gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

DS Misc > detecting a bricker program?

#80375 - spinal_cord - Fri Apr 21, 2006 9:33 pm

While I'm waiting for my passme to come, I've been reading about this bricker trojan. I'm only planning to use a few emulators and perhaps learning to code for the DS, but I don't like the idea that someone's code can make my DS unusable.

If I run things through an emulator, would I discover if the program was trying to do something bad to my (emulated) DS? I heard the bricker sets a picture of a wall on the screen, would this show on an emulator?

Is this a good way to detect brickers?

#80376 - dexter0 - Fri Apr 21, 2006 9:42 pm

DSLazy has a crashme scanner.

http://l33t.spod.org/ratx/DS/dslazy/

Here is a quote from the readme:
Quote:
crashme scanner is only as reliable as the sig DF provided. It picks up crashme code on some homebrew.


That might help, although I would not trust it 100%. As far as emulators, if I remember correctly the bricker alters your firmware then displays the brick wall. I am guessing most emulators will crash upon a program trying to access firmware so you would not see the brick wall and know for sure.

#80380 - tepples - Fri Apr 21, 2006 10:30 pm

Right, but emulators that freeze on seeing a write to firmware will also freeze on seeing a write to 3D registers. And even on hardware, if you have installed FlashMe, you can always reinstall FlashMe using the A+B+Select+Start+power on failsafe method and a traditional GBA flash cart or SuperCard.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#80383 - ghazi - Fri Apr 21, 2006 10:38 pm

I believe Moonshell also checks files for bricker code before it executes them.

#80384 - HyperHacker - Fri Apr 21, 2006 10:41 pm

Yeah, I think it just does a quick MD5 check.

#80395 - josath - Fri Apr 21, 2006 11:08 pm

Just install flashme, and then as long as you have some way of getting code into your DS (flash cart, gbamp, supercard, m3, etc etc), then you are perfectly safe.

#80428 - tepples - Sat Apr 22, 2006 4:39 am

josath wrote:
as long as you have some way of getting code into your DS (flash cart, gbamp, supercard, m3, etc etc), then you are perfectly safe.

M3 does not work with the failsafe.

#80444 - tssf - Sat Apr 22, 2006 8:54 am

tepples wrote:
josath wrote:
as long as you have some way of getting code into your DS (flash cart, gbamp, supercard, m3, etc etc), then you are perfectly safe.

M3 does not work with the failsafe.


Wouldn't the latest flashme firmwares be CrashMe-proof anyway?
_________________
Mathew Valente [TSSF]
------
Chrono Resurrection Musician

#80504 - spinal_cord - Sat Apr 22, 2006 11:48 pm

OK, I did flashme, everything is working fine (I was surprised how fast it boots now). Am I right in thinking even if the worst happens, I can recover because the hacked firmware has recovery code in the sectors that can't be written to?

#80671 - Mr Snowflake - Mon Apr 24, 2006 7:23 pm

Correct me if I'm wrong, but isn't detecting bricker software simply checking for opcodes which write to the firmware address space?
_________________
http://www.mrsnowflake.be

#80674 - CubeGuy - Mon Apr 24, 2006 8:04 pm

Not if it's changing wifi, brightness, personal, time, or date settings.
_________________
It's 'CubeGuy.' One word. No space.

#80685 - tepples - Mon Apr 24, 2006 8:29 pm

Setting the firmware flash chip's write address outside the firmware settings area + writing = either a firmware replacement (e.g. FlashMe or FWNITRO) or a bricker.

#80803 - Mr Snowflake - Tue Apr 25, 2006 6:42 pm

CubeGuy wrote:
Not if it's changing wifi, brightness, personal, time, or date settings.

We know where these things belong so we can ignore these addresses...

#80906 - tepples - Wed Apr 26, 2006 2:26 am

True, but a bricker can use obfuscated code to keep a static scanner from picking out those addresses, so a scanner would have to actually run the code in a sandboxed environment functionally identical to a DS. This will not become possible until cycle-accurate DS emulators appear, because a bricker trojan could detect bugs in known emulators and run benign code, but then brick the DS when running on hardware.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
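
The rule from #80685 (a write or erase aimed outside the firmware settings area is either a firmware replacement or a bricker), applied to a flash command trace logged from an emulator run. This is an added example, not code from any poster or tool named in the thread; the trace format, the opcode table (ST M45PE-style serial flash) and the settings-area range are assumptions to adjust for the chip and firmware size in question.

```python
# Added example. Assumed: M45PE-style flash opcodes, trace format, address range.
WRITE_OPS = {0x0A: "page write", 0x02: "page program",
             0xDB: "page erase", 0xD8: "sector erase"}
PAGE, SECTOR = 0x100, 0x10000
# Assumed settings area (wifi + user settings) of a 256 KiB firmware chip.
SETTINGS_AREA = [(0x3FA00, 0x3FFFF)]


def touched_range(txn):
    """Return (name, first, last) for a modifying command, else None."""
    if len(txn) < 4 or txn[0] not in WRITE_OPS:
        return None  # reads, status polls, write-enable, truncated commands
    op, addr = txn[0], int.from_bytes(txn[1:4], "big")
    if op == 0xD8:    # an erase hits the whole sector, not just the address
        first, size = addr & ~(SECTOR - 1), SECTOR
    elif op == 0xDB:  # same for a page erase
        first, size = addr & ~(PAGE - 1), PAGE
    else:             # data bytes follow the 3-byte address
        first, size = addr, max(len(txn) - 4, 1)
        if addr % PAGE + size > PAGE:  # overflow stays inside the page
            first, size = addr & ~(PAGE - 1), PAGE
    return WRITE_OPS[op], first, first + size - 1


def classify(trace, allowed=SETTINGS_AREA):
    """Label every modifying command as 'settings' or 'SUSPECT'."""
    findings = []
    for index, txn in enumerate(trace):
        hit = touched_range(txn)
        if hit:
            name, first, last = hit
            inside = any(lo <= first and last <= hi for lo, hi in allowed)
            findings.append((index, name, first, last,
                             "settings" if inside else "SUSPECT"))
    return findings


# Constructed trace: one bytes object per chip-select transaction.
SAMPLE_TRACE = [
    bytes([0x06]),                                # write enable
    bytes([0x0A, 0x03, 0xFE, 0x00, 1, 2, 3, 4]),  # settings update
    bytes([0x03, 0x00, 0x00, 0x00]),              # read, ignored
    bytes([0xD8, 0x03, 0xFE, 0x00]),              # erase "inside" settings
    bytes([0x0A, 0x00, 0x00, 0x00, 0xFF]),        # write at offset 0
]

if __name__ == "__main__":
    for finding in classify(SAMPLE_TRACE):
        print("txn %d: %s 0x%05X-0x%05X %s" % finding)
```

The sector erase is flagged even though its address lies in the settings area, because the erase covers the whole surrounding sector. As #80906 notes, a trace only covers what the program did in that run, so a clean result does not clear a file.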