gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

DS development > WiFi Questions

#40810 - Mike - Fri Apr 22, 2005 9:06 pm

Trying to find a way to upload custom code to the DS through WiFi, I stumbled upon some puzzling things I lack information on. I'm hoping someone can fill me in.

1. How is the game icon which is sent to the DS during download play stored? (If it's stored as game data, we could send about 0.5 Kb of code instead of the icon and redirect execution to the icon's location in memory by modifying the header)

2. In the 'data' folder inside the WiFiMe directory, there are two files present called arm7.bin and arm9.bin. What are these files for?

3. Would it not be possible to replace game files in the MarioDS Download Play program with bogus files containing our code and have the game execute it when it loads the file, using a buffer overflow exploit?


Thank you for any light potentially shed on these stupid questions :p

#40818 - NEiM0D - Fri Apr 22, 2005 10:16 pm

1. Almost the entire RAM is cleared before booting the downloaded code.

2: These are the multiboot Mario DS arm9 and arm7 extracted binaries.

3: I haven't played with DS wifi data so I can't help you there.

#40820 - josath - Fri Apr 22, 2005 10:36 pm

3. I don't think so, the mariods download program has an encrypted signature which is not feasible to break.

#40821 - Mike - Fri Apr 22, 2005 10:49 pm

Quote:
I don't think so, the mariods download program has an encrypted signature which is not feasible to break.

I figured that only game code was encrypted, as the Metroid demo was recently dumped and someone wrote a file extractor and viewer for it. It even loaded models and maps.

#40823 - Mike - Fri Apr 22, 2005 11:07 pm

Heh? Of course the game data isn't encrypted, stupid me, how else would a program load data from the cart? By calling NDSDecryptBlock() for every 512 bytes of a file? :p

Come to think of it, it might be possible to extract the Metroid demo's arm7.bin and arm9.bin and upload it using WiFiMe. This might make it easier for us to try and find a buffer overflow exploit, as we'd have access to the numerous Metroid datafiles....

#40835 - tepples - Sat Apr 23, 2005 2:59 am

Mike wrote:
Heh? Of course the game data isn't encrypted, stupid me, how else would a program load data from the cart? By calling NDSDecryptBlock() for every 512 bytes of a file? :p

If that were the case, then it'd possibly be integrated with the official filesystem code.

Quote:
Come to think of it, it might be possible to extract the Metroid demo's arm7.bin and arm9.bin

But does Metroid First Hunt have a DS Download Play mode? I don't have a DS myself, but given that it comes with all North American and European units, Nintendo might have assumed that they don't need single-pak play because all system owners would have multi-paks.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#40843 - Sebbo - Sat Apr 23, 2005 4:02 am

hunters is multi-pak, i got my DS from japan so i've had to steal my gf's copy of hunters :-P

instead of breaking an encrypted signature, could we use it instead? or is this a no-go cos of copyright laws?

#40861 - tepples - Sat Apr 23, 2005 5:17 am

You can't just use someone else's signature, as the signature depends on the data being signed. Please read the Wikipedia article "Digital signature" to learn why.

#40862 - Sebbo - Sat Apr 23, 2005 5:27 am

my bad. for some reason i wasn't thinking about encryption sides of things

#40867 - tepples - Sat Apr 23, 2005 5:50 am

You were probably thinking of the logo verification used on Game Boy, GBC, GBA, and Pokemon Mini ROMs. Until the Nintendo DS, no Nintendo handheld has used an actual PK cryptographic signature. Did Ness have something to do with this?
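
As an added example (not code from this thread, and not from any Nintendo system), the following Python contrasts the two mechanisms tepples describes above: a fixed-value logo check, which any image satisfies simply by carrying the expected bytes, and a digital signature, whose value is tied to the hash of the data it covers, so a signature lifted from one image does not verify on another, and changing a single bit of the signed data breaks it. The logo bytes and the RSA key (a textbook toy built on two Mersenne primes) are constructed for illustration only.

```python
"""Fixed-value logo check versus a data-dependent digital signature.

Added example, not code from the thread or from any Nintendo system.
The "logo" bytes and the RSA key below are constructed for illustration;
the key is textbook RSA with toy parameters and must never be used for
real signing.
"""
import hashlib

# --- Part 1: a fixed-value check, in the spirit of the GB/GBA logo check ---
# Constructed placeholder: a console of this kind compares the header
# against a fixed bitmap, so the check says nothing about who built the image.
EXPECTED_LOGO = b"CONSTRUCTED-LOGO-BYTES"


def logo_check(header_logo: bytes) -> bool:
    """Passes for any image whose header carries the expected bytes."""
    return header_logo == EXPECTED_LOGO


# --- Part 2: a data-dependent signature (textbook RSA, toy parameters) ---
P = (1 << 61) - 1                    # Mersenne prime M61 (toy size)
Q = (1 << 89) - 1                    # Mersenne prime M89 (toy size)
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python >= 3.8)


def digest(data: bytes) -> int:
    """Hash the payload and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Signer side: requires the private exponent D."""
    return pow(digest(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Verifier side: needs only the public pair (N, E).

    The signature is bound to the hash of `data`, which is why a
    signature taken from one image cannot be reused on different bytes.
    """
    return pow(signature, E, N) == digest(data)


def demo() -> dict:
    """Run both checks over constructed images and report the outcomes."""
    official = b"official multiboot image (constructed)"
    homebrew = b"homebrew image (constructed)"
    sig = sign(official)
    # Same image with its last byte altered by one bit.
    tampered = official[:-1] + bytes([official[-1] ^ 1])
    return {
        "logo_copied_passes": logo_check(EXPECTED_LOGO),      # True
        "official_verifies": verify(official, sig),           # True
        "sig_reused_on_other_data": verify(homebrew, sig),    # False
        "one_bit_flipped": verify(tampered, sig),             # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first result is the whole story of the logo check: whoever copies the fixed bytes passes. The last two results are tepples' point: the verifier recomputes the hash of the bytes in front of it, so a signature only ever vouches for the exact data it was computed over.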

#40873 - PhoenixSoft - Sat Apr 23, 2005 7:18 am

Well, unless you count the iQue as a handheld :P

I have a feeling the iQue shares a lot of technology with the DS - it is approximately as powerful as the DS (it plays ported N64 titles too) and has encrypted game cards. I bet Nintendo used it as a test - what better way to test your encryption scheme than to send a system utilising it out into China?

#40875 - Sebbo - Sat Apr 23, 2005 7:37 am

yeah, somewhere along those lines. more like a signature for checks and forms and i was thinking you could "forge" these

#40937 - josath - Sat Apr 23, 2005 6:37 pm

i thought the iQue WAS a n64, just in a smaller form, and the games are stored on rewriteable memory which you download at the store, instead of game carts? I don't think it has any original games, only old n64 games.

#40939 - dagamer34 - Sat Apr 23, 2005 6:50 pm

josath wrote:
i thought the iQue WAS a n64, just in a smaller form, and the games are stored on rewriteable memory which you download at the store, instead of game carts? I don't think it has any original games, only old n64 games.


We were specifically talking about the copyright protection placed on the iQue's games to prevent piracy in the region in which it was released.
_________________
Little kids and Playstation 2's don't mix. :(