (4) - 1st Get ROM Chip ID
Returns RAW unencrypted Chip ID (eg. C2h,0Fh,00h,00h), repeated every 4 bytes.
1st byte - Manufacturer (C2h = Macronix)
2nd byte - Chip size in megabytes minus 1 (eg. 0Fh = 16MB)
3rd byte - Reserved/zero (probably upper bits of chip size)
4th byte - Bit7: Secure Area Block transfer mode (8x200h or 1000h)"

returns the actual manufacturer of the ROM chips inside the cart, rather than the publisher/manufacturer of the game itself?
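
The Chip ID layout quoted above can be decoded field by field. This is an added example, not part of the original posts or of gbatek; the struct, the function names and the malformed second reply are made up for illustration, and only the C2h = Macronix mapping comes from the quoted text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded form of the 4-byte Chip ID described in the quoted text. */
struct chip_id {
    uint8_t  manufacturer;    /* 1st byte: ROM chip maker code */
    uint32_t size_mb;         /* 2nd byte holds "size in MB minus 1" */
    uint8_t  reserved;        /* 3rd byte: reserved/zero */
    int      secure_mode_bit; /* 4th byte, bit 7 (block transfer mode) */
};

/* Returns 0 on success, -1 if the reply is malformed. The reply is
 * "repeated every 4 bytes", so every 4-byte group must match the first. */
int parse_chip_id(const uint8_t *reply, size_t len, struct chip_id *out)
{
    if (reply == NULL || out == NULL || len < 4 || len % 4 != 0)
        return -1;
    for (size_t off = 4; off < len; off += 4)
        if (memcmp(reply, reply + off, 4) != 0)
            return -1;
    out->manufacturer    = reply[0];
    out->size_mb         = (uint32_t)reply[1] + 1u;
    out->reserved        = reply[2];
    out->secure_mode_bit = (reply[3] >> 7) & 1;
    return 0;
}

/* Only the code given in the quoted text is known here. */
const char *manufacturer_name(uint8_t code)
{
    return code == 0xC2 ? "Macronix" : "unknown";
}

/* Sample reply from the quoted text, repeated twice. */
static const uint8_t SAMPLE_REPLY[8] = {0xC2, 0x0F, 0x00, 0x00, 0xC2, 0x0F, 0x00, 0x00};
/* Constructed malformed reply: the second group does not repeat the first. */
static const uint8_t BAD_REPLY[8]    = {0xC2, 0x0F, 0x00, 0x00, 0xC2, 0x1F, 0x00, 0x00};

int main(void)
{
    struct chip_id id;
    if (parse_chip_id(SAMPLE_REPLY, sizeof SAMPLE_REPLY, &id) == 0)
        printf("%s chip, %u MB, mode bit %d\n",
               manufacturer_name(id.manufacturer), (unsigned)id.size_mb, id.secure_mode_bit);
    printf("bad reply rejected: %d\n", parse_chip_id(BAD_REPLY, sizeof BAD_REPLY, &id) == -1);
    return 0;
}
```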
 
chuckstudios said:
Slowking said:
Signing - encrypting, tomato - tomato. and they are RSA-encrypted if I remember correctly...

No. Card encryption is definitely based on Blowfish, I just looked it up in gbatek. The encryption was somewhat flawed, however, and the header was unencrypted. This allowed PassMes to execute code, and the encryption was then able to be reverse engineered. Signing is bulletproof provided Nintendo's private key is never leaked.

Edit: And provided they don't use strcmp()


Edit 2: Also, Blowfish is symmetric key. Digital signatures are asymmetric (public-key crypto).
If they really just used blowfish the encryption would have been cracked a LOT sooner. And the DS does use RSA, at least for downloadplay. Nintendo would have been really stupid if they didn't use it for their cards (which I wouldn't put past them).
Maybe they used a combination of both. I read somewhere that most of the time RSA is combined with a symmetric encryption...
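
Why the strcmp() remark in the post above matters: a hash or signature digest is binary data that may contain zero bytes, and a string comparison stops at the first one. The following is an added example, not code from the thread or from any console firmware; the function names and both digests are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20 /* SHA-1 sized digest */

/* Flawed check: strcmp() treats the digests as C strings, so it stops at
 * the first 0x00 byte and never looks at the bytes after it. With no zero
 * byte present it would also read past the end of the buffer. */
int digest_equal_strcmp(const uint8_t *a, const uint8_t *b)
{
    return strcmp((const char *)a, (const char *)b) == 0;
}

/* Correct check: compare exactly len bytes, accumulating differences so
 * the running time does not depend on where the first mismatch is. */
int digest_equal_fixed(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Constructed digests: identical up to a zero byte at index 1, different
 * afterwards. Bytes not listed are zero. */
static const uint8_t EXPECTED[DIGEST_LEN] = {0x3a, 0x00, 0x11, 0x22, 0x33, 0x44};
static const uint8_t OTHER[DIGEST_LEN]    = {0x3a, 0x00, 0xde, 0xad, 0xbe, 0xef};

int main(void)
{
    printf("strcmp says equal:      %d\n", digest_equal_strcmp(EXPECTED, OTHER));
    printf("fixed-length says equal: %d\n",
           digest_equal_fixed(EXPECTED, OTHER, DIGEST_LEN));
    return 0;
}
```

The string comparison accepts two different digests as equal because only the bytes before the first zero are checked, while the fixed-length comparison rejects them.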
 
Flashcarts will work with the new DS. I wasn't around the scene when the lite first came out, but I'm sure people had similar concerns then.


Whitelist: This can't be implemented, because there would be no reliable way to update it. Not everybody has broadband (shocking, I know) or wifi access. So, if they bought a new game that wasn't on the list, it would be seen as "bad" and they wouldn't be able to play it.

If you update via the cart, then obviously there would be a way for the flashcart to add itself to the whitelist in the same manner.

This is of course, assuming the whitelist is secure in the first place and there isn't a way found to flash the whitelist to whatever you want. Or, that there isn't a way for a flashcart to pretend to be something else. So, either way, a whitelist doesn't help much.


No matter what the new firmware does, there will always be a way around it. The DSi has exciting new possibilities of running stuff direct from the SD slot with a hacked firmware. Granted, it's probably not going to support SDHC (since the Wii doesn't) but it would be cool nonetheless.
 
GrathXVI said:
I wonder if firmware or homebrew will allow loading of ROMs from the internal memory/SD slot. Especially on cards like the AceKard 2 which allow loading from/to the Slot-2 on the DS Phat/Lite.
I hope the SD slot will support SDHC, then I can have 8GB + internal storage worth of DS roms on DSi.

Nintendo have said that it isn't going to be SDHC compatible. Too bad.
 
Kokorazashi said:
GrathXVI said:
I wonder if firmware or homebrew will allow loading of ROMs from the internal memory/SD slot. Especially on cards like the AceKard 2 which allow loading from/to the Slot-2 on the DS Phat/Lite.
I hope the SD slot will support SDHC, then I can have 8GB + internal storage worth of DS roms on DSi.

Nintendo have said that it isn't going to be SDHC compatible. Too bad.
Ok. I really wanted this new DS, now not so much. The main reason for me would be to have a cool multi-media-thingy included in a great gaming device. But what can you store on 2GB?
 
Slowking said:
Kokorazashi said:
GrathXVI said:
I wonder if firmware or homebrew will allow loading of ROMs from the internal memory/SD slot. Especially on cards like the AceKard 2 which allow loading from/to the Slot-2 on the DS Phat/Lite.
I hope the SD slot will support SDHC, then I can have 8GB + internal storage worth of DS roms on DSi.

Nintendo have said that it isn't going to be SDHC compatible. Too bad.
Ok. I really wanted this new DS, now not so much. The main reason for me would be to have a cool multi-media-thingy included in a great gaming device. But what can you store on 2GB?


Another reason why you shouldn't get this yet, I'm only getting it when my NDS lite's warranty runs out and when I break it, which is highly unlikely, man it's such a shame, I believe Nintendo should have put some more thought into it. Don't you think?
 
mysticwaterfall said:
Flashcarts will work with the new DS. I wasn't around the scene when the lite first came out, but I'm sure people had similar concerns then.

Didn't the lite stop the original PassMes from working?

QUOTE said:
Whitelist: This can't be implemented, because there would be no reliable way to update it. Not everybody has broadband (shocking, I know) or wifi access. So, if they bought a new game that wasn't on the list, it would be seen as "bad" and they wouldn't be able to play it.

Not really. If I'm right in thinking that this

"Returns RAW unencrypted Chip ID (eg. C2h,0Fh,00h,00h), repeated every 4 bytes. 1st byte - Manufacturer (C2h = Macronix)"

returns the manufacturer of the actual ROM chip inside the cart then it wouldn't be hard at all. Sure it wouldn't take long for flashcart makers to overcome it but if Nintendo just add in a quick call to make sure you're using a Nintendo approved ROM chip inside the cart then the whitelist would work like a charm. Plus it doesn't necessarily have to use the net to update the firmware. Upgrades could be put onto carts in a similar way to the PSP upgrading firmwares from within games.
 
Maybe, maybe not. What IS certain is that none of us can tell the future.

QUOTE said:
Nintendo have said that it isn't going to be SDHC compatible. Too bad.

WTF? Why not? Garrr, even more certain I'm not gonna get it now. Then again, it would look pretty bad on Nintendo having a handheld with more memory capacity than their home console aha.
 
Slowking said:
Kokorazashi said:
GrathXVI said:
I wonder if firmware or homebrew will allow loading of ROMs from the internal memory/SD slot. Especially on cards like the AceKard 2 which allow loading from/to the Slot-2 on the DS Phat/Lite.
I hope the SD slot will support SDHC, then I can have 8GB + internal storage worth of DS roms on DSi.

Nintendo have said that it isn't going to be SDHC compatible. Too bad.
Ok. I really wanted this new DS, now not so much. The main reason for me would be to have a cool multi-media-thingy included in a great gaming device. But what can you store on 2GB?
Correct me if I'm wrong, but I thought you could have 4GB SD and 4GB SDHC cards (both formats). That does really suck though that it won't work with the new technology. It's not like it's brand new or anything!

Edit: Ya, the maximum size "regular" SD technology could do was 4 GB, not 2GB. As per Wikipedia anyway.
 
First off, let's face the facts. The flashcarts that boot to the main menu and do not allow you to go to the DSi menu will NOT work with the DSi. So you can eliminate most flashcarts. Okay, besides the CycloDS, which other flashcarts don't automatically boot up to their menu?
 
Link5084 said:
First off, let's face the facts. The flashcarts that boot to the main menu and do not allow you to go to the DSi menu will NOT work with the DSi. So you can eliminate most flashcarts. Okay, besides the CycloDS, which other flashcarts don't automatically boot up to their menu?
I'm curious to know this as well.

Although, with an update to the firmware couldn't some current flashcarts go to the DS menu instead of straight to theirs?...
 
