#115985 - Dan2552 - Sat Jan 20, 2007 10:59 pm
I'd have no clue how to, but is it possible someone could make flashme run the GBA slot card if Select is held at power-on?
What I mean is, for it to basically do the opposite it does now:
- turn on the DS with no buttons held boots to normal looking firmware with pictochat, ds dl play, etc.
- turn on the DS with select held, boots the GBA slot homebrew code.
I ask this because I play commercial NDS games more than homebrew, so it would be better if it were the default option. I could always take the cart out, but I don't like having an empty cart slot and carrying supercard and the blank lite cart isn't worth it.
Last edited by Dan2552 on Mon Jan 22, 2007 5:22 pm; edited 1 time in total
#116028 - tepples - Sun Jan 21, 2007 5:50 am
That's how it works already if you don't put "PASS" or "DSBooter" in the SLOT-2 card's header.
- No buttons held: stock behavior.
- Hold A+B+X+Y: boot SLOT-2 in DS mode.
But if you do not control the SLOT-2 card's firmware, you can't make this change.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
#116095 - Dan2552 - Sun Jan 21, 2007 10:32 pm
Well I mainly wanted it for my supercard..
so, whats easier to modify, Flashme, or supercard firmware?
#116099 - HyperHacker - Sun Jan 21, 2007 11:22 pm
I thought Supercard was already like that. Did they fix it in a new version? Anyway I know SC has various firmware updates, so you might be able to just hack one in a hex editor, but I'd ask around a bit to ensure there's no checksums or anything first that will render the card useless if you do this. FlashMe is probably more difficult because the installer has several binaries (all the original firmwares plus the FlashMe binary, plus AFAIK the FlashMe Lite binary) so they're probably compressed in it, but if not, you might be able to look for all instances of "DSBooter"; "PASS" should be right near it, edit it to some garbage. ("DSBooter" can be used as a game title for the same purpose, but I don't know of anyone that uses it.)
Or you could install FWNITRO which always boots to its own menu, from where you can choose to boot the DS card, DS homebrew, or GBA cart. It's old though, so I don't know if it works on Lite, and it's quite minimalist so there's no fancy graphics (just a text menu) and no Pictochat or DS Download Play.
_________________
I'm a PSP hacker now, but I still <3 DS.
#116108 - dantheman - Mon Jan 22, 2007 12:40 am
After seeing this topic, I looked around in one of the SC firmwares with a hex editor and found no instances of "PASS" or "DSBooter" at all.
#116112 - Lynx - Mon Jan 22, 2007 1:42 am
They must have added it, as the original firmwares didn't have "PASS" or "DSBooter" in them, and you were forced to hold the buttons to force booting into DS mode. But, I just popped in my SuperCard CF (with latest firmware) in a FlashMe'd DS and it boots right up without holding anything.
I also looked at the .bin file and didn't see anything useful, so I'm guessing it's compressed?
Edit: Grammer :(
_________________
NDS Homebrew Roms & Reviews
#116120 - HyperHacker - Mon Jan 22, 2007 2:31 am
It probably is. If anyone knows a way to write to the SC firmware on-cart, the change would be trivial to make.
#116151 - Dan2552 - Mon Jan 22, 2007 5:10 pm
If anyone could work it out, it would only need to be a small .nds file which searches for it and replaces it with random stuff - so therefore it should be pretty much compatible with every supercard type/firmware version.
#116155 - Dan2552 - Mon Jan 22, 2007 5:47 pm
Flashme stealth has 'PASS' near the top, would changing this do anything?
(oops at the double post, I can't delete this one)
#116164 - josath - Mon Jan 22, 2007 6:55 pm
Dan2552 wrote: |
Flashme stealth has 'PASS' near the top, would changing this do anything?
|
No
#116165 - Lick - Mon Jan 22, 2007 7:17 pm
Maybe it would. A comparison needs two values, so if you can't change the one (SuperCard), you can change the other (FlashMe). But that is, if the value is the right value AT ALL. (I personally think it is.)
josath, why not?
[edit] to=two :/
_________________
http://licklick.wordpress.com
#116173 - Dan2552 - Mon Jan 22, 2007 10:11 pm
Lick wrote: |
Maybe it would. A comparison needs two values, so if you can't change the one (SuperCard), you can change the other (FlashMe). But that is, if the value is the right value AT ALL. (I personally think it is.)
josath, why not?
[edit] to=two :/ |
Well it's pretty near the top (see in a hex editor yourself), so it does have little chance of being the right value, although I have no idea about the flashme structure.
#116175 - GrizzlyAdams - Mon Jan 22, 2007 10:24 pm
No! the PASS you see at the top of the flashme.nds is part of the ndsloader!
Look further on in the file.
#116178 - Dan2552 - Mon Jan 22, 2007 10:33 pm
GrizzlyAdams wrote: |
No! the PASS you see at the top of the flashme.nds is part of the ndsloader!
Look further on in the file. |
unless someone can decompress it, I can't look further in.
How supportive are the supercard makers to requests like this? Maybe someone could just ask for a firmware option.
#116180 - felix123 - Tue Jan 23, 2007 12:07 am
You can take a look at cory1492's attempt. Be warned it is for an old firmware version though.
_________________
Nintendo DS homebrew on Wikipedia
#116190 - dantheman - Tue Jan 23, 2007 1:49 am
Hm, that's rather interesting, although I'm not sure I'm willing to risk bricking my Supercard to test it on a later firmware.
#116194 - Lynx - Tue Jan 23, 2007 2:13 am
I would believe the PASS you see (if it also has a "DSBooter" along with it) would be the correct one as well. As the Passthrough code (in the compressed area) is only used if the device in Slot-2 contains either of those.
Quote: |
FlashMe Start Process from Loopy:
a rough sketch of flashme execution, starting from the failsafe -
if a+b+start+select is pushed, jump to GBA cart
load the rest of firmware, jump into the loaded code
if select pushed, jump to original firmware
if A+B+X+Y pushed, goto flashme
if "PASS" or "DSBooter" identifiers are found, goto flashme
jump to original firmware
flashme:
load firmware settings area into ram
initialize various things (reset DMA, VRAM, touchpad, sound, etc)
jump to GBA cart
So... the difference is that a lot of things are left uninitialized with A+B+Start+Select. |
So, my understanding would be that the ifs happen prior to going into the compressed area which is referred to as "flashme" above.
Edit: Of course.. I'm not willing to brick a DS to test it though.. :)
#116258 - Dan2552 - Tue Jan 23, 2007 8:52 pm
OK, I have two supercard rumbles to try this on (a mini and a micro); they both use the same official firmware patches.
Now, can I get a guaranteed answer on whether I can restore a supercard by using another supercard to restore it? (if anything does go wrong, that is)
edit------------
Quote: |
If it frags up your device so it will not boot, you must use a wifime capable wireless card
with wireless multiboot firmware and software, to run the flashmp.nds file found here:
|
so if my supercard screws up, can I use this method to fix it with my GBAMP2?
edit again----
stupid supercard resets the DS when it's (re)inserted.
Anyone 'wifime capable' which can test?
----hopefully final edit--------
With my supercard rumble MiniSD I get the error
Quote: |
Supercard not found |
so back to square 1, unless someone will recompile the source, after adding mini/micro SD support- somehow?
----more damn edit----
works fine with supercard CF
#116266 - Dan2552 - Tue Jan 23, 2007 10:17 pm
OK, I give up on editing the post.
When run, the application gives a number, which is different when I put a supercard CF in than when I put a rumble in:
22B900C2 when running in SC:CF
87C61C1C when running off a SC rumble (both mini and micro SD)
this line in the code has the same number as the CF output
Code: |
#define FLASHID_MX_512KB 0x22B900C2 // MX29LV400B 4 Mib 512 KB |
No idea if I'm helping...
edit---
just for the sake of trying it out, I'm gonna see if I can even compile it at all, I'm downloading devkitpro now...
#116274 - dantheman - Tue Jan 23, 2007 11:52 pm
Thank you for testing it. So the SD versions did not get bricked then? They just weren't recognized by the program?
#116275 - Dan2552 - Tue Jan 23, 2007 11:55 pm
dantheman wrote: |
Thank you for testing it. So the SD versions did not get bricked then? They just weren't recognized by the program? |
plain SD should *I think* work the same as plain CF, should work fine.
Mini SD/Micro SD (at least supercard rumble versions) were undetected and wouldn't allow you to rewrite the header
well the source has ConsolePrintf, I did a find and replace with iprintf, but I'm not sure how either function is meant to be laid out. All I got was black screens when trying to recompile
Last edited by Dan2552 on Tue Jan 23, 2007 11:58 pm; edited 1 time in total
#116276 - dantheman - Tue Jan 23, 2007 11:57 pm
As far as I know, SD works most similarly to miniSD, while the microSD is off on its own category. If it didn't work on miniSD, it most likely won't work on SD as well.
Then again, I have a miniSD myself. My question was more or less differentiating between SD (all variations) and CF, not necessarily the various SD types. It's still good to be specific though, so thank you for the thorough answer.
#116277 - Dan2552 - Wed Jan 24, 2007 12:02 am
dantheman wrote: |
As far as I know, SD works most similarly to miniSD, while the microSD is off on its own category. If it didn't work on miniSD, it most likely won't work on SD as well.
Then again, I have a miniSD myself. My question was more or less differentiating between SD (all variations) and CF, not necessarily the various SD types. It's still good to be specific though, so thank you for the thorough answer. |
well this is about supercard firmware rather than the actual i/o type of the memory card - and the original program worked with original-sized-SD, so it probably still works with original-sized-SD with the firmware updates on (like CF did).
I'm not sure at all to be honest, but thinking about it, I would've just thought that we just had to get it to detect the mini/micro SD supercards and write to the right location (if it's any different from the others)
can you try running the program on your supercard and seeing whether it detects it or not? (it won't write anything unless you press L+R+up)
#116281 - dantheman - Wed Jan 24, 2007 1:45 am
I have a Supercard miniSD (not Rumble) and it doesn't detect it either. I see:
Quote: |
To patch, hold LR and press:
Up : Supercard
Not found! (22B9001) |
#116306 - Juglak - Wed Jan 24, 2007 8:32 am
The button pressing stuff is done by FlashMe.
It has a bootloader which takes the place of the original firmware boot code loaded by the BIOS. The bootloader eventually loads the original modified firmware anyway, after doing a few checks.
Let me find my IDA of my dump of this....
Code: |
ROM:0380F800 ; Segment type: Pure code
ROM:0380F800 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:0380F800 ; ORG 0x380F800
ROM:0380F800 CODE32
ROM:0380F800
ROM:0380F800 ARM7StubEntry
ROM:0380F800 ADR R0, (StartStub+1)
ROM:0380F804 BX R0
ROM:0380F808 ; ---------------------------------------------------------------------------
ROM:0380F808 CODE16
ROM:0380F808
ROM:0380F808 StartStub ; DATA XREF: ROM:0380F800^o
ROM:0380F808 MOV R11, R12
ROM:0380F80A MOV R1, #0
ROM:0380F80C MOV R2, #1
ROM:0380F80E BL WritePM
ROM:0380F812 MOV R1, #0xD
ROM:0380F814 MOV R2, #0
ROM:0380F816 BL WritePM
ROM:0380F81A ADR R7, dword_380F83C
ROM:0380F81C LDMIA R7!, {R0-R2,R4-R6}
ROM:0380F81E LDRH R1, [R1]
ROM:0380F820 LSL R1, R1, #0x1C
ROM:0380F822 BEQ loc_380F82A
ROM:0380F824 LDR R1, [R6]
ROM:0380F826 CMP R1, R2
ROM:0380F828 BNE loc_380F868
ROM:0380F82A
ROM:0380F82A loc_380F82A ; CODE XREF: ROM:0380F822^j
ROM:0380F82A LDMIA R7!, {R0-R4}
ROM:0380F82C STMIA R3!, {R0-R2}
ROM:0380F82E STR R0, [R4,#8]
ROM:0380F830 ADD R6, #0x14
ROM:0380F832 B loc_380F88A
ROM:0380F834
ROM:0380F834 ; --------------- S U B R O U T I N E ---------------------------------------
ROM:0380F834
ROM:0380F834
ROM:0380F834 WritePM ; CODE XREF: ROM:0380F80E^p
ROM:0380F834 ; ROM:0380F816^p
ROM:0380F834 LDR R3, =0x2369 ; ARM7 BIOS SPIWrite
ROM:0380F836 MOV R0, #0
ROM:0380F838 BX R3
ROM:0380F838 ; End of function WritePM
ROM:0380F838
ROM:0380F838 ; ---------------------------------------------------------------------------
ROM:0380F83A DCW 0
ROM:0380F83C dword_380F83C DCD 0x3F680 ; DATA XREF: ROM:0380F81A^o
ROM:0380F840 DCD 0x4000130
ROM:0380F844 aBoot7 DCB "BOOT7",0x24,0
ROM:0380F84B DCB 0 ;
ROM:0380F84C DCD 0x2A2B
ROM:0380F850 DCD 0x80000AC
ROM:0380F854 dword_380F854 DCD 0x23FFE28 ; DATA XREF: ROM:0380F858r
ROM:0380F858 ; ---------------------------------------------------------------------------
ROM:0380F858 CODE32
ROM:0380F858 LDR R0, =0x23FFE28
ROM:0380F85C BX R0
ROM:0380F85C ; ---------------------------------------------------------------------------
ROM:0380F860 DCD 0x23FFE24
ROM:0380F864 DCD 0x21F0000
ROM:0380F868 ; ---------------------------------------------------------------------------
ROM:0380F868 CODE16
ROM:0380F868
ROM:0380F868 loc_380F868 ; CODE XREF: ROM:0380F828^j
ROM:0380F868 MOV R1, R11
ROM:0380F86A MOV R2, #0x70
ROM:0380F86C BL EndStub_
ROM:0380F870 MOV R7, R11
ROM:0380F872 LDRH R4, [R7,#0x14]
ROM:0380F874 LDR R1, =0x2800000
ROM:0380F876 BL sub_380F896
ROM:0380F87A LDR R1, =0x3810000
ROM:0380F87C LSR R4, R4, #6
ROM:0380F87E ADD R7, #4
ROM:0380F880 BL sub_380F896
ROM:0380F884 POP {R6,R7}
ROM:0380F886 LDR R4, =0x21F0000 ; Tells ARM9 where to jump from ram loop... ?
ROM:0380F888 STR R7, [R4,#8]
ROM:0380F88A
ROM:0380F88A loc_380F88A ; CODE XREF: ROM:0380F832^j
ROM:0380F88A MOV LR, R6
ROM:0380F88C MOV R0, SP
ROM:0380F88E MOV R1, R11
ROM:0380F890 MOV R2, #0xFF
ROM:0380F892 LDR R4, =0x30E4
ROM:0380F894
ROM:0380F894 ; --------------- S U B R O U T I N E ---------------------------------------
ROM:0380F894
ROM:0380F894
ROM:0380F894 EndStub_ ; CODE XREF: ROM:0380F86C^p
ROM:0380F894 BX R4
ROM:0380F894 ; End of function EndStub_
ROM:0380F894
ROM:0380F896
ROM:0380F896 ; --------------- S U B R O U T I N E ---------------------------------------
ROM:0380F896
ROM:0380F896
ROM:0380F896 sub_380F896 ; CODE XREF: ROM:0380F876^p
ROM:0380F896 ; ROM:0380F880^p
ROM:0380F896 LDRH R0, [R7,#0xC]
ROM:0380F898 LDRH R2, [R7,#0xE]
ROM:0380F89A LSL R3, R4, #0x1D
ROM:0380F89C LSR R3, R3, #0x1D
ROM:0380F89E LSL R0, R3
ROM:0380F8A0 LSL R0, R0, #2
ROM:0380F8A2 LSL R3, R4, #0x1A
ROM:0380F8A4 LSR R3, R3, #0x1D
ROM:0380F8A6 LSL R2, R3
ROM:0380F8A8 LSL R2, R2, #2
ROM:0380F8AA SUB R1, R1, R2
ROM:0380F8AC ADR R3, off_380F8E0
ROM:0380F8AE PUSH {R1}
ROM:0380F8B0 BX R5
ROM:0380F8B0 ; End of function sub_380F896
ROM:0380F8B0
ROM:0380F8B2 ; ---------------------------------------------------------------------------
ROM:0380F8B2
ROM:0380F8B2 loc_380F8B2 ; DATA XREF: ROM:0380F8E0o
ROM:0380F8B2 PUSH {R0,LR}
ROM:0380F8B4 MOV R2, #0
ROM:0380F8B6 LDR R3, =0x2389
ROM:0380F8B8 BL BX_R3
ROM:0380F8BC MOV R0, SP
ROM:0380F8BE MOV R1, #4
ROM:0380F8C0 MOV R2, #1
ROM:0380F8C2 LDR R3, =0x33A5
ROM:0380F8C4 BL BX_R3
ROM:0380F8C8 LDR R1, =0x40001C2
ROM:0380F8CA STRH R0, [R1]
ROM:0380F8CC POP {R0,R3}
ROM:0380F8CE
ROM:0380F8CE ; --------------- S U B R O U T I N E ---------------------------------------
ROM:0380F8CE
ROM:0380F8CE
ROM:0380F8CE BX_R3 ; CODE XREF: ROM:0380F8B8^p
ROM:0380F8CE ; ROM:0380F8C4^p
ROM:0380F8CE BX R3
ROM:0380F8CE ; End of function BX_R3
ROM:0380F8CE
ROM:0380F8D0 ; ---------------------------------------------------------------------------
ROM:0380F8D0 LDR R1, =0x40001C0
ROM:0380F8D2
ROM:0380F8D2 loc_380F8D2 ; CODE XREF: ROM:0380F8D6^j
ROM:0380F8D2 LDRH R0, [R1]
ROM:0380F8D4 LSR R0, R0, #8
ROM:0380F8D6 BCS loc_380F8D2
ROM:0380F8D8 LDRB R0, [R1,#2]
ROM:0380F8DA STRH R0, [R1,#2]
ROM:0380F8DC BX LR
ROM:0380F8DC ; ---------------------------------------------------------------------------
ROM:0380F8DE DCB 0 ;
ROM:0380F8DF DCB 0 ;
ROM:0380F8E0 off_380F8E0 DCD loc_380F8B2+1 ; DATA XREF: sub_380F896+16^o
ROM:0380F8E4 DCD 0x22C7
ROM:0380F8E8 DCD 0x380F8D1
ROM:0380F8EC dword_380F8EC DCD 0x2369 ; DATA XREF: WritePM^r
ROM:0380F8F0 dword_380F8F0 DCD 0x2800000 ; DATA XREF: ROM:0380F874^r
ROM:0380F8F4 dword_380F8F4 DCD 0x3810000 ; DATA XREF: ROM:0380F87A^r
ROM:0380F8F8 dword_380F8F8 DCD 0x21F0000 ; DATA XREF: ROM:0380F886^r
ROM:0380F8FC dword_380F8FC DCD 0x30E4 ; DATA XREF: ROM:0380F892^r
ROM:0380F900 dword_380F900 DCD 0x2389 ; DATA XREF: ROM:0380F8B6^r
ROM:0380F904 dword_380F904 DCD 0x33A5 ; DATA XREF: ROM:0380F8C2^r
ROM:0380F908 dword_380F908 DCD 0x40001C2 ; DATA XREF: ROM:0380F8C8^r
ROM:0380F90C dword_380F90C DCD 0x40001C0 ; DATA XREF: ROM:0380F8D0^r
ROM:0380F90C ; ROM ends
ROM:0380F90C
ROM:0380F90C END
|
So, that's a bunch of stuff... that's the binary loaded on the ARM7 by FlashMe on my DS Lite.
Around 0x0380F824 there seems to be a compare of 0x080000AC with the word "BOOT"... but I don't see any reference to PASS or DSBooter in the bootstrap.
Now, I have my dump of my supercard's initial GBA slot state, and at 0x080000AC, it has "PASS".
So, the modified firmware which is loaded by FlashMe's bootloader must have this check somewhere in there. And I haven't gotten around to disassembling that yet.
But first glances, after decrypting/decompressing it... I see no plaintext PASS anywhere in it either.
I had considered modifying my Supercard firmware to not say PASS, but I haven't really gotten around to it and it's not a huge deal I suppose...
I'd really like to completely gut the supercard firmware and make it custom, but, probably not worth it.
Although, I did rip out the SD card initialization routine from the SC firmware, which makes it so that my custom DS firmware is able to initialize the supercard and access the SD card through gba_nds_fat without ever entering the supercard menu, which is useful I suppose. If anyone is interested in that code, I could post it. It's messy, but it works.
Hope this is of some use...
A sleepy Juglak signing off...
-J
_________________
My goodies: 1xDS Lite - Supercard Lite, DSi, Supercard DSONEi
#116308 - Juglak - Wed Jan 24, 2007 8:37 am
Holy posts batman.
Terribly sorry. Browser went on the fritz when I was posting that!
If a mod could remove the dupes, that'd be appreciated. I couldn't edit them away, kept getting SQL errors.
Thanks.
-J
#116361 - Dan2552 - Wed Jan 24, 2007 7:45 pm
I won't even try to understand that dump, but we already know that it's controlled by FlashMe, and can be prevented either by editing FlashMe or the actual cart firmware.
I have tested on my supercard CF and it does not boot automatically anymore, now all we need to find out is how to get it working with the other carts.
As far as I understand, possible solutions could be:
-Editing supercard firmware
-Editing Flashme, somehow. (Is there like, a source? How did the flashme guys make it in the first place? Surely somebody here can mod it?)
-Making a homebrew firmware which holds original pictochat and ds download play clients with them (or maybe its possible to dump these to .nds files themselves???? - this option would be pretty cool, not sure if its actually do-able though..)
22B900C2 when running off a SC Compact Flash
just guessing -22B900C2 when running off a SC SD
22B9001 when running off a SC Mini SD (can you recheck that, it seems to have less digits than the others?)
87C61C1C when running off a SC Micro SD rumble
87C61C1C when running off a SC Mini SD rumble
#116367 - MaHe - Wed Jan 24, 2007 10:04 pm
Any chance of seeing this on M3 (Lite)? =)
_________________
[ Crimson and Black Nintendo DS Lite | CycloDS Evolution | EZ-Flash 3-in-1 | 1 GB Transcend microSD ]
#116373 - Dan2552 - Wed Jan 24, 2007 10:36 pm
MaHe wrote: |
Any chance of seeing this on M3 (Lite)? =) |
If someone could make a FlashMe mod, it would be compatible with all slot-2 homebrew devices :)
#116374 - dantheman - Wed Jan 24, 2007 10:56 pm
My apologies, it's 22B90001. I must have missed the zero at the end.
And also, you said it doesn't boot automatically anymore. Does it still reboot when you eject the Supercard and re-insert it? And did it do this on your SC CF before you applied the change?
#116443 - Dan2552 - Thu Jan 25, 2007 8:54 pm
dantheman wrote: |
My apologies, it's 22B90001. I must have missed the zero at the end.
|
:)
Quote: |
And also, you said it doesn't boot automatically anymore.
|
SC CF after patching doesn't boot automatically anymore without holding A+B+X+Y.
Quote: |
Does it still reboot when you eject the Supercard and re-insert it? |
yes :(
Quote: |
And did it do this on your SC CF before you applied the change? |
it did reboot when reinserted before applying anything
#116520 - Juglak - Fri Jan 26, 2007 3:31 pm
Looking further into disassembling FlashMe... the check for PASS is done WAY WAY later than I thought. (Using no$gba and a firmware dump of my FlashMe DS as firmware in the emu)...
Honestly, at this point, not 100% sure how to edit it, since the code is compressed/loaded/encrypted/etc, and I haven't completely figured out where the flashme stub is loading it...
More as I get deeper into this...
-J
#116524 - Lick - Fri Jan 26, 2007 3:55 pm
I think it's like this:
1) Decrypt and decompress FlashMe.
2) Find ARM7 boot code and hexmodify.
3) Compress and encrypt FlashMe.
The compression and encryption might be the other way around, I don't have time to look at it. [Thanks Chishm for correction]
I do have Loopy's firmware unpacking code, if anyone is interested.
Last edited by Lick on Fri Jan 26, 2007 4:10 pm; edited 2 times in total
#116526 - chishm - Fri Jan 26, 2007 4:05 pm
Juglak:
I have just finished writing a firmware unpacker, and I have found that the PASS check is done in the first 0x200 bytes of the proper ARM7 boot binary.
It goes something like:
BIOS->Flashme failsafe (if A+B+Start+Select is held, jump to cart) ->Modified start of boot binary -> check for PASS, if found, jump to cart -> normal boot binary
Lick:
I'd check with Loopy before redistributing that. It uses FireFly's code and I'm not sure FireFly wants it publicly available. Also, compression always comes before encryption. Good encryption should result in something that is practically indistinguishable from random data. Since random data doesn't compress well, you may as well not compress it at that stage.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com
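The boot chain chishm gives above, together with Loopy's sketch that Lynx quoted earlier, as a small C model. This is an added example, not FlashMe's code: the cart header offsets (title at 0x080000A0, game code at 0x080000AC) and the active-low KEYINPUT/KEYXY bit positions are the documented GBA/DS ones, while the function names, the `passcode` parameter and the constructed sample headers are this example's own assumptions.

```c
/* Added example: a C model of the FlashMe boot decision this thread
 * describes. Not FlashMe's own code. Header offsets and key-register
 * bits are the documented GBA/DS ones; the function names, the
 * passcode parameter and the sample headers are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GBA_HDR_SIZE         0xC0
#define GBA_HDR_TITLE_OFF    0xA0  /* 12-byte game title, 0x080000A0 */
#define GBA_HDR_GAMECODE_OFF 0xAC  /* 4-byte game code,   0x080000AC */

/* KEYINPUT (0x4000130) is active low: a cleared bit means "pressed". */
#define KEY_A      (1u << 0)
#define KEY_B      (1u << 1)
#define KEY_SELECT (1u << 2)
#define KEY_START  (1u << 3)
/* KEYXY (0x4000136, ARM7 side only), also active low. */
#define KEY_X      (1u << 0)
#define KEY_Y      (1u << 1)
#define KEYS_NONE  0xFFFFu         /* nothing pressed */

enum boot_target {
    BOOT_ORIGINAL_FIRMWARE,  /* stock menu: Pictochat, Download Play, ... */
    BOOT_CART_RAW,           /* failsafe stub: jump to cart, nothing set up */
    BOOT_CART_INITIALISED    /* "flashme:" path: init hardware, then cart */
};

static bool all_held(uint16_t reg, uint16_t mask)
{
    return (reg & mask) == 0;
}

/* hdr: the first 0xC0 bytes of the SLOT-2 cart as mapped at 0x08000000.
 * passcode: the 4-byte game code the boot binary compares against,
 * "PASS" in stock FlashMe and something else once patched. */
enum boot_target flashme_decide(const uint8_t *hdr, uint16_t keyinput,
                                uint16_t keyxy, const char *passcode)
{
    /* Stage 1: failsafe stub in the write-protected low 64 KiB
     * (Loopy: game code "BOOT" or A+B+SELECT+START held). */
    if (memcmp(hdr + GBA_HDR_GAMECODE_OFF, "BOOT", 4) == 0 ||
        all_held(keyinput, KEY_A | KEY_B | KEY_SELECT | KEY_START))
        return BOOT_CART_RAW;

    /* Stage 2: the modified start of the unpacked ARM7 boot binary. */
    if (all_held(keyinput, KEY_SELECT))
        return BOOT_ORIGINAL_FIRMWARE;
    if (all_held(keyinput, KEY_A | KEY_B) && all_held(keyxy, KEY_X | KEY_Y))
        return BOOT_CART_INITIALISED;
    if (memcmp(hdr + GBA_HDR_GAMECODE_OFF, passcode, 4) == 0 ||
        memcmp(hdr + GBA_HDR_TITLE_OFF, "DSBooter", 8) == 0)
        return BOOT_CART_INITIALISED;

    return BOOT_ORIGINAL_FIRMWARE;
}

/* Fill a constructed cart header with the given title and game code. */
void make_gba_header(uint8_t *hdr, const char *title, const char *gamecode)
{
    size_t tlen = strlen(title);
    memset(hdr, 0, GBA_HDR_SIZE);
    memcpy(hdr + GBA_HDR_TITLE_OFF, title, tlen > 12 ? 12 : tlen);
    memcpy(hdr + GBA_HDR_GAMECODE_OFF, gamecode, 4);
}

/* Decide for a constructed header in one call. */
enum boot_target decide_for(const char *title, const char *gamecode,
                            uint16_t keyinput, uint16_t keyxy,
                            const char *passcode)
{
    uint8_t hdr[GBA_HDR_SIZE];
    make_gba_header(hdr, title, gamecode);
    return flashme_decide(hdr, keyinput, keyxy, passcode);
}

int main(void)
{
    static const char *names[] = { "original firmware", "cart (raw)", "cart (initialised)" };
    uint16_t ab_in = (uint16_t)(KEYS_NONE & ~(KEY_A | KEY_B));
    uint16_t xy_in = (uint16_t)(KEYS_NONE & ~(KEY_X | KEY_Y));

    printf("PASS cart, no keys, stock FlashMe : %s\n",
           names[decide_for("SUPERCARD", "PASS", KEYS_NONE, KEYS_NONE, "PASS")]);
    printf("PASS cart, no keys, PASS->DONT    : %s\n",
           names[decide_for("SUPERCARD", "PASS", KEYS_NONE, KEYS_NONE, "DONT")]);
    printf("PASS cart, A+B+X+Y, PASS->DONT    : %s\n",
           names[decide_for("SUPERCARD", "PASS", ab_in, xy_in, "DONT")]);
    return 0;
}
```

With the game code "PASS" and no buttons held the decision lands on the initialised-cart path; the same header with `passcode` set to "DONT" falls through to the original firmware, which is the whole effect of the string patch discussed in this thread, while A+B+X+Y still forces the cart. Two things the model makes visible: the "DSBooter" title compare is a separate test that a PASS-only patch leaves active, and the failsafe stub's "BOOT" game code test in the protected 64 KiB is not touched by any of this.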
#116529 - Lick - Fri Jan 26, 2007 4:17 pm
chishm: I stand corrected. I would really like to see your unpacking code, just out of curiosity. And yes, I think the procedure goes like that. I have seen the FlashMe ARM7 bootcode (arm asm) somewhere but I don't really remember where.
Anyway, Loopy/olimar confirms here. [Edit] And here.
#116532 - Dan2552 - Fri Jan 26, 2007 4:26 pm
So in the (maybe near) future we'll be able to edit flashme?
...
What would be a mighty cool addition to the collection of flashme versions is a birthday boot noise version :)
#116570 - dantheman - Fri Jan 26, 2007 11:48 pm
A guy Here claims it works on firmware version 1.70, although he did not state which product he was using.
#116746 - Dan2552 - Mon Jan 29, 2007 1:58 am
Hopefully chishm makes a firmware repacker...
Then we're basically good to go.
#116934 - chishm - Wed Jan 31, 2007 3:36 am
It's far easier to modify the Supercard firmware than it is to modify FlashMe. I'll have something for SC Lite users soon...
#117298 - Lick - Sat Feb 03, 2007 3:09 pm
Modifying FlashMe will work for all devices in one shot!
#117299 - Lick - Sat Feb 03, 2007 3:18 pm
WOW
I think the automatic-Slot2-device-PASS-passme can be removed WITHOUT unpacking/repacking.
I just looked at a firmware dump and it seems that the bootstrap at 0x2A16E, checks for DSBooter and PASS. I think you can simply change that PASS to something else like LICK and it will only boot Slot2 devices with LICK as gamecode.
Because..
Loopy explains that this bootstrap is run before parts1-5, so no encryption, no compression.
Quote: |
The firmware is modified to run a small boot stub left in the write protected area (low 64k) in case the rest of the firmware gets trashed. It will:
- Jump to GBA cart (0x80000C0) with ARM9 in standard passme loop if GBA gamecode (0x80000AC)="BOOT" or A+B+SELECT+START are held.
- Unpack and run part1+2. |
Instructions
1) Open FlashMe.nds in a HEX Editor
2) Go to 0x2B55B, you'll see "DSBoot.erPASS" // or search for "DSBoot"
3) Modify "PASS"
Warning: I haven't tested this.
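Lick's hex-editor instructions above, as an added C example (not Lick's patcher and not FlashMe's code) that scans a firmware image for the compare string and rewrites the game code in place. The assumptions are this example's own: the 8-byte window after "DSBoot" in which "PASS" is expected (the thread shows the string as "DSBoot.erPASS", so the two parts are not necessarily contiguous), the function names, and the constructed 4 KiB sample image. Two points from this thread shape the matcher: the lone "PASS" near the top of flashme.nds belongs to the ndsloader stub and must be left alone, which is why a match requires a preceding "DSBoot", and editing the second copy inside the installer .nds makes it report "NDS file is corrupt", so patching the installer file trips its integrity check and the working approach was to write the already-installed firmware on the DS itself.

```c
/* Added example: find and rewrite the "PASS" game code that FlashMe's
 * boot binary compares against, following the hex-editor recipe in
 * this thread. Not Lick's patcher nor FlashMe's code; the window size,
 * function names and sample image are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DSBOOT_WINDOW 8  /* assumption: "PASS" sits within 8 bytes after "DSBoot" */

/* Scan img for every "DSBoot" tag followed closely by "PASS", overwrite
 * that "PASS" with newcode (exactly 4 bytes) and record each patched
 * offset. Returns the number of sites patched. A lone "PASS" with no
 * "DSBoot" shortly before it (the ndsloader stub) is left untouched. */
size_t patch_pass_code(uint8_t *img, size_t len, const char *newcode,
                       size_t *offsets, size_t max_offsets)
{
    static const char tag[] = "DSBoot";
    const size_t taglen = sizeof tag - 1;
    size_t found = 0;

    for (size_t i = 0; i + taglen <= len; i++) {
        if (memcmp(img + i, tag, taglen) != 0)
            continue;
        size_t start = i + taglen;
        size_t end = start + DSBOOT_WINDOW;
        for (size_t j = start; j + 4 <= len && j < end; j++) {
            if (memcmp(img + j, "PASS", 4) != 0)
                continue;
            memcpy(img + j, newcode, 4);   /* in-place rewrite, same length */
            if (found < max_offsets)
                offsets[found] = j;
            found++;
            break;
        }
    }
    return found;
}

/* Constructed 4 KiB stand-in for a firmware image: an ndsloader-style
 * lone "PASS" near the top, plus two compare sites like the ones the
 * thread reports (one contiguous, one with a stray byte in "DSBoot.er"). */
uint8_t *build_sample_image(size_t *len)
{
    *len = 0x1000;
    uint8_t *img = calloc(*len, 1);
    if (!img)
        return NULL;
    memcpy(img + 0x010, "PASS", 4);                   /* must survive */
    memcpy(img + 0x100, "DSBooterPASS", 12);          /* site 1: PASS at 0x108 */
    memcpy(img + 0x800, "DSBoot\0" "erPASS", 13);     /* site 2: PASS at 0x809 */
    return img;
}

int main(void)
{
    size_t len, offs[8];
    uint8_t *img = build_sample_image(&len);
    if (!img)
        return 1;
    size_t n = patch_pass_code(img, len, "DONT", offs, 8);
    printf("patched %zu site(s)\n", n);
    for (size_t k = 0; k < n; k++)
        printf("  offset 0x%zX now \"%.4s\"\n", offs[k], (const char *)img + offs[k]);
    printf("lone PASS at 0x10 still reads \"%.4s\"\n", (const char *)img + 0x10);
    free(img);
    return 0;
}
```

Run against a real dump, this reports every site it changed, so a count other than the expected one is the signal to stop and look at the image by hand rather than write it back. It rewrites only the game code; the "DSBooter" title compare stays active unless that string is changed as well.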
#117327 - MaHe - Sat Feb 03, 2007 10:10 pm
Hummm, anyone dares to try? ;D
#117334 - HyperHacker - Sat Feb 03, 2007 11:00 pm
Lick wrote: |
I think you can simply change that PASS to something else like LICK and it will only boot Slot2 devices with LICK as gamecode. |
I was thinking FAIL myself. :-p
BTW, is this check done on ARM7 or ARM9? And is the cache cleared first? I was hoping to add to my Advanced Boot Menu an option that would load the firmware into memory and run it; obviously for FlashMe you'll have to hold Select for this to be of much use, but I was hoping I could fool it via the cache so it reads some other value. (I guess I could just patch it in RAM too...)
#117384 - chuckstudios - Sun Feb 04, 2007 3:31 pm
I tried it, and it runs - but it still boots from Slot-2. However, there is ANOTHER location of DSBoot.erPASS... I will report back soon.
EDIT
Changing the other location makes it report:
NDS file is corrupt.
2045034 1eb53077 1fc4ffff 5a00
#117419 - Lick - Sun Feb 04, 2007 8:27 pm
I'm going to write a patcher!
#117431 - chuckstudios - Sun Feb 04, 2007 9:12 pm
Lick wrote: |
I'm going to write a patcher! |
Please do. I like having my Slot1 card (M3 Simply) be a sort of "control center" where it can access my other Slot2 devices (M3SD, GBAMP, MMD) and use files from them - regular FlashMe makes this difficult.
#117438 - Lick - Sun Feb 04, 2007 9:45 pm
0x2A177 is outside of the protected 64KiB, but somehow I can't write to it. If I find out why and solve this, I can make a patcher that doesn't require you to short SL1.
#117450 - Lick - Sun Feb 04, 2007 10:37 pm
http://lickr.org/files/nds/flashme/unpassme_flashme.nds
http://lickr.org/files/nds/flashme/unpassme_flashme.ds.gba
It works! I successfully patched FlashMe, now it boots to the original firmware even when a homebrew slot-2 device is inserted. Try without shorting SL1 first, if it says "Failed" then short.
1) Download and run unpassme_flashme. Read on-screen text.
2) Open battery-case, short SL1. (Beware of the evil-screw!!!)
3) Press START.
4) The write-procedure will only run ONCE, so make sure that the MOMENT you press START, SL1 is connected.
After patching, you can still hold ABXY to boot to Slot-2.
I'm going to work on a unpatcher now..
Last edited by Lick on Sun Feb 04, 2007 10:51 pm; edited 1 time in total
#117453 - Lick - Sun Feb 04, 2007 10:48 pm
#117486 - HyperHacker - Mon Feb 05, 2007 2:26 am
Newer DSes, and AFAIK all DS Lites, protect everything but the user settings area. You will have to short SL1 for any updates on them.
#117492 - chuckstudios - Mon Feb 05, 2007 3:08 am
Alright, I gave it a run. It seemed to work - but it still boots to Slot2. When I run it again it says DONT instead of PASS. So I assume it patched... Have you changed the DSBooter string?
#117543 - Lick - Mon Feb 05, 2007 2:40 pm
I have only changed the PASS string. Are there any devices that have DSBooter as gametitle? (Yours?)
#117626 - chuckstudios - Tue Feb 06, 2007 1:50 am
Lick wrote: |
I have only changed the PASS string. Are there any devices that have DSBooter as gametitle? (Yours?) |
M3 SD Phat?
#117665 - Lick - Tue Feb 06, 2007 2:06 pm
http://lickr.org/files/nds/flashme/DSHooterDONT.nds (disables Passing)
http://lickr.org/files/nds/flashme/DSBooterPASS.nds (enables Passing)
There you go. Added retries (press START to try again and again and again) and DSBoote.r replacement.
Tested, works fine!
#117689 - Dan2552 - Tue Feb 06, 2007 5:57 pm
don't think it works with stealthme
#117690 - Lick - Tue Feb 06, 2007 6:03 pm
Dan2552 wrote: |
don't think it works with stealthme |
If you could make a firmware dump, I could find the offsets for StealthMe. Simply run supersmall.nds and press START. See if your root directory contains a firmware dump [256KB].
Oh, by the way, I tested on FlashMe_NoWarning.nds.
#117691 - Dan2552 - Tue Feb 06, 2007 6:19 pm
#117756 - chuckstudios - Wed Feb 07, 2007 3:50 am
$%#*. Apparently, when I flashed a small piece of foil was left inside - causing my DS to short out randomly today. Well, time to use that warranty I got... :D
#117901 - Dan2552 - Thu Feb 08, 2007 3:28 pm
chuckstudios wrote: |
$%#*. Apparently, when I flashed a small piece of foil was left inside - causing my DS to short out randomly today. Well, time to use that warranty I got... :D |
that's a lesson learnt, never use foil.
Use a paperclip with the two ends taped together ;)
#117961 - Firon - Thu Feb 08, 2007 10:54 pm
I've used foil a lot of times, no problems yet. ;D
#118051 - Lynx - Fri Feb 09, 2007 1:29 pm
If it is foil related, I guess someone needs to write a tutorial on how to roll up a piece of foil so that pieces don't fall off? Or, is this just a guess as to what happened? Unless you tear the foil or something, or have pieces hanging off to get caught when you remove it, I can't imagine how the foil would matter. I'd guess more along the lines of it not being insulated well enough and blowing F2.
#118054 - tepples - Fri Feb 09, 2007 2:28 pm
Lynx wrote: |
If it is foil related, I guess someone needs to write a tutorial on how to roll up a piece of foil so that pieces don't fall off? |
My tutorial describes how to find two metal paperclips and tape them together, as seen in lower left of this image.
#118151 - chuckstudios - Sat Feb 10, 2007 2:41 pm
Lynx wrote: |
If it is foil related, I guess someone needs to write a tutorial on how to roll up a piece of foil so that pieces don't fall off? Or, is this just a guess as to what happened? Unless you tear the foil or something, or have pieces hanging off to get cought when you remove it, I can't imagine how the foil would matter. I'd guess more along the lines of it not being insulated good enough and blowing F2. |
I'm pretty sure a piece got caught and was left inside. Anyway... I'm probably getting a new one tomorrow.
#118173 - Dan2552 - Sat Feb 10, 2007 7:41 pm
I just installed Flashme rather than stealth, and it's working fine :D
one more thing, is it possible to make it like hold L+R or something easier?
#118206 - HyperHacker - Sun Feb 11, 2007 1:19 am
FlashMe already has that; holding A+B+X+Y forces booting from the GBA slot.
#118263 - Modrak - Sun Feb 11, 2007 6:34 pm
Lick, we have a problem, the files somehow turned into unfancy 404 pages :(
#118273 - Dan2552 - Sun Feb 11, 2007 8:00 pm
HyperHacker wrote: |
FlashMe already has that; holding A+B+X+Y forces booting from the GBA slot. |
by "something easier" I meant something easier than A+B+X+Y
Modrak: I'd mirror, but I can't find my USB thing to copy the files off my memory card
#118290 - Modrak - Sun Feb 11, 2007 10:21 pm
Oh, thanks a lot...
#118309 - Lick - Mon Feb 12, 2007 12:32 am
#118330 - kalibar - Mon Feb 12, 2007 6:23 am
What is the point of the "DSBooterPASS.nds" file? Wouldn't re-installing a regular copy of FlashMe v7 achieve the same purpose?
_________________
Enamel Navy DS Lite || FlashMe v7 || SLOT-1: R4DS (Kernel: v1.06) w/ A-Data 1GB microSD || SLOT-2: G6 Lite 4Gb/512MB (Manager: v4.6D, Loader: v4.6C)
#118338 - Modrak - Mon Feb 12, 2007 8:43 am
Lick: so that will work for both PASS or DSBooter ? Thanks, I thought there were 2 versions :)
*goes to brick the DS* :D
#118341 - Modrak - Mon Feb 12, 2007 9:01 am
kalibar wrote: |
What is the point of the "DSBooterPASS.nds" file? Wouldn't re-installing a regular copy of FlashMe v7 achieve the same purpose? |
I think this patch is faster as you don't have to flash the DS all the way through...
Tadaaa, now I can have SuperCard inside and use R4 :)
(had to run to store and buy a pack of chocolate, cause screwdriver didn't work well :)
#118344 - kalibar - Mon Feb 12, 2007 10:37 am
Also, is the first version supposed to be called "DSHooterDONT.nds"? Gotta love me some DS hooters!
I kid, I kid. For real though, this is a great chunk of code and everyone who has FlashMe and an R4DS should be using it. That's a lot of stinkin' people.
_________________
Enamel Navy DS Lite || FlashMe v7 || SLOT-1: R4DS (Kernel: v1.06) w/ A-Data 1GB microSD || SLOT-2: G6 Lite 4Gb/512MB (Manager: v4.6D, Loader: v4.6C)
#118361 - Dan2552 - Mon Feb 12, 2007 6:14 pm
Well I'm glad I've helped all those R4 owners by making this thread.
wtf is an R4 :S
#119274 - Anga - Wed Feb 21, 2007 11:28 am
Uhhh... DSHooterDONT.nds tells me "That value isn't PASS"
I have the flashme v7 from the tinyurl in this thread
Is there like... a newer version or something? That one supports brightness levels on Lites and everything, so uh...
Sorry if I'm retarded and missed something important. XD
Edit: Oh yeah, forgot to mention it, I'm using the regular FlashMe, not stealth, of course.
_________________
maggiekarp: Aghhh okay guys why would my right ide hurt in my ribs
Angahith: Um... you didn't connect the ribs right to the IDE.
Angahith: You can only set one on master and one on slave.
#119321 - kojicolnair - Wed Feb 21, 2007 10:26 pm
I get the same error as well... not sure what version I'm using though, as I flashed mine a year or so ago.
#119380 - MaHe - Thu Feb 22, 2007 3:47 pm
FlashME 7, Stealth (DSLite)
Can't get it to work either. :'(
_________________
[ Crimson and Black Nintendo DS Lite | CycloDS Evolution | EZ-Flash 3-in-1 | 1 GB Transcend microSD ]
#119428 - outphase - Thu Feb 22, 2007 10:44 pm
MaHe wrote: |
FlashME 7, Stealth (DSLite)
Can't get it to work either. :'( |
In previous posts, stealth was determined to not work.
#120504 - bitsoffish - Sun Mar 04, 2007 5:16 am
couldn't get the patch to work... v7 on DS phat... it just gives some garbage characters when it tries to look for PASS...
#120524 - Anga - Sun Mar 04, 2007 12:19 pm
bitsoffish wrote: |
couldn't get the patch to work... v7 on DS phat... it just gives some garbage characters when it tries to look for PASS... |
Yeah, that's exactly the same thing I get.
Hope we can sucker Lick into having a look at it. <<;
_________________
maggiekarp: Aghhh okay guys why would my right ide hurt in my ribs
Angahith: Um... you didn't connect the ribs right to the IDE.
Angahith: You can only set one on master and one on slave.
#120553 - Lick - Sun Mar 04, 2007 5:52 pm
Yeah this patch is Flashme_nowarning only. I already know the stealth addresses but no time writing it. BRB.
_________________
http://licklick.wordpress.com
#120556 - daninski - Sun Mar 04, 2007 6:14 pm
I just flashme'd and hooteredme'd my DS Lite, worked a charm. I'm with the guy who suggested holding the shoulder buttons to go into passme mode - I'd even go as far as just holding the left shoulder button on start-up. Also, I'd LOVE to be able to put my own start-up screen, like the sky blue on white Sega logo :D
_________________
www.holbrooksfilms.com
www.tdotodotm.com
#120565 - kojicolnair - Sun Mar 04, 2007 6:51 pm
where exactly is this "Flashme_nowarning.nds" I've looked around but can't find it anywhere.
#120568 - Anga - Sun Mar 04, 2007 7:03 pm
Lick wrote: |
Yeah this patch is Flashme_nowarning only. I already know the stealth addresses but no time writing it. BRB. |
's cool, dude!
We're happy you're even doing this, so don't worry. XD
I've just been wondering if my FlashMe v7 with Lite support isn't the latest one, because well... I'm not using the stealth version and it finds different characters at the offset it checks.
_________________
maggiekarp: Aghhh okay guys why would my right ide hurt in my ribs
Angahith: Um... you didn't connect the ribs right to the IDE.
Angahith: You can only set one on master and one on slave.
#120817 - bitsoffish - Tue Mar 06, 2007 8:25 am
is it possible to put the patched flashme back online instead of just the patcher???
thx
btw couldn't find the file Flashme_nowarning.nds
#120868 - outphase - Tue Mar 06, 2007 10:41 pm
the "no warning" version of flashme is the non-stealth version.
#120899 - kojicolnair - Wed Mar 07, 2007 3:37 am
I recently put the non stealth one on and it still doesn't work.
#123393 - canoli - Tue Mar 27, 2007 9:48 pm
just to say "thank you". It worked fine.
#125947 - veganjay - Wed Apr 18, 2007 12:33 pm
Hi, I'm using the no warning flashme patch v7, with a DS Phat (original silver DS) and when I try to patch it says: "That value isn't pass."
Here is the md5 checksum of the flashme version I used:
fa220267edb05f4386025d97e2168f3f *flashme.nds
This version worked with the patch for another person, who was using a DS Lite.
So, could it be the patch does not work with an original DS?
#126868 - Dragon Chan - Fri Apr 27, 2007 6:21 pm
Worked fine for me. First of all, I flashed the non-stealth version as requested by the program, and then the patch. Works flawlessly. But I noticed that I can't boot with the original firmware by pressing start+select; I think it's related to the patch. Has anyone solved that "problem"? And if I want to unflash my DS Lite, can I unflash directly over the patched firmware or do I have to unpatch before unflashing it? Lick, can you please answer me?
Thank you in advance!
#126873 - veganjay - Fri Apr 27, 2007 6:52 pm
Can anyone please confirm that they got the patch to work on an original DS (DS Phat, not a DS Lite)? I'm assuming that's the problem.
#126897 - Dan2552 - Fri Apr 27, 2007 11:21 pm
veganjay wrote: |
Can anyone please confirm that they got the patch to work on an original DS (DS Phat, not a DS Lite)? I'm assuming that's the problem. |
I don't believe it works on phat.
#127538 - veganjay - Thu May 03, 2007 3:55 am
Thanks - just wanted to mention I got the new Flashme 8a (no autoboot) working on my DS Phat, so no longer need the patch.