#38810 - linus - Fri Apr 01, 2005 12:05 am
*If this has already been covered and I've missed it, I'm sorry, please redirect me.*
OK, as I understand it the DS won't execute any instructions that aren't encrypted, and the PassMe lets the real game do the encryption, then executes its own command which tells the processor to execute the code in the GBA slot. If so, is it possible to put more than just a jump instruction in there?
I guess it's my understanding of encryption that is foggy. Is all the code (or executed commands sent to the processor) encrypted? Or is it more of a validation process when it starts up to see whether the game is a licensed one? If it's the former, how does the PassMe execute the jump command?
Thanks for any replies,
Linus
#38917 - linus - Sat Apr 02, 2005 12:22 am
Are people not answering because they can't be arsed or because it's a stupid question?
#38919 - outRider - Sat Apr 02, 2005 1:03 am
When the DS starts a DS game it first reads the header from the card, which is unencrypted. After that, all further reads from the card are encrypted. The header contains, amongst other things, 2 addresses to entrypoints, one for the ARM9 and one for the ARM7. Normally both addresses are in the DS cart's address space. The passthroughs change the ARM7 address to somewhere in the GBA cart's address space. As far as the DS knows, it's executing the game that belongs to the header it read previously. Your code then interrupts the ARM9 (which started executing from the DS slot by now) so you can redirect it to the GBA cart as well.
_________________
outRider
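As an added example (not code from the thread or from any PassMe project), the script below parses the header fields outRider's post refers to and reports where each entry point lands. The field offsets follow the publicly documented DS cartridge header layout, the memory ranges for main RAM and the GBA slot are assumed for the example, and the header bytes it builds are constructed, not taken from any real cart. Run as a sanity check, it flags a header whose ARM7 entry point has been moved into the GBA cart's address space, and also checks that each entry point lies inside the image the header says will be loaded.

```python
# Added example (not from the thread): parse the DS cartridge header fields
# outRider's post talks about and report where the ARM9 and ARM7 entry
# points land.  Field offsets follow the public DS header layout; the memory
# ranges and the sample header bytes are assumptions constructed here.
import struct

HEADER_SIZE = 0x200  # size of the header block the DS reads unencrypted

# Address ranges as seen by the DS CPUs (assumed for this example).
REGIONS = {
    "main_ram": (0x02000000, 0x02400000),      # 4 MB main RAM
    "gba_slot_rom": (0x08000000, 0x0A000000),  # GBA cartridge ROM space
}


def region_of(addr):
    """Name the region an address falls in, or 'other'."""
    for name, (lo, hi) in REGIONS.items():
        if lo <= addr < hi:
            return name
    return "other"


def parse_header(hdr):
    """Pull the title, game code and the ARM9/ARM7 load fields out of a header.

    Offsets (assumed, from the public header layout):
      0x00 title (12 bytes), 0x0C game code (4 bytes),
      0x20 ARM9 ROM offset, 0x24 ARM9 entry, 0x28 ARM9 RAM addr, 0x2C ARM9 size,
      0x30 ARM7 ROM offset, 0x34 ARM7 entry, 0x38 ARM7 RAM addr, 0x3C ARM7 size.
    """
    if len(hdr) < HEADER_SIZE:
        raise ValueError("header too short: %d bytes" % len(hdr))
    fields = struct.unpack_from("<8I", hdr, 0x20)
    names = ("arm9_rom_offset", "arm9_entry", "arm9_ram_addr", "arm9_size",
             "arm7_rom_offset", "arm7_entry", "arm7_ram_addr", "arm7_size")
    info = dict(zip(names, fields))
    info["title"] = hdr[0:12].rstrip(b"\0").decode("ascii", "replace")
    info["gamecode"] = hdr[12:16].decode("ascii", "replace")
    return info


def _inside_image(entry, ram_addr, size):
    """True when an entry point lies inside the region the header loads."""
    return ram_addr <= entry < ram_addr + size


def classify_entrypoints(info):
    """Report the region of each entry point and whether the ARM7 entry has
    been pointed at the GBA slot (the passthrough pattern outRider describes)."""
    arm9 = region_of(info["arm9_entry"])
    arm7 = region_of(info["arm7_entry"])
    return {
        "arm9_region": arm9,
        "arm7_region": arm7,
        "arm7_in_gba_slot": arm7 == "gba_slot_rom",
        "arm9_entry_in_image": _inside_image(
            info["arm9_entry"], info["arm9_ram_addr"], info["arm9_size"]),
        "arm7_entry_in_image": _inside_image(
            info["arm7_entry"], info["arm7_ram_addr"], info["arm7_size"]),
    }


def make_sample_header(arm9_entry, arm7_entry):
    """Build a constructed 0x200-byte header with the given entry points."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:12] = b"SAMPLEGAME\0\0"   # constructed title
    hdr[12:16] = b"ASME"            # constructed game code
    struct.pack_into("<8I", hdr, 0x20,
                     0x4000, arm9_entry, 0x02000000, 0x100000,   # ARM9 fields
                     0x200000, arm7_entry, 0x02380000, 0x20000)  # ARM7 fields
    return bytes(hdr)


def demo():
    """Compare an ordinary header with one whose ARM7 entry is redirected."""
    normal = classify_entrypoints(
        parse_header(make_sample_header(0x02000800, 0x02380000)))
    redirected = classify_entrypoints(
        parse_header(make_sample_header(0x02000800, 0x08000000)))
    return normal, redirected


if __name__ == "__main__":
    for label, result in zip(("normal", "redirected"), demo()):
        print(label, result)
```

The second sample header is what the post describes: the ARM9 entry still points into main RAM while the ARM7 entry has been moved into the GBA cart's address space, so the classifier reports `arm7_in_gba_slot` as true and notes that the ARM7 entry no longer falls inside the image the header claims to load.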
#38920 - outRider - Sat Apr 02, 2005 1:07 am
When the DS starts a DS game it first reads the header from the card, which is unencrypted. After that, all further reads from the card are encrypted. The header contains, amongst other things, 2 addresses to entrypoints, one for the ARM9 and one for the ARM7. Normally both addresses are in the DS cart's address space. The passthroughs change the ARM7 address to somewhere in the GBA cart's address space. Your code then interrupts the ARM9 (which started executing from the DS slot by now) so you can redirect it to the GBA cart as well.
_________________
outRider
#38925 - linus - Sat Apr 02, 2005 2:05 am
cheers!
#38947 - Steve++ - Sat Apr 02, 2005 8:39 am
We'd all better start buying DSs before they block that in the BIOS (or by some other means).
#38948 - darkfader - Sat Apr 02, 2005 9:21 am
I think the startup screen is in firmware, so I bet it's possible for Nintendo to add a check for it. That will all be fixed once multiboot has been found out I hope.
#38950 - linus - Sat Apr 02, 2005 10:48 am
(This is a bit off topic, but I don't think it merits a new thread.)
I heard that the BIOS is writable but encrypted and that people have actually dumped it. What are the chances of actually being able to work out how it works and mod it or create a replacement?
From an architectural point of view, how is encryption implemented on the DS? Is it something the hardware does, or something the BIOS does, or something that I don't know about?
Cheers again,
Linus
PS: anyone got a link to a forum or something that tells me more about multiboots? (I don't like to have numerous newb questions at the same time :) )
#38994 - assassda - Sun Apr 03, 2005 12:17 am
@darkfader since you can now read/write the DS BIOS, why not create a custom BIOS that, instead of checking the header at all, goes directly to the GBA flash card?
#38995 - darkfader - Sun Apr 03, 2005 12:25 am
You mean firmware :)
We don't know how the encryption of firmware works... so it will probably take a while until we have a firmware replacement. Another thought is to erase the firmware and see what happens. Perhaps it skips the startup screen and runs PassMe programs immediately. There should be some way how Nintendo fills the firmware for the first time on a DS.
#38998 - octopusfluff - Sun Apr 03, 2005 12:52 am
darkfader wrote:
We don't know how the encryption of firmware works... so it will probably take a while until we have a firmware replacement. Another thought is to erase the firmware and see what happens. Perhaps it skips the startup screen and runs PassMe programs immediately. There should be some way how Nintendo fills the firmware for the first time on a DS.
Adventures in brick-making! =>
Actually, I'd expect they'd flash the chip prior to it being installed in the DS. That'd be the easiest way to do it.
My experience with similar devices indicates if you erase the firmware, you stand a good chance of never getting the device to do anything productive ever again (without pulling the chip and re-flashing it with the proper equipment). This might not be like the GBA; the firmware in the DS does an awful lot, and may well be necessary for normal operation.
There -are- some similar devices that have two separate firmwares, one of which is only used for loading the primary firmware. But these generally are only present in devices where the end user is expected to perform firmware updates, such as the BIOS in a PC, or development-capable devices such as the Zaurus by Sharp.
I seriously doubt Nintendo had any plans of letting users do anything like this. I don't think they even intended for the firmware to get updated.