gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

DS Misc > No$GBA V2.2

#68424 - FluBBa - Tue Jan 24, 2006 2:32 pm

Martin Korth is not dead but has actually updated No$GBA with limited support for the DS.
Problem is that it seems to require the 2 BIOS files from the DS (which probably is a good thing) but I can't seem to find a bios dumper anywhere.
_________________
I probably suck, my not is a programmer.

#68441 - darkfader - Tue Jan 24, 2006 3:56 pm

oh... a few moments ago supplemental information was leaked to do that.
Indeed he's not dead... in fact it seems like he had reversed the encryption stuff too. (For which he also used the bios dump.)
There's little reason in trying to keep everything back now.

#68456 - tssf - Tue Jan 24, 2006 7:22 pm

As soon as the BIOSes are found, Nintendo DS piracy will spread like wildfire. Although the homebrew developers will love it, I sincerely hope he puts in some kind of protection against commercial games.

EDIT: when..the major parts of the hardware are emulated, that is.
_________________
Mathew Valente [TSSF]
------
Chrono Resurrection Musician

#68459 - Darkflame - Tue Jan 24, 2006 7:54 pm

Dunno, I think quite a lot of games simply won't work without the exact hardware.

Metroid Hunters, for instance... controlling with a mouse or even a Wacom pad wouldn't work well at all.

Maybe if there was exact control mapping that varied on a game-to-game basis. But frankly, I think piracy will happen, but never be practical on the platform.
A bit like the Gamecube.

#68466 - MaHe - Tue Jan 24, 2006 9:36 pm

This is only the theory ... I do not mean to do anything like that (way too expensive ;) ) ... Anyways:

Let's say I have:

1. A PocketPC with a DS emulator (commercial games working)
2. A homemade LPT game dumper

Is it legal to run your OWN backups on a third-party device?

#68476 - darkfader - Tue Jan 24, 2006 10:41 pm

An idea would be to allow running games only from a LPT interface and not from a file. But I guess all emulators would need to be closed-source then...

#68511 - Lynx - Wed Jan 25, 2006 6:14 am

Wow.. I guess I will go out on a limb here..

How about an emu that can run all homebrew, as if it were the hardware? That would be nice for deving.. Oops.. how did we get onto that topic?

#68520 - darkfader - Wed Jan 25, 2006 9:08 am

I tried making it load the bioses and firmware, but it 'crashes'.
I also tried debugging the emulator itself (just a habit) but it seems like the entrypoint was modified after exe-packing. Naughty uh.

#68579 - caitsith2 - Wed Jan 25, 2006 8:48 pm

I did have success running the bioses/firmware on no$gba.

Specifically, the arm 7 bios has to be named biosnds7.rom, arm 9 bios biosnds9.rom, and firmware as firmware.bin. (Yes, I do have a complete dump of the arm7 bios.)

#68649 - tssf - Thu Jan 26, 2006 7:56 am

What if..and this probably sounds crazy, but what if the emulator actually works backwards from the DS? In that if it finds a signed RSA signature ROM attempting to be played, it automatically crashes?

That'd be a nice way to keep it homebrew.
_________________
Mathew Valente [TSSF]
------
Chrono Resurrection Musician

#68658 - caitsith2 - Thu Jan 26, 2006 8:33 am

Would be much too easy to bypass.

Besides that, RSA signing only applies to wireless multiboot. Also, no$gba expects encrypted secure areas, if both bioses are completely present, and decrypted secure areas, if the arm7 bios is absent.

Also, none of the official games, (at least the ones I tried) work in it yet.

I will quite likely be using this emulator to reverse engineer some stuff, once emulation becomes compatible enough to be able to run the games, and sound support gets added. (specifically, I wish to further reverse the sdat format used by most (not all) official games.)

#68679 - HyperHacker - Thu Jan 26, 2006 10:21 am

So just out of curiosity, how did you get the ARM7 BIOS dumped?

#68710 - Lynx - Thu Jan 26, 2006 1:59 pm

Pepsiman released a dumper.

I can put it on ndshb.com... if.. it belongs there.

#68714 - pepsiman - Thu Jan 26, 2006 2:22 pm

Lynx wrote:
Pepsiman released a dumper.

Using source released by caitsith2.

#68768 - HyperHacker - Thu Jan 26, 2006 6:46 pm

Er, what I mean is how does the dumper work? Another SWI that doesn't check table index? ;-) Just curious as to how you got around the protection.

#68808 - caitsith2 - Thu Jan 26, 2006 10:11 pm

Code:

@Code to dump the complete Nintendo DS ARM7 bios, including the
@first 0x1204 bytes residing in the secure area.
@
@The ARM7 bios has read protection: 0xFFFFFFFF (word), 0xFFFF (half word)
@or 0xFF (byte) is returned if any reads are attempted while PC is outside
@the arm7 bios range.
@
@Additionally, if the PC is outside the 0x0000 - 0x1204 range, that range of the bios
@is completely locked out from reading.

   .global arm7_bios_dumper
   

   .align
   
arm7_bios_dumper:
   .arm
   adr r0,bios_dump+1
   bx r0
   .thumb
   

bios_dump:
   push {r4-r7,lr} @Even though we don't use R7, the code we are jumping to is going
                           @to trash R7, therefore we must save it.
   ldr r0,=0x5ED      @The code that will be made to read the full bios resides here.
   ldr r1,=0x3FFF  @Last byte of the Bios
   ldr r2,=0xA000000 @GBA cart saveram

loop:
   mov r6,#0x12      @We Subtract 12 from the location we wish to read
   sub r3,r1,r6      @because the code at 0x5EC is LDRB    R3, [R3,#0x12]
   adr r6,ret
   push {r2-r6}    @The line of code at 0x5EE is POP     {R2,R4,R6,R7,PC}
   bx r0
   .align

ret:
   strb r3,[r2,r1] @Store the read byte contained in r3, to SRAM.
   sub r1,#1       @Subtract 1
   bpl loop        @And branch as long as R1 doesn't roll into -1 (0xFFFFFFFF).

   pop {r4-r7}     @Restore the saved registers
   pop {r3}            @and return.
   bx r3

@The exact code that resides at 0x5EC (secure area range) of the arm7 bios.
@ROM:000005EC 9B 7C                       LDRB    R3, [R3,#0x12]
@ROM:000005EE D4 BD                       POP     {R2,R4,R6,R7,PC}


Here is the code that was used to dump the bios completely. The bios protection is based on the following.

Code executed inside secure area (0x0000-0x1203) may read the secure area data.
Code executed inside bios area (0x0000-0x3FFF) may read bios range (0x1204-0x3FFF).

Finally, those conditions are only true after some code within the bios turns on the protection unit. The protection unit is turned off at powerup, to allow for the required table to be copied out during firmware decryption/decompression, and then to allow the bios to read the secure area of the DS game cards and decrypt it. The tables are then destroyed afterwards, and the protection unit is turned on to prevent their readout.

Oh, one more thing. Pepsiman's dumping utility does not dump to saveram, as the released source suggests, but rather to compact flash.
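An added example (not code from the thread or from caitsith2's dumper): a small Python model of the read protection described above and of the gadget-based readout. It shows why a plain loop in main RAM only ever sees 0xFF, how the five words that `push {r2-r6}` leaves on the stack are consumed by `POP {R2,R4,R6,R7,PC}` so that control comes back to `ret` with the SRAM pointer in r2 intact and r4/r6/r7 clobbered, and why r3 is loaded with `target - 0x12`. The BIOS image, the protection rule and the register stand-ins are constructed here for illustration; only the gadget encoding (9B 7C D4 BD at 0x5EC) and the address ranges come from the post.

```python
# Added example, not from the original thread or from caitsith2's dumper:
# a model of the ARM7 BIOS read protection and of the LDRB/POP gadget chain.
# The BIOS bytes below are constructed; the gadget encoding and ranges are
# taken from the post above.

BIOS7_SIZE = 0x4000          # ARM7 BIOS is 16 KiB (0x0000-0x3FFF)
SECURE_END = 0x1204          # first 0x1204 bytes are the secure area
GADGET_PC = 0x5EC            # 0x5EC: LDRB R3,[R3,#0x12]   0x5EE: POP {R2,R4,R6,R7,PC}
GADGET_BYTES = bytes.fromhex("9B7CD4BD")


def make_bios_image(seed: int = 0x5A) -> bytes:
    """Constructed stand-in for the ARM7 BIOS, with the real gadget encoding
    placed at 0x5EC so the chain has something to jump to."""
    img = bytearray(((i * 0x9E + seed) & 0xFF) ^ (i >> 8) for i in range(BIOS7_SIZE))
    img[GADGET_PC:GADGET_PC + 4] = GADGET_BYTES
    return bytes(img)


def protected_ldrb(bios: bytes, addr: int, pc: int) -> int:
    """Protection rule as described in the post (model, not the real unit):
    - PC outside 0x0000-0x3FFF: every BIOS read returns 0xFF
    - PC inside the BIOS but outside the secure area: 0x0000-0x1203 reads as 0xFF
    - PC inside the secure area: everything is readable."""
    if not 0 <= pc < BIOS7_SIZE:
        return 0xFF
    if addr < SECURE_END and not 0 <= pc < SECURE_END:
        return 0xFF
    return bios[addr]


def direct_dump(bios: bytes, caller_pc: int = 0x2000000) -> bytes:
    """What a naive byte loop running from main RAM gets back: all 0xFF."""
    return bytes(protected_ldrb(bios, a, caller_pc) for a in range(BIOS7_SIZE))


def gadget_read(bios: bytes, target: int, sram_base: int, ret: int):
    """One iteration of the dumper loop. Builds the frame that PUSH {r2-r6}
    leaves on the stack, executes the two gadget instructions with PC in the
    secure area, and applies POP {R2,R4,R6,R7,PC} to that frame.
    Returns (byte_read, registers_after_pop)."""
    r2 = sram_base                          # SRAM pointer, must survive the gadget
    r3 = (target - 0x12) & 0xFFFFFFFF       # gadget adds 0x12 back (wraps for target < 0x12)
    r4, r5 = 0x44444444, 0x55555555         # arbitrary stand-ins for whatever r4/r5 held
    r6 = ret                                # becomes PC when the gadget pops
    frame = [r2, r3, r4, r5, r6]            # PUSH stores the lowest register at the lowest address
    # 0x5EC: LDRB R3,[R3,#0x12], executed with PC inside the secure area
    r3 = protected_ldrb(bios, (r3 + 0x12) & 0xFFFFFFFF, GADGET_PC)
    # 0x5EE: POP {R2,R4,R6,R7,PC}, consumes the five pushed words in order
    regs = {"r2": frame[0], "r3": r3, "r4": frame[1], "r6": frame[2], "r7": frame[3], "pc": frame[4]}
    assert regs["pc"] == ret, "chain did not return to ret"
    assert regs["r2"] == sram_base, "SRAM base pointer was not preserved"
    return r3, regs


def gadget_dump(bios: bytes, sram_base: int = 0xA000000, ret: int = 0x2000100) -> bytes:
    """Full readout, walking from 0x3FFF down to 0 like the original loop."""
    out = bytearray(BIOS7_SIZE)
    for addr in range(BIOS7_SIZE - 1, -1, -1):
        out[addr], _ = gadget_read(bios, addr, sram_base, ret)
    return bytes(out)


if __name__ == "__main__":
    bios = make_bios_image()
    print("direct read all 0xFF:", direct_dump(bios) == b"\xff" * BIOS7_SIZE)
    print("gadget dump matches:  ", gadget_dump(bios) == bios)
```

The register bookkeeping in `gadget_read` is the point: because the pop order is r2, r4, r6, r7, pc, the word pushed as r3 lands in r4, the one pushed as r4 lands in r6 and the one pushed as r5 lands in r7, which is exactly why the dumper saves r4-r7 on entry even though its own loop only uses r1-r3 and r6.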

#68816 - Normmatt - Thu Jan 26, 2006 10:54 pm

I would like to see a release that dumps to SRAM, so those of us who don't have CF/SD converters can dump the ARM7 BIOS.

#68817 - FluBBa - Thu Jan 26, 2006 11:06 pm

And the ARM9 BIOS can just be read out without any special magic?
_________________
I probably suck, my not is a programmer.

#68832 - caitsith2 - Fri Jan 27, 2006 12:30 am

IIRC, yes, you just read out the Arm 9 bios directly. The range to read is 0xFFFF0000 - 0xFFFF0FFF. (4KB).

#69042 - HyperHacker - Sat Jan 28, 2006 2:47 am

Ah, so it calls a piece of code in the secure area that reads a byte from (r3+0x12) and returns? Nice, but how the heck did he find such a piece of code if he couldn't read it in the first place?

#69050 - tepples - Sat Jan 28, 2006 4:01 am

HyperHacker wrote:
Ah, so it calls a piece of code in the secure area that reads a byte from (r3+0x12) and returns? Nice, but how the heck did he find such a piece of code if he couldn't read it in the first place?

The same way the MidiKey2Freq bug in GBA BIOS was found: lots of trial and error.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#69068 - pepsiman - Sat Jan 28, 2006 6:42 am

tepples wrote:

The same way the MidiKey2Freq bug in GBA BIOS was found: lots of trial and error.

The MidiKey2Freq bug was found by analysis of an existing GBA BIOS dump.
It is not the only way to dump the GBA BIOS.

#69162 - darkfader - Sat Jan 28, 2006 10:55 pm

pepsiman wrote:
The MidiKey2Freq bug was found by analysis of an existing GBA BIOS dump.
It is not the only way to dump the GBA BIOS.

Actually, I just knew what the function was supposed to do, and tried that. It's not even using a register that they forgot clearing or something similar. There are no other obvious SWIs that return something based on input.

I think Martin used a custom firmware replacement to read the BIOS. Loopy, Costis, CaithSith etc. found that LDR instruction.
Joat once said he tried pretty much everything to find such an instruction. Therefore I and others gave up early.
Oh well, it doesn't really matter. But it would have been more challenging to crack the DS card encryption without having the BIOS dump :P

#69181 - tepples - Sun Jan 29, 2006 12:47 am

So does this mean it will become possible to build a self-contained unlock chip that doesn't need an official game anymore? (It can't really be called a "passthrough" in this case...)
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#69222 - pepsiman - Sun Jan 29, 2006 11:57 am

tepples wrote:
So does this mean it will become possible to build a self-contained unlock chip that doesn't need an official game anymore?

Yes.
Quote:
(It can't really be called a "passthrough" in this case...)

It's currently called "nopass".

#69249 - tepples - Sun Jan 29, 2006 4:20 pm

Thanks. I just added NoPass to my list of future DS booting methods.

Now if only Mr Korth could help crack the NES lockout chip...
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#69278 - HyperHacker - Sun Jan 29, 2006 7:27 pm

Hey, doesn't this also make a real NDS flash cart possible? One that just sticks in the slot, without needing a GBA cart?

#69280 - dualscreenman - Sun Jan 29, 2006 7:33 pm

HyperHacker wrote:
Hey, doesn't this also make a real NDS flash cart possible? One that just sticks in the slot, without needing a GBA cart?

Let's hope so. *crosses his fingers*

#70433 - FluBBa - Mon Feb 06, 2006 12:40 pm

Ok, I compiled the code and built a bios dumper.
It dumps both bioses to the SRAM on a GBA cart.
ARM7 0x0000->0x3FFF.
ARM9 0x4000->0x4FFF.

http://hem.passagen.se/flubba/gba.html
_________________
I probably suck, my not is a programmer.
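An added example (not code from the thread, from FluBBa's dumper or from no$gba): a Python helper that takes the SRAM image laid out as FluBBa describes (ARM7 BIOS at 0x0000-0x3FFF, ARM9 BIOS at 0x4000-0x4FFF) and writes the two files under the names caitsith2 says no$gba looks for, biosnds7.rom and biosnds9.rom. Since a blocked read does not fault but silently returns 0xFF, a "successful" dump made from the wrong PC range is just a file full of 0xFF; the checks here catch that and also look for the LDRB/POP gadget bytes at 0x5EC as a fingerprint. The sample image from `make_sample_dump()` is constructed, not a real BIOS; the output directory defaults to a temporary one.

```python
# Added example, not from the thread, FluBBa's dumper or no$gba: post-process a
# SRAM dump (ARM7 at 0x0000-0x3FFF, ARM9 at 0x4000-0x4FFF) into biosnds7.rom and
# biosnds9.rom and flag readouts the protection unit turned into 0xFF.
# make_sample_dump() builds a constructed image for offline testing.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

ARM7_OFF, ARM7_SIZE = 0x0000, 0x4000      # FluBBa: ARM7 0x0000->0x3FFF
ARM9_OFF, ARM9_SIZE = 0x4000, 0x1000      # FluBBa: ARM9 0x4000->0x4FFF (4 KB from 0xFFFF0000)
SECURE_END = 0x1204                       # caitsith2: secure area 0x0000-0x1203
GADGET_OFF = 0x5EC
GADGET_BYTES = bytes.fromhex("9B7CD4BD")  # LDRB R3,[R3,#0x12] ; POP {R2,R4,R6,R7,PC}


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def all_ff(chunk: bytes) -> bool:
    return chunk == b"\xff" * len(chunk)


def split_sram_dump(sram: bytes) -> Tuple[bytes, bytes]:
    """Cut the two BIOS images out of the raw SRAM contents."""
    need = ARM9_OFF + ARM9_SIZE
    if len(sram) < need:
        raise ValueError(f"SRAM dump is {len(sram):#x} bytes, need at least {need:#x}")
    return sram[ARM7_OFF:ARM7_OFF + ARM7_SIZE], sram[ARM9_OFF:ARM9_OFF + ARM9_SIZE]


def check_arm7_bios(bios7: bytes) -> List[str]:
    """Return the problems found; an empty list means the dump looks plausible."""
    problems: List[str] = []
    if len(bios7) != ARM7_SIZE:
        return [f"ARM7 image is {len(bios7):#x} bytes, expected {ARM7_SIZE:#x}"]
    if all_ff(bios7[:SECURE_END]):
        problems.append("secure area 0x0000-0x1203 is all 0xFF: reads were made with PC outside the secure area")
    if all_ff(bios7[SECURE_END:]):
        problems.append("range 0x1204-0x3FFF is all 0xFF: reads were made with PC outside the BIOS")
    if bios7[GADGET_OFF:GADGET_OFF + 4] != GADGET_BYTES:
        problems.append("LDRB/POP gadget bytes not found at 0x5EC: not an ARM7 BIOS, or the secure area was blocked")
    return problems


def check_arm9_bios(bios9: bytes) -> List[str]:
    if len(bios9) != ARM9_SIZE:
        return [f"ARM9 image is {len(bios9):#x} bytes, expected {ARM9_SIZE:#x}"]
    if all_ff(bios9):
        return ["ARM9 image is all 0xFF: nothing was read from 0xFFFF0000"]
    return []


def write_nocash_files(sram: bytes, outdir: Optional[str] = None) -> Dict[str, str]:
    """Write biosnds7.rom / biosnds9.rom and return their SHA-1 digests so
    dumps from different consoles can be compared. Refuses a bad dump."""
    bios7, bios9 = split_sram_dump(sram)
    problems = check_arm7_bios(bios7) + check_arm9_bios(bios9)
    if problems:
        raise ValueError("; ".join(problems))
    out = Path(outdir or tempfile.mkdtemp(prefix="ndsbios_"))
    digests: Dict[str, str] = {}
    for name, image in (("biosnds7.rom", bios7), ("biosnds9.rom", bios9)):
        path = out / name
        path.write_bytes(image)
        digests[name] = sha1(path.read_bytes())   # hash what actually landed on disk
    return digests


def make_sample_dump(blocked_secure_area: bool = False) -> bytes:
    """Constructed 0x5000-byte SRAM image with the gadget at 0x5EC. With
    blocked_secure_area=True the first 0x1204 bytes are 0xFF, which is what a
    dump made from outside the secure area looks like."""
    img = bytearray((i * 0x9E + 0x5A) & 0xFF for i in range(ARM7_SIZE + ARM9_SIZE))
    img[GADGET_OFF:GADGET_OFF + 4] = GADGET_BYTES
    if blocked_secure_area:
        img[:SECURE_END] = b"\xff" * SECURE_END
    return bytes(img)


if __name__ == "__main__":
    print(write_nocash_files(make_sample_dump()))
    print(check_arm7_bios(split_sram_dump(make_sample_dump(blocked_secure_area=True))[0]))
```

For a real dump, replace `make_sample_dump()` with the contents of the cart's save file; the digests are what you would compare across consoles before trusting a single readout.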

#70496 - tepples - Mon Feb 06, 2006 10:07 pm

Good job. Do you also plan on making a GBAMP version that dumps to an array in RAM and then writes it to the CF?
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#70524 - Empyrean - Tue Feb 07, 2006 12:43 am

Apparently pepsiman already did... but I have no idea where it's at.
_________________
3 is not an "e",
7 is not a "t",
1 is not an "l",
And for the love of God,
Learn how to spell!

#70566 - pepsiman - Tue Feb 07, 2006 10:53 am

Empyrean wrote:
Apparently pepsiman already did... but I have no idea where it's at.

http://pepsiman.pwp.blueyonder.co.uk/bios_dumper.nds

#70574 - bafio - Tue Feb 07, 2006 1:25 pm

pepsiman wrote:
Empyrean wrote:
Apparently pepsiman already did... but I have no idea where it's at.

http://pepsiman.pwp.blueyonder.co.uk/bios_dumper.nds


Great! Thanks :)

#70801 - Empyrean - Wed Feb 08, 2006 9:11 pm

Faster than the speed of thought, pepsiman saves the day! Much appreciated! ;)
_________________
3 is not an "e",
7 is not a "t",
1 is not an "l",
And for the love of God,
Learn how to spell!

#71098 - mreaves - Fri Feb 10, 2006 10:37 am

Looks like Martin is also looking for help to further enhance the emulator. Anyone on here willing to help the cause?

#90733 - ajcrm125 - Sun Jul 02, 2006 3:00 am

HyperHacker wrote:
Hey, doesn't this also make a real NDS flash cart possible? One that just sticks in the slot, without needing a GBA cart?

What ever happend on this topic? Is anyone working on this?

-Adam

#90734 - tepples - Sun Jul 02, 2006 3:01 am

ajcrm125 wrote:
HyperHacker wrote:
Hey, doesn't this also make a real NDS flash cart possible? One that just sticks in the slot, without needing a GBA cart?

What ever happend on this topic?

The MK4 plus MK2/3 combo happened.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#90788 - ajcrm125 - Sun Jul 02, 2006 1:52 pm

tepples wrote:
The MK4 plus MK2/3 combo happened.

Please excuse the noobness.....
I'm confused... the MK4 looks like a straightforward passthrough device (i.e. like a Max Media Launcher or Superkey card). Is this essentially what it is?

If that's true, I guess what I was wondering is if there was a card that fit into your DS slot with a built-in SD/mini-SD slot attached, so you could do homebrew without having to purchase a GBA type card.

Thanks guys... this is great stuff.
-Adam

#90789 - ajcrm125 - Sun Jul 02, 2006 2:01 pm

Whoooops! Nevermind. Got the lowdown on the MK2/MK3 and all is good.
Thanks,
-Adam

#90813 - ajcrm125 - Sun Jul 02, 2006 7:18 pm

So I'm looking at the M3 description and it says:
"MagicKey3 can boot from ANY Flash cart. "

What does this mean? You still need a cart of some kind in the GBA slot to fire this thing up? Or am I missing something?
Thanks,

#90815 - tepples - Sun Jul 02, 2006 7:40 pm

I would imagine that the MK2 and MK3 use a special program, then stored as a ds.gba or .nds file, to boot the card. In the MK4, this program is on the MK4. You boot the MK4, swap to the MK2 or MK3, and then press a button.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#90824 - dXtr - Sun Jul 02, 2006 8:12 pm

Well... there is a supposedly NDS flash cart called Ultra FlashPass. It was linked to in a DSLinux thread. I'm not going to link to it directly because they link to non-homebrew NDS material, so you'll have to search for it.

But I must warn you... the whole site + the shop seems a bit shady imho.
_________________
go back to coding and stop screaming wolf :)

#90875 - ajcrm125 - Mon Jul 03, 2006 3:44 am

Huh that seems kinda backwards. I figured since the MK2/MK3 had the SD slot you could just slap that guy in there and run anything off the SD card without having any GBA device inserted in the DS at all.

So since you still need both the MK2/MK3 + GBA flash cart.. is there a benefit to using this method over say a Superkey (or variant) and a GBA flash device?

#90880 - GPFerror - Mon Jul 03, 2006 4:42 am

mreaves wrote:
Looks like Martin is also looking for help to further enhance the emulator. Anyone on here willing to help the cause?

He should get in contact with mic, the Dualis author; he was gracious enough to help with adding support for the FAT lib to DeSmuME. Or maybe Normmatt has the information he could share?

Without FAT lib support no$gba is kind of useless for most of my homebrew coding, unless I rewrite everything to use my romfs and append it to my nds; applications that use my romfs work great in no$gba.

The debugger does sound interesting if it's a gdb type source code debugger, otherwise I wouldn't know what to do with it, and will await the wireless gdb debugger that's being developed for hardware debugging. Otherwise, if it is a source code debugger, I will see if I can buy it :)

Troy(GPF)
http://gpf.dcemu.co.uk

#142984 - mute - Mon Oct 15, 2007 9:30 pm

pepsiman wrote:
Empyrean wrote:
Apparently pepsiman already did... but I have no idea where it's at.

http://pepsiman.pwp.blueyonder.co.uk/bios_dumper.nds


Wonder what that was supposed to do. Now my 3-in-1 isn't recognized anymore. Whoops. =(

#143169 - mute - Wed Oct 17, 2007 6:07 pm

Hah, yeah, I don't remember how I found this thread... =)
BTW, my 3-in-1 works again after I took it out for a few minutes. I certainly got nervous. :)

#143181 - dualscreenman - Wed Oct 17, 2007 7:46 pm

Wow, it's already up to version 2.5. Time flies, I guess.
_________________
dualscreenman wrote:
What about Gaim DS? Gaim pretty much has support for all IM programs.
tepples wrote:
"Goshdammit, the DS is not a Gaim-boy! It's a third pillar!"

#143193 - tepples - Thu Oct 18, 2007 12:01 am

dualscreenman wrote:
Wow, it's already up to version 2.5. Time flies, I guess.

If the time flies are helping Martin Korth maintain a useful emulator, we had better keep the insecticide put away :-)
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#143212 - simonjhall - Thu Oct 18, 2007 8:15 am

All I can think of is Jeff Goldblum in The Fly - good stuff!
http://www.youtube.com/watch?v=t1N86ER3-3U

Martin Korth = Jeff Goldblum
_________________
Big thanks to everyone who donated for Quake2