#58258 - natrium42 - Sat Oct 22, 2005 12:05 am
Help needed from people who have: bootable DS (i.e. with old firmware), PassMe (or clone), GBA flashcart which doesn't require NDS menu loader.
New DSes seem to be shipped with new firmware that makes current PassMe not work. Loopy figured out how to circumvent the new protection, but the exploit is DS card specific and requires SRAM in the GBA slot (i.e. GBAMP won't work). I can probably fit in support for about four cards into a single PassMe. Also, there will be PassMes with different sets of supported games.
So what I need people to do right now is to run the attached .ds.gba on bootable DSes using different DS cards and tell me the numbers on the screen. This will help me add support for those cards.
You need to run this from a GBA flashcard without any use of DS menu loaders, since they might clear or corrupt the memory that is being searched for the exploit. Consequently, there is no .nds version of the program.
Some PassMes (or clones) are not supported, because a specific bit in the header is set, resulting in scrambled memory. This bit doesn't affect homebrew in any way, but it makes it impossible to explore memory left over from loading a DS card. This program will tell you when a PassMe (or clone) is not supported.
Please post your results here or on my weblog, or email them to me. I will then add support for the most popular games and put new PassMes up for sale.
Many thanks!
callfinder.ds.gba available at http://www.natrium42.com/blog/?p=34
_________________
www.natrium42.com
#58276 - josath - Sat Oct 22, 2005 4:30 am
using a pretty recent flashme, along with a neoflash 512mb cart, and the game Daigasso! Band Bros. (JPN), I get:
Code: |
SWI AF 02014BC0
SWI FF 020116E6
SWI A4 0203FB44
SWI EA 020124BC
BX LR 02000978
CRC 7B85CF56
GAME 4A424241 00
|
Using an old passme (one of the first batches from lynx) gives this output:
Code: |
SWI AF 020F8E46
SWI FF 020EEF00
SWI A4 00000000
SWI EA 020F3A4E
BX LR 02000978
CRC 2C66CF56
GAME 4A424241 00
|
#58277 - natrium42 - Sat Oct 22, 2005 4:42 am
The PassMe reading looks correct.
FlashMe messes up the memory giving wrong results.
_________________
www.natrium42.com
#58287 - Maverick - Sat Oct 22, 2005 9:01 am
And what about wifime?
#58290 - Thomas - Sat Oct 22, 2005 10:17 am
My PassMe clone (Superpass) is not supported :(
#58292 - GlenC - Sat Oct 22, 2005 11:26 am
Hi,
The SuperPass from supercard is not compatible with this program. However, never say never ;). I reflashed the superpass with the firmware found on dspassme.com and here are some results
Warioware Touched NTR-AZWJ-JPN
SWI AF 00000000
SWI FF 020B0E34
SWI A4 02026C64
SWI EA 020598D8
BX LR 02004978
CRC 0F63CF56
GAME 4A575A41 00
Feel the Magic NTR-APRE-USA
SWI AF 00000000
SWI FF 020506AC
SWI A4 00000000
SWI EA 00000000
BX LR 02000978
CRC 0EC9CF56
GAME 45525041 00
Nintendogs Lab & Friends NTR-AD3P-EUR
SWI AF 00000000
SWI FF 0209F89E
SWI A4 02082602
SWI EA 00000000
BX LR 02000910
CRC E8E8CF56
GAME 50334441 00
Can we just flash the old firmware onto a new Blue or Pink DS to get the old passme functionality back?
Glen.
#58295 - josath - Sat Oct 22, 2005 11:36 am
Quote: |
I reflashed the superpass with the firmware found on dspassme.com and here are some results
|
Just to be clear, You reflashed the passme, not your DS?
#58296 - GlenC - Sat Oct 22, 2005 11:59 am
Yep, that's what I said :)
I reflashed the Superpass with the standard passme code and got the results I posted. I'm not sure if they're valid or not, seems to be quite a few lines of 0's in there.
In order to reflash a Superpass, you need to take it apart (fairly simple, it's just glued). It has the jtag connectors on the edge of the pcb (presumably used for factory flashing). I built a cheaptag interface with an edge connector, used this to wipe the xilinx and reprogram with the standard code.
Piccie, if anyone is interested.
@natrium42, sorry for getting this thread slightly off topic, but it may be of use for people with a Superpass.
Glen.
#58299 - GlenC - Sat Oct 22, 2005 12:13 pm
Here are the results for Metroid Prime, you've probably already got these, but it will probably verify whether my other results are valid or not
Metroid Prime Demo NTR-AMFP-EUR
SWI AF 00000000
SWI FF 00000000
SWI A4 00000000
SWI EA 00000000
BX LR 02004910
CRC 4BDFCF56
GAME 50464D41 00
Last edited by GlenC on Sat Oct 22, 2005 2:53 pm; edited 1 time in total
#58310 - Thomas - Sat Oct 22, 2005 2:25 pm
GlenC wrote: |
[...]
I reflashed the Superpass with the standard passme code and got the results I posted. I'm not sure if they're valid or not, seems to be quite a few lines of 0's in there.
In order to reflash a Superpass, you need to take it apart (fairly simple, it's just glued). It has the jtag connectors on the edge of the pcb (presumably used for factory flashing). I built a cheaptag interface with an edge connector, used this to wipe the xilinx and reprogram with the standard code.
[...]
|
Great idea. I'll try that as soon as the download of the Xilinx programming environment is completed (at the moment, I have a slow internet connection).
I have Super Mario 64 DS, Yoshi Touch & Go and the Metroid demo. All of them are European versions. Does that make a difference, by the way?
#58313 - GlenC - Sat Oct 22, 2005 2:50 pm
Btw, forgot to add, if building the cheaptag for the Superpass, the connections are from Left - Right (This is with the jtag connectors face up and towards you). You do need to fully erase the Xilinx before programming the new firmware.
GND, TDI, TMS, TCK, TDO, VCC
Glen.
#58323 - natrium42 - Sat Oct 22, 2005 5:51 pm
GlenC wrote: |
I reflashed the Superpass with the standard passme code and got the results I posted. I'm not sure if they're valid or not, seems to be quite a few lines of 0's in there.
|
Only one SWI line needs to be non-zero for a working exploit. (i.e. it looks like European Metroid Prime Demo is not going to work)
GlenC wrote: |
@natrium42, sorry for getting this thread slightly off topic, but it may be of use for people with a Superpass.
|
You are giving some good info, that's great!
Anyway, people who have a DS with new FW can reprogram PassMe (or clone) as described. Get passme-iQue.zip from http://home.utah.edu/~u0422123/iQue/ and replace ARM7 entry point in VHDL file with the first non-zero SWI offset and the ARM9 entry point with BX LR offset. Generate programming file with Xilinx ISE. Then sram.bin needs to be modified to use the BX LR offset instead of the current one. (Address in sram.bin starts at offset 0x764 with each address byte 0x32 bytes apart. Also, address bytes are doubled as you can see with a hex editor.) And that's all required to make PassMe (or clone) work with a new DS.
EDIT: ARM7 entry address should have lowest bit set to indicate Thumb mode.
GlenC, if it's not too much trouble for you, could you please reprogram your SuperPass in the described way for Labrador and test? It seems like many people want that game supported.
_________________
www.natrium42.com
Last edited by natrium42 on Sun Oct 23, 2005 5:49 am; edited 1 time in total
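A worked version of the patch procedure natrium42 describes above, as an added example that is not part of this thread or of the passme-iQue package: it parses callfinder output (GlenC's Nintendogs Lab & Friends numbers are reused as the sample), picks the entry points, sets the Thumb bit on the ARM7 entry, and emits the VHDL lines and the doubled-byte sram.bin layout GlenC and natrium42 worked out. The header offsets 0x24/0x34 are the NDS header ARM9/ARM7 entry fields; the sram.bin constants (0x764, stride 0x32, bytes doubled) are taken from the thread and assumed to hold for the sramFF.bin in use.

```python
import struct

# Constructed sample input: the callfinder output GlenC posted above for
# Nintendogs Lab & Friends (NTR-AD3P-EUR), copied here as a test vector.
NINTENDOGS_EUR = """\
SWI AF 00000000
SWI FF 0209F89E
SWI A4 02082602
SWI EA 00000000
BX LR 02000910
CRC E8E8CF56
GAME 50334441 00
"""

ARM9_ENTRY_OFS = 0x24     # NDS header: ARM9 entry address (4 bytes, little-endian)
ARM7_ENTRY_OFS = 0x34     # NDS header: ARM7 entry address (4 bytes, little-endian)
SRAM_ADDR_OFS = 0x764     # sram.bin: first address byte (layout from the thread, assumed)
SRAM_ADDR_STRIDE = 0x32   # sram.bin: each further address byte sits 0x32 bytes on

def parse_callfinder(text):
    """Parse callfinder output: SWI offsets (in printed order), BX LR, CRC, gamecode, version."""
    info = {"swi": []}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "SWI":
            info["swi"].append((int(f[1], 16), int(f[2], 16)))
        elif f[0] == "BX":
            info["bx_lr"] = int(f[2], 16)
        elif f[0] == "CRC":
            info["crc"] = int(f[1], 16)
        elif f[0] == "GAME":
            # the 4-char gamecode printed as one little-endian word, then the ROM version
            info["gamecode"] = struct.pack("<I", int(f[1], 16)).decode("ascii")
            info["version"] = int(f[2], 16)
    return info

def entry_points(info):
    """(ARM9 entry, ARM7 entry): ARM9 = BX LR offset, ARM7 = first non-zero SWI | 1 (Thumb)."""
    swi = next((addr for _, addr in info["swi"] if addr), None)
    if swi is None:
        raise ValueError("no usable SWI offset: this card cannot be supported this way")
    return info["bx_lr"], swi | 1

def vhdl_patch_lines(arm9, arm7):
    """The 'when 16#0xx# => patched_data <= X".."' lines for header bytes 0x24-0x26, 0x34-0x36.
    Byte 0x27/0x37 is the fixed 0x02 of a main-RAM address and is left alone, as in the thread."""
    lines = []
    for base, addr, what in ((ARM9_ENTRY_OFS, arm9, "ARM9 entry address (BX LR)"),
                             (ARM7_ENTRY_OFS, arm7, "ARM7 entry address (first SWI, Thumb)")):
        lines.append(f"-- patch {what}")
        for i, b in enumerate(struct.pack("<I", addr)[:3]):
            lines.append(f'when 16#{base + i:03X}# => patched_data <= X"{b:02X}";')
    return lines

def patch_sram(sram, arm9):
    """Write the ARM9 entry into an sram.bin image: each little-endian byte doubled, 0x32 apart."""
    buf = bytearray(sram)
    for i, b in enumerate(struct.pack("<I", arm9)):
        pos = SRAM_ADDR_OFS + i * SRAM_ADDR_STRIDE
        buf[pos:pos + 2] = bytes((b, b))
    return bytes(buf)
```

Running it on the sample reproduces GlenC's corrected VHDL lines (9F, F8, 09 for the ARM7 entry) and the four doubled bytes at 0x764, 0x796, 0x7C8 and 0x7FA.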
#58332 - GlenC - Sat Oct 22, 2005 6:59 pm
Ok, see if I've got this clear.
Address 0x764 contains 0's, are you sure that is the correct location? In fact that area of the sram file is very sparse of data, just the odd short data scattered within the area until 0x9ba
I'm presuming the vhdl file I'm altering is this section
Code: |
-- patch ARM9 entry address to endless loop
when 16#024# => patched_data <= X"78";
when 16#025# => patched_data <= X"49";
when 16#026# => patched_data <= X"00";
-- patch ARM7 entry address
when 16#034# => patched_data <= X"4D";
when 16#035# => patched_data <= X"A2";
when 16#036# => patched_data <= X"05";
|
There are only 3 bytes of information in each group of statements, yet the SWI address to patch is 4 bytes.
Glen.
#58333 - natrium42 - Sat Oct 22, 2005 7:07 pm
GlenC wrote: |
Address 0x764 contains 0's, are you sure that is the correct location? In fact that area of the sram file is very sparse of data, just the odd short data scattered within the area until 0x9ba
|
Oops, Loopy updated his SRAM code, but didn't put it up yet. Here is the new binary: http://www.natrium42.com/downloads/sramFF.bin
GlenC wrote: |
I'm presuming the vhdl file I'm altering is this section
...
There is only 3 bytes of information in each group of statements, yet the SWI address to patch is 4 bytes.
|
Bytes at 0x027 and 0x037 are both 0x02 in all NDS headers I have seen, so don't need to be modified.
Also, make sure to enable Area/Density optimizations under "Synthesize - XST" and "Fit" in Xilinx ISE.
_________________
www.natrium42.com
#58352 - GlenC - Sat Oct 22, 2005 9:48 pm
Hi,
Did it all, and it didn't work :(
Code: |
-- patch ARM9 entry address to endless loop BX LR
when 16#024# => patched_data <= X"10";
when 16#025# => patched_data <= X"09";
when 16#026# => patched_data <= X"00";
-- patch ARM7 entry address First SWI
when 16#034# => patched_data <= X"9E";
when 16#035# => patched_data <= X"F8";
when 16#036# => patched_data <= X"09";
|
These are the modifications to the vhd file for nintendogs
The sram file was modified so that
0x764 = 0x1010
0x796 = 0x0909
0x7c8 = 0x0000
0x7FA = 0x0202
The DS (blue) booted as normal and only showed a GBA cart present.
I'll redo it all again to make sure I've not made any mistakes, but I was pretty careful.
Just to reiterate, the sram and the ARM9 entry points both point to the same memory location?
Glen.
#58365 - natrium42 - Sat Oct 22, 2005 10:56 pm
Heh, sorry I forgot to mention that lowest bit should be set in ARM7 entry point to indicate THUMB mode. i.e. ARM7 entry point should be 0x0209F89F instead of 0x0209F89E.
Change
when 16#034# => patched_data <= X"9E";
to
when 16#034# => patched_data <= X"9F";
Everything else looks correct.
_________________
www.natrium42.com
#58393 - The 9th Sage - Sun Oct 23, 2005 4:23 am
Ok, I had to fix my PassMe (old PCI pin version, getting kinda beat up) for this, but I got it working. I have a whole stack of games loose here, and here's the info for them. :) (I have FlashMe installed, but not using it to boot this of course)
Castlevania: Dawn of Sorrow (US Vers)
SWI AF 00000000
SWI FF 00000000
SWI A4 0200063E
SWI EA 00000000
BX LR 02000910
CRC C9D9CF56
GAME 455564341 00
Jump SuperStars (J Vers)
SWI AF 00000000
SWI FF 00000000
SWI A4 00000000
SWI EA 00000000
BX LR 02000910
CRC 069DCF56
GAME 4A534A41 00
Nintendogs Lab Version (US vers)
SWI AF 00000000
SWI FF 0209FE60
SWI A4 02081592
SWI EA 00000000
BX LR 02000910
CRC 3D05CF56
GAME 45334441 00
Trauma Center: Under the Knife (US vers)
SWI AF 00000000
SWI FF 0212dff4
SWI A4 0217742c
SWI EA 00000000
BX LR 0200098c
CRC 8f45cf56
GAME 45444b41 00
Lost in Blue (US vers)
SWI AF 00000000
SWI FF 023a26ec
SWI A4 00000000
SWI EA 00000000
BX LR 020013b0
CRC d11ccf56
GAME 454b5341 00
Legend of Zelda: Twilight Princess e3 Press Trailer (US vers) :P
SWI AF 00000000
SWI FF 0201B21C
SWI A4 00000000
SWI EA 00000000
BX LR 02000910
CRC 248dcf56
GAME 45445a41 00
WarioWare Touched! (US vers)
SWI AF 00000000
SWI FF 020b3870
SWI A4 00000000
SWI EA 020be9c6
BX LR 020048f8
CRC 9036cf56
GAME 45575a41 00
Meteos (US vers)
SWI AF 00000000
SWI FF 00000000
SWI A4 00000000
SWI EA 00000000
BX LR 02000910
CRC 0f9acf56
GAME 45544d41 00
Feel the Magic (US vers)
SWI AF 00000000
SWI FF 020506ac
SWI A4 00000000
SWI EA 00000000
BX LR 02000978
CRC 0ec9cf56
GAME 45525041 00
Kirby: Canvas Curse (US vers)
SWI AF 00000000
SWI FF 0201f2f4
SWI A4 00000000
SWI EA 00000000
BX LR 02000910
CRC e41ccf56
GAME 454b5441 00
Puyo Pop Fever (US vers)
SWI AF 02000552
SWI FF 0201802e
SWI A4 02011e04
SWI EA 0200770c
BX LR 020008f8
CRC 7225cf56
GAME 45595041 00
Polarium (US vers)
SWI AF 00000000
SWI FF 00000000
SWI A4 02018268
SWI EA 0238c6dc
BX LR 02000910
CRC 38b1cf56
GAME 454e5341 00
I hope this helps. ^_^
_________________
Now with 20% More Old Man from Zelda 1 than ever before!
#58396 - natrium42 - Sun Oct 23, 2005 5:46 am
@The 9th Sage
Wow, that's quite a few games, thanks! I only have two...
Now all these games can be supported by PassMe for new DS FW.
BTW, GlenC tested PassMe code for Nintendogs Labrador (E) and got his blue DS to boot :)
_________________
www.natrium42.com
#58397 - The 9th Sage - Sun Oct 23, 2005 5:52 am
natrium42 wrote: |
@The 9th Sage
Wow, that's quite a few games, thanks! I only have two...
Now all these games can be supported by PassMe for new DS FW.
BTW, GlenC tested PassMe code for Nintendogs Labrador (E) and got his blue DS to boot :)
|
You're welcome...actually, it didn't even occur to me how many games I have accumulated until I did this. O_o That's good news by the way, now maybe a 'red firmware' flashme can come into existence eventually. :)
_________________
Now with 20% More Old Man from Zelda 1 than ever before!
#58415 - Cojones - Sun Oct 23, 2005 1:10 pm
Maybe someone could make a sticky with those working games?
#58417 - GlenC - Sun Oct 23, 2005 1:48 pm
I've just flashed my new-firmware blue DS with the latest flashme, and now my supercard works again :) no more hassle.
Excellent work, Olimar and Natrium42.
Cheers
Glen.
#58422 - Cubehacker - Sun Oct 23, 2005 2:56 pm
Sorry to be a pain in the ass guys but could you explain in layman's terms how using a passme on the new DS firmware is achieved? Does it involve coding or physically modding the passme?
_________________
Sick of roms??
Get RETRO !!!
#58490 - natrium42 - Mon Oct 24, 2005 12:40 am
PassMe2 is now available in my Webshop: http://natrium42.com/shop
Thanks for helping me guys! And thanks Loopy for figuring out how to boot with new DS firmware!
I will add support for more DS cards gradually as I receive new numbers.
Cubehacker wrote: |
Sorry to be a pain in the ass guys but could you explain in layman's terms how using a passme on the new DS firmware is achieved? Does it involve coding or physically modding the passme?
|
You can reprogram it using a JTAG cable such as Cheaptag. Otherwise, you can buy a preprogrammed PassMe2 from me.
_________________
www.natrium42.com
#58537 - cory1492 - Mon Oct 24, 2005 12:05 pm
Using my original PassMe from dspassme I get these for some more additions to your list:
Madden 2005 (US ver)
Code: |
SWI AF 020D478C
SWI FF 0213BBBA
SWI A4 00000000
SWI EA 02000978
BX LR 3AC9CF56
CRC 3AC9CF56
GAME 45444D41 00
|
Spyro: Shadow Legacy (US)
Code: |
SWI AF 0206C450
SWI FF 02056FF4
SWI A4 020007F2
SWI EA 00000000
BX LR 02000910
CRC 6D81CF56
GAME 45535341 00
|
Dig Dug: Digging Strike (US)
Code: |
SWI AF 00000000
SWI FF 00000000
SWI A4 0208E0B4
SWI EA 00000000
BX LR 02000910
CRC 7F4ACF56
GAME 45444441 00
|
World Championship Poker Deluxe Series (US)
Code: |
SWI AF 00000000
SWI FF 02054516
SWI A4 00000000
SWI EA 00000000
BX LR 02000910
CRC A8FACF56
GAME 45505741 00
|
#58546 - darkfader - Mon Oct 24, 2005 2:58 pm
Oh... what a beautiful name.
#58569 - Thomas - Mon Oct 24, 2005 5:36 pm
I have flashed my Superpass with the original PassMe firmware. Everything works fine now. Too bad the Superpass code is write protected; it's not possible to dump it and examine the differences.
Anyway, I don't know if some of these codes were already given, but here are mine:
- Metroid demo (NTR-AMFP-EUR)
Code: |
SWI AF 00000000
SWI FF 00000000
SWI A4 00000000
SWI EA 00000000
BX LR 02004910
CRC 4BDFCF56
GAME 50464D41 00
|
- Yoshi Touch & Go (NTR-AYIP-EUR)
Code: |
SWI AF 00000000
SWI FF 02081FBC
SWI A4 0207D5EC
SWI EA 02024DEC
BX LR 02000910
CRC DBBDCF56
GAME 50495941 00
|
- Super Mario 64 DS (NTR-ASMP-EUR)
Code: |
SWI AF 00000000
SWI FF 02051BA8
SWI A4 0204D976
SWI EA 00000000
BX LR 02004978
CRC 97E6CF56
GAME 504D5341 00
|
#59025 - Lynx - Fri Oct 28, 2005 3:35 am
I am also selling version 2 PassMes.. And if you have an old PassMe, and would like step by step instructions on making it work with your game, check out the unfinished tutorial HERE
I have also added a PassMe2 file section that I will be adding .zip files with the .jed and sram.bin for all the games I have already done. Also, my sram.bin files are padded to 32k, as my linker won't work with the 4k ones. :( Check the progress HERE
Please feel free to e-mail me with updates/info if I missed something.
#59338 - rumblpak - Mon Oct 31, 2005 6:49 pm
if someone has the games, can either lunar or advance wars DS (both US) be put into a passme2? i only have those two games and would rather not buy a game just so i can use a passme2.
thanks for the help.
#59410 - Onori - Tue Nov 01, 2005 5:32 pm
I ordered a passme2 from natrium42's website and still didn't get it, or even an answer by email.
Have others ordered a passme2 and received it?
#59415 - pepsiman - Tue Nov 01, 2005 6:22 pm
rumblpak wrote: |
if someone has the games, can either lunar or advance wars DS (both US) be put into a passme2? i only have those two games and would rather not buy a game just so i can use a passme2.
thanks for the help.
|
advance wars us:
swi a4 = 0238c164 + 1
bx lr = 02000910
#59715 - mike260 - Thu Nov 03, 2005 6:12 pm
Advance wars (NTR-AWRP-EUR):
Code: |
SWI AF 020CC570
SWI FF 021296AE
SWI A4 020D69B4
SWI EA 00000000
BX LR 02000910
CRC 5C3FCF56
GAME 50525741 00
|
Mario 64 (NTR-ASME-EUR):
Code: |
SWI AF 00000000
SWI FF 02026C68
SWI A4 00000000
SWI EA 00000000
BX LR 02004978
CRC F2A0CF56
GAME 454D5341 01
|
I noticed someone already posted EUR Mario64 results - my cart's got a different product code and gives different results.
_________________
"Ever tried? Ever failed? No matter. Try Again. Fail again. Fail better."
-- Samuel Beckett
#59716 - natrium42 - Thu Nov 03, 2005 6:33 pm
mike260 wrote: |
I noticed someone already posted EUR Mario64 results - my cart's got a different product code and gives different results.
|
Yes, your Mario is version 01 instead of 00 as seen by this line:
"GAME 454D5341 01"
So I have to make special PassMe2 code for EUR Mario to look for the version number and provide entry points based on that.
Thanks for the numbers!
_________________
www.natrium42.com
#59717 - mike260 - Thu Nov 03, 2005 6:39 pm
natrium42 wrote: |
mike260 wrote: |
I noticed someone already posted EUR Mario64 results - my cart's got a different product code and gives different results.
|
Yes, your Mario is version 01 instead of 00 as seen by this line:
"GAME 454D5341 01"
So I have to make special PassMe2 code for EUR Mario to look for the version number and provide entry points based on that.
Thanks for the numbers!
|
Sorry, my brain's not working at all today. I somehow managed to (a) forget I got Mario64 on import, and (b) misread 'USA' as 'EUR'.
Doh.
_________________
"Ever tried? Ever failed? No matter. Try Again. Fail again. Fail better."
-- Samuel Beckett
#60130 - darkfader - Mon Nov 07, 2005 10:59 am
If anyone cares/dares...
sav and jed files for releases up to 0148 or so.
I will create another script to extract info into a database that I can put onto my website. Autodetecting the savegame size will be the difficult part.
#60216 - darkfader - Tue Nov 08, 2005 4:04 am
#60251 - wiedo - Tue Nov 08, 2005 12:29 pm
Code: |
Meteos
NTR-AMTP-EUR
SWI AF 0204585C
SWI FF 02100BF0
SWI A4 020A43D8
SWI EA 02057B44
BX LR 02000910
CRC FB6ACF56
GAME 50544D41 00
|
#60257 - darkfader - Tue Nov 08, 2005 1:31 pm
Uh. that's odd. AMTP passme code is not listed on my page.
Perhaps my SWI finder doesn't work so well. might be too strict or something. Or it could be a different version :)
#60365 - lambi1982 - Wed Nov 09, 2005 5:16 pm
Is the original passme not supposed to work on new blue DS???
'Cause that's what I thought, but it works just fine with the DS I just bought (BLUE)
_________________
Who, Me?
#60429 - Jakelshark - Thu Nov 10, 2005 4:06 am
^ some do and some don't, the later it was built the more likely it will have new
#64654 - tepples - Sat Dec 24, 2005 5:21 pm
ARM instructions are available in any of several different condition codes. Does this tool look only for instructions in the "AL" variant (e.g. SWI 0xAF0000), or does it also look for other relevant condition code variants that might be present (e.g. SWINE 0xAF0000)? It might make more games available.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
#64666 - olimar - Sat Dec 24, 2005 7:56 pm
Last edited by olimar on Wed Aug 20, 2008 10:04 pm; edited 1 time in total
#64667 - tepples - Sat Dec 24, 2005 9:05 pm
c: Condition number
dd: don't care
nn: number of SWI
ARM SWI: dd dd nn cF (cFnndddd)
Thumb SWI: nn DF (DFnn)
Conditions:
0 EQ (Z=1)
1 NE (Z=0)
2 CS (C=1)
3 CC (C=0)
4 MI (N=1)
5 PL (N=0)
6 VS (V=1)
7 VC (V=0)
8 HI (C=1 and Z=0)
9 LS (C=0 or Z=1)
A GE (N=V)
B LT (N!=V)
C GT (Z=0 N=V)
D LE (Z=1 or N!=V)
E AL (always)
Only a few of these conditions are likely to be relevant, based on the firmware code just before the branch to the ARM7 entry point. The LE case is redundant with the Thumb case.
I just want my PassMeteos joke back is all.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
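To make tepples' question concrete, an added example (my own code, not natrium42's callfinder): a scanner that decodes ARM SWI words under every condition code from the table above and Thumb SWIs, run over a constructed memory image so that the SWINE case an AL-only search would miss is visible. It also shows why the LE case is redundant with the Thumb case: the upper halfword of an ARM SWILE word (0xDFnn) is itself a Thumb SWI. The memory contents and base address are made up for the demonstration.

```python
import struct

# ARM condition codes 0x0-0xE as tepples lists them; 0xF is reserved and is not treated as a SWI.
COND_NAMES = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
              "HI", "LS", "GE", "LT", "GT", "LE", "AL"]

def decode_arm_swi(word):
    """(cond, number) if word is an ARM SWI under any condition (0xcFnndddd), else None.
    Bits 27-24 are 1111; the DS BIOS takes the SWI number from bits 23-16."""
    cond = word >> 28
    if (word >> 24) & 0xF != 0xF or cond == 0xF:
        return None
    return COND_NAMES[cond], (word >> 16) & 0xFF

def decode_thumb_swi(half):
    """SWI number if half is a Thumb SWI (0xDFnn), else None."""
    return half & 0xFF if half >> 8 == 0xDF else None

def find_swi(mem, base, number):
    """Scan a little-endian memory image for SWI <number>; returns (address, mode, cond) hits.
    ARM encodings are checked on word boundaries, Thumb encodings on halfword boundaries."""
    hits = []
    for off in range(0, len(mem) - 3, 4):
        r = decode_arm_swi(struct.unpack_from("<I", mem, off)[0])
        if r and r[1] == number:
            hits.append((base + off, "ARM", r[0]))
    for off in range(0, len(mem) - 1, 2):
        if decode_thumb_swi(struct.unpack_from("<H", mem, off)[0]) == number:
            hits.append((base + off, "Thumb", None))
    return hits

# Constructed memory image at a made-up base: a NOP, a plain SWI AF, a SWINE FF that an
# AL-only search would miss, then a Thumb SWI A4 followed by a Thumb BX LR.
SAMPLE_BASE = 0x02000000
SAMPLE_MEM = struct.pack("<IIIHH", 0xE1A00000, 0xEFAF0000, 0x1FFF0000, 0xDFA4, 0x4770)
```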
#65050 - ReRuss - Thu Dec 29, 2005 10:06 pm
I have a question
I just got a Blue DS with newer firmware (I believe NU116****9 [9] is new firmware)
If I get a PassMe2, will I be able to put FlashMe on it so I don't have to use PassMe to boot NDS files?
#65063 - Thomas - Thu Dec 29, 2005 11:24 pm
ReRuss wrote: |
I have a question
I just got a Blue DS with newer firmware (I believe NU116****9 [9] is new firmware)
If I get a PassMe2, will I be able to put FlashMe on it so I don't have to use PassMe to boot NDS files?
|
Yes.
#65064 - ReRuss - Thu Dec 29, 2005 11:26 pm
sweet - thanx
EDIT - Also I notice the list doesn't show the Mew Edition DS and if it can use PassMe, when I get mine in I'll try to get that in the list