1. dr1ft

    OP dr1ft Advanced Member
    Newcomer

    Joined:
    Mar 2, 2018
    Messages:
    53
    Country:
    United States
So over the past couple of days I've been working on reverse engineering firmware.nds to understand how it worked. I didn't expect to make any progress, but somehow I managed to figure out exactly how it works.

I've managed to develop a single tool that automatically converts a firmware.bin file into a firmware.nds with no user interaction other than dragging the bin file onto the exe.

It has been tested with 7 different English firmware revisions and all FlashMe v8 variations.

This is important because firmware.nds cannot be legally distributed due to containing substantial portions of the DS firmware, but now we can build our own using legal means :)

Have fun, and be sure to report any issues you have in this thread.

I'll be making a more in-depth writeup of how this all works in the near future, so stay tuned for that.
     

    Attached Files:

    Last edited by dr1ft, Jun 28, 2018
  2. Coto

    Coto -
    Member

    Joined:
    Jun 4, 2010
    Messages:
    2,700
    Country:
    Chile
    Dr1ft == endrift?

    Hope to see more development. Thanks!!
     
    dr1ft likes this.
  3. ChampionLeake

    ChampionLeake NTR/TWL Exploiter
    Member

    Joined:
    Jan 19, 2016
    Messages:
    209
    Country:
    United States
    Nice work!
     
    dr1ft likes this.
  4. dr1ft

    OP dr1ft Advanced Member
    Newcomer

    Joined:
    Mar 2, 2018
    Messages:
    53
    Country:
    United States
If someone else is called endrift, I'm not them :P
     
  5. bilibili2011

    bilibili2011 Newbie
    Newcomer

    Joined:
    Nov 25, 2014
    Messages:
    8
    Country:
    France
Very nice and interesting, looking forward to the source code.
     
  6. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    31,151
    Country:
    United Kingdom
Nice. We have had quite a few people over the years wanting shots, sound samples, video and more of the DS firmware/menu. It would be nice to have a simple "point people at it" type of solution.

    Will you include a PC editor so people can still change the colour, birthday, name... settings of these new .nds files? Or indeed might you be able to force it to use the same offsets somehow?
     
  7. dr1ft

    OP dr1ft Advanced Member
    Newcomer

    Joined:
    Mar 2, 2018
    Messages:
    53
    Country:
    United States
Well, this doesn't let you do anything you couldn't already do with a competent emulator that supported firmware dumps. Also, the settings are contained in NVRAM and this makes no attempt to store them in the file. You *could* do that with additional patches, but I don't see *why* you would... This is mostly intended for helping with my personal obsession of running the original DS firmware on every iteration of the DS :P
     
    Deleted-236924 likes this.
  8. Sha8q

    Sha8q pls help
    Member

    Joined:
    Mar 31, 2018
    Messages:
    234
    Country:
    Jamaica
    Is the firmware.nds the original DS's firmware? The DS Lite's firmware hadn't publicly been released. I have several flashcards and a DS Lite. If you need the firmware to it, I could provide it.
     
  9. dr1ft

    OP dr1ft Advanced Member
    Newcomer

    Joined:
    Mar 2, 2018
    Messages:
    53
    Country:
    United States
I have a ton of firmwares, so I'm not too concerned with that.
Feel free to send it my way anyway though; the more the merrier.
     
  10. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    31,151
    Country:
    United Kingdom
I vaguely recall a few years back, around the time the PictoChat trick got released or rediscovered (well after the DS Lite was released as well), that everybody got all the versions going and put into a pack of all of them.

I don't know about the Korean ones and iQue models, as they might still have a version or two that did not get dumped (still got some examples though), but as far as mainstream DS models from the usual regions go, all firmwares and revisions should be out there, and likely have been for many years now.

Edit: Or, if you prefer, there is a reason FlashMe was able to backport the DS Lite brightness adjustment for those later revisions of the DS with the relevant chip.
     
  11. dr1ft

    OP dr1ft Advanced Member
    Newcomer

    Joined:
    Mar 2, 2018
    Messages:
    53
    Country:
    United States
The set I have is mostly from noflashme.nds; they're not complete dumps, but enough to build a firmware.nds from.
     
  12. Sha8q

    Sha8q pls help
    Member

    Joined:
    Mar 31, 2018
    Messages:
    234
    Country:
    Jamaica
    Oh
     
  13. dr1ft

    OP dr1ft Advanced Member
    Newcomer

    Joined:
    Mar 2, 2018
    Messages:
    53
    Country:
    United States
Well, it took me long enough, but there's a zip file attached in the OP with source code and binaries now.

EDIT: Is there some way I can change the thread title to [RELEASE] instead of [Very WIP]?
     
    Last edited by dr1ft, Jun 28, 2018
  14. Robz8

    Robz8 Coolest of TWL
    Developer

    Joined:
    Oct 1, 2010
    Messages:
    13,246
    Country:
    United States
    Report the OP to request to change title.
    I've done this plenty of times. :P
     
    dr1ft likes this.
  15. Apache Thunder

    Apache Thunder I have cameras in your head!
    Member

    Joined:
    Oct 7, 2007
    Messages:
    4,272
    Country:
    United States
[Image attachment: snapshot20180629005325.jpg]

    ( ͡° ͜ʖ ͡°)


    It doesn't actually boot the game yet though. Big thanks to dr1ft for helping me with this. I managed to get a bootstrap program that launches his firmware.nds SRL and got it to work on 3DS. :D

There are a few things that need to be in RAM before the firmware SRL boots before it will show a game in slot-1. After checking in No$GBA, it seems the game's ARM binaries are already loaded into RAM by the time you reach that screen. I guess the NDS BIOS/bootrom loads those into RAM? Not sure when that is happening. The firmware SRL doesn't seem to be doing it on its own though. It is able to load the game's icon data. (It will hang too if I remove the cart before it boots or eject the cart while it's running, just like on real DS consoles.) My bootstrap only puts the cart's header and a few other tidbits in the needed parts of RAM. (Refer to this to see what I mean: https://problemkaputt.de/gbatek.htm#biosramusage ) But those are data I compiled directly into the source code, and I'm not pulling them from the cart in slot-1 yet, so my build was hard coded to only show Mario 64. (And it will hang on boot if you attempt to use a different cart. :P )

    Cart loading code is a bit beyond me so someone else will have to pick up where I left off. dr1ft has the source to the bootstrap I used to boot this. Hopefully he can get something going with this. :D
     
    Last edited by Apache Thunder, Jun 29, 2018
    Dartz150, Roboman, JSMastah and 3 others like this.
  16. DeadSkullzJr

    DeadSkullzJr Developer
    Developer

    Joined:
    Sep 28, 2017
    Messages:
    1,085
    Country:
    United States
GBA games, flashcarts, and other various extensions work perfectly with these. I dumped quite a few firmwares; obviously the DSi firmware won't work, for obvious reasons. Creating a firmware.nds from the New Nintendo 3DS DS mode dump doesn't seem to work; it did work with the Old Nintendo 3DS DS mode dump though. Turns out my old 3DS uses a v4 Phat firmware in DS mode :P
     
    Ryccardo likes this.
  17. MakeMake

    MakeMake A very squishy IT ghost.
    Member

    Joined:
    Aug 7, 2019
    Messages:
    129
    Country:
    United States
When I use the firmware.bin on the executable, it doesn't work.
Windows 7

CMD does this: [Image attachment: upload_2019-8-11_11-14-42.png]
     
  18. DeadSkullzJr

    DeadSkullzJr Developer
    Developer

    Joined:
    Sep 28, 2017
    Messages:
    1,085
    Country:
    United States
    Do it on the desktop, for whatever reason I have better luck with that.
     
  19. jkrosado

    jkrosado Newbie
    Newcomer

    Joined:
    Dec 19, 2019
    Messages:
    8
    Country:
    United States
How do I get this to work?
     
  20. tuxifan

    tuxifan Newbie
    Newcomer

    Joined:
    Jul 17, 2020
    Messages:
    1
    Country:
    Germany
    Code:
    fw2nds
    build firmware.nds
    dr1ft 2018
    
    unpacking with fwunpack
    Nintendo DS Firmware Unpacker by Michael Chisholm (Chishm)
    Firmware size 0x00040000
    ARM9 Boot: From 0x00000180 to 0x021F0000
    ARM7 Boot: From 0x000001A0 to 0x0380F800
    GUI Data: From 0x000002C0
    ARM9 GUI: From 0x000183B0
    ARM7 GUI: From 0x0000F5B0
    ARM7 GUI size: 0x0000D940
    ARM9 GUI size: 0x0001AFA0
    GUI Data size: 0x0003A7A0
    Flashme firmware
    ARM9 Boot2: From 0x01FFFE00 to 0x00800200
    ARM7 Boot2: From 0x01FFFE00 to 0x00800200
    wine: Unhandled page fault on read access to 02420FE8 at address 00401D76 (thread 0009), starting debugger...
    0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
    0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
    0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
    0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
    0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
    0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
    Unhandled exception: page fault on read access to 0x02420fe8 in 32-bit code (0x00401d76).
    0030:fixme:dbghelp:elf_search_auxv can't find symbol in module
    Register dump:
     CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
     EIP:00401d76 ESP:0032fe7c EBP:00401e00 EFLAGS:00010202(  R- --  I   - - - )
     EAX:02420fe8 EBX:7e9b2ec0 ECX:02420fe8 EDX:02420fe8
     ESI:00401d70 EDI:004211e8
    Stack dump:
    0x0032fe7c:  0040158b 02420fe8 004211e8 7e9b0600
    0x0032fe8c:  7e9af740 7e9b2ec0 0032feac 00401d90
    0x0032fe9c:  00401db0 00000000 00401ad3 0032fef4
    0x0032feac:  00403314 01fffe00 00800200 004032f0
    0x0032febc:  01fffe00 00800200 004032dc 0041da78
    0x0032fecc:  00000001 0032ff30 00000000 00800200
    Backtrace:
    =>0 0x00401d76 EntryPoint+0xffffffff() in fwunpack (0x00401e00)
      1 0x40641ca3 (0x0424448b)
    0x00401d76 EntryPoint+0xffffffff in fwunpack: movb      0x0(%ecx),%al
    Modules:
    Module  Address                 Debug info      Name (19 modules)
    PE        400000-  41f000       Export          fwunpack
    PE      7b000000-7b2e9000       Deferred        kernelbase
    ELF     7b400000-7b673000       Deferred        kernel32<elf>
      \-PE  7b420000-7b673000       \               kernel32
    ELF     7bc00000-7beb3000       Deferred        ntdll<elf>
      \-PE  7bc30000-7beb3000       \               ntdll
    ELF     7c000000-7c005000       Deferred        <wine-loader>
    ELF     7e7e1000-7e800000       Deferred        libgcc_s.so.1
    ELF     7e905000-7e92e000       Deferred        libtinfo.so.6
    ELF     7e92e000-7e95a000       Deferred        libncurses.so.6
    ELF     7e95a000-7ea3d000       Deferred        msvcr80<elf>
      \-PE  7e980000-7ea3d000       \               msvcr80
    ELF     7eeb6000-7eecb000       Deferred        libnss_files.so.2
    ELF     7eecb000-7efd0000       Deferred        libm.so.6
    ELF     f7bc2000-f7bc8000       Deferred        libdl.so.2
    ELF     f7bc8000-f7db6000       Deferred        libc.so.6
    ELF     f7db6000-f7dd9000       Deferred        libpthread.so.0
    ELF     f7e09000-f7fbc000       Dwarf           libwine.so.1
    ELF     f7fbe000-f7feb000       Deferred        ld-linux.so.2
    Threads:
    process  tid      prio (all id:s are in hex)
    00000008 (D) Z:\mnt\be72c2f6-dadb-4f53-9bc0-f509230a0e01\Programme\OSS\CFW-Suite\fw2nds\bin\fwunpack.exe
            00000009    0 <==
    0000000e services.exe
            0000002c    0
            00000020    0
            0000001b    0
            00000015    0
            00000014    0
            00000013    0
            00000010    0
            0000000f    0
    00000011 winedevice.exe
            00000018    0
            00000017    0
            00000016    0
            00000012    0
    00000019 plugplay.exe
            0000001d    0
            0000001c    0
            0000001a    0
    0000001e winedevice.exe
            00000026    0
            00000023    0
            00000022    0
            00000021    0
            0000001f    0
    00000024 explorer.exe
            0000002b    0
            0000002a    0
            00000029    0
            00000025    0
    00000027 ACService.exe
            0000002e    0
            0000002d    0
            00000028    0
    System information:
        Wine build: wine-5.0.1
        Platform: i386 (WOW64)
        Version: Windows 10
        Host system: Linux
        Host version: 5.4.0-40-generic
    reading images
    boot7 critical region at FFFFFFFF
    boot9 critical region at FFFFFFFF
    
    Unhandled Exception:
    System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
    Parameter name: startIndex
      at System.BitConverter.ToInt32 (System.Byte[] value, System.Int32 startIndex) [0x00016] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
      at System.BitConverter.ToUInt32 (System.Byte[] value, System.Int32 startIndex) [0x00000] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
      at bluelib.Utils.ToUInt (System.Byte[] data, System.Int32 offset) [0x00000] in <e8ce40ccd31e49108c6a43227d843ea8>:0
      at fw2nds.Program.Main (System.String[] args) [0x00225] in <0ad843ee36bf46d796b49c32028d6cd1>:0
    [ERROR] FATAL UNHANDLED EXCEPTION: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
    Parameter name: startIndex
      at System.BitConverter.ToInt32 (System.Byte[] value, System.Int32 startIndex) [0x00016] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
      at System.BitConverter.ToUInt32 (System.Byte[] value, System.Int32 startIndex) [0x00000] in <12b418a7818c4ca0893feeaaf67f1e7f>:0
      at bluelib.Utils.ToUInt (System.Byte[] data, System.Int32 offset) [0x00000] in <e8ce40ccd31e49108c6a43227d843ea8>:0
      at fw2nds.Program.Main (System.String[] args) [0x00225] in <0ad843ee36bf46d796b49c32028d6cd1>:0
    
This is all I get when running it. Any ideas?

Edit: I compiled fwunpack.exe on my own and the first exception disappeared. The second one still persists...
     
    Last edited by tuxifan, Jul 17, 2020
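The fw2nds trace in the post above is consistent with a classic binary-parsing failure: the tool prints "critical region at FFFFFFFF" (a "not found" sentinel from a pattern search) and then BitConverter.ToUInt32 throws because that value was used as an offset into the image. The following Python is an added example written for this thread, not fw2nds's, fwunpack's or bluelib's code; it shows the two checks whose absence produces that trace: a bounds-checked 32-bit read, and an explicit "not found" path before a search result is used as an offset. Everything specific in it is constructed for illustration: REGION_MARKER is an invented byte pattern (not fw2nds's real search pattern), the offset 0x180 and the field value are arbitrary, and the only number taken from the log is the 0x40000 image size.

```python
# Added example (not fw2nds/fwunpack/bluelib code): bounds-checked reads and an
# explicit "not found" path for a pattern search over a firmware image.
#
# Assumptions, all constructed for illustration: REGION_MARKER is an invented
# byte pattern, the offsets used to build the sample images are arbitrary, and
# the 4-byte field read after the marker stands in for whatever the real tool
# reads there. Only IMAGE_SIZE comes from the log ("Firmware size 0x00040000").
import struct

NOT_FOUND = 0xFFFFFFFF                   # sentinel shown as "critical region at FFFFFFFF"
IMAGE_SIZE = 0x40000                     # full DS firmware dump size from the log
REGION_MARKER = b"CRIT\x00\x00\xA0\xE1"  # constructed marker, not a real pattern


def read_u32(data: bytes, offset: int) -> int:
    """Little-endian u32 read that rejects any offset not fully inside `data`.

    BitConverter.ToUInt32 throws ArgumentOutOfRangeException on the same
    condition; raising ValueError here lets the caller turn it into a message
    instead of an unhandled exception.
    """
    if offset < 0 or offset + 4 > len(data):
        raise ValueError(
            f"u32 read at 0x{offset:X} exceeds image size 0x{len(data):X}")
    return struct.unpack_from("<I", data, offset)[0]


def find_region(data: bytes, marker: bytes) -> int:
    """Offset of `marker` in `data`, or NOT_FOUND when the image lacks it."""
    pos = data.find(marker)
    return NOT_FOUND if pos < 0 else pos


def region_field_unchecked(data: bytes, marker: bytes) -> int:
    """The failure mode in the log: the search result is used as an offset
    without testing it against NOT_FOUND, so a missing marker becomes an
    out-of-range read (0xFFFFFFFF + len(marker) is far past the end)."""
    off = find_region(data, marker)
    return read_u32(data, off + len(marker))


def region_field_checked(data: bytes, marker: bytes):
    """Same lookup, but a missing marker is reported, not dereferenced."""
    off = find_region(data, marker)
    if off == NOT_FOUND:
        return None
    return read_u32(data, off + len(marker))


def convert(data: bytes) -> dict:
    """Fail-closed front end: validate size, locate the region, read its
    field, and return a structured result instead of crashing on a bad image."""
    if len(data) != IMAGE_SIZE:
        return {"ok": False, "error": f"unexpected image size 0x{len(data):X}"}
    value = region_field_checked(data, REGION_MARKER)
    if value is None:
        return {"ok": False,
                "error": "critical region marker not found; "
                         "is this a complete firmware.bin dump?"}
    return {"ok": True, "field": value}


def make_image(with_marker: bool) -> bytes:
    """Constructed sample image: 0xFF fill, optionally with the marker and a
    little-endian field (0x021F0000, borrowed from the log's ARM9 boot
    destination purely as a recognisable value) placed at offset 0x180."""
    img = bytearray(b"\xFF" * IMAGE_SIZE)
    if with_marker:
        at = 0x180
        img[at:at + len(REGION_MARKER)] = REGION_MARKER
        struct.pack_into("<I", img, at + len(REGION_MARKER), 0x021F0000)
    return bytes(img)


if __name__ == "__main__":
    print(convert(make_image(True)))    # {'ok': True, 'field': 35586048}
    print(convert(make_image(False)))   # {'ok': False, 'error': ...}
    try:
        region_field_unchecked(make_image(False), REGION_MARKER)
    except ValueError as exc:
        print("unchecked path:", exc)   # the out-of-range read, caught here
```

The point of `convert` is that a truncated or partial dump (the kind tuxifan may be feeding in, or the incomplete noflashme.nds-derived sets mentioned earlier in the thread) produces a one-line diagnosis naming the missing region rather than a Mono stack trace, which is also what makes the tool safe to point at an untrusted or corrupted image.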