#128718 - chishm - Mon May 14, 2007 2:27 pm
Here's the fruits of my efforts for this weekend: r4crypt.
You can use it to encrypt and decrypt the DAT files used by the R4 DS and M3 Simply. This includes _DS_MENU.DAT and CHEAT.DAT. You can completely replace the menu if you want to, or examine what's really in those DAT files.
The R4's decrypter is built into the hardware. All I had to go on was the output of the decrypter when presented with various inputs. Therefore my decryption code is not optimal, but it works.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com
#128726 - Diddl - Mon May 14, 2007 4:01 pm
Wonderful, thanks to you Chishm.
#128736 - Dood77 - Mon May 14, 2007 6:07 pm
So... this decrypts the DAT files that contain the menu graphics? Or do they contain code for the actual functionality of the firmware? (Or both?)
I've been thinking of getting an R4...
#128743 - tepples - Mon May 14, 2007 6:57 pm
Would this help for extracting the R4's SD card init code and putting it into a DLDI so that fatInitDefault() can work even after a hot-swap? Or would that require dumping the R4 card's BIOS itself?
_________________
Driven from Tilwick by ice storms, couldn't fit in in Flower Bud...
Nintendo DS: With two ARMs, who needs legs?
#128746 - Lick - Mon May 14, 2007 7:03 pm
I think it would require modifying the R4 BIOS. Not sure if that's possible.
_________________
http://licklick.wordpress.com
#128754 - chuckstudios - Mon May 14, 2007 9:32 pm
You are my new personal hero.
#128782 - chishm - Tue May 15, 2007 6:57 am
tepples wrote: |
Would this help for extracting the R4's SD card init code and putting it into a DLDI so that fatInitDefault() can work even after a hot-swap? Or would that require dumping the R4 card's BIOS itself? |
Yes it could help, but only if the menu did anything extra. However, after looking at the R4's firmware, it appears that the hardware itself takes care of initialising the TF card. The biggest obstacle to being able to init on re-insertion is the DS card encryption.
The _DS_MENU.DAT file contains the entire menu and default graphics. The code that is booted by the DS is only about 40KiB big. All it does is load the menu file. The R4 hardware takes care of initialising the SD card, reading the FAT file system, finding the menu file and decrypting each block of the menu as the boot code requests it.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com
#128785 - Diddl - Tue May 15, 2007 7:46 am
This means the R4 has its own intelligence? A small controller or such?
It was rather clear, because it can create the sav file in real time (while saving within a game).
#128801 - yasu - Tue May 15, 2007 11:06 am
First, sorry that I'm not good at English.
I have simpler code for the crypt. Is it needed?
(It can crypt using just a 2-byte seed :)
I resolved the crypt last month but I fear that
M3S go begging if I release it in public...
(M3S firmware will be able to be used in R4)
What do you think about that?
#128803 - tepples - Tue May 15, 2007 12:36 pm
chishm wrote: |
However, after looking at the R4's firmware, it appears that the hardware itself takes care of initialising the TF card. The biggest obstacle to being able to init on re-insertion is the DS card encryption. |
Then what's the obstacle to including just enough of a dumper that the TF begins to respond?
_________________
Driven from Tilwick by ice storms, couldn't fit in in Flower Bud...
Nintendo DS: With two ARMs, who needs legs?
#128811 - chishm - Tue May 15, 2007 2:19 pm
yasu wrote: |
First, sorry that I'm not good at English.
I have simpler code for the crypt. Is it needed?
(It can crypt using just a 2-byte seed :)
I resolved the crypt last month but I fear that
M3S go begging if I release it in public...
(M3S firmware will be able to be used in R4)
What do you think about that? |
That's impressive that you got it down to just two bytes for the seed. I'm very curious to see the algorithm you used.
Since I've already released my code, I don't think your code can do any more harm. Also, I examined the latest firmware for both the R4 and M3 Simply. They are identical except for the hardware check, brand name, and menu graphics.
tepples wrote: |
Then what's the obstacle to including just enough of a dumper that the TF begins to respond? |
The entire dumper is needed to bring the DS card to its "normal" state. To be honest, I'm a little tired of holding back the DS card code to prevent its evil uses. I'll try it out when I have the time and if I can bring the R4 to a usable state upon reinsertion then I'll seriously consider releasing the DS card code.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com
#128814 - Lick - Tue May 15, 2007 3:12 pm
No no! You must hold strong! You're our only hope!
_________________
http://licklick.wordpress.com
#128822 - Lynx - Tue May 15, 2007 5:08 pm
Evil uses? All the pirate hardware companies already have it.. what more could come of it now?
_________________
NDS Homebrew Roms & Reviews
#128827 - modulo - Tue May 15, 2007 7:05 pm
chishm wrote: |
The entire dumper is needed to bring the DS card to its "normal" state. To be honest, I'm a little tired of holding back the DS card code to prevent its evil uses. I'll try it out when I have the time and if I can bring the R4 to a usable state upon reinsertion then I'll seriously consider releasing the DS card code. |
You don't actually have to read the "Secure Blocks" to reinit the R4. If you skip that and just enter the main data mode, the sector read/write commands still work. I haven't tested without doing the 2nd and 3rd "Get ROM Chip ID" commands, but the point is that if you don't want to release a full dumper you can strip it down to the bare minimum...
#128828 - yasu - Tue May 15, 2007 7:17 pm
ok, here is the crypting program with codes.
http://home.usay.jp/pc/etc/nds/r4denc.zip
#128834 - modulo - Tue May 15, 2007 7:54 pm
yasu wrote: |
I resolved the crypt last month but I fear that
M3S go begging if I release it in public...
(M3S firmware will be able to be used in R4)
What do you think about that? |
I was wondering if someone released this when I noticed that the 1.08 kernel checked the language/hardware bits in 14 places while the 1.07 kernel only checked in 2. Perhaps this explains their paranoia...
#128881 - D-Trogh - Wed May 16, 2007 1:28 pm
Whooh.. Nice.. I wanted to edit this myself.. but I saw it was decrypted and because I don't know how to encrypt something.. Well.. I like this!
I saw that someone (over at the R4DS Forum) ripped the icons.. well.. How can I do that ? What editor do I need to use.. TileMolester is no good :(
Edit:
Ooops.. TileMolester is good.. I just didn't check out the 2-Dimensional option :P
#128892 - MaHe - Wed May 16, 2007 2:56 pm
This tool is _AMAZING_. I encrypted the FlashME binary to _DS_MENU.DAT and it worked perfectly (booted with FlashME v8's recovery mode). Also, DSOrganize can now be used as a bootloader and since de-encrypted _DS_MENU.DAT is just a .NDS binary, you can still keep it on the card.
Hats off to you chishm, you never fail to amaze us.
_________________
[ Crimson and Black Nintendo DS Lite | CycloDS Evolution | EZ-Flash 3-in-1 | 1 GB Transcend microSD ]
#128895 - D-Trogh - Wed May 16, 2007 3:38 pm
MaHe wrote: |
This tool is _AMAZING_. I encrypted the FlashME binary to _DS_MENU.DAT and it worked perfectly (booted with FlashME v8's recovery mode). Also, DSOrganize can now be used as a bootloader and since de-encrypted _DS_MENU.DAT is just a .NDS binary, you can still keep it on the card.
Hats off to you chishm, you never fail to amaze us. |
Just C&P huh :P
Well.. I created a .BAT file for people that don't know how to work in CMD
Just save under 'All Files' in NotePad as 'Yourname.BAT'
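Code: |
@echo off
rem Simple menu wrapper around r4crypt.exe; run it from the folder holding r4crypt.exe and the DAT file.
cls
:menu
echo -------------
echo Action Menu
echo -------------
echo [1] Decrypt
echo [2] Encrypt
echo [3] Close
echo -------------
echo.
set INPUT=
set /P INPUT= Action:
if "%INPUT%"=="" goto menu
if "%INPUT%"=="1" goto decrypt
if "%INPUT%"=="2" goto encrypt
if "%INPUT%"=="3" goto close
rem Any other input: show the menu again instead of falling through to :decrypt
goto menu
:decrypt
rem Decrypt _DS_MENU.DAT into OUTPUT.DAT
r4crypt.exe -d _DS_MENU.DAT OUTPUT.DAT
goto close
:encrypt
rem Encrypt OUTPUT.DAT back into _DS_MENU.DAT
r4crypt.exe -e OUTPUT.DAT _DS_MENU.DAT
goto close
:close
cls |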
Not that anyone needs this on these Forums.. but, maybe some other people do..
#128899 - czw - Wed May 16, 2007 4:06 pm
yasu is the first one to decrypt/encrypt the R4 kernel.
(or Rudolph ??, I forget.)
I posted in gbatemp one month ago.
here is his website :)
http://home.usay.jp/pc/etc/nds/
R4 Cheat Code Editor is another good tool.
#128910 - Dood77 - Wed May 16, 2007 6:32 pm
So you can replace the menu boot with ANY .nds?? Awesome!
I wonder what happens with libcartreset after this... (does it support R4?)
I'm thinking an R4 is definitely in my future purchase list.
Once again chishm, you've made a priceless contribution to DS homebrew :)
#128976 - OOPMan - Thu May 17, 2007 9:11 am
MaHe wrote: |
This tool is _AMAZING_. I encrypted the FlashME binary to _DS_MENU.DAT and it worked perfectly (booted with FlashME v8's recovery mode). Also, DSOrganize can now be used as a bootloader and since de-encrypted _DS_MENU.DAT is just a .NDS binary, you can still keep it on the card.
Hats off to you chishm, you never fail to amaze us. |
Very very very cool :-)
_________________
"My boot, your face..." - Attributed to OOPMan, Emperor of Eroticon VI
You can find my NDS homebrew projects here...
#128977 - MaHe - Thu May 17, 2007 9:18 am
D-Trogh wrote: |
Just C&P huh :P |
Yeah, first I wrote a different post there, but it got deleted ... =(
_________________
[ Crimson and Black Nintendo DS Lite | CycloDS Evolution | EZ-Flash 3-in-1 | 1 GB Transcend microSD ]
#128993 - chishm - Thu May 17, 2007 12:19 pm
I think yasu's tool is even better than mine. I use a naïve, almost brute-force approach with the encryption. I stopped refining the method once it worked. yasu's code should be quicker, using a better 2-byte state-based approach rather than my multiple tables of seed data. So my code is rudimentary, yasu's is refined. Use his, it's better.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com
#129029 - macha88 - Fri May 18, 2007 2:03 am
It seems yasu has made use of his tool and made translation packs to translate the firmware to Japanese. Yasu, do you think you could make one to translate to English?
#129124 - felix123 - Sat May 19, 2007 4:35 am
I think we need more communication between DS hackers from the East and the West. Where do Japanese DS hackers hang out generally?
_________________
Nintendo DS homebrew on Wikipedia
#129132 - chuckstudios - Sat May 19, 2007 1:28 pm
felix123 wrote: |
I think we need more communication between DS hackers from the East and the West. Where do Japanese DS hackers hang out generally? |
Japan. XD
#129133 - yasu - Sat May 19, 2007 2:02 pm
felix123 wrote: |
I think we need more communication between DS hackers from the East and the West. Where do Japanese DS hackers hang out generally? |
Yes, in Japan... XD
I think there are few DS programmers in Japan.
There is a DS programming topic in '2 channel'
but comments are scarce...
So I often visit DS programmers' web sites and their blogs.
#129198 - souLLy - Sun May 20, 2007 4:35 pm
I decrypted the latest M3 Simply menu and renamed it test.nds and tried to boot it, but it froze on the front menu and the text was corrupted. Anyone had this problem? I'm considering booting directly to either MoonShell or DSOrganize but I want to make sure I can easily boot to the official Simply menu if I want to.
#154066 - rexii - Thu Apr 10, 2008 11:34 am
MaHe wrote: |
This tool is _AMAZING_. I encrypted the FlashME binary to _DS_MENU.DAT and it worked perfectly (booted with FlashME v8's recovery mode). Also, DSOrganize can now be used as a bootloader and since de-encrypted _DS_MENU.DAT is just a .NDS binary, you can still keep it on the card.
Hats off to you chishm, you never fail to amaze us. |
Sorry to dig up dirt, I still can't figure out how to use this decrypted _DS_MENU.DAT as a bootloader in DSOrganize, can someone help?
#154077 - JLsoft - Thu Apr 10, 2008 4:21 pm
I think they meant taking DSOrganize.nds, encrypting it using this tool, and replacing the normal R4/M3S kernel's _DS_MENU.DAT with it so that the card boots up directly into DSOrganize.