#41557 - DsPet - Fri Apr 29, 2005 5:17 pm
My Background:
I have disassembled and reverse engineered a lot of ARM code in the past -- most recently the ARM based Zipit with encrypted firmware uploads
However, I am a Nintendo "newbie". I bought my first Nintendo portable a few days ago, and finally enough hardware to run "FlashMe" only yesterday. After trying all the obvious things [running the GBA-variant Linux, building NDS demo programs, grabbing the ARM9 BIOS and disassembling it, grabbing the encrypted firmware, etc.] I'm looking for some new challenges.
I've checked all the public BBSs and there is a lot of progress being made. Congratulations to all involved. There are a few remaining questions below. I'm asking here because this BBS looks to be the most technical I've found.
NOTE: I'd be happy with an answer along the lines "we don't know" or in some cases "we know but we don't want to talk about it in public".
FWIW: Ultimately my goal is to provide an AIBO remote control using an unmodified NDS (AIBO uses WiFi, but it has lower level 802.11 radio access with some limitations)
====================
The Questions:
The ARM9 BIOS is very easy to grab and disassemble. The ARM7 BIOS is intentionally copy protected.
Question #1: Has someone figured out an easy way to grab the ARM7 BIOS ROM?
------
The main 256KB firmware is possible to grab. It is encrypted specific to the device. I see that the "FlashMe" utility will install pre-encrypted firmware (the fast boot and the revert to original) -- encrypted to a specific hardware key. This leads me to believe the firmware encryption and decryption has already been figured out. I haven't found any open source code that does this.
Question #2: Is there any public discussion or source code of how to decrypt (and ideally re-encrypt) the firmware for applying your own patches or disassembling things like the PictoChat program?
NOTE: All reverse engineering is done under DMCA-allowable "fair uses".
------
The "ndslib" is making good progress. I assume that people are reverse engineering it from existing firmware.
Question #3: What code / programs are people using to help their disassembly? (a game like the Metroid cart, the 256K built-in firmware, or something else?)
NOTE: my interest is mostly in the 802.11 WiFi-/NiFi functionality or areas others haven't already addressed [I don't want to reinvent the wheel]
------
Regarding PictoChat and the "NiFi" protocol
Question #4: Has anyone figured out the PictoChat protocol enough to emulate it on the PC or another WiFi-enabled device (like an AIBO)?
------
Regarding re-signing/re-encrypting for downloaded multi-boot games.
I see some discussion on brute-force cracking techniques; however, exact details of what needs to be "cracked" are not mentioned. I see Tim's WiFiMe uses existing encrypted/signed binaries.
Question #5: Has anyone figured out the decryption algorithm for this (not necessarily the keys), and what is missing?
NOTE: This is getting dangerously close to DMCA trouble (more so than the other topics).
------
Thanks in advance
--DsPet/AiboPet