As some folks know there have been reports of bricked EZP carts as a result of running certain games. Initial brick happened via a specific retail game with any cart on fw 1.05 or older. Then another brick happened as a result of a debug/test rom created via official Nintendo SDK.
Basically there's a decent chance you can brick this card by running any game the cart's firmware/kernel doesn't have a save patch for. For some reason they allowed access to their internal flash via SPI bus and thus standard save read/write operations can alter the contents of that chip! This was how the bricks were happening.
Well I've successfully unbricked a card and wrote up a modified version of NDS Backup Tool. I called this EZP_Recovery_Tool!
Note: If you have run fw 1.06 at any point on your cart, the first 0x8000 bytes of the flash become locked. This program can write to a specific register the flash chip uses for write protection to disable this. However, this only works if you disconnect the WP# pin on the flash chip.
To restore a locked card follow these steps:
1. Disassemble card and use soldering iron or other tool to disconnect WP# pin from PCB. You may have to cut the pin to avoid damaging the pad on the PCB. Use wire or solder blob to reconnect the pin later. Reassemble after making this temporary mod to the cart.
2. Run this tool with the card inserted (do not flash anything; just having the program detect the card runs the unlock commands). While this pin is lifted your card may not show up in menus or be detected properly by this program anymore. This is normal. Just hit the B button, ignore the invalid card message, and allow the program to reach the main menu (something unique to this tool, as normal save dumpers like NDS Backup Tool don't allow you to do anything with an invalid cart). Do not attempt to flash anything to the card while it is in this state. It may not work correctly. (I have not tested that.)
3. Power off console, take the card out and disassemble again. Reconnect the WP pin.
4. Put it back together. Card should show up on console/menus again. Run this tool to restore a known good flash dump and the card should be restored!
Unfortunately there isn't a simpler way to get around this that avoids soldering equipment/physically damaging pin on the chip. Not until EZFlash decides to make their own unbrick tool (or adopt mine. They are free to use mine if they want) and provide something that can unlock the card through software. Most bricks likely happened while on older fw so this is probably not gonna impact most users though.
If you have never run fw 1.06 on the cart before, you do not need to modify the card in this way. As a matter of fact, now that this tool exists I would recommend NOT ever using that fw version! A card with an unlocked flash chip can have any future bricks unbricked with this tool. So it is best to avoid that fw version until the EZFlash team decides to provide a fw release that doesn't lock sections of the chip.
The download for my tool can be found here (source code can be found there too if EZFlash wants to use it). @EZ-Flash2:
https://github.com/ApacheThunder/EZP_Recovery_Tool/releases/
A known good dump can't be posted here because they use a retail spoof game like most other flashcarts, so this will likely have copyright issues. You can request a dump from another user... or maybe EZFlash can provide one on their website.
Do NOT run this program from your EZ Flash cart. It will not operate correctly. Please boot from SD on console (if DSi/3DS). If using an original DS or DS Lite you need to have a slot-2 device that can run DS homebrew (and some way of booting that device in DS mode, obviously). So if your EZP is bricked you'd need to use a different flashcart to boot that slot-2 device in DS mode.
EDIT: While I can't provide an original dump of this card due to it containing copyrighted game data, I can however provide an IPS patch to convert the game into the version EZFlash used. You must obtain this game on your own. Info on the game they used:
http://www.ds-scene.net/?s=viewtopic&nid=2281&hilite=0839
To prepare the game ROM for the IPS file included, find this game. Re-encrypt the arm9 secure area, then trim the ROM to this specific size in a hex editor: 0x400000 (it should be 4MB in size afterwards).
Afterwards it should have this MD5:
59F547E3E9DF9261226F6B0AEC30047A
Then use the provided IPS patch to convert it into the version EZDS used. Their version has the ntrboot data added at 0x1000 with their bootloader embedded in an area of the game that has been exploited.
If however you do not wish to go through all this and have soft-modded consoles, you can instead restore the provided EZFLASH_NEW_ABJJ_00.bin file.
This is a sanitized dump that contains their bootloader (it's basically just nds-hb-menu's bootstrap but with their icon/banner and an autoboot path set to ezds.dat instead of boot.dat) and their icon (but with a modified banner text). It will appear with the icon shown at the end of the updated video I posted above. I've also reconfigured it to use the ABJJ game code as it appears their blowfish keys are hardcoded in the FPGA. (I have confirmed they do not exist in the flash dump. So yeah, no DSi ntrboot for this card.)
The zip file containing the mentioned files is posted below. Note however that if you decide to use the custom sanitized flash dump, the cart will not boot on unmodded 3DS/DSi consoles.
Last edited by Apache Thunder,
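The ROM preparation steps in the post (trim to 0x400000 bytes, verify the MD5, apply the IPS patch) and the "first 0x8000 bytes are locked" detail are easy to get wrong by hand, so here is an added Python helper that is not part of the post's tool or the EZP_Recovery_Tool repository. It implements a standard IPS applier (plain and RLE records, plus the optional truncation footer), checks a trimmed ROM against the size and MD5 quoted above, and reports which bytes in the locked region differ between a suspect flash dump and a known good one. The sample data at the bottom is constructed inline so the script runs offline; the real game ROM, IPS file and flash dump are assumed to be supplied by the reader.

```python
"""Verify a trimmed ROM, apply an IPS patch, and diff the locked flash region (added example)."""
import hashlib

EXPECTED_SIZE = 0x400000                                # trim size given in the post (4 MiB)
EXPECTED_MD5 = "59f547e3e9df9261226f6b0aec30047a"       # MD5 given in the post (compared case-insensitively)
LOCKED_REGION = 0x8000                                  # bytes write-locked by fw 1.06, per the post


def trim_rom(rom: bytes, size: int = EXPECTED_SIZE) -> bytes:
    """The hex-editor trim step: cut the ROM to `size` bytes. Refuses to pad a ROM that is too short."""
    if len(rom) < size:
        raise ValueError(f"ROM is only {len(rom):#x} bytes; expected at least {size:#x}")
    return rom[:size]


def check_prepared_rom(rom: bytes) -> dict:
    """Report whether a (trimmed, re-encrypted) ROM matches the size and MD5 from the post."""
    digest = hashlib.md5(rom).hexdigest()
    return {
        "size_ok": len(rom) == EXPECTED_SIZE,
        "md5": digest.upper(),
        "md5_ok": digest == EXPECTED_MD5,
    }


def apply_ips(rom: bytes, patch: bytes) -> bytes:
    """Apply an IPS patch: 'PATCH' header, records of 3-byte offset + 2-byte size (+data,
    or size 0 followed by 2-byte run length + 1 fill byte), 'EOF' footer with an optional
    3-byte truncation length. Records past the end of the target grow it, as IPS allows."""
    if patch[:5] != b"PATCH":
        raise ValueError("not an IPS file (missing PATCH header)")
    out = bytearray(rom)
    pos = 5
    while True:
        # 'EOF' can also be a valid offset, so only treat it as the footer when nothing
        # but the optional truncation length follows it.
        if patch[pos:pos + 3] == b"EOF" and len(patch) - pos in (3, 6):
            break
        if pos + 5 > len(patch):
            raise ValueError("truncated IPS record")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = int.from_bytes(patch[pos + 3:pos + 5], "big")
        pos += 5
        if size:
            data = patch[pos:pos + size]
            pos += size
        else:  # RLE record
            run = int.from_bytes(patch[pos:pos + 2], "big")
            data = patch[pos + 2:pos + 3] * run
            pos += 3
        end = offset + len(data)
        if end > len(out):
            out.extend(b"\x00" * (end - len(out)))
        out[offset:end] = data
    if len(patch) - pos == 6:  # truncation extension: shrink output to the stated length
        out = out[:int.from_bytes(patch[pos + 3:pos + 6], "big")]
    return bytes(out)


def locked_region_diff(dump: bytes, good: bytes, length: int = LOCKED_REGION) -> list:
    """List (offset, dump_byte, good_byte) for every byte that differs in the first `length`
    bytes, i.e. the region the post says fw 1.06 locks and a WP#-lifted card can rewrite."""
    n = min(length, len(dump), len(good))
    return [(i, dump[i], good[i]) for i in range(n) if dump[i] != good[i]]


if __name__ == "__main__":
    # Constructed sample data (not a real ROM, patch or dump): an 8-byte target, a patch that
    # writes 0xAA 0xBB at offset 2 and an RLE run of three 0xFF bytes at offset 6.
    sample_rom = b"\x00" * 8
    sample_patch = (b"PATCH"
                    + b"\x00\x00\x02" + b"\x00\x02" + b"\xaa\xbb"
                    + b"\x00\x00\x06" + b"\x00\x00" + b"\x00\x03" + b"\xff"
                    + b"EOF")
    print(apply_ips(sample_rom, sample_patch).hex())
    print(check_prepared_rom(b"\x00" * EXPECTED_SIZE))       # right size, wrong MD5
    print(locked_region_diff(b"\x00\x01\x02", b"\x00\x09\x02"))
```

Run it against a real ROM by reading the file, passing it through `trim_rom`, checking `check_prepared_rom(...)["md5_ok"]` before applying the patch, and only then calling `apply_ips`; `locked_region_diff` on a dump taken before and after the WP# procedure shows whether the locked region actually changed.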