PassME/FlashME, How Do They Work?

gudenau

gudenau

Largely ignored
OP
Member
Level 16
Joined
Jul 7, 2010
Messages
3,882
Trophies
2
Location
/dev/random
Website
www.gudenau.net
XP
5,398
Country
United States
How do PassMe and FlashME jump to the GBA flash cartridges? I have access to the memory on a DS and tried jumping to 0x08000000 but it didn't appear to do anything, what's the correct procedure?
 
SylverReZ

SylverReZ

The planet is fine. The people are crazy.
Member
GBAtemp Patron
Level 29
Joined
Sep 13, 2022
Messages
7,222
Trophies
3
Location
The Wired
Website
m4x1mumrez87.neocities.org
XP
22,121
Country
United Kingdom
These files might help you reverse engineer on how it all works. But, it probably works by bypassing Nintendo's security checks with the use of a real cart, similar to those Wisdom Tree NES/SNES pass thru carts.
 

Attachments

  • passkey2-v2.rar
    360.7 KB · Views: 26
  • passme_pack1.3.zip
    68.3 KB · Views: 20
  • passme1.4.zip
    58.1 KB · Views: 23
  • passme2.zip
    71.3 KB · Views: 21
  • passme-iQue.zip
    10.1 KB · Views: 25
  • passme-serial.zip
    12.5 KB · Views: 23
  • Like
Reactions: bilibili2011
M

metroid maniac

An idiot with an opinion
Member
Level 11
Joined
May 16, 2009
Messages
2,088
Trophies
2
XP
2,640
Country
gudenau said:
How do PassMe and FlashME jump to the GBA flash cartridges? I have access to the memory on a DS and tried jumping to 0x08000000 but it didn't appear to do anything, what's the correct procedure?
Click to expand...
ARM7 will jump to 0x080000C0.
ARM9 is held in an infinite loop - write the ARM9 entry address to 0x027FFE24 when ready and it will jump there.
These details were taken from GBATEK.
There is a file, ndsloader.bin. If you concatenate this with a .nds file, it will produce a ROM you can write to a GBA flashcart which bootstraps the ARM7 and ARM9 binaries.
 
  • Like
Reactions: SylverReZ
gudenau

gudenau

Largely ignored
OP
Member
Level 16
Joined
Jul 7, 2010
Messages
3,882
Trophies
2
Location
/dev/random
Website
www.gudenau.net
XP
5,398
Country
United States
metroid maniac said:
ARM7 will jump to 0x080000C0.
ARM9 is held in an infinite loop - write the ARM9 entry address to 0x027FFE24 when ready and it will jump there.
These details were taken from GBATEK.
There is a file, ndsloader.bin. If you concatenate this with a .nds file, it will produce a ROM you can write to a GBA flashcart which bootstraps the ARM7 and ARM9 binaries.
Click to expand...
So I need to do something like `mov r15, #0x080000C0` on ARM7 and make sure there's a `mov r15, $` at 0x027FFE24 and make ARM9 jump there?

My flash cart should support DS mode, shocking how easy this sounds.
 
M

metroid maniac

An idiot with an opinion
Member
Level 11
Joined
May 16, 2009
Messages
2,088
Trophies
2
XP
2,640
Country
gudenau said:
So I need to do something like `mov r15, #0x080000C0` on ARM7 and make sure there's a `mov r15, $` at 0x027FFE24 and make ARM9 jump there?

My flash cart should support DS mode, shocking how easy this sounds.
Click to expand...
I don't understand, are you asking how to make a bootable slot-2 cartridge or are you asking how to boot a slot-2 cartridge in NDS mode?
 
FAST6191

FAST6191

Techromancer
Editorial Team
Level 33
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,348
Country
United Kingdom
Depending upon the firmware/hardware revision there was a reason for passme2 which instead used save memory I believe it was. Flashme can do what it likes (custom firmware after all).

That said if this is more about using a GBA flash cart as extra space (presumably for code in this instance, on the rare occasions I do anything here I tend to want bulk data or extra RAM for homebrew that I probably did not write) then yeah I don't think there are any particularly exotic incantations needed.
 
M

metroid maniac

An idiot with an opinion
Member
Level 11
Joined
May 16, 2009
Messages
2,088
Trophies
2
XP
2,640
Country
gudenau said:
I'm trying to get a SLOT-2 flash cart to run in a dev kit for dubious reasons.
Click to expand...
If you want to keep this simple, just concat ndsloader.bin to an .nds file, and write the resulting file to your flashcart.
Code: 
cat ndsloader.bin myfirmware.nds > myfirmware.ds.gba
I have attached ndsloader.bin as part of the dslazy tool.

If you wanna get a bit more complicated than that, take a look at the scfw.s file from this project I started a little while ago. You can discard the Supercard specific function, but this assembly program shows how you can make a slot-2 ROM which chainloads an embedded _mb.gba or .nds binary.
 

Attachments

  • dslazy.zip
    151.1 KB · Views: 26
  • Like
Reactions: SylverReZ
gudenau

gudenau

Largely ignored
OP
Member
Level 16
Joined
Jul 7, 2010
Messages
3,882
Trophies
2
Location
/dev/random
Website
www.gudenau.net
XP
5,398
Country
United States
FAST6191 said:
Depending upon the firmware/hardware revision there was a reason for passme2 which instead used save memory I believe it was. Flashme can do what it likes (custom firmware after all).

That said if this is more about using a GBA flash cart as extra space (presumably for code in this instance, on the rare occasions I do anything here I tend to want bulk data or extra RAM for homebrew that I probably did not write) then yeah I don't think there are any particularly exotic incantations needed.
Click to expand...

It's to use it as a flash cart, I have dumped games that I want to use the devkit to stream without nuking/backing up save files. If I can use the slot-2 flash cart for that instead it would be super nice. Unless you know of a way for me to create my own backup carts for the dev unit, this might be the most viable path forward with this.

metroid maniac said:
If you want to keep this simple, just concat ndsloader.bin to an .nds file, and write the resulting file to your flashcart.
Code: 
cat ndsloader.bin myfirmware.nds > myfirmware.ds.gba
I have attached ndsloader.bin as part of the dslazy tool.

If you wanna get a bit more complicated than that, take a look at the scfw.s file from this project I started a little while ago. You can discard the Supercard specific function, but this assembly program shows how you can make a slot-2 ROM which chainloads an embedded _mb.gba or .nds binary.
Click to expand...

Would that let you boot into GBA mode and launch a NDS ROM? I thought the hardware used write-once registers that could only be cleared via a hardware reset.
 
SylverReZ

SylverReZ

The planet is fine. The people are crazy.
Member
GBAtemp Patron
Level 29
Joined
Sep 13, 2022
Messages
7,222
Trophies
3
Location
The Wired
Website
m4x1mumrez87.neocities.org
XP
22,121
Country
United Kingdom
SylverReZ

SylverReZ

The planet is fine. The people are crazy.
Member
GBAtemp Patron
Level 29
Joined
Sep 13, 2022
Messages
7,222
Trophies
3
Location
The Wired
Website
m4x1mumrez87.neocities.org
XP
22,121
Country
United Kingdom
  • Love
  • Like
Reactions: ak1nok and metroid maniac

Site & Scene News

Go to forum More news

Popular threads in this forum

Testing the new EZ-Flash Parallel

ROM Hack  Mario Kart DS - Custom Tracks Grand Prix NITRO (CTGP NITRO) v1.1.0 Release

EZ-Flash Parallel Question (Sav files and where to put them)

Emulation  What are the emulation capability of a DSi? (2024)

Emulation  Tomodachi Collection Cheat Codes (For Delta)

So what IS the best DS Flashcart?

EZ-Flash Parallel doesn't works on DSi XL

EZ Flash Parallel / GBA ROMs

General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: Poor and jaundiced is he!