gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies.

DS Misc > Wifime Thoughts

#66689 - cloak - Thu Jan 12, 2006 11:32 pm

I was wondering...

Currently wifime redirects the arm9 start address to that of the gba rom memory. Does this mean it's possible to change that start address to any arbitrary location, like the memory of the DS?

Basically what I am asking is, would it be possible to send down wifime with some extra data appended (i.e. some arbitrary code), and set the wifime jump address to the beginning of said extra code?

My only thought is that the ds stops receiving data after wifime is received, stopping any extra data from being stored.

Any thoughts? Or am I missing some crucial part of the picture that would make this not work?

Thanks,
-Cloak

#66700 - tetsujin - Fri Jan 13, 2006 12:47 am

cloak wrote:
I was wondering...

Currently wifime redirects the arm9 start address to that of the gba rom memory. Does this mean it's possible to change that start address to any arbitrary location, like the memory of the DS?

Basically what I am asking is, would it be possible to send down wifime with some extra data appended (i.e. some arbitrary code), and set the wifime jump address to the beginning of said extra code?

My only thought is that the ds stops receiving data after wifime is received, stopping any extra data from being stored.

Any thoughts? Or am I missing some crucial part of the picture that would make this not work?
The main thread on WifiMe has a very low signal:noise ratio, but where there's good signal, you can get a lot of very useful information from it. I'll give you a bit of a summary, but I still recommend reading the thread.

When the NDS loads a program it loads the header and the code to be loaded into main memory. The header contains the jump addresses you mentioned, plus various other data, as well as cryptographic signatures for the program code, which for all practical purposes cannot be cracked. WiFiMe and PassMe work by altering the header (which doesn't affect the crypto signature) to change the jump addresses - but they cannot alter the program code, because doing so would cause the crypto signature to no longer match.

The new firmware defeats this, IIRC, by treating the GBA ROM space as an invalid address in that context. (I don't understand all the details of that, or how Passme2 gets around that.)

So there's really not much place you could put code inside of a modified WMB demo without breaking the crypto check. Maybe you could put some code in the header itself, in that logo or the title text, I don't quite know. It wouldn't be much code, and I'm not sure if you'd be able to jump to it.

Tepples made some posts about his ideas for a future WiFiMe that would work a little differently - but that was several months ago and I don't know if that's gone anywhere. The basic idea was to take a game that first downloads its own program code via WMB, and then downloads other data (levels, 3-D models, maybe even program code, etc.) via a basic network connection to the host. The theory was that, while the NDS firmware is strict about RSA signatures on the initial WMB transmission, security on transmissions after the program code is transferred might be more relaxed. If so, it might be possible to take a WMB transmission captured from a game, and append other code in place of the official game data, such that the receiving DS running the game code will download that data, and either execute it intentionally (if program code is being sent) or unintentionally (by way of a buffer overrun, etc.) But it seems he never found such a security hole in any of the code he examined. If this approach could be found to work, the result would be an almost perfect security-bypassing WMB wrapper: a crypto-signed program which would run whatever code we insert. As long as we had no qualms about endlessly copying and distributing that chunk of copyrighted game code we'd be able to use it to boot things on unmodified DSes.
_________________
---GEC
I think that all the work that's been done by the homebrew community so far to support people who want to program for the GBA or DS is amazing.
Thank you, everyone, I look forward to taking advantage of your work.

#66746 - tepples - Fri Jan 13, 2006 7:27 am

tetsujin wrote:
The new firmware defeats this, IIRC, by treating the GBA ROM space as an invalid address in that context.

And, in the case of wifime, by using an entry point in the signed binary rather than the alternate entry point in the WMB header.

Quote:
(I don't understand all the details of that, or how Passme2 gets around that.)

Three words: jump to SRAM.

Quote:
Tepples made some posts about his ideas for a future WiFiMe that would work a little differently - but that was several months ago and I don't know if that's gone anywhere.

What you describe I've called WiFiMe2. That and various other ideas that haven't seen any public work on them are described on my passthrough page.

Quote:
But it seems he never found such a security hole in any of the code he examined.

I never examined any code. I posted the ideas for other enterprising hackers such as dark* and olimar.

Quote:
As long as we had no qualms about endlessly copying and distributing that chunk of copyrighted game code we'd be able to use it to boot things on unmodified DSes.

Under Sega v. Accolade and Lexmark v. Static Control, two copyright-related cases that were decided in favor of permitting copying that is necessary for interoperability, it would probably be legal to distribute the game code, at least in the United States.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#66762 - pepsiman - Fri Jan 13, 2006 10:43 am

cloak wrote:

Currently wifime redirects the arm9 start address to that of the gba rom memory.

No it doesn't.
WifiMe redirects the arm7 start address to that of the gba rom memory (0x080000c0).
It redirects the arm9 start address to within the copy of the NDS header in normal RAM.
This part of the header has been replaced with some code to read from an address (0x027FFE24) and jump to it.
The NDS loader run by the arm7 writes the real arm9 start address to this location after copying the binary into memory.

Quote:
Basically what I am asking, is would it be possible to send down wifime with some extra data appended (ie some arbitrary code), and set the wifime jump address to the beginning of said extra code?

WifiMe is running arbitrary code, there just isn't much space in the header to store code to do anything useful.
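
The security point running through tetsujin's and pepsiman's replies is that the signature covers the ARM9/ARM7 binaries but not the header, so the entry-point fields in the header are unauthenticated and a loader that trusts them will jump wherever the header says. The following is an added example, not code from the thread or from WifiMe: a small Python model of a loader that verifies the binaries and then either trusts the header's entry points (the behaviour the thread describes) or, in the hardened variant, additionally requires each entry point to lie inside the signed, loaded binary, which is the kind of restriction the thread attributes to the newer firmware. Assumptions: the field offsets (ARM9 entry at 0x24, ARM7 entry at 0x34, each followed by load address and size) follow the publicly documented NDS cartridge header layout, consistent with the thread's 0x027FFE24 being offset 0x24 into the header copy at 0x027FFE00 in main RAM; the header size, the sample binaries and the addresses are constructed; and the signature is modelled with SHA-256 over the binaries rather than the console's real RSA scheme.

```python
import hashlib
import struct

HEADER_SIZE = 0x200  # constructed header size for this model

# Header field offsets (assumed from the public NDS cartridge header layout):
# entry address, then load (RAM) address, then size, for each core.
OFF_ARM9_ENTRY, OFF_ARM9_LOAD, OFF_ARM9_SIZE = 0x24, 0x28, 0x2C
OFF_ARM7_ENTRY, OFF_ARM7_LOAD, OFF_ARM7_SIZE = 0x34, 0x38, 0x3C


def build_image(arm9: bytes, arm7: bytes, arm9_load=0x02000000, arm7_load=0x03800000,
                arm9_entry=None, arm7_entry=None) -> bytes:
    """Construct header + binaries. Entry points default to the load addresses."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<III", hdr, OFF_ARM9_ENTRY,
                     arm9_load if arm9_entry is None else arm9_entry, arm9_load, len(arm9))
    struct.pack_into("<III", hdr, OFF_ARM7_ENTRY,
                     arm7_load if arm7_entry is None else arm7_entry, arm7_load, len(arm7))
    return bytes(hdr) + arm9 + arm7


def parse_header(image: bytes) -> dict:
    """Return (entry, load, size) for each core as read from the header."""
    arm9 = struct.unpack_from("<III", image, OFF_ARM9_ENTRY)
    arm7 = struct.unpack_from("<III", image, OFF_ARM7_ENTRY)
    return {"arm9": arm9, "arm7": arm7}


def sign_binaries(image: bytes) -> str:
    """Model of the signature: it covers the binaries after the header, not the header."""
    return hashlib.sha256(image[HEADER_SIZE:]).hexdigest()


def naive_load(image: bytes, signature: str):
    """Loader that verifies the binaries, then trusts whatever entry points the header gives."""
    if sign_binaries(image) != signature:
        return None
    h = parse_header(image)
    return h["arm9"][0], h["arm7"][0]


def entry_inside_signed_region(entry: int, load: int, size: int) -> bool:
    """True when the entry point lies inside the range the signed binary was loaded to."""
    return load <= entry < load + size


def hardened_load(image: bytes, signature: str):
    """Loader that also rejects any entry point outside the signed, loaded binary.

    This subsumes blacklisting particular regions (GBA ROM space, the header copy
    in RAM): only addresses covered by the verified code are accepted."""
    if sign_binaries(image) != signature:
        return None
    h = parse_header(image)
    for core in ("arm9", "arm7"):
        entry, load, size = h[core]
        if not entry_inside_signed_region(entry, load, size):
            return None
    return h["arm9"][0], h["arm7"][0]


def demo() -> dict:
    """Constructed scenario: the same signed binaries with an untouched header and
    with a header whose entry points are the ones pepsiman quotes."""
    arm9 = bytes(range(256)) * 4  # constructed stand-in for the signed ARM9 binary
    arm7 = bytes(range(128)) * 2  # constructed stand-in for the signed ARM7 binary
    genuine = build_image(arm9, arm7)
    sig = sign_binaries(genuine)
    retargeted = build_image(arm9, arm7, arm9_entry=0x027FFE24, arm7_entry=0x080000C0)
    return {
        "genuine_naive": naive_load(genuine, sig),
        "genuine_hardened": hardened_load(genuine, sig),
        "retargeted_naive": naive_load(retargeted, sig),        # same signature still verifies
        "retargeted_hardened": hardened_load(retargeted, sig),  # rejected: entries outside code
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, None if result is None else tuple(hex(a) for a in result))
```

The retargeted image passes the naive loader because nothing it signs has changed, which is exactly why header-only edits survive the signature check in the thread; the hardened loader rejects it purely on the range test, without needing to know about any particular address region.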

#67295 - cloak - Mon Jan 16, 2006 7:55 pm

I think I understand a little more now.

Thanks for all your replies.

-Cloak